From d9c4a2aabd047ef0643968b2632436ad85521aff Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 14 Sep 2023 13:19:33 +0200 Subject: [PATCH] Implement wireguard exporter --- .rubocop.yml | 2 + .rubocop_todo.yml | 12 + REFERENCE.md | 424 ++++++++++++++++++++++++ manifests/wireguard_exporter.pp | 195 +++++++++++ spec/classes/wireguard_exporter_spec.rb | 37 +++ 5 files changed, 670 insertions(+) create mode 100644 .rubocop_todo.yml create mode 100644 manifests/wireguard_exporter.pp create mode 100644 spec/classes/wireguard_exporter_spec.rb diff --git a/.rubocop.yml b/.rubocop.yml index 53ac1898..ea22bff8 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,4 +1,6 @@ --- +inherit_from: .rubocop_todo.yml + # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml new file mode 100644 index 00000000..475827e6 --- /dev/null +++ b/.rubocop_todo.yml @@ -0,0 +1,12 @@ +# This configuration was generated by +# `rubocop --auto-gen-config` +# on 2023-09-15 08:48:43 UTC using RuboCop version 1.50.2. +# The point is for the user to remove these configuration records +# one by one as the offenses are removed from the code base. +# Note that changes in the inspected code, or installation of new +# versions of RuboCop, may require this file to be generated again. + +# Offense count: 6 +RSpec/RepeatedExample: + Exclude: + - 'spec/classes/wireguard_exporter_spec.rb' diff --git a/REFERENCE.md b/REFERENCE.md index b87067ff..a6eaa086 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -58,6 +58,7 @@ The package method needs specific yum or apt repo settings which are not made ye * [`prometheus::statsd_exporter`](#prometheus--statsd_exporter): This module manages prometheus statsd_exporter * [`prometheus::unbound_exporter`](#prometheus--unbound_exporter): This module manages prometheus unbound exporter. The exporter needs to be compiled by hand! (https://github.com/kumina/unbound_exporter/issues/21) * [`prometheus::varnish_exporter`](#prometheus--varnish_exporter): This module manages prometheus varnish_exporter +* [`prometheus::wireguard_exporter`](#prometheus--wireguard_exporter): This module manages prometheus wireguard_exporter #### Private Classes 
@@ -13893,6 +13894,429 @@ Data type: `Optional[Hash]` +Default value: `undef` + +### `prometheus::wireguard_exporter` + +This module manages prometheus wireguard_exporter + +#### Parameters + +The following parameters are available in the `prometheus::wireguard_exporter` class: + +* [`arch`](#-prometheus--wireguard_exporter--arch) +* [`bin_dir`](#-prometheus--wireguard_exporter--bin_dir) +* [`extra_groups`](#-prometheus--wireguard_exporter--extra_groups) +* [`extra_options`](#-prometheus--wireguard_exporter--extra_options) +* [`group`](#-prometheus--wireguard_exporter--group) +* [`init_style`](#-prometheus--wireguard_exporter--init_style) +* [`install_method`](#-prometheus--wireguard_exporter--install_method) +* [`manage_group`](#-prometheus--wireguard_exporter--manage_group) +* [`manage_service`](#-prometheus--wireguard_exporter--manage_service) +* [`manage_user`](#-prometheus--wireguard_exporter--manage_user) +* [`os`](#-prometheus--wireguard_exporter--os) +* [`package_ensure`](#-prometheus--wireguard_exporter--package_ensure) +* [`package_name`](#-prometheus--wireguard_exporter--package_name) +* [`purge_config_dir`](#-prometheus--wireguard_exporter--purge_config_dir) +* [`restart_on_change`](#-prometheus--wireguard_exporter--restart_on_change) +* [`service_enable`](#-prometheus--wireguard_exporter--service_enable) +* [`service_ensure`](#-prometheus--wireguard_exporter--service_ensure) +* [`service_name`](#-prometheus--wireguard_exporter--service_name) +* [`user`](#-prometheus--wireguard_exporter--user) +* [`version`](#-prometheus--wireguard_exporter--version) +* [`env_vars`](#-prometheus--wireguard_exporter--env_vars) +* [`env_file_path`](#-prometheus--wireguard_exporter--env_file_path) +* [`proxy_server`](#-prometheus--wireguard_exporter--proxy_server) +* [`proxy_type`](#-prometheus--wireguard_exporter--proxy_type) +* [`download_url`](#-prometheus--wireguard_exporter--download_url) +* [`scrape_host`](#-prometheus--wireguard_exporter--scrape_host) +* 
[`export_scrape_job`](#-prometheus--wireguard_exporter--export_scrape_job) +* [`scrape_port`](#-prometheus--wireguard_exporter--scrape_port) +* [`scrape_job_name`](#-prometheus--wireguard_exporter--scrape_job_name) +* [`scrape_job_labels`](#-prometheus--wireguard_exporter--scrape_job_labels) +* [`bin_name`](#-prometheus--wireguard_exporter--bin_name) +* [`use_tls_server_config`](#-prometheus--wireguard_exporter--use_tls_server_config) +* [`tls_cert_file`](#-prometheus--wireguard_exporter--tls_cert_file) +* [`tls_key_file`](#-prometheus--wireguard_exporter--tls_key_file) +* [`tls_client_ca_file`](#-prometheus--wireguard_exporter--tls_client_ca_file) +* [`tls_client_auth_type`](#-prometheus--wireguard_exporter--tls_client_auth_type) +* [`web_config_file`](#-prometheus--wireguard_exporter--web_config_file) +* [`tls_min_version`](#-prometheus--wireguard_exporter--tls_min_version) +* [`tls_max_version`](#-prometheus--wireguard_exporter--tls_max_version) +* [`tls_cipher_suites`](#-prometheus--wireguard_exporter--tls_cipher_suites) +* [`tls_curve_preferences`](#-prometheus--wireguard_exporter--tls_curve_preferences) +* [`tls_prefer_server_cipher_suites`](#-prometheus--wireguard_exporter--tls_prefer_server_cipher_suites) +* [`use_http_server_config`](#-prometheus--wireguard_exporter--use_http_server_config) +* [`http2`](#-prometheus--wireguard_exporter--http2) +* [`http2_headers`](#-prometheus--wireguard_exporter--http2_headers) +* [`basic_auth_users`](#-prometheus--wireguard_exporter--basic_auth_users) + +##### `arch` + +Data type: `String[1]` + +Architecture + +Default value: `$prometheus::real_arch` + +##### `bin_dir` + +Data type: `Stdlib::Absolutepath` + +Directory where binaries are located + +Default value: `$prometheus::bin_dir` + +##### `extra_groups` + +Data type: `Array[String]` + +Extra groups to add the binary user to + +Default value: `[]` + +##### `extra_options` + +Data type: `Optional[String[1]]` + +Extra options added to the startup command + +Default 
value: `undef` + +##### `group` + +Data type: `String[1]` + +Group under which the binary is running + +Default value: `'wireguard_exporter'` + +##### `init_style` + +Data type: `Prometheus::Initstyle` + +Service startup scripts style (e.g. rc, upstart or systemd) + +Default value: `'none'` + +##### `install_method` + +Data type: `Prometheus::Install` + +Installation method: url or package (only url is supported currently) + +Default value: `'package'` + +##### `manage_group` + +Data type: `Boolean` + +Whether to create a group for or rely on external code for that + +Default value: `false` + +##### `manage_service` + +Data type: `Boolean` + +Should puppet manage the service? + +Default value: `true` + +##### `manage_user` + +Data type: `Boolean` + +Whether to create user or rely on external code for that + +Default value: `false` + +##### `os` + +Data type: `String[1]` + +Operating system (linux is the only one supported) + +Default value: `downcase($facts['kernel'])` + +##### `package_ensure` + +Data type: `String[1]` + +If package, then use this for package ensure default 'latest' + +Default value: `'installed'` + +##### `package_name` + +Data type: `String[1]` + +The binary package name - not available yet + +Default value: `'prometheus-wireguard-exporter'` + +##### `purge_config_dir` + +Data type: `Boolean` + +Purge config files no longer generated by Puppet + +Default value: `true` + +##### `restart_on_change` + +Data type: `Boolean` + +Should puppet restart the service on configuration change? 
+ +Default value: `true` + +##### `service_enable` + +Data type: `Boolean` + +Whether to enable the service from puppet + +Default value: `true` + +##### `service_ensure` + +Data type: `Stdlib::Ensure::Service` + +State ensured for the service + +Default value: `'running'` + +##### `service_name` + +Data type: `String[1]` + +Name of the wireguard exporter service + +Default value: `'prometheus-wireguard-exporter'` + +##### `user` + +Data type: `String[1]` + +User which runs the service + +Default value: `'wireguard_exporter'` + +##### `version` + +Data type: `String[1]` + +The binary release version + +Default value: `'3.6.6'` + +##### `env_vars` + +Data type: `Hash[String[1], Scalar]` + +hash with custom environment variables thats passed to the exporter via init script / unit file + +Default value: `{}` + +##### `env_file_path` + +Data type: `Stdlib::Absolutepath` + +The path to the file with the environmetn variable that is read from the init script/systemd unit + +Default value: `$prometheus::env_file_path` + +##### `proxy_server` + +Data type: `Optional[String[1]]` + +Optional proxy server, with port number if needed. 
ie: https://example.com:8080 + +Default value: `undef` + +##### `proxy_type` + +Data type: `Optional[Enum['none', 'http', 'https', 'ftp']]` + +Optional proxy server type (none|http|https|ftp) + +Default value: `undef` + +##### `download_url` + +Data type: `Prometheus::Uri` + + + +Default value: `'https://github.com/MindFlavor/prometheus_wireguard_exporter/releases/tag/3.6.6'` + +##### `scrape_host` + +Data type: `Optional[Stdlib::Host]` + + + +Default value: `undef` + +##### `export_scrape_job` + +Data type: `Boolean` + + + +Default value: `false` + +##### `scrape_port` + +Data type: `Stdlib::Port` + + + +Default value: `9586` + +##### `scrape_job_name` + +Data type: `String[1]` + + + +Default value: `'wireguard'` + +##### `scrape_job_labels` + +Data type: `Optional[Hash]` + + + +Default value: `undef` + +##### `bin_name` + +Data type: `Optional[String[1]]` + + + +Default value: `undef` + +##### `use_tls_server_config` + +Data type: `Boolean` + + + +Default value: `false` + +##### `tls_cert_file` + +Data type: `Optional[Stdlib::Absolutepath]` + + + +Default value: `undef` + +##### `tls_key_file` + +Data type: `Optional[Stdlib::Absolutepath]` + + + +Default value: `undef` + +##### `tls_client_ca_file` + +Data type: `Optional[Stdlib::Absolutepath]` + + + +Default value: `undef` + +##### `tls_client_auth_type` + +Data type: `String[1]` + + + +Default value: `'RequireAndVerifyClientCert'` + +##### `web_config_file` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `'/etc/wireguard_exporter_web-config.yml'` + +##### `tls_min_version` + +Data type: `String[1]` + + + +Default value: `'TLS12'` + +##### `tls_max_version` + +Data type: `String[1]` + + + +Default value: `'TLS13'` + +##### `tls_cipher_suites` + +Data type: `Optional[Array[String[1]]]` + + + +Default value: `undef` + +##### `tls_curve_preferences` + +Data type: `Optional[Array[String[1]]]` + + + +Default value: `undef` + +##### `tls_prefer_server_cipher_suites` + +Data type: `Boolean` + + + +Default 
value: `true` + +##### `use_http_server_config` + +Data type: `Boolean` + + + +Default value: `false` + +##### `http2` + +Data type: `Boolean` + + + +Default value: `true` + +##### `http2_headers` + +Data type: `Optional[Hash]` + + + +Default value: `undef` + +##### `basic_auth_users` + +Data type: `Optional[Hash]` + + + Default value: `undef` ## Defined types diff --git a/manifests/wireguard_exporter.pp b/manifests/wireguard_exporter.pp new file mode 100644 index 00000000..efa1c284 --- /dev/null +++ b/manifests/wireguard_exporter.pp 
@@ -0,0 +1,195 @@
+# @summary This module manages prometheus wireguard_exporter
+#
+# @param arch Architecture
+# @param bin_dir Directory where binaries are located
+# @param extra_groups Extra groups to add the binary user to
+# @param extra_options Extra options added to the startup command
+# @param group Group under which the binary is running
+# @param init_style Service startup scripts style (e.g. rc, upstart or systemd)
+# @param install_method Installation method: url or package (only url is supported currently)
+# @param manage_group Whether to create a group for or rely on external code for that
+# @param manage_service Should puppet manage the service?
+# @param manage_user Whether to create user or rely on external code for that
+# @param os Operating system (linux is the only one supported)
+# @param package_ensure If package, then use this for package ensure default 'latest'
+# @param package_name The binary package name - not available yet
+# @param purge_config_dir Purge config files no longer generated by Puppet
+# @param restart_on_change Should puppet restart the service on configuration change?
+# @param service_enable Whether to enable the service from puppet
+# @param service_ensure State ensured for the service
+# @param service_name Name of the wireguard exporter service
+# @param user User which runs the service
+# @param version The binary release version
+# @param env_vars hash with custom environment variables thats passed to the exporter via init script / unit file
+# @param env_file_path The path to the file with the environmetn variable that is read from the init script/systemd unit
+# @param proxy_server Optional proxy server, with port number if needed. ie: https://example.com:8080
+# @param proxy_type Optional proxy server type (none|http|https|ftp)
+#
+# @author Tim Meusel
+#
+class prometheus::wireguard_exporter (
+ Array[String] $extra_groups = [],
+ String[1] $group = 'wireguard_exporter',
+ String[1] $package_ensure = 'installed',
+ String[1] $package_name = 'prometheus-wireguard-exporter',
+ String[1] $user = 'wireguard_exporter',
+ String[1] $version = '3.6.6',
+ Boolean $purge_config_dir = true,
+ Boolean $restart_on_change = true,
+ Boolean $service_enable = true,
+ Stdlib::Ensure::Service $service_ensure = 'running',
+ String[1] $service_name = 'prometheus-wireguard-exporter',
+ Prometheus::Initstyle $init_style = 'none',
+ Prometheus::Install $install_method = 'package',
+ Boolean $manage_group = false,
+ Boolean $manage_service = true,
+ Boolean $manage_user = false,
+ String[1] $os = downcase($facts['kernel']),
+ Optional[String[1]] $extra_options = undef,
+ Prometheus::Uri $download_url = 'https://github.com/MindFlavor/prometheus_wireguard_exporter/releases/tag/3.6.6',
+ String[1] $arch = $prometheus::real_arch,
+ Stdlib::Absolutepath $bin_dir = $prometheus::bin_dir,
+ Optional[Stdlib::Host] $scrape_host = undef,
+ Boolean $export_scrape_job = false,
+ Stdlib::Port $scrape_port = 9586,
+ String[1] $scrape_job_name = 'wireguard',
+ Optional[Hash] $scrape_job_labels = undef,
+ Optional[String[1]] $bin_name = undef,
+ Hash[String[1], Scalar] $env_vars = {},
+ Stdlib::Absolutepath $env_file_path = $prometheus::env_file_path,
+ Optional[String[1]] $proxy_server = undef,
+ Optional[Enum['none', 'http', 'https', 'ftp']] $proxy_type = undef,
+
+ ### TLS
+ Boolean $use_tls_server_config = false,
+ Optional[Stdlib::Absolutepath] $tls_cert_file = undef,
+ Optional[Stdlib::Absolutepath] $tls_key_file = undef,
+ Optional[Stdlib::Absolutepath] $tls_client_ca_file = undef,
+ String[1] $tls_client_auth_type = 'RequireAndVerifyClientCert',
+ Stdlib::Absolutepath $web_config_file = '/etc/wireguard_exporter_web-config.yml',
+ String[1] $tls_min_version = 'TLS12',
+ String[1] $tls_max_version = 'TLS13',
+ Optional[Array[String[1]]] $tls_cipher_suites = undef,
+ Optional[Array[String[1]]] $tls_curve_preferences = undef,
+ Boolean $tls_prefer_server_cipher_suites = true,
+
+ ### HTTP/2
+ Boolean $use_http_server_config = false,
+ Boolean $http2 = true,
+ Optional[Hash] $http2_headers = undef,
+
+ ### Basic Auth
+ Optional[Hash] $basic_auth_users = undef,
+) inherits prometheus {
+ $notify_service = $restart_on_change ? {
+ true => Service[$service_name],
+ default => undef,
+ }
+
+ if $use_tls_server_config {
+ # if tls is enabled, these values have to be set and cannot be undef anymore
+ $valid_tls_cert_file = assert_type(Stdlib::Absolutepath, $tls_cert_file)
+ $valid_tls_key_file = assert_type(Stdlib::Absolutepath, $tls_key_file)
+
+ $tls_server_config = {
+ tls_server_config => {
+ cert_file => $valid_tls_cert_file,
+ key_file => $valid_tls_key_file,
+ client_ca_file => $tls_client_ca_file,
+ client_auth_type => $tls_client_auth_type,
+ min_version => $tls_min_version,
+ max_version => $tls_max_version,
+ cipher_suites => $tls_cipher_suites,
+ prefer_server_cipher_suites => $tls_prefer_server_cipher_suites,
+ curve_preferences => $tls_curve_preferences,
+ },
+ }
+ } else {
+ $tls_server_config = {}
+ }
+
+ if $use_http_server_config {
+ $http_server_config = {
+ http_server_config => {
+ http2 => $http2,
+ headers => $http2_headers,
+ },
+ }
+ } else {
+ $http_server_config = {}
+ }
+
+ if $basic_auth_users =~ Undef {
+ $basic_auth_config = {}
+ } else {
+ $basic_auth_config = {
+ basic_auth_users => $basic_auth_users,
+ }
+ }
+
+ $web_config_content = $tls_server_config + $http_server_config + $basic_auth_config
+
+ if empty($web_config_content) {
+ file { $web_config_file:
+ ensure => absent,
+ }
+
+ $web_config = ''
+ } else {
+ file { $web_config_file:
+ ensure => file,
+ content => $web_config_content.stdlib::to_yaml,
+ }
+
+ if versioncmp($version, '1.5.0') >= 0 {
+ $web_config = "--web.config.file=${$web_config_file}"
+ } else {
+ $web_config = "--web.config=${$web_config_file}"
+ }
+ }
+
+ $options = [
+ $extra_options,
+ $web_config,
+ ].join(' ')
+
+ sudo::conf { $service_name:
+ ensure => 'present',
+ content => "${user} ALL=(root) NOPASSWD: /usr/bin/wg\n",
+ sudo_file_name => $service_name,
+ }
+
+ prometheus::daemon { $service_name:
+ install_method => $install_method,
+ version => $version,
+ download_extension => '',
+ os => $os,
+ arch => $arch,
+ real_download_url => $download_url,
+ bin_dir => $bin_dir,
+ notify_service => $notify_service,
+ package_name => $package_name,
+ package_ensure => $package_ensure,
+ manage_user => $manage_user,
+ user => $user,
+ extra_groups => $extra_groups,
+ group => $group,
+ manage_group => $manage_group,
+ purge => $purge_config_dir,
+ options => $options,
+ init_style => $init_style,
+ service_ensure => $service_ensure,
+ service_enable => $service_enable,
+ manage_service => $manage_service,
+ export_scrape_job => $export_scrape_job,
+ scrape_host => $scrape_host,
+ scrape_port => $scrape_port,
+ scrape_job_name => $scrape_job_name,
+ scrape_job_labels => $scrape_job_labels,
+ bin_name => $bin_name,
+ env_vars => $env_vars,
+ env_file_path => $env_file_path,
+ proxy_server => $proxy_server,
+ proxy_type => $proxy_type,
+ }
+}
diff --git a/spec/classes/wireguard_exporter_spec.rb b/spec/classes/wireguard_exporter_spec.rb
new file mode 100644
index 00000000..a228f630
--- /dev/null
+++ b/spec/classes/wireguard_exporter_spec.rb
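Review bot: In `manifests/wireguard_exporter.pp` the `sudo::conf` resource lets `${user}` run every `/usr/bin/wg` subcommand as root without a password, which is far broader than a metrics exporter needs, since `wg` can also change interface configuration and print private keys. If the exporter only invokes the read-only dump subcommand (confirm against the exporter's source), pin the rule to that exact argument list, e.g. `content => "${user} ALL=(root) NOPASSWD: /usr/bin/wg show all dump\n",`, and put the resource behind a boolean parameter so it is not installed unconditionally. The `file { $web_config_file: ensure => file, ... }` resource sets no `owner`, `group` or `mode` although its content can carry `basic_auth_users`; adding `mode => '0640'` with `group => $group` (assuming the service reads it through its group) keeps it from being world-readable by default. The `versioncmp($version, '1.5.0')` switch and the `--web.config.file` flag look inherited from another exporter, and nothing in the diff shows this exporter accepting that flag, so verify it before users rely on `use_tls_server_config` or `basic_auth_users` for protection.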
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'prometheus::wireguard_exporter' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) do
+ os_facts
+ end
+
+ context 'without parameters' do
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('prometheus') }
+ it { is_expected.to contain_file('/etc/wireguard_exporter_web-config.yml') }
+ it { is_expected.to contain_package('prometheus-wireguard-exporter') }
+ it { is_expected.to contain_prometheus__daemon('prometheus-wireguard-exporter') }
+ it { is_expected.to contain_service('prometheus-wireguard-exporter') }
+ it { is_expected.to contain_sudo__conf('prometheus-wireguard-exporter') }
+
+ if os_facts[:os]['family'] == 'RedHat'
+ it { is_expected.to contain_file('/etc/sysconfig/prometheus-wireguard-exporter') }
+ it { is_expected.not_to contain_file('/etc/default/prometheus-wireguard-exporter') }
+ it { is_expected.not_to contain_file('/etc/conf.d/prometheus-wireguard-exporter') }
+ elsif os_facts[:os]['name'] == 'Archlinux'
+ it { is_expected.to contain_file('/etc/conf.d/prometheus-wireguard-exporter') }
+ it { is_expected.not_to contain_file('/etc/sysconfig/prometheus-wireguard-exporter') }
+ it { is_expected.not_to contain_file('/etc/default/prometheus-wireguard-exporter') }
+ elsif os_facts[:os]['family'] == 'Debian'
+ it { is_expected.to contain_file('/etc/default/prometheus-wireguard-exporter') }
+ it { is_expected.not_to contain_file('/etc/sysconfig/prometheus-wireguard-exporter') }
+ it { is_expected.not_to contain_file('/etc/conf.d/prometheus-wireguard-exporter') }
+ end
+ end
+ end
+ end
+end
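Review bot: The two security-relevant resources are only checked for existence, so a later change that widens the sudoers rule or leaves the web config in place would still pass. Pin both in the 'without parameters' context, e.g. `it { is_expected.to contain_file('/etc/wireguard_exporter_web-config.yml').with_ensure('absent') }` and `it { is_expected.to contain_sudo__conf('prometheus-wireguard-exporter').with_content("wireguard_exporter ALL=(root) NOPASSWD: /usr/bin/wg\n") }`. A second context that sets `use_tls_server_config` with certificate and key paths would cover the `--web.config.file` option and the generated YAML, neither of which any example reaches today.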