From 964e841c1df100022a8088f585a1de1f56c1622a Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 19 Jan 2025 17:51:18 +0000
Subject: [PATCH] unbound_exporter: Add TLS support

Currently unbound_exporter doesn't support TLS connections so proxy connections through stunnel.
---
 roles/unbound_exporter/handlers/main.yml | 5 +++
 roles/unbound_exporter/tasks/main.yml | 36 +++++++++++++++----
 .../templates/web-config.yml.j2 | 11 ------
 3 files changed, 35 insertions(+), 17 deletions(-)
 delete mode 100644 roles/unbound_exporter/templates/web-config.yml.j2

diff --git a/roles/unbound_exporter/handlers/main.yml b/roles/unbound_exporter/handlers/main.yml
index bfbf5bf..2cd8d99 100644
--- a/roles/unbound_exporter/handlers/main.yml
+++ b/roles/unbound_exporter/handlers/main.yml
@@ -3,3 +3,8 @@
 ansible.builtin.service:
 name: unbound_exporter
 state: restarted
+
+- name: Restart unbound_exporter_stunnel
+ ansible.builtin.service:
+ name: unbound_exporter_stunnel
+ state: restarted
diff --git a/roles/unbound_exporter/tasks/main.yml b/roles/unbound_exporter/tasks/main.yml
index d8936f3..b194422 100644
--- a/roles/unbound_exporter/tasks/main.yml
+++ b/roles/unbound_exporter/tasks/main.yml
@@ -1,8 +1,11 @@
 ---
 - name: Install packages
 ansible.builtin.package:
- name: unbound_exporter
+ name: "{{ item }}"
 state: installed
+ with_items:
+ - stunnel
+ - unbound_exporter
 - name: Add user to hostkey group
 ansible.builtin.user:
@@ -10,7 +13,7 @@
 groups: hostkey
 append: true
 create_home: false
- notify: Restart unbound_exporter
+ notify: Restart unbound_exporter_stunnel
 - name: Create config directory
 ansible.builtin.file:
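Review bot: In the `Install packages` task of the `@@ -1,8 +1,11 @@` hunk of roles/unbound_exporter/tasks/main.yml, `with_items` with `name: "{{ item }}"` invokes the package module once per package; `loop:` is the current idiom over `with_items`, and if the target package module accepts a list (most do), `name: [stunnel, unbound_exporter]` with no loop installs both in one call and one transaction. Either form keeps `state: installed` as written. The `Add user to hostkey group` task that follows is cut by the hunk boundary and its remaining lines are reviewed in the next hunk.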
@@ -20,17 +23,38 @@
 owner: root
 group: "{{ ansible_wheel }}"
-- name: Create web-config
+- name: Create stunnel config
 ansible.builtin.template:
- dest: /etc/unbound_exporter/web-config.yml
- src: web-config.yml.j2
+ dest: /etc/unbound_exporter/stunnel.conf
+ src: stunnel.conf.j2
 mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
- notify: Restart unbound_exporter
+ notify: Restart unbound_exporter_stunnel
 - name: Enable service
 ansible.builtin.service:
 name: unbound_exporter
 state: started
 enabled: true
+ arguments: >-
+ -unbound.ca
+ -unbound.cert
+ -unbound.host unix:///var/run/unbound.sock
+ -web.listen-address 127.0.0.1:9167
+ notify: Restart unbound_exporter
+
+- name: Create stunnel service config
+ ansible.builtin.copy:
+ dest: /etc/rc.d/unbound_exporter_stunnel
+ src: unbound_exporter_stunnel.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart unbound_exporter_stunnel
+
+- name: Enable stunnel service
+ ansible.builtin.service:
+ name: unbound_exporter_stunnel
+ state: started
+ enabled: true
diff --git a/roles/unbound_exporter/templates/web-config.yml.j2 b/roles/unbound_exporter/templates/web-config.yml.j2
deleted file mode 100644
index 03e5466..0000000
--- a/roles/unbound_exporter/templates/web-config.yml.j2
+++ /dev/null
@@ -1,11 +0,0 @@
----
-tls_server_config:
- key_file: {{ tls_private }}/{{ inventory_hostname }}.key
- cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
- client_ca_file: {{ tls_certs }}/ca.crt
- client_auth_type: RequireAndVerifyClientCert
- client_allowed_sans:
-{% for host in groups['prometheus'] %}
- - {{ host }}
-{% endfor %}
- min_version: TLS13
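Review bot: The `Create stunnel config` and `Create stunnel service config` tasks in the `@@ -20,17 +23,38 @@` hunk reference `stunnel.conf.j2` and `unbound_exporter_stunnel.sh`, but neither file is part of this patch (the diffstat lists only the two main.yml files and the deleted web-config.yml.j2), so unless they already exist in the role the template and copy tasks fail. Their absence also leaves the TLS policy unreviewable: the deleted web-config enforced `client_auth_type: RequireAndVerifyClientCert`, `client_allowed_sans` limited to the prometheus group and `min_version: TLS13`, and the stunnel side should carry equivalent peer verification, since the exporter itself now answers in plaintext on `127.0.0.1:9167` to any local process. In the `arguments` folded scalar, `-unbound.ca -unbound.cert` are given without values; if the exporter parses its flags with Go's standard `flag` package, `-unbound.ca` consumes `-unbound.cert` as its value, so write `-unbound.ca= -unbound.cert=` (or drop both if they are unused with a `unix://` host) to make the intent explicit. The hunk opens inside the `Create config directory` task, whose first lines are outside it.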