scrape configfile: support custom group ownership

support tor_enableMetricsPort: True without implying the generation of the scrape config file remove default tor_prometheus_scrape_file value do not generate prometheus scrape configs when tor_prometheus_scrape_file is not set remove obsolete task "Ensure tor_prometheus_scrape_file is set when needed" README: improve prometheus related var descriptions
RiccardoMasutti · Jan 28, 2023 · 5043ee2 · 5043ee2
1 parent 2502cfd
commit 5043ee2
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -292,11 +292,15 @@ All variables mentioned here are optional.
     - default: 127.0.0.1
 
 * `tor_prometheus_scrape_file` filepath
-    - this variable must be set if `tor_enableMetricsPort` is True
-    - it defines the absolute filename on the prometheus server (`tor_prometheus_host`) where ansible will create the prometheus scrape configs
-    - the filepath must be host specific, each host has its own scrape config file on the prometheus server
+    - when set it will enable the generation of prometheus [scrape configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) files (one file per tor server)
+      on the prometheus server (defined in `tor_prometheus_host`)
+    - the scrape config files will contain scrape jobs for the tor MetricsPort (behind a reverse proxy for TLS/basic auth) and/or scrape jobs for blackbox exporter (ORPort/DirPort TCP probes)
+    - the filepath must be host specific, each host has its own scrape config file on the prometheus server to support the ansible "--limit" cli option
     - use a hostname variable in the filepath, this is a reasonable example: `/etc/prometheus/config.d/tor_{{ ansible_fqdn }}.yml`
-    - default: ""
+    - merging these scrape configs into your global prometheus.yml is outside the scope of this role (for now)
+    - the generated scrape config files will also contain a few useful labels automatically, see the "Prometheus Labels" section in this README
+    - the file is sensitive (contains scrape credentials) and gets these file permissions: 0640 (owner: root, group: `tor_prometheus_scrape_file_group`, defaults to root)
+    - default: undefined (no file is generated)
 
 * `tor_prom_labels` dictionary
     - arbitrary number of prometheus label value pairs
@@ -306,7 +310,9 @@ All variables mentioned here are optional.
 
 * `tor_gen_blackbox_scrape_config` boolean
     - when set to True we add the necessary prometheus scrape config for blackbox exporter TCP propes in the file defined by `tor_prometheus_scrape_file`
-    - we monitor all relay ORPorts and when set DirPorts on IPv4 and when detected IPv6
+    - if True you also have to set `tor_prometheus_scrape_file` otherwise no scrape config file is generated
+    - we monitor all relay ORPorts and when set DirPorts on IPv4 and IPv6 (if enabled)
+    - this feature is not supported on relays behind NAT
     - default: False
 
 * `tor_blackbox_exporter_host` hostname:port

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -112,9 +112,8 @@ tor_MetricsPort_offset: 33300
 # prometheus (tor MetricsPort) related vars
 # On which host should we generate the prometheus scrape config? (delegate_to)
 tor_prometheus_host: 127.0.0.1
-# file path to the scrape config
-tor_prometheus_scrape_file: ""
 tor_blackbox_exporter_host: localhost:9115
+tor_prometheus_scrape_file_group: root
 tor_gen_blackbox_scrape_config: False
 tor_blackbox_exporter_scheme: http
 tor_blackbox_exporter_password: "{{ lookup('password', '~/.tor/blackbox_exporter_password') }}"

diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -283,15 +283,16 @@
   tags:
    - reconfigure
 
-- name: Generate prometheus scrape configs
+- name: Generate prometheus scrape configs for MetricsPort and/or blackbox exporter
   become: yes
   template:
     src: prometheus-scrape-configs
     dest: "{{ tor_prometheus_scrape_file }}"
     owner: root
+    group: "{{ tor_prometheus_scrape_file_group }}"
     mode: 0640
   delegate_to: "{{ tor_prometheus_host }}"
-  when: tor_enableMetricsPort or tor_gen_blackbox_scrape_config
+  when: (tor_enableMetricsPort or tor_gen_blackbox_scrape_config) and tor_prometheus_scrape_file is defined
   tags:
    - reconfigure
    - promconfig

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -39,15 +39,6 @@
   tags:
     - always
 
-- name: Ensure tor_prometheus_scrape_file is set when needed
-  assert:
-    that:
-      - "tor_prometheus_scrape_file | length > 0"
-    msg: "Please set tor_prometheus_scrape_file, see defaults/main.yml for an example"
-  when: tor_enableMetricsPort or tor_gen_blackbox_scrape_config
-  tags:
-    - always
-
 - name: Ensure preconditions for tor_dedicatedExitIP are met (enough public IP addresses on the system)
   assert:
     that: