feat: nginx prometheus exporter on ks1

confs/ks1/default/prometheus-nginx-exporter

@@ -0,0 +1,65 @@
+# Set the command-line arguments to pass to the server.
+# Due to shell escaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+ARGS="-web.listen-address 127.0.0.1:9113"
+
+# prometheus-nginx-exporter supports the following options:
+#
+#  -nginx.plus
+#    Start the exporter for NGINX Plus. By default, the exporter is started for
+#    NGINX. The default value can be overwritten by NGINX_PLUS environment
+#    variable.
+#  -nginx.retries uint
+#    A number of retries the exporter will make on start to connect to the
+#    NGINX stub_status page/NGINX Plus API before exiting with an error. The
+#    default value can be overwritten by NGINX_RETRIES environment variable.
+#  -nginx.retry-interval value
+#    An interval between retries to connect to the NGINX stub_status page/NGINX
+#    Plus API on start. The default value can be overwritten by
+#    NGINX_RETRY_INTERVAL environment variable. (default 5s).
+#  -nginx.scrape-uri string
+#    A URI or unix domain socket path for scraping NGINX or NGINX Plus metrics.
+#    For NGINX, the stub_status page must be available through the URI. For
+#    NGINX Plus -- the API. The default value can be overwritten by SCRAPE_URI
+#    environment variable. (default "http://127.0.0.1:8080/stub_status").
+#  -nginx.ssl-ca-cert string
+#    Path to the PEM encoded CA certificate file used to validate the servers
+#    SSL certificate. The default value can be overwritten by SSL_CA_CERT
+#    environment variable.
+#  -nginx.ssl-client-cert string
+#    Path to the PEM encoded client certificate file to use when connecting to
+#    the server. The default value can be overwritten by SSL_CLIENT_CERT
+#    environment variable.
+#  -nginx.ssl-client-key string
+#    Path to the PEM encoded client certificate key file to use when connecting
+#    to the server. The default value can be overwritten by SSL_CLIENT_KEY
+#    environment variable.
+#  -nginx.ssl-verify
+#    Perform SSL certificate verification. The default value can be overwritten
+#    by SSL_VERIFY environment variable. (default true).
+#  -nginx.timeout value
+#    A timeout for scraping metrics from NGINX or NGINX Plus. The default value
+#    can be overwritten by TIMEOUT environment variable. (default 5s).
+#  -prometheus.const-labels value
+#    A comma separated list of constant labels that will be used in every
+#    metric. Format is label1=value1,label2=value2... The default value can be
+#    overwritten by CONST_LABELS environment variable.
+#  -web.listen-address string
+#    An address or unix domain socket path to listen on for web interface and
+#    telemetry. The default value can be overwritten by LISTEN_ADDRESS
+#    environment variable. (default ":9113").
+#  -web.secured-metrics
+#    Expose metrics using https. The default value can be overwritten by
+#    SECURED_METRICS variable.
+#  -web.ssl-server-cert string
+#    Path to the PEM encoded certificate for the nginx-exporter metrics
+#    server(when web.secured-metrics=true). The default value can be
+#    overwritten by SSL_SERVER_CERT variable.
+#  -web.ssl-server-key string
+#    Path to the PEM encoded key for the nginx-exporter metrics server (when
+#    web.secured-metrics=true). The default value can be overwritten by
+#    SSL_SERVER_KEY variable.
+#  -web.telemetry-path string
+#    A path under which to expose metrics. The default value can be overwritten
+#    by TELEMETRY_PATH environment variable. (default "/metrics").

confs/ks1/nginx/sites-available/images-off

@@ -106,8 +106,8 @@ server {
 	}
 
 
-    listen [::]:443 ssl ipv6only=on; # managed by Certbot
-    listen 443 ssl; # managed by Certbot
+    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
+    listen 443 ssl http2; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/images.openfoodfacts.org-0001/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/images.openfoodfacts.org-0001/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
@@ -121,8 +121,8 @@ server {
     } # managed by Certbot
 
 
-        listen 80 http2;
-        listen [::]:80 http2;
+        listen 80;
+        listen [::]:80;
         server_name images.openfoodfacts.org;
     return 404; # managed by Certbot
 

confs/ks1/nginx/sites-available/ks1

@@ -0,0 +1,63 @@
+# map from service to exporter
+map $uri $exporter {
+    # nginx metrics proxy
+    "/images-ks1/nginx/metrics" 127.0.0.1:9113;
+}
+
+#log_format debug_exporter "$time_local $scheme://$host:$server_port$request_uri $exporter";
+
+# https server
+server {
+    server_name ks1.openfoodfacts.org;
+
+    # SSL/TLS settings
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/ks1.openfoodfacts.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/ks1.openfoodfacts.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # logs location, avoid access_log, no need
+    #access_log  /var/log/nginx/free-exporters.log  debug_exporter;
+    #access_log  /var/log/nginx/free-exporters.log  main;
+    access_log  off;
+    error_log   /var/log/nginx/ks1.errors.log;
+
+    # protect
+    auth_basic "Exporter metrics";
+    auth_basic_user_file "/etc/nginx/.htpasswd/ks1";
+
+    # url to join is defined thanks to exporter variable, itself based upon uri
+    location / {
+
+        if ($exporter = "") {
+            return 404;
+        }
+        proxy_pass http://$exporter/metrics;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Host $host;
+        client_max_body_size 512M;
+    }
+}
+
+
+
+
+server {
+    if ($host = ks1.openfoodfacts.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+    server_name ks1.openfoodfacts.org;
+    return 404; # managed by Certbot
+
+    location /.well-known {
+        root /var/www/html;
+        try_files $uri =404;
+    }
+}

confs/ks1/nginx/sites-available/stub_status

@@ -0,0 +1,6 @@
+# This enables prometheus exporter to get data from nginx
+server {
+        listen 127.0.0.1:8080;
+        stub_status on;
+}
+

confs/ks1/sysctl.d/60-swapiness.conf

@@ -0,0 +1 @@
+vm.swappiness=10