WireGuard the remaining Prometheus exporters

WireGuard was setup to provide a internal network with confidentiality, authenticity and integrity[1]. This migrate the remaining Prometheus exporters to use the internal WireGuard network. [1] 664deb67 ("WireGuard all hosts") Fix #384

WireGuard the remaining Prometheus exporters
f5f5b4c7 · Kristian Klausen · 168a0cfb · f5f5b4c7 · f5f5b4c7
Verified Commit f5f5b4c7 authored 2 years ago by Kristian Klausen
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -53,7 +53,7 @@ scrape_configs:
  - job_name: 'node_exporter'
    static_configs:
      {% for host in groups['all'] %}
-      - targets: ['{{ host }}:{{ prometheus_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_exporter_port }}']
        labels:
          instance: "{{ host }}"
      {% endfor %}
@@ -83,7 +83,7 @@ scrape_configs:
  - job_name: 'gitlab_runner_exporter'
    static_configs:
      {% for host in groups['gitlab_runners'] %}
-      - targets: ['{{ host }}:{{ gitlab_runner_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ gitlab_runner_exporter_port }}']
        labels:
          instance: "{{ host }}"
      {% endfor %}
@@ -112,7 +112,7 @@ scrape_configs:
  - job_name: 'mysqld_exporter'
    static_configs:
      {% for host in groups['mysql_servers'] %}
-      - targets: ['{{ host }}:{{ prometheus_mysqld_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_mysqld_exporter_port }}']
        labels:
          instance: "{{ host }}"
      {% endfor %}
@@ -120,7 +120,7 @@ scrape_configs:
  - job_name: 'memcached_exporter'
    static_configs:
      {% for host in groups['memcached'] %}
-      - targets: ['{{ host }}:{{ prometheus_memcached_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_memcached_exporter_port }}']
        labels:
          instance: "{{ host }}"
      {% endfor %}

--- a/roles/prometheus_exporters/tasks/main.yml
+++ b/roles/prometheus_exporters/tasks/main.yml
@@ -221,21 +221,21 @@
  when: "'memcached' in group_names"

 - name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
  when: "'prometheus' not in group_names"

 - name: Open gitlab exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
  when: "'gitlab_runners' in group_names"

 - name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
  when: "'mysql_servers' in group_names"

 - name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
  when: "'memcached' in group_names"