Add Monitoring host

2023-03-30 21:51:23 +02:00 · 2023-03-30 21:51:23 +02:00 · f2cd3c991b
parent 936bbf7ecd
commit f2cd3c991b
9 changed files with 226 additions and 17 deletions
--- a/coreos-config/host_vars/mon1.hel1.chaoswg.org/vault.yaml
+++ b/coreos-config/host_vars/mon1.hel1.chaoswg.org/vault.yaml
@ -0,0 +1,60 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+31653262313736623962393333616632653938646364643062383266643237343032326637356462
+3032363766336231636665633736616637363661303634320a393033393239356234623661353461
+38376630623233616632636234643039663235373035633132636666363133633030353938373461
+3539383935333036640a626330376666396565663137363366616432343365393931643233363730
+35313339373838313534616562313662313932343565323636626337393737323337616635336666
+33313463353339306563333537663139616231386331333636343132396663613137636332383638
+66363164343833353164356136306135333038613264363663346232393237373266323237353639
+34643236613763323364306161353735663030653361336364306366336330326331366463646163
+64626436386461393033336136666466313030383531396464646632333939313335383738303838
+34613663663665306337656530663234316132303062323966633332393165326133643639633263
+32346465323032623837323034646462643038356339613234383332623962626631366262333564
+61356132633135666630376461646366333939316435336566363139303032623563646563316536
+62326230643866653665363536663137383534346165646563636437346361613865396437623664
+35366139666538663937356337356437353135306336333262356363613063363334663837376561
+37333134323861326261343333323061343936326439623439656135613734326531306630336432
+36356362363230646561303266396135343935316236313162663133393833356163363535336265
+37373637353337306135393330363266653538353863353637396263333061316230653032326237
+66326331336238333230303566333961636165343265623264396138633237623061623566653036
+30613330653235303336643135383833636337346264383731303837303565333861386464616138
+31373363316338626237376133333636643136346466616130353934323237316365366563666536
+32656362363864363362633734316536623433353164323236303830316334323639303639633633
+62353439353465393532636462316163643438376336316439373739666233646630353661393466
+34336535396231663762643736323461656239396262376262663434393865373461623737663762
+62303365356664633363323461396164626266613935303036373938356130373132643164306462
+63356562343932373362386564363337653161363836333062396266363931373938323066393766
+64623634373835373138316636346537326661333462623839303366386566383231376339653034
+37336561373961636334623462303834323363663339333035396263653030643534386431323065
+62373965376666363033653230643134343363396261373239313839656234363032333632396339
+32636562663733396361323865623039636334643732666536633734643764316165666162363231
+64356236386164653335613765396639363363643935653862326638323031653364646137356366
+64366266376162653561333035396433653162316365623234613538363534303762663138396138
+32366335393064356234323931373833336563306264633264633366323266376364343566633739
+31383437353138643833376431623165616439356434643236343763626235333933613036323934
+36613862383232656531646365373930363830646132373664616365666264336264383538306463
+63353037353938633366336535306166633238663331386339396563616336313765646565316164
+36343866343532373639363662666235653932396535383935666166643535366539623265613365
+38616561656539363839323136646533643937383165386131353138363466646237313136326139
+61383466343238396439356132613565363436303234373334643461303334353366346366636235
+32616661356664626431663539646663343661613039653438323339353765353931623632336233
+37346561333239366337643133653238643231613938326136376664616563346335333935353738
+35626137353533613866626338303266356139373134343462656239633330623964376537396162
+63626339356130326363633731363662393737623031663566386530623666346531653931656138
+38646564363239326636393138623465306233316631346531373430383839353465646166633261
+65313062353338303261313461356662626131663538303535336333393363373437633336396534
+30373866366539646133393530396535363063303534303533303735616437336362333831636461
+66313230666463303330336561383234373130313731343732646239333031366235633238363563
+35616266346463363034303237623062626261666638323734343330623565333637663266303635
+33626662643363373064666461323337613635323239333761386237326237646465653339323433
+65623837663965666666643230346265323362613635653930313236666338383935316337356533
+64613462323565353732666234636365613366366630373533633130303064663830333437623631
+65666439623364616561373936643536626165613339396363323630383665616130333630316266
+38643737396263653966623534396434363266643037626134303433393437623434343861343363
+36623464643937646166333438623763396365643332666466306262313633313036333736353935
+36353931383732376362613433636338633565653530666464613965333732363165623437303461
+32383462333731393932313462646561373966363533613236616435643363336661306636613761
+39666463373933373963636535663737633035396332373261333133383964626435303436386265
+39326336313534623834626265313861393831656133323438396630353063653036623136633132
+66383833393038323763336666336363313331326636656536636633666536666635333735366533
+636662373161333330346662336161643233
--- a/coreos-config/playbook.yaml
+++ b/coreos-config/playbook.yaml
@ -101,7 +101,7 @@
  vars:
    state: present
  roles:
-    - { role: compose_project, service: traefik }
+    - { role: compose_project, service: traefik, with_fa: true }
    - { role: compose_project, service: keycloak }
    - { role: compose_project, service: minio }
    - { role: compose_project, service: repo_proxy }
@ -133,4 +133,35 @@
    - { role: compose_project, service: wireguard }
    - { role: compose_project, service: watchtower }
    - { role: compose_project, service: gitea-runner }
+
+- name: Base Setup Monitoring
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - { role: compose_project, service: traefik }
+    - { role: compose_project, service: pantalaimon }
+    - { role: compose_project, service: watchtower }
+
+- name: Setup Monitoring Kuma 1
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "tobias"
+        url: "status.tobiasmanske.de"
+
+- name: Setup Monitoring Kuma 2
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "istannen"
+        url: "monitor.ialistannen.de"
 ...
--- a/coreos-config/roles/compose_project/tasks/main.yml
+++ b/coreos-config/roles/compose_project/tasks/main.yml
@ -2,11 +2,11 @@

 - name: Set service_dir
  ansible.builtin.set_fact:
-    service_dir: "{{ compose_dir | mandatory }}/{{ service | mandatory }}"
+    service_dir: "{{ compose_dir | mandatory }}/{{ service | mandatory }}{% if service_name is defined %}-{{ service_name }}{% endif %}"
    cacheable: true

 - ansible.builtin.debug:
-    msg: "Working on {{ service }}"
+    msg: "Working on {{ service }}{% if service_name is defined %}-{{ service_name }}{% endif %}"
    verbosity: 0

 - include_tasks: create.yml
--- a/coreos-config/roles/compose_project/templates/kuma/.env
+++ b/coreos-config/roles/compose_project/templates/kuma/.env
@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=kuma-{{ service_name|default("kuma") }}
--- a/coreos-config/roles/compose_project/templates/kuma/docker-compose.yaml
+++ b/coreos-config/roles/compose_project/templates/kuma/docker-compose.yaml
@ -0,0 +1,28 @@
+{% set _name = service_name|default("kuma") %}
+{% set _url = url|default(kuma.url)|mandatory %}
+---
+services:
+  kuma:
+    image: louislam/uptime-kuma:latest
+    restart: unless-stopped
+    volumes:
+      - data:/app/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.kuma-{{ _name }}.rule=Host(`{{ _url | mandatory }}`)"
+      - "traefik.http.routers.kuma-{{ _name }}.entryPoints=websecure"
+      - "traefik.http.services.kuma-{{ _name }}.loadbalancer.server.port=3001"
+    networks:
+      - default
+      - gateway
+      - pantalaimon
+
+volumes:
+  data:
+
+networks:
+  gateway:
+    external: true
+  pantalaimon:
+    external: true
+...
--- a/coreos-config/roles/compose_project/templates/traefik/docker-compose.yaml
+++ b/coreos-config/roles/compose_project/templates/traefik/docker-compose.yaml
@ -1,3 +1,4 @@
+{% set deploy_traefik_fa = with_fa|default(false) %}
 ---
 version: '3.9'
 services:
@ -17,9 +18,8 @@ services:
    networks:
      - gateway
      - default
-    environment:
-      CLOUDFLARE_DNS_API_TOKEN: "{{ traefik.CLOUDFLARE_DNS_API_TOKEN }}"

+{% if deploy_traefik_fa %}
  traefik-fa:
    image: thomseddon/traefik-forward-auth:latest
    restart: always
@ -38,16 +38,7 @@ services:
      - "traefik.http.services.traefik-fa.loadbalancer.server.port=4181"
      - "traefik.http.routers.traefik-fa.middlewares=sso@file"

-  # whoami:
-  #   image: containous/whoami
-  #   networks:
-  #     - gateway
-  #   labels:
-  #     - "traefik.enable=true"
-  #     - "traefik.http.services.whoami.loadbalancer.server.port=80"
-  #     - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
-  #     - "traefik.http.routers.whoami.entryPoints=websecure"
-  #     - "traefik.http.routers.whoami.middlewares=sso@file"
+{% endif %}

 volumes:
  acme:
--- a/coreos-config/roles/compose_project/templates/traefik/traefik-fa.ini
+++ b/coreos-config/roles/compose_project/templates/traefik/traefik-fa.ini
@ -1,3 +1,4 @@
+{% if with_fa|default(false) %}
 default-provider = oidc

 # Cookie signing nonce, replace this with something random
@ -18,3 +19,4 @@ auth-host = traefik-fa.tobiasmanske.de
 whitelist = {{ user }}
 {% endfor %}

+{% endif %}
--- a/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
+++ b/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
@ -27,5 +27,4 @@ certificatesResolvers:
      email: webmaster@tobiasmanske.de
      storage: /acme/acme.json
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      dnsChallenge:
-        provider: cloudflare
+      tlsChallenge: true
--- a/restore-tests/butane/mon1.hel1.chaoswg.org.bu
+++ b/restore-tests/butane/mon1.hel1.chaoswg.org.bu
@ -0,0 +1,97 @@
+---
+variant: fcos
+version: 1.4.0
+systemd:
+  units:
+    # Installing vim as a layered package with rpm-ostree
+    - name: rpm-ostree-install-pkg.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Layer packages with rpm-ostree
+        Wants=network-online.target
+        After=network-online.target
+        # We run before `zincati.service` to avoid conflicting rpm-ostree
+        # transactions.
+        Before=zincati.service
+        # Otherwise vagrant will try to run the playbook before we got python
+        Before=sshd.service
+        ConditionPathExists=!/var/lib/%N.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        # `--allow-inactive` ensures that rpm-ostree does not return an error
+        # if the package is already installed. This is useful if the package is
+        # added to the root image in a future Fedora CoreOS release as it will
+        # prevent the service from failing.
+        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive vim python docker-compose borgbackup btop iftop iotop
+        ExecStart=/bin/touch /var/lib/%N.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+    # Make sure docker is actually starting without a call to the socket.
+    - name: docker.service
+      enabled: true
+    - name: borgbackup.service
+      contents: |
+        [Unit]
+        Description=Run Backup of /var/lib/docker
+
+        [Service]
+        ExecStart=/usr/bin/bash /root/backup.sh
+
+        [Install]
+        WantedBy=multi-user.target
+    - name: borgbackup.timer
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Daily backup
+
+        [Timer]
+        OnCalendar=daily
+        Persistent=true
+
+        [Install]
+        WantedBy=timers.target
+storage:
+  filesystems:
+    - device: /dev/disk/by-partlabel/root
+      wipe_filesystem: true
+      format: ext4
+      label: root
+  files:
+    # Set vim as default editor
+    # We use `zz-` as prefix to make sure this is processed last in order to
+    # override any previously set defaults.
+    - path: /etc/profile.d/zz-default-editor.sh
+      overwrite: true
+      contents:
+        inline: |
+          export EDITOR=vim
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: mon1.hel1.chaoswg.org
+    - path: /etc/zincati/config.d/55-updates-strategy.toml
+      contents:
+        inline: |
+          [updates]
+          strategy = "periodic"
+          [[updates.periodic.window]]
+          days = [ "Fri", "Sat" ]
+          start_time = "23:30"
+          length_minutes = 60
+  links:
+    - path: /etc/localtime
+      target: /usr/share/zoneinfo/Europe/Berlin
+passwd:
+  users:
+    - name: core
+      groups:
+        - docker
+      ssh_authorized_keys:
+        - cert-authority,principals="rad4day,rad4day@chaoswg.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUN/Ik3CqhsVLGEkl2rJLUhC0AXFmVp6BgETaqgVKq5 user-ca@chaoswg.org
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhzs4vCOhy3yH2TF2bO5Qalt2P4WG4nDYTLarPKFrdM ansible@provisioner
+...
				`@ -0,0 +1 @@`
				`COMPOSE_PROJECT_NAME=kuma-{{ service_name\|default("kuma") }}`