Initial commit with previous code

defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# Default values for variables of the role
+# variable_name: value

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Prometheus Node Exporter
+  service:
+    name: prometheus-node-exporter
+    state: restarted

tasks/configure.yml

@@ -0,0 +1,4 @@
+---
+- name: Ensure configuration of prometheus exporters service
+  include_tasks: configure_prometheus_exporters.yml
+  when: "'WSL' not in ansible_facts['kernel']"

tasks/configure_prometheus_exporters.yml

@@ -0,0 +1,55 @@
+---
+- name: Ensure node-exporter is reachable internally
+  ufw:
+    rule: allow
+    port: 9100
+    src: 192.168.1.0/24
+
+- name: Ensure node exporter group exists
+  ansible.builtin.group:
+    name: node_exporter
+
+- name: Ensure prometheus is a member of node_exporter group
+  ansible.builtin.user:
+    name: prometheus
+    append: yes
+    groups:
+      - node_exporter
+
+- name: Ensure node exporter textfile directory exists
+  file:
+    path: /var/lib/prometheus/node-exporter
+    state: directory
+    owner: prometheus
+    group: node_exporter
+    mode: 0775
+
+- name: Ensure textfile directory is enabled for node exporter
+  ansible.builtin.lineinfile:
+    path: /etc/default/prometheus-node-exporter
+    regexp: '^ARGS'
+    line: ARGS="--collector.textfile.directory='/var/lib/prometheus/node-exporter'  --collector.filesystem.ignored-fs-types=dav --collector.zfs --collector.xfs"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+  notify:
+    - Restart Prometheus Node Exporter
+  when: "ansible_hostname == 'hiljainen' or ansible_hostname == 'deu1.susurrando.com'"
+
+- name: Ensure textfile directory is enabled for node exporter
+  ansible.builtin.lineinfile:
+    path: /etc/default/prometheus-node-exporter
+    regexp: '^ARGS'
+    line: ARGS="--collector.textfile.directory='/var/lib/prometheus/node-exporter'  --collector.filesystem.ignored-fs-types=dav"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+  notify:
+    - Restart Prometheus Node Exporter
+  when: "ansible_hostname != 'hiljainen' and ansible_hostname != 'deu1.susurrando.com'"
+
+- name: Ensure configuration of prometheus exporters for external servers
+  include_tasks: configure_prometheus_exporters_external.yml
+  when: "'external' in group_names"

tasks/configure_prometheus_exporters_certificates.yml

@@ -0,0 +1,33 @@
+---
+- name: Ensure UFW is enabled and accepting HTTPS traffic
+  ufw:
+    state: enabled
+    policy: deny
+    rule: allow
+    to_port: '443'
+
+- name: Ensure UFW is enabled and accepting HTTP traffic
+  ufw:
+    state: enabled
+    policy: deny
+    rule: allow
+    to_port: '80'
+
+- name: Ensure certbot is installed
+  apt:
+    name: certbot
+
+- name: Stop Apache2 to request certificate
+  service:
+    name: apache2
+    state: stopped
+
+- name: Request certificate for node-metrics
+  shell: "certbot certonly --agree-tos --email certs@susurrando.com --standalone -n -d node-metrics-{{ inventory_hostname }}"
+  args:
+    creates: "/etc/letsencrypt/live/node-metrics-{{ inventory_hostname }}/fullchain.pem"
+
+- name: Request certificate for postfix-metrics
+  shell: "certbot certonly --agree-tos --email certs@susurrando.com --standalone --agree-tos --email gestor@susurrando.com -n -d postfix-metrics-{{ inventory_hostname }}"
+  args:
+    creates: "/etc/letsencrypt/live/postfix-metrics-{{ inventory_hostname }}/fullchain.pem"

tasks/configure_prometheus_exporters_external.yml

@@ -0,0 +1,77 @@
+---
+- name: Ensure UFW is enabled and accepting HTTPS traffic
+  ufw:
+    state: enabled
+    policy: deny
+    rule: allow
+    to_port: '443'
+
+- name: Ensure UFW is enabled and accepting HTTP traffic
+  ufw:
+    state: enabled
+    policy: deny
+    rule: allow
+    to_port: '80'
+
+
+- name: Ensure the document root exists for node exporter
+  file:
+    path: "/var/www/node-metrics-{{ ansible_fqdn }}/"
+    state: directory
+    owner: www-data
+- name: Ensure the document root exists postfixnode exporter
+  file:
+    path: "/var/www/postfix-metrics-{{ ansible_fqdn }}/"
+    state: directory
+    owner: www-data
+- name: Enable the Apache2 SSL module
+  community.general.apache2_module:
+    state: present
+    name: ssl
+- name: Enable the Apache2 rewrite module
+  community.general.apache2_module:
+    state: present
+    name: rewrite
+- name: Enable the Apache2 authnz_external module
+  community.general.apache2_module:
+    state: present
+    name: authnz_external
+- name: Enable the Apache2 proxy module
+  community.general.apache2_module:
+    state: present
+    name: proxy
+- name: Enable the Apache2 proxy_http module
+  community.general.apache2_module:
+    state: present
+    name: proxy_http
+- name: Enable the Apache2 proxy_wstunnel module
+  community.general.apache2_module:
+    state: present
+    name: proxy_wstunnel
+- name: Enable the Apache2 authnz_external module
+  community.general.apache2_module:
+    state: present
+    name: authnz_external
+# Add DNS entries in OVH
+- name: Check if certificates exist
+  stat:
+    path: "/etc/letsencrypt/live/node-metrics-{{ ansible_fqdn }}/fullchain.pem"
+  register: node_certificate
+- name: Request certificates for node and postfix
+  include_tasks: configure_prometheus_exporters_certificates.yml
+  when: not node_certificate.stat.exists
+- name: Ensure virtual hosts configuration is deployed
+  template:
+    src: templates/apache2.conf.j2
+    dest: /etc/apache2/sites-available/25-metrics-exporters.conf
+    backup: yes
+- name: Ensure virtual hosts configuration is enabled
+  file:
+    dest: /etc/apache2/sites-enabled/25-metrics-exporters.conf
+    src: /etc/apache2/sites-available/25-metrics-exporters.conf
+    state: link
+
+- name: Start Apache2 after request certificate
+  service:
+    name: apache2
+    state: started

tasks/install.yml

@@ -0,0 +1,5 @@
+---
+- name: Ensure software for Prometheus node exporter is installed
+  package:
+    name:
+      - prometheus-node-exporter

tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Ensure installation
+  include_tasks: install.yml
+- name: Ensure configuration
+  include_tasks: configure.yml

templates/apache2.conf.j2

@@ -0,0 +1,81 @@
+<VirtualHost *:80>
+  ServerName node-metrics-{{ inventory_hostname }}
+  DocumentRoot "/var/www/node-metrics-{{ inventory_hostname }}/"
+  <Directory "/var/www/node-metrics-{{ inventory_hostname }}/">
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+  ErrorLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_insecure_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_insecure_access.log" combined
+  Redirect permanent / https://node-metrics-{{ inventory_hostname }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName node-metrics-{{ inventory_hostname }}
+  ServerAdmin webmaster@susurrando.com
+  DocumentRoot "/var/www/node-metrics-{{ inventory_hostname }}/"
+  <Directory "/var/www/node-metrics-{{ inventory_hostname }}/">
+    Options -Indexes +FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+  ErrorLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_ssl_error_ssl.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/node-metrics-{{ inventory_hostname }}_ssl_access_ssl.log" combined
+  ErrorDocument 404 /notfound.php
+  ErrorDocument 500 /error500.php
+  ErrorDocument 503 /error503.php
+  RewriteEngine On
+  SSLEngine on
+  SSLCertificateFile      "/etc/letsencrypt/live/node-metrics-{{ inventory_hostname }}/fullchain.pem"
+  SSLCertificateKeyFile   "/etc/letsencrypt/live/node-metrics-{{ inventory_hostname }}/privkey.pem"
+  SSLProtocol             all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
+  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+  DefineExternalAuth mysqlauth pipe /usr/local/bin/mysql-auth.pl
+    SSLHonorCipherOrder     on
+    ProxyPass / http://127.0.0.1:9100/
+    ProxyPassReverse / http://127.0.0.1:9100/
+</VirtualHost>
+
+<VirtualHost *:80>
+  ServerName postfix-metrics-{{ inventory_hostname }}
+  DocumentRoot "/var/www/postfix-metrics-{{ inventory_hostname }}/"
+  <Directory "/var/www/postfix-metrics-{{ inventory_hostname }}/">
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+  ErrorLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_insecure_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_insecure_access.log" combined
+  Redirect permanent / https://postfix-metrics-{{ inventory_hostname }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName postfix-metrics-{{ inventory_hostname }}
+  ServerAdmin webmaster@susurrando.com
+  DocumentRoot "/var/www/postfix-metrics-{{ inventory_hostname }}/"
+  <Directory "/var/www/postfix-metrics-{{ inventory_hostname }}/">
+    Options -Indexes +FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+  ErrorLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_ssl_error_ssl.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/postfix-metrics-{{ inventory_hostname }}_ssl_access_ssl.log" combined
+  ErrorDocument 404 /notfound.php
+  ErrorDocument 500 /error500.php
+  ErrorDocument 503 /error503.php
+  RewriteEngine On
+  SSLEngine on
+  SSLCertificateFile      "/etc/letsencrypt/live/postfix-metrics-{{ inventory_hostname }}/fullchain.pem"
+  SSLCertificateKeyFile   "/etc/letsencrypt/live/postfix-metrics-{{ inventory_hostname }}/privkey.pem"
+  SSLProtocol             all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
+  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+  DefineExternalAuth mysqlauth pipe /usr/local/bin/mysql-auth.pl
+    SSLHonorCipherOrder     on
+    ProxyPass / http://127.0.0.1:9154/
+    ProxyPassReverse / http://127.0.0.1:9154/
+</VirtualHost>