ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

main.yml (6047B)


      1 ---
      2 - name: Get the list of services
      3   service_facts:
      4 
      5 - name: Deploy grafana signing key
      6   copy:
      7     src: etc/apt/keyrings/grafana.gpg
      8     dest: /etc/apt/keyrings/grafana.gpg
      9     owner: root
     10     group: root
     11     mode: "0644"
     12 
     13 - name: Add grafana repo
     14   deb822_repository:
     15     name: Grafana
     16     types: deb
     17     uris: https://apt.grafana.com
     18     suites: stable
     19     components:
     20       - main
     21     architectures: amd64
     22     signed_by: /etc/apt/keyrings/grafana.gpg
     23 
     24 - name: Update caches
     25   apt:
     26     state: latest
     27     update_cache: true
     28     autoclean: true
     29     autoremove: true
     30     upgrade: safe
     31   when: ansible_os_family == 'Debian'
     32 
     33 - name: Stop log export service before update or reconfiguration
     34   service:
     35     name: alloy.service
     36     state: stopped
     37     enabled: false
     38   when: "'alloy.service' in services"
     39 
     40 - name: Stop monitoring services before update or reconfiguration
     41   service:
     42     name: "{{ item }}"
     43     state: stopped
     44     enabled: false
     45   with_items:
     46     - prometheus-node-exporter.service
     47     - prometheus-nginx-exporter.service
     48     - prometheus-postgres-exporter.service
     49     - prometheus-alertmanager.service
     50     - prometheus.service
     51   when: "'prometheus-node-exporter.service' in services"
     52 
     53 - name: Install prometheus and its exporters
     54   apt:
     55     name:
     56       - prometheus-nginx-exporter
     57       - prometheus-node-exporter
     58       - prometheus-postgres-exporter
     59       - prometheus-alertmanager
     60       - prometheus
     61       - alloy
     62     install_recommends: false
     63 
     64 - name: Ensure Taler monitoring HTTP virtualhost configuration file exists
     65   template:
     66     src: templates/etc/nginx/sites-available/monitoring-http.conf.j2
     67     dest: /etc/nginx/sites-available/monitoring-http.conf
     68     owner: root
     69     group: root
     70     mode: "0644"
     71   notify: Restart nginx
     72 
     73 - name: Ensure Taler monitoring HTTPS configuration file exists
     74   template:
     75     src: templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
     76     dest: /etc/nginx/sites-available/monitoring-nginx.conf
     77     owner: root
     78     group: root
     79     mode: "0644"
     80   notify: Restart nginx
     81 
     82 - name: Secure the monitoring site with Letsencrypt
     83   ansible.builtin.include_role:
     84     name: cert
     85   vars:
     86     cert_name: monitoring
     87     wanted_cert_domains:
     88       - "monitoring.{{ domain_name }}"
     89     nginx_sites:
     90       - monitoring-nginx.conf
     91       - monitoring-http.conf
     92 
     93 # We need to make sure that our handler notifies nginx to restart NOW
     94 - name: Flush handlers
     95   meta: flush_handlers
     96 
     97 - name: Create prometheus database user
     98   community.postgresql.postgresql_user:
     99     name: prometheus
    100   become: true
    101   become_user: postgres
    102 
    103 - name: Grant access to canonical postgres databases to the postgres-exporter
    104   become: true
    105   become_user: postgres
    106   community.postgresql.postgresql_query:
    107     login_user: postgres
    108     db: postgres
    109     query:
    110       GRANT CONNECT ON DATABASE libeufin TO prometheus;
    111       GRANT CONNECT ON DATABASE postgres TO prometheus;
    112       GRANT CONNECT ON DATABASE "taler-auditor" TO prometheus;
    113       GRANT CONNECT ON DATABASE "taler-exchange" TO prometheus;
    114       GRANT USAGE ON SCHEMA pg_catalog TO prometheus;
    115       GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO prometheus;
    116 
    117 - name: Grant access to challengers databases to the postgres-exporter
    118   become: true
    119   become_user: postgres
    120   community.postgresql.postgresql_query:
    121     login_user: postgres
    122     db: postgres
    123     query:
    124       GRANT CONNECT ON DATABASE "challenger-email" TO prometheus;
    125       GRANT CONNECT ON DATABASE "challenger-postal" TO prometheus;
    126       GRANT CONNECT ON DATABASE "challenger-sms" TO prometheus;
    127   when: deploy_challenger | bool
    128 
    129 - name: Configure node-exporter
    130   copy:
    131     src: etc/default/prometheus-node-exporter
    132     dest: /etc/default/prometheus-node-exporter
    133     owner: root
    134     group: root
    135     mode: "0644"
    136   notify: Restart node-exporter
    137 
    138 - name: Configure node-exporter
    139   copy:
    140     src: etc/default/prometheus-alertmanager
    141     dest: /etc/default/prometheus-alertmanager
    142     owner: root
    143     group: root
    144     mode: "0644"
    145   notify: Restart node-exporter
    146 
    147 - name: Configure postgres-exporter
    148   copy:
    149     src: etc/default/prometheus-postgres-exporter
    150     dest: /etc/default/prometheus-postgres-exporter
    151     owner: root
    152     group: root
    153     mode: "0644"
    154   notify: Restart postgres-exporter
    155 
    156 - name: Configure nginx-exporter
    157   copy:
    158     src: etc/default/prometheus-nginx-exporter
    159     dest: /etc/default/prometheus-nginx-exporter
    160     owner: root
    161     group: root
    162     mode: "0644"
    163   notify: Restart nginx-exporter
    164 
    165 - name: Configure prometheus master
    166   copy:
    167     src: etc/default/prometheus
    168     dest: /etc/default/prometheus
    169     owner: root
    170     group: root
    171     mode: "0644"
    172 
    173 - name: Configure prometheus
    174   copy:
    175     src: etc/prometheus/prometheus.yml
    176     dest: /etc/prometheus/prometheus.yml
    177     owner: root
    178     group: root
    179     mode: "0644"
    180 
    181 - name: Configure alloy service
    182   copy:
    183     src: etc/default/alloy
    184     dest: /etc/default/alloy
    185     owner: root
    186     group: root
    187     mode: "0644"
    188 
    189 - name: Configure alloy log export
    190   template:
    191     src: templates/etc/alloy/config.alloy
    192     dest: /etc/alloy/config.alloy
    193     owner: root
    194     group: root
    195     mode: "0644"
    196 
    197 - name: Configure prometheus alertmanager
    198   template:
    199     src: templates/etc/prometheus/alertmanager.yml
    200     dest: /etc/prometheus/alertmanager.yml
    201     owner: root
    202     group: root
    203     mode: "0644"
    204 
    205 - name: Configure node-exporter rules for alertmanager
    206   copy:
    207     src: etc/prometheus/node-exporter-rules.yml
    208     dest: /etc/prometheus/node-exporter-rules.yml
    209     owner: root
    210     group: root
    211     mode: "0644"
    212 
    213 - name: Configure node-exporter rules for alertmanager
    214   copy:
    215     src: etc/prometheus/alert_rules.yml
    216     dest: /etc/prometheus/alert_rules.yml
    217     owner: root
    218     group: root
    219     mode: "0644"
    220 
    221 - name: Ensure exporter services are enabled and started
    222   service:
    223     name: "{{ item }}"
    224     state: started
    225     enabled: true
    226   with_items:
    227     - prometheus-node-exporter.service
    228     - prometheus-nginx-exporter.service
    229     - prometheus-postgres-exporter.service
    230     - prometheus-alertmanager.service
    231     - prometheus.service
    232     - alloy.service