Add prometheus client tls cert config role

roles/prometheus/handlers/main.yml

+- name: Restart prometheus
+  service:
+    name: prometheus
+    state: restarted
+

roles/prometheus/tasks/main.yml

+- name: Check if /etc/prometheus/prometheus.yml exists
+  stat:
+    path: "/etc/prometheus/prometheus.yml"
+  register: is_prometheus
+
+- name: Fail if host is not prometheus host
+  fail:
+    msg: "This role must only be run on prometheus hosts"
+  when: not is_prometheus | default(false)
+
+    #- name: Create node_exporter_targets.yml file
+    #  template:
+    #    src: node_exporter_targets.yml.j2
+    #    dest: /etc/prometheus/node_exporter_targets.yml
+    #  notify:
+    #    - Restart prometheus
+
+- name: Check if client-cert exists
+  stat:
+    path: "/etc/prometheus/ssl/client.cert.pem"
+  register: client_cert_exists
+
+- name: Ensure /etc/prometheus/ssl exists
+  when: not client_cert_exists.stat.exists
+  file:
+    path: /etc/prometheus/ssl
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Kopiere ca_cert.pem zum Ziel
+  copy:
+    dest: /etc/prometheus/ssl/ca_cert.pem
+    content: "{{ ca_cert_pem }}"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: create key
+  when: not client_cert_exists.stat.exists
+  command: >
+    openssl genrsa -out /etc/prometheus/ssl/client.key.pem 2048
+  args:
+    creates: /etc/prometheus/ssl/client.key.pem
+
+- name: Change file ownership, group and permissions
+  ansible.builtin.file:
+    path: /etc/prometheus/ssl/client.key.pem
+    owner: prometheus
+    group: prometheus
+    mode: '0600'
+
+- name: create csr
+  when: not client_cert_exists.stat.exists
+  command: >
+    openssl req -new -key /etc/prometheus/ssl/client.key.pem -out /tmp/client.csr.pem \
+    -subj "/CN={{ inventory_hostname }}"
+  args:
+    creates: /tmp/client.csr.pem
+
+- name: Fetch CSR from prometheus host
+  when: not client_cert_exists.stat.exists
+  fetch:
+    src: /tmp/client.csr.pem
+    dest: /tmp/{{ inventory_hostname }}.csr.pem
+    flat: true
+    mode: '0600'
+
+- name: Lösche csr.pem
+  file:
+    path: /tmp/client.csr.pem
+    state: absent
+
+- name: create csr conf
+  when: not client_cert_exists.stat.exists
+  delegate_to: localhost
+  copy:
+    content: |
+      extendedKeyUsage = clientAuth
+      subjectAltName = @alt_names
+      [alt_names]
+      DNS.1 = {{ inventory_hostname }}
+    dest: /tmp/{{ inventory_hostname }}_ext.cnf
+
+- name: Schreibe Private Key in RAM-Datei
+  when: not client_cert_exists.stat.exists
+  delegate_to: localhost
+  copy:
+    dest: /dev/shm/ca_key.pem
+    content: "{{ ca_key_pem }}"
+    mode: '0600'
+  no_log: true
+
+- name: Schreibe ca_cert.pem in RAM-Datei
+  when: not client_cert_exists.stat.exists
+  delegate_to: localhost
+  copy:
+    dest: /dev/shm/ca_cert.pem
+    content: "{{ ca_cert_pem }}"
+    mode: '0600'
+  no_log: false
+
+- name: create client cert
+  when: not client_cert_exists.stat.exists
+  delegate_to: localhost
+  command: >
+    openssl x509 -req -in /tmp/{{ inventory_hostname }}.csr.pem -CA /dev/shm/ca_cert.pem -CAkey /dev/shm/ca_key.pem \
+    -CAcreateserial -out /tmp/{{ inventory_hostname }}.cert.pem -days 3650 -sha256 \
+    -extfile /tmp/{{ inventory_hostname }}_ext.cnf
+  args:
+    creates: /tmp/{{ inventory_hostname }}.cert.pem
+
+- name: Lösche CA und ext-cnf
+  delegate_to: localhost
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop: 
+    - /dev/shm/ca_cert.pem
+    - /dev/shm/ca_key.pem
+    - /tmp/{{ inventory_hostname }}_ext.cnf
+    - /tmp/{{ inventory_hostname }}.csr.pem
+
+- name: Copy cert to prometheus host
+  when: not client_cert_exists.stat.exists
+  copy: 
+    src: /tmp/{{ inventory_hostname }}.cert.pem
+    dest: /etc/prometheus/ssl/client.cert.pem
+    mode: '0644'
+
+- name: Lösche client cert
+  delegate_to: localhost
+  file:
+    path: /tmp/{{ inventory_hostname }}.cert.pem
+    state: absent

roles/prometheus/templates/node_exporter_targets.yml.j2

+- targets:
+    {% for container in groups['ffspveguests'] %}
+    - '{{ hostvars[container].ansible_host | default(container) }}.vm.freifunk-stuttgart.de:9998'
+    {% endfor %}