unbound_exporter: Add TLS support

Currently unbound_exporter doesn't support TLS connections so proxy connections through stunnel.
2025-01-19 17:51:18 +00:00 · 2025-01-19 17:51:18 +00:00 · 964e841c1d
commit 964e841c1d
parent 271eb09669
3 changed files with 35 additions and 17 deletions
--- a/roles/unbound_exporter/handlers/main.yml
+++ b/roles/unbound_exporter/handlers/main.yml
@ -3,3 +3,8 @@
  ansible.builtin.service:
    name: unbound_exporter
    state: restarted
+
+- name: Restart unbound_exporter_stunnel
+  ansible.builtin.service:
+    name: unbound_exporter_stunnel
+    state: restarted
--- a/roles/unbound_exporter/tasks/main.yml
+++ b/roles/unbound_exporter/tasks/main.yml
@ -1,8 +1,11 @@
 ---
 - name: Install packages
  ansible.builtin.package:
-    name: unbound_exporter
+    name: "{{ item }}"
    state: installed
+  with_items:
+    - stunnel
+    - unbound_exporter

 - name: Add user to hostkey group
  ansible.builtin.user:
@ -10,7 +13,7 @@
    groups: hostkey
    append: true
    create_home: false
-  notify: Restart unbound_exporter
+  notify: Restart unbound_exporter_stunnel

 - name: Create config directory
  ansible.builtin.file:
@ -20,17 +23,38 @@
    owner: root
    group: "{{ ansible_wheel }}"

- name: Create web-config
+- name: Create stunnel config
  ansible.builtin.template:
-    dest: /etc/unbound_exporter/web-config.yml
-    src: web-config.yml.j2
+    dest: /etc/unbound_exporter/stunnel.conf
+    src: stunnel.conf.j2
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
-  notify: Restart unbound_exporter
+  notify: Restart unbound_exporter_stunnel

 - name: Enable service
  ansible.builtin.service:
    name: unbound_exporter
    state: started
    enabled: true
+    arguments: >-
+      -unbound.ca
+      -unbound.cert
+      -unbound.host unix:///var/run/unbound.sock
+      -web.listen-address 127.0.0.1:9167
+  notify: Restart unbound_exporter
+
+- name: Create stunnel service config
+  ansible.builtin.copy:
+    dest: /etc/rc.d/unbound_exporter_stunnel
+    src: unbound_exporter_stunnel.sh
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart unbound_exporter_stunnel
+
+- name: Enable stunnel service
+  ansible.builtin.service:
+    name: unbound_exporter_stunnel
+    state: started
+    enabled: true
--- a/roles/unbound_exporter/templates/web-config.yml.j2
+++ b/roles/unbound_exporter/templates/web-config.yml.j2
@ -1,11 +0,0 @@
---
-tls_server_config:
-  key_file: {{ tls_private }}/{{ inventory_hostname }}.key
-  cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
-  client_ca_file: {{ tls_certs }}/ca.crt
-  client_auth_type: RequireAndVerifyClientCert
-  client_allowed_sans:
-{% for host in groups['prometheus'] %}
-    - {{ host }}
-{% endfor %}
-  min_version: TLS13