Updated the Prometheus role

8150411b · Nicolas Baudoin · 7cf85974 · 8150411b · 8150411b · 8150411b
Commit 8150411b authored 1 year ago by Nicolas Baudoin
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -9,3 +9,4 @@ prometheus_client_cn: "prometheus.{{domain_name}}"
 prometheus_federators: []
 prometheus_federator: False
 backup_prometheus: True
+use_service_vrf: False
--- a/tasks/debian.yml
+++ b/tasks/debian.yml
@@ -11,3 +11,10 @@
    src: default_prometheus.j2
  notify: restart prometheus
  tags: prometheus_conf
+
+- name: systemd file
+  template:
+    src: prometheus_systemd.j2
+    dest: /etc/systemd/system/prometheus.service
+  notify: restart prometheus      
+  tags: systemd
\ No newline at end of file
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -10,7 +10,13 @@
 - import_tasks: service.yml

 - include_tasks: "{{ansible_os_family|lower}}.yml"
-  tags: prometheus_conf
+  tags: prometheus_conf,systemd
+
+- name: set my interfaces
+  import_role:
+    name: my_interfaces
+  when: my_interfaces is defined
+  tags: my_interfaces

 - name: client certificates
  import_role:

--- a/templates/prometheus_systemd.j2
+++ b/templates/prometheus_systemd.j2
+[Unit]
+Description=Monitoring system and time series database
+Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1)
+
+[Service]
+Restart=on-failure
+User=prometheus
+EnvironmentFile=/etc/default/prometheus
+ExecStart=/usr/bin/prometheus $ARGS
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+# IP rule adjustments for Prometheus
+{% if use_service_vrf == True %}
+ExecStartPre=+/usr/sbin/ip -6 rule add dport 9100 lookup service priority 900
+ExecStartPre=+/usr/sbin/ip -6 rule add from all sport 9100 lookup service priority 899 
+ExecStop=+/usr/sbin/ip -6 rule del from all sport 9100 lookup service priority 899 
+ExecStop=+/usr/sbin/ip -6 rule del dport 9100 lookup service priority 900
+{% endif %}
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LimitNOFILE=8192
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file