install blackbox exporter

2021-10-07 22:53:28 +02:00 · 2021-10-07 22:53:28 +02:00 · efdf4a21f9
commit efdf4a21f9
parent e0feade59a
9 changed files with 165 additions and 0 deletions
--- a/books/monitoring.yml
+++ b/books/monitoring.yml
@ -5,6 +5,7 @@
    - prometheus
    - prometheus-alert-manager
    - grafana
+    - prometheus-blackbox-exporter

 - hosts: all, !tests,
  roles:
--- a/roles/prometheus-blackbox-exporter/handlers/main.yml
+++ b/roles/prometheus-blackbox-exporter/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart blackbox-exporter
+  systemd:
+    name: prometheus-blackbox-exporter.service
+    state: restarted
--- a/roles/prometheus-blackbox-exporter/meta/main.yml
+++ b/roles/prometheus-blackbox-exporter/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx
--- a/roles/prometheus-blackbox-exporter/tasks/main.yml
+++ b/roles/prometheus-blackbox-exporter/tasks/main.yml
@ -0,0 +1,96 @@
+---
+- name: Install Prometheus Components
+  apt:
+    name:
+      - prometheus-blackbox-exporter
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/prometheus/
+    cname: "blackbox-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/prometheus/ca.crt
+  notify:
+   - Restart blackbox-exporter
+   - Reload nginx
+
+- name: Setup the blackbox config
+  template:
+    src: blackbox.yml
+    dest: /etc/prometheus/blackbox.yml
+    owner: prometheus
+    group: prometheus
+    mode: '0640'
+  notify: Restart blackbox-exporter
+  no_log: true
+
+- name: Add targets files
+  template:
+    src: targets.json
+    dest: "/etc/prometheus/blackbox-{{ item }}-targets.json"
+    owner: prometheus
+    group: prometheus
+    mode: '0640'
+    force: no
+  notify: Restart blackbox-exporter
+  loop:
+    - https-internal
+    - https-external-up
+    - http-external-down
+
+#- name: Copy the web-config folder
+#  template:
+#    src: web-config.yaml
+#    dest: /etc/prometheus/web-config-blackbox.yaml
+#    group: prometheus
+#    owner: prometheus
+#    mode: u=rw,g=r,o=r
+#  notify: Restart blackbox-exporter
+
+- name: Setup the arguments for prometheus
+  template:
+    src: prometheus-blackbox-exporter
+    dest: /etc/default/prometheus-blackbox-exporter
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart blackbox-exporter
+  vars:
+    args:
+      - name: web.listen-address
+        value: "127.0.0.1:9115"
+#        value: "{{ lan_address }}:9115"
+      - name: config.file
+        value: /etc/prometheus/blackbox.yml
+#      - name: web.config.file 
+#        value: /etc/prometheus/web-config.yaml
+
+## Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+  template:
+    src: atrocious_nginx_stub
+    dest: "/etc/nginx/sites-available/internal-blackbox"
+  notify: Reload nginx
+
+- name: Activate the config
+  file:
+    src: "/etc/nginx/sites-available/internal-blackbox"
+    dest: "/etc/nginx/sites-enabled/internal-blackbox"
+    state: link
+    force: yes
--- a/roles/prometheus-blackbox-exporter/templates/atrocious_nginx_stub
+++ b/roles/prometheus-blackbox-exporter/templates/atrocious_nginx_stub
@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ lan_address }}:9115 ssl;
+    ssl_certificate /etc/prometheus/blackbox-{{ lan_address }}.crt;
+    ssl_certificate_key /etc/prometheus/blackbox-{{ lan_address }}.key;
+    ssl_client_certificate /etc/prometheus/ca.crt;
+    ssl_verify_client on;
+
+    location / {
+        proxy_pass http://127.0.0.1:9115;
+    }
+}
--- a/roles/prometheus-blackbox-exporter/templates/blackbox.yml
+++ b/roles/prometheus-blackbox-exporter/templates/blackbox.yml
@ -0,0 +1,14 @@
+{{ ansible_managed | comment }}
+
+modules:
+  http_2xx:
+    prober: http
+    http:
+  http_post_2xx:
+    prober: http
+    http:
+      method: POST
+  tcp_connect:
+    prober: tcp
+  icmp:
+    prober: icmp
--- a/roles/prometheus-blackbox-exporter/templates/prometheus-blackbox-exporter
+++ b/roles/prometheus-blackbox-exporter/templates/prometheus-blackbox-exporter
@ -0,0 +1,21 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+      --{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# Usage of prometheus-blackbox-exporter:
+#   --config.file="blackbox.yml"
+#                         Blackbox exporter configuration file.
+#   --web.listen-address=":9115"
+#                         The address to listen on for HTTP requests.
+#   --timeout-offset=0.5  Offset to subtract from timeout in seconds.
+#   --log.level=info      Only log messages with the given severity or above.
+#                         One of: [debug, info, warn, error]
--- a/roles/prometheus-blackbox-exporter/templates/targets.json
+++ b/roles/prometheus-blackbox-exporter/templates/targets.json
@ -0,0 +1,6 @@
+[
+    {
+        "targets": [
+        ]
+    }
+]
--- a/roles/prometheus-blackbox-exporter/templates/web-config.yaml
+++ b/roles/prometheus-blackbox-exporter/templates/web-config.yaml
@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+tls_server_config:
+  cert_file: "/etc/prometheus/blackbox-{{ lan_address }}.crt"
+  key_file: "/etc/prometheus/blackbox-{{ lan_address }}.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "/etc/prometheus/ca.crt"