unifi: Deploy unifi_exporter

`unifi_exporter` provides Prometheus metrics for UniFi controller.

group_vars/unifi/main.yml

@@ -1 +1,10 @@
 nginx_redirect_http_https: true
+unifi_exporter_site: Pyrocufflink
+unifi_exporter_username: prometheus
+unifi_exporter_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  65626437623130653232373130663834303134343439326166643561663666616134356331666461
+  3430633639346331356562306165333939643030353735640a633636353436376431353939653064
+  64346335623433306663386364353461636663613434363663383564343039653861336162616235
+  3464633736656437360a376666656632326562656233393064326430633936666162303562373461
+  31643637623835323064623932323331386136663732626665666639663136666437

roles/unifi/defaults/main.yml

@@ -1,3 +1,17 @@
 unifi_version: latest
 unifi_container_image: lscr.io/linuxserver/unifi-controller
 unifi_storage_path: /var/lib/unifi
+
+unifi_exporter_container_image: docker.io/jessestuart/unifi_exporter
+unifi_exporter_version: v0.4.0
+unifi_exporter_config:
+  listen:
+    address: :9130
+    metricspath: /metrics
+  unifi:
+    address: https://localhost:8443/
+    insecure: true
+    password: '{{ unifi_exporter_password }}'
+    site: '{{ unifi_exporter_site }}'
+    timeout: 5s
+    username: '{{ unifi_exporter_username }}'

roles/unifi/handlers/main.yml

@@ -6,3 +6,8 @@
   systemd:
     name: unifi
     state: restarted
+
+- name: restart unifi_exporter
+  systemd:
+    name: unifi_exporter
+    state: restarted

roles/unifi/tasks/exporter.yml

@@ -0,0 +1,58 @@
+- name: ensure unifi_exporter is configured
+  copy:
+    dest: /etc/unifi_exporter.yml
+    content: >-
+      {{ unifi_exporter_config | to_nice_yaml(indent=2) }}
+    mode: u=rw,g=r,o=
+    owner: root
+    group: 200
+  notify:
+  - restart unifi_exporter
+  tags:
+  - config
+
+- name: ensure unifi_exporter container is configured
+  template:
+    src: unifi_exporter.container.j2
+    dest: /etc/containers/systemd/unifi_exporter.container
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload systemd
+  - restart unifi_exporter
+  tags:
+  - container
+
+- name: ensure unifi_exporter container image is present
+  podman_image:
+    name: '{{ unifi_exporter_container_image }}:{{ unifi_exporter_version }}'
+    state: present
+  tags:
+  - container
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure unifi_exporter service is enabled
+  systemd:
+    name: unifi_exporter
+    enabled: true
+  tags:
+  - service
+- name: ensure unifi_exporter service is running
+  systemd:
+    name: unifi_exporter
+    state: started
+  tags:
+  - service
+
+- name: ensure firewall is configured for unifi_exporter
+  firewalld:
+    port: 9130/tcp
+    state: enabled
+    permanent: true
+    immediate: true
+  when: host_uses_firewalld|d(true)
+  tags:
+  - firewalld

roles/unifi/tasks/main.yml

@@ -3,5 +3,8 @@
     tags:
     - install
   - import_tasks: deploy.yml
+  - import_tasks: exporter.yml
+    tags:
+    - unifi-exporter
   tags:
   - unifi

roles/unifi/templates/unifi_exporter.container.j2

@@ -0,0 +1,31 @@
+[Unit]
+Description=Prometheus metrics exporter for Unifi Controller
+Wants=unifi.service
+After=unifi.service
+
+[Container]
+Image={{ unifi_exporter_container_image }}:{{ unifi_exporter_version }}
+Volume=/etc/unifi_exporter.yml:/etc/unifi_exporter.yml:ro
+Network=host
+NoNewPrivileges=yes
+Exec=-config.file /etc/unifi_exporter.yml
+User=200
+Group=200
+VolatileTmp=yes
+
+[Service]
+Restart=always
+RestartSec=2
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run
+ReadWritePaths=/var/lib/containers/storage
+RestrictRealtime=yes
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target