chrissam / ansible-role-pmm-server Goto Github PK

Installs and configures pmm-server on RHEL/CentOS or Debian/Ubuntu servers.

Requirements

Docker should be installed in the server prior to running this role. Make use of other available docker roles in ansible galaxy before executing this role. Note that this role requires root access, so either run it in a playbook with a global become: yes, or invoke the role in your playbook like:

- hosts: pmm-server
  roles:
    - role: chrissam.pmm-server
      become: yes

Security Features

You can protect PMM from unauthorized access using the following security features:

• HTTP password protection adds authentication when accessing the PMM Server web interface

• SSL encryption secures traffic between PMM Client and PMM Server

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

pmm_server_version: 1.0.7

This defines the version of pmm-server that will installed. Percona recommends to use the latest stable version.

pmm_server_ENABLE_PROTECTION: true

This defines whether to enable password protection or not. This protects PMM from unauthorized access.

pmm_server_username: admin
pmm_server_password: admin

If ENABLE_PROTECTION is set to true then these variables defines the username and password that will be used.

pmm_server_ENABLE_SSL: true

Enables encryption in traffic between PMM Client and PMM Server using SSL certificates.

pmm_server_default_cert: false

If ENABLE_SSL is set to true, then this defines whether a default self-signed certificate should be used.

pmm_server_certificate_path: ""

If default_cert is set to false then this defines the path where you'll place the custom certificate. The certificate and key name should be "server.crt and server.key" respectively. Leaving this variable empty will assume that the certificate is placed within the files directory of the role. If specifying a custom path, don't forget to include the trailing slash in the path ( Eg: /path/to/file/ ) and don't include the file name.

pmm_server_UNINSTALL_PMM: false

Set this to true if you want to uninstall pmm-server. Other variable options will not be considered if this is set to true.

Possible configuration options

Unprotected:

pmm_server_ENABLE_PROTECTION: false
pmm_server_ENABLE_SSL: false

Only password protected:

pmm_server_ENABLE_PROTECTION: true
pmm_server_username: admin
pmm_server_password: admin

Only SSL Encryption:

pmm_server_ENABLE_SSL: true
pmm_server_default_cert: true
(or)
pmm_server_default_cert: false
pmm_server_certificate_path: "/path/to/cert/"

Both password protection and SSL encryption ( Combined Security ):

pmm_server_ENABLE_PROTECTION: true
pmm_server_username: admin
pmm_server_password: admin
pmm_server_ENABLE_SSL: true
pmm_server_default_cert: true
(or)
pmm_server_default_cert: false
pmm_server_certificate_path: "/path/to/cert/"

Custom options:

pmm_server_env_custom:
  METRICS_RETENTION: 192h

Example Playbook

---
- hosts: localhost
  become: yes

  vars:
    pmm_server_version: 1.0.7
    pmm_server_certificate_path: "~/pmm-certs/"
  
  roles:
    - chrissam.pmm-server

License

MIT / BSD

Author

This role was created by Chris Sam for devopsideas