Puppet Class: prometheus::wireguard_exporter

Inherits:: prometheus

Defined in:: manifests/wireguard_exporter.pp

Summary

This module manages prometheus wireguard_exporter

Overview

Parameters:

arch (String[1]) (defaults to: $prometheus::real_arch) —

Architecture
bin_dir (Stdlib::Absolutepath) (defaults to: $prometheus::bin_dir) —

Directory where binaries are located
extra_groups (Array[String]) (defaults to: []) —

Extra groups to add the binary user to
extra_options (Optional[String[1]]) (defaults to: undef) —

Extra options added to the startup command
group (String[1]) (defaults to: 'wireguard_exporter') —

Group under which the binary is running
init_style (Prometheus::Initstyle) (defaults to: 'none') —

Service startup scripts style (e.g. rc, upstart or systemd)
install_method (Prometheus::Install) (defaults to: 'package') —

Installation method: url or package (only url is supported currently)
manage_group (Boolean) (defaults to: false) —

Whether to create a group for or rely on external code for that
manage_service (Boolean) (defaults to: true) —

Should puppet manage the service?
manage_user (Boolean) (defaults to: false) —

Whether to create user or rely on external code for that
os (String[1]) (defaults to: downcase($facts['kernel'])) —

Operating system (linux is the only one supported)
package_ensure (String[1]) (defaults to: 'installed') —

If package, then use this for package ensure default ‘latest’
package_name (String[1]) (defaults to: 'prometheus-wireguard-exporter') —

The binary package name - not available yet
purge_config_dir (Boolean) (defaults to: true) —

Purge config files no longer generated by Puppet
restart_on_change (Boolean) (defaults to: true) —

Should puppet restart the service on configuration change?
service_enable (Boolean) (defaults to: true) —

Whether to enable the service from puppet
service_ensure (Stdlib::Ensure::Service) (defaults to: 'running') —

State ensured for the service
service_name (String[1]) (defaults to: 'prometheus-wireguard-exporter') —

Name of the wireguard exporter service
user (String[1]) (defaults to: 'wireguard_exporter') —

User which runs the service
version (String[1]) (defaults to: '3.6.6') —

The binary release version
env_vars (Hash[String[1], Scalar]) (defaults to: {}) —

hash with custom environment variables thats passed to the exporter via init script / unit file
env_file_path (Stdlib::Absolutepath) (defaults to: $prometheus::env_file_path) —

The path to the file with the environmetn variable that is read from the init script/systemd unit
proxy_server (Optional[String[1]]) (defaults to: undef) —

Optional proxy server, with port number if needed. ie: example.com:8080
proxy_type (Optional[Enum['none', 'http', 'https', 'ftp']]) (defaults to: undef) —

Optional proxy server type (none|http|https|ftp)
download_url (Prometheus::Uri) (defaults to: 'https://github.com/MindFlavor/prometheus_wireguard_exporter/releases/tag/3.6.6')
scrape_host (Optional[Stdlib::Host]) (defaults to: undef)
export_scrape_job (Boolean) (defaults to: false)
scrape_port (Stdlib::Port) (defaults to: 9586)
scrape_job_name (String[1]) (defaults to: 'wireguard')
scrape_job_labels (Optional[Hash]) (defaults to: undef)
bin_name (Optional[String[1]]) (defaults to: undef)
use_tls_server_config (Boolean) (defaults to: false)
tls_cert_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)
tls_key_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)
tls_client_ca_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)
tls_client_auth_type (String[1]) (defaults to: 'RequireAndVerifyClientCert')
web_config_file (Stdlib::Absolutepath) (defaults to: '/etc/wireguard_exporter_web-config.yml')
tls_min_version (String[1]) (defaults to: 'TLS12')
tls_max_version (String[1]) (defaults to: 'TLS13')
tls_cipher_suites (Optional[Array[String[1]]]) (defaults to: undef)
tls_curve_preferences (Optional[Array[String[1]]]) (defaults to: undef)
tls_prefer_server_cipher_suites (Boolean) (defaults to: true)
use_http_server_config (Boolean) (defaults to: false)
http2 (Boolean) (defaults to: true)
http2_headers (Optional[Hash]) (defaults to: undef)
basic_auth_users (Optional[Hash]) (defaults to: undef)

Author:

Tim Meusel <tim@bastelfreak.de>

# File 'manifests/wireguard_exporter.pp', line 30

class prometheus::wireguard_exporter (
  Array[String] $extra_groups = [],
  String[1] $group = 'wireguard_exporter',
  String[1] $package_ensure = 'installed',
  String[1] $package_name = 'prometheus-wireguard-exporter',
  String[1] $user = 'wireguard_exporter',
  String[1] $version = '3.6.6',
  Boolean $purge_config_dir = true,
  Boolean $restart_on_change = true,
  Boolean $service_enable = true,
  Stdlib::Ensure::Service $service_ensure = 'running',
  String[1] $service_name = 'prometheus-wireguard-exporter',
  Prometheus::Initstyle $init_style = 'none',
  Prometheus::Install $install_method = 'package',
  Boolean $manage_group = false,
  Boolean $manage_service = true,
  Boolean $manage_user = false,
  String[1] $os = downcase($facts['kernel']),
  Optional[String[1]] $extra_options = undef,
  Prometheus::Uri $download_url = 'https://github.com/MindFlavor/prometheus_wireguard_exporter/releases/tag/3.6.6',
  String[1] $arch = $prometheus::real_arch,
  Stdlib::Absolutepath $bin_dir = $prometheus::bin_dir,
  Optional[Stdlib::Host] $scrape_host = undef,
  Boolean $export_scrape_job = false,
  Stdlib::Port $scrape_port = 9586,
  String[1] $scrape_job_name = 'wireguard',
  Optional[Hash] $scrape_job_labels = undef,
  Optional[String[1]] $bin_name = undef,
  Hash[String[1], Scalar] $env_vars = {},
  Stdlib::Absolutepath $env_file_path = $prometheus::env_file_path,
  Optional[String[1]] $proxy_server = undef,
  Optional[Enum['none', 'http', 'https', 'ftp']] $proxy_type = undef,

  ### TLS
  Boolean $use_tls_server_config                     = false,
  Optional[Stdlib::Absolutepath] $tls_cert_file      = undef,
  Optional[Stdlib::Absolutepath] $tls_key_file       = undef,
  Optional[Stdlib::Absolutepath] $tls_client_ca_file = undef,
  String[1] $tls_client_auth_type                    = 'RequireAndVerifyClientCert',
  Stdlib::Absolutepath $web_config_file              = '/etc/wireguard_exporter_web-config.yml',
  String[1] $tls_min_version                         = 'TLS12',
  String[1] $tls_max_version                         = 'TLS13',
  Optional[Array[String[1]]] $tls_cipher_suites      = undef,
  Optional[Array[String[1]]] $tls_curve_preferences  = undef,
  Boolean $tls_prefer_server_cipher_suites           = true,

  ### HTTP/2
  Boolean $use_http_server_config = false,
  Boolean $http2                  = true,
  Optional[Hash] $http2_headers   = undef,

  ### Basic Auth
  Optional[Hash] $basic_auth_users = undef,
) inherits prometheus {
  $notify_service = $restart_on_change ? {
    true    => Service[$service_name],
    default => undef,
  }

  if $use_tls_server_config {
    # if tls is enabled, these values have to be set and cannot be undef anymore
    $valid_tls_cert_file        = assert_type(Stdlib::Absolutepath, $tls_cert_file)
    $valid_tls_key_file         = assert_type(Stdlib::Absolutepath, $tls_key_file)

    $tls_server_config = {
      tls_server_config => {
        cert_file        => $valid_tls_cert_file,
        key_file         => $valid_tls_key_file,
        client_ca_file   => $tls_client_ca_file,
        client_auth_type => $tls_client_auth_type,
        min_version      => $tls_min_version,
        max_version      => $tls_max_version,
        cipher_suites    => $tls_cipher_suites,
        prefer_server_cipher_suites => $tls_prefer_server_cipher_suites,
        curve_preferences           => $tls_curve_preferences,
      },
    }
  } else {
    $tls_server_config = {}
  }

  if $use_http_server_config {
    $http_server_config = {
      http_server_config => {
        http2   => $http2,
        headers => $http2_headers,
      },
    }
  } else {
    $http_server_config = {}
  }

  if $basic_auth_users =~ Undef {
    $basic_auth_config = {}
  } else {
    $basic_auth_config = {
      basic_auth_users => $basic_auth_users,
    }
  }

  $web_config_content = $tls_server_config + $http_server_config + $basic_auth_config

  if empty($web_config_content) {
    file { $web_config_file:
      ensure  => absent,
    }

    $web_config = ''
  } else {
    file { $web_config_file:
      ensure  => file,
      content => $web_config_content.stdlib::to_yaml,
    }

    if versioncmp($version, '1.5.0') >= 0 {
      $web_config = "--web.config.file=${$web_config_file}"
    } else {
      $web_config = "--web.config=${$web_config_file}"
    }
  }

  $options = [
    $extra_options,
    $web_config,
  ].join(' ')

  sudo::conf { $service_name:
    ensure         => 'present',
    content        => "${user} ALL=(root) NOPASSWD: /usr/bin/wg\n",
    sudo_file_name => $service_name,
  }

  prometheus::daemon { $service_name:
    install_method     => $install_method,
    version            => $version,
    download_extension => '',
    os                 => $os,
    arch               => $arch,
    real_download_url  => $download_url,
    bin_dir            => $bin_dir,
    notify_service     => $notify_service,
    package_name       => $package_name,
    package_ensure     => $package_ensure,
    manage_user        => $manage_user,
    user               => $user,
    extra_groups       => $extra_groups,
    group              => $group,
    manage_group       => $manage_group,
    purge              => $purge_config_dir,
    options            => $options,
    init_style         => $init_style,
    service_ensure     => $service_ensure,
    service_enable     => $service_enable,
    manage_service     => $manage_service,
    export_scrape_job  => $export_scrape_job,
    scrape_host        => $scrape_host,
    scrape_port        => $scrape_port,
    scrape_job_name    => $scrape_job_name,
    scrape_job_labels  => $scrape_job_labels,
    bin_name           => $bin_name,
    env_vars           => $env_vars,
    env_file_path      => $env_file_path,
    proxy_server       => $proxy_server,
    proxy_type         => $proxy_type,
  }
}