feat(podman_prometheus): initial role for running prometheus in podman

roles/podman_prometheus/templates/home/podman/config/containers/systemd/frontend.network

@@ -0,0 +1,2 @@
+[Network]
+NetworkName=frontend

roles/podman_prometheus/templates/home/podman/config/containers/systemd/prometheus.container

@@ -0,0 +1,13 @@
+[Container]
+ContainerName=prometheus
+Image=quay.io/prometheus/prometheus:v3.8.1
+Network=frontend.network
+Volume=/home/{{ podman_prometheus_podman_rootless_user }}/prometheus-data:/prometheus:rw,Z
+Volume=/home/{{ podman_prometheus_podman_rootless_user }}/file-configs:/file-configs:ro,Z
+Volume=/home/{{ podman_prometheus_podman_rootless_user }}/prometheus.yml:/etc/prometheus/prometheus.yml:ro,Z
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target

roles/podman_prometheus/templates/home/podman/nginx.conf

@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+resolver 10.89.0.1 ipv6=off valid=10s;
+
+# Mitigate httpoxy attack
+proxy_set_header Proxy "";
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ inventory_hostname }};
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://{{ inventory_hostname }}$request_uri;
+    }
+}
+
+upstream prometheus {
+    zone prometheus_upstream 64k;
+	server prometheus:9090 resolve;
+}
+
+server {
+	server_name {{ inventory_hostname }};
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem;
+
+	add_header Strict-Transport-Security "max-age=31536000" always;
+	add_header Referrer-Policy origin always;  # make sure outgoing links don't show the URL to the Prometheus instance
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+  location / {
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    proxy_read_timeout 180;
+    proxy_pass http://prometheus;
+  }
+}

roles/podman_prometheus/templates/home/podman/prometheus.yml

@@ -0,0 +1,33 @@
+global:
+  scrape_interval: 15s
+  external_labels:
+    monitor: '{{ inventory_hostname }}'
+
+scrape_configs:
+  - job_name: 'prometheus'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['localhost:9090']
+  - job_name: 'node'
+    scrape_interval: 5s
+    scheme: https
+    basic_auth:
+      username: metrics
+      password: "{{ node_exporter_password }}"
+    tls_config:
+      insecure_skip_verify: true
+    static_configs:
+      - targets:
+        - 'host.containers.internal:9100'
+{% for host in groups['ipaservers'] %}
+        - '{{ host }}:9100'
+{% endfor %}
+{% for host in groups['keycloak'] %}
+        - '{{ host }}:9100'
+{% endfor %}
+{% for host in groups['generic'] %}
+        - '{{ host }}:9100'
+{% endfor %}
+    file_sd_configs:
+      - files:
+          - "/file-configs/*.yml"