feat(observability): add SearXNG, Argos, and Pallas monitoring

- Add SearXNG syslog ingestion and blackbox health probes on miranda and rosalind for per-host attributable failure detection - Scrape Argos MCP application metrics from miranda - Add Pallas dashboard panels for downstream availability and turn error ratios
2026-05-24 23:52:53 -04:00
parent 43fae203d1
commit 3c2f8c57ca
24 changed files with 1968 additions and 938 deletions
--- a/ansible/searxng/deploy_oauth2.yml
+++ b/ansible/searxng/deploy_oauth2.yml
@@ -0,0 +1,86 @@
+---
+- name: Deploy OAuth2-Proxy sidecar for SearXNG
+  hosts: ubuntu
+  become: true
+  tasks:
+    - name: Check if host has searxng service with OAuth2 configured
+      ansible.builtin.set_fact:
+        has_searxng_oauth2: >-
+          {{ 'searxng' in services
+             and (searxng_oauth2_client_id | default('')) | length > 0 }}
+
+    - name: Skip hosts without SearXNG OAuth2-Proxy configuration
+      ansible.builtin.meta: end_host
+      when: not has_searxng_oauth2
+
+    # ===========================================================================
+    # OAuth2-Proxy Sidecar
+    # Note: Each host supports at most one OAuth2-Proxy sidecar instance
+    # (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
+    # ===========================================================================
+    - name: Create oauth2-proxy directory
+      ansible.builtin.file:
+        path: "{{ searxng_oauth2_proxy_dir }}"
+        owner: root
+        group: root
+        state: directory
+        mode: '0755'
+
+    - name: Download oauth2-proxy binary
+      ansible.builtin.get_url:
+        url: "https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ searxng_oauth2_proxy_version }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64.tar.gz"
+        dest: "/tmp/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.tar.gz"
+        mode: '0644'
+
+    - name: Extract oauth2-proxy binary
+      ansible.builtin.unarchive:
+        src: "/tmp/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.tar.gz"
+        dest: /tmp
+        remote_src: true
+        creates: "/tmp/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64/oauth2-proxy"
+
+    - name: Install oauth2-proxy binary
+      ansible.builtin.copy:
+        src: "/tmp/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64/oauth2-proxy"
+        dest: /usr/local/bin/oauth2-proxy
+        owner: root
+        group: root
+        mode: '0755'
+        remote_src: true
+
+    - name: Template oauth2-proxy configuration
+      ansible.builtin.template:
+        src: oauth2-proxy-searxng.cfg.j2
+        dest: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy.cfg"
+        owner: root
+        group: root
+        mode: '0600'
+      notify: restart oauth2-proxy-searxng
+
+    - name: Template oauth2-proxy systemd service
+      ansible.builtin.template:
+        src: oauth2-proxy-searxng.service.j2
+        dest: /etc/systemd/system/oauth2-proxy-searxng.service
+        owner: root
+        group: root
+        mode: '0644'
+      notify:
+        - reload systemd
+        - restart oauth2-proxy-searxng
+
+    - name: Enable and start OAuth2-Proxy service
+      ansible.builtin.systemd:
+        name: oauth2-proxy-searxng
+        enabled: true
+        state: started
+        daemon_reload: true
+
+  handlers:
+    - name: reload systemd
+      ansible.builtin.systemd:
+        daemon_reload: true
+
+    - name: restart oauth2-proxy-searxng
+      ansible.builtin.systemd:
+        name: oauth2-proxy-searxng
+        state: restarted