Verified Commit f5f5b4c7 authored by Kristian Klausen's avatar Kristian Klausen :tada:

WireGuard the remaining Prometheus exporters

WireGuard was set up to provide an internal network with confidentiality,
authenticity and integrity[1]. This migrates the remaining Prometheus
exporters to use the internal WireGuard network.

[1] 664deb67 ("WireGuard all hosts")

Fix #384
parent 168a0cfb
Pipeline #34069 passed
......@@ -53,7 +53,7 @@ scrape_configs:
- job_name: 'node_exporter'
static_configs:
{% for host in groups['all'] %}
- targets: ['{{ host }}:{{ prometheus_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
......@@ -83,7 +83,7 @@ scrape_configs:
- job_name: 'gitlab_runner_exporter'
static_configs:
{% for host in groups['gitlab_runners'] %}
- targets: ['{{ host }}:{{ gitlab_runner_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ gitlab_runner_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
......@@ -112,7 +112,7 @@ scrape_configs:
- job_name: 'mysqld_exporter'
static_configs:
{% for host in groups['mysql_servers'] %}
- targets: ['{{ host }}:{{ prometheus_mysqld_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_mysqld_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
......@@ -120,7 +120,7 @@ scrape_configs:
- job_name: 'memcached_exporter'
static_configs:
{% for host in groups['memcached'] %}
- targets: ['{{ host }}:{{ prometheus_memcached_exporter_port }}']
- targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_memcached_exporter_port }}']
labels:
instance: "{{ host }}"
{% endfor %}
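Review bot: Every rewritten `targets` line now requires `hostvars[host]['wireguard_address']`, and the `node_exporter` job iterates `groups['all']`, so a host in the inventory without that variable would, with Ansible's default undefined handling, abort rendering of the whole scrape config. Failing loudly is better than silently dropping a host from monitoring, but the dependency should be stated where it is introduced. I would add a template comment above the first loop such as `{# targets are WireGuard addresses; every host in the group must define wireguard_address. instance keeps the inventory hostname so alerts still match #}`. The same applies to the `gitlab_runner_exporter`, `mysqld_exporter` and `memcached_exporter` hunks. Each job block continues outside its hunk.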
......
......@@ -221,21 +221,21 @@
when: "'memcached' in group_names"
- name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
when: "'prometheus' not in group_names"
- name: Open gitlab exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
when: "'gitlab_runners' in group_names"
- name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
when: "'mysql_servers' in group_names"
- name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
when: "'memcached' in group_names"
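Review bot: The four rewritten tasks add rich rules to `zone=wireguard`, but nothing visible here withdraws the rules the old tasks installed with `permanent=true` for the monitoring host's public `ipv4_address`. On hosts that were already provisioned, those permanent rules would stay in place, so the exporter ports remain reachable outside the tunnel from that address unless they are removed elsewhere. I would add a matching `state=disabled` task for each old rule, at least for one rollout, as sketched below for the node exporter. The old tasks named no zone, so the sketch assumes the rules sit in the default zone.

```yaml
- name: Remove legacy public prometheus-node-exporter ipv4 rule for monitoring.archlinux.org
  ansible.posix.firewalld: state=disabled permanent=true immediate=yes
    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
  when: "'prometheus' not in group_names"
# … same pattern for gitlab_runner_exporter_port, prometheus_mysqld_exporter_port and prometheus_memcached_exporter_port, each with its existing `when` condition …
```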