unbound_exporter: Add TLS support
Currently unbound_exporter doesn't support TLS connections, so proxy connections through stunnel.
This commit is contained in:
parent
271eb09669
commit
964e841c1d
3 changed files with 35 additions and 17 deletions
|
@ -3,3 +3,8 @@
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: unbound_exporter
|
name: unbound_exporter
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: Restart unbound_exporter_stunnel
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: unbound_exporter_stunnel
|
||||||
|
state: restarted
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
---
|
---
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: unbound_exporter
|
name: "{{ item }}"
|
||||||
state: installed
|
state: installed
|
||||||
|
with_items:
|
||||||
|
- stunnel
|
||||||
|
- unbound_exporter
|
||||||
|
|
||||||
- name: Add user to hostkey group
|
- name: Add user to hostkey group
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
|
@ -10,7 +13,7 @@
|
||||||
groups: hostkey
|
groups: hostkey
|
||||||
append: true
|
append: true
|
||||||
create_home: false
|
create_home: false
|
||||||
notify: Restart unbound_exporter
|
notify: Restart unbound_exporter_stunnel
|
||||||
|
|
||||||
- name: Create config directory
|
- name: Create config directory
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
@ -20,17 +23,38 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ ansible_wheel }}"
|
group: "{{ ansible_wheel }}"
|
||||||
|
|
||||||
- name: Create web-config
|
- name: Create stunnel config
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
dest: /etc/unbound_exporter/web-config.yml
|
dest: /etc/unbound_exporter/stunnel.conf
|
||||||
src: web-config.yml.j2
|
src: stunnel.conf.j2
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ ansible_wheel }}"
|
group: "{{ ansible_wheel }}"
|
||||||
notify: Restart unbound_exporter
|
notify: Restart unbound_exporter_stunnel
|
||||||
|
|
||||||
- name: Enable service
|
- name: Enable service
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: unbound_exporter
|
name: unbound_exporter
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
|
arguments: >-
|
||||||
|
-unbound.ca
|
||||||
|
-unbound.cert
|
||||||
|
-unbound.host unix:///var/run/unbound.sock
|
||||||
|
-web.listen-address 127.0.0.1:9167
|
||||||
|
notify: Restart unbound_exporter
|
||||||
|
|
||||||
|
- name: Create stunnel service config
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: /etc/rc.d/unbound_exporter_stunnel
|
||||||
|
src: unbound_exporter_stunnel.sh
|
||||||
|
mode: "0755"
|
||||||
|
owner: root
|
||||||
|
group: "{{ ansible_wheel }}"
|
||||||
|
notify: Restart unbound_exporter_stunnel
|
||||||
|
|
||||||
|
- name: Enable stunnel service
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: unbound_exporter_stunnel
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|
|
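Review bot: In the `arguments: >-` block added to the "Enable service" task, `-unbound.ca` and `-unbound.cert` carry no value, so after folding the daemon is started with `-unbound.ca -unbound.cert -unbound.host unix:///var/run/unbound.sock …`; if the exporter parses its flags with Go's standard flag package, this consumes `-unbound.cert` as the value of `-unbound.ca` and leaves the certificate flag at its default instead of disabling both for the unix socket, so the intent is presumably `-unbound.ca "" -unbound.cert ""` and should be confirmed against the exporter's flag handling. The new tasks also reference `src: stunnel.conf.j2` and `src: unbound_exporter_stunnel.sh`, but the diffstat on this page lists only three changed files and the third is the deleted web-config template, so unless those sources already exist in the role the play will fail at the template/copy step. Because the removed web-config.yml.j2 enforced mutual TLS (`client_auth_type: RequireAndVerifyClientCert`), a SAN allow-list built from the prometheus group and `min_version: TLS13`, the replacement stunnel.conf.j2 should be checked for the equivalent settings (stunnel's `verifyChain`/`CAfile`, `checkHost` and `sslVersionMin`) and the commit message should state whether client-certificate verification is preserved; binding the exporter itself to `127.0.0.1:9167` is a good complement to that. Minor: `with_items` in the "Install packages" hunk is the legacy loop form, and `ansible.builtin.package` accepts a list directly, so `name: [stunnel, unbound_exporter]` without a loop installs both in one transaction.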
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
tls_server_config:
|
|
||||||
key_file: {{ tls_private }}/{{ inventory_hostname }}.key
|
|
||||||
cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
|
|
||||||
client_ca_file: {{ tls_certs }}/ca.crt
|
|
||||||
client_auth_type: RequireAndVerifyClientCert
|
|
||||||
client_allowed_sans:
|
|
||||||
{% for host in groups['prometheus'] %}
|
|
||||||
- {{ host }}
|
|
||||||
{% endfor %}
|
|
||||||
min_version: TLS13
|
|