r/blackbox-exporter: Deploy blackbox_exporter

The Prometheus *blackbox_exporter* is a tool that can perform arbitrary,
generic ICMP, TCP, or HTTP "probes" against external services.  This is
useful for applications that do not export their own metrics, and for
evaluating the health of protocol-level operations (e.g. TLS
certificate expiration).

The *blackbox-exporter* Ansible role installs and configures the
Blackbox Exporter on the target system.  It fetches the specified binary
release from Github and copies it to the remote machine.  It also
creates a systemd unit and configures the Blackbox exporter's "modules"
from the `blackbox_modules` Ansible variable.

roles/blackbox-exporter/defaults/main.yml

@@ -0,0 +1,3 @@
+blackbox_modules: {}
+blackbox_config:
+  modules: '{{ blackbox_modules }}'

roles/blackbox-exporter/files/blackbox_exporter.service

@@ -0,0 +1,45 @@
+[Unit]
+Description=Blackbox exporter
+Documentation=https://github.com/prometheus/blackbox_exporter/blob/master/README.md
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/local/sbin/blackbox_exporter \
+	--config.file=/etc/prometheus/blackbox.yml \
+	--web.listen-address=[::1]:9115
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+DynamicUser=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target

roles/blackbox-exporter/handlers/main.yml

@@ -0,0 +1,13 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart blackbox_exporter
+  service:
+    name: blackbox_exporter
+    state: restarted
+
+- name: reload blackbox_exporter
+  service:
+    name: blackbox_exporter
+    state: reloaded

roles/blackbox-exporter/tasks/deploy.yml

@@ -0,0 +1,33 @@
+- name: ensure /etc/prometheus directory exists
+  file:
+    path: /etc/prometheus
+    mode: u=rwx,go=rx
+    owner: root
+    group: root
+    state: directory
+
+- name: ensure blackbox_exporter is configured
+  copy:
+    dest: /etc/prometheus/blackbox.yml
+    content: |
+      {{ blackbox_config|to_nice_yaml(indent=2) }}
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload blackbox_exporter
+
+- name: ensure blackbox_exporter starts at boot
+  service:
+    name: blackbox_exporter
+    enabled: true
+  tags:
+  - service
+- name: flush_handlers
+  meta: flush_handlers
+- name: ensure blackbox_exporter is running
+  service:
+    name: blackbox_exporter
+    state: started
+  tags:
+  - service

roles/blackbox-exporter/tasks/install.yml

@@ -0,0 +1,55 @@
+- name: load installation variables
+  include_vars: install.yml
+  tags:
+  - always
+
+- name: load architecture variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_architecture }}.yml'
+  - arch-defaults.yml
+  tags:
+  - always
+
+- name: ensure blackbox_exporter release archive is available
+  delegate_to: localhost
+  become: false
+  get_url:
+    url: '{{ blackbox_xptr_tar_url }}'
+    checksum: 'sha256:{{ blackbox_xptr_cksm_url }}'
+    dest: '{{ playbook_dir }}/tmp/{{ blackbox_xptr_tar_name }}'
+  tags:
+  - download
+
+- name: ensure blackbox_exporter archive is unpacked locally
+  delegate_to: localhost
+  become: false
+  unarchive:
+    src: '{{ playbook_dir }}/tmp/{{ blackbox_xptr_tar_name }}'
+    dest: '{{ playbook_dir }}/tmp/'
+    remote_src: true
+    creates: '{{ blackbox_xptr_extract_dir }}/blackbox_exporter'
+  tags:
+  - unarchive
+
+- name: ensure blackbox_exporter is installed
+  copy:
+    src: '{{ blackbox_xptr_extract_dir }}/blackbox_exporter'
+    dest: /usr/local/sbin/blackbox_exporter
+    mode: u=rwx,go=rx
+  diff: false
+  notify:
+  - restart blackbox_exporter
+
+- name: ensure blackbox_exporter systemd unit is installed
+  file:
+    src: blackbox_exporter.service
+    dest: /etc/systemd/system/blackbox_exporter.services
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart blackbox_exporter
+  tags:
+  - service
+  - systemd
+

roles/blackbox-exporter/tasks/main.yml

@@ -0,0 +1,7 @@
+- block:
+  - import_tasks: install.yml
+    tags:
+    - install
+  - import_tasks: deploy.yml
+  tags:
+  - blackbox-exporter

roles/blackbox-exporter/templates/execstart.conf.j2

@@ -0,0 +1,4 @@
+[Service]
+{% if blackbox_exporter_args|d %}
+ExecStart={{ blackbox_exporter_bin }} {{ blackbox_exporter_args }}
+{% endif %}

roles/blackbox-exporter/vars/aarch64.yml

@@ -0,0 +1,2 @@
+blackbox_xptr_arch: arm64
+

roles/blackbox-exporter/vars/arch-defaults.yml

@@ -0,0 +1 @@
+vm_arch: '{{ ansible_architecture }}'

roles/blackbox-exporter/vars/install.yml

@@ -0,0 +1,14 @@
+blackbox_xptr_version: 0.22.0
+
+blackbox_xptr_base_url:
+  https://github.com/prometheus/blackbox_exporter/releases/download
+blackbox_xptr_archive:
+  blackbox_exporter-{{ blackbox_xptr_version }}.linux-{{ blackbox_xptr_arch }}
+blackbox_xptr_tar_name: >-
+  {{ blackbox_xptr_archive }}.tar.gz
+blackbox_xptr_tar_url: >-
+  {{ blackbox_xptr_base_url }}/v{{ blackbox_xptr_version }}/{{ blackbox_xptr_tar_name }}
+blackbox_xptr_cksm_url: >-
+  {{ blackbox_xptr_base_url }}/v{{ blackbox_xptr_version }}/sha256sums.txt
+blackbox_xptr_extract_dir: >-
+  {{ playbook_dir }}/tmp/{{ blackbox_xptr_archive }}

roles/blackbox-exporter/vars/x86_64.yml

@@ -0,0 +1 @@
+blackbox_xptr_arch: amd64