Merge pull request #19 from DO1JLR/u

update monitoring

.gitmodules

@@ -135,3 +135,6 @@
 [submodule "collections/ansible_collections/community/general"]
 	path = collections/ansible_collections/community/general
 	url = https://github.com/ansible-collections/community.general.git
+[submodule "roles/l3d.nginx_exporter"]
+	path = roles/l3d.nginx_exporter
+	url = https://github.com/roles-ansible/ansible_role_nginx_exporter

collections/ansible_collections/ansible/posix

@@ -1 +1 @@
-Subproject commit 2f699307c75ab26e8fc4b77c74943e639fbe6615
+Subproject commit 719f7dfebf214388d68ed9d431cc471d961325a7

collections/ansible_collections/community/crypto

@@ -1 +1 @@
-Subproject commit e9dbc1a5a58a981c5003fea1136d3f57e4ac9943
+Subproject commit f2ebae635a5e50a91f3a03576b73347b38271408

collections/ansible_collections/community/general

@@ -1 +1 @@
-Subproject commit 21cd65fccf41d3c365572ec7f443214ba474f125
+Subproject commit af5da7d412a6d1e262715a05d40e091d8ed6b08b

collections/ansible_collections/community/mysql

@@ -1 +1 @@
-Subproject commit 0dbedf57cb988c3a5c3444f79d2da996e101edf1
+Subproject commit 8dfab12bae0dfe9bbcb4d40f7cdd7670e457c5fa

group_vars/all/vault.yml

@@ -1,9 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-33653433393063643435616663326534343238633130313062613137306536343464306665376632
-6436333534383464356332316437353165396138643565340a323032316666643339623061626537
-64343366353261616339643661343830343965626136623337316261656666653735313433313031
-3533313336383766330a353532656538393038376266646564636166316333636432316535396639
-61333532326461393065653336613366323030356330366262343430396537346232373966636636
-32613637353335303565656233346263353266623864313062643335313863333634376563346134
-38613836646332653235636439356261633138613862633465393463383265383031313133363762
-30356464333566343739
+62313734366533326334646163383462373265303264643366323937666564653064383037623931
+3831643363613132376165373936306638366439613536650a383536663736313232623965313362
+34366438343164353836333739316261363233366463613964636665306232333534633434643164
+3930333935356131620a613931343230383862353639663862356139663664356163623938376561
+35383464386237363736313265613137656530323165613965633463376464366133376430613965
+33623464383730396265613536336437303964333763633563616662313762346235316531313139
+62373134393865306562346332613361623534396433666232333665336139333730313362353539
+64386135346638643234653536353439646235303634306362376463343135386464663962333934
+65376265353436353038333830636566343834643737333537376235613038343661646431373131
+35633065333233383334383661666533353765653230653361366461613138613935383165623739
+326231316564393161333839393733616531

host_vars/mail01.l3d.space/vars.yml

@@ -44,11 +44,16 @@ postfix__db_user: "{{ _mailserver__mysql_user }}"
 postfix__db_password: "{{ _mailserver__mysql_password }}"
 postfix__db_name: "{{ _mailserver__mysql_database }}"
 
+acme_domain_unwant_list: []
+#  - name: 'example.com'
+
 nginx_sites:
   - name: 'mail.l3d.space'
     webroot:
       user: 'mailwebuser'
   - name: "{{ mailserver_domain }}"
+  - name: 'node-exporter.mail01.l3d.space'
+  - name: 'nginx-exporter.mail01.l3d.space'
 
 # letsencrypt
 acme_notification_email: "{{ _acme_notification_email }}"
@@ -110,3 +115,7 @@ fail2ban_jail_configuration:
     section: 'dovecot'
 
 nginx__infrastructure_domain__enabled: false
+
+# l3d.nginx_exporter
+nginx_exporter_listen_address: '127.0.0.1:9113'
+nginx_exporter_scrape_uri: 'https://node-exporter.mail01.l3d.space/nginx_status'

host_vars/services.l3d.space/vars.yml

@@ -6,6 +6,8 @@ nginx_sites:
   - name: 'etebase.l3d.ch'
   - name: 'grafana.l3d.ch'
   - name: 'www.grafana.l3d.ch'
+  - name: 'node-exporter.services.l3d.space'
+  - name: 'nginx-exporter.services.l3d.space'
 
 acme_notification_email: "{{ _acme_notification_email }}"
 
@@ -29,3 +31,19 @@ acme_reload_services:
 # grafana.grafana-grafana
 grafana_address: '127.0.0.1'
 grafana_instance: 'grafana.l3d.ch'
+grafana_users:
+  allow_sign_up: false
+  auto_assign_org_role: Viewer
+  default_theme: dark
+
+grafana_dashboards:
+  - dashboard_id: '1860'
+    revision_id: '33'
+    datasource: '{{ grafana_datasources.0.name }}'
+  - dashboard_id: '12708'
+    revision_id: '1'
+    datasource: '{{ grafana_datasources.0.name }}'
+
+# l3d.nginx_exporter
+nginx_exporter_listen_address: '127.0.0.1:9113'
+nginx_exporter_scrape_uri: 'https://node-exporter.services.l3d.space/nginx_status'

host_vars/services.l3d.space/vault.yml

@@ -1,26 +1,82 @@
 $ANSIBLE_VAULT;1.1;AES256
-38633637643839303839303663643461313236656466336463376361623338306161323735646431
-3664666664656463323737313734343532386136333764620a363638666263383262616137633130
-36616665616632346439633832346662323833616163333835666536383433383462616364376133
-3937373938383963640a626336323432626463363065346663396537343961386131326534623661
-36656535383135313562613338343136386466316231626162313833656232363633336236636164
-62653937316331313331626436366130386164353264636435373365653432393463326661623334
-39656465663130343838663839626432396361343065396237616536386430633061303463393831
-62366139333530656431616663383063656662616236396535383931386534366232666134653438
-34333135666161643565333736656433396134663765616534303865353635363366323739646131
-61363937343733323036636236336336646538636239663739373234393030616664346561396230
-36633364343233376637376439623631303030636564353866386638636432613232346438366465
-63376664666462396162623832393532666265326466383735316638613064336331323861616236
-34393238313739396163646335396564353438626630393830633961316136633863633732393635
-33373138353936323934663130636266343836316139356462616431313733333239623062343132
-35616533633865376238356265646437353436383062666237613266616634643764643764313631
-63343331623932383336363765303431353737653735653131623466363334346665316632313438
-64316532646630366563393839363938376465316661313761346461343465626536393263666337
-32643561623535303034663964376439343039653862333063363132333835303234636631636433
-37343731376533323630313137343930326538366566306661333366356633373461613939366338
-65383433373633623263333733336634366437633965656132366238313236316561303530333564
-35383430663935303435623165333866386535353035396533336638356634353439633133373562
-35316232393561646262383165613330636464623036353733363438656139623064303937313532
-62376431666635376239363261346537633831643165396331666463666235666436646233396564
-37343635343639383662316330313839656631303237383535643730646164306630303465626434
-31343935346331636435313935666637393261633063396539386530613731396637
+39303134626437393662336266636533656235623863333638306161383663323130363538663563
+3533653865653136616563623365623033623337623433360a336131376135343864633638666264
+61323737613439613035653433666433613030613331666234633833336238386135623035386335
+3137356662626465640a653736363266356435656234656365363035386264333637626130666532
+39373330303363353061346364323035613031343965636435313033376330653032643334306132
+32313262373536396137313336343832633734633361633234393634636637636432623866623431
+64373230316330636533323966613963373533363964666165386233303965376139653263316663
+30633261613764303832663432313166656538353132643531363864353266356431303865663235
+64333665663739336163633933653831623464353962663836613765353935346635323161633831
+38653235353436303934393061353439653732616565643561336438613931656164666136616537
+61643364616632616563313534353139363762643163373339663262653466393065653434653935
+62366166393763353136663331386661643361353634326561643766653963303934383939316665
+31336433633435666564373538316537353531306632306632373031346235663562343731316431
+37353036663666383761373065333937643030353464633433343962626366636437326131653934
+64343461636364336130636566633962613733346430393135303965373635383538666137396335
+37633739633366353765666537336362346530336132376165656135376261623530313831663839
+38663061383564393464333135393731323639353531393964316136333665356166643634316461
+32343734653134343633313630623234636338663935386636656235313635356364336632383462
+64393366313964653833323031633036396264383166643935666331346133663534353937333361
+31383734303636383230386335323030663034303331366264623933646537316638373134663861
+36616334343563373839393063383330636630303132663332643038393933383565656338646436
+35386537333666336663353235333634623935396131663364646264326137343263306631356238
+33326333653336653332393235363265616137616331356566643634333763383762626531633635
+31336333363231643630333361633837386131353264303037386364366264633632343134643365
+33623265363133366639383033316132663431346539343131353664363834316566306464646262
+65303037656363656335346662326461353165633566316661303332666136353537316533306665
+37383862633964333063343333626231393438653838626466393565613466656662623265363166
+63303237656130353132653039333562363638643565363731623135653264393361343932613937
+36623835633466353139633966663531663433303335376437643031353630393365353236306635
+64376134613865393261613330373433666661393731333262663335616232646665333931663038
+64323037303536616566663962633535656664633330623331666239326136623433333931636462
+31626236326336646165623834626566343533363938373635633832623761313030653533646431
+37653763383136643465363335386636306136336632356339653264396532623039653533353036
+36313833363434376538346433313436383035646366353639313461346133383632643334346537
+66363537326537626565393735316636373365386339646264316365303665323234633838316330
+66306566346261373633323862363637653636343338316335373066643130616662323664306336
+34313061343034663262396630353231393930393538623736616337336133393163646635326431
+34393963386364653433323765626566306232616161666536306663636635343238323630353039
+35386331663136383461313866386466336164616635363138306239356334306265393331633062
+38313335633931353232336163643562323636326564643864636236303530303135393132333232
+38643139376534366264633233656334653938306232303631356339356164333335313737346134
+31333135663965393533333737356132383533653161636562346264373132346463346239633162
+64326464356435393963373639613063343764343964643432363165353662393039323039666139
+64306136656236663935333538303437393333363631616463656230663931313432396666616633
+62366336336162393264376137643066633038376332623330336534383235663562366136663762
+39656565336631323431346364666563366561336661316239313231313833633939336638666465
+37376265326433363735656266336339653136386461336531316634626532626138303437313737
+61303232633265383035663666663663623962383331376364313961333237363265653134656361
+39363962396138323761346431636533333234616361306437326666393065303332386439343664
+32306663633565343130663261623337323035333165373062396334356330616635663932616362
+34663331633065613738373631666434633132353664663132386532396365643063363161396430
+65613861653538616263633533323136636235616133383266366362623461323363353361323762
+62326333633564346331333861656564303161643033363935356331306133343066323738656363
+33303966323033643862303235323238633335303065356233656133376433393564643462633232
+32303730313839343931616235623437366330623539636361373165643162343836323731396535
+36316566623231373234306166306239336235613639636234343034663961393339656663313830
+65333366366333343963313533653439643931393363346132636539343631366536373564363832
+30613266663062343262343263306134363539343264636331313132373165353738303538613639
+33363130383463356233383864383738336361633437383639633164383737393432633838396434
+36356230623962376263313466663834626132336331616236313939313034613432633532643161
+62303963336139396566386232316138663562633435396463363534383735303039373836353530
+36323161656566366566356462353834623536313932386632623135653562333134316630376531
+33623362396165313530393739646566366265656665383563643632333336636235343835333362
+39306462316439336133393832316664333736633561313362613765373235373462343638356430
+63336265363763646434623364373139333165613337323635303238353231633165636633336566
+31373130326232653661393765313430633330613439613261646530633139613533313662633538
+65623565373232356166346364303538626164376538633265633261393335633363393136316539
+35303036653932333831303961633364393238663537653763376163333863616138666565666533
+65666530316434333565663336373235353437623433306234393336323065323165323432656236
+30333538376534333431353836636339346137396166633130336262663638376138613530356563
+33373564326231333064663563613637316436333531313037333930636363373030373863373162
+30383835303730323839333265633533656131636633333131643262383132396135366635363035
+64363564306236633537393766623766383530356135346236653531663265336264376530383961
+65386139663664353133633837643538646532386164626438363861316435636133393461666132
+39366663366165363138613063353563653966386561633435306661383935376335663535663065
+32366434323038623338383637366534313263363666646434363737373536373033386639333132
+31333037623864636162613336363133616665663839383262333630616132333663366237366136
+62343661666532626232346563323333336238336662646237366639666336303036393339336433
+66373661313838303363363131313537323661386462306538643663373866646363303935376539
+33346465303836343563363532656164663637656136646137323364333861613932326539393037
+39623265333633343832643237393962373865343932663161373937303831316263

host_vars/web01.l3d.space/vars.yml

@@ -193,6 +193,8 @@ nginx_sites:
     webroot:
       user: 'klima'
   - name: 'www.klima-streik.de'
+  - name: 'node-exporter.web01.l3d.space'
+  - name: 'nginx-exporter.web01.l3d.space'
 
 acme_notification_email: "{{ _acme_notification_email }}"
 
@@ -266,3 +268,7 @@ gitea_attachment_max_size: 35
 gitea_disable_git_hooks: "{{ _gitea_disable_git_hooks }}"
 gitea_disable_registration: "{{ _gitea_disable_registration }}"
 gitea_show_registration_button: "{{ _gitea_show_registration_button }}"
+
+# l3d.nginx_exporter
+nginx_exporter_listen_address: '127.0.0.1:9113'
+nginx_exporter_scrape_uri: 'https://node-exporter.web01.l3d.space/nginx_status'

roles/l3d.nginx_exporter

@@ -0,0 +1 @@
+Subproject commit 379ee27796c3ceb64de1f4f2ad49a50b5a74391f

site.yml

@@ -25,11 +25,12 @@
     - {role: robertdebock.fail2ban, tags: [default, fail2ban], become: true}
 
 - name: Setup Webserver
-  hosts: nginx
+  hosts: all
   roles:
     - {role: do1jlr.webhost, tags: [web, webhost], become: true}
     - {role: do1jlr.acmetool, tags: [web, acmetool], become: true}
     - {role: do1jlr.nginx, tags: [web, nginx]}
+    - {role: l3d.nginx_exporter, tags: [monitoring, nginx, prometheus, exporter]}
 
 
 - name: Deploy web config
@@ -48,6 +49,7 @@
   roles:
     - {role: do1jlr.etebase, tags: [etebase, etesync, calendar, kalender, contacts, kontakte]}
     - {role: grafana.grafana.grafana, tags: [grafana. monitoring]}
+    - {role: prometheus.prometheus.prometheus, tags: [monitoring, prometheus]}
 
 - name: Deploy mail config
   hosts: mail

templates/files/nginx/sites/nginx-exporter.mail01.l3d.space_tls.conf

@@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name nginx-exporter.mail.l3d.space;
+
+  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
+  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
+  include snippets/logging_{{ site.name }}.snippet.conf;
+
+
+  location / {
+    charset utf-8;
+    proxy_pass http://localhost:9113;
+    proxy_read_timeout 3600;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    allow 127.0.0.1;  #  allow requests from localhost
+    allow ::1;  #  allow requests from localhost
+    allow {{ prometheus_v4 }};  # allow prometheus IPv4
+    allow {{ prometheus_v6 }};  # allow prometheus IPv6
+    deny all;   # deny all other hosts
+  }
+}

templates/files/nginx/sites/nginx-exporter.services.l3d.space_tls.conf

@@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name nginx-exporter.services.l3d.space;
+
+  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
+  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
+  include snippets/logging_{{ site.name }}.snippet.conf;
+
+
+  location / {
+    charset utf-8;
+    proxy_pass http://localhost:9113;
+    proxy_read_timeout 3600;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    allow 127.0.0.1;  #  allow requests from localhost
+    allow ::1;  #  allow requests from localhost
+    allow {{ prometheus_v4 }};  # allow prometheus IPv4
+    allow {{ prometheus_v6 }};  # allow prometheus IPv6
+    deny all;   # deny all other hosts
+  }
+}

templates/files/nginx/sites/nginx-exporter.web01.l3d.space_tls.conf

@@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name nginx-exporter.web01.l3d.space;
+
+  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
+  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
+  include snippets/logging_{{ site.name }}.snippet.conf;
+
+
+  location / {
+    charset utf-8;
+    proxy_pass http://localhost:9113;
+    proxy_read_timeout 3600;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    allow 127.0.0.1;  #  allow requests from localhost
+    allow ::1;  #  allow requests from localhost
+    allow {{ prometheus_v4 }};  # allow prometheus IPv4
+    allow {{ prometheus_v6 }};  # allow prometheus IPv6
+    deny all;   # deny all other hosts
+  }
+}

templates/files/nginx/sites/node-exporter.mail01.l3d.space_tls.conf

@@ -0,0 +1,37 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name node-exporter.mail01.l3d.space;
+
+  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
+  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
+  include snippets/logging_{{ site.name }}.snippet.conf;
+
+
+  location / {
+    charset utf-8;
+    proxy_pass http://localhost:9100;
+    client_max_body_size 256M;
+    proxy_read_timeout 3600;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    allow 127.0.0.1;  #  allow requests from localhost
+    allow ::1;  #  allow requests from localhost
+    allow {{ prometheus_v4 }};  # allow prometheus IPv4
+    allow {{ prometheus_v6 }};  # allow prometheus IPv6
+    deny all;   # deny all other hosts
+  }
+  location /nginx_status {
+    stub_status;
+    allow 127.0.0.1;  # allow requests from localhost
+    allow ::1;  # allow requests from localhost
+{% for ipv4 in ansible_all_ipv4_addresses %}
+    allow {{ ipv4 }};  # allow local ipv4 address
+{% endfor %}
+{% for ipv6 in ansible_all_ipv6_addresses %}
+    allow {{ ipv6 }};  # allow local ipv6 address
+{% endfor %}
+    deny all;   # deny all other hosts
+ }
+}

templates/files/nginx/sites/node-exporter.services.l3d.space_tls.conf

@@ -0,0 +1,37 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name node-exporter.services.l3d.space;
+
+  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
+  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
+  include snippets/logging_{{ site.name }}.snippet.conf;
+
+
+  location / {
+    charset utf-8;
+    proxy_pass http://localhost:9100;
+    client_max_body_size 256M;
+    proxy_read_timeout 3600;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    allow 127.0.0.1;  #  allow requests from localhost
+    allow ::1;  #  allow requests from localhost
+    allow {{ prometheus_v4 }};  # allow prometheus IPv4
+    allow {{ prometheus_v6 }};  # allow prometheus IPv6
+    deny all;   # deny all other hosts
+  }
+  location /nginx_status {
+    stub_status;
+    allow 127.0.0.1;  # allow requests from localhost
+    allow ::1;  # allow requests from localhost
+{% for ipv4 in ansible_all_ipv4_addresses %}
+    allow {{ ipv4 }};  # allow local ipv4 address
+{% endfor %}
+{% for ipv6 in ansible_all_ipv6_addresses %}
+    allow {{ ipv6 }};  # allow local ipv6 address
+{% endfor %}
+    deny all;   # deny all other hosts
+ }
+}

templates/files/nginx/sites/node-exporter.web01.l3d.space_tls.conf

@@ -0,0 +1,37 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name node-exporter.web01.l3d.space;
+
+  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
+  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
+  include snippets/logging_{{ site.name }}.snippet.conf;
+
+
+  location / {
+    charset utf-8;
+    proxy_pass http://localhost:9100;
+    client_max_body_size 256M;
+    proxy_read_timeout 3600;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    allow 127.0.0.1;  #  allow requests from localhost
+    allow ::1;  #  allow requests from localhost
+    allow {{ prometheus_v4 }};  # allow prometheus IPv4
+    allow {{ prometheus_v6 }};  # allow prometheus IPv6
+    deny all;   # deny all other hosts
+  }
+  location /nginx_status {
+    stub_status;
+    allow 127.0.0.1;  # allow requests from localhost
+    allow ::1;  # allow requests from localhost
+{% for ipv4 in ansible_all_ipv4_addresses %}
+    allow {{ ipv4 }};  # allow local ipv4 address
+{% endfor %}
+{% for ipv6 in ansible_all_ipv6_addresses %}
+    allow {{ ipv6 }};  # allow local ipv6 address
+{% endfor %}
+    deny all;   # deny all other hosts
+ }
+}

templates/files/nginx/sites/node_exporter.web01.l3d.space_tls

@@ -1,17 +0,0 @@
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-
-  server_name node_exporter.web01.l3d.space;
-
-  include snippets/tls_parameters_{{ site.name }}.snippet.conf;
-  include snippets/tls_certificate_{{ site.name }}.snippet.conf;
-  include snippets/logging_{{ site.name }}.snippet.conf;
-
-  root /srv/www/c3woc.de;
-
-  location / {
-    charset utf-8;
-    try_files $uri $uri/ =404;
-  }
-}