working on prometheus + grafana

80a184f8 · Karl Grube · 7d3036cc · 80a184f8 · 80a184f8 · 80a184f8
Commit 80a184f8 authored 2 years ago by Karl Grube
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,3 +4,7 @@
  service:
    name: prometheus
    state: restarted
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
--- a/tasks/all.yml
+++ b/tasks/all.yml
 ---

- name: prometheus installed
+- name: base packages installed
  package:
-    name: prometheus
+    name: 
+    - prometheus
+    - nginx
 - name: prometheus started and enabled
  service:
    name: prometheus
@@ -14,3 +16,16 @@
    dest: /etc/prometheus/prometheus.yml
  notify: restart prometheus
  tags: prometheus_conf
+- name: prometheus site template
+  template:
+    src: prometheus_site.j2
+    dest: /etc/nginx/sites-available/prometheus
+  notify: reload nginx
+  tags: nginx
+- name: site link
+  file:
+    state: link
+    path: /etc/nginx/sites-enabled/prometheus
+    src: ../sites-available/prometheus
+  notify: reload nginx
+  tags: nginx
--- a/templates/prometheus.yml.j2
+++ b/templates/prometheus.yml.j2
@@ -34,8 +34,6 @@ scrape_configs:
    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

-    static_configs:
-      - targets: ['localhost:9090']
  - job_name: dns_scrape
    scheme: https
    tls_config:

--- a/templates/prometheus_site.j2
+++ b/templates/prometheus_site.j2
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name {{fqdn}};
+  #access_log /var/log/nginx_verbose ssl_verbose;
+
+  location / {
+    if ($ssl_client_s_dn != "CN={{grafana_cn}}" ){
+    return 403;
+    }
+    if ($ssl_client_verify != "SUCCESS"){
+    return 403;
+    }
+    proxy_pass  http://[::1]:9090;
+  }
+  ssl_prefer_server_ciphers on;
+  ssl_protocols TLSv1.3;
+  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+  ssl_certificate '/etc/ssl/step/{{fqdn}}.crt';
+  ssl_certificate_key '/etc/ssl/step/{{fqdn}}.key';
+  ssl_session_timeout 10m;
+  add_header Strict-Transport-Security max-age=15768000;
+
+  ssl_client_certificate '/etc/ssl/step/root.ca.crt';
+  ssl_verify_client on;
+}