Add monitoring role

roles/monitoring/templates/grafana-data-source.yml

@@ -0,0 +1,4 @@
+apiVersion: 1
+deleteDatasources: []
+datasources:
+  {{ [item] | to_nice_yaml | indent(2) }}

roles/monitoring/templates/grafana-ldap.toml

@@ -0,0 +1,85 @@
+# Managed by Ansible
+
+# Set to true to log user information returned from LDAP
+verbose_logging = true
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "ldap.bitlair.nl"
+# Default port is 389 or 636 if use_ssl = true
+port = 636
+# Set to true if ldap server supports TLS
+use_ssl = true
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = /path/to/certificate.crt
+
+# Search user bind dn
+bind_dn = "cn=grafana,ou=System,dc=bitlair,dc=nl"
+# Search user bind password
+bind_password = 'VHfVwAYB6tsEZHuX'
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+search_filter = "(uid=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["dc=bitlair,dc=nl"]
+
+# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
+# This is done by enabling group_search_filter below. You must also set member_of= "cn"
+# in [servers.attributes] below.
+
+# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
+# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
+# below in such a way that the user's recursive group membership is considered.
+#
+# Nested Groups + Active Directory (AD) Example:
+#
+#   AD groups store the Distinguished Names (DNs) of members, so your filter must
+#   recursively search your groups for the authenticating user's DN. For example:
+#
+#     group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
+#     group_search_filter_user_attribute = "distinguishedName"
+#     group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+#
+#     [servers.attributes]
+#     ...
+#     member_of = "distinguishedName"
+
+## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
+group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
+## Defaults to the value of username in [server.attributes]
+## Valid options are any of your values in [servers.attributes]
+## If you are using nested groups you probably want to set this and member_of in
+## [servers.attributes] to "distinguishedName"
+# group_search_filter_user_attribute = "distinguishedName"
+## An array of the base DNs to search through for groups. Typically uses ou=groups
+group_search_base_dns = ["ou=Groups,dc=bitlair,dc=nl"]
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "uid"
+email =  "mail"
+member_of = "cn"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "Admins"
+org_role = "Admin"
+# The Grafana organization database id, optional, if left out the default org (id 1) will be used
+# org_id = 1
+
+[[servers.group_mappings]]
+group_dn = "Members"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+# If you want to match all (or no ldap groups) then you can use wildcard
+group_dn = "*"
+org_role = "Viewer"

roles/monitoring/templates/grafana.ini

@@ -0,0 +1,85 @@
+# Managed by Asnible
+
+app_mode = production
+instance_name = monitoring
+
+# Directories
+[paths]
+data = /var/lib/grafana
+logs = /var/log/grafana
+plugins = /var/lib/grafana/plugins
+
+# HTTP options
+[server]
+http_addr = {{ grafana_address }}
+http_port = {{ grafana_port }}
+domain = {{ grafana_domain }}
+root_url = {{ grafana_url }}
+protocol = http
+enforce_domain = False
+socket =
+cert_key =
+cert_file =
+enable_gzip = False
+static_root_path = public
+router_logging = False
+serve_from_sub_path = False
+
+# Database
+[database]
+type = sqlite3
+
+# Remote cache
+[remote_cache]
+
+# Security
+[security]
+admin_user = admin
+admin_password = {{ grafana_admin_password }}
+
+# Users management and registration
+[users]
+allow_sign_up = False
+auto_assign_org_role = Viewer
+default_theme = dark
+
+[emails]
+welcome_email_on_sign_up = False
+
+# Analytics
+[analytics]
+reporting_enabled = "True"
+
+# Dashboards
+[dashboards]
+versions_to_keep = 20
+
+[dashboards.json]
+enabled = true
+path = /var/lib/grafana/dashboards
+
+# Alerting
+[alerting]
+enabled = true
+execute_alerts = True
+
+# SMTP and email config
+
+# Logging
+[log]
+mode = console, file
+level = info
+
+# Grafana.com configuration
+[grafana_com]
+url = https://grafana.com
+
+[auth.anonymous]
+enabled = true
+org_name = Bitlair
+org_role = Viewer
+
+[auth.ldap]
+enabled = true
+config_file = /etc/grafana/ldap.toml
+allow_sign_up = true

roles/monitoring/templates/mqtt_exporter.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Prometheus exporter for MQTT
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/mqtt_exporter/mqtt-exporter.py /etc/mqtt_exporter.yaml
+Restart=always
+RestartSec=10
+DynamicUser=true
+AmbientCapabilities=CAP_NET_RAW,CAP_NET_ADMIN+eip
+
+[Install]
+WantedBy=multi-user.target

roles/monitoring/templates/mqtt_exporter_config.yaml

@@ -0,0 +1,25 @@
+mqtt:
+  host: {{ mqtt_public_host }}
+  port: 1883
+
+prometheus:
+  port: {{ monitoring_mqtt_exporter_port }}
+
+export:
+  - subscribe: bitlair/#
+  - subscribe: bitlair/climate/+location/#
+  - subscribe: bitlair/wifi/+ssid/#
+  - subscribe: bitlair/state
+    value_map:
+      open: 1
+      closed: 0
+  - subscribe: bitlair/pos/product
+    metric_type: counter
+    labels:
+      product: enum
+  - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
+    metric_name: bitlair_internet_rx
+    value_regex: "^.+:(.+):"
+  - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
+    metric_name: bitlair_internet_tx
+    value_regex: "^.+:.+:([\\d\\.]+)"

roles/monitoring/templates/nginx-site.conf

@@ -0,0 +1,45 @@
+server {
+	listen 443 ssl http2 default_server;
+	listen [::]:443 ssl http2;
+	server_name {{ monitoring_domain }};
+
+	{% if monitoring_bootstrap_cert %}
+	include "snippets/snakeoil.conf";
+	{% else %}
+	ssl_certificate     "/var/lib/dehydrated/certs/{{ monitoring_domain }}/fullchain.pem";
+	ssl_certificate_key "/var/lib/dehydrated/certs/{{ monitoring_domain }}/privkey.pem";
+	{% endif %}
+
+	add_header X-Robots-Tag noindex;
+
+	location / {
+		proxy_pass http://localhost:9000/;
+		include proxy_params;
+	}
+
+	location /prometheus/ {
+		proxy_pass http://localhost:9090/prometheus/;
+		include proxy_params;
+
+		{% for range in trusted_ranges %}
+		allow "{{ range.cidr }}";
+		{% endfor %}
+		allow "127.0.0.1";
+		allow "::1";
+		deny all;
+	}
+
+	include "snippets/acme.conf";
+}
+
+server {
+	listen 80 default_server;
+	listen [::]:80;
+	server_name {{ monitoring_domain }};
+
+	location / {
+		rewrite ^/(.*) https://$server_name$request_uri? redirect;
+	}
+
+	include "snippets/acme.conf";
+}

roles/monitoring/templates/prometheus.yml

@@ -0,0 +1,18 @@
+# Managed by Ansible
+
+global:
+  evaluation_interval: 1m
+  scrape_interval: 1m
+
+  external_labels:
+    environment: monitoring
+
+rule_files:
+  - /etc/prometheus/rules/*.rules
+
+scrape_configs:
+  - job_name: "prometheus"
+    metrics_path: "/prometheus/metrics"
+    static_configs:
+      - targets: [ "localhost:9090" ]
+  {{ prometheus_scrape_configs | to_nice_yaml | indent(2) }}