commit d1a1c6ec3501c2dbe6175f59cd6b4a19c18d99d6
parent 00a7bc8b4b6faabe6b02c98b0e7bae15c9dbfd21
Author: Christian Grothoff <christian@grothoff.org>
Date: Tue, 21 Jan 2025 15:18:28 +0100
add alloy deployment
Diffstat:
5 files changed, 138 insertions(+), 0 deletions(-)
diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
@@ -24,3 +24,4 @@ AUDITOR_ACCESS_TOKEN: secret-token:FIXME
# Bearer access token for monitoring
PROMETHEUS_ACCESS_TOKEN: secret-token:FIXME
+LOKI_ACCESS_TOKEN: secret-token:FIXME
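Review bot: The new `LOKI_ACCESS_TOKEN` entry has no comment, unlike the Prometheus token above it, and its name suggests a Loki credential. Its only visible use in this commit is the nginx `/alloy/` location, which guards Alloy's local HTTP port rather than Loki. A line such as `# Bearer access token for the nginx /alloy/ location (Alloy HTTP server)` above it would make that clear. The `secret-token:FIXME` placeholder is rendered verbatim into the nginx comparison, so a deployment that does not override it has a guessable bearer value.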
diff --git a/roles/monitoring/files/etc/default/alloy b/roles/monitoring/files/etc/default/alloy
@@ -0,0 +1,9 @@
+
+# The configuration file holding the Alloy config.
+CONFIG_FILE="/etc/alloy/config.alloy"
+
+# User-defined arguments to pass to the run command.
+CUSTOM_ARGS="--server.http.listen-addr=127.0.0.1:12345"
+
+# Restart on system upgrade. Defaults to true.
+RESTART_ON_UPGRADE=true
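Review bot: The loopback bind in `CUSTOM_ARGS` is what keeps Alloy's unauthenticated HTTP server off the network, but nothing in the file says so. The same `127.0.0.1:12345` is also hard-coded in `config.alloy` and in the nginx `proxy_pass`. A comment such as `# Keep on loopback: the HTTP server has no auth of its own; nginx (/alloy/) and config.alloy use this address.` would warn the next editor before they change it. The file also starts with an empty line that can be dropped.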
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
@@ -18,6 +18,24 @@
architectures: amd64
signed_by: /etc/apt/keyrings/grafana.gpg
+- name: Stop log export service before update or reconfiguration
+ service:
+ name: alloy.service
+ state: stopped
+ enabled: false
+ when: "'alloy.service' in services"
+
+- name: Stop monitoring services before update or reconfiguration
+ service:
+ name: "{{item}}"
+ state: stopped
+ enabled: false
+ with_items:
+ - prometheus-node-exporter.service
+ - prometheus-nginx-exporter.service
+ - prometheus-postgres-exporter.service
+ when: "'prometheus-node-exporter.service' in services"
+
- name: Install prometheus exporters
apt:
name:
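Review bot: The second stop task loops over three exporter units, but its `when` tests only for `prometheus-node-exporter.service`. On a host where that unit exists and one of the other two does not, the `service` call for the missing unit would fail; `when: item in services` checks each item instead. Both tasks rely on `services` having been populated earlier, presumably by `service_facts` outside this hunk. Because they also set `enabled: false`, a run that aborts before the final enable task leaves monitoring and log export disabled across reboots, which deserves a comment or a `state: stopped`-only variant.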
@@ -136,6 +154,22 @@
mode: 0644
notify: restart nginx-exporter
+- name: Configure alloy service
+ copy:
+ src: templates/etc/default/alloy
+ dest: /etc/default/alloy
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Configure alloy log export
+ template:
+ src: templates/etc/alloy/config.alloy
+ dest: /etc/alloy/config.alloy
+ owner: root
+ group: root
+ mode: 0644
+
- name: Ensure exporter services are enabled and started
service:
name: "{{item}}"
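Review bot: `Configure alloy service` uses `copy` with `src: templates/etc/default/alloy`, but this commit adds that file under `roles/monitoring/files/etc/default/alloy`. As far as the diff shows, the source path does not resolve; `src: etc/default/alloy` would match where the file was placed. Separately, `/etc/alloy/config.alloy` is installed with `mode: 0644`, which is acceptable only while it holds no credentials. If the commented-out `basic_auth` block for the Loki push is ever filled in, tighten it to `0640` with the group the alloy service runs as (that group is not visible here).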
@@ -145,3 +179,4 @@
- prometheus-node-exporter.service
- prometheus-nginx-exporter.service
- prometheus-postgres-exporter.service
+ - alloy.service
diff --git a/roles/monitoring/templates/etc/alloy/config.alloy b/roles/monitoring/templates/etc/alloy/config.alloy
@@ -0,0 +1,85 @@
+// Sample config for Alloy.
+//
+// For a full configuration reference, see https://grafana.com/docs/alloy
+logging {
+ level = "warn"
+}
+
+// Which log files to monitor
+local.file_match "local_files" {
+ path_targets = [
+ {"__path__" = "/var/log/*.log"},
+ {"__path__" = "/var/log/nginx/*.err"},
+ ]
+ sync_period = "5s"
+}
+
+// Which log files to monitor
+local.file_match "http_logs" {
+ path_targets = [
+ {"__path__" = "/var/log/nginx/*.log"},
+ ]
+ sync_period = "5s"
+}
+
+// Connect local_files as source to filter_logs
+// See: https://grafana.com/docs/alloy/latest/tutorials/send-logs-to-loki/
+loki.source.file "log_scrape" {
+ targets = local.file_match.local_files.targets
+ forward_to = [loki.process.filter_logs.receiver]
+ tail_from_end = true
+}
+
+loki.source.file "web_scrape" {
+ targets = local.file_match.http_logs.targets
+ forward_to = [loki.process.filter_logs.receiver]
+ tail_from_end = true
+}
+
+// Filter the logs
+// See: https://grafana.com/docs/alloy/latest/tutorials/send-logs-to-loki/
+loki.process "filter_logs" {
+ stage.drop {
+ source = "http_logs"
+ expression = ".*GET.* 200 .*"
+ drop_counter_reason = "successful HTTP GETs"
+ }
+ forward_to = [loki.write.grafana_loki.receiver]
+}
+
+// Push the logs to loki
+// See: https://grafana.com/docs/alloy/latest/tutorials/send-logs-to-loki/
+loki.write "grafana_loki" {
+ endpoint {
+ // FIXME: loki not yet running on deltoid (and not even in DNS!)
+ url = "https://loki.taler.net/loki/api/v1/push"
+
+ // basic_auth {
+ // username = "admin"
+ // password = "admin"
+ // }
+ }
+}
+
+// This was in the defaults, FIXME: not sure what it does...
+prometheus.exporter.unix "default" {
+ include_exporter_metrics = true
+ disable_collectors = ["mdadm"]
+}
+
+// This was in the defaults, FIXME: not sure what it does...
+prometheus.scrape "default" {
+ targets = array.concat(
+ prometheus.exporter.unix.default.targets,
+ [{
+ // Self-collect metrics
+ job = "alloy",
+ __address__ = "127.0.0.1:12345",
+ }],
+ )
+
+ forward_to = [
+ // TODO: components to forward metrics to (like prometheus.remote_write or
+ // prometheus.relabel).
+ ]
+}
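Review bot: In `loki.process "filter_logs"`, `source = "http_logs"` in `stage.drop` names a key in the extracted-data map, not a component or target. Nothing in this pipeline extracts a value under that name, so the drop expression most likely never applies. Removing `source` alone would run the regex against `/var/log/*.log` lines too, since both `log_scrape` and `web_scrape` forward to the same processor, so the web logs need their own stage as sketched below. The pattern `.*GET.* 200 .*` is also unanchored: a line with ` 200 ` in a client-controlled field (URL, referrer, user agent) matches as well and would go missing from the central logs. Anchoring on the nginx status field is safer, and it is worth confirming that discarding successful GETs is acceptable for incident reconstruction.

```alloy
loki.source.file "web_scrape" {
  targets       = local.file_match.http_logs.targets
  forward_to    = [loki.process.filter_http.receiver]
  tail_from_end = true
}

// Only nginx access-log lines reach this stage; no `source`, so the
// expression is matched against the log line itself.
loki.process "filter_http" {
  stage.drop {
    expression          = ".*GET.* 200 .*"
    drop_counter_reason = "successful HTTP GETs"
  }
  forward_to = [loki.write.grafana_loki.receiver]
}

// ... unchanged: loki.source.file "log_scrape", loki.write "grafana_loki" ...
```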
diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
@@ -53,6 +53,14 @@ server {
# proxy_pass http://127.0.0.1:9116/;
# }
+ # See /etc/default/alloy for the export
+ location /alloy/ {
+ # Put API behind simple access control. TODO: check Loki can do this!
+ if ($http_authorization != "Bearer {{ LOKI_ACCESS_TOKEN }}") {
+ return 401;
+ }
+ proxy_pass http://127.0.0.1:12345/;
+ }
}
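Review bot: `location /alloy/` proxies the whole Alloy HTTP server on `127.0.0.1:12345`, not just a metrics path. That server also carries the debugging UI and control endpoints such as `/-/reload`, so anyone holding the bearer token gets all of it. If only scraping is intended, narrow it to `location = /alloy/metrics { ... proxy_pass http://127.0.0.1:12345/metrics; }`. The token is rendered in clear into this site file, so the task that installs it (outside this hunk) should not leave it world-readable. The `TODO: check Loki can do this!` comment is misleading as well, since the client here would be a metrics scraper or operator rather than Loki. The enclosing `server` block starts outside the hunk, so whether this location is reachable only over TLS cannot be confirmed from here.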