From b78af05fd86259a59d170e8dcb0472fc1d388bcc Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 30 Oct 2021 16:34:25 -0500
Subject: [PATCH] r/collectd-prometheus: Allow scraping from outside

The *collectd-prometheus* role now has a `collectd_prometheus_allow_outsize` variable. This variable controls whether or not external hosts are allowed to scrape data from *collectd*. When set to `false`, as is the default value, *collectd* will be configured to listen on the loopback interface only, and the TCP port will not be opened in the firewall.
---
 roles/collectd-prometheus/defaults/main.yml | 3 +++
 roles/collectd-prometheus/tasks/main.yml | 17 +++++++++++++++++
 .../templates/collectd-prometheus.conf.j2 | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/roles/collectd-prometheus/defaults/main.yml b/roles/collectd-prometheus/defaults/main.yml
index 30a73ea..e9f13aa 100644
--- a/roles/collectd-prometheus/defaults/main.yml
+++ b/roles/collectd-prometheus/defaults/main.yml
@@ -1,2 +1,5 @@
 collectd_load_prometheus_plugin: true
 collectd_prometheus_port: 9103
+collectd_prometheus_allow_outside: false
+collectd_prometheus_host: >-
+  {% if not collectd_prometheus_allow_outside %}::1{% endif %}
diff --git a/roles/collectd-prometheus/tasks/main.yml b/roles/collectd-prometheus/tasks/main.yml
index 93c7d0d..653ac96 100644
--- a/roles/collectd-prometheus/tasks/main.yml
+++ b/roles/collectd-prometheus/tasks/main.yml
@@ -17,6 +17,7 @@
 - name: ensure collectd-local selinux module is installed
   copy:
     src: collectd-local.pp
+    mode: 'u=rw,go=r'
     dest: /var/lib/selinux/collectd-local.pp
   notify:
     - install collectd-local selinux module
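Review bot: The loopback default `collectd_prometheus_host: ::1` in defaults/main.yml is IPv6-only, so a local Prometheus scraping `127.0.0.1:9103` will be refused and on a host with IPv6 disabled the bind itself will presumably fail, yet neither new variable carries a comment saying so. I'd document both in the defaults file, e.g. `# true: bind collectd's default (any) address and open the port in firewalld; false: bind IPv6 loopback only, scrape via [::1]:9103` above `collectd_prometheus_allow_outside`, and decide whether `localhost` or `127.0.0.1` is the better loopback choice for this fleet. The commit message calls the variable `collectd_prometheus_allow_outsize`, while the one actually defined here is `collectd_prometheus_allow_outside`.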
@@ -32,3 +33,19 @@
     - restart collectd
   tags:
     - collectd-config
+
+- name: ensure firewall is configured for collectd write_prometheus plugin
+  firewalld:
+    port: '{{ collectd_prometheus_port }}/tcp'
+    permanent: false
+    immediate: true
+    state: '{{ "enabled" if collectd_prometheus_allow_outside else "disabled" }}'
+  tags: firewalld
+
+- name: ensure firewall is configured for collectd write_prometheus plugin
+  firewalld:
+    port: '{{ collectd_prometheus_port }}/tcp'
+    permanent: true
+    immediate: false
+    state: '{{ "enabled" if collectd_prometheus_allow_outside else "disabled" }}'
+  tags: firewalld
diff --git a/roles/collectd-prometheus/templates/collectd-prometheus.conf.j2 b/roles/collectd-prometheus/templates/collectd-prometheus.conf.j2
index 8a6369d..d5fbf8c 100644
--- a/roles/collectd-prometheus/templates/collectd-prometheus.conf.j2
+++ b/roles/collectd-prometheus/templates/collectd-prometheus.conf.j2
@@ -4,7 +4,7 @@ LoadPlugin write_prometheus
 {% endif %}
 Port {{ collectd_prometheus_port }}
-{% if collectd_prometheus_host is defined %}
+{% if collectd_prometheus_host|d %}
 Host "{{ collectd_prometheus_host }}"
 {% endif %}
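Review bot: When `collectd_prometheus_allow_outside` is true, the two new `firewalld` tasks open `{{ collectd_prometheus_port }}/tcp` in the default zone with no `zone`, `source` or rich-rule restriction, which exposes an unauthenticated plaintext metrics endpoint (write_prometheus has no auth or TLS of its own, as far as I know) to everything that zone admits rather than only the scraper. I would restrict it to the Prometheus host(s), e.g. `rich_rule: 'rule family=ipv4 source address={{ item }} port port={{ collectd_prometheus_port }} protocol=tcp accept'` looped over a `collectd_prometheus_scrapers` list, or at minimum add `zone: '{{ collectd_prometheus_firewalld_zone | d(omit) }}'` so an operator can confine it to an internal zone. Both tasks also share the exact name `ensure firewall is configured for collectd write_prometheus plugin`; suffixing ` (runtime)` and ` (permanent)` keeps play output unambiguous, and if firewalld is guaranteed running when this role executes the pair can presumably collapse into one task with `permanent: true` and `immediate: true`.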
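Review bot: `{% if collectd_prometheus_host|d %}` now drops the `Host` directive whenever the variable renders empty, which is exactly what the new default produces when `collectd_prometheus_allow_outside` is true, so in that mode the listener binds whatever write_prometheus's built-in default is (presumably the any-address) without the template saying so. I'd add `{# empty host (allow_outside=true) omits Host so collectd uses its default bind; a non-empty value pins the listener #}` above the condition and spell the filter as `| default('')` for readers who don't know the `d` alias. The hunk header counts 7 old lines but only 5 are visible here, so the block enclosing `Port`/`Host` starts and ends outside this hunk and I could not check it.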