Joakim
1f3f111d88
Implement complete monitoring infrastructure following rick-infra principles: Components: - VictoriaMetrics: Prometheus-compatible TSDB (7x less RAM usage) - Grafana: Visualization dashboard with Authentik OAuth/OIDC integration - node_exporter: System metrics collection (CPU, memory, disk, network) Architecture: - All services run as native systemd binaries (no containers) - localhost-only binding for security - Grafana uses native OAuth integration with Authentik (not forward_auth) - Full systemd security hardening enabled - Proxied via Caddy at metrics.jnss.me with HTTPS Role Features: - Unified metrics role (single role for complete stack) - Automatic role mapping via Authentik groups: - authentik Admins OR grafana-admins -> Admin access - grafana-editors -> Editor access - All others -> Viewer access - VictoriaMetrics auto-provisioned as default Grafana datasource - 12-month metrics retention by default - Comprehensive documentation included Security: - OAuth/OIDC SSO via Authentik - All metrics services bind to 127.0.0.1 only - systemd hardening (NoNewPrivileges, ProtectSystem, etc.) - Grafana accessible only via Caddy HTTPS proxy Documentation: - roles/metrics/README.md: Complete role documentation - docs/metrics-deployment-guide.md: Step-by-step deployment guide Configuration: - Updated rick-infra.yml to include metrics deployment - Grafana port set to 3001 (Gitea uses 3000) - Ready for multi-host expansion (designed for future node_exporter deployment to production hosts)
43 lines
1.1 KiB
Django/Jinja
43 lines
1.1 KiB
Django/Jinja
[Unit]
|
|
Description=Prometheus Node Exporter
|
|
Documentation=https://github.com/prometheus/node_exporter
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User={{ node_exporter_user }}
|
|
Group={{ node_exporter_group }}
|
|
|
|
ExecStart=/usr/local/bin/node_exporter \
|
|
--web.listen-address={{ node_exporter_listen_address }} \
|
|
{% for collector in node_exporter_enabled_collectors %}
|
|
--collector.{{ collector }} \
|
|
{% endfor %}
|
|
{% for collector in node_exporter_disabled_collectors %}
|
|
--no-collector.{{ collector }} \
|
|
{% endfor %}
|
|
--collector.filesystem.fs-types-exclude="{{ node_exporter_filesystem_ignored_fs_types | join('|') }}" \
|
|
--collector.filesystem.mount-points-exclude="{{ node_exporter_filesystem_ignored_mount_points | join('|') }}"
|
|
|
|
Restart=on-failure
|
|
RestartSec=5s
|
|
|
|
# Security hardening
|
|
{% if node_exporter_systemd_security %}
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictRealtime=true
|
|
RestrictNamespaces=true
|
|
LockPersonality=true
|
|
ReadOnlyPaths=/
|
|
{% endif %}
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|