r/collectd-prometheus: Allow scraping from outside

The *collectd-prometheus* role now has a
`collectd_prometheus_allow_outsize` variable.  This variable controls
whether or not external hosts are allowed to scrape data from *collectd*.
When set to `false`, as is the default value, *collectd* will be
configured to listen on the loopback interface only, and the TCP port
will not be opened in the firewall.

roles/collectd-prometheus/defaults/main.yml

@@ -1,2 +1,5 @@
 collectd_load_prometheus_plugin: true
 collectd_prometheus_port: 9103
+collectd_prometheus_allow_outside: false
+collectd_prometheus_host: >-
+  {% if not collectd_prometheus_allow_outside %}::1{% endif %}

roles/collectd-prometheus/tasks/main.yml

@@ -17,6 +17,7 @@
 - name: ensure collectd-local selinux module is installed
   copy:
     src: collectd-local.pp
+    mode: 'u=rw,go=r'
     dest: /var/lib/selinux/collectd-local.pp
   notify:
   - install collectd-local selinux module
@@ -32,3 +33,19 @@
   - restart collectd
   tags:
   - collectd-config
+
+- name: ensure firewall is configured for collectd write_prometheus plugin
+  firewalld:
+    port: '{{ collectd_prometheus_port }}/tcp'
+    permanent: false
+    immediate: true
+    state: '{{ "enabled" if collectd_prometheus_allow_outside else "disabled" }}'
+  tags: firewalld
+
+- name: ensure firewall is configured for collectd write_prometheus plugin
+  firewalld:
+    port: '{{ collectd_prometheus_port }}/tcp'
+    permanent: true
+    immediate: false
+    state: '{{ "enabled" if collectd_prometheus_allow_outside else "disabled" }}'
+  tags: firewalld

roles/collectd-prometheus/templates/collectd-prometheus.conf.j2

@@ -4,7 +4,7 @@ LoadPlugin write_prometheus
 {% endif %}
 <Plugin write_prometheus>
     Port {{ collectd_prometheus_port }}
-{% if collectd_prometheus_host is defined %}
+{% if collectd_prometheus_host|d %}
     Host "{{ collectd_prometheus_host }}"
 {% endif %}
 </Plugin>