ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 53bb6870714b04e5e26935c34b83f38c83f0cfe0
parent 9955504a8f8676c2e15032513d0fe1a1a37b19cf
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun, 19 Jan 2025 12:41:40 +0100

work on exporters

Diffstat:
Aroles/monitoring/files/etc/default/prometheus-nginx-exporter | 69+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aroles/monitoring/files/etc/default/prometheus-node-exporter | 5+++++
Mroles/monitoring/files/etc/default/prometheus-postgres-exporter | 2+-
Mroles/monitoring/tasks/main.yml | 32++++++++++++++++++++++++++++++++
Mroles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 | 38++++++++++++++++++++++++++++----------
5 files changed, 135 insertions(+), 11 deletions(-)

diff --git a/roles/monitoring/files/etc/default/prometheus-nginx-exporter b/roles/monitoring/files/etc/default/prometheus-nginx-exporter 
@@ -0,0 +1,69 @@
+# Set the command-line arguments to pass to the server.
+# Due to shell escaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+ARGS="-web.listen-address 127.0.0.1:9913 -nginx.scrape-uri http://127.0.0.1:80/metrics"
+
+# See monitoring-nginx.conf for the scrape-uri export!
+
+
+
+# prometheus-nginx-exporter supports the following options:
+#
+# -nginx.plus
+# Start the exporter for NGINX Plus. By default, the exporter is started for
+# NGINX. The default value can be overwritten by NGINX_PLUS environment
+# variable.
+# -nginx.retries uint
+# A number of retries the exporter will make on start to connect to the
+# NGINX stub_status page/NGINX Plus API before exiting with an error. The
+# default value can be overwritten by NGINX_RETRIES environment variable.
+# -nginx.retry-interval value
+# An interval between retries to connect to the NGINX stub_status page/NGINX
+# Plus API on start. The default value can be overwritten by
+# NGINX_RETRY_INTERVAL environment variable. (default 5s).
+# -nginx.scrape-uri string
+# A URI or unix domain socket path for scraping NGINX or NGINX Plus metrics.
+# For NGINX, the stub_status page must be available through the URI. For
+# NGINX Plus -- the API. The default value can be overwritten by SCRAPE_URI
+# environment variable. (default "http://127.0.0.1:8080/stub_status").
+# -nginx.ssl-ca-cert string
+# Path to the PEM encoded CA certificate file used to validate the servers
+# SSL certificate. The default value can be overwritten by SSL_CA_CERT
+# environment variable.
+# -nginx.ssl-client-cert string
+# Path to the PEM encoded client certificate file to use when connecting to
+# the server. The default value can be overwritten by SSL_CLIENT_CERT
+# environment variable.
+# -nginx.ssl-client-key string
+# Path to the PEM encoded client certificate key file to use when connecting
+# to the server. The default value can be overwritten by SSL_CLIENT_KEY
+# environment variable.
+# -nginx.ssl-verify
+# Perform SSL certificate verification. The default value can be overwritten
+# by SSL_VERIFY environment variable. (default true).
+# -nginx.timeout value
+# A timeout for scraping metrics from NGINX or NGINX Plus. The default value
+# can be overwritten by TIMEOUT environment variable. (default 5s).
+# -prometheus.const-labels value
+# A comma separated list of constant labels that will be used in every
+# metric. Format is label1=value1,label2=value2... The default value can be
+# overwritten by CONST_LABELS environment variable.
+# -web.listen-address string
+# An address or unix domain socket path to listen on for web interface and
+# telemetry. The default value can be overwritten by LISTEN_ADDRESS
+# environment variable. (default ":9113").
+# -web.secured-metrics
+# Expose metrics using https. The default value can be overwritten by
+# SECURED_METRICS variable.
+# -web.ssl-server-cert string
+# Path to the PEM encoded certificate for the nginx-exporter metrics
+# server(when web.secured-metrics=true). The default value can be
+# overwritten by SSL_SERVER_CERT variable.
+# -web.ssl-server-key string
+# Path to the PEM encoded key for the nginx-exporter metrics server (when
+# web.secured-metrics=true). The default value can be overwritten by
+# SSL_SERVER_KEY variable.
+# -web.telemetry-path string
+# A path under which to expose metrics. The default value can be overwritten
+# by TELEMETRY_PATH environment variable. (default "/metrics").
diff --git a/roles/monitoring/files/etc/default/prometheus-node-exporter b/roles/monitoring/files/etc/default/prometheus-node-exporter
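Review bot: `ARGS="-web.listen-address 127.0.0.1:9913 ..."` binds the exporter to port 9913, while the `/nginx/` location in monitoring-nginx.conf.j2 in this same commit proxies to `127.0.0.1:9113` (the exporter's default, as the `-web.listen-address` description further down this file states), so scrapes through the monitoring vhost will get a 502 until the two agree; `ARGS="-web.listen-address 127.0.0.1:9113 -nginx.scrape-uri http://127.0.0.1:80/metrics"` lines up with the proxy. Keeping the listener on loopback is the right choice, since the exporter has no authentication of its own and the bearer-token check lives in nginx. The pointer `# See monitoring-nginx.conf for the scrape-uri export!` would help more as `# The scrape URI is served by the loopback stub_status server block in templates/etc/nginx/sites-available/monitoring-nginx.conf.j2`, naming the template that actually defines it.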
@@ -0,0 +1,5 @@
+# Set the command-line arguments to pass to the server.
+# Due to shell escaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+ARGS="--web.listen-address 127.0.0.1:9100"
diff --git a/roles/monitoring/files/etc/default/prometheus-postgres-exporter b/roles/monitoring/files/etc/default/prometheus-postgres-exporter
@@ -10,4 +10,4 @@ DATA_SOURCE_NAME='user=postgres host=/run/postgresql dbname=taler-exchange'
 # Due to shell escaping, to pass backslashes for regexes, you need to double
 # them (\\d for \d). If running under systemd, you need to double them again
 # (\\\\d to mean \d), and escape newlines too.
-ARGS=""
+ARGS="--web.listen-address=127.0.0.1:9187"
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
@@ -66,6 +66,29 @@ state: link notify: restart nginx +- name: Create prometheus database user + community.postgresql.postgresql_user: + name: prometheus + +- name: Grant access to postgres database to the postgres-exporter + become: yes + become_user: postgres + community.postgresql.postgresql_query: + login_user: postgres + query: + - "SELECT format('GRANT CONNECT ON DATABASE %I TO prometheus;', datname) FROM pg_database \gexec" + - "GRANT USAGE ON SCHEMA pg_catalog TO prometheus;" + - "GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO prometheus;" + +- name: Configure node-exporter + copy: + src: etc/default/prometheus-node-exporter + dest: /etc/default/prometheus-node-exporter + owner: root + group: root + mode: 0644 + notify: restart node-exporter + +- name: Configure postgres-exporter + copy: + src: etc/default/prometheus-postgres-exporter
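Review bot: `GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO prometheus;` in the new grant task hands the scraper far more than metrics: ALL TABLES in pg_catalog covers pg_authid and the pg_shadow view (the password hashes of every role in the cluster, the exchange's included) as well as pg_subscription, which can carry connection strings. postgres_exporter only needs the pg_stat_* views and catalog lookups that the predefined monitoring role already provides, so the two pg_catalog grants should collapse to `GRANT pg_monitor TO prometheus;`. The first query ends in `\gexec`, a psql client meta-command rather than SQL; community.postgresql.postgresql_query sends the string over libpq, so the server should reject it as a syntax error and the task will fail on first run — the loop has to be plain SQL, e.g. the DO block below. Two smaller inconsistencies: the `Create prometheus database user` task lacks the `become_user: postgres` the grant task uses, so if pg_hba.conf uses peer auth for the socket (not visible here) it would authenticate as root's OS user and fail, and the exporter DSN shown as context in the prometheus-postgres-exporter hunk still reads `user=postgres`, so nothing in this diff actually makes the exporter connect as the new, less-privileged role.
```yaml
- name: Create prometheus database user
  become: yes
  become_user: postgres
  community.postgresql.postgresql_user:
    name: prometheus

- name: Grant access to postgres database to the postgres-exporter
  become: yes
  become_user: postgres
  community.postgresql.postgresql_query:
    login_user: postgres
    query:
      - >-
        DO $$ DECLARE d text; BEGIN
          FOR d IN SELECT datname FROM pg_database WHERE NOT datistemplate LOOP
            EXECUTE format('GRANT CONNECT ON DATABASE %I TO prometheus', d);
          END LOOP;
        END $$;
      - "GRANT pg_monitor TO prometheus;"
# … unchanged: Configure node-exporter task …
```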
@@ -75,6 +98,15 @@ mode: 0644 notify: restart postgres-exporter +- name: Configure nginx-exporter + copy: + src: etc/default/prometheus-nginx-exporter + dest: /etc/default/prometheus-nginx-exporter + owner: root + group: root + mode: 0644 + notify: restart nginx-exporter + - name: Ensure exporter services are enabled and started service: name: "{{item}}"
diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
@@ -21,20 +21,20 @@ server { error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.err; access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.log; - location /nginx/ { + location /node/ { # Put API behind simple access control. TODO: check Prometheus can do this! if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") { return 401; } - proxy_pass http://127.0.0.1:9113/; + proxy_pass http://127.0.0.1:9100/; } - location /node/ { + location /nginx/ { # Put API behind simple access control. TODO: check Prometheus can do this! if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") { return 401; } - proxy_pass http://127.0.0.1:9100/; + proxy_pass http://127.0.0.1:9113/; } location /postgres/ {
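Review bot: `notify: restart nginx-exporter` in the new Configure nginx-exporter task (and `restart node-exporter` in the previous hunk) references a handler that no file in the diffstat adds, so it must already exist in the role's handlers or the play aborts with an undefined handler — worth confirming, although the template already proxied to 9113 and 9100 before this commit, so the handlers may well predate it. The `{{item}}` list of the "Ensure exporter services are enabled and started" task that follows lies outside this hunk, so whether prometheus-nginx-exporter and prometheus-node-exporter are actually enabled and started cannot be seen from the diff. A short comment above the task, `# The listen port in this file must match the upstream monitoring-nginx.conf.j2 proxies /nginx/ to`, would tie the two files together for the next editor.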
@@ -45,11 +45,29 @@ server { proxy_pass http://127.0.0.1:9187/; } - location /systemd/ { +# location /systemd/ { # Put API behind simple access control. TODO: check Prometheus can do this! - if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") { - return 401; - } - proxy_pass http://127.0.0.1:9116/; - } +# if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") { +# return 401; +# } +# proxy_pass http://127.0.0.1:9116/; +# } + +} + + + +# Expose Nginx /metrics on loopback for the node exporter +# See /etc/default/prometheus-nginx-exporter for the use +server { + listen localhost; + root /dev/null; + server_name localhost; + + location /metrics { + stub_status on; + access_log off; + allow 127.0.0.1; + deny all; + } }
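Review bot: The header comment on the new loopback server block, `# Expose Nginx /metrics on loopback for the node exporter`, names the wrong consumer: per /etc/default/prometheus-nginx-exporter in this commit it is the nginx exporter's `-nginx.scrape-uri` that fetches it, so `# Expose nginx stub_status as /metrics on loopback for prometheus-nginx-exporter` would be accurate. That exporter requests `http://127.0.0.1:80/metrics`, so its Host header is `127.0.0.1`, which does not match `server_name localhost;`; this only routes correctly while the block is the sole (hence default) server bound to 127.0.0.1:80, which the diff cannot show, and `listen localhost;` may also bind ::1 depending on resolution — `listen 127.0.0.1:80;` with `server_name 127.0.0.1 localhost;` would make the intent explicit and keep the `allow 127.0.0.1; deny all;` pair consistent with what is bound. Commenting out the `/systemd/` location rather than deleting it leaves dead configuration in a rendered template; git history already preserves it if it is to come back.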