From b295078acccca2ba4f11ee52563f2b32feefa346 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Tue, 23 Nov 2021 09:15:31 +0000
Subject: [PATCH] Add asset tracking service

---
 playbooks/all.yml | 3 +++
 plugins/inventory/float.py | 3 +++
 roles/float-base-docker/tasks/main.yml | 5 ++++
 .../templates/assetmon.default.j2 | 1 +
 roles/float-base/tasks/apt.yml | 1 +
 roles/float-infra-assetmon/handlers/main.yml | 6 +++++
 roles/float-infra-assetmon/tasks/main.yml | 18 +++++++++++++
 .../templates/server.yml.j2 | 13 ++++++++++
 services.yml.default | 25 +++++++++++++++++++
 services.yml.no-elasticsearch | 25 +++++++++++++++++++
 10 files changed, 100 insertions(+)
 create mode 100644 roles/float-base-docker/templates/assetmon.default.j2
 create mode 100644 roles/float-infra-assetmon/handlers/main.yml
 create mode 100644 roles/float-infra-assetmon/tasks/main.yml
 create mode 100644 roles/float-infra-assetmon/templates/server.yml.j2

diff --git a/playbooks/all.yml b/playbooks/all.yml
index 27bc4c56..ce743592 100644
--- a/playbooks/all.yml
+++ b/playbooks/all.yml
@@ -43,3 +43,6 @@
 roles:
 - float-infra-sso-server
+- hosts: assets
+ roles:
+ - float-infra-assetmon
diff --git a/plugins/inventory/float.py b/plugins/inventory/float.py
index 1e29228a..4acc3355 100644
--- a/plugins/inventory/float.py
+++ b/plugins/inventory/float.py
@@ -38,6 +38,9 @@ DEFAULT_SERVICE_CREDENTIALS = [
 {
 'name': 'auth-server',
 },
+ {
+ 'name': 'assetmon-client',
+ },
 ]
diff --git a/roles/float-base-docker/tasks/main.yml b/roles/float-base-docker/tasks/main.yml
index d5d09ae6..6d08dcfc 100644
--- a/roles/float-base-docker/tasks/main.yml
+++ b/roles/float-base-docker/tasks/main.yml
@@ -1,5 +1,10 @@
 ---
+- name: Configure asset tracking
+ template:
+ src: "assetmon.default.j2"
+ dest: "/etc/default/assetmon"
+
 - include_tasks: docker.yml
 when: "container_runtime == 'docker'"
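Review bot: The new `assetmon-client` entry in DEFAULT_SERVICE_CREDENTIALS carries no comment, yet its name is load-bearing in two other files of this patch: the client options in assetmon.default.j2 read the certificate from `/etc/credentials/x509/assetmon-client/`, and the server ACL in server.yml.j2 matches on the certificate CN. A one-line comment above the entry, such as `# Client cert presented to the asset tracking server (assetmon); its CN is what the server ACL in roles/float-infra-assetmon matches on.`, would tell a maintainer that renaming it breaks both. If DEFAULT_SERVICE_CREDENTIALS is issued to every host, as the name suggests but this hunk does not show, the comment should also say that every host can write to the asset API with it.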
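Review bot: The `Configure asset tracking` template task writes `/etc/default/assetmon` but has no `notify`, so a changed OPTIONS line (a different `domain`, port or credential path) is not picked up by an already-running assetmon client until something else restarts it. The client's systemd unit is not visible in this patch; if the `assetmon` package ships one, add a handler that restarts it and `notify` it from this task, mirroring the `notify: reload assetmon` pattern used in roles/float-infra-assetmon. Only the top of the role's task list is visible in the hunk.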
diff --git a/roles/float-base-docker/templates/assetmon.default.j2 b/roles/float-base-docker/templates/assetmon.default.j2
new file mode 100644
index 00000000..d9c0af49
--- /dev/null
+++ b/roles/float-base-docker/templates/assetmon.default.j2
@@ -0,0 +1 @@
+OPTIONS="--server=https://assets.{{ domain }}:3798 --tls-cert=/etc/credentials/x509/assetmon-client/client/cert.pem --tls-key=/etc/credentials/x509/assetmon-client/client/private_key.pem --tls-ca=/etc/credentials/x509/assetmon-client/ca.pem"
diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 054402a1..3e69364b 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -123,6 +123,7 @@
 - auditd
 - audisp-json
 - prometheus-node-exporter
+ - assetmon
 - name: Install extra packages
 apt:
diff --git a/roles/float-infra-assetmon/handlers/main.yml b/roles/float-infra-assetmon/handlers/main.yml
new file mode 100644
index 00000000..acbc01c5
--- /dev/null
+++ b/roles/float-infra-assetmon/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- listen: reload assetmon
+ systemd:
+ name: docker-assets-http.service
+ state: restarted
diff --git a/roles/float-infra-assetmon/tasks/main.yml b/roles/float-infra-assetmon/tasks/main.yml
new file mode 100644
index 00000000..0334b4e7
--- /dev/null
+++ b/roles/float-infra-assetmon/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Create /etc/assetmon
+ file:
+ path: "/etc/assetmon"
+ state: directory
+ owner: root
+ group: docker-assets
+ mode: 0750
+
+- name: Configure asset tracking server
+ template:
+ src: "server.yml.j2"
+ dest: "/etc/assetmon/server.yml"
+ owner: root
+ group: docker-assets
+ mode: 0640
+ notify: reload assetmon
diff --git a/roles/float-infra-assetmon/templates/server.yml.j2 b/roles/float-infra-assetmon/templates/server.yml.j2
new file mode 100644
index 00000000..4b79449d
--- /dev/null
+++ b/roles/float-infra-assetmon/templates/server.yml.j2
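Review bot: The client options hard-code port 3798, which is hard-coded again in the `ports`, `monitoring_endpoints` and `public_endpoints` entries of the `assets` service in services.yml.default and services.yml.no-elasticsearch; a single variable (for example `assetmon_port`) in all four places would keep them from drifting. This file is installed on every host by roles/float-base-docker and the `assetmon` package is installed unconditionally in roles/float-base/tasks/apt.yml, so a deployment that drops or renames the `assets` service would leave every client pointing at a non-existent `assets.{{ domain }}`; guarding both on the service being enabled (however float expresses that, which is not visible here) would avoid that. A comment above the line, such as `# Options for the assetmon client agent; the server is the 'assets' service in services.yml, reached with the assetmon-client credential.`, would tie the three pieces together for a reader.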
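Review bot: The handler listens on `reload assetmon` but performs `state: restarted` on `docker-assets-http.service`, which stops the container and drops in-flight client requests; the name promises a reload. Rename it to match what it does, `- listen: restart assetmon`, and change the corresponding `notify: reload assetmon` in roles/float-infra-assetmon/tasks/main.yml, so a reader of the tasks file knows that a configuration change restarts the service.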
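Review bot: The `mode: 0750` and `mode: 0640` values in roles/float-infra-assetmon/tasks/main.yml are unquoted, so they reach Ansible as YAML integers rather than strings; Ansible's file-module documentation recommends quoting octal modes (`mode: "0750"` and `mode: "0640"`) because the leading-zero form works in most places but can fail in loops and some other contexts. The directory is root:docker-assets 0750 and the config root:docker-assets 0640, which keeps the server configuration readable only by the service group; if the `docker-assets` group is created by float's container machinery rather than by this role (not visible here), a comment on the first task noting that the role depends on it existing first would save the next maintainer a failed run.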
@@ -0,0 +1,13 @@
+db_uri: /var/lib/assetmon/assets.db
+http_server:
+ request_timeout: 30
+ tls:
+ cert: "/etc/credentials/x509/assetmon/server/cert.pem"
+ key: "/etc/credentials/x509/assetmon/server/private_key.pem"
+ ca: "/etc/credentials/x509/assetmon/ca.pem"
+ acl:
+ allow:
+ - path: "/api/v1/.*"
+ cn: "assetmon-client.investici.org"
+ - path: ".*"
+ cn: ".*"
diff --git a/services.yml.default b/services.yml.default
index 4e87e25b..a901d767 100644
--- a/services.yml.default
+++ b/services.yml.default
@@ -339,3 +339,28 @@ acme:
 systemd_services:
 - acmeserver.service
+assets:
+ num_instances: 1
+ scheduling_group: backend
+ service_credentials:
+ - name: assetmon
+ containers:
+ - name: http
+ image: registry.git.autistici.org/ai3/tools/assetmon:master
+ volumes:
+ - /etc/assetmon/server.yml: /etc/assetmon/server.yml
+ - /var/lib/assetmon: /var/lib/assetmon
+ ports:
+ - 3798
+ monitoring_endpoints:
+ - job_name: assets
+ port: 3798
+ scheme: https
+ public_endpoints:
+ - name: assets
+ port: 3798
+ scheme: https
+ datasets:
+ - name: db
+ path: /var/lib/assetmon
+ owner: docker-assets
diff --git a/services.yml.no-elasticsearch b/services.yml.no-elasticsearch
index 8b6ccd28..aac52c09 100644
--- a/services.yml.no-elasticsearch
+++ b/services.yml.no-elasticsearch
@@ -267,3 +267,28 @@ acme:
 systemd_services:
 - acmeserver.service
+assets:
+ num_instances: 1
+ scheduling_group: backend
+ service_credentials:
+ - name: assetmon
+ containers:
+ - name: http
+ image: registry.git.autistici.org/ai3/tools/assetmon:master
+ volumes:
+ - /etc/assetmon/server.yml: /etc/assetmon/server.yml
+ - /var/lib/assetmon: /var/lib/assetmon
+ ports:
+ - 3798
+ monitoring_endpoints:
+ - job_name: assets
+ port: 3798
+ scheme: https
+ public_endpoints:
+ - name: assets
+ port: 3798
+ scheme: https
+ datasets:
+ - name: db
+ path: /var/lib/assetmon
+ owner: docker-assets
--
GitLab
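Review bot: The first ACL rule hard-codes `cn: "assetmon-client.investici.org"` while every other host name in this patch is built from `{{ domain }}`, so on any deployment with a different `domain` the client's CN will not match the `/api/v1/.*` rule. What happens then depends on how the server evaluates `allow` rules, which is not visible here: if any matching rule allows, the catch-all `- path: ".*"` / `cn: ".*"` admits every certificate signed by the CA to the API anyway and the first rule adds nothing; if rules are first-match, API calls from those clients are rejected. Assuming float issues the `assetmon-client` credential with CN `assetmon-client.<domain>`, which the hard-coded value suggests, the line should read `cn: "assetmon-client.{{ domain }}"`. The catch-all also deserves a comment stating which certificates it is meant to admit (the monitoring scraper, presumably, given the https `monitoring_endpoints`), so the broad `cn: ".*"` is a documented decision rather than a fallback.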
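Review bot: The `assets` service pulls `registry.git.autistici.org/ai3/tools/assetmon:master`, a mutable tag, so what runs on `backend` hosts is whatever the registry holds at deploy time and cannot be tied back to a reviewed build; pinning to a release tag or an image digest (`image: registry.git.autistici.org/ai3/tools/assetmon@sha256:<digest>`) gives reproducible, attributable deployments. Other services in this file may use `:master` too (not visible in the hunk), in which case this is a repository-wide convention to revisit rather than a defect of this entry. The same 25-line block is added verbatim to services.yml.no-elasticsearch, so any fix here applies there as well. The container reads its TLS material from `/etc/credentials/x509/assetmon/` per server.yml.j2, but that path is not in `volumes`; presumably float mounts `service_credentials` into the container automatically, which is worth confirming before relying on it.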