diff --git a/.gitignore b/.gitignore
index 2411689..7b22d86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 prod
 passwords/
-vault_pass
\ No newline at end of file
+vault_pass
+.idea/
\ No newline at end of file
diff --git a/files/docker-compose.yml b/files/docker-compose.yml
index 0f6c260..ade5bea 100644
--- a/files/docker-compose.yml
+++ b/files/docker-compose.yml
@@ -48,25 +48,6 @@ services:
 - redis
 - postfix
 
- grafana:
- image: grafana/grafana:7.2.2
- restart: always
- ports:
- - 127.0.0.1:3002:3000
- volumes:
- - ./volumes/grafana:/var/lib/grafana
- depends_on:
- - influxdb
-
- influxdb:
- image: influxdb:1.8-alpine
- restart: always
- ports:
- - 127.0.0.1:8086:8086
- volumes:
- - ./volumes/influxdb:/var/lib/influxdb
- - ./influxdb.conf:/etc/influxdb/influxdb.conf:ro
-
 postgres:
 image: postgres:12-alpine
 restart: always
diff --git a/playbooks/gitea.yml b/playbooks/gitea.yml
index b4a99a6..1e56972 100644
--- a/playbooks/gitea.yml
+++ b/playbooks/gitea.yml
@@ -22,16 +22,13 @@
 - { path: '/gitea/volumes/gitea/', owner: 'root' }
 - { path: '/gitea/volumes/redis/', owner: 'root' }
 - { path: '/gitea/volumes/weblate/', owner: '1000' }
- - { path: '/gitea/volumes/grafana/', owner: '472' }
 - { path: '/gitea/volumes/postgres/', owner: '70' }
- - { path: '/gitea/volumes/influxdb/', owner: 'root' }
 
 - name: add all templates
 template: src={{item.src}} dest={{item.dest}} mode={{item.mode}}
 with_items:
 - { src: '../templates/gitea.conf', dest: '/etc/nginx/sites-enabled/gitea.conf', mode: '0600' }
 - { src: '../templates/weblate.conf', dest: '/etc/nginx/sites-enabled/weblate.conf', mode: '0600' }
- - { src: '../templates/grafana.conf', dest: '/etc/nginx/sites-enabled/grafana.conf', mode: '0600' }
 - { src: '../templates/env', dest: '/gitea/.env', mode: '0600' }
 - name: copy all files
 copy: src={{item.src}} dest={{item.dest}} mode={{item.mode}}
@@ -54,25 +51,10 @@
 state: present
 pull: yes
 
- - name: Create htpasswd file for influxdb reporting endpoint
- community.general.htpasswd:
- path: /gitea/influxdb_htpasswd
- name: telegraf
- password: '{{ influxdb_auth_password }}'
- owner: root
- group: www-data
- mode: 0640
-
 - name: request letsencrypt certificates
 shell: |
 certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
 certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
- certbot certonly --nginx --agree-tos -d 'grafana.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
- # keep old domain working for a while
- certbot certonly --nginx --agree-tos -d 'yerbamate.dev' -m '{{ letsencrypt_contact_email }}' -n
- certbot certonly --nginx --agree-tos -d 'weblate.yerbamate.dev' -m '{{ letsencrypt_contact_email }}' -n
- certbot certonly --nginx --agree-tos -d 'grafana.yerbamate.dev' -m '{{ letsencrypt_contact_email }}' -n
-
 - name: reload nginx config and certs
 shell: nginx -s reload
 
@@ -90,10 +72,3 @@
 name=certbot-renew-weblate
 user=root
 job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'"
-
- - name: renew grafana certificates
- cron:
- special_time=daily
- name=certbot-renew-grafana
- user=root
- job="certbot certonly --nginx -d grafana.{{ domain }} -n --deploy-hook 'nginx -s reload'"
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 9cc2705..b715768 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -1,3 +1,2 @@
 ---
 - import_playbook: gitea.yml
-- import_playbook: telegraf.yml
diff --git a/playbooks/telegraf.yml b/playbooks/telegraf.yml
deleted file mode 100644
index d5a01b1..0000000
--- a/playbooks/telegraf.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-- hosts: all
-
- tasks:
- - name: copy nginx files
- copy:
- src: '../files/nginx_status.conf'
- dest: '/etc/nginx/sites-enabled/nginx_status.conf'
-
- - name: add telegraf apt key
- apt_key:
- keyserver: https://repos.influxdata.com/influxdb.key
- id: 684A14CF2582E0C5
- state: present
-
- - name: add telegraf apt repository
- apt_repository:
- # Note: we need to adjust this manually for different ubuntu versions
- repo: 'deb https://repos.influxdata.com/ubuntu bionic stable'
- state: present
- filename: influxdb
- update_cache: yes
-
- - name: add telegraf to docker group
- action: user name=telegraf groups="docker" append=yes
-
- - name: install telegraf
- apt:
- name: telegraf
- state: present
-
- - name: add telegraf config
- template:
- src: '../templates/telegraf.conf.j2'
- dest: '/etc/telegraf/telegraf.conf'
- owner: telegraf
- group: telegraf
- mode: '0600'
-
- - name: start and enable telegraf service
- systemd:
- state: reloaded
- name: telegraf
- enabled: true
diff --git a/templates/grafana.conf b/templates/grafana.conf
deleted file mode 100644
index 05a1030..0000000
--- a/templates/grafana.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-# forward from old domain
-server {
- listen 80;
- server_name grafana.yerbamate.dev;
- return https://grafana.yerbamate.ml$request_uri;
-}
-server {
- listen 443 ssl http2;
- server_name grafana.yerbamate.dev;
- ssl_certificate /etc/letsencrypt/live/grafana.yerbamate.dev/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/grafana.yerbamate.dev/privkey.pem;
- return https://grafana.yerbamate.ml$request_uri;
-}
-
-server {
- listen 80;
- server_name grafana.{{ domain }};
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- server_name grafana.{{ domain }};
-
- ssl_certificate /etc/letsencrypt/live/grafana.{{ domain }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/grafana.{{ domain }}/privkey.pem;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Strict-Transport-Security "max-age=15768000";
- add_header Referrer-Policy "same-origin";
- fastcgi_hide_header X-Powered-By;
- server_tokens off;
-
- client_max_body_size 100M;
-
- # No compression for json to avoid BREACH attack.
- gzip on;
- gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg;
- gzip_proxied any;
- gzip_vary on;
-
- location / {
- proxy_pass http://127.0.0.1:3002;
- }
-
- location /telegraf-input/ {
- auth_basic "telegraf input";
- auth_basic_user_file /gitea/influxdb_htpasswd;
- proxy_pass http://127.0.0.1:8086/;
- }
-}
diff --git a/templates/telegraf.conf.j2 b/templates/telegraf.conf.j2
deleted file mode 100644
index 068a6c5..0000000
--- a/templates/telegraf.conf.j2
+++ /dev/null
@@ -1,445 +0,0 @@ - -# Telegraf Configuration -# -# Telegraf is entirely plugin driven. All metrics are gathered from the -# declared inputs, and sent to the declared outputs. -# -# Plugins must be declared in here to be active. -# To deactivate a plugin, comment out the name and any variables. -# -# Use 'telegraf -config telegraf.conf -test' to see what metrics a config -# file would generate. -# -# Environment variables can be used anywhere in this config file, simply surround -# them with ${}. For strings the variable must be within quotes (ie, "${STR_VAR}"), -# for numbers and booleans they should be plain (ie, ${INT_VAR}, ${BOOL_VAR}) - - -# Global tags can be specified here in key="value" format. -[global_tags] -# dc = "us-east-1" # will tag all metrics with dc=us-east-1 -# rack = "1a" -## Environment variables can be used as tags, and throughout the config file -# user = "$USER" - - -# Configuration for telegraf agent -[agent] -## Default data collection interval for all inputs -interval = "10s" -## Rounds collection interval to 'interval' -## ie, if interval="10s" then always collect on :00, :10, :20, etc. -round_interval = true - -## Telegraf will send metrics to outputs in batches of at most -## metric_batch_size metrics. -## This controls the size of writes that Telegraf sends to output plugins. -metric_batch_size = 1000 - -## Maximum number of unwritten metrics per output. Increasing this value -## allows for longer periods of output downtime without dropping metrics at the -## cost of higher maximum memory usage. -metric_buffer_limit = 10000 - -## Collection jitter is used to jitter the collection by a random amount. -## Each plugin will sleep for a random time within jitter before collecting. -## This can be used to avoid many plugins querying things like sysfs at the -## same time, which can have a measurable effect on the system. -collection_jitter = "0s" - -## Default flushing interval for all outputs. 
Maximum flush_interval will be -## flush_interval + flush_jitter -flush_interval = "10s" -## Jitter the flush interval by a random amount. This is primarily to avoid -## large write spikes for users running a large number of telegraf instances. -## ie, a jitter of 5s and interval 10s means flushes will happen every 10-15s -flush_jitter = "0s" - -## By default or when set to "0s", precision will be set to the same -## timestamp order as the collection interval, with the maximum being 1s. -## ie, when interval = "10s", precision will be "1s" -## when interval = "250ms", precision will be "1ms" -## Precision will NOT be used for service inputs. It is up to each individual -## service input to set the timestamp at the appropriate precision. -## Valid time units are "ns", "us" (or "µs"), "ms", "s". -precision = "" - -## Log at debug level. -# debug = false -## Log only error level messages. -# quiet = false - -## Log target controls the destination for logs and can be one of "file", -## "stderr" or, on Windows, "eventlog". When set to "file", the output file -## is determined by the "logfile" setting. -# logtarget = "file" - -## Name of the file to be logged to when using the "file" logtarget. If set to -## the empty string then logs are written to stderr. -# logfile = "" - -## The logfile will be rotated after the time interval specified. When set -## to 0 no time based rotation is performed. Logs are rotated only when -## written to, if there is no log activity rotation may be delayed. -# logfile_rotation_interval = "0d" - -## The logfile will be rotated when it becomes larger than the specified -## size. When set to 0 no size based rotation is performed. -# logfile_rotation_max_size = "0MB" - -## Maximum number of rotated archives to keep, any older logs are deleted. -## If set to -1, no archives are removed. 
-# logfile_rotation_max_archives = 5 - -## Override default hostname, if empty use os.Hostname() -hostname = "" -## If set to true, do no set the "host" tag in the telegraf agent. -omit_hostname = false - - -############################################################################### -# OUTPUT PLUGINS # -############################################################################### - - -# Configuration for sending metrics to InfluxDB -[[outputs.influxdb]] -## The full HTTP or UDP URL for your InfluxDB instance. -## -## Multiple URLs can be specified for a single cluster, only ONE of the -## urls will be written to each interval. -# urls = ["unix:///var/run/influxdb.sock"] -# urls = ["udp://127.0.0.1:8089"] -# urls = ["http://127.0.0.1:8086"] -urls = ["https://grafana.yerbamate.dev/telegraf-input"] - -## The target database for metrics; will be created as needed. -## For UDP url endpoint database needs to be configured on server side. -database = "yerbamate" - -## The value of this tag will be used to determine the database. If this -## tag is not set the 'database' option is used as the default. -# database_tag = "" - -## If true, the 'database_tag' will not be included in the written metric. -# exclude_database_tag = false - -## If true, no CREATE DATABASE queries will be sent. Set to true when using -## Telegraf with a user without permissions to create databases or when the -## database already exists. -# skip_database_creation = false - -## Name of existing retention policy to write to. Empty string writes to -## the default retention policy. Only takes effect when using HTTP. -# retention_policy = "" - -## The value of this tag will be used to determine the retention policy. If this -## tag is not set the 'retention_policy' option is used as the default. -# retention_policy_tag = "" - -## If true, the 'retention_policy_tag' will not be included in the written metric. 
-# exclude_retention_policy_tag = false - -## Write consistency (clusters only), can be: "any", "one", "quorum", "all". -## Only takes effect when using HTTP. -# write_consistency = "any" - -## Timeout for HTTP messages. -# timeout = "5s" - -## HTTP Basic Auth -username = "telegraf" -password = "{{ influxdb_auth_password }}" - -## HTTP User-Agent -# user_agent = "telegraf" - -## UDP payload size is the maximum packet size to send. -# udp_payload = "512B" - -## Optional TLS Config for use on HTTP connections. -# tls_ca = "/etc/telegraf/ca.pem" -# tls_cert = "/etc/telegraf/cert.pem" -# tls_key = "/etc/telegraf/key.pem" -## Use TLS but skip chain & host verification -# insecure_skip_verify = false - -## HTTP Proxy override, if unset values the standard proxy environment -## variables are consulted to determine which proxy, if any, should be used. -# http_proxy = "http://corporate.proxy:3128" - -## Additional HTTP headers -# http_headers = {"X-Special-Header" = "Special-Value"} - -## HTTP Content-Encoding for write request body, can be set to "gzip" to -## compress body or "identity" to apply no encoding. -# content_encoding = "identity" - -## When true, Telegraf will output unsigned integers as unsigned values, -## i.e.: "42u". You will need a version of InfluxDB supporting unsigned -## integer values. Enabling this option will result in field type errors if -## existing data has been written. -# influx_uint_support = false - - -############################################################################### -# INPUT PLUGINS # -############################################################################### - - -# Read metrics about cpu usage -[[inputs.cpu]] -## Whether to report per-cpu stats or not -percpu = true -## Whether to report total system cpu stats or not -totalcpu = true -## If true, collect raw CPU time metrics. -collect_cpu_time = false -## If true, compute and report the sum of all non-idle CPU states. 
-report_active = false - - -# Read metrics about disk usage by mount point -[[inputs.disk]] -## By default stats will be gathered for all mount points. -## Set mount_points will restrict the stats to only the specified mount points. -# mount_points = ["/"] - -## Ignore mount points by filesystem type. -ignore_fs = ["tmpfs", "devtmpfs", "devfs", "iso9660", "overlay", "aufs", "squashfs"] - - -# Read metrics about disk IO by device -[[inputs.diskio]] -## By default, telegraf will gather stats for all devices including -## disk partitions. -## Setting devices will restrict the stats to the specified devices. -# devices = ["sda", "sdb", "vd*"] -## Uncomment the following line if you need disk serial numbers. -# skip_serial_number = false -# -## On systems which support it, device metadata can be added in the form of -## tags. -## Currently only Linux is supported via udev properties. You can view -## available properties for a device by running: -## 'udevadm info -q property -n /dev/sda' -## Note: Most, but not all, udev properties can be accessed this way. Properties -## that are currently inaccessible include DEVTYPE, DEVNAME, and DEVPATH. -# device_tags = ["ID_FS_TYPE", "ID_FS_USAGE"] -# -## Using the same metadata source as device_tags, you can also customize the -## name of the device via templates. -## The 'name_templates' parameter is a list of templates to try and apply to -## the device. The template may contain variables in the form of '$PROPERTY' or -## '${PROPERTY}'. The first template which does not contain any variables not -## present for the device is used as the device name tag. -## The typical use case is for LVM volumes, to get the VG/LV name instead of -## the near-meaningless DM-0 name. 
-# name_templates = ["$ID_FS_LABEL","$DM_VG_NAME/$DM_LV_NAME"] - - -# Get kernel statistics from /proc/stat -[[inputs.kernel]] -# no configuration - - -# Read metrics about memory usage -[[inputs.mem]] -# no configuration - - -# Get the number of processes and group them by status -[[inputs.processes]] -# no configuration - - -# Read metrics about swap memory usage -[[inputs.swap]] -# no configuration - - -# Read metrics about system load & uptime -[[inputs.system]] -## Uncomment to remove deprecated metrics. -fielddrop = ["uptime_format"] - - -[[inputs.net]] -interfaces = ["eth0"] - - -# Read metrics about docker containers -[[inputs.docker]] -## Docker Endpoint -## To use TCP, set endpoint = "tcp://[ip]:[port]" -## To use environment variables (ie, docker-machine), set endpoint = "ENV" -endpoint = "unix:///var/run/docker.sock" - -## Set to true to collect Swarm metrics(desired_replicas, running_replicas) -gather_services = false - -## Only collect metrics for these containers, collect all if empty -container_names = [] - -## Set the source tag for the metrics to the container ID hostname, eg first 12 chars -source_tag = false - -## Containers to include and exclude. Globs accepted. -## Note that an empty array for both will include all containers -container_name_include = [] -container_name_exclude = [] - -## Container states to include and exclude. Globs accepted. -## When empty only containers in the "running" state will be captured. -## example: container_state_include = ["created", "restarting", "running", "removing", "paused", "exited", "dead"] -## example: container_state_exclude = ["created", "restarting", "running", "removing", "paused", "exited", "dead"] -# container_state_include = [] -# container_state_exclude = [] - -## Timeout for docker list, info, and stats commands -timeout = "5s" - -## Whether to report for each container per-device blkio (8:0, 8:1...) and -## network (eth0, eth1, ...) 
stats or not -perdevice = true - -## Whether to report for each container total blkio and network stats or not -total = false - -## Which environment variables should we use as a tag -##tag_env = ["JAVA_HOME", "HEAP_SIZE"] - -## docker labels to include and exclude as tags. Globs accepted. -## Note that an empty array for both will include all labels as tags -docker_label_include = [] -docker_label_exclude = [] - -## Optional TLS Config -# tls_ca = "/etc/telegraf/ca.pem" -# tls_cert = "/etc/telegraf/cert.pem" -# tls_key = "/etc/telegraf/key.pem" -## Use TLS but skip chain & host verification -# insecure_skip_verify = false - - -# Read Nginx's basic status information (ngx_http_stub_status_module) -[[inputs.nginx]] -# An array of Nginx stub_status URI to gather stats. -urls = ["http://localhost:8090/nginx_status"] -## Optional TLS Config -# tls_ca = "/etc/telegraf/ca.pem" -# tls_cert = "/etc/telegraf/cert.cer" -# tls_key = "/etc/telegraf/key.key" -## Use TLS but skip chain & host verification -# insecure_skip_verify = false -# HTTP response timeout (default: 5s) -# response_timeout = "5s" - - -# # Read nginx_upstream_check module status information (https://github.com/yaoweibin/nginx_upstream_check_module) -# [[inputs.nginx_upstream_check]] -# ## An URL where Nginx Upstream check module is enabled -# ## It should be set to return a JSON formatted response -# url = "http://127.0.0.1/status?format=json" -# -# ## HTTP method -# # method = "GET" -# -# ## Optional HTTP headers -# # headers = {"X-Special-Header" = "Special-Value"} -# -# ## Override HTTP "Host" header -# # host_header = "check.example.com" -# -# ## Timeout for HTTP requests -# timeout = "5s" -# -# ## Optional HTTP Basic Auth credentials -# # username = "username" -# # password = "pa$$word" -# -# ## Optional TLS Config -# # tls_ca = "/etc/telegraf/ca.pem" -# # tls_cert = "/etc/telegraf/cert.pem" -# # tls_key = "/etc/telegraf/key.pem" -# ## Use TLS but skip chain & host verification -# # insecure_skip_verify 
= false - - -############################################################################### -# SERVICE INPUT PLUGINS # -############################################################################### - - -# Read logging output from the Docker engine -[[inputs.docker_log]] -# Docker Endpoint -# To use TCP, set endpoint = "tcp://[ip]:[port]" -# To use environment variables (ie, docker-machine), set endpoint = "ENV" -endpoint = "unix:///var/run/docker.sock" -# When true, container logs are read from the beginning; otherwise -# reading begins at the end of the log. -from_beginning = false - -## Timeout for Docker API calls. -# timeout = "5s" - -## Containers to include and exclude. Globs accepted. -## Note that an empty array for both will include all containers -# container_name_include = [] -# container_name_exclude = [] - -## Container states to include and exclude. Globs accepted. -## When empty only containers in the "running" state will be captured. -# container_state_include = [] -# container_state_exclude = [] - -## docker labels to include and exclude as tags. Globs accepted. -## Note that an empty array for both will include all labels as tags -# docker_label_include = [] -# docker_label_exclude = [] - -## Set the source tag for the metrics to the container ID hostname, eg first 12 chars -source_tag = false - -## Optional TLS Config -# tls_ca = "/etc/telegraf/ca.pem" -# tls_cert = "/etc/telegraf/cert.pem" -# tls_key = "/etc/telegraf/key.pem" -## Use TLS but skip chain & host verification -# insecure_skip_verify = false - - -# # Read metrics from one or many postgresql servers -# [[inputs.postgresql]] -# ## specify address via a url matching: -# ## postgres://[pqgotest[:password]]@localhost[/dbname]\ -# ## ?sslmode=[disable|verify-ca|verify-full] -# ## or a simple string: -# ## host=localhost user=pqotest password=... sslmode=... dbname=app_production -# ## -# ## All connection parameters are optional. 
-# ## -# ## Without the dbname parameter, the driver will default to a database -# ## with the same name as the user. This dbname is just for instantiating a -# ## connection with the server and doesn't restrict the databases we are trying -# ## to grab metrics for. -# ## -# address = "host=localhost user=postgres sslmode=disable" -# ## A custom name for the database that will be used as the "server" tag in the -# ## measurement output. If not specified, a default one generated from -# ## the connection address is used. -# # outputaddress = "db01" -# -# ## connection configuration. -# ## maxlifetime - specify the maximum lifetime of a connection. -# ## default is forever (0s) -# max_lifetime = "0s" -# -# ## A list of databases to explicitly ignore. If not specified, metrics for all -# ## databases are gathered. Do NOT use with the 'databases' option. -# # ignored_databases = ["postgres", "template0", "template1"] -# -# ## A list of databases to pull metrics about. If not specified, metrics for all -# ## databases are gathered. Do NOT use with the 'ignored_databases' option. -# # databases = ["app_production", "testing"]