From 50b602eadc21364e38868e64f4b118382d7cfe42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Mon, 13 Feb 2023 22:42:11 +0100
Subject: [PATCH] alertmanager: Protect with basic auth

Alertmanager will get exposed with nginx, so silence integration with ntfy-alertmanager can work.
---
 roles/alertmanager/files/alertmanager.conf | 2 +-
 roles/alertmanager/tasks/main.yml | 7 +++++--
 roles/alertmanager/templates/web-config.yml.j2 | 2 ++
 roles/prometheus/tasks/main.yml | 1 +
 roles/prometheus/templates/prometheus.yml.j2 | 3 +++
 5 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 roles/alertmanager/templates/web-config.yml.j2

diff --git a/roles/alertmanager/files/alertmanager.conf b/roles/alertmanager/files/alertmanager.conf
index 3267b9d..df85593 100644
--- a/roles/alertmanager/files/alertmanager.conf
+++ b/roles/alertmanager/files/alertmanager.conf
@@ -1 +1 @@
-ALERTMANAGER_ARGS="--data.retention=168h"
+ALERTMANAGER_ARGS="--data.retention=168h --web.config.file=/etc/alertmanager/web-config.yml"
diff --git a/roles/alertmanager/tasks/main.yml b/roles/alertmanager/tasks/main.yml
index 93c13a6..0bf6856 100644
--- a/roles/alertmanager/tasks/main.yml
+++ b/roles/alertmanager/tasks/main.yml
@@ -12,11 +12,14 @@
 
 - name: Configure
   ansible.builtin.template:
-    src: alertmanager.yml.j2
-    dest: /etc/alertmanager/alertmanager.yml
+    src: "{{ item }}.j2"
+    dest: "/etc/alertmanager/{{ item }}"
     owner: alertmanager
     group: alertmanager
     mode: 0600
+  with_items:
+    - alertmanager.yml
+    - web-config.yml
   notify: Reload alertmanager
 
 - name: Install cli configuration
diff --git a/roles/alertmanager/templates/web-config.yml.j2 b/roles/alertmanager/templates/web-config.yml.j2
new file mode 100644
index 0000000..372b968
--- /dev/null
+++ b/roles/alertmanager/templates/web-config.yml.j2
@@ -0,0 +1,2 @@
+basic_auth_users:
+  {{ alertmanager_secrets['user'] }}: '{{ alertmanager_secrets['pass'] | password_hash('bcrypt', alertmanager_secrets['salt']) }}'
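Review bot: The new `--web.config.file` flag turns on basic auth, but nothing in this hunk binds Alertmanager to the loopback interface, so if nginx is meant to be the only public entry point (as the commit message suggests) a direct connection to port 9093 would still be answered with basic auth and no TLS on that path. Unless the listen address is already pinned elsewhere (a systemd unit, or a `tls_server_config` in the web config, neither visible here), add `--web.listen-address=127.0.0.1:9093` to `ALERTMANAGER_ARGS` so the credentials only ever travel through the proxy. Prometheus already targets `localhost:9093`, so that binding would not break the alerting path.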
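Review bot: The `Configure` task now renders `web-config.yml`, which references `alertmanager_secrets`, but that fact is only set in `roles/prometheus/tasks/main.yml`, so this role now silently depends on the prometheus role having already run on the same host and will fail with an undefined-variable error otherwise. Consider fetching the secret in this role's own tasks, e.g. a `set_fact` with `alertmanager_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/alertmanager') }}"` placed before the `Configure` task, or at least document the ordering requirement in the role. Iterating with `with_items` works, but `loop:` is the current idiom and reads the same here.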
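Review bot: The rendered username on the second line becomes an unquoted YAML mapping key, so a value containing `: `, ` #`, a leading indicator character, or one that looks like a boolean or number would either break the file or change type; quote it as `'{{ alertmanager_secrets['user'] }}': '...'` the same way the hash already is. Hashing with a fixed salt from Vault keeps the template idempotent, but the passlib-backed bcrypt path of `password_hash` expects a 22-character salt from the bcrypt alphabet and errors on anything else, so it is worth confirming the stored `salt` satisfies that. No cost factor is passed, so the bcrypt rounds are whatever the library defaults to; if you want it pinned, pass the filter's `rounds` argument where your Ansible version supports it.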
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 7dc56f2..6362293 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: Get secrets
   ansible.builtin.set_fact:
+    alertmanager_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/alertmanager') }}"
     prometheus_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/prometheus') }}"
     minio_jwt: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio:jwt') }}"
 
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index c804158..a0a77fe 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -4,6 +4,9 @@ alerting:
   - static_configs:
     - targets:
       - localhost:9093
+    basic_auth:
+      username: "{{ alertmanager_secrets['user'] }}"
+      password: "{{ alertmanager_secrets['pass'] }}"
 
 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
 rule_files:
-- 
2.44.0
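Review bot: The `Get secrets` task now pulls the Alertmanager password into a fact, and no `no_log: true` is visible on the task, so a verbose run (`-v` or higher) prints the resulting `ansible_facts` to the console and to any log collector watching it. Unless it is already set further down outside the hunk, add `no_log: true` to this task. The task's body may continue past the hunk's last visible line.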
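Review bot: The new `password` value is interpolated inside a YAML double-quoted scalar, so a secret containing `"` or `\` yields either a parse error or a silently altered password, because backslash escapes are processed in double quotes; the same applies to `username`. Rendering both through Ansible's `to_json` filter produces a correctly escaped double-quoted scalar: `username: {{ alertmanager_secrets['user'] | to_json }}` and `password: {{ alertmanager_secrets['pass'] | to_json }}`. Since the plaintext now lands in `prometheus.yml`, also confirm that the task templating it uses a file mode as restrictive as the `0600` applied to the Alertmanager files (not visible here); Prometheus's `password_file` option is an alternative if you would rather keep the credential out of the main config.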