(BC Break) Redo how metrics are exposed to external Prometheus servers
		@@ -29,13 +29,20 @@ matrix_hookshot_public_endpoint: /hookshot
 | 
			
		||||
matrix_hookshot_appservice_port: 9993
 | 
			
		||||
matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"
 | 
			
		||||
 | 
			
		||||
# Metrics work only in conjunction with matrix_synapse_metrics_enabled etc
 | 
			
		||||
matrix_hookshot_metrics_enabled: true
 | 
			
		||||
# Controls whether metrics are enabled in the bridge configuration.
 | 
			
		||||
# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 | 
			
		||||
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`.
 | 
			
		||||
matrix_hookshot_metrics_enabled: false
 | 
			
		||||
 | 
			
		||||
# Controls whether Hookshot metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/hookshot`.
 | 
			
		||||
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 | 
			
		||||
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 | 
			
		||||
matrix_hookshot_metrics_proxying_enabled: false
 | 
			
		||||
 | 
			
		||||
# There is no need to edit ports.
 | 
			
		||||
# Read the documentation to learn about using hookshot metrics with external Prometheus
 | 
			
		||||
# If you still want something different, use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
 | 
			
		||||
matrix_hookshot_metrics_port: 9001
 | 
			
		||||
matrix_hookshot_metrics_endpoint: "{{ matrix_hookshot_public_endpoint }}/metrics"
 | 
			
		||||
 | 
			
		||||
# There is no need to edit ports. use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
 | 
			
		||||
matrix_hookshot_webhook_port: 9000
 | 
			
		||||
 
 | 
			
		||||
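Review bot: The new comment above `matrix_hookshot_metrics_proxying_enabled` reads "This will only work take effect if", which leaves two verbs in a row; it should be `# This will only take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.` The same sentence is copied into the node-exporter and postgres-exporter defaults later in this commit and needs the same correction there.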
@@ -103,11 +103,10 @@
 | 
			
		||||
            [matrix_hookshot_matrix_nginx_proxy_configuration]
 | 
			
		||||
          }}
 | 
			
		||||
 | 
			
		||||
    - name: Generate Matrix hookshot proxying configuration for matrix-nginx-proxy
 | 
			
		||||
    - name: Generate hookshot metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_hookshot_matrix_nginx_proxy_metrics_configuration: |
 | 
			
		||||
          {% if matrix_hookshot_metrics_enabled and matrix_hookshot_proxy_metrics %}
 | 
			
		||||
          location {{ matrix_hookshot_metrics_endpoint }} {
 | 
			
		||||
        matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain: |
 | 
			
		||||
          location /metrics/hookshot {
 | 
			
		||||
            {% if matrix_nginx_proxy_enabled|default(False) %}
 | 
			
		||||
              {# Use the embedded DNS resolver in Docker containers to discover the service #}
 | 
			
		||||
              resolver 127.0.0.11 valid=5s;
 | 
			
		||||
@@ -117,24 +116,18 @@
 | 
			
		||||
              {# Generic configuration for use outside of our container setup #}
 | 
			
		||||
              proxy_pass http://127.0.0.1:{{ matrix_hookshot_metrics_port }}/metrics;
 | 
			
		||||
            {% endif %}
 | 
			
		||||
            proxy_set_header Host $host;
 | 
			
		||||
            {% if matrix_hookshot_proxy_metrics_basic_auth_enabled %}
 | 
			
		||||
              auth_basic "protected";
 | 
			
		||||
              auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
 | 
			
		||||
            {% endif %}
 | 
			
		||||
          }
 | 
			
		||||
          {% endif %}
 | 
			
		||||
      when: matrix_hookshot_metrics_enabled|bool and matrix_hookshot_metrics_proxying_enabled|bool
 | 
			
		||||
 | 
			
		||||
    - name: Register hookshot metrics proxying configuration with matrix-nginx-proxy
 | 
			
		||||
    - name: Register hookshot metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: |
 | 
			
		||||
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
 | 
			
		||||
          {{
 | 
			
		||||
            matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks|default([])
 | 
			
		||||
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks|default([])
 | 
			
		||||
            +
 | 
			
		||||
            [matrix_hookshot_matrix_nginx_proxy_metrics_configuration]
 | 
			
		||||
            [matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain]
 | 
			
		||||
          }}
 | 
			
		||||
  tags:
 | 
			
		||||
    - always
 | 
			
		||||
      when: matrix_hookshot_metrics_enabled|bool and matrix_hookshot_metrics_proxying_enabled|bool
 | 
			
		||||
  when: matrix_hookshot_enabled|bool
 | 
			
		||||
 | 
			
		||||
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
 | 
			
		||||
 
 | 
			
		||||
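Review bot: With the `auth_basic` lines no longer part of the generated `location /metrics/hookshot` block, nothing in this task says where authentication for the endpoint now comes from. Judging by the matrix-domain template change in this commit, the block is rendered inside `location /metrics` and inherits Basic Auth from it, and only when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` is true. A comment above the `set_fact` would make that dependency explicit, for example `# No auth_basic here: this block is nested in matrix-nginx-proxy's location /metrics, which applies Basic Auth when enabled`. The enclosing `block:` starts outside these hunks, so any guard on role ordering cannot be checked from here.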
@@ -57,3 +57,16 @@
 | 
			
		||||
  when: "matrix_hookshot_provisioning_enabled and vars[item] == ''"
 | 
			
		||||
  with_items:
 | 
			
		||||
    - "matrix_hookshot_provisioning_secret"
 | 
			
		||||
 | 
			
		||||
- name: (Deprecation) Catch and report old metrics usage
 | 
			
		||||
  fail:
 | 
			
		||||
    msg: >-
 | 
			
		||||
      Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Hookshot,
 | 
			
		||||
      which exposed metrics on `https://stats.DOMAIN/hookshot/metrics`.
 | 
			
		||||
 | 
			
		||||
      We now recommend exposing Hookshot metrics in another way, from another URL.
 | 
			
		||||
      Refer to the changelog for more details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-06-22
 | 
			
		||||
  with_items:
 | 
			
		||||
    - matrix_hookshot_proxy_metrics
 | 
			
		||||
    - matrix_hookshot_metrics_endpoint
 | 
			
		||||
  when: "item in vars"
 | 
			
		||||
 
 | 
			
		||||
@@ -192,6 +192,58 @@ matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
 | 
			
		||||
matrix_nginx_proxy_proxy_sygnal_enabled: false
 | 
			
		||||
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
 | 
			
		||||
 | 
			
		||||
# Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain)
 | 
			
		||||
# If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly.
 | 
			
		||||
# This is only useful when an external Prometheus will be collecting metrics.
 | 
			
		||||
#
 | 
			
		||||
# To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.),
 | 
			
		||||
# use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role.
 | 
			
		||||
# Roles inject themselves into the matrix-nginx-proxy configuration.
 | 
			
		||||
#
 | 
			
		||||
# To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_enabled: false
 | 
			
		||||
 | 
			
		||||
# Controls whether Basic Auth is enabled for all `/metrics/*` endpoints.
 | 
			
		||||
#
 | 
			
		||||
# You can provide the Basic Auth credentials in 2 ways:
 | 
			
		||||
# 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`
 | 
			
		||||
# 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false
 | 
			
		||||
 | 
			
		||||
# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify
 | 
			
		||||
# the Basic Auth username/password for protecting `/metrics/*` endpoints.
 | 
			
		||||
# Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`.
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: ""
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: ""
 | 
			
		||||
 | 
			
		||||
# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints.
 | 
			
		||||
# Use this when a single username/password is not enough and you'd like to get more control over credentials.
 | 
			
		||||
#
 | 
			
		||||
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
 | 
			
		||||
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
 | 
			
		||||
# The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: ""
 | 
			
		||||
 | 
			
		||||
# Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints
 | 
			
		||||
# This is not meant to be modified.
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
 | 
			
		||||
 | 
			
		||||
# Specifies the Apache container image to use
 | 
			
		||||
# when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided.
 | 
			
		||||
# This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`.
 | 
			
		||||
# To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password.
 | 
			
		||||
# Learn more in: `roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`.
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}"
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16"
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}"
 | 
			
		||||
 | 
			
		||||
# A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf).
 | 
			
		||||
# Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`.
 | 
			
		||||
# If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`.
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}"
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: []
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: []
 | 
			
		||||
 | 
			
		||||
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 | 
			
		||||
@@ -216,18 +268,6 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
 | 
			
		||||
 | 
			
		||||
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
 | 
			
		||||
matrix_nginx_proxy_proxy_synapse_metrics: false
 | 
			
		||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
 | 
			
		||||
# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
 | 
			
		||||
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
 | 
			
		||||
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
 | 
			
		||||
# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
 | 
			
		||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
 | 
			
		||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
 | 
			
		||||
matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:9100"
 | 
			
		||||
matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:9100"
 | 
			
		||||
 | 
			
		||||
# The addresses where the Matrix Client API is.
 | 
			
		||||
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
 | 
			
		||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
 | 
			
		||||
@@ -260,8 +300,6 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
 | 
			
		||||
    (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
 | 
			
		||||
    +
 | 
			
		||||
    (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
 | 
			
		||||
    +
 | 
			
		||||
    (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
 | 
			
		||||
  }}
 | 
			
		||||
 | 
			
		||||
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
 | 
			
		||||
 
 | 
			
		||||
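Review bot: In the first hunk, `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull` tests `..._apache_container_image_tag.endswith(':latest')`, but the tag variable holds only the tag (`2.4.54-alpine3.16` by default) and never contains a colon, so the expression is false even when the tag is set to `latest`. Testing the full image name restores the intended behaviour: `"{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image.endswith(':latest') }}"`. As written, a moving tag would never be re-pulled and the `htpasswd` helper image could stay stale indefinitely.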
@@ -0,0 +1,53 @@
 | 
			
		||||
# When we're dealing with raw htpasswd content, we just store it in the file directly.
 | 
			
		||||
- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
 | 
			
		||||
  copy:
 | 
			
		||||
    content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
 | 
			
		||||
    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
 | 
			
		||||
    owner: "{{ matrix_user_username }}"
 | 
			
		||||
    group: "{{ matrix_user_groupname }}"
 | 
			
		||||
    mode: 0600
 | 
			
		||||
  when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username
 | 
			
		||||
 | 
			
		||||
# Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
 | 
			
		||||
# There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
 | 
			
		||||
# See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
 | 
			
		||||
# We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
 | 
			
		||||
# As a workaround, we run `htpasswd` from an Apache container image.
 | 
			
		||||
- block:
 | 
			
		||||
  - name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
 | 
			
		||||
    docker_image:
 | 
			
		||||
      name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
 | 
			
		||||
      source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
 | 
			
		||||
      force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
 | 
			
		||||
      force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
 | 
			
		||||
 | 
			
		||||
  # We store the password in a file and make the `htpasswd` tool read it from there,
 | 
			
		||||
  # as opposed to passing it directly on stdin (which will expose it to other processes on the server).
 | 
			
		||||
  - name: Store metrics password in a temporary file
 | 
			
		||||
    copy:
 | 
			
		||||
      content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
 | 
			
		||||
      dest: "/tmp/matrix-nginx-proxy-metrics-password"
 | 
			
		||||
      mode: 0400
 | 
			
		||||
      owner: "{{ matrix_user_uid }}"
 | 
			
		||||
      group: "{{ matrix_user_gid }}"
 | 
			
		||||
 | 
			
		||||
  - name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
 | 
			
		||||
    command:
 | 
			
		||||
      cmd: >-
 | 
			
		||||
        {{ matrix_host_command_docker }} run
 | 
			
		||||
        --rm
 | 
			
		||||
        --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
 | 
			
		||||
        --cap-drop=ALL
 | 
			
		||||
        --network=none
 | 
			
		||||
        --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
 | 
			
		||||
        --mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
 | 
			
		||||
        --entrypoint=/bin/sh
 | 
			
		||||
        {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
 | 
			
		||||
        -c
 | 
			
		||||
        'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
 | 
			
		||||
 | 
			
		||||
  - name: Delete temporary metrics password file
 | 
			
		||||
    file:
 | 
			
		||||
      path: /tmp/matrix-nginx-proxy-metrics-password
 | 
			
		||||
      state: absent
 | 
			
		||||
  when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''
 | 
			
		||||
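Review bot: The plaintext password written to `/tmp/matrix-nginx-proxy-metrics-password` is only removed by the last task of the block, so if the image pull or the `htpasswd` run fails the file stays behind at a fixed, predictable path. Moving the `Delete temporary metrics password file` task under an `always:` key of the block guarantees cleanup, and `no_log: true` on the task that writes the password keeps it out of verbose and diff output. The username is also interpolated unquoted into the `sh -c '...'` string, so a value containing spaces or shell metacharacters changes the command; `{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username | quote }}` avoids that. The unquoted `mode: 0600` and `mode: 0400` values would be safer as strings (`mode: "0600"`).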
@@ -31,23 +31,9 @@
 | 
			
		||||
    mode: 0644
 | 
			
		||||
  when: matrix_nginx_proxy_enabled|bool
 | 
			
		||||
 | 
			
		||||
- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI)
 | 
			
		||||
  template:
 | 
			
		||||
    src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
 | 
			
		||||
    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
 | 
			
		||||
    owner: "{{ matrix_user_username }}"
 | 
			
		||||
    group: "{{ matrix_user_groupname }}"
 | 
			
		||||
    mode: 0400
 | 
			
		||||
  when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"
 | 
			
		||||
 | 
			
		||||
- name: Generate sample prometheus.yml for external scraping
 | 
			
		||||
  template:
 | 
			
		||||
    src: "{{ role_path }}/templates/prometheus/external_prometheus.yml.example.j2"
 | 
			
		||||
    dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
 | 
			
		||||
    owner: "{{ matrix_user_username }}"
 | 
			
		||||
    group: "{{ matrix_user_groupname }}"
 | 
			
		||||
    mode: 0644
 | 
			
		||||
  when: matrix_nginx_proxy_proxy_synapse_metrics|bool
 | 
			
		||||
- name: Setup metrics
 | 
			
		||||
  include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml"
 | 
			
		||||
  when: matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool
 | 
			
		||||
 | 
			
		||||
- name: Ensure Matrix nginx-proxy configured (generic)
 | 
			
		||||
  template:
 | 
			
		||||
@@ -324,10 +310,15 @@
 | 
			
		||||
  file:
 | 
			
		||||
    path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
 | 
			
		||||
    state: absent
 | 
			
		||||
  when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool"
 | 
			
		||||
 | 
			
		||||
- name: Ensure sample prometheus.yml for external scraping is deleted
 | 
			
		||||
# This file is now generated by the matrix-synapse role and saved in the Synapse directory
 | 
			
		||||
- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
 | 
			
		||||
  file:
 | 
			
		||||
    path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
 | 
			
		||||
    state: absent
 | 
			
		||||
  when: "not matrix_nginx_proxy_proxy_synapse_metrics|bool"
 | 
			
		||||
 | 
			
		||||
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
 | 
			
		||||
  file:
 | 
			
		||||
    path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
 | 
			
		||||
    state: absent
 | 
			
		||||
  when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool"
 | 
			
		||||
 
 | 
			
		||||
@@ -27,6 +27,14 @@
 | 
			
		||||
      `matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
 | 
			
		||||
  when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
 | 
			
		||||
 | 
			
		||||
- name: Fail if Basic Auth enabled for metrics, but no credentials supplied
 | 
			
		||||
  fail:
 | 
			
		||||
    msg: |
 | 
			
		||||
      Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
 | 
			
		||||
      - either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
 | 
			
		||||
      - or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`)
 | 
			
		||||
  when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))"
 | 
			
		||||
 | 
			
		||||
- block:
 | 
			
		||||
    - name: (Deprecation) Catch and report renamed settings
 | 
			
		||||
      fail:
 | 
			
		||||
@@ -36,6 +44,7 @@
 | 
			
		||||
      with_items:
 | 
			
		||||
        - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
 | 
			
		||||
        - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
 | 
			
		||||
        - {'old': 'matrix_nginx_proxy_proxy_synapse_workers_enabled_list', 'new': '<no longer used>'}
 | 
			
		||||
      when: "item.old in vars"
 | 
			
		||||
 | 
			
		||||
    - name: Fail if required variables are undefined
 | 
			
		||||
@@ -49,3 +58,17 @@
 | 
			
		||||
        - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container"
 | 
			
		||||
      when: "vars[item] == '' or vars[item] is none"
 | 
			
		||||
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 | 
			
		||||
 | 
			
		||||
- name: (Deprecation) Catch and report old metrics usage
 | 
			
		||||
  fail:
 | 
			
		||||
    msg: >-
 | 
			
		||||
      Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Synapse,
 | 
			
		||||
      which exposed metrics on `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`.
 | 
			
		||||
 | 
			
		||||
      We now recommend exposing Synapse metrics in another way, from another URL.
 | 
			
		||||
      Refer to the changelog for more details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-06-22
 | 
			
		||||
  with_items:
 | 
			
		||||
    - matrix_nginx_proxy_proxy_synapse_metrics
 | 
			
		||||
    - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled
 | 
			
		||||
    - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
 | 
			
		||||
  when: "item in vars"
 | 
			
		||||
 
 | 
			
		||||
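Review bot: The new `Fail if Basic Auth enabled for metrics, but no credentials supplied` check passes when raw content is set together with a username but no password, because the `raw_content == ''` term short-circuits the whole condition. In that case `setup_metrics_auth.yml` skips the raw-content task (its `when` is `not ..._username`) and runs the `htpasswd` block with an empty password file, so the raw content is ignored and the resulting entry is presumably either empty-password or invalid. A second check closes the gap: `when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '') != (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == '')"`. It would also help to fail when both a username and raw content are supplied, since only one of them is used.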
@@ -45,6 +45,19 @@
 | 
			
		||||
		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
 | 
			
		||||
	{% endif %}
 | 
			
		||||
 | 
			
		||||
	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}
 | 
			
		||||
	location /metrics {
 | 
			
		||||
		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}
 | 
			
		||||
			auth_basic "protected";
 | 
			
		||||
			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};
 | 
			
		||||
		{% endif %}
 | 
			
		||||
 | 
			
		||||
		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}
 | 
			
		||||
			{{- configuration_block }}
 | 
			
		||||
		{% endfor %}
 | 
			
		||||
	}
 | 
			
		||||
	{% endif %}
 | 
			
		||||
 | 
			
		||||
	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
 | 
			
		||||
	location ^~ /_matrix/corporal {
 | 
			
		||||
		{% if matrix_nginx_proxy_enabled %}
 | 
			
		||||
 
 | 
			
		||||
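Review bot: `location /metrics {` is a plain prefix location, so a regex location in the same server block that also matches a `/metrics/...` URI would be selected instead and the `auth_basic` settings here would not apply. The neighbouring block uses `location ^~ /_matrix/corporal`, and `location ^~ /metrics {` would give the same guarantee; whether such a regex location exists is not visible in this hunk. Separately, with `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` left at its default of `false`, every exporter registered in this block is served without authentication. That deserves a template comment such as `{# Without Basic Auth, everything registered under /metrics is publicly reachable #}`.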
@@ -145,45 +145,6 @@ server {
 | 
			
		||||
		{{- configuration_block }}
 | 
			
		||||
	{% endfor %}
 | 
			
		||||
 | 
			
		||||
	{% if matrix_nginx_proxy_proxy_synapse_metrics %}
 | 
			
		||||
	location /_synapse/metrics {
 | 
			
		||||
		{% if matrix_nginx_proxy_enabled %}
 | 
			
		||||
			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | 
			
		||||
			resolver 127.0.0.11 valid=5s;
 | 
			
		||||
			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
 | 
			
		||||
			proxy_pass http://$backend;
 | 
			
		||||
		{% else %}
 | 
			
		||||
			{# Generic configuration for use outside of our container setup #}
 | 
			
		||||
			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};
 | 
			
		||||
		{% endif %}
 | 
			
		||||
 | 
			
		||||
		proxy_set_header Host $host;
 | 
			
		||||
 | 
			
		||||
		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 | 
			
		||||
			auth_basic "protected";
 | 
			
		||||
			auth_basic_user_file {{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path }};
 | 
			
		||||
		{% endif %}
 | 
			
		||||
	}
 | 
			
		||||
	{% endif %}
 | 
			
		||||
 | 
			
		||||
	{% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %}
 | 
			
		||||
		{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %}
 | 
			
		||||
			{% if worker.metrics_port != 0 %}
 | 
			
		||||
				location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics {
 | 
			
		||||
					resolver 127.0.0.11 valid=5s;
 | 
			
		||||
					set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}";
 | 
			
		||||
					proxy_pass http://$backend/_synapse/metrics;
 | 
			
		||||
					proxy_set_header Host $host;
 | 
			
		||||
 | 
			
		||||
					{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 | 
			
		||||
						auth_basic "protected";
 | 
			
		||||
						auth_basic_user_file {{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path }};
 | 
			
		||||
					{% endif %}
 | 
			
		||||
				}
 | 
			
		||||
			{% endif %}
 | 
			
		||||
		{% endfor %}
 | 
			
		||||
	{% endif %}
 | 
			
		||||
 | 
			
		||||
	{# Everything else just goes to the API server ##}
 | 
			
		||||
	location / {
 | 
			
		||||
		{% if matrix_nginx_proxy_enabled %}
 | 
			
		||||
 
 | 
			
		||||
@@ -1,3 +0,0 @@
 | 
			
		||||
#jinja2: lstrip_blocks: "True"
 | 
			
		||||
# User and password for protecting /_synapse/metrics URI
 | 
			
		||||
prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }}
 | 
			
		||||
@@ -17,10 +17,17 @@ matrix_prometheus_node_exporter_systemd_required_services_list: ['docker.service
 | 
			
		||||
# List of systemd services that matrix-prometheus.service wants
 | 
			
		||||
matrix_prometheus_node_exporter_systemd_wanted_services_list: []
 | 
			
		||||
 | 
			
		||||
# Controls whether node-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/node-exporter`.
 | 
			
		||||
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 | 
			
		||||
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 | 
			
		||||
matrix_prometheus_node_exporter_metrics_proxying_enabled: false
 | 
			
		||||
 | 
			
		||||
# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
 | 
			
		||||
#
 | 
			
		||||
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
 | 
			
		||||
#
 | 
			
		||||
# You likely don't need to do this. See `matrix_prometheus_node_exporter_metrics_proxying_enabled`.
 | 
			
		||||
#
 | 
			
		||||
# Official recommendations are to run this container with `--net=host`,
 | 
			
		||||
# but we don't do that, since it:
 | 
			
		||||
# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
 | 
			
		||||
 
 | 
			
		||||
@@ -3,3 +3,39 @@
 | 
			
		||||
- set_fact:
 | 
			
		||||
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-node-exporter.service'] }}"
 | 
			
		||||
  when: matrix_prometheus_node_exporter_enabled|bool
 | 
			
		||||
 | 
			
		||||
- block:
 | 
			
		||||
    - name: Fail if matrix-nginx-proxy role already executed
 | 
			
		||||
      fail:
 | 
			
		||||
        msg: >-
 | 
			
		||||
          Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy,
 | 
			
		||||
          but it's pointless since the matrix-nginx-proxy role had already executed.
 | 
			
		||||
          To fix this, please change the order of roles in your playbook,
 | 
			
		||||
          so that the matrix-nginx-proxy role would run after the matrix-prometheus-node-exporter role.
 | 
			
		||||
      when: matrix_nginx_proxy_role_executed|default(False)|bool
 | 
			
		||||
 | 
			
		||||
    - name: Generate node-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_prometheus_node_exporter_nginx_metrics_configuration_block: |
 | 
			
		||||
          location /metrics/node-exporter {
 | 
			
		||||
            {% if matrix_nginx_proxy_enabled|default(False) %}
 | 
			
		||||
              {# Use the embedded DNS resolver in Docker containers to discover the service #}
 | 
			
		||||
              resolver 127.0.0.11 valid=5s;
 | 
			
		||||
              set $backend "matrix-prometheus-node-exporter:9100";
 | 
			
		||||
              proxy_pass http://$backend/metrics;
 | 
			
		||||
            {% else %}
 | 
			
		||||
              {# Generic configuration for use outside of our container setup #}
 | 
			
		||||
              {# This may be implemented in the future. #}
 | 
			
		||||
              return 404 "matrix-nginx-proxy is disabled, so metrics are unavailable";
 | 
			
		||||
            {% endif %}
 | 
			
		||||
          }
 | 
			
		||||
 | 
			
		||||
    - name: Register node-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
 | 
			
		||||
          {{
 | 
			
		||||
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks|default([])
 | 
			
		||||
            +
 | 
			
		||||
            [matrix_prometheus_node_exporter_nginx_metrics_configuration_block]
 | 
			
		||||
          }}
 | 
			
		||||
  when: matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_metrics_proxying_enabled|bool
 | 
			
		||||
 
 | 
			
		||||
@@ -28,11 +28,17 @@ matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres'
 | 
			
		||||
matrix_prometheus_postgres_exporter_database_port: 5432
 | 
			
		||||
matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter'
 | 
			
		||||
 | 
			
		||||
# Controls whether postgres-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/postgres-exporter`.
 | 
			
		||||
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 | 
			
		||||
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 | 
			
		||||
matrix_prometheus_postgres_exporter_metrics_proxying_enabled: false
 | 
			
		||||
 | 
			
		||||
# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9187 in the container).
 | 
			
		||||
#
 | 
			
		||||
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9187"), or empty string to not expose.
 | 
			
		||||
#
 | 
			
		||||
# You likely don't need to do this. See `matrix_prometheus_postgres_exporter_metrics_proxying_enabled`.
 | 
			
		||||
#
 | 
			
		||||
# Official recommendations are to run this container with `--net=host`,
 | 
			
		||||
# but we don't do that, since it:
 | 
			
		||||
# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
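Review bot: The comment above the new `matrix_prometheus_postgres_exporter_metrics_proxying_enabled` default reads "This will only work take effect if ...", which has a leftover word. It should read `# This will only take effect if matrix_nginx_proxy_proxy_matrix_metrics_enabled is true.` so operators are not left guessing which switch actually gates exposure. The same sentence is repeated in the `matrix_synapse_metrics_proxying_enabled` comment in the Synapse defaults hunk further down.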
 | 
			
		||||
 
 | 
			
		||||
@@ -3,3 +3,39 @@
 | 
			
		||||
- set_fact:
 | 
			
		||||
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}"
 | 
			
		||||
  when: matrix_prometheus_postgres_exporter_enabled|bool
 | 
			
		||||
 | 
			
		||||
- block:
 | 
			
		||||
    - name: Fail if matrix-nginx-proxy role already executed
 | 
			
		||||
      fail:
 | 
			
		||||
        msg: >-
 | 
			
		||||
          Trying to append postgres-exporter's reverse-proxying configuration to matrix-nginx-proxy,
 | 
			
		||||
          but it's pointless since the matrix-nginx-proxy role had already executed.
 | 
			
		||||
          To fix this, please change the order of roles in your playbook,
 | 
			
		||||
          so that the matrix-nginx-proxy role would run after the matrix-prometheus-postgres-exporter role.
 | 
			
		||||
      when: matrix_nginx_proxy_role_executed|default(False)|bool
 | 
			
		||||
 | 
			
		||||
    - name: Generate postgres-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block: |
 | 
			
		||||
          location /metrics/postgres-exporter {
 | 
			
		||||
            {% if matrix_nginx_proxy_enabled|default(False) %}
 | 
			
		||||
              {# Use the embedded DNS resolver in Docker containers to discover the service #}
 | 
			
		||||
              resolver 127.0.0.11 valid=5s;
 | 
			
		||||
              set $backend "matrix-prometheus-postgres-exporter:9187";
 | 
			
		||||
              proxy_pass http://$backend/metrics;
 | 
			
		||||
            {% else %}
 | 
			
		||||
              {# Generic configuration for use outside of our container setup #}
 | 
			
		||||
              {# This may be implemented in the future. #}
 | 
			
		||||
              return 404 "matrix-nginx-proxy is disabled, so metrics are unavailable";
 | 
			
		||||
            {% endif %}
 | 
			
		||||
          }
 | 
			
		||||
 | 
			
		||||
    - name: Register postgres-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
 | 
			
		||||
          {{
 | 
			
		||||
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks|default([])
 | 
			
		||||
            +
 | 
			
		||||
            [matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block]
 | 
			
		||||
          }}
 | 
			
		||||
  when: matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_metrics_proxying_enabled|bool
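Review bot: The block-level `when` on the last line of this hunk tests `matrix_prometheus_node_exporter_enabled` and `matrix_prometheus_node_exporter_metrics_proxying_enabled`, which looks copied from the node-exporter role. As written, the `/metrics/postgres-exporter` location is registered according to the node-exporter switches, not the postgres-exporter ones. Leaving `matrix_prometheus_postgres_exporter_metrics_proxying_enabled: false` therefore does not keep database metrics off `matrix.DOMAIN/metrics/postgres-exporter` once node-exporter proxying is on, and enabling the postgres-exporter flag alone exposes nothing. The condition should be `when: matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_metrics_proxying_enabled|bool`.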
 | 
			
		||||
 
 | 
			
		||||
@@ -334,6 +334,14 @@ matrix_url_preview_accept_language: ['en-US', 'en']
 | 
			
		||||
matrix_synapse_metrics_enabled: false
 | 
			
		||||
matrix_synapse_metrics_port: 9100
 | 
			
		||||
 | 
			
		||||
# Controls whether Synapse metrics should be proxied (exposed) on:
 | 
			
		||||
# - `matrix.DOMAIN/metrics/synapse/main-process` for the main process
 | 
			
		||||
# - `matrix.DOMAIN/metrics/synapse/worker/{type}-{id}` for each worker process
 | 
			
		||||
#
 | 
			
		||||
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 | 
			
		||||
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 | 
			
		||||
matrix_synapse_metrics_proxying_enabled: false
 | 
			
		||||
 | 
			
		||||
# Enable the Synapse manhole
 | 
			
		||||
# See https://github.com/matrix-org/synapse/blob/master/docs/manhole.md
 | 
			
		||||
matrix_synapse_manhole_enabled: false
 | 
			
		||||
 
 | 
			
		||||
@@ -25,3 +25,63 @@
 | 
			
		||||
- set_fact:
 | 
			
		||||
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}"
 | 
			
		||||
  when: matrix_s3_media_store_enabled|bool
 | 
			
		||||
 | 
			
		||||
- block:
 | 
			
		||||
    - name: Fail if matrix-nginx-proxy role already executed
 | 
			
		||||
      fail:
 | 
			
		||||
        msg: >-
 | 
			
		||||
          Trying to append Synapse's reverse-proxying configuration to matrix-nginx-proxy,
 | 
			
		||||
          but it's pointless since the matrix-nginx-proxy role had already executed.
 | 
			
		||||
          To fix this, please change the order of roles in your playbook,
 | 
			
		||||
          so that the matrix-nginx-proxy role would run after the matrix-synapse role.
 | 
			
		||||
      when: matrix_nginx_proxy_role_executed|default(False)|bool
 | 
			
		||||
 | 
			
		||||
    - name: Generate synapse metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/main-process)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_synapse_nginx_metrics_configuration_block: |
 | 
			
		||||
          location /metrics/synapse/main-process {
 | 
			
		||||
            {% if matrix_nginx_proxy_enabled|default(False) %}
 | 
			
		||||
              {# Use the embedded DNS resolver in Docker containers to discover the service #}
 | 
			
		||||
              resolver 127.0.0.11 valid=5s;
 | 
			
		||||
              set $backend "matrix-synapse:{{ matrix_synapse_metrics_port }}";
 | 
			
		||||
              proxy_pass http://$backend/_synapse/metrics;
 | 
			
		||||
            {% else %}
 | 
			
		||||
              {# Generic configuration for use outside of our container setup #}
 | 
			
		||||
              proxy_pass http://127.0.0.1:{{ matrix_synapse_metrics_port }}/_synapse/metrics;
 | 
			
		||||
            {% endif %}
 | 
			
		||||
          }
 | 
			
		||||
 | 
			
		||||
    - name: Register synapse metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/main-process)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
 | 
			
		||||
          {{
 | 
			
		||||
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks|default([])
 | 
			
		||||
            +
 | 
			
		||||
            [matrix_synapse_nginx_metrics_configuration_block]
 | 
			
		||||
          }}
 | 
			
		||||
 | 
			
		||||
    - name: Generate synapse worker metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/worker)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_synapse_worker_nginx_metrics_configuration_block: |
 | 
			
		||||
          {% for worker in matrix_synapse_workers_enabled_list %}
 | 
			
		||||
          {% if worker.metrics_port != 0 %}
 | 
			
		||||
          location /metrics/synapse/worker/{{ worker.type }}-{{ worker.instanceId }} {
 | 
			
		||||
            resolver 127.0.0.11 valid=5s;
 | 
			
		||||
            set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}";
 | 
			
		||||
            proxy_pass http://$backend/_synapse/metrics;
 | 
			
		||||
            proxy_set_header Host $host;
 | 
			
		||||
          }
 | 
			
		||||
          {% endif %}
 | 
			
		||||
          {% endfor %}
 | 
			
		||||
      when: matrix_synapse_workers_enabled_list|length > 0
 | 
			
		||||
 | 
			
		||||
    - name: Register synapse worker metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/worker)
 | 
			
		||||
      set_fact:
 | 
			
		||||
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
 | 
			
		||||
          {{
 | 
			
		||||
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks|default([])
 | 
			
		||||
            +
 | 
			
		||||
            [matrix_synapse_worker_nginx_metrics_configuration_block]
 | 
			
		||||
          }}
 | 
			
		||||
      when: matrix_synapse_workers_enabled_list|length > 0
 | 
			
		||||
  when: matrix_synapse_enabled|bool and matrix_synapse_metrics_proxying_enabled|bool
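Review bot: The worker `location` blocks always use the Docker resolver `127.0.0.11` and container hostnames, while the main-process block in this hunk branches on `matrix_nginx_proxy_enabled|default(False)`. If these blocks are consumed by an nginx running outside the container network, the worker backends would presumably fail to resolve. I would wrap the worker location body in the same `{% if %}`/`{% else %}` and give the non-container branch an explicit answer. Whether that answer should be a `return 404`, as the exporter roles do, or a `127.0.0.1` proxy depends on whether worker metrics ports are published on the host, which this hunk does not show. `proxy_set_header Host $host;` is also set only for workers; if it is needed, the main-process block should match.

```yaml
          # … unchanged: {% for worker … %} / {% if worker.metrics_port != 0 %} …
          location /metrics/synapse/worker/{{ worker.type }}-{{ worker.instanceId }} {
            {% if matrix_nginx_proxy_enabled|default(False) %}
              {# Use the embedded DNS resolver in Docker containers to discover the service #}
              resolver 127.0.0.11 valid=5s;
              set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}";
              proxy_pass http://$backend/_synapse/metrics;
              proxy_set_header Host $host;
            {% else %}
              {# Worker containers are not addressable outside of our container setup #}
              return 404 "matrix-nginx-proxy is disabled, so worker metrics are unavailable";
            {% endif %}
          }
          # … unchanged: {% endif %} / {% endfor %} …
```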
 | 
			
		||||
 
 | 
			
		||||
@@ -119,3 +119,12 @@
 | 
			
		||||
    src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2"
 | 
			
		||||
    dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user"
 | 
			
		||||
    mode: 0755
 | 
			
		||||
 | 
			
		||||
- name: Generate sample prometheus.yml for external scraping
 | 
			
		||||
  template:
 | 
			
		||||
    src: "{{ role_path }}/templates/synapse/prometheus/external_prometheus.yml.example.j2"
 | 
			
		||||
    dest: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example"
 | 
			
		||||
    owner: "{{ matrix_user_username }}"
 | 
			
		||||
    group: "{{ matrix_user_groupname }}"
 | 
			
		||||
    mode: 0644
 | 
			
		||||
  when: matrix_synapse_metrics_proxying_enabled|bool
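Review bot: `mode: 0644` on the new template task is an unquoted octal literal. It only yields the intended permissions because the YAML 1.1 loader reads a leading zero as octal, so a later edit that drops the zero would silently produce different permissions. Writing `mode: '0644'` makes the value unambiguous. The preceding task's `mode: 0755` has the same form, but that task begins outside this hunk.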
 | 
			
		||||
 
 | 
			
		||||
@@ -29,3 +29,9 @@
 | 
			
		||||
  docker_image:
 | 
			
		||||
    name: "{{ matrix_synapse_docker_image }}"
 | 
			
		||||
    state: absent
 | 
			
		||||
 | 
			
		||||
- name: Ensure sample prometheus.yml for external scraping is deleted
 | 
			
		||||
  file:
 | 
			
		||||
    path: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example"
 | 
			
		||||
    state: absent
 | 
			
		||||
  when: "not matrix_synapse_metrics_proxying_enabled|bool"
 | 
			
		||||
 
 | 
			
		||||
@@ -11,29 +11,29 @@ rule_files:
 | 
			
		||||
 | 
			
		||||
scrape_configs:
 | 
			
		||||
  - job_name: 'synapse'
 | 
			
		||||
    metrics_path: /_synapse/metrics
 | 
			
		||||
    scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}
 | 
			
		||||
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 | 
			
		||||
    metrics_path: /metrics/synapse/main-process
 | 
			
		||||
    scheme: {{ 'https' if matrix_nginx_proxy_https_enabled|default(true) else 'http' }}
 | 
			
		||||
{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|default(true) %}
 | 
			
		||||
    basic_auth:
 | 
			
		||||
      username: prometheus
 | 
			
		||||
      password_file: /path/to/your/passwordfile.pwd
 | 
			
		||||
{% endif %}
 | 
			
		||||
    static_configs:
 | 
			
		||||
      - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}']
 | 
			
		||||
      - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port|default(443) if matrix_nginx_proxy_https_enabled|default(true) else matrix_nginx_proxy_container_http_host_bind_port|default(80) }}']
 | 
			
		||||
        labels:
 | 
			
		||||
          job: "master"
 | 
			
		||||
          index: "0"
 | 
			
		||||
{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %}
 | 
			
		||||
{% for worker in matrix_synapse_workers_enabled_list %}
 | 
			
		||||
  - job_name: 'synapse-{{ worker.type }}-{{ worker.instanceId }}'
 | 
			
		||||
    metrics_path: /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics
 | 
			
		||||
    scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}
 | 
			
		||||
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 | 
			
		||||
    metrics_path: /metrics/synapse/worker/{{ worker.type }}-{{ worker.instanceId }}
 | 
			
		||||
    scheme: {{ 'https' if matrix_nginx_proxy_https_enabled|default(true) else 'http' }}
 | 
			
		||||
{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|default(true) %}
 | 
			
		||||
    basic_auth:
 | 
			
		||||
      username: prometheus
 | 
			
		||||
      password_file: /path/to/your/passwordfile.pwd
 | 
			
		||||
{% endif %}
 | 
			
		||||
    static_configs:
 | 
			
		||||
      - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}']
 | 
			
		||||
      - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port|default(443) if matrix_nginx_proxy_https_enabled|default(true) else matrix_nginx_proxy_container_http_host_bind_port|default(80) }}']
 | 
			
		||||
        labels:
 | 
			
		||||
          job: "{{ worker.type }}"
 | 
			
		||||
          index: "{{ worker.instanceId }}"
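Review bot: When `matrix_nginx_proxy_https_enabled` evaluates to false, the sample emits `scheme: http` together with the `basic_auth` block. Anyone who copies it as-is then sends the `prometheus` password unencrypted on every scrape. The generated example should say so next to the credentials, for instance with a line above each `basic_auth:` such as `# With scheme "http" these credentials cross the network in cleartext; scrape over https or a private network.` This applies both to the `synapse` job and to the per-worker jobs in the loop.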
 | 
			
		||||