From 606562987f78bf7c48fcbd110b223b15b0388bf1 Mon Sep 17 00:00:00 2001
From: "Antonio J. Delgado"
Date: Tue, 11 Oct 2022 10:19:07 +0300
Subject: [PATCH] Initial commit with previous code

---
 defaults/main.yml | 3 +
 handlers/main.yml | 5 ++
 tasks/configure.yml | 4 +
 tasks/configure_prometheus_exporters.yml | 55 +++++++++++++
 ...gure_prometheus_exporters_certificates.yml | 33 ++++++++
 ...onfigure_prometheus_exporters_external.yml | 77 ++++++++++++++++++
 tasks/install.yml | 5 ++
 tasks/main.yml | 5 ++
 templates/apache2.conf.j2 | 81 +++++++++++++++++++
 9 files changed, 268 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/configure.yml
 create mode 100644 tasks/configure_prometheus_exporters.yml
 create mode 100644 tasks/configure_prometheus_exporters_certificates.yml
 create mode 100644 tasks/configure_prometheus_exporters_external.yml
 create mode 100644 tasks/install.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/apache2.conf.j2

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..711a2b1
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Default values for variables of the role
+# variable_name: value
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..8e1f409
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Prometheus Node Exporter
+ service:
+ name: prometheus-node-exporter
+ state: restarted
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..b5a25af
--- /dev/null
+++ b/tasks/configure.yml
@@ -0,0 +1,4 @@
+---
+- name: Ensure configuration of prometheus exporters service
+ include_tasks: configure_prometheus_exporters.yml
+ when: "'WSL' not in ansible_facts['kernel']"
\ No newline at end of file
diff --git a/tasks/configure_prometheus_exporters.yml b/tasks/configure_prometheus_exporters.yml
new file mode 100644
index 0000000..60735af
--- /dev/null
+++ b/tasks/configure_prometheus_exporters.yml
@@ -0,0 +1,55 @@
+---
+- name: Ensure node-exporter is reachable internally
+ ufw:
+ rule: allow
+ port: 9100
+ src: 192.168.1.0/24
+
+- name: Ensure node exporter group exists
+ ansible.builtin.group:
+ name: node_exporter
+
+- name: Ensure prometheus is a member of node_exporter group
+ ansible.builtin.user:
+ name: prometheus
+ append: yes
+ groups:
+ - node_exporter
+
+- name: Ensure node exporter textfile directory exists
+ file:
+ path: /var/lib/prometheus/node-exporter
+ state: directory
+ owner: prometheus
+ group: node_exporter
+ mode: 0775
+
+- name: Ensure textfile directory is enabled for node exporter
+ ansible.builtin.lineinfile:
+ path: /etc/default/prometheus-node-exporter
+ regexp: '^ARGS'
+ line: ARGS="--collector.textfile.directory='/var/lib/prometheus/node-exporter' --collector.filesystem.ignored-fs-types=dav --collector.zfs --collector.xfs"
+ owner: root
+ group: root
+ mode: '0644'
+ backup: yes
+ notify:
+ - Restart Prometheus Node Exporter
+ when: "ansible_hostname == 'hiljainen' or ansible_hostname == 'deu1.susurrando.com'"
+
+- name: Ensure textfile directory is enabled for node exporter
+ ansible.builtin.lineinfile:
+ path: /etc/default/prometheus-node-exporter
+ regexp: '^ARGS'
+ line: ARGS="--collector.textfile.directory='/var/lib/prometheus/node-exporter' --collector.filesystem.ignored-fs-types=dav"
+ owner: root
+ group: root
+ mode: '0644'
+ backup: yes
+ notify:
+ - Restart Prometheus Node Exporter
+ when: "ansible_hostname != 'hiljainen' and ansible_hostname != 'deu1.susurrando.com'"
+
+- name: Ensure configuration of prometheus exporters for external servers
+ include_tasks: configure_prometheus_exporters_external.yml
+ when: "'external' in group_names"
diff --git a/tasks/configure_prometheus_exporters_certificates.yml b/tasks/configure_prometheus_exporters_certificates.yml
new file mode 100644
index 0000000..5061056
--- /dev/null
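Review bot: Site-specific values are hard-coded in this hunk — the `src: 192.168.1.0/24` scope and `port: 9100` of the ufw rule, and the hostnames `hiljainen` and `deu1.susurrando.com` in the `when:` of the two `lineinfile` tasks — while `defaults/main.yml` in the same commit declares no variables at all. The two `lineinfile` tasks carry the same name and differ only in the trailing `--collector.zfs --collector.xfs` flags, so one task whose `line:` ends in `{{ node_exporter_extra_args }}` (constructed variable name, defaulting to an empty string in defaults/main.yml) would replace both and let the per-host collector choice move to host_vars; the ufw `src`/`port` deserve the same treatment. Separately, `append: yes` should be `append: true`, and `mode: 0775` should be quoted as `mode: '0775'` the way the later tasks already quote `mode: '0644'`, since an unquoted `0775` is read as an octal integer by YAML 1.1 loaders.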
+++ b/tasks/configure_prometheus_exporters_certificates.yml
@@ -0,0 +1,33 @@
+---
+- name: Ensure UFW is enabled and accepting HTTPS traffic
+ ufw:
+ state: enabled
+ policy: deny
+ rule: allow
+ to_port: '443'
+
+- name: Ensure UFW is enabled and accepting HTTP traffic
+ ufw:
+ state: enabled
+ policy: deny
+ rule: allow
+ to_port: '80'
+
+- name: Ensure certbot is installed
+ apt:
+ name: certbot
+
+- name: Stop Apache2 to request certificate
+ service:
+ name: apache2
+ state: stopped
+
+- name: Request certificate for node-metrics
+ shell: "certbot certonly --agree-tos --email certs@susurrando.com --standalone -n -d node-metrics-{{ inventory_hostname }}"
+ args:
+ creates: "/etc/letsencrypt/live/node-metrics-{{ inventory_hostname }}/fullchain.pem"
+
+- name: Request certificate for postfix-metrics
+ shell: "certbot certonly --agree-tos --email certs@susurrando.com --standalone --agree-tos --email gestor@susurrando.com -n -d postfix-metrics-{{ inventory_hostname }}"
+ args:
+ creates: "/etc/letsencrypt/live/postfix-metrics-{{ inventory_hostname }}/fullchain.pem"
diff --git a/tasks/configure_prometheus_exporters_external.yml b/tasks/configure_prometheus_exporters_external.yml
new file mode 100644
index 0000000..b8bbf47
--- /dev/null
+++ b/tasks/configure_prometheus_exporters_external.yml
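Review bot: The postfix-metrics `shell:` task passes `--agree-tos --email` twice with two different addresses (`certs@susurrando.com` and `gestor@susurrando.com`), so which account e-mail certbot registers depends on how it resolves repeated options rather than on anything stated in the playbook; drop one pair so the two requests agree with each other. Neither command uses any shell feature, so `ansible.builtin.command:` with the same `creates:` guard is the safer module here. The two UFW tasks at the top repeat those in `configure_prometheus_exporters_external.yml` and can be removed from one of the files. `Stop Apache2 to request certificate` has no matching start in this file — Apache is only started again at the end of the including file — so if either certbot run fails the host is left with Apache down; wrapping the stop/request/start sequence in a `block:` with an `always:` that starts the service would keep it up on failure.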
@@ -0,0 +1,77 @@
+---
+- name: Ensure UFW is enabled and accepting HTTPS traffic
+ ufw:
+ state: enabled
+ policy: deny
+ rule: allow
+ to_port: '443'
+
+- name: Ensure UFW is enabled and accepting HTTP traffic
+ ufw:
+ state: enabled
+ policy: deny
+ rule: allow
+ to_port: '80'
+
+
+- name: Ensure the document root exists for node exporter
+ file:
+ path: "/var/www/node-metrics-{{ ansible_fqdn }}/"
+ state: directory
+ owner: www-data
+- name: Ensure the document root exists postfixnode exporter
+ file:
+ path: "/var/www/postfix-metrics-{{ ansible_fqdn }}/"
+ state: directory
+ owner: www-data
+- name: Enable the Apache2 SSL module
+ community.general.apache2_module:
+ state: present
+ name: ssl
+- name: Enable the Apache2 rewrite module
+ community.general.apache2_module:
+ state: present
+ name: rewrite
+- name: Enable the Apache2 authnz_external module
+ community.general.apache2_module:
+ state: present
+ name: authnz_external
+- name: Enable the Apache2 proxy module
+ community.general.apache2_module:
+ state: present
+ name: proxy
+- name: Enable the Apache2 proxy_http module
+ community.general.apache2_module:
+ state: present
+ name: proxy_http
+- name: Enable the Apache2 proxy_wstunnel module
+ community.general.apache2_module:
+ state: present
+ name: proxy_wstunnel
+- name: Enable the Apache2 authnz_external module
+ community.general.apache2_module:
+ state: present
+ name: authnz_external
+# Add DNS entries in OVH
+- name: Check if certificates exist
+ stat:
+ path: "/etc/letsencrypt/live/node-metrics-{{ ansible_fqdn }}/fullchain.pem"
+ register: node_certificate
+- name: Request certificates for node and postfix
+ include_tasks: configure_prometheus_exporters_certificates.yml
+ when: not node_certificate.stat.exists
+- name: Ensure virtual hosts configuration is deployed
+ template:
+ src: templates/apache2.conf.j2
+ dest: /etc/apache2/sites-available/25-metrics-exporters.conf
+ backup: yes
+- name: Ensure virtual hosts configuration is enabled
+ 
file:
+ dest: /etc/apache2/sites-enabled/25-metrics-exporters.conf
+ src: /etc/apache2/sites-available/25-metrics-exporters.conf
+ state: link
+
+- name: Start Apache2 after request certificate
+ service:
+ name: apache2
+ state: started
\ No newline at end of file
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..061c0c7
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure software for Prometheus node exporter is installed
+ package:
+ name:
+ - prometheus-node-exporter
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..cbe813e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure installation
+ include_tasks: install.yml
+- name: Ensure configuration
+ include_tasks: configure.yml
\ No newline at end of file
diff --git a/templates/apache2.conf.j2 b/templates/apache2.conf.j2
new file mode 100644
index 0000000..f4e9dee
--- /dev/null
+++ b/templates/apache2.conf.j2
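Review bot: The `stat:` check looks for `/etc/letsencrypt/live/node-metrics-{{ ansible_fqdn }}/fullchain.pem`, but `configure_prometheus_exporters_certificates.yml` requests `node-metrics-{{ inventory_hostname }}` and the template reads the certificate and document root under `inventory_hostname`, so on any host where the two values differ the check never matches and the `/var/www/node-metrics-{{ ansible_fqdn }}/` directories created here are not the ones the vhosts serve; use one variable in all three files. The check also covers only the node certificate, so a host with the node certificate present and the postfix one missing skips the include and Apache then fails to start on the postfix vhost's `SSLCertificateFile`. The `template:` and `state: link` tasks have no `notify:` and the final task uses `state: started`, which does not reload an already running Apache, so a changed vhost file is not applied until something else restarts the service; add a handler such as `Reload Apache2` (constructed name) with `state: reloaded` and notify it from both tasks. `Enable the Apache2 authnz_external module` appears twice, once before `proxy` and once after `proxy_wstunnel`, and the second copy can go.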
@@ -0,0 +1,81 @@ + + ServerName node-metrics-{{ inventory_hostname }} + DocumentRoot "/var/www/node-metrics-{{ inventory_hostname }}/" + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Require all granted + + ErrorLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_insecure_error.log" + ServerSignature Off + CustomLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_insecure_access.log" combined + Redirect permanent / https://node-metrics-{{ inventory_hostname }}/ + + + + ServerName node-metrics-{{ inventory_hostname }} + ServerAdmin webmaster@susurrando.com + DocumentRoot "/var/www/node-metrics-{{ inventory_hostname }}/" + + Options -Indexes +FollowSymLinks + AllowOverride None + Require all granted + + ErrorLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_ssl_error_ssl.log" + ServerSignature Off + CustomLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_ssl_access_ssl.log" combined + ErrorDocument 404 /notfound.php + ErrorDocument 500 /error500.php + ErrorDocument 503 /error503.php + RewriteEngine On + SSLEngine on + SSLCertificateFile "/etc/letsencrypt/live/node-metrics-{{ inventory_hostname }}/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/node-metrics-{{ inventory_hostname }}/privkey.pem" + SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1 + SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + DefineExternalAuth mysqlauth pipe /usr/local/bin/mysql-auth.pl + SSLHonorCipherOrder on + ProxyPass / http://127.0.0.1:9100/ + ProxyPassReverse / http://127.0.0.1:9100/ + + + + ServerName postfix-metrics-{{ inventory_hostname }} + DocumentRoot "/var/www/postfix-metrics-{{ inventory_hostname }}/" + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Require all granted + + ErrorLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_insecure_error.log" + ServerSignature Off + CustomLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_insecure_access.log" combined + Redirect permanent / https://postfix-metrics-{{ inventory_hostname }}/ + + + + ServerName postfix-metrics-{{ inventory_hostname }} + ServerAdmin webmaster@susurrando.com + DocumentRoot "/var/www/postfix-metrics-{{ inventory_hostname }}/" + + Options -Indexes +FollowSymLinks + AllowOverride None + Require all granted + + ErrorLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_ssl_error_ssl.log" + ServerSignature Off + CustomLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_ssl_access_ssl.log" combined + ErrorDocument 404 /notfound.php + ErrorDocument 500 /error500.php + ErrorDocument 503 /error503.php + RewriteEngine On + SSLEngine on + 
SSLCertificateFile "/etc/letsencrypt/live/postfix-metrics-{{ inventory_hostname }}/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/postfix-metrics-{{ inventory_hostname }}/privkey.pem" + SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + DefineExternalAuth mysqlauth pipe /usr/local/bin/mysql-auth.pl + SSLHonorCipherOrder on + ProxyPass / http://127.0.0.1:9154/ + ProxyPassReverse / http://127.0.0.1:9154/ + \ No newline at end of file
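Review bot: Both HTTPS vhosts proxy the exporters (`ProxyPass / http://127.0.0.1:9100/` and `http://127.0.0.1:9154/`) under `Require all granted` with no `AuthType` or `Require valid-user`, so on hosts in the `external` group the node and postfix metrics are readable by anyone who can reach port 443. `DefineExternalAuth mysqlauth pipe /usr/local/bin/mysql-auth.pl` is declared in both vhosts but nothing references it, so it currently authenticates nothing; the rendering of this hunk has lost the `<VirtualHost>`/`<Directory>` container lines, so exactly which section holds `Require all granted` is inferred. Wiring the declared provider into a `<Location />` block in each HTTPS vhost (below) closes the gap. Two smaller points: the `ErrorDocument ... .php` entries are unreachable because `/` is proxied, and `DES-CBC3-SHA`/`CAMELLIA` can be dropped from `SSLCipherSuite` now that `SSLProtocol` already excludes TLS 1.0/1.1.
```apacheconf
    ProxyPass / http://127.0.0.1:9100/
    ProxyPassReverse / http://127.0.0.1:9100/
    <Location />
        AuthType Basic
        AuthName "node-metrics"
        AuthBasicProvider external
        AuthExternal mysqlauth
        Require valid-user
    </Location>
# … unchanged: rest of the node-metrics vhost; repeat the <Location /> block in the postfix-metrics vhost after its ProxyPassReverse to 127.0.0.1:9154 …
```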