2025-01-10
- Scripted out most of the config for prometheus/alertmanager/blackbox_exporter.
- AlertManager had disappeared (can't remember why), but the config was still there, so that kept things simple.
- Going to set up NGINX as a reverse proxy for prometheus.blip.zip, alertmanager.blip.zip. Is it worth putting it in docker? Probably not.
- I'm going to script up the key renewal and distribution from (probably) the monitoring box.
- Setup:
  - Create tls_certs (?) user on automation host
  - Create SSH key
  - Create tls_certs user on each machine that needs it.
  - Add pub to authorized_keys.
  - Add all process users (e.g., nginx) that need it to a tls_certs group.
  - Create new directory /etc/tlscerts/<domainname>
  - Make tls_certs owner/group. Set 640 (-rw-r-----) perms.
- Script:
  - (Maybe) prompt for porkbun API secret
  - Call API and write key/cert to /tmp/keys
  - Iterate over all stored hosts and SCP new key/cert onto /etc/tlscerts/<domainname> (replacing previous ones)
  - Notify via webhook if there are any failures
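Added example (not the author's script): a first cut of the distribution half of that plan in bash. It assumes the key and cert have already been fetched into a staging directory as privkey.pem and fullchain.pem (placeholder names), that a tls_certs user and group exist on every target, that this host can SSH in as tls_certs with the key above, and that the webhook accepts a JSON POST. Hostnames and paths are placeholders. Two details the outline above doesn't spell out: the per-domain directory needs group execute (750), or members of tls_certs can't open the 640 files inside it; and each file is written under a temporary name and renamed over the old one, so nginx reads either the old or the new key, never a partial write.

```bash
#!/usr/bin/env bash
# distribute_certs.sh -- push a renewed key/cert to every host (added example).
# Assumes: key + cert already fetched into SRC_DIR as privkey.pem/fullchain.pem
# (placeholder names), a tls_certs user+group on each target, and SSH key auth
# from this host as tls_certs. WEBHOOK_URL is any endpoint accepting a JSON POST.
set -euo pipefail

CERT_ROOT="${CERT_ROOT:-/etc/tlscerts}"
CERT_GROUP="${CERT_GROUP:-tls_certs}"
SSH_USER="${SSH_USER:-tls_certs}"
WEBHOOK_URL="${WEBHOOK_URL:-}"

# Print a file's permission bits as octal (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Install privkey.pem and fullchain.pem from SRC into DEST with the planned
# layout: DEST is 750 (group needs x to open files inside), files are 640 and
# owned by group GROUP. Each file is copied to a temp name and renamed over the
# old one, so a reader sees the old or the new key, never a partial write.
# Pass an empty GROUP to skip chgrp. Runs unchanged on the target host.
install_certs() {  # install_certs SRC_DIR DEST_DIR GROUP
  local src="$1" dest="$2" group="$3" f
  umask 027                               # new files start 640, dirs 750
  mkdir -p "$dest"
  chmod 750 "$dest"
  [ -z "$group" ] || chgrp "$group" "$dest"
  for f in privkey.pem fullchain.pem; do
    cp "$src/$f" "$dest/.$f.tmp"
    chmod 640 "$dest/.$f.tmp"
    [ -z "$group" ] || chgrp "$group" "$dest/.$f.tmp"
    mv -f "$dest/.$f.tmp" "$dest/$f"      # atomic replace on the same filesystem
  done
}

# Check a cert directory after install: 0 iff dir is 750 and both files are 640.
verify_modes() {  # verify_modes DEST_DIR
  local dest="$1" f
  [ "$(file_mode "$dest")" = "750" ] || return 1
  for f in privkey.pem fullchain.pem; do
    [ "$(file_mode "$dest/$f")" = "640" ] || return 1
  done
}

# POST a one-line message to the webhook (no-op when WEBHOOK_URL is unset).
notify() {  # notify MESSAGE
  [ -n "$WEBHOOK_URL" ] || return 0
  local msg
  msg=$(printf '%s' "$1" | tr -d '"\\')   # drop chars that would break the JSON string
  curl -fsS -X POST -H 'Content-Type: application/json' \
    -d "{\"text\":\"$msg\"}" "$WEBHOOK_URL" >/dev/null
}

# Copy one domain's key/cert to one host via a private (0700) staging dir, then
# run install_certs there. The function body is shipped inline with bash -s, so
# the target needs nothing but bash and the tls_certs account.
push_to_host() {  # push_to_host HOST DOMAIN SRC_DIR
  local host="$1" domain="$2" src="$3" target="$SSH_USER@$host"
  local stage="/tmp/tlscerts-$domain-$$"
  ssh -o BatchMode=yes -o ConnectTimeout=10 "$target" "mkdir -m 700 -p '$stage'" &&
  scp -q -o BatchMode=yes "$src/privkey.pem" "$src/fullchain.pem" "$target:$stage/" &&
  ssh -o BatchMode=yes "$target" bash -s -- "$stage" "$CERT_ROOT/$domain" "$CERT_GROUP" <<EOF
$(declare -f install_certs)
install_certs "\$@" && rm -rf "\$1"
EOF
}

# Push to every host, keep going past failures, report them once at the end,
# and return non-zero so cron/systemd notice too.
distribute() {  # distribute DOMAIN SRC_DIR HOST...
  local domain="$1" src="$2" host; shift 2
  local failed=()
  for host in "$@"; do
    push_to_host "$host" "$domain" "$src" || failed+=("$host")
  done
  if [ "${#failed[@]}" -gt 0 ]; then
    notify "cert distribution for $domain failed on: ${failed[*]}"
    return 1
  fi
}

# usage: ./distribute_certs.sh blip.zip /tmp/keys/blip.zip host1.example host2.example
if [ "$#" -gt 0 ]; then
  distribute "$@"
fi
```

Two notes on the design. The staging directory on each target is created 0700 rather than dropping the key straight into /tmp, since /tmp is world-readable and the key would otherwise be exposed between the scp and the install. And a shell that was already logged in (or a process that was already running) when it was added to tls_certs won't have the group yet; re-login or restart before expecting the 640 files to be readable.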
- Setup:
  - Stupid and annoying learning point: if you add a new group, and add yourself as a member of that group, it won't take effect in that session.
- TODO – set up a new jump box for remote access?