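---
# Deploys a security monitoring stack on the security_servers group:
# Prometheus, Vault and Wazuh via roles, then Node Exporter (from the
# upstream tarball) and Grafana (from the Grafana apt repository), and
# finally a Prometheus rule file with alerts for the security services.
- name: Deploy Security Monitoring Infrastructure
  hosts: security_servers
  become: true
  vars:
    # Version strings are quoted so YAML keeps them as strings ("1.10" != 1.1).
    # prometheus_version, grafana_version and alertmanager_version are not
    # referenced by the tasks below; presumably consumed by the roles.
    prometheus_version: "2.47.0"
    grafana_version: "10.1.0"
    node_exporter_version: "1.6.1"
    alertmanager_version: "0.25.0"
    monitoring_retention_days: 30
    # Optional integrity pin for the Node Exporter tarball, in get_url's
    # "<algorithm>:<hex>" form (e.g. "sha256:<hash from the release's
    # sha256sums.txt>"). Empty = download is not verified (previous behaviour).
    node_exporter_checksum: ""
  roles:
    - prometheus
    - vault
    - wazuh
  tasks:
    - name: Install Node Exporter
      block:
        - name: Download Node Exporter
          get_url:
            url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
            dest: /tmp/node_exporter.tar.gz
            # The checksum parameter is omitted entirely when
            # node_exporter_checksum is empty.
            checksum: "{{ node_exporter_checksum | default(omit, true) }}"
        - name: Extract Node Exporter
          unarchive:
            src: /tmp/node_exporter.tar.gz
            dest: /opt/
            remote_src: true
            # The prometheus user and group must already exist on the host
            # (presumably created by the prometheus role — verify).
            owner: prometheus
            group: prometheus
        - name: Create Node Exporter symlink
          file:
            src: "/opt/node_exporter-{{ node_exporter_version }}.linux-amd64/node_exporter"
            dest: /usr/local/bin/node_exporter
            state: link
        - name: Create Node Exporter systemd service
          copy:
            content: |
              [Unit]
              Description=Node Exporter
              Wants=network-online.target
              After=network-online.target

              [Service]
              User=prometheus
              Group=prometheus
              Type=simple
              ExecStart=/usr/local/bin/node_exporter

              [Install]
              WantedBy=multi-user.target
            dest: /etc/systemd/system/node_exporter.service
          # Handlers run in the order they are defined below, so the daemon
          # reload happens before the unit is (re)started.
          notify:
            - reload systemd
            - restart node_exporter

    - name: Install Grafana
      block:
        # apt_key relies on apt-key, which is deprecated upstream in favour
        # of a signed-by keyring; left unchanged here.
        - name: Add Grafana GPG key
          apt_key:
            url: https://packages.grafana.com/gpg.key
            state: present
        - name: Add Grafana repository
          apt_repository:
            repo: "deb https://packages.grafana.com/oss/deb stable main"
            state: present
        # Installs whatever version the repository currently offers;
        # grafana_version is not used to pin the package.
        - name: Install Grafana
          apt:
            name: grafana
            state: present
            update_cache: true
        - name: Start and enable Grafana
          service:
            name: grafana-server
            state: started
            enabled: true

    # The file content is Jinja-templated by Ansible before it is written,
    # so Prometheus' own "{{ $labels.instance }}" template must be wrapped in
    # {% raw %} ... {% endraw %} or the task fails with a template error.
    - name: Configure security monitoring alerts
      copy:
        content: |
          groups:
            - name: security_alerts
              rules:
                - alert: WazuhManagerDown
                  expr: up{job="wazuh"} == 0
                  for: 2m
                  labels:
                    severity: critical
                  annotations:
                    summary: "Wazuh Manager is down"
                - alert: VaultSealed
                  expr: vault_core_unsealed == 0
                  for: 1m
                  labels:
                    severity: critical
                  annotations:
                    summary: "Vault is sealed"
                - alert: HighCPUUsage
                  expr: 100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
                  for: 5m
                  labels:
                    severity: warning
                  annotations:
                    summary: "High CPU usage on {% raw %}{{ $labels.instance }}{% endraw %}"
        # /etc/prometheus is expected to exist already (presumably created by
        # the prometheus role — verify).
        dest: /etc/prometheus/security_rules.yml
        owner: prometheus
        group: prometheus
        mode: "0644"
      notify: restart prometheus

  handlers:
    - name: reload systemd
      systemd:
        daemon_reload: true
    - name: restart prometheus
      service:
        name: prometheus
        state: restarted
    - name: restart node_exporter
      service:
        name: node_exporter
        state: restarted
        enabled: true

  post_tasks:
    # Enforces (not merely checks) that each service is running and enabled;
    # a service that cannot be started fails the play.
    - name: Verify monitoring services
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - prometheus
        - node_exporter
        - grafana-server
    # Informational only: prints the default listen ports on the host's
    # default IPv4 address.
    - name: Display monitoring URLs
      debug:
        msg: |
          Monitoring services available at:
          - Prometheus: http://{{ ansible_default_ipv4.address }}:9090
          - Grafana: http://{{ ansible_default_ipv4.address }}:3000
          - Node Exporter: http://{{ ansible_default_ipv4.address }}:9100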