From db6864e15a113ec38dd2946161013814c9dfb668 Mon Sep 17 00:00:00 2001
From: Andrew Howden <hello@andrewhowden.com>
Date: Mon, 19 Feb 2018 15:57:10 +0100
Subject: [PATCH] AD-HOC refactor (*): Add support for apache

Recently, Sitewards expanded the server management tooling to include
apache/mod_php. This is fine, however it's not reasonable to run an
extra webserver on the machine simply because it's easier to reverse
proxy content to metrics.

This commit adds support for the apache webserver. Necessarily, this
means refactoring the role to be much more independent.

Note: A design flaw of this work is that apache does not have TLS
support. This is because the author currently has no mechanism to test
this.

== Design Notes ==

=== Lint Configuration ===

This commit also includes validation tooling for the authors lint setup.
This is described at the following URL:

  https://medium.com/@andrewhowdencom/i-successfully-fake-being-a-tidy-
    developer-with-this-one-weird-trick-okay-git-hooks-733573b1c679
---
 .arclint                                      | 10 ++++++
 .yamllint                                     | 12 +++++++
 README.md                                     | 31 ++++++++++++++-----
 defaults/main.yml                             | 24 +++++++++-----
 meta/main.yml                                 |  4 +--
 tasks/exposition.yml                          | 27 ++++++++--------
 tasks/proxies/apache.yml                      |  9 ++++++
 tasks/proxies/nginx.yml                       |  9 ++++++
 .../etc/apache2/sites-enabled/template.conf   | 19 ++++++++++++
 .../etc/nginx/sites-enabled/template.conf     | 12 ++++---
 10 files changed, 122 insertions(+), 35 deletions(-)
 create mode 100644 .arclint
 create mode 100644 .yamllint
 create mode 100644 tasks/proxies/apache.yml
 create mode 100644 tasks/proxies/nginx.yml
 create mode 100644 templates/etc/apache2/sites-enabled/template.conf

diff --git a/.arclint b/.arclint
new file mode 100644
index 0000000..747c4bb
--- /dev/null
+++ b/.arclint
@@ -0,0 +1,10 @@
+{
+  "linters": {
+    "yamllint": {
+      "type": "script-and-regex",
+      "include": "(\\.(yaml|yml)$)",
+      "script-and-regex.script": "sh -c '/usr/bin/yamllint -f parsable \"$0\" || true'",
+      "script-and-regex.regex": "/^(?P<file>[A-z0-9-_\\.\\/]+):(?P<line>[0-9]+):(?P<char>[0-9]+):\\s\\[(?P<severity>[a-z]+)\\]\\s(?P<message>.*)$/m"
+    }
+  }
+}
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..86c057b
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,12 @@
+---
+
+extends: default
+
+rules:
+  line-length:
+    max: 120
+  comments-indentation: disable
+  braces:
+    max-spaces-inside: 1
+
+
diff --git a/README.md b/README.md
index 34ee814..d446c5f 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # Ansible Prometheus exposition role
 
-This is the Ansible Prometheus NGINX exposition role. It's designed for consumption by playbooks, not for consumption by
-itself. It adds additional configuration that allows the exporters to be exposed on a public interface with the NGINX
-webserver
+This is the Ansible Prometheus reverse proxy exposition role. It's designed for consumption by playbooks, not for
+consumption by itself. It adds additional configuration that allows the exporters to be exposed on a public interface
+with the nginx or apache webservers
 
 ## Justification
 
@@ -18,6 +18,23 @@ data prevents unauthorized access.
 
 - Internet Access
 
+### Integrations
+
+This has been tested with the following additional roles:
+
+- geerlingguy.nginx
+- geerlingguy.apache
+
+It is not guaranteed to work with anything else.
+
+### Apache
+
+The module requires the following extensions to be enabled:
+
+- proxy
+- proxy_http
+- proxy_http2
+
 ## Warnings
 
 The way this works is to bind to a public interface, on the same port that the node exporter is listening to on the
@@ -34,9 +51,9 @@ There are two ways to install this role:
 ```bash
 $ cd path/to/playbook/root
 $ cat >> requirements.yaml <<EOF
-- src: "https://github.com/sitewards/ansible-role-nginx-prometheus-proxy"
+- src: "https://github.com/sitewards/ansible-role-prometheus-proxy"
   version: "master" # <----- Update this to a stable version
-  name: "sitewards.nginx-prometheus-proxy"
+  name: "sitewards.prometheus-proxy"
 EOF
 $ ansible-galaxy install -r requirements.yaml
 ```
@@ -46,7 +63,7 @@ $ ansible-galaxy install -r requirements.yaml
 ```
 $ cd path/to/playbook/root
 $ mkdir roles/
-$ git submodule add https://github.com/sitewards/ansible-role-nginx-prometheus-proxy.git  roles/sitewards.nginx-prometheus-proxy
+$ git submodule add https://github.com/sitewards/ansible-role-prometheus-proxy.git  roles/sitewards.prometheus-proxy
 ```
 
 ## Usage
@@ -69,7 +86,7 @@ Add the reference for the role:
 # ...
 become_user: "root"
 roles
-  - "sitewards.nginx-prometheus-proxy"
+  - "sitewards.prometheus-proxy"
 ```
 
 This should work!
diff --git a/defaults/main.yml b/defaults/main.yml
index 4ede99b..2d58e7e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,24 +1,34 @@
 ---
+## The webserver that will expose the metrics. Currently supported:
+##  - NGINX
+##  - Apache
+## (Required)
+# prometheus_proxy_webserver:
+
 ## The addresses of the exporters, such that they can be reversed proxied by the webserver
-nginx_prometheus_proxy_exporters: []
+prometheus_proxy_exporters: []
 ## The name of the exporter.
 # - name: "node-exporter"
 ## The port the exporter operators on
 #   port: 9100
 
 ## A series of usernames and passwords that will be used by the webserver as basic auth
-nginx_prometheus_proxy_users: []
+prometheus_proxy_users: []
 # - user: "monitoring"
 #   password: "testpassword"
 
-nginx_prometheus_proxy_htaccess_path: "/etc/nginx/nginx_prometheus_proxy.htaccess"
+## The path to the password file for the proxy
+prometheus_proxy_htaccess_path: "/etc/prometheus_proxy/prometheus-proxy.htaccess"
 
-## A server name which will be used in the nginx configuration,
-## please be advised that by default we use "_" and that is a dirty trick to achieve catch-all behavior,
-## see http://nginx.org/en/docs/http/server_names.html 
-nginx_prometheus_proxy_server_name: "_"
+## The user/group that should own the file
+prometheus_proxy_htaccess_owner: "www-data"
+prometheus_proxy_htaccess_group: "www-data"
 
 ## If TLS should be enabled for the connection, enable it by supplying an appropriate TLS certificate and key
 ## (Optional)
 # nginx_prometheus_tls_certificate_path: ""
 # nginx_prometheus_tls_certificate_key_path: ""
+
+## The prompt that basic authentication will supply
+## (Required)
+prometheus_proxy_authentication_prompt: "Please supply a valid username / password"
diff --git a/meta/main.yml b/meta/main.yml
index 699a9ee..04aeb13 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -3,11 +3,11 @@ dependencies: []
 
 galaxy_info:
   author: "sitewards"
-  description: "Exposes difened ports to prometheus data collector through nginx proxy"
+  description: "Exposes difened ports to prometheus data collector through reverse proxy"
   company: "Sitewards GmbH"
   license: "proprietary"
   min_ansible_version: 2.3
   platforms:
     - name: Ubuntu
       versions:
-      - 16.04
+        - 16.04
diff --git a/tasks/exposition.yml b/tasks/exposition.yml
index e3d7641..962e70a 100644
--- a/tasks/exposition.yml
+++ b/tasks/exposition.yml
@@ -1,21 +1,20 @@
 ---
-## Debguging
-- name: "Show me teh ip addresses"
-  debug:
-    var: ansible_all_ipv4_addresses
+- name: "Create the dir for htaccess"
+  file:
+    path: "{{ prometheus_proxy_htaccess_path | dirname }}"
+    state: "directory"
+    mode: "u=rx,g=rx,o="
+    owner: "{{ prometheus_proxy_htaccess_owner }}"
+    group: "{{ prometheus_proxy_htaccess_owner }}"
 
 - name: "Create the .htaccess file"
   htpasswd:
-    path: "{{ nginx_prometheus_proxy_htaccess_path }}"
+    path: "{{ prometheus_proxy_htaccess_path }}"
     name: "{{ item.user }}"
     password: "{{ item.password }}"
-  with_items: "{{ nginx_prometheus_proxy_users }}"
+    mode: "u=r,g=r,o="
+    owner: "{{ prometheus_proxy_htaccess_owner }}"
+    group: "{{ prometheus_proxy_htaccess_owner }}"
+  with_items: "{{ prometheus_proxy_users }}"
 
-# Exposes the exporters via the webserver, in a password protected way.
-- name: "Create the vhosts"
-  template:
-    src: "etc/nginx/sites-enabled/template.conf"
-    dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
-  with_items: "{{ nginx_prometheus_proxy_exporters }}"
-  ## This comes from the upstream geerlingguy.nginx task
-  notify: "reload nginx"
+- include: "proxies/{{ prometheus_proxy_webserver|lower }}.yml"
diff --git a/tasks/proxies/apache.yml b/tasks/proxies/apache.yml
new file mode 100644
index 0000000..ee100e9
--- /dev/null
+++ b/tasks/proxies/apache.yml
@@ -0,0 +1,9 @@
+---
+# Exposes the exporters via the webserver, in a password protected way.
+- name: "Create the vhosts"
+  template:
+    src: "etc/apache2/sites-enabled/template.conf"
+    dest: "/etc/apache2/sites-enabled/{{ item.name }}.conf"
+  with_items: "{{ prometheus_proxy_exporters }}"
+  ## This comes from the upstream geerlingguy.apache task
+  notify: "restart apache"
diff --git a/tasks/proxies/nginx.yml b/tasks/proxies/nginx.yml
new file mode 100644
index 0000000..cb378d1
--- /dev/null
+++ b/tasks/proxies/nginx.yml
@@ -0,0 +1,9 @@
+---
+# Exposes the exporters via the webserver, in a password protected way.
+- name: "Create the vhosts"
+  template:
+    src: "etc/nginx/sites-enabled/template.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
+  with_items: "{{ prometheus_proxy_exporters }}"
+  ## This comes from the upstream geerlingguy.nginx task
+  notify: "reload nginx"
diff --git a/templates/etc/apache2/sites-enabled/template.conf b/templates/etc/apache2/sites-enabled/template.conf
new file mode 100644
index 0000000..8652b41
--- /dev/null
+++ b/templates/etc/apache2/sites-enabled/template.conf
@@ -0,0 +1,19 @@
+{{ ansible_managed | comment }}
+
+{% for ip in ansible_all_ipv4_addresses %}
+Listen {{ ip }}:{{ item.port }}
+
+<VirtualHost {{ ip }}:{{ item.port }}>
+    ProxyPreserveHost On
+
+    <Location "/">
+        AuthType Basic
+        AuthName "{{ prometheus_proxy_authentication_prompt }}"
+        AuthUserFile {{ prometheus_proxy_htaccess_path }}
+        Require valid-user
+
+        ProxyPass http://localhost:{{ item.port }}/
+    </Location>
+
+</VirtualHost>
+{% endfor %}
\ No newline at end of file
diff --git a/templates/etc/nginx/sites-enabled/template.conf b/templates/etc/nginx/sites-enabled/template.conf
index 0b25a7c..088b791 100644
--- a/templates/etc/nginx/sites-enabled/template.conf
+++ b/templates/etc/nginx/sites-enabled/template.conf
@@ -1,10 +1,12 @@
+{{ ansible_managed | comment }}
+
 server {
-    # This isn't going to work as it's going to bind to localhosts
     {% for ip in ansible_all_ipv4_addresses %}
-    listen {{ ip }}:{{ item.port }}{% if nginx_prometheus_tls_certificate_path is defined %}    ssl http2{% endif %};
+    listen {{ ip }}:{{ item.port }}{% if nginx_prometheus_tls_certificate_path is defined %} ssl http2{% endif %};
     {% endfor %}
 
-    server_name {{ nginx_prometheus_proxy_server_name }};
+    ## We use "_" as a dirty trick to achieve catch-all behavior. See http://nginx.org/en/docs/http/server_names.html
+    server_name _;
 
     {% if nginx_prometheus_tls_certificate_path is defined %}
     ssl_certificate {{ nginx_prometheus_tls_certificate_path }};
@@ -16,8 +18,8 @@ server {
 
     location / {
         # Prevent unathorized access to this site
-        auth_basic           "Please supply a valid username / password";
-        auth_basic_user_file {{ nginx_prometheus_proxy_htaccess_path }};
+        auth_basic           "{{ prometheus_proxy_authentication_prompt }}";
+        auth_basic_user_file {{ prometheus_proxy_htaccess_path }};
 
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;