commit dbc54484de6a2556252f216ca45c1ee3ac9125a0
parent 5fd884c28c04f46a50858198764d6c143c4e6298
Author: Christian Grothoff <christian@grothoff.org>
Date: Tue, 28 Jan 2025 17:33:53 +0100
fix prometheus config
Diffstat:
4 files changed, 94 insertions(+), 6 deletions(-)
diff --git a/roles/monitoring/files/etc/default/prometheus b/roles/monitoring/files/etc/default/prometheus
@@ -0,0 +1,5 @@
+# Set the command-line arguments to pass to the server.
+# Due to shell escaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+ARGS="--web.listen-address=127.0.0.1:9090"
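Review bot: `ARGS` binds the server to loopback but sets no `--web.external-url`, although the same commit publishes it under `/prometheus/` on the nginx vhost with the prefix stripped. Without it Prometheus builds its redirects and UI links relative to `/`, so anything beyond direct API calls will probably leave the `/prometheus/` location and miss the proxy. If the UI is meant to work through nginx, extend the line to `ARGS="--web.listen-address=127.0.0.1:9090 --web.external-url=<external-base-url>/prometheus/ --web.route-prefix=/"`. The placeholder needs the real vhost URL, which means this file would have to become a template instead of a static file.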
diff --git a/roles/monitoring/files/etc/prometheus/prometheus.yml b/roles/monitoring/files/etc/prometheus/prometheus.yml
@@ -0,0 +1,51 @@
+# my global config
+global:
+ scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+ evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+ # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration -- FIXME: not yet setup!
+alerting:
+ alertmanagers:
+ - static_configs:
+ - targets: ["localhost:9093"]
+ # - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+ - "alert_rules.yml"
+ # - "second_rules.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+ # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+ - job_name: "prometheus"
+
+ # metrics_path defaults to '/metrics'
+ # scheme defaults to 'http'.
+
+ static_configs:
+ - targets: ["localhost:9090"]
+
+ # Job, for local node exporter
+ - job_name: 'node_exporter_metrics'
+ scrape_interval: 5s
+ static_configs:
+ - targets: ['localhost:9100']
+
+ # Job, for local nginx exporter
+ - job_name: 'nginx_exporter_metrics'
+ scrape_interval: 5s
+ static_configs:
+ - targets: ['localhost:9113']
+
+ # Job, for local postgres_exporter
+ - job_name: 'postgres_exporter'
+ static_configs:
+ - targets: ['localhost:9187']
+
+ # Job, for prometheus_process_exporter
+ - job_name: 'process_exporter'
+ static_configs:
+ - targets: ['localhost:9256']
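Review bot: `rule_files` names `alert_rules.yml` and `alerting` points at `localhost:9093`, but the diffstat lists four files and none of them is a rules file, and the FIXME says Alertmanager is not set up. As deployed, this server would evaluate no alert rules and could not deliver a notification, which is easy to overlook once the scrape targets show green. Either ship the rules file and Alertmanager in the same change, or comment both entries out, e.g. `# - "alert_rules.yml"  # enable once the rules file is deployed`. The `process_exporter` job on `localhost:9256` has a similar gap: the visible part of the apt task installs no process exporter, so that target would presumably stay down.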
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
@@ -34,14 +34,16 @@
- prometheus-node-exporter.service
- prometheus-nginx-exporter.service
- prometheus-postgres-exporter.service
+ - prometheus.service
when: "'prometheus-node-exporter.service' in services"
-- name: Install prometheus exporters
+- name: Install prometheus and its exporters
apt:
name:
- prometheus-nginx-exporter
- prometheus-node-exporter
- prometheus-postgres-exporter
+ - prometheus
- alloy
install_recommends: no
@@ -154,6 +156,22 @@
mode: 0644
notify: restart nginx-exporter
+- name: Configure prometheus master
+ copy:
+ src: etc/default/prometheus
+ dest: /etc/default/prometheus
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Configure prometheus
+ copy:
+ src: etc/prometheus/prometheus.yml
+ dest: /etc/prometheus/prometheus.yml
+ owner: root
+ group: root
+ mode: 0644
+
- name: Configure alloy service
copy:
src: etc/default/alloy
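Review bot: Neither of the two new `copy` tasks has a `notify:`, unlike the nginx-exporter task just above them (`notify: restart nginx-exporter`), so a running server does not pick up a changed `/etc/default/prometheus` or `prometheus.yml`. This affects exposure: the loopback bind lives in `/etc/default/prometheus`, and Prometheus listens on `0.0.0.0:9090` by default, so if the package starts the service on install it stays on all interfaces until something restarts it. Add a notify to both tasks, e.g. `notify: restart prometheus` (handler name constructed here; no such handler is visible in this diff), or confirm that the service list extended in the last hunk restarts the units after the configuration is written. The modes would also be safer quoted as `mode: "0644"`, though the unquoted form matches the existing tasks.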
@@ -179,4 +197,5 @@
- prometheus-node-exporter.service
- prometheus-nginx-exporter.service
- prometheus-postgres-exporter.service
+ - prometheus.service
- alloy.service
diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
@@ -21,44 +21,57 @@ server {
error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.err;
access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.log;
+ location /prometheus/ {
+ if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
+ return 401;
+ }
+ rewrite ^/prometheus/(.*)$ /$1 break;
+ proxy_pass http://127.0.0.1:9090/;
+ }
+
location /node/ {
- # Put API behind simple access control. TODO: check Prometheus can do this!
+ # Put API behind simple access control.
if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
return 401;
}
+ rewrite ^/node/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:9100/;
}
location /nginx/ {
- # Put API behind simple access control. TODO: check Prometheus can do this!
+ # Put API behind simple access control.
if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
return 401;
}
+ rewrite ^/nginx/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:9113/;
}
location /postgres/ {
- # Put API behind simple access control. TODO: check Prometheus can do this!
+ # Put API behind simple access control.
if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
return 401;
}
+ rewrite ^/postgres/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:9187/;
}
# location /systemd/ {
- # Put API behind simple access control. TODO: check Prometheus can do this!
+ # Put API behind simple access control.
# if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
# return 401;
# }
+# rewrite ^/systemd/(.*)$ /$1 break;
# proxy_pass http://127.0.0.1:9116/;
# }
# See /etc/default/alloy for the export
location /alloy/ {
- # Put API behind simple access control. TODO: check Loki can do this!
+ # Put API behind simple access control.
if ($http_authorization != "Bearer {{ LOKI_ACCESS_TOKEN }}") {
return 401;
}
+ rewrite ^/alloy/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:12345/;
}
}
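Review bot: The new `/prometheus/` location is guarded by the same `PROMETHEUS_ACCESS_TOKEN` as the exporter locations, so whoever holds the scrape token can now query every collected series through the Prometheus HTTP API, not just read one exporter's `/metrics`. A dedicated variable for this location, e.g. `if ($http_authorization != "Bearer {{ PROMETHEUS_QUERY_TOKEN }}") {` (variable name constructed here), keeps the scrape credential narrow and lets the two be rotated independently. The block also lacks the `# Put API behind simple access control.` comment that the other locations carry. The added `rewrite ... break;` lines look redundant with the trailing-slash `proxy_pass`, which already replaces the location prefix; worth confirming and dropping if so. The `server` block opens above the hunk, so whether it is TLS-only is not visible here, and the bearer check depends on that.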