r/postgres-exporter: Deploy postgres-exporter

The [postgres-exporter][0] exposes PostgreSQL server statistics to
Prometheus.  It connects to a specified PostgreSQL server (in this
case, a server on the local machine via UNIX socket) and collects data
from the `pg_stat_activity`, et al. views.  It needs the `pg_monitor`
role in order to be allowed to read the relevant metrics.

Since we're setting up the exporter to connect via UNIX socket, it needs
a dedicated OS user to match the PostgreSQL user in order to
authenticate via the _peer_ method.

[0]: https://github.com/prometheus-community/postgres_exporter/

group_vars/postgresql.yml

@@ -23,6 +23,11 @@ postgresql_config:
   hot_standby: 'on'
 
 pg_hba_extra:
+- type: local
+  database: all
+  user: postgres-exporter
+  address: ''
+  method: peer
 - type: hostssl
   database: sameuser
   user: all

postgresql.yml

@@ -9,3 +9,5 @@
     tags:
     - wal-g
   - postgresql-server
+  - role: postgres-exporter
+    tags: postgres-exporter

roles/postgres-exporter/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart postgres exporter
+  service:
+    name: postgres-exporter
+    state: restarted

roles/postgres-exporter/tasks/main.yml

@@ -0,0 +1,85 @@
+- name: ensure required packages are installed
+  package:
+    name:
+    - acl
+    - podman
+    - python3-psycopg2
+    state: present
+  tags:
+  - install
+
+- name: ensure postgres-exporter os group exists
+  group:
+    name: postgres-exporter
+    gid: 221
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure postgres-exporter os user exists
+  user:
+    name: postgres-exporter
+    uid: 221
+    system: true
+    state: present
+  tags:
+  - user
+
+- name: ensure postgres-exporter postgresql role exists
+  become_user: postgres
+  postgresql_user:
+    name: postgres-exporter
+    state: present
+  tags:
+  - pguser
+- name: ensure postgres-exporter postgresql is in pg_monitor group
+  become_user: postgres
+  postgresql_membership:
+    groups:
+    - pg_monitor
+    target_roles:
+    - postgres-exporter
+  tags:
+  - pguser
+
+- name: ensure postgres-exporter container is defined
+  template:
+    src: postgres-exporter.container.j2
+    dest: /etc/containers/systemd/postgres-exporter.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart postgres exporter
+  tags:
+  - systemd
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure postgres exporter starts at boot
+  service:
+    name: postgres-exporter
+    enabled: true
+  tags:
+  - service
+
+- name: ensure postgres exporter is running
+  service:
+    name: postgres-exporter
+    state: started
+  tags:
+  - service
+
+- name: ensure firewall is configured for postgres exporter
+  firewalld:
+    port: 9187/tcp
+    immediate: true
+    permanent: true
+    state: enabled
+  when: host_uses_firewalld|d(true)
+  tags:
+  - firewalld

roles/postgres-exporter/templates/postgres-exporter.container.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=PostgreSQL Exporter for Prometheus
+Wants=network-online.target
+After=network-online.target
+After=postgresql.service
+
+[Container]
+Image=quay.io/prometheuscommunity/postgres-exporter:v0.15.0
+Environment=DATA_SOURCE_URI='postgres-exporter@:5432/template1?host=/run/postgresql'
+Mount=type=bind,source=/run/postgresql,target=/run/postgresql
+# container_t cannot access the PostgreSQL socket postgresql_var_run_t
+SecurityLabelDisable=true
+User=221
+Group=221
+DropCapability=all
+PublishPort=9187:9187
+
+[Install]
+WantedBy=multi-user.target