From b032f130b8947882fd2d49be1bd7dba43ef45a27 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Sun, 17 Jan 2021 20:46:06 -0700
Subject: [PATCH] merging some internal changes for awx

---
 ansible/inventories/production/hosts.ini | 3 +-
 ansible/playbooks/role-rocky-monitoring.yml | 32 ++++++++++++++++++--
 ansible/playbooks/vars/ipsilon.yml | 2 +-
 ansible/playbooks/vars/monitoring.yml | 33 +++++++++++++++++++++
 ansible/playbooks/vars/monitoring/README.md | 1 +
 ansible/roles/requirements.yml | 2 ++
 6 files changed, 69 insertions(+), 4 deletions(-)
 create mode 100644 ansible/playbooks/vars/monitoring/README.md

diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini
index d55c4db..44184b8 100644
--- a/ansible/inventories/production/hosts.ini
+++ b/ansible/inventories/production/hosts.ini
@@ -25,8 +25,9 @@ chrony001.rockylinux.org ansiblehost=10.100.3.110
 chrony002.rockylinux.org ansiblehost=10.200.3.111
 git.rockylinux.org ansible_host=10.100.1.113
 
-[ipsilon]
+[idp]
 idp001.rockylinux.org ansible_host=10.100.x.x
+idp002.rockylinux.org ansible_host=10.100.x.x
 
 [chronyservers]
 chrony001.rockylinux.org ansiblehost=10.100.3.110
diff --git a/ansible/playbooks/role-rocky-monitoring.yml b/ansible/playbooks/role-rocky-monitoring.yml
index f351d0b..274d7b1 100644
--- a/ansible/playbooks/role-rocky-monitoring.yml
+++ b/ansible/playbooks/role-rocky-monitoring.yml
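Review bot: The new `idp002.rockylinux.org ansible_host=10.100.x.x` line carries a placeholder address, as does the idp001 entry above it, so any play that targets the renamed `[idp]` group will fail at connection time rather than being skipped. If the real addresses are deliberately kept out of this inventory, a comment on the group such as `# addresses are supplied by the private inventory` would stop the next reader from treating this as a typo. Renaming `[ipsilon]` to `[idp]` also silently empties the target set of any playbook that still says `hosts: ipsilon`, which is worth grepping for before merge. Nearby, the untouched `chrony00x` context lines use `ansiblehost=` without the underscore, which Ansible reads as an ordinary host variable named ansiblehost rather than as the connection address.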
@@ -5,10 +5,25 @@
 # Memory: 2GB
 # Storage: a piece of string
 - name: Install Prometheus
-  hosts: monitoringserver
+  hosts: monitoringservers
   become: true
 
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/monitoring.yml
+    - vars/monitoring/alertmanager.yml
+    - vars/monitoring/grafana.yml
+    - vars/monitoring/prometheus.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
   pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
     - name: Verify if we can run ansible
       assert:
         that:
@@ -21,11 +36,24 @@
       name: python3-policycoreutils.noarch
       state: present
 
-  role:
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
     - role: cloudalchemy.prometheus
+      state: present
     - role: cloudalchemy.alertmanager
+      state: present
+    - role: cloudalchemy.grafana
+      state: present
 
   post_tasks:
+    - name: Open firewalld ports
+      ansible.posix.firewalld:
+        port: "{{ item.port }}"
+        permanent: "{{ item.permanent }}"
+        state: "{{ item.state }}"
+      loop: "{{ monitoring_server_firewall_rules }}"
+
     - name: Touching run file that ansible has ran here
       file:
         path: /var/log/ansible.run
diff --git a/ansible/playbooks/vars/ipsilon.yml b/ansible/playbooks/vars/ipsilon.yml
index 0bc7224..587c4d8 100644
--- a/ansible/playbooks/vars/ipsilon.yml
+++ b/ansible/playbooks/vars/ipsilon.yml
@@ -1,6 +1,6 @@
 ---
 # Vars for ipsilon
-ipsilon_fqdn: idp.rockylinux.org
+ipsilon_fqdn: accounts.rockylinux.org
 
 ipsilon_databases:
   - name: rockyipsilon
diff --git a/ansible/playbooks/vars/monitoring.yml b/ansible/playbooks/vars/monitoring.yml
index 093be95..962ab43 100644
--- a/ansible/playbooks/vars/monitoring.yml
+++ b/ansible/playbooks/vars/monitoring.yml
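Review bot: The new `vars_files` entries `vars/monitoring/alertmanager.yml`, `vars/monitoring/grafana.yml` and `vars/monitoring/prometheus.yml` have no counterpart in this commit — the diffstat creates only `vars/monitoring/README.md` in that directory — so the play aborts at startup with a missing vars file unless those files arrive from somewhere else (the subject line hints at an internal AWX tree). Either commit them, or commit sanitised example copies and have the README state what each file must define; a one-line "Blank for now" leaves the next maintainer guessing. The `stat` of `/etc/no-ansible` registers `no_ansible`, but the `assert` that presumably consumes it has its `that:` list cut off past this hunk, so the check itself cannot be confirmed here. The play definition continues outside the hunk.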
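Review bot: The `ansible.posix.firewalld` task in `post_tasks` sets `permanent` but never `immediate`, and with `permanent: true` the module writes only the permanent configuration, so the ports stay closed in the running firewall until the next reload; add `immediate: true` beside `permanent`, or drive it from the rule list with `immediate: "{{ item.immediate | default(true) }}"`. The `state: present` keys added under each `roles:` entry are not a play-level role option — Ansible passes unrecognised keys on a role entry through as role parameters, so each of these four roles now receives a variable named `state`, which is harmless only until a role happens to use that name; drop them, since install-time `state` belongs in `requirements.yml`. The play's body continues beyond this hunk.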
@@ -1,4 +1,37 @@
 ---
+# monitoring
+
+monitoring_server_firewall_rules:
+  - port: 80/tcp
+    permanent: true
+    state: enabled
+  - port: 443/tcp
+    permanent: true
+    state: enabled
+  - port: 9100/tcp
+    permanent: true
+    state: enabled
+  - port: 3000/tcp
+    permanent: true
+    state: enabled
+  - port: 9090/tcp
+    permanent: true
+    state: enabled
+  - port: 9093/tcp
+    permanent: true
+    state: enabled
+
+monitoring_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+monitoring_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+monitoring_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: grafana
+    key_location: "{{ monitoring_tls_key }}"
+    cert_location: "{{ monitoring_tls_cert }}"
+    postcmd: "/bin/systemctl restart grafana"
+
 # prometheus_targets:
 # node:
 # - targets:
diff --git a/ansible/playbooks/vars/monitoring/README.md b/ansible/playbooks/vars/monitoring/README.md
new file mode 100644
index 0000000..f329cbd
--- /dev/null
+++ b/ansible/playbooks/vars/monitoring/README.md
@@ -0,0 +1 @@
+# Blank for now
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
index 874baab..9471285 100644
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
@@ -5,6 +5,8 @@ roles:
   # monitoring
   - name: cloudalchemy.node-exporter
   - name: cloudalchemy.prometheus
+  - name: cloudalchemy.alertmanager
+  - name: cloudalchemy.grafana
   - name: geerlingguy.gitlab
   - name: geerlingguy.postgresql
   - name: rockylinux.ipagetcert
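Review bot: `monitoring_server_firewall_rules` opens 9090/tcp, 9093/tcp, 9100/tcp and 3000/tcp (the default Prometheus, Alertmanager, node-exporter and Grafana ports) with no `source` or zone restriction, and of the three services only Grafana is given a certificate in this file; Prometheus and Alertmanager do not enable authentication by default, so unless they sit behind the 80/443 front end their query and admin APIs become reachable from anywhere the host is routable. Consider limiting those entries to the scrape/monitoring network (a `rich_rule` with `source`, or a dedicated zone) and keeping only 80/443 open broadly, with a comment on the list recording which entries are intentionally public. A second point: `ipa_getcert_requested_hostnames` sets `owner: grafana` on the key at `monitoring_tls_key` and its `postcmd` restarts only grafana, so if Prometheus or Alertmanager are later pointed at the same `monitoring_tls_cert`/`monitoring_tls_key` they will neither be able to read the key nor be restarted on renewal — a comment such as `# certificate is requested for Grafana only; other services need their own entry` would make that explicit.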
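Review bot: The new `cloudalchemy.alertmanager` and `cloudalchemy.grafana` entries in `requirements.yml` are unpinned, so `ansible-galaxy install` fetches whatever version is current at install time and two AWX runs can end up executing different role code; the existing entries share this, but these two are the ones being added here. Pin them with a `version:` key, e.g. `- name: cloudalchemy.grafana` / `  version: "<pinned tag>"`, and ideally a `src:` pointing at the canonical Git URL so the origin is unambiguous.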