From 82e7d01f9f752a163219d43a2cf7e5988f78790b Mon Sep 17 00:00:00 2001 From: Alpha Chen Date: Sat, 8 Apr 2023 13:37:13 -0700 Subject: [PATCH] mu --- lotus-land-story/Rakefile | 25 +++++++---- lotus-land-story/caddy.yml | 1 + lotus-land-story/grafana.yml | 5 ++- lotus-land-story/loki.yml | 2 - lotus-land-story/miniflux.yml | 8 ++-- lotus-land-story/prometheus.yml | 51 +++++++---------------- lotus-land-story/templates/prometheus.yml | 39 +++++++++++++++++ 7 files changed, 79 insertions(+), 52 deletions(-) create mode 100644 lotus-land-story/templates/prometheus.yml diff --git a/lotus-land-story/Rakefile b/lotus-land-story/Rakefile index 27c9d49..1d64b47 100644 --- a/lotus-land-story/Rakefile +++ b/lotus-land-story/Rakefile @@ -28,8 +28,10 @@ task terraform: "terraform.tfvars" do end desc "" -task ansible: "vars.yml" do - sh "ansible-playbook main.yml" +task :ansible, %i[ playbook ] => "vars.yml" do |_, args| + playbook = args.fetch(:playbook, "main") + + sh "ansible-playbook #{playbook}.yml" end task "terraform.tfvars" do |t| @@ -38,14 +40,21 @@ end task "vars.yml" do |t| linode_volume = `terraform output -raw lotus_land_story_volume` - miniflux_db_password = `op read op://Private/Miniflux/db_password`.strip + miniflux_db_password = `op read "op://Private/Miniflux/db password"`.strip miniflux_password = `op read op://Private/Miniflux/password`.strip + prometheus_linode_api_token = `op read "op://Private/lotus-land-story/prometheus/linode api token"`.strip + File.write(t.name, YAML.dump({ - domain: DOMAIN, - linode_volume:, - miniflux_db_password:, - miniflux_password:, - }.transform_keys(&:to_s))) + "domain" => DOMAIN, + "linode_volume" => linode_volume, + "prometheus" => { + "linode_api_token" => prometheus_linode_api_token, + }, + "miniflux" => { + "db_password" => miniflux_db_password, + "password" => miniflux_password, + }, + })) end task default: %i[ terraform ansible ] 
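Review bot: In the `:ansible` task of lotus-land-story/Rakefile, the new `playbook` argument is interpolated into a single command string, so `sh` hands it to the shell and any whitespace or metacharacter in the value is interpreted there. Passing the arguments separately avoids the shell entirely: `sh "ansible-playbook", "#{playbook}.yml"`. The value comes from whoever invokes rake, so the exposure is small, but the list form costs nothing.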
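Review bot: The `vars.yml` task in lotus-land-story/Rakefile now writes three secrets (both Miniflux passwords and the new Linode API token) with `File.write`, which creates the file under the process umask and so usually leaves it world-readable. Creating it with `File.write(t.name, YAML.dump(...), perm: 0o600)` keeps it private to the operator; `perm` only applies when the file is created, so an existing vars.yml needs a `chmod`. The `op read` backticks are also unchecked, so a failed lookup is written out as an empty string; testing `$?.success?` after each call would stop the run instead. Whether vars.yml is excluded from version control is not visible in this diff and is worth confirming.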
diff --git a/lotus-land-story/caddy.yml b/lotus-land-story/caddy.yml index 2445d12..8a322be 100644 --- a/lotus-land-story/caddy.yml +++ b/lotus-land-story/caddy.yml @@ -32,6 +32,7 @@ ports: - "80:80" - "443:443" + - "443:443/udp" - "2019:2019" volumes: - /mnt/lotus-land-story/caddy/Caddyfile:/etc/caddy/Caddyfile diff --git a/lotus-land-story/grafana.yml b/lotus-land-story/grafana.yml index 6fa52ca..5c5ae42 100644 --- a/lotus-land-story/grafana.yml +++ b/lotus-land-story/grafana.yml @@ -21,6 +21,7 @@ disable_total_stats = false [server] domain = grafana.{{ domain }} + http_addr = 0.0.0.0 mode: "0644" - name: Provision Prometheus @@ -52,8 +53,8 @@ # restart: true name: grafana image: grafana/grafana-oss:9.2.15 - ports: - - "3000:3000" + # ports: + # - "3000:3000" volumes: - /mnt/lotus-land-story/grafana/grafana.ini:/etc/grafana/grafana.ini - /mnt/lotus-land-story/grafana/provisioning:/etc/grafana/provisioning diff --git a/lotus-land-story/loki.yml b/lotus-land-story/loki.yml index b382c16..d205bff 100644 --- a/lotus-land-story/loki.yml +++ b/lotus-land-story/loki.yml @@ -100,8 +100,6 @@ # restart: true name: loki image: grafana/loki:2.8.0 - ports: - - "3100:3100" command: -config.file=/mnt/config/loki.yml volumes: - /mnt/lotus-land-story/loki/config:/mnt/config diff --git a/lotus-land-story/miniflux.yml b/lotus-land-story/miniflux.yml index fd10d69..4dd4e70 100644 --- a/lotus-land-story/miniflux.yml +++ b/lotus-land-story/miniflux.yml @@ -17,7 +17,7 @@ community.postgresql.postgresql_user: db: miniflux name: miniflux - password: "{{ miniflux_db_password }}" + password: "{{ miniflux.db_password }}" notify: Restart postgres - name: Grant Miniflux access to the db 
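Review bot: The `ports` list in lotus-land-story/caddy.yml still publishes `2019:2019` on the host, while this commit removes the host port mappings for Grafana, Loki, Miniflux and Prometheus. The Prometheus template scrapes `caddy:2019` by container name, which suggests the port is reachable over the Docker network and the host mapping is not needed for metrics. If 2019 is Caddy's admin endpoint, as the default suggests, publishing it lets anything that can reach the host talk to it. Consider dropping `- "2019:2019"` or binding it to loopback with `- "127.0.0.1:2019:2019"`. The container task continues outside the hunk.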
@@ -52,14 +52,12 @@ # restart: true name: miniflux image: miniflux/miniflux:2.0.43 - ports: - - "8080:8080" env: - DATABASE_URL: postgres://miniflux:{{ miniflux_db_password }}@host.docker.internal/miniflux + DATABASE_URL: postgres://miniflux:{{ miniflux.db_password }}@host.docker.internal/miniflux RUN_MIGRATIONS: "1" CREATE_ADMIN: "1" ADMIN_USERNAME: alpha - ADMIN_PASSWORD: "{{ miniflux_password }}" + ADMIN_PASSWORD: "{{ miniflux.password }}" BASE_URL: https://rss.{{ domain }} restart_policy: unless-stopped networks: diff --git a/lotus-land-story/prometheus.yml b/lotus-land-story/prometheus.yml index 3632f21..285b00f 100644 --- a/lotus-land-story/prometheus.yml +++ b/lotus-land-story/prometheus.yml @@ -1,5 +1,7 @@ - name: Set up Prometheus hosts: lotus-land-story + vars_files: + - vars.yml tasks: - name: Install host exporters 
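Review bot: In the `env` block of lotus-land-story/miniflux.yml, `{{ miniflux.db_password }}` is substituted into `DATABASE_URL` unescaped, so a password containing `@`, `:`, `#` or `?` yields a URL that parses differently from what was intended. Percent-encode it where it is embedded: `DATABASE_URL: postgres://miniflux:{{ miniflux.db_password | urlencode }}@host.docker.internal/miniflux`. Jinja2's `urlencode` leaves `/` as is, so confirm the password generator's alphabet. The container task continues outside the hunk.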
@@ -21,56 +23,35 @@ ansible.builtin.file: path: /mnt/lotus-land-story/prometheus state: directory + owner: prometheus + group: prometheus mode: "0755" - name: Prometheus config - ansible.builtin.copy: + ansible.builtin.template: dest: /mnt/lotus-land-story/prometheus/prometheus.yml - content: | - global: - # Attach these labels to any time series or alerts when communicating with - # external systems (federation, remote storage, Alertmanager). - external_labels: - monitor: 'codelab-monitor' - - scrape_configs: - - job_name: prometheus - static_configs: - - targets: ['localhost:9090'] - - - job_name: node - static_configs: - - targets: ['host.docker.internal:9100'] - - - job_name: docker - static_configs: - - targets: ['host.docker.internal:9323'] - - - job_name: caddy - static_configs: - - targets: ['caddy:2019'] - - - job_name: grafana - static_configs: - - targets: ['grafana:3000'] - - - job_name: postgres - static_configs: - - targets: ['host.docker.internal:9187'] - mode: "0644" + src: templates/prometheus.yml + owner: prometheus + group: prometheus + mode: "0600" - name: Create Prometheus volume community.docker.docker_volume: name: prometheus + - name: Get prometheus user info + ansible.builtin.user: + name: prometheus + register: prometheus_user + - name: Run Prometheus community.docker.docker_container: # recreate: true # restart: true name: prometheus image: prom/prometheus:v2.43.0 - ports: - - "9090:9090" + user: "{{ prometheus_user.uid }}" + groups: "{{ prometheus_user.group }}" volumes: - /mnt/lotus-land-story/prometheus:/etc/prometheus - prometheus:/prometheus diff --git a/lotus-land-story/templates/prometheus.yml b/lotus-land-story/templates/prometheus.yml new file mode 100644 index 0000000..2d61374 --- /dev/null +++ b/lotus-land-story/templates/prometheus.yml 
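Review bot: The `Prometheus config` task in lotus-land-story/prometheus.yml now renders a file containing the Linode API token, and `ansible.builtin.template` prints the rendered content when the playbook runs with `--diff`. Adding `diff: false` (or `no_log: true`) to that task keeps the token out of terminal and CI output. Separately, `Get prometheus user info` uses `ansible.builtin.user`, which would create the account if it were missing; `ansible.builtin.getent` with `database: passwd` is a read-only lookup. The container now runs as that uid, so it is worth verifying that it can still write to the `prometheus:/prometheus` named volume, whose ownership is not visible here.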
@@ -0,0 +1,39 @@ +global: + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'codelab-monitor' + +scrape_configs: + - job_name: prometheus + static_configs: + - targets: ['localhost:9090'] + + - job_name: node + static_configs: + - targets: ['host.docker.internal:9100'] + + - job_name: docker + static_configs: + - targets: ['host.docker.internal:9323'] + + - job_name: caddy + static_configs: + - targets: ['caddy:2019'] + + - job_name: grafana + static_configs: + - targets: ['grafana:3000'] + + - job_name: postgres + static_configs: + - targets: ['host.docker.internal:9187'] + + - job_name: promtail + static_configs: + - targets: ['promtail:9080'] + + - job_name: linode + linode_sd_configs: + - authorization: + credentials: {{ prometheus.linode_api_token }}
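Review bot: On the last line of lotus-land-story/templates/prometheus.yml the token is emitted as a bare YAML scalar, so a value containing characters such as `#` or `: ` would be truncated or mis-parsed; quote it: `credentials: "{{ prometheus.linode_api_token }}"`. The `linode` job also has no `relabel_configs` or port setting, so as written it would presumably scrape every discovered instance on the discovery default port; confirm that is intended. Since the token is used only for service discovery, a read-only token is sufficient; its scope is not visible here.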