Add Monitoring host

2023-03-30 21:51:23 +02:00 · 2023-03-30 21:51:23 +02:00 · f2cd3c991b
commit f2cd3c991b
parent 936bbf7ecd
9 changed files with 226 additions and 17 deletions
--- a/coreos-config/host_vars/mon1.hel1.chaoswg.org/vault.yaml
+++ b/coreos-config/host_vars/mon1.hel1.chaoswg.org/vault.yaml
@ -0,0 +1,60 @@
 $ANSIBLE_VAULT;1.2;AES256;secrets
 31653262313736623962393333616632653938646364643062383266643237343032326637356462
 3032363766336231636665633736616637363661303634320a393033393239356234623661353461
 38376630623233616632636234643039663235373035633132636666363133633030353938373461
 3539383935333036640a626330376666396565663137363366616432343365393931643233363730
 35313339373838313534616562313662313932343565323636626337393737323337616635336666
 33313463353339306563333537663139616231386331333636343132396663613137636332383638
 66363164343833353164356136306135333038613264363663346232393237373266323237353639
 34643236613763323364306161353735663030653361336364306366336330326331366463646163
 64626436386461393033336136666466313030383531396464646632333939313335383738303838
 34613663663665306337656530663234316132303062323966633332393165326133643639633263
 32346465323032623837323034646462643038356339613234383332623962626631366262333564
 61356132633135666630376461646366333939316435336566363139303032623563646563316536
 62326230643866653665363536663137383534346165646563636437346361613865396437623664
 35366139666538663937356337356437353135306336333262356363613063363334663837376561
 37333134323861326261343333323061343936326439623439656135613734326531306630336432
 36356362363230646561303266396135343935316236313162663133393833356163363535336265
 37373637353337306135393330363266653538353863353637396263333061316230653032326237
 66326331336238333230303566333961636165343265623264396138633237623061623566653036
 30613330653235303336643135383833636337346264383731303837303565333861386464616138
 31373363316338626237376133333636643136346466616130353934323237316365366563666536
 32656362363864363362633734316536623433353164323236303830316334323639303639633633
 62353439353465393532636462316163643438376336316439373739666233646630353661393466
 34336535396231663762643736323461656239396262376262663434393865373461623737663762
 62303365356664633363323461396164626266613935303036373938356130373132643164306462
 63356562343932373362386564363337653161363836333062396266363931373938323066393766
 64623634373835373138316636346537326661333462623839303366386566383231376339653034
 37336561373961636334623462303834323363663339333035396263653030643534386431323065
 62373965376666363033653230643134343363396261373239313839656234363032333632396339
 32636562663733396361323865623039636334643732666536633734643764316165666162363231
 64356236386164653335613765396639363363643935653862326638323031653364646137356366
 64366266376162653561333035396433653162316365623234613538363534303762663138396138
 32366335393064356234323931373833336563306264633264633366323266376364343566633739
 31383437353138643833376431623165616439356434643236343763626235333933613036323934
 36613862383232656531646365373930363830646132373664616365666264336264383538306463
 63353037353938633366336535306166633238663331386339396563616336313765646565316164
 36343866343532373639363662666235653932396535383935666166643535366539623265613365
 38616561656539363839323136646533643937383165386131353138363466646237313136326139
 61383466343238396439356132613565363436303234373334643461303334353366346366636235
 32616661356664626431663539646663343661613039653438323339353765353931623632336233
 37346561333239366337643133653238643231613938326136376664616563346335333935353738
 35626137353533613866626338303266356139373134343462656239633330623964376537396162
 63626339356130326363633731363662393737623031663566386530623666346531653931656138
 38646564363239326636393138623465306233316631346531373430383839353465646166633261
 65313062353338303261313461356662626131663538303535336333393363373437633336396534
 30373866366539646133393530396535363063303534303533303735616437336362333831636461
 66313230666463303330336561383234373130313731343732646239333031366235633238363563
 35616266346463363034303237623062626261666638323734343330623565333637663266303635
 33626662643363373064666461323337613635323239333761386237326237646465653339323433
 65623837663965666666643230346265323362613635653930313236666338383935316337356533
 64613462323565353732666234636365613366366630373533633130303064663830333437623631
 65666439623364616561373936643536626165613339396363323630383665616130333630316266
 38643737396263653966623534396434363266643037626134303433393437623434343861343363
 36623464643937646166333438623763396365643332666466306262313633313036333736353935
 36353931383732376362613433636338633565653530666464613965333732363165623437303461
 32383462333731393932313462646561373966363533613236616435643363336661306636613761
 39666463373933373963636535663737633035396332373261333133383964626435303436386265
 39326336313534623834626265313861393831656133323438396630353063653036623136633132
 66383833393038323763336666336363313331326636656536636633666536666635333735366533
 636662373161333330346662336161643233
--- a/coreos-config/playbook.yaml
+++ b/coreos-config/playbook.yaml
@ -101,7 +101,7 @@
  vars:
    state: present
  roles:
-    - { role: compose_project, service: traefik }
+    - { role: compose_project, service: traefik, with_fa: true }
    - { role: compose_project, service: keycloak }
    - { role: compose_project, service: minio }
    - { role: compose_project, service: repo_proxy }
@ -133,4 +133,35 @@
    - { role: compose_project, service: wireguard }
    - { role: compose_project, service: watchtower }
    - { role: compose_project, service: gitea-runner }
 - name: Base Setup Monitoring
  hosts: mon1.hel1.chaoswg.org
  vars:
    state: present
  roles:
    - { role: compose_project, service: traefik }
    - { role: compose_project, service: pantalaimon }
    - { role: compose_project, service: watchtower }
 - name: Setup Monitoring Kuma 1
  hosts: mon1.hel1.chaoswg.org
  vars:
    state: present
  roles:
    - role: compose_project
      service: kuma
      vars:
        service_name: "tobias"
        url: "status.tobiasmanske.de"
 - name: Setup Monitoring Kuma 2
  hosts: mon1.hel1.chaoswg.org
  vars:
    state: present
  roles:
    - role: compose_project
      service: kuma
      vars:
        service_name: "istannen"
        url: "monitor.ialistannen.de"
 ...
--- a/coreos-config/roles/compose_project/tasks/main.yml
+++ b/coreos-config/roles/compose_project/tasks/main.yml
@ -2,11 +2,11 @@
 - name: Set service_dir
  ansible.builtin.set_fact:
-    service_dir: "{{ compose_dir | mandatory }}/{{ service | mandatory }}"
+    service_dir: "{{ compose_dir | mandatory }}/{{ service | mandatory }}{% if service_name is defined %}-{{ service_name }}{% endif %}"
    cacheable: true
 - ansible.builtin.debug:
-    msg: "Working on {{ service }}"
+    msg: "Working on {{ service }}{% if service_name is defined %}-{{ service_name }}{% endif %}"
    verbosity: 0
 - include_tasks: create.yml
--- a/coreos-config/roles/compose_project/templates/kuma/.env
+++ b/coreos-config/roles/compose_project/templates/kuma/.env
@ -0,0 +1 @@
 COMPOSE_PROJECT_NAME=kuma-{{ service_name|default("kuma") }}
--- a/coreos-config/roles/compose_project/templates/kuma/docker-compose.yaml
+++ b/coreos-config/roles/compose_project/templates/kuma/docker-compose.yaml
@ -0,0 +1,28 @@
 {% set _name = service_name|default("kuma") %}
 {% set _url = url|default(kuma.url)|mandatory %}
 ---
 services:
  kuma:
    image: louislam/uptime-kuma:latest
    restart: unless-stopped
    volumes:
      - data:/app/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kuma-{{ _name }}.rule=Host(`{{ _url | mandatory }}`)"
      - "traefik.http.routers.kuma-{{ _name }}.entryPoints=websecure"
      - "traefik.http.services.kuma-{{ _name }}.loadbalancer.server.port=3001"
    networks:
      - default
      - gateway
      - pantalaimon
 volumes:
  data:
 networks:
  gateway:
    external: true
  pantalaimon:
    external: true
 ...
--- a/coreos-config/roles/compose_project/templates/traefik/docker-compose.yaml
+++ b/coreos-config/roles/compose_project/templates/traefik/docker-compose.yaml
@ -1,3 +1,4 @@
 {% set deploy_traefik_fa = with_fa|default(false) %}
 ---
 version: '3.9'
 services:
@ -17,9 +18,8 @@ services:
    networks:
      - gateway
      - default
    environment:
      CLOUDFLARE_DNS_API_TOKEN: "{{ traefik.CLOUDFLARE_DNS_API_TOKEN }}"
 {% if deploy_traefik_fa %}
  traefik-fa:
    image: thomseddon/traefik-forward-auth:latest
    restart: always
@ -38,16 +38,7 @@ services:
      - "traefik.http.services.traefik-fa.loadbalancer.server.port=4181"
      - "traefik.http.routers.traefik-fa.middlewares=sso@file"
-  # whoami:
+{% endif %}
  #   image: containous/whoami
  #   networks:
  #     - gateway
  #   labels:
  #     - "traefik.enable=true"
  #     - "traefik.http.services.whoami.loadbalancer.server.port=80"
  #     - "traefik.http.routers.whoami.rule=Host(`test.tobiasmanske.de`)"
  #     - "traefik.http.routers.whoami.entryPoints=websecure"
  #     - "traefik.http.routers.whoami.middlewares=sso@file"
 volumes:
  acme:
--- a/coreos-config/roles/compose_project/templates/traefik/traefik-fa.ini
+++ b/coreos-config/roles/compose_project/templates/traefik/traefik-fa.ini
@ -1,3 +1,4 @@
 {% if with_fa|default(false) %}
 default-provider = oidc
 # Cookie signing nonce, replace this with something random
@ -18,3 +19,4 @@ auth-host = traefik-fa.tobiasmanske.de
 whitelist = {{ user }}
 {% endfor %}
 {% endif %}
--- a/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
+++ b/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
@ -27,5 +27,4 @@ certificatesResolvers:
      email: webmaster@tobiasmanske.de
      storage: /acme/acme.json
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-      dnsChallenge:
+      tlsChallenge: true
        provider: cloudflare
--- a/restore-tests/butane/mon1.hel1.chaoswg.org.bu
+++ b/restore-tests/butane/mon1.hel1.chaoswg.org.bu
@ -0,0 +1,97 @@
 ---
 variant: fcos
 version: 1.4.0
 systemd:
  units:
    # Installing vim as a layered package with rpm-ostree
    - name: rpm-ostree-install-pkg.service
      enabled: true
      contents: |
        [Unit]
        Description=Layer packages with rpm-ostree
        Wants=network-online.target
        After=network-online.target
        # We run before `zincati.service` to avoid conflicting rpm-ostree
        # transactions.
        Before=zincati.service
        # Otherwise vagrant will try to run the playbook before we got python
        Before=sshd.service
        ConditionPathExists=!/var/lib/%N.stamp
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # `--allow-inactive` ensures that rpm-ostree does not return an error
        # if the package is already installed. This is useful if the package is
        # added to the root image in a future Fedora CoreOS release as it will
        # prevent the service from failing.
        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive vim python docker-compose borgbackup btop iftop iotop
        ExecStart=/bin/touch /var/lib/%N.stamp
        [Install]
        WantedBy=multi-user.target
    # Make sure docker is actually starting without a call to the socket.
    - name: docker.service
      enabled: true
    - name: borgbackup.service
      contents: |
        [Unit]
        Description=Run Backup of /var/lib/docker
        [Service]
        ExecStart=/usr/bin/bash /root/backup.sh
        [Install]
        WantedBy=multi-user.target
    - name: borgbackup.timer
      enabled: true
      contents: |
        [Unit]
        Description=Daily backup
        [Timer]
        OnCalendar=daily
        Persistent=true
        [Install]
        WantedBy=timers.target
 storage:
  filesystems:
    - device: /dev/disk/by-partlabel/root
      wipe_filesystem: true
      format: ext4
      label: root
  files:
    # Set vim as default editor
    # We use `zz-` as prefix to make sure this is processed last in order to
    # override any previously set defaults.
    - path: /etc/profile.d/zz-default-editor.sh
      overwrite: true
      contents:
        inline: |
          export EDITOR=vim
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: mon1.hel1.chaoswg.org
    - path: /etc/zincati/config.d/55-updates-strategy.toml
      contents:
        inline: |
          [updates]
          strategy = "periodic"
          [[updates.periodic.window]]
          days = [ "Fri", "Sat" ]
          start_time = "23:30"
          length_minutes = 60
  links:
    - path: /etc/localtime
      target: /usr/share/zoneinfo/Europe/Berlin
 passwd:
  users:
    - name: core
      groups:
        - docker
      ssh_authorized_keys:
        - cert-authority,principals="rad4day,rad4day@chaoswg.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUN/Ik3CqhsVLGEkl2rJLUhC0AXFmVp6BgETaqgVKq5 user-ca@chaoswg.org
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhzs4vCOhy3yH2TF2bO5Qalt2P4WG4nDYTLarPKFrdM ansible@provisioner
 ...
		`@ -0,0 +1 @@`
							`COMPOSE_PROJECT_NAME=kuma-{{ service_name\|default("kuma") }}`