Implement complete monitoring infrastructure following rick-infra principles: Components: - VictoriaMetrics: Prometheus-compatible TSDB (7x less RAM usage) - Grafana: Visualization dashboard with Authentik OAuth/OIDC integration - node_exporter: System metrics collection (CPU, memory, disk, network) Architecture: - All services run as native systemd binaries (no containers) - localhost-only binding for security - Grafana uses native OAuth integration with Authentik (not forward_auth) - Full systemd security hardening enabled - Proxied via Caddy at metrics.jnss.me with HTTPS Role Features: - Unified metrics role (single role for complete stack) - Automatic role mapping via Authentik groups: - authentik Admins OR grafana-admins -> Admin access - grafana-editors -> Editor access - All others -> Viewer access - VictoriaMetrics auto-provisioned as default Grafana datasource - 12-month metrics retention by default - Comprehensive documentation included Security: - OAuth/OIDC SSO via Authentik - All metrics services bind to 127.0.0.1 only - systemd hardening (NoNewPrivileges, ProtectSystem, etc.) - Grafana accessible only via Caddy HTTPS proxy Documentation: - roles/metrics/README.md: Complete role documentation - docs/metrics-deployment-guide.md: Step-by-step deployment guide Configuration: - Updated rick-infra.yml to include metrics deployment - Grafana port set to 3001 (Gitea uses 3000) - Ready for multi-host expansion (designed for future node_exporter deployment to production hosts)
---
|
|
- name: Create node_exporter system user
|
|
ansible.builtin.user:
|
|
name: "{{ node_exporter_user }}"
|
|
system: true
|
|
create_home: false
|
|
shell: /usr/sbin/nologin
|
|
state: present
|
|
|
|
- name: Download node_exporter binary
|
|
ansible.builtin.get_url:
|
|
url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
|
|
dest: "/tmp/node_exporter-{{ node_exporter_version }}.tar.gz"
|
|
mode: '0644'
|
|
register: node_exporter_download
|
|
|
|
- name: Extract node_exporter binary
|
|
ansible.builtin.unarchive:
|
|
src: "/tmp/node_exporter-{{ node_exporter_version }}.tar.gz"
|
|
dest: /tmp
|
|
remote_src: true
|
|
creates: "/tmp/node_exporter-{{ node_exporter_version }}.linux-amd64"
|
|
when: node_exporter_download.changed
|
|
|
|
- name: Copy node_exporter binary to /usr/local/bin
|
|
ansible.builtin.copy:
|
|
src: "/tmp/node_exporter-{{ node_exporter_version }}.linux-amd64/node_exporter"
|
|
dest: /usr/local/bin/node_exporter
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
remote_src: true
|
|
when: node_exporter_download.changed
|
|
|
|
- name: Deploy node_exporter systemd service
|
|
ansible.builtin.template:
|
|
src: node_exporter.service.j2
|
|
dest: /etc/systemd/system/node_exporter.service
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
notify: restart node_exporter
|
|
|
|
- name: Enable and start node_exporter service
|
|
ansible.builtin.systemd:
|
|
name: node_exporter
|
|
enabled: "{{ node_exporter_service_enabled }}"
|
|
state: "{{ node_exporter_service_state }}"
|
|
daemon_reload: true
|
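Review bot: The `Download node_exporter binary` task fetches the release tarball with `ansible.builtin.get_url` but sets no `checksum:`, so the binary that the later tasks install to /usr/local/bin as root and start as a systemd service is accepted with no integrity check at all; pin a digest next to the version, e.g. `checksum: "sha256:{{ node_exporter_checksum }}"` with a new role default taken from the matching upstream release checksum file, so a substituted or corrupted download fails the play instead of being installed. The staging path is also a predictable location under /tmp (conventionally world-writable), and the `Extract` task's `creates:` skips extraction whenever that directory already exists, which means the `Copy` task installs whatever is present there rather than what was just downloaded; staging in a directory obtained from `ansible.builtin.tempfile` with `state: directory` and removing it once the copy is done avoids trusting pre-existing content. Separately, `linux-amd64` is hard-coded in both the URL and the extracted path, so on a non-amd64 host the role would silently fetch the wrong build; deriving that suffix from `ansible_architecture` would make the assumption explicit for the multi-host expansion the description mentions.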