add fw and dirs control - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/260

manifests/firewall/iptables.pp

@@ -0,0 +1,16 @@
+# prometheus_cd::firewall::iptables.pp
+# Module name: prometheus_cd
+# Author: Arne Teuke (arne_teuke@confdroid.com)
+# @summary Class manages the firewall rules for the prometheus_cd module.
+##############################################################################
+class prometheus_cd::firewall::iptables (
+) inherits prometheus_cd::params {
+  if  ($ps_prom_host == $fqdn) and ($ps_manage_fw == true) {
+    # main port
+    firewall { "${ps_fw_prefix}${$ps_main_port} main port":
+      proto => 'tcp',
+      dport => $ps_main_port,
+      jump  => 'accept',
+    }
+  }
+}

manifests/main/dirs.pp

@@ -6,4 +6,16 @@
 class prometheus_cd::main::dirs (
 ) inherits prometheus_cd::params {
   require prometheus_cd::main::install
+  if $ps_prom_host == fqdn {
+    file { $ps_main_dir:
+      ensure   => directory,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0755',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+    }
+  }
 }

manifests/main/service.pp

@@ -6,7 +6,8 @@
 class prometheus_cd::main::service (
 ) inherits prometheus_cd::params {
   require prometheus_cd::main::files
-  if $manage_prometheus == true {
+  require prometheus_cd::firewall::iptables
+  if  ($ps_prom_host == $fqdn) and ($manage_prometheus == true) {
     service { 'prometheus':
       ensure     => running,
       hasstatus  => true,

manifests/params.pp

@@ -7,14 +7,27 @@
 # @param [String] pkg_ensure which version of the package to install
 # @param [boolean] manage_prometheus whether to manage prometheus
 # @param [boolean] manage_node_exporter whether to manage node exporter
+# @param [boolean] ps_manage_fw whether to manage the firewall
+# @param [String] ps_prom_host the fqdn of the prometheus server
+# @param [String] ps_fw_prefix the firewall rule prefix
+# @param [String] ps_main_port the firewall main port for prometheus
 ##############################################################################
 class prometheus_cd::params (
 
+  # installation
   String $reqpackage_prom       = 'prometheus2',
   String $reqpackage_ne         = 'node_exporter',
   String $pkg_ensure            = 'present',
+
+  # config logic
   Boolean $manage_prometheus    = false,
   Boolean $manage_node_exporter = false,
+  Boolean $ps_manage_fw         = false,
+  String $ps_prom_host          = 'prometheus.example.net',
+
+  # firewall
+  String $ps_fw_prefix          = '50',
+  String $ps_main_port          = '9090',
 
 ) {
   # defaults
@@ -23,6 +36,9 @@ class prometheus_cd::params (
   $os_name                = $facts['os']['name']
   $os_release             = $facts['os']['release']['major']
 
+  # dirs
+  $ps_main_dir            = '/etc/prometheus'
+
   # includes must be last
   include prometheus_cd::main::config
 }

templates/prometheus.yaml

@@ -0,0 +1,34 @@
+global:
+  scrape_interval: 60s
+  scrape_timeout: 10s
+  evaluation_interval: 15s
+storage:
+  tsdb:
+    out_of_order_time_window: 5m
+alerting:
+  alertmanagers:
+  - follow_redirects: true
+    scheme: http
+    timeout: 10s
+    api_version: v2
+    static_configs:
+    - targets: []
+scrape_configs:
+- job_name: prometheus
+  honor_timestamps: true
+  scrape_interval: 60s
+  scrape_timeout: 10s
+  metrics_path: /metrics
+  scheme: http
+  follow_redirects: true
+  static_configs:
+  - targets:
+    - localhost:9090
+  basic_auth:
+      username_file: /etc/prometheus/secrets/prometheus-auth/username
+      password_file: /etc/prometheus/secrets/prometheus-auth/password
+remote_write:
+  - url: "http://localhost:9090/api/v1/write"
+    basic_auth:
+      username_file: /etc/prometheus/secrets/prometheus-auth/username
+      password_file: /etc/prometheus/secrets/prometheus-auth/password