mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00

WireGuard the remaining Prometheus exporters

WireGuard was set up to provide an internal network with confidentiality,
authenticity and integrity[1]. This migrates the remaining Prometheus
exporters to use the internal WireGuard network.

[1] 664deb67 ("WireGuard all hosts")

Fix #384
Kristian Klausen 2022-10-16 16:29:32 +02:00
parent 168a0cfbfd
commit f5f5b4c733
No known key found for this signature in database
GPG Key ID: E2BE346E410366C3
2 changed files with 12 additions and 12 deletions

@ -53,7 +53,7 @@ scrape_configs:
- job_name: 'node_exporter'
static_configs:
{% for host in groups['all'] %}
- targets: ['{{ host }}:{{ prometheus_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
@ -83,7 +83,7 @@ scrape_configs:
- job_name: 'gitlab_runner_exporter'
static_configs:
{% for host in groups['gitlab_runners'] %}
- targets: ['{{ host }}:{{ gitlab_runner_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ gitlab_runner_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
@ -112,7 +112,7 @@ scrape_configs:
- job_name: 'mysqld_exporter'
static_configs:
{% for host in groups['mysql_servers'] %}
- targets: ['{{ host }}:{{ prometheus_mysqld_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_mysqld_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
@ -120,7 +120,7 @@ scrape_configs:
- job_name: 'memcached_exporter'
static_configs:
{% for host in groups['memcached'] %}
- targets: ['{{ host }}:{{ prometheus_memcached_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_memcached_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
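Review bot: The four rewritten `targets` lines index `hostvars[host]['wireguard_address']` for every host in `groups['all']`, `gitlab_runners`, `mysql_servers` and `memcached` with no guard. A host in one of those groups that has no WireGuard address defined would presumably abort rendering of the whole Prometheus configuration, or produce a target with an empty address if undefined handling is relaxed. I would state the requirement once above the first loop, for example `{# scrape over WireGuard: every host in these groups must define wireguard_address #}`. The job definitions start and end outside the hunks shown, so any existing check elsewhere in the template is not visible here.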

@ -221,21 +221,21 @@
when: "'memcached' in group_names"
- name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
when: "'prometheus' not in group_names"
- name: Open gitlab exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
when: "'gitlab_runners' in group_names"
- name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
when: "'mysql_servers' in group_names"
- name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
when: "'memcached' in group_names"
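Review bot: The four firewalld tasks now add the accept rule in `zone=wireguard`, but nothing removes the rule they previously installed with `permanent=true` for the monitoring host's public `ipv4_address` in the default zone. On hosts that were already provisioned, the exporter ports therefore presumably stay open to that public address over the unencrypted path unless the old rule is cleaned up by hand. A matching `state=disabled` task per exporter would make the migration converge; the node exporter one is sketched below and the other three follow the same pattern. The hunk opens on the `when:` of a task that starts above it.

```yaml
- name: Remove old public-address prometheus-node-exporter rule for monitoring.archlinux.org
  ansible.posix.firewalld: state=disabled permanent=true immediate=yes
    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
  when: "'prometheus' not in group_names"
# … same cleanup for the gitlab runner, mysqld and memcached exporter ports …
```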