
Added role which installs and configures node_exporter protected via https and auth token

Till Klocke 7 yıl önce
ebeveyn
işleme
517a8af6c2

+ 7 - 0
roles/service-node_exporter/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# defaults file for node_exporter
+
+node_exporter_version: "0.13.0"
+node_exporter_arch: amd64
+node_exporter_archive_name: "node_exporter-{{ node_exporter_version }}.linux-{{ node_exporter_arch }}.tar.gz"
+node_exporter_download_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/{{ node_exporter_archive_name }}"
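Review bot: `node_exporter_authorization_token`, which templates/node_exporter_nginx.j2 interpolates into the nginx vhost, is not declared anywhere in this defaults file, so the role's one mandatory input is invisible to a reader of its defaults. A comment line states the contract without supplying an insecure default: `# node_exporter_authorization_token: set per host (vault); deliberately no default`. The version pin on line 17 is also the natural place to pin the expected digest of the release archive (e.g. a `node_exporter_archive_sha256` variable, value copied from the upstream release's checksum file) so the download task can verify what it unpacks.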

+ 11 - 0
roles/service-node_exporter/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+# handlers file for node_exporter
+
+- name: Restart node_exporter
+  service: name=node_exporter state=restarted
+
+- name: Reload nginx
+  service: name=nginx state=reloaded
+
+- name: Restart nginx
+  service: name=nginx state=restarted
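Review bot: The three handlers use `key=value` argument strings (`service: name=node_exporter state=restarted`) while tasks/main.yml in the same commit uses the native YAML form, so the role mixes both styles. Write them as `service:` / `  name: node_exporter` / `  state: restarted`, and likewise for the two nginx handlers. Whether these handlers run with privileges depends on a play-level `become` that is not visible in this commit.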

+ 58 - 0
roles/service-node_exporter/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+# tasks file for node_exporter
+
+- name: Download and unpack node_exporter
+  unarchive:
+    src: "{{ node_exporter_download_url }}"
+    dest: /tmp
+    remote_src: True
+
+- name: Copy node_exporter to /usr/local/bin
+  copy:
+    remote_src: True
+    src: "/tmp/node_exporter-{{ node_exporter_version }}.linux-{{ node_exporter_arch }}/node_exporter"
+    dest: /usr/local/bin
+    mode: 0744
+  notify: Restart node_exporter
+
+- name: Ensure systemd service is up to date
+  register: node_exporter_systemd
+  template:
+    src: node_exporter.service.j2
+    dest: /etc/systemd/system/node_exporter.service
+  notify: Restart node_exporter
+
+- name: Reload systemd
+  when: node_exporter_systemd|changed
+  shell: systemctl daemon-reload
+
+- name: Ensure node_exporter is running and enabled
+  service:
+    name: node_exporter
+    state: running
+    enabled: yes
+
+- name: Ensure node_exporter nginx config is up to date
+  template:
+    src: node_exporter_nginx.j2
+    dest: /etc/nginx/sites-available/node_exporter.conf
+  notify: Reload nginx
+
+- stat:
+    path: "/var/lib/acme/live/{{ ansible_fqdn }}/privkey"
+  become: yes
+  register: gogs_key_file_stat
+
+- name: Let acmetool generate a key and a certificate
+  become: yes
+  when: not gogs_key_file_stat.stat.exists
+  shell: /usr/bin/acmetool want --batch {{ ansible_fqdn }}
+  notify: Restart nginx
+
+- name: Ensure unsecure node_exporter configuration for nginx is enabled
+  become: yes
+  file: 
+    state: link
+    dest: /etc/nginx/sites-enabled/node_exporter.conf
+    src: /etc/nginx/sites-available/node_exporter.conf 
+  notify: Reload nginx
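Review bot: The `unarchive` task on lines 45-49 fetches the release tarball straight from GitHub and the following `copy` task installs what it contains to /usr/local/bin without any integrity check, so a tampered download is installed and started unnoticed; `unarchive` has no checksum option, so split it into `get_url` with `checksum:` followed by a local `unarchive` (below). Smaller issues in the same file: `register: gogs_key_file_stat` (line 85) is a copy-paste name from another role, and the unnamed `stat` task should get a name and a `node_exporter_` prefixed variable; `state: running` (line 73) is not among the documented `service` states (`started`/`stopped`/`restarted`/`reloaded`), so use `state: started`, and `enabled: yes` should be `enabled: true`. The `node_exporter_systemd|changed` test on line 67 is the deprecated filter form (`node_exporter_systemd is changed` is the supported spelling) and `shell: systemctl daemon-reload` can be the `systemd` module's `daemon_reload: true`; the task name on line 93 says "unsecure" for what is the TLS-protected vhost.
```yaml
- name: Download node_exporter archive
  get_url:
    url: "{{ node_exporter_download_url }}"
    dest: "/tmp/{{ node_exporter_archive_name }}"
    # expected digest of the pinned release; node_exporter_archive_sha256 is a placeholder name to define in defaults
    checksum: "sha256:{{ node_exporter_archive_sha256 }}"

- name: Unpack node_exporter
  unarchive:
    src: "/tmp/{{ node_exporter_archive_name }}"
    dest: /tmp
    remote_src: true

# … unchanged: copy to /usr/local/bin, systemd unit, service, nginx and acmetool tasks …
```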

+ 12 - 0
roles/service-node_exporter/templates/node_exporter.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=node_exporter
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/node_exporter -web.listen-address 127.0.0.1:9100
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
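Review bot: The unit has no `User=`, so node_exporter runs as root although an exporter that reads /proc and /sys needs no privileges; add `User=node_exporter` (with a matching `user` task in the role) or, on systemd 232 and later, `DynamicUser=yes`. Dropping root interacts with tasks/main.yml, which installs the binary with `mode: 0744` — only the owner can execute it — so that mode must become `0755` at the same time. The single-dash `-web.listen-address` form matches the pinned 0.13.0 release; later node_exporter versions switched to `--web.listen-address`, so the flag and the version pin have to move together.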

+ 26 - 0
roles/service-node_exporter/templates/node_exporter_nginx.j2

@@ -0,0 +1,26 @@
+server {
+  listen          443 ssl http2;
+  listen          [::]:443 ssl http2;
+  server_name     {{ ansible_fqdn }};
+
+  include /etc/nginx/ssl.conf;
+
+  ssl_certificate /var/lib/acme/live/{{ ansible_fqdn }}/fullchain;
+  ssl_certificate_key /var/lib/acme/live/{{ ansible_fqdn }}/privkey;
+
+  access_log off;
+
+  location /metrics {
+    if ($http_authorization != 'Bearer {{ node_exporter_authorization_token }}') {
+      return 403;
+    }
+    proxy_http_version      1.1;
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+
+    proxy_pass              http://localhost:9100;
+    proxy_redirect          off;
+  }
+}
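Review bot: `proxy_pass http://localhost:9100` on line 144 does not necessarily reach the exporter, which the unit file binds to `127.0.0.1:9100`: nginx resolves `localhost` once at startup through the system resolver, and on hosts where it resolves to `::1` first the upstream is unreachable, so write `proxy_pass http://127.0.0.1:9100;` to match the bind address. The token check on line 135 uses `if` with `return`, which is the safe form of `if` inside a location, but the token is interpolated unquoted into the directive, so a value containing `'`, `}` or a newline breaks or alters the rendered config — document that the token must be a plain alphanumeric string, or reject anything else before rendering. `return 403` is workable for a scraper-only endpoint, though `401` is the conventional response to a missing or invalid credential. `/etc/nginx/ssl.conf` is included but not shipped by this role, presumably provided by a base nginx role.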