From b8448569d429eed8a70dd14db1e1bf22811bf75b Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 24 Jan 2022 00:30:29 +0100
Subject: [PATCH 1/4] [monitoring] Zamok don't have certbot neither nginx

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 hosts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hosts b/hosts
index af376853..36241bd6 100644
--- a/hosts
+++ b/hosts
@@ -22,11 +22,13 @@ belenios.adm.crans.org
 routeurs_vm
 
 [blackbox]
+fyre.cachan-adm.crans.org
 monitoring.adm.crans.org
 
 [certbot]
-sputnik.adm.crans.org
+irc.adm.crans.org
 proxy-pve-adh.adm.crans.org
+sputnik.adm.crans.org
 
 [certbot:children]
 dovecot
@@ -37,7 +39,6 @@ mailman
 postfix
 radius # We use certbot to manage LE certificates
 reverseproxy
-thelounge
 vsftpd_mirror
 
 [constellation:children]
@@ -130,6 +131,7 @@ tealc.adm.crans.org
 
 [nginx]
 eclat.adm.crans.org
+irc.adm.crans.org
 ptf.adm.crans.org
 
 [nginx:children]
@@ -143,7 +145,6 @@ printer
 re2o_front
 reverseproxy
 roundcube
-thelounge
 wiki
 
 [ntp_server]
-- 
GitLab

From d19545cd848b55503014da4aecd3acdd47b8963f Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 24 Jan 2022 00:54:39 +0100
Subject: [PATCH 2/4] [monitoring] Add permission to send pings to prometheus-blackbox-exporter

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 roles/prometheus-blackbox-exporter/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/prometheus-blackbox-exporter/tasks/main.yml b/roles/prometheus-blackbox-exporter/tasks/main.yml
index a571e907..8e9915c6 100644
--- a/roles/prometheus-blackbox-exporter/tasks/main.yml
+++ b/roles/prometheus-blackbox-exporter/tasks/main.yml
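Review bot: The first hunk also adds `fyre.cachan-adm.crans.org` to `[blackbox]`, which the subject ("Zamok don't have certbot neither nginx") does not cover, and membership of that group decides which hosts get the blackbox exporter role, so the reason belongs in the commit message or an inline comment such as `fyre.cachan-adm.crans.org  # second blackbox probe location`. The second and fourth hunks drop the `thelounge` group from `[certbot:children]` and `[nginx:children]` and replace it with a direct `irc.adm.crans.org` entry; that is equivalent to the subject only if zamok was the sole remaining member of `thelounge`, which this diff does not show, so stating it in the message would help the next reader.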
@@ -1,4 +1,12 @@
 ---
+- name: Configure the exporter to allow pings
+  debconf:
+    name: "prometheus-blackbox-exporter"
+    question: "prometheus-blackbox-exporter/want_cap_net_raw"
+    value: "true"
+    vtype: "boolean"
+  notify: Restart prometheus-blackbox-exporter
+
 - name: Install Prometheus Blackbox exporter
   apt:
     update_cache: true
-- 
GitLab

From da70cc483e5a093916b59fa659cd89eceb6f955c Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 4 Apr 2022 16:48:26 +0200
Subject: [PATCH 3/4] Good bye Cachan, hello Horst, Karst & Rodney!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 host_vars/monitoring.adm.crans.org.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/host_vars/monitoring.adm.crans.org.yml b/host_vars/monitoring.adm.crans.org.yml
index 8850d61a..fc4f2a9b 100644
--- a/host_vars/monitoring.adm.crans.org.yml
+++ b/host_vars/monitoring.adm.crans.org.yml
@@ -76,6 +76,28 @@ loc_prometheus:
       - target_label: __address__
         replacement: 127.0.0.1:9115
 
+  blackbox_icmp:
+    file: targets_icmp.json
+    targets:
+      - karst.adm.crans.org
+      - horst.adm.crans.org
+      - rodney.adm.crans.org
+    config:
+      - job_name: blackbox_icmp
+        file_sd_configs:
+          - files:
+              - '/etc/prometheus/targets_icmp.json'
+        metrics_path: /probe
+        params:
+          module: [icmp] # Look for a ICMP ping
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: __param_target
+          - source_labels: [__param_target]
+            target_label: instance
+          - target_label: __address__
+            replacement: 127.0.0.1:9115
+
   mtail:
     file: targets_mtail.json
     targets:
-- 
GitLab

From 830afd153182bb691243ce79def88b5c9b6f22e8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 4 Apr 2022 17:26:15 +0200
Subject: [PATCH 4/4] [grafana] More power!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/grafana.yml               |  4 ++++
 roles/grafana/templates/ldap.toml.j2 | 12 +++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

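Review bot: The debconf answer set by the new task is only read when the package's postinst runs, so on a host where prometheus-blackbox-exporter is already installed this task stores `want_cap_net_raw=true` and fires the `Restart prometheus-blackbox-exporter` handler, but nothing re-runs the postinst and the exporter keeps running without CAP_NET_RAW; unless that handler (defined outside this hunk) already does so, it should run `dpkg-reconfigure -f noninteractive prometheus-blackbox-exporter` before the restart. Placing the task before the apt install does cover fresh installs correctly. A why-comment above the task would also help: `# The icmp module needs CAP_NET_RAW; the Debian package grants it (presumably via setcap in its postinst) when this debconf answer is true, so the exporter does not have to run as root`.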
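Review bot: The new `blackbox_icmp` job silently depends on the exporter at `127.0.0.1:9115` having CAP_NET_RAW (granted by the debconf change in the previous patch of this series); without it the probes do not error out, they just report `probe_success` 0 for every target, so an alert on `probe_success == 0` for `job="blackbox_icmp"` is the way to notice a missing capability rather than a down host. The `module: [icmp]` name must also match a module in the exporter's own config, which this hunk cannot show. The comment should read `# Look for an ICMP ping`, and the `relabel_configs` block repeats the one directly above it verbatim; if the file already uses anchors that is a candidate for `&blackbox_relabel` / `*blackbox_relabel`, otherwise a one-line comment pointing at the shared pattern is enough.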
diff --git a/group_vars/grafana.yml b/group_vars/grafana.yml
index 254405df..9653f4a3 100644
--- a/group_vars/grafana.yml
+++ b/group_vars/grafana.yml
@@ -4,6 +4,10 @@ glob_grafana:
   ldap_base: "{{ glob_ldap.base }}"
   ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
   ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"
+  ldap_group_tree: "ou=group,{{ glob_ldap.base }}"
+  ldap_group_filter: "uid"
+  ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}"
+  ldap_group_editor: "*" # Everyone is editor
 
   logos:
     - which: crans_logo_white_small.svg
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
index c92a9330..7685d90f 100644
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@@ -31,8 +31,8 @@ search_base_dns = ["ou=passwd,dc=crans,dc=org"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
-group_search_filter_user_attribute = "cn"
+group_search_base_dns = ["{{ grafana.ldap_group_tree }}"]
+group_search_filter_user_attribute = "{{ grafana.ldap_group_filter }}"
 
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
@@ -41,7 +41,13 @@ surname = "sn"
 username = "uid"
 email = "mail"
 
+# Nounous can administrate
+[[servers.group_mappings]]
+group_dn = "{{ grafana.ldap_group_admin }}"
+org_role = "Admin"
+grafana_admin = true
+
 # All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "*"
+group_dn = "{{ grafana.ldap_group_editor }}"
 org_role = "Editor"
-- 
GitLab
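Review bot: `ldap_group_filter: "uid"` is a misleading name: the value is not a filter but the user attribute Grafana substitutes for `%s` in `group_search_filter` (here `memberUid`, which holds uids, so `uid` is the right choice and the old `cn` only worked where cn equals uid). Renaming it `ldap_group_filter_user_attribute` would match the Grafana option it feeds; if the name has to stay, a comment `# user attribute substituted for %s in group_search_filter (memberUid holds uids)` records the intent. The `# Everyone is editor` comment would be more precise as `# "*" matches every LDAP user who can log in, so all of ou=passwd gets Editor`, since the catch-all has the same scope as the existing template line.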
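Review bot: The hunk templates `group_search_base_dns` from `grafana.ldap_group_tree`, but the context line just above it, `search_base_dns = ["ou=passwd,dc=crans,dc=org"]`, is still hard-coded even though `grafana.ldap_user_tree` already exists in group_vars; `search_base_dns = ["{{ grafana.ldap_user_tree }}"]` would remove the last fixed DN from this template and keep user and group lookups consistent. The cn-to-uid switch for `group_search_filter_user_attribute` matches the `memberUid=%s` filter on the line above it.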
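Review bot: The new Admin mapping only works because it is placed before the `"*"` mapping: Grafana applies the first `[[servers.group_mappings]]` entry a user matches, so swapping the two blocks would give nounous Editor instead of Admin without any error. That ordering constraint should be written down, e.g. `# Keep this block above the "*" catch-all: Grafana uses the first matching group mapping`. `grafana_admin = true` also grants server-wide Grafana admin on top of the org Admin role, which is broader than `org_role = "Admin"` alone; if that is intended, the `# Nounous can administrate` comment should say `server admin` explicitly.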