r/blackbox-exporter: Deploy blackbox_exporter

The Prometheus *blackbox_exporter* is a tool that can perform arbitrary, generic ICMP, TCP, or HTTP "probes" against external services. This is useful for applications that do not export their own metrics, and for evaluating the health of protocol-level operations (e.g. TLS certificate expiration). The *blackbox-exporter* Ansible role installs and configures the Blackbox Exporter on the target system. It fetches the specified binary release from Github and copies it to the remote machine. It also creates a systemd unit and configures the Blackbox exporter's "modules" from the `blackbox_modules` Ansible variable.
2022-08-08 21:51:51 -05:00
parent 60505657f3
commit 1e14dd7905
13 changed files with 182 additions and 0 deletions
--- a/roles/blackbox-exporter/files/blackbox_exporter.service
+++ b/roles/blackbox-exporter/files/blackbox_exporter.service
@@ -0,0 +1,45 @@
+[Unit]
+Description=Blackbox exporter
+Documentation=https://github.com/prometheus/blackbox_exporter/blob/master/README.md
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/local/sbin/blackbox_exporter \
+	--config.file=/etc/prometheus/blackbox.yml \
+	--web.listen-address=[::1]:9115
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+DynamicUser=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target