role service-prometheus: add vhost

2018-09-25 10:33:52 +02:00 · 2018-09-25 10:33:52 +02:00 · 13ff110411
parent e8d9e6af90
commit 13ff110411
4 changed files with 53 additions and 0 deletions
--- a/inventory/group_vars/ffmwu-monitoring
+++ b/inventory/group_vars/ffmwu-monitoring
@ -11,6 +11,7 @@ common_repos:
 http_meshviewer_prefix: map
 http_grafana_prefix: stats
 http_lookingglass_prefix: lg
+http_prometheus_prefix: prom

 prometheus_conf_main: prometheus/prometheus.yml.j2

--- a/roles/service-prometheus/defaults/main.yml
+++ b/roles/service-prometheus/defaults/main.yml
@ -15,6 +15,9 @@ alertmanager_version: 0.15.2

 gosu_version: "1.10"

+prometheus_url_external: "{{ http_prometheus_prefix }}.{{ http_domain_external }}"
+prometheus_url_internal: "{{ http_prometheus_prefix }}.{{ http_domain_internal }}"
+
 prometheus_install_path: /opt/prometheus
 prometheus_config_path: /etc/prometheus
 prometheus_rule_path: "{{ prometheus_config_path }}/rules"
--- a/roles/service-prometheus/tasks/prometheus.yml
+++ b/roles/service-prometheus/tasks/prometheus.yml
@ -12,6 +12,11 @@
  set_fact:
    prometheus_default_opts: "{{ prometheus_default_opts }} --web.console.templates={{ prometheus_daemon_dir }}/consoles  --web.console.libraries={{ prometheus_daemon_dir }}/console_libraries"

+- name: install python-passlib
+  package:
+    name: python-passlib
+    state: present
+
 - name: download and untar prometheus tarball
  unarchive:
    src: "{{ prometheus_tarball_url }}"
@ -80,3 +85,22 @@
    name: prometheus
    enabled: yes
    state: started
+
+- name: create htpasswd
+  htpasswd:
+    path: /etc/nginx/htpasswd_prometheus
+    name: admin
+    password: "{{ lookup('passwordstore', 'prometheus/admin') }}"
+    owner: root
+    group: nginx
+    mode: 0640
+  notify: restart nginx
+
+- name: write vhost
+  template:
+    src: prometheus_vhost.conf.j2
+    dest: /etc/nginx/conf.d/prometheus.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart nginx
--- a/roles/service-prometheus/templates/prometheus_vhost.conf.j2
+++ b/roles/service-prometheus/templates/prometheus_vhost.conf.j2
@ -0,0 +1,25 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ prometheus_url_external }} {{ prometheus_url_internal }};
+
+    include /etc/nginx/snippets/redirect-to-ssl.conf;
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ prometheus_url_external }} {{ prometheus_url_internal }};
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location / {
+      auth_basic "Prometheus";
+      auth_basic_user_file /etc/nginx/htpasswd_prometheus;
+      proxy_pass http://127.0.0.1:9090;
+    }
+}