Improve node_exporter firewall rules
nikdoof committed Aug 15, 2024
1 parent 1bf9028 commit 7668a05
Showing 2 changed files with 11 additions and 2 deletions.
5 changes: 4 additions & 1 deletion environments/prod/group_vars/all.yaml
Expand Up @@ -34,12 +34,15 @@ ansible_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORyJ0195AyNxsTxQpucXuz1460x/2SphPi8dYxMzoRU Doofnet AWX"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALZxAIQwODgToet5E1ya5x6jsQYdZHhNlWrs8Ed6voO Dimension Github Key"

fail2ban_ignoreip:
admin_ip_src:
- "81.187.48.147"
- "217.169.25.8/29"
- "2001:8b0:bd9::/48"
- "2001:470:1f1d:79c::/64"

fail2ban_ignoreip: "{{ admin_ip_src }}"
node_exporter_source_ips: "{{ admin_ip_src }}"

digitalocean_token: !vault |
$ANSIBLE_VAULT;1.2;AES256;dimension-vault
61623231656637363766373139313264616136663436643032396230323866333835386238366264
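Review bot: The aliases added at `fail2ban_ignoreip: "{{ admin_ip_src }}"` and `node_exporter_source_ips: "{{ admin_ip_src }}"` tie two different trust decisions to one list: every address in `admin_ip_src` is both exempt from fail2ban bans and allowed to reach node_exporter on tcp/9100, so adding a Prometheus scraper host to it later would silently also exempt that host from fail2ban. If the scraper is not an admin host, define `node_exporter_source_ips` as its own list instead of aliasing; otherwise document the coupling above the list, e.g. `# Admin/monitoring sources: exempt from fail2ban AND permitted to scrape node_exporter (tcp/9100) — an entry here grants both`. The bare `81.187.48.147` entry works for both consumers, but writing it as `81.187.48.147/32` would match the form of the other entries and (presumably) the rich rule the previous hard-coded task created, so hosts that already have that rule would not end up with two textually different rules for the same source.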
8 changes: 7 additions & 1 deletion roles/common/tasks/node_exporter.yaml
Expand Up @@ -7,14 +7,20 @@
ansible.builtin.package:
name: golang-github-prometheus-node-exporter
state: installed

- name: Start node_exporter
ansible.builtin.service:
name: node_exporter
state: started
enabled: true

- name: Add firewall rule for node_exporter
ansible.posix.firewalld:
zone: public
rich_rule: rule family="ipv4" source address="81.187.48.147/32" port protocol="tcp" port="9100" accept
rich_rule: rule family="{% if item is ansible.utils.ipv6 %}ipv6{% else %}ipv4{% endif %}" source address="{{ item }}" port protocol="tcp" port="9100" accept
permanent: true
state: enabled
immediate: true
loop: "{{ node_exporter_source_ips }}"
loop_control:
label: "{{ item }}"
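Review bot: The loop over `node_exporter_source_ips` only ever adds rules (`state: enabled`), so an address removed from the list later stays permitted on hosts that already received the rule, and the previously hard-coded `81.187.48.147/32` rule from the removed line will likely survive alongside the new `81.187.48.147` form, since firewalld appears to compare rich rules as strings. Add a one-off clean-up task for the legacy rule (below) and a comment on the loop making the semantics explicit, e.g. `# NOTE: additive only — removing an entry from node_exporter_source_ips does not revoke a rule already applied on a host`. The `item is ansible.utils.ipv6` test needs the ansible.utils collection plus the `netaddr` library on the controller, so both should be pinned in requirements, and `node_exporter_source_ips` should get a role default (empty list) so hosts outside the prod group do not fail on an undefined variable.
```yaml
# … unchanged: Add firewall rule for node_exporter task …

- name: Remove legacy hard-coded node_exporter firewall rule
  ansible.posix.firewalld:
    zone: public
    rich_rule: rule family="ipv4" source address="81.187.48.147/32" port protocol="tcp" port="9100" accept
    permanent: true
    state: disabled
    immediate: true
```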
