sr2/ansible-collection-core
6
0
Fork 0
Code Issues 6 Pull requests Projects Releases Packages Wiki Activity Actions

more

Browse source
This commit is contained in:
Iain Learmonth 2026-05-25 17:23:34 +01:00
parent c404d08b89
commit 84cf62ab14
7 changed files with 69 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

37
playbooks/services.yml
View file

@ -75,24 +75,6 @@
- role: sr2c.core.podman_headscale - role: sr2c.core.podman_headscale
tags: headscale tags: headscale
- name: Deploy and update the Prometheus server
hosts:
- prometheus
roles:
- role: sr2c.core.baseline
vars:
baseline_epel_packages_allowed:
- node-exporter
tags: bootstrap
- role: freeipa.ansible_freeipa.ipaclient
become: true
state: present
tags: bootstrap
- role: sr2c.core.node_exporter
tags: prometheus
- role: sr2c.core.podman_prometheus
tags: prometheus
- name: Baseline for generic servers (manual or externally managed application deployment) - name: Baseline for generic servers (manual or externally managed application deployment)
hosts: hosts:
- generic - generic
@ -131,3 +113,22 @@
tags: prometheus tags: prometheus
- role: sr2c.core.radius - role: sr2c.core.radius
tags: radius tags: radius
- name: Deploy and update the Prometheus server
hosts:
- prometheus
roles:
- role: sr2c.core.baseline
vars:
baseline_epel_packages_allowed:
- node-exporter
tags: bootstrap
- role: freeipa.ansible_freeipa.ipaclient
become: true
state: present
tags: bootstrap
- role: sr2c.core.node_exporter
tags: prometheus
- role: sr2c.core.podman_prometheus
tags: prometheus

12
roles/baseline/tasks/tailscale.yml
View file

@ -38,3 +38,15 @@
when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
no_log: yes # Hide auth key from logs no_log: yes # Hide auth key from logs
become: true become: true
- name: Tailscale | PATCH | Add Tailscale interface to internal zone
ansible.posix.firewalld:
zone: internal
interface: "{{ item }}"
permanent: yes
immediate: yes
state: enabled
with_items:
- tailscale0
become: true

48
roles/node_exporter/tasks/main.yml
View file

@ -1,6 +1,7 @@
--- ---
- name: Node Exporter | AUDIT | Get Tailscale IP - name: Node Exporter | AUDIT | Get Tailscale IP address
ansible.builtin.shell: tailscale ip -4 2>/dev/null become: true
ansible.builtin.shell: tailscale ip -4
register: node_exporter_tailscale_ipv4 register: node_exporter_tailscale_ipv4
changed_when: false changed_when: false
@ -10,52 +11,12 @@
name: node-exporter name: node-exporter
state: present state: present
- name: Node Exporter | PATCH | Generate private TLS key
community.crypto.openssl_privatekey:
path: /etc/ssl/node-exporter.key
size: 4096
owner: prometheus
group: root
mode: '0440'
become: true
- name: Node Exporter | PATCH | Create certificate signing request
community.crypto.openssl_csr:
path: /etc/ssl/node-exporter.csr
privatekey_path: /etc/ssl/node-exporter.key
common_name: "{{ inventory_hostname }}"
subject_alt_name: "DNS:{{ inventory_hostname }}"
owner: root
group: root
mode: '0400'
become: true
- name: Generate self-signed certificate
community.crypto.x509_certificate:
provider: selfsigned
path: /etc/ssl/node-exporter.crt
privatekey_path: /etc/ssl/node-exporter.key
csr_path: /etc/ssl/node-exporter.csr
owner: prometheus
group: root
mode: '0440'
become: true
- name: Node Exporter | PATCH | Install node-exporter web configuration
become: true
ansible.builtin.template:
src: etc/node-exporter-web.yml
dest: /etc/node-exporter-web.yml
owner: root
group: root
mode: "0444"
- name: Node Exporter | PATCH | Set command line arguments - name: Node Exporter | PATCH | Set command line arguments
become: true become: true
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/default/prometheus-node-exporter path: /etc/default/prometheus-node-exporter
regexp: "^ARGS" regexp: "^ARGS"
line: "ARGS='--web.config.file=\"/etc/node-exporter-web.yml\"{% if node_exporter_textfile_directory is defined %} --collector.textfile.directory {{ node_exporter_textfile_directory }}{% endif %}'" line: "ARGS='--web.listen-address={{ node_exporter_tailscale_ipv4.stdout }}:9100{% if node_exporter_textfile_directory is defined %} --collector.textfile.directory {{ node_exporter_textfile_directory }}{% endif %}'"
notify: Restart Node Exporter notify: Restart Node Exporter
- name: Node Exporter | PATCH | Ensure node-exporter is enabled and running - name: Node Exporter | PATCH | Ensure node-exporter is enabled and running
@ -83,6 +44,7 @@
become: true become: true
ansible.posix.firewalld: ansible.posix.firewalld:
service: node-exporter service: node-exporter
zone: internal
permanent: true permanent: true
state: enabled state: enabled
immediate: true immediate: true

8
roles/podman_prometheus/handlers/main.yml
View file

@ -23,6 +23,14 @@
become: true become: true
become_user: "{{ podman_prometheus_podman_rootless_user }}" become_user: "{{ podman_prometheus_podman_rootless_user }}"
- name: Restart Prometheus-TS
ansible.builtin.systemd_service:
name: prometheus-ts
scope: user
state: restarted
become: true
become_user: "{{ podman_prometheus_podman_rootless_user }}"
- name: Restart nginx - name: Restart nginx
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: nginx name: nginx

4
roles/podman_prometheus/tasks/main.yml
View file

@ -111,10 +111,13 @@
- alertmanager.container - alertmanager.container
- grafana.container - grafana.container
- prometheus.container - prometheus.container
- prometheus-ts.container
become: true become: true
notify: notify:
- Restart Alertmanager
- Restart Grafana - Restart Grafana
- Restart Prometheus - Restart Prometheus
- Restart Prometheus-TS
- name: Podman Prometheus | PATCH | Install network quadlets - name: Podman Prometheus | PATCH | Install network quadlets
ansible.builtin.template: ansible.builtin.template:
@ -178,6 +181,7 @@
- grafana - grafana
- nginx - nginx
- prometheus - prometheus
- prometheus-ts
become: true become: true
become_user: "{{ podman_prometheus_podman_rootless_user }}" become_user: "{{ podman_prometheus_podman_rootless_user }}"

16
roles/podman_prometheus/templates/home/podman/config/containers/systemd/prometheus-ts.container Normal file
View file

@ -0,0 +1,16 @@
[Container]
ContainerName=prometheus-ts
Image=docker.io/tailscale/tailscale:latest
HostName=prometheus
Environment=TS_AUTH_KEY={{ podman_prometheus_ts_auth_key }}
Environment=TS_STATE_DIR=/var/lib/tailscale
Environment=TS_USERSPACE=true
Environment=TS_EXTRA_ARGS="--login-server https://hs.sr2.uk/"
Network=monitor.network
[Service]
Restart=on-failure
[Install]
WantedBy=default.target

15
roles/podman_prometheus/templates/home/podman/prometheus.yml
View file

@ -13,26 +13,21 @@ scrape_configs:
- targets: ['alertmanager:9093'] - targets: ['alertmanager:9093']
- job_name: 'node' - job_name: 'node'
scrape_interval: 5s scrape_interval: 5s
scheme: https scheme: http
basic_auth:
username: metrics
password: "{{ node_exporter_password }}"
tls_config:
insecure_skip_verify: true
static_configs: static_configs:
- targets: - targets:
- 'host.containers.internal:9100' - 'host.containers.internal:9100'
{% for host in groups['ipaservers'] %} {% for host in groups['ipaservers'] %}
- '{{ host }}:9100' - "{{ hostvars[host]['node_exporter_tailscale_ipv4'].stdout }}:9100"
{% endfor %} {% endfor %}
{% for host in groups['keycloak'] %} {% for host in groups['keycloak'] %}
- '{{ host }}:9100' - "{{ hostvars[host]['node_exporter_tailscale_ipv4'].stdout }}:9100"
{% endfor %} {% endfor %}
{% for host in groups['radius'] %} {% for host in groups['radius'] %}
- '{{ host }}:9100' - "{{ hostvars[host]['node_exporter_tailscale_ipv4'].stdout }}:9100"
{% endfor %} {% endfor %}
{% for host in groups['generic'] %} {% for host in groups['generic'] %}
- '{{ host }}:9100' - "{{ hostvars[host]['node_exporter_tailscale_ipv4'].stdout }}:9100"
{% endfor %} {% endfor %}
file_sd_configs: file_sd_configs:
- files: - files: