Clean up some matrix_nginx_proxy_proxy_matrix_metrics_* references
This commit is contained in:
Slavi Pantaleev
@ -223,59 +223,6 @@ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname: "{{ matrix_server_fqn_mautrix
|
||||
matrix_nginx_proxy_proxy_ntfy_enabled: false
|
||||
matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
|
||||
|
||||
# Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain)
|
||||
# If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly.
|
||||
# This is only useful when an external Prometheus will be collecting metrics.
|
||||
#
|
||||
# To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.),
|
||||
# use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role.
|
||||
# Roles inject themselves into the matrix-nginx-proxy configuration.
|
||||
#
|
||||
# To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_enabled: false
|
||||
|
||||
# Controls whether Basic Auth is enabled for all `/metrics/*` endpoints.
|
||||
#
|
||||
# You can provide the Basic Auth credentials in 2 ways:
|
||||
# 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`
|
||||
# 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false
|
||||
|
||||
# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify
|
||||
# the Basic Auth username/password for protecting `/metrics/*` endpoints.
|
||||
# Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`.
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: ""
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: ""
|
||||
|
||||
# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints.
|
||||
# Use this when a single username/password is not enough and you'd like to get more control over credentials.
|
||||
#
|
||||
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
|
||||
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
|
||||
# The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: ""
|
||||
|
||||
# Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints
|
||||
# This is not meant to be modified.
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
|
||||
|
||||
# Specifies the Apache container image to use
|
||||
# when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided.
|
||||
# This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`.
|
||||
# To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password.
|
||||
# Learn more in: `roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`.
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}"
|
||||
# renovate: datasource=docker depName=httpd
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16"
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}"
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf).
|
||||
# Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`.
|
||||
# If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`.
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}"
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: []
|
||||
matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: []
|
||||
|
||||
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||||
|
||||
@ -1,60 +0,0 @@
|
||||
---
|
||||
|
||||
# When we're dealing with raw htpasswd content, we just store it in the file directly.
|
||||
- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
|
||||
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0600
|
||||
when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username
|
||||
|
||||
# Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
|
||||
# There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
|
||||
# See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
|
||||
# We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
|
||||
# As a workaround, we run `htpasswd` from an Apache container image.
|
||||
- when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''
|
||||
block:
|
||||
- name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
# We store the password in a file and make the `htpasswd` tool read it from there,
|
||||
# as opposed to passing it directly on stdin (which will expose it to other processes on the server).
|
||||
- name: Store metrics password in a temporary file
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
|
||||
dest: "/tmp/matrix-nginx-proxy-metrics-password"
|
||||
mode: 0400
|
||||
owner: "{{ matrix_user_uid }}"
|
||||
group: "{{ matrix_user_gid }}"
|
||||
|
||||
- name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
|
||||
ansible.builtin.command:
|
||||
cmd: >-
|
||||
{{ devture_systemd_docker_base_host_command_docker }} run
|
||||
--rm
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
||||
--cap-drop=ALL
|
||||
--network=none
|
||||
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
|
||||
--mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
|
||||
--entrypoint=/bin/sh
|
||||
{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
|
||||
-c
|
||||
'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
|
||||
changed_when: true
|
||||
|
||||
- name: Delete temporary metrics password file
|
||||
ansible.builtin.file:
|
||||
path: /tmp/matrix-nginx-proxy-metrics-password
|
||||
state: absent
|
||||
@ -37,10 +37,6 @@
|
||||
mode: 0644
|
||||
when: matrix_nginx_proxy_enabled | bool
|
||||
|
||||
- name: Setup metrics
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml"
|
||||
when: matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configured (generic)
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
|
||||
@ -334,19 +330,8 @@
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_enabled | bool"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI)
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
|
||||
state: absent
|
||||
|
||||
# This file is now generated by the matrix-synapse role and saved in the Synapse directory
|
||||
- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
|
||||
state: absent
|
||||
|
||||
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool"
|
||||
|
||||
@ -30,14 +30,6 @@
|
||||
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
|
||||
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
|
||||
|
||||
- name: Fail if Basic Auth enabled for metrics, but no credentials supplied
|
||||
ansible.builtin.fail:
|
||||
msg: |
|
||||
Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
|
||||
- either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
|
||||
- or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`)
|
||||
when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))"
|
||||
|
||||
- when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
block:
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
|
||||
@ -33,19 +33,6 @@
|
||||
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}
|
||||
location /metrics {
|
||||
{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}
|
||||
auth_basic "protected";
|
||||
auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
|
||||
location ^~ /_matrix/corporal {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
|
||||
Reference in New Issue
Block a user