(BC Break) Redo how metrics are exposed to external Prometheus servers

roles/matrix-nginx-proxy/defaults/main.yml

@@ -192,6 +192,58 @@ matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
 matrix_nginx_proxy_proxy_sygnal_enabled: false
 matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
 
+# Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain)
+# If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly.
+# This is only useful when an external Prometheus will be collecting metrics.
+#
+# To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.),
+# use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role.
+# Roles inject themselves into the matrix-nginx-proxy configuration.
+#
+# To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`
+matrix_nginx_proxy_proxy_matrix_metrics_enabled: false
+
+# Controls whether Basic Auth is enabled for all `/metrics/*` endpoints.
+#
+# You can provide the Basic Auth credentials in 2 ways:
+# 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`
+# 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false
+
+# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify
+# the Basic Auth username/password for protecting `/metrics/*` endpoints.
+# Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`.
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: ""
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: ""
+
+# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints.
+# Use this when a single username/password is not enough and you'd like to get more control over credentials.
+#
+# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
+# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
+# The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: ""
+
+# Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints
+# This is not meant to be modified.
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
+
+# Specifies the Apache container image to use
+# when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided.
+# This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`.
+# To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password.
+# Learn more in: `roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`.
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}"
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16"
+matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}"
+
+# A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf).
+# Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`.
+# If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`.
+matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}"
+matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: []
+matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: []
+
 # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@@ -216,18 +268,6 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
 
-# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
-matrix_nginx_proxy_proxy_synapse_metrics: false
-matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
-# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
-# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
-# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
-# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
-matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
-matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
-matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:9100"
-matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:9100"
-
 # The addresses where the Matrix Client API is.
 # Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
@@ -260,8 +300,6 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
     (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
     +
     (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
-    +
-    (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
   }}
 
 # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.

roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml

@@ -0,0 +1,53 @@
+# When we're dealing with raw htpasswd content, we just store it in the file directly.
+- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
+  copy:
+    content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
+    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0600
+  when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username
+
+# Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
+# There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
+# See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
+# We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
+# As a workaround, we run `htpasswd` from an Apache container image.
+- block:
+  - name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
+    docker_image:
+      name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
+      source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+      force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+      force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
+
+  # We store the password in a file and make the `htpasswd` tool read it from there,
+  # as opposed to passing it directly on stdin (which will expose it to other processes on the server).
+  - name: Store metrics password in a temporary file
+    copy:
+      content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
+      dest: "/tmp/matrix-nginx-proxy-metrics-password"
+      mode: 0400
+      owner: "{{ matrix_user_uid }}"
+      group: "{{ matrix_user_gid }}"
+
+  - name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
+    command:
+      cmd: >-
+        {{ matrix_host_command_docker }} run
+        --rm
+        --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+        --cap-drop=ALL
+        --network=none
+        --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
+        --mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
+        --entrypoint=/bin/sh
+        {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
+        -c
+        'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
+
+  - name: Delete temporary metrics password file
+    file:
+      path: /tmp/matrix-nginx-proxy-metrics-password
+      state: absent
+  when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -31,23 +31,9 @@
     mode: 0644
   when: matrix_nginx_proxy_enabled|bool
 
-- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI)
-  template:
-    src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
-    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0400
-  when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"
-
-- name: Generate sample prometheus.yml for external scraping
-  template:
-    src: "{{ role_path }}/templates/prometheus/external_prometheus.yml.example.j2"
-    dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0644
-  when: matrix_nginx_proxy_proxy_synapse_metrics|bool
+- name: Setup metrics
+  include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml"
+  when: matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool
 
 - name: Ensure Matrix nginx-proxy configured (generic)
   template:
@@ -324,10 +310,15 @@
   file:
     path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
     state: absent
-  when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool"
 
-- name: Ensure sample prometheus.yml for external scraping is deleted
+# This file is now generated by the matrix-synapse role and saved in the Synapse directory
+- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
   file:
     path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
     state: absent
-  when: "not matrix_nginx_proxy_proxy_synapse_metrics|bool"
+
+- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
+  file:
+    path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool"

roles/matrix-nginx-proxy/tasks/validate_config.yml

@@ -27,6 +27,14 @@
       `matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
   when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
 
+- name: Fail if Basic Auth enabled for metrics, but no credentials supplied
+  fail:
+    msg: |
+      Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
+      - either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
+      - or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`)
+  when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))"
+
 - block:
     - name: (Deprecation) Catch and report renamed settings
       fail:
@@ -36,6 +44,7 @@
       with_items:
         - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
         - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+        - {'old': 'matrix_nginx_proxy_proxy_synapse_workers_enabled_list', 'new': '<no longer used>'}
       when: "item.old in vars"
 
     - name: Fail if required variables are undefined
@@ -49,3 +58,17 @@
         - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container"
       when: "vars[item] == '' or vars[item] is none"
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: (Deprecation) Catch and report old metrics usage
+  fail:
+    msg: >-
+      Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Synapse,
+      which exposed metrics on `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`.
+
+      We now recommend exposing Synapse metrics in another way, from another URL.
+      Refer to the changelog for more details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-06-22
+  with_items:
+    - matrix_nginx_proxy_proxy_synapse_metrics
+    - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled
+    - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
+  when: "item in vars"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -45,6 +45,19 @@
 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
 	{% endif %}
 
+	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}
+	location /metrics {
+		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}
+			auth_basic "protected";
+			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};
+		{% endif %}
+
+		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}
+			{{- configuration_block }}
+		{% endfor %}
+	}
+	{% endif %}
+
 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
 	location ^~ /_matrix/corporal {
 		{% if matrix_nginx_proxy_enabled %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -145,45 +145,6 @@ server {
 		{{- configuration_block }}
 	{% endfor %}
 
-	{% if matrix_nginx_proxy_proxy_synapse_metrics %}
-	location /_synapse/metrics {
-		{% if matrix_nginx_proxy_enabled %}
-			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
-			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
-			proxy_pass http://$backend;
-		{% else %}
-			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};
-		{% endif %}
-
-		proxy_set_header Host $host;
-
-		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
-			auth_basic "protected";
-			auth_basic_user_file {{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path }};
-		{% endif %}
-	}
-	{% endif %}
-
-	{% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %}
-		{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %}
-			{% if worker.metrics_port != 0 %}
-				location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics {
-					resolver 127.0.0.11 valid=5s;
-					set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}";
-					proxy_pass http://$backend/_synapse/metrics;
-					proxy_set_header Host $host;
-
-					{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
-						auth_basic "protected";
-						auth_basic_user_file {{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path }};
-					{% endif %}
-				}
-			{% endif %}
-		{% endfor %}
-	{% endif %}
-
 	{# Everything else just goes to the API server ##}
 	location / {
 		{% if matrix_nginx_proxy_enabled %}

roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2

@@ -1,3 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-# User and password for protecting /_synapse/metrics URI
-prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }}

roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2

@@ -1,40 +0,0 @@
-global:
-  scrape_interval: 5s
-
-  # Attach these labels to any time series or alerts when communicating with
-  # external systems (federation, remote storage, Alertmanager).
-  external_labels:
-    monitor: 'synapse-{{ matrix_domain }}'
-
-rule_files:
-  - /etc/prometheus/synapse-v2.rules
-
-scrape_configs:
-  - job_name: 'synapse'
-    metrics_path: /_synapse/metrics
-    scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}
-{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
-    basic_auth:
-      username: prometheus
-      password_file: /path/to/your/passwordfile.pwd
-{% endif %}
-    static_configs:
-      - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}']
-        labels:
-          job: "master"
-          index: "0"
-{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %}
-  - job_name: 'synapse-{{ worker.type }}-{{ worker.instanceId }}'
-    metrics_path: /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics
-    scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}
-{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
-    basic_auth:
-      username: prometheus
-      password_file: /path/to/your/passwordfile.pwd
-{% endif %}
-    static_configs:
-      - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}']
-        labels:
-          job: "{{ worker.type }}"
-          index: "{{ worker.instanceId }}"
-{% endfor %}