Add dnssec_exporter role

roles/dnssec_exporter/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart prometheus-dnssec-exporter
+  ansible.builtin.service:
+    name: prometheus-dnssec-exporter
+    state: restarted

roles/dnssec_exporter/tasks/config.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Render /etc/prometheus/dnssec-exporter/config.yaml
+  ansible.builtin.template:
+    src: etc/prometheus/dnssec-exporter/config.yaml.j2
+    dest: /etc/prometheus/dnssec-exporter/config.yaml
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart prometheus-dnssec-exporter
+
+- name: Render /etc/default/prometheus-dnssec-exporter
+  ansible.builtin.template:
+    src: etc/default/prometheus-dnssec-exporter.j2
+    dest: etc/default/prometheus-dnssec-exporter
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart prometheus-dnssec-exporter
+
+- name: Start and enable prometheus-dnssec-exporter
+  ansible.builtin.service:
+    name: prometheus-dnssec-exporter
+    state: started
+    enabled: yes

roles/dnssec_exporter/tasks/install.yml

@@ -0,0 +1,6 @@
+---
+
+# Requires repo.s3lph.me to be set up
+- name: install prometheus-dnssec-exporter from system package sources
+  ansible.builtin.apt:
+    name: prometheus-dnssec-exporter

roles/dnssec_exporter/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: install prometheus-dnssec-exporter
+  ansible.builtin.import_tasks: install.yml
+  tags:
+    - "role::dnssec_exporter"
+    - "role::dnssec_exporter:install"
+
+- name: configure prometheus-dnssec-exporter
+  ansible.builtin.import_tasks: config.yml
+  tags:
+    - "role::dnssec_exporter"
+    - "role::dnssec_exporter:config"

roles/dnssec_exporter/templates/etc/default/prometheus-dnssec-exporter.j2

@@ -0,0 +1,14 @@
+{{ ansible_managed | comment }}
+
+ARGS="--config=/etc/prometheus/dnssec-exporter/config.yaml --web.listen-address={{ dnssec_exporter_listen_address }} {{ dnssec_exporter_additional_options }}"
+
+# GLOBAL OPTIONS:
+# --web.listen-address=":9142"
+#                      Address on which to expose metrics.
+# --web.metrics-path="/metrics"
+#                      Path under which to expose metrics.
+# --web.config=""      Path to web config yaml file.
+# --config=""          Path to config yaml file.
+# --log.level=info     Only log messages with the given severity or above. One of: [debug, info, warn, error]
+# --log.format=logfmt  Output format of log messages. One of: [logfmt, json]
+# --version            Show application version.

roles/dnssec_exporter/templates/etc/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+
+dnssec_exporter_listen_address: "[::1]:9142"
+dnssec_exporter_additional_options: ""
+
+dnssec_exporter_dns_resolver: "1.1.1.1:53"
+dnssec_exporter_dns_zones:
+  - example.org
+  - example.net
+dnssec_exporter_additional_config: ""

roles/dnssec_exporter/templates/etc/prometheus/dnssec-exporter/config.yaml.j2

@@ -0,0 +1,26 @@
+---
+{{ ansible_managed | comment }}
+
+## dnssec exporter configuration
+#
+dns:
+  # The resolver to use.  Must be DNSSEC validating, and
+  # must not strip DNSSEC responses.
+  resolver: {{ dnssec_exporter_dns_resolver }}
+  # List of zones to resolve.
+  zones:
+{% for zone in dnssec_exporter_dns_zones %}
+    - {{ zone }}{% if zone[-1] != '.' %}.{% endif %}
+{% endfor %}
+
+## TLS and Basic Auth can be configured here as well, see for details:
+## https://github.com/prometheus/exporter-toolkit/blob/master/web/tls_config.go#L36
+#
+#basic_auth_users:
+#  user1: pass1
+#  user2: pass2
+#tls_server_config:
+#  cert_file: server.crt
+#  key_file: server.key
+
+{{ dnssec_exporter_additional_config }}