diff --git a/deployment/ansible/playbooks/setup-infrastructure.yml b/deployment/ansible/playbooks/setup-infrastructure.yml
index cb8f419f..808d4c6c 100644
--- a/deployment/ansible/playbooks/setup-infrastructure.yml
+++ b/deployment/ansible/playbooks/setup-infrastructure.yml
@@ -19,13 +19,19 @@
msg: "Deployment stacks directory not found at {{ stacks_base_path }}"
when: not stacks_dir.stat.exists
- # Create external network required by all stacks
+ # Create external networks required by all stacks
- name: Create traefik-public network
community.docker.docker_network:
name: traefik-public
driver: bridge
state: present
+ - name: Create app-internal network
+ community.docker.docker_network:
+ name: app-internal
+ driver: bridge
+ state: present
+
# 1. Deploy Traefik (Reverse Proxy & SSL)
- name: Deploy Traefik stack
community.docker.docker_compose_v2:
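Review bot: The new `app-internal` network in the second task is created as a plain `bridge` network, which makes it indistinguishable from `traefik-public` apart from its name; if it is meant to keep backend services off the externally reachable path, that isolation has to be requested explicitly with `internal: true` under `community.docker.docker_network`. Without it, a container attached only to `app-internal` still gets NAT-ed outbound access and the name documents an intent the configuration does not enforce. Whether that isolation is actually wanted cannot be confirmed from this hunk, so check which stacks join the network before adding the flag.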
@@ -157,6 +163,48 @@
ignore_errors: yes
# 5. Deploy Monitoring (Portainer + Grafana + Prometheus)
+ - name: Optionally load monitoring secrets from vault
+ include_vars:
+ file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+ no_log: yes
+ ignore_errors: yes
+ delegate_to: localhost
+ become: no
+
+ - name: Set Grafana admin password from vault or generate
+ set_fact:
+ grafana_admin_password: "{{ vault_grafana_admin_password | default(lookup('password', '/dev/null length=25 chars=ascii_letters,digits')) }}"
+
+ - name: Set Prometheus password from vault or generate
+ set_fact:
+ prometheus_password: "{{ vault_prometheus_password | default(lookup('password', '/dev/null length=25 chars=ascii_letters,digits')) }}"
+
+ - name: Generate Prometheus BasicAuth hash
+ shell: |
+ docker run --rm httpd:alpine htpasswd -nbB admin "{{ prometheus_password }}" 2>/dev/null | cut -d ":" -f 2
+ register: prometheus_auth_hash
+ changed_when: false
+ no_log: yes
+
+ - name: Set Prometheus BasicAuth string
+ set_fact:
+ prometheus_auth: "admin:{{ prometheus_auth_hash.stdout }}"
+
+ - name: Ensure monitoring stack directory exists
+ file:
+ path: "{{ stacks_base_path }}/monitoring"
+ state: directory
+ mode: '0755'
+
+ - name: Create monitoring stack .env file
+ template:
+ src: "{{ playbook_dir }}/../templates/monitoring.env.j2"
+ dest: "{{ stacks_base_path }}/monitoring/.env"
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: '0600'
+ no_log: yes
+
- name: Deploy Monitoring stack
community.docker.docker_compose_v2:
project_src: "{{ stacks_base_path }}/monitoring"
diff --git a/deployment/ansible/secrets/production.vault.yml.example b/deployment/ansible/secrets/production.vault.yml.example
index fd53680b..6895107c 100644
--- a/deployment/ansible/secrets/production.vault.yml.example
+++ b/deployment/ansible/secrets/production.vault.yml.example
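Review bot: The `Generate Prometheus BasicAuth hash` task interpolates `{{ prometheus_password }}` into a shell command inside double quotes, so a vault-supplied password containing `"`, `$` or a backtick is mangled or executed by the shell, and because `2>/dev/null` plus the pipe into `cut` (no `pipefail`) hide a failed `docker run`, such a failure produces an empty stdout that the next `set_fact` turns into `admin:` with no error raised. Pass the password through the `quote` filter, enable `pipefail`, and fail the task when the hash comes back empty, as in the rewrite below. Separately, the `default(lookup('password', '/dev/null …'))` fallback in both `set_fact` tasks draws a fresh random value on every run, and since the preceding `include_vars` runs with `ignore_errors: yes` and `no_log: yes`, a wrong vault path or vault password silently degrades production to credentials nobody has recorded; an `assert` that `vault_grafana_admin_password` and `vault_prometheus_password` are defined (or a persistent file path for the `password` lookup instead of `/dev/null`) would make that visible. The two `set_fact` tasks also lack `no_log: yes`, so a verbose run prints the generated passwords. Consider pinning `httpd:alpine` to a digest as well, so the hash generator is reproducible.

```yaml
    - name: Generate Prometheus BasicAuth hash
      shell: |
        set -o pipefail
        docker run --rm httpd:alpine htpasswd -nbB admin {{ prometheus_password | quote }} | cut -d ":" -f 2
      args:
        executable: /bin/bash
      register: prometheus_auth_hash
      changed_when: false
      failed_when: prometheus_auth_hash.rc != 0 or (prometheus_auth_hash.stdout | trim | length) == 0
      no_log: yes
    # … unchanged: Set Prometheus BasicAuth string, directory and .env tasks …
```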
@@ -24,3 +24,7 @@ vault_docker_registry_password: "change-me-registry-password"
# Optional: Additional Secrets
vault_encryption_key: "change-me-encryption-key"
vault_session_secret: "change-me-session-secret"
+
+# Monitoring Stack Credentials
+vault_grafana_admin_password: "change-me-secure-grafana-password"
+vault_prometheus_password: "change-me-secure-prometheus-password"
diff --git a/deployment/ansible/templates/monitoring.env.j2 b/deployment/ansible/templates/monitoring.env.j2
new file mode 100644
index 00000000..0f8c77a6
--- /dev/null
+++ b/deployment/ansible/templates/monitoring.env.j2
@@ -0,0 +1,20 @@
+# Monitoring Stack Environment Configuration
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+# Domain Configuration
+DOMAIN={{ app_domain | default('michaelschiemer.de') }}
+
+# Grafana Configuration
+GRAFANA_ADMIN_USER={{ grafana_admin_user | default('admin') }}
+GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
+
+# Grafana Plugins (comma-separated)
+# Common useful plugins:
+# - grafana-clock-panel
+# - grafana-piechart-panel
+# - grafana-worldmap-panel
+GRAFANA_PLUGINS={{ grafana_plugins | default('') }}
+
+# Prometheus BasicAuth
+# Format: username:hashed_password
+PROMETHEUS_AUTH={{ prometheus_auth }}
\ No newline at end of file
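Review bot: `PROMETHEUS_AUTH={{ prometheus_auth }}` on the last line writes a bcrypt hash (`admin:$2y$05$…`) into a file that `docker compose` reads with variable interpolation applied to unquoted `.env` values, and `$2y`/`$05` are not valid variable references, so the value is likely to be rejected or mangled before Traefik ever sees it; the same applies to `GRAFANA_ADMIN_PASSWORD` whenever a vault-supplied password contains `$`. Escape the dollar signs when rendering, `PROMETHEUS_AUTH={{ prometheus_auth | replace('$', '$$') }}` and `GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password | replace('$', '$$') }}`, and confirm the round-trip with `docker compose config`, since how the compose file consumes these variables is not visible in this diff. The template also ends without a trailing newline (`\ No newline at end of file`), which is harmless for Compose but trips tooling that appends to the file. The hard-coded `michaelschiemer.de` fallback for `DOMAIN` belongs in group or host vars rather than the template, so a missing `app_domain` fails the template render instead of silently pointing the monitoring stack at a production domain.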