ceph: allow IPv6 neighbor discovery on mgmt interface

And enable it for ceph nodes.

roles/ceph/templates/nftables.conf.j2

@@ -42,6 +42,10 @@ table inet filter {
             packet-too-big, parameter-problem, time-exceeded,
         } accept comment "accept some ICMPv6"
 
+        iif mgmt0 ip6 hoplimit 255 ip6 nexthdr icmpv6 icmpv6 type {
+            nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert
+        } accept comment "accept IPv6 neighbor discovery"
+
         # BGP / BFD sessions
         iif lan0 ip6 saddr fe80::/64 accept
         iif lan1 ip6 saddr fe80::/64 accept

roles/telegraf/handlers/main.yml

@@ -0,0 +1,10 @@
+- name: update package cache
+  package:
+    update_cache: yes
+  when: "'handler' not in ansible_skip_tags"
+
+- name: restart telegraf
+  service:
+    name: telegraf
+    state: restarted
+  when: "'handler' not in ansible_skip_tags"

roles/telegraf/tasks/debian.yml

@@ -0,0 +1,31 @@
+- name: Add influxdb repository
+  deb822_repository:
+    name: influxdata
+    uris: https://repos.influxdata.com/debian
+    suites: stable
+    components: main
+    architectures: amd64
+    signed_by: https://repos.influxdata.com/influxdata-archive.key
+  notify: update package cache
+
+- meta: flush_handlers
+
+- name: Install telegraf
+  package:
+    name: telegraf
+
+- name: Configure telegraf
+  when: not ansible_check_mode
+  template:
+    dest: /etc/telegraf/telegraf.d/output.conf
+    src: output.conf.j2
+    owner: telegraf
+    group: telegraf
+    mode: 0640
+  notify: restart telegraf
+
+- name: Enable telegraf
+  service:
+    name: telegraf
+    enabled: true
+    state: started

roles/telegraf/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: Get influxdb info
+  set_fact:
+    influxdb_info: '{{ lookup("passwordstore", "vm/"~influxdb_host, returnall=true, missing="empty") | from_yaml }}'
+
+- name: Create influxdb token for this host
+  include_tasks: token.yml
+  when: 'not ansible_check_mode and "influxdb_token" not in password'
+
+- name: Install telegraf on Debian
+  include_tasks: debian.yml
+  when: ansible_os_family == "Debian"

roles/telegraf/tasks/token.yml

@@ -0,0 +1,53 @@
+- name: Get influxdb organization ID
+  delegate_to: localhost
+  uri:
+    url: '{{ influxdb_info.influxdb_url }}/api/v2/orgs'
+    headers:
+      Authorization: Token {{ influxdb_info.influxdb_operator_token }}
+  register: response
+
+- name: Parse influxdb orgID
+  set_fact:
+    influxdb_orgID: '{{ response.json.orgs | selectattr("name", "==", influxdb_info.influxdb_org) | map(attribute="id") | first }}'
+
+- name: Get influxdb bucket ID
+  delegate_to: localhost
+  uri:
+    url: '{{ influxdb_info.influxdb_url }}/api/v2/buckets?orgID={{ influxdb_orgID }}'
+    headers:
+      Authorization: Token {{ influxdb_info.influxdb_operator_token }}
+  register: response
+
+- name: Parse influxdb bucketID
+  set_fact:
+    influxdb_bucketID: '{{ response.json.buckets | selectattr("name", "==", "servers") | map(attribute="id") | first }}'
+
+- name: Create influxdb token
+  delegate_to: localhost
+  uri:
+    url: '{{ influxdb_info.influxdb_url }}/api/v2/authorizations'
+    method: POST
+    body_format: json
+    status_code: 201
+    headers:
+      Authorization: Token {{ influxdb_info.influxdb_operator_token }}
+      Content-Type: application/json
+    body: |
+      {
+        "description": "{{ inventory_hostname }}",
+        "orgID": "{{ influxdb_orgID }}",
+        "permissions": [{ "action": "write", "resource": { "type": "buckets", "id": "{{ influxdb_bucketID }}" } }]
+      }
+  register: response
+
+- name: Parse influxdb token
+  set_fact:
+    influxdb_token: '{{ response.json.token }}'
+
+# Ansible’s passwordstore lookup plugin should be able to do that but is pretty broken,
+# so we do it manually.
+- name: Store influxdb token in password store
+  delegate_to: localhost
+  command:
+    cmd: 'pass insert --force --multiline {{ ("vm/" if is_virtual else "host/")~inventory_hostname }}'
+    stdin: '{{ password | to_nice_yaml(sort_keys=false) }}influxdb_token: {{ influxdb_token }}'

roles/telegraf/templates/output.conf.j2

@@ -0,0 +1,5 @@
+[[outputs.influxdb_v2]]
+ urls = ["{{ influxdb_info.influxdb_url }}"]
+ organization = "{{ influxdb_info.influxdb_org }}"
+ bucket = "{{ influxdb_info.influxdb_bucket }}"
+ token = "{{ influxdb_token | default(password.influxdb_token) }}"

setup.yml

@@ -3,6 +3,13 @@
   roles:
     - facts
 
+- hosts: monitor
+  roles:
+    - alpine
+    - nginx
+    - influxdb
+    - grafana
+
 - hosts: dhcp
   roles:
     - alpine
@@ -19,6 +26,7 @@
   roles:
     - debian
     - frr
+    - telegraf
     - ceph
 
 - hosts: pve-rc-*, pve-lab-*