OP#470 add dir

.gitignore

@@ -2,3 +2,4 @@
 Gemfile.lock
 FileList
 .scannerwork
+.vscode

.puppet-lint.rc

@@ -0,0 +1,2 @@
+--no-variable_scope-check
+--no-top_scope_facts

.vscode/settings.json

@@ -1,9 +0,0 @@
-{
-    "cSpell.words": [
-        "changeme",
-        "reqpackage",
-        "rpms",
-        "sslcacert",
-        "sslverify"
-    ]
-}

Jenkinsfile

@@ -69,7 +69,7 @@ pipeline {
             withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
               sh '''
               /opt/sonar-scanner/bin/sonar-scanner \
-                -Dsonar.projectKey=prometheus_cd \
+                -Dsonar.projectKey=confdroid_prometheus \
                 -Dsonar.sources=. \
                 -Dsonar.host.url=https://sonarqube.confdroid.com \
                 -Dsonar.token=$SONAR_TOKEN
@@ -90,16 +90,37 @@ pipeline {
             sh '''
                  git config user.name "Jenkins Server"
                 git config user.email jenkins@confdroid.com
+                git rm -r --cached .vscode || echo "No .vscode to remove from git"
                 git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
-                git push -o merge_request.create \
-                         -o merge_request.target=master \
-                         -o merge_request.title="Auto-merge for build $BUILD_NUMBER" \
-                         -o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \
-                         -o merge_request.merge_when_pipeline_succeeds=true \
-                         origin jenkins-build-$BUILD_NUMBER
+                git push origin HEAD:master
+            '''
+        }
+      }
+    }
+
+         stage('Mirror to Gitea') {
+             steps {
+                withCredentials([usernamePassword(
+                credentialsId: 'Jenkins-gitea',
+                usernameVariable: 'GITEA_USER',
+                passwordVariable: 'GITEA_TOKEN')]) {
+                script {
+                    // Checkout from GitLab (already done implicitly)
+                    sh '''
+                        git checkout master
+                        git pull origin master
+                        git branch -D development
+                        git branch -D jenkins-build-$BUILD_NUMBER
+                        git rm -f Jenkinsfile
+                        git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                        git commit --amend --no-edit --allow-empty
+                        git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_prometheus.git
+                        git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
+                        push master --mirror
                     '''
 					}
 				}
 			}
 		}
   }
+}

README.md

@@ -1,20 +1,37 @@
 # Readme
 
-[![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=prometheus_cd)](https://jenkins.confdroid.com/job/prometheus_cd/)
+[![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_prometheus)](https://jenkins.confdroid.com/job/confdroid_prometheus/)
+[![Security Issues](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_prometheus&metric=software_quality_security_issues&token=sqb_3d09bf2c3c7ef13bd7ba77aceb330a82fbb36cdf)](https://sonarqube.confdroid.com/dashboard?id=confdroid_prometheus)
+
+- [Readme](#readme)
+  - [Synopsis](#synopsis)
+  - [WARNING](#warning)
+  - [Features](#features)
+  - [Puppet Documentation](#puppet-documentation)
+  - [Dependencies](#dependencies)
+  - [Deployment](#deployment)
+  - [SELINUX](#selinux)
+  - [Known Problems](#known-problems)
+  - [Support](#support)
+  - [Tests](#tests)
+  - [Contact Us](#contact-us)
+  - [Feedback](#feedback)
+  - [Disclaimer](#disclaimer)
 
-[[_TOC_]]
 
 ## Synopsis
 
 Prometheus is an open-source monitoring system with a dimensional data model, flexible query language, efficient time series database and modern alerting approach.
 
-`prometheus_cd` is a Puppet module to automate installation and configuration of prometheus and node exporter.
+`confdroid_prometheus` is a Puppet module to automate installation and configuration of prometheus, optionally   node exporter, tsdb pruning and more.
 This module supports either managing prometheus or node_exporter or both. You need to set the parameters `$manage_prometheus`and / or `$manage_node_exporter`to true ( false by default)
 
 ## WARNING
 
 ***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production***
 
+[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/grizzly_coda)
+
 ## Features
 
 INSTALLATION
@@ -31,11 +48,22 @@ CONFIGURATION
 Configurable options:
 - --storage.tsdb.retention.time via `$ps_retention_time`
 - --storage.tsdb.retention.size via `$ps_retention_size`
+- --storage.tsdb.wal-segment-size via `ps_wal_seg_size`
+- --storage.tsdb.min-block-duration via `ps_min_block_dur`
+- --storage.tsdb.max-block-duration via `ps_max_block_dur`
 - authentication user via `$ps_auth_user`
 - authentication password via `$ps_auth_pass`
 - web authentication password via `$ps_web_pass` ( different format required)
+- external remote write ( writing to a remote instance like pg-adapter):
+  - `ps_write_external` true enables it
+  - `ps_external_url` must be a valid full url
+  - `ps_auth_ext_user`must be a valid user
+  - `ps_auth_ext_pass`must be a valid password
+- pruning local blocks
+  - `ps_enable_pruning` true enables it
+  - `ps_pruning_dir` the directory where the pruning script should live
 
-## Repo Documentation
+## Puppet Documentation
 
 See the full Puppet documentation including parameters in `docs/index.html`
 
@@ -83,6 +111,10 @@ All files and directories are configured with correct selinux context. If selinu
 
 [contact Us](https://confdroid.com/contact/)
 
+## Feedback
+Having suggestions or feature requests? head over to our
+[feedback collection](https://feedback.confdroid.com) and add an item for public votes or discussion.
+
 ## Disclaimer
 
 ConfDroid as entity is entirely independent from Puppet. We provide custom configuration modules, written for specific purposes and specific environments.

manifests/firewall/iptables.pp

@@ -1,10 +1,10 @@
-# prometheus_cd::firewall::iptables.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages the firewall rules for the prometheus_cd module.
+# confdroid_prometheus::firewall::iptables.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages the firewall rules for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::firewall::iptables (
-) inherits prometheus_cd::params {
+class confdroid_prometheus::firewall::iptables (
+) inherits confdroid_prometheus::params {
   if  ($ps_prom_host == $fqdn) and ($ps_manage_fw == true) {
     # main port
     firewall { "${ps_fw_prefix}${$ps_main_port} main port":

manifests/init.pp

@@ -1,8 +1,8 @@
-# prometheus_cd::init.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class initializes the prometheus_cd module.
+# confdroid_prometheus::init.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class initializes the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd {
-  include prometheus_cd::params
+class confdroid_prometheus {
+  include confdroid_prometheus::params
 }

manifests/main/config.pp

@@ -1,9 +1,15 @@
-# prometheus_cd::main::config.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages the module logic for the prometheus_cd module.
+# confdroid_prometheus::main::config.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages the module logic for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::main::config (
-) inherits prometheus_cd::params {
-  include prometheus_cd::main::service
+class confdroid_prometheus::main::config (
+) inherits confdroid_prometheus::params {
+  include confdroid_prometheus::main::service
+
+  exec { 'systemd-daemon-reload':
+    command     => '/bin/systemctl daemon-reload',
+    path        => ['/bin', '/usr/bin'],
+    refreshonly => true,
+  }
 }

manifests/main/dirs.pp

@@ -1,11 +1,11 @@
-# prometheus_cd::main::dirs.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages directories for the prometheus_cd module.
+# confdroid_prometheus::main::dirs.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages directories for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::main::dirs (
-) inherits prometheus_cd::params {
-  require prometheus_cd::main::install
+class confdroid_prometheus::main::dirs (
+) inherits confdroid_prometheus::params {
+  require confdroid_prometheus::main::install
   if ($ps_prom_host == $fqdn) and ($manage_prometheus == true) {
     # prometheus directory
     file { $ps_main_dir:
@@ -29,5 +29,35 @@ class prometheus_cd::main::dirs (
       seltype  => systemd_unit_file_t,
       seluser  => unconfined_u,
     }
+    if $ps_enable_pruning == true {
+      file { $ps_pruning_dir:
+        ensure   => directory,
+        owner    => 'prometheus',
+        group    => 'prometheus',
+        mode     => '0755',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => usr_,
+        seluser  => unconfined_u,
+      }
+    }
+    if $ps_enable_pruning == false {
+      file { $ps_pruning_dir:
+        ensure => absent,
+      }
+    }
+    # binary install directory
+    if $install_from_binary == true {
+      file { $ps_install_dir:
+        ensure   => directory,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0755',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => usr_,
+        seluser  => unconfined_u,
+      }
+    }
   }
 }

manifests/main/files.pp

@@ -1,12 +1,12 @@
-# prometheus_cd::main::files.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages configuration files for the prometheus_cd module.
+# confdroid_prometheus::main::files.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages configuration files for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::main::files (
-) inherits prometheus_cd::params {
+class confdroid_prometheus::main::files (
+) inherits confdroid_prometheus::params {
   if ($ps_prom_host == $fqdn) and ($manage_prometheus == true)  {
-    require prometheus_cd::main::dirs
+    require confdroid_prometheus::main::dirs
     file { $ps_main_file:
       ensure   => file,
       owner    => 'root',
@@ -16,7 +16,7 @@ class prometheus_cd::main::files (
       selrole  => object_r,
       seltype  => etc_t,
       seluser  => system_u,
-      content  => template('prometheus_cd/prometheus.yml.erb'),
+      content  => template('confdroid_prometheus/prometheus.yml.erb'),
       notify   => Service[$ps_prom_service],
     }
     file { $ps_system_service_file:
@@ -28,7 +28,7 @@ class prometheus_cd::main::files (
       selrole  => object_r,
       seltype  => systemd_unit_file_t,
       seluser  => unconfined_u,
-      content  => template('prometheus_cd/override.conf.erb'),
+      content  => template('confdroid_prometheus/override.conf.erb'),
       notify   => Service[$ps_prom_service],
     }
     file { $ps_web_config_file:
@@ -40,8 +40,77 @@ class prometheus_cd::main::files (
       selrole  => object_r,
       seltype  => etc_t,
       seluser  => system_u,
-      content  => template('prometheus_cd/web.yml.erb'),
+      content  => template('confdroid_prometheus/web.yml.erb'),
       notify   => Service[$ps_prom_service],
     }
+    if $ps_enable_pruning == true {
+      file { $ps_pruning_file:
+        ensure   => file,
+        owner    => 'prometheus',
+        group    => 'prometheus',
+        mode     => '0750',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => usr_,
+        seluser  => unconfined_u,
+        content  => template('confdroid_prometheus/prune_blocks.erb'),
+        # notify Service ToDo,
+      }
+      file { $ps_env_file:
+        ensure   => file,
+        owner    => 'prometheus',
+        group    => 'prometheus',
+        mode     => '0440',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => usr_,
+        seluser  => unconfined_u,
+        content  => template('confdroid_prometheus/prune.env.erb'),
+      }
+      file { $ps_pruning_svc_file:
+        ensure   => file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => systemd_unit_file_t,
+        seluser  => unconfined_u,
+        content  => template('confdroid_prometheus/prometheus-prune-service.erb'),
+        notify   => Exec['systemd-daemon-reload'],
+      }
+      file { $ps_pruning_timer_file:
+        ensure   => file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => systemd_unit_file_t,
+        seluser  => unconfined_u,
+        content  => template('confdroid_prometheus/prometheus-prune-timer.erb'),
+        notify   => Exec['systemd-daemon-reload'],
+      }
+      file { $ps_prune_log_file:
+        ensure => file,
+        owner  => 'prometheus',
+        group  => 'prometheus',
+        mode   => '0644',
+      }
+    }
+
+    if $ps_enable_pruning == false {
+      file { $ps_pruning_file:
+        ensure => absent,
+        notify => Exec['systemd-daemon-reload'],
+      }
+      file { $ps_env_file:
+        ensure   => absent,
+      }
+      file { $ps_pruning_svc_file:
+        ensure => absent,
+        notify => Exec['systemd-daemon-reload'],
+      }
+    }
   }
 }

manifests/main/install.pp

@@ -1,16 +1,22 @@
-# prometheus_cd::main::install.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class install binaries for the prometheus_cd module.
+# confdroid_prometheus::main::install.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class install binaries for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::main::install (
-) inherits prometheus_cd::params {
-  require prometheus_cd::main::yumrepo
+class confdroid_prometheus::main::install (
+) inherits confdroid_prometheus::params {
+  require confdroid_prometheus::main::yumrepo
   if $manage_prometheus  == true {
+    if $install_from_binary == false {
       package { $reqpackage_prom:
         ensure => $pkg_ensure,
       }
     }
+    if $install_from_binary == true {
+      # place function here to install from binary releases, e.g. using the archive module
+    }
+  }
+
   if $manage_node_exporter == true {
     package { $reqpackage_ne:
       ensure => $pkg_ensure,

manifests/main/service.pp

@@ -1,13 +1,13 @@
-# prometheus_cd::main::service.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages the services for the prometheus_cd module.
+# confdroid_prometheus::main::service.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages the services for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::main::service (
-) inherits prometheus_cd::params {
+class confdroid_prometheus::main::service (
+) inherits confdroid_prometheus::params {
   if  ($ps_prom_host == $fqdn) and ($manage_prometheus == true) {
-    require prometheus_cd::main::files
-    require prometheus_cd::firewall::iptables
+    require confdroid_prometheus::main::files
+    require confdroid_prometheus::firewall::iptables
     service { $ps_prom_service:
       ensure     => running,
       hasstatus  => true,
@@ -23,4 +23,27 @@ class prometheus_cd::main::service (
       enable     => true,
     }
   }
+  if $ps_enable_pruning == true {
+    service { $ps_prune_service:
+      hasstatus  => true,
+      hasrestart => true,
+    }
+    service { $ps_prune_timer:
+      ensure     => running,
+      hasstatus  => true,
+      hasrestart => true,
+      enable     => true,
+      subscribe  => File[$ps_pruning_svc_file],
+    }
+  }
+  if $ps_enable_pruning == false {
+    service { $ps_prune_service:
+      ensure => stopped,
+      enable => false,
+    }
+    service { $ps_prune_timer:
+      ensure => stopped,
+      enable => false,
+    }
+  }
 }

manifests/main/yumrepo.pp

@@ -1,10 +1,10 @@
-# prometheus_cd::main::yumrepo.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages yumrepo for the prometheus_cd module.
+# confdroid_prometheus::main::yumrepo.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages yumrepo for the confdroid_prometheus module.
 ##############################################################################
-class prometheus_cd::main::yumrepo (
-) inherits prometheus_cd::params {
+class confdroid_prometheus::main::yumrepo (
+) inherits confdroid_prometheus::params {
   yumrepo { 'prometheus':
     ensure   => 'present',
     name     => 'prometheus',

manifests/params.pp

@@ -1,7 +1,7 @@
-# prometheus_cd::params.pp
-# Module name: prometheus_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class holds all parameters for the prometheus_cd module.
+# confdroid_prometheus::params.pp
+# Module name: confdroid_prometheus
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class holds all parameters for the confdroid_prometheus module.
 # @param [String] reqpackage_prom the prometheus package
 # @param [String] reqpackage_ne the node_exporter package
 # @param [String] pkg_ensure which version of the package to install
@@ -16,13 +16,41 @@
 # @param [String] ps_web_pass the password for web authentication
 # @param [String] ps_retention_time tsdb retention time
 # @param [String] ps_retention_size tsdb retention size
+# @param [String] ps_wal_seg_size WAL segment size
+# @param [String] ps_min_block_dur tsdb minimum block duration
+# @param [String] ps_max_block_dur tsdb maximum block duration
+# @param [String] ps_max_mem hard memory ceiling
+# @param [String] ps_high_mem soft limit to make kernel reclaim earlier
+# @param [String] ps_swap_mem allow swap, but limit it
+# @param [String] ps_oom_score OOM killer choosing prometheus
+# @param [String] ps_max_procs reduce parallel WAL replay workers
+# @param [Boolean] ps_write_external whether to allow remote postgres
+# @param [String] ps_auth_ext_user user for writing to extern instance
+# @param [String] ps_auth_ext_pass password for writing to extern instance
+# @param [String] ps_external_url the full url for the remote write point
+# @param [Boolean] ps_enable_pruning whether to allow pruning local blocks
+# @param [String] ps_pruning_dir the directory for the pruning script
+# @param [String] ps_pruning_file the url and filename for the pruning script
+# @param [String] ps_env_file the url and filename for the env file
+# @param [String] ps_pg_host the host running the database for cold metrics
+# @param [String] ps_pg_port the port for the database for cold metrics
+# @param [String] ps_pg_db the database for cold metrics
+# @param [String] ps_pg_user the read-only user for the db for cold metrics
+# @param [String] ps_pg_pass the password for the db for cold metrics
+# @param [Boolean] ps_dry_run (true = just log, false = actually delete blocks)
+# @param [String] ps_min_age_hours Minimum block age in hours before pruning
+# @param [String] ps_grace_hours Grace period in hours to be extra safe
+# @param [String] ps_sql_template the SQL template to use for checks.
+# @param [Boolean] install_from_binary whether to install from binary releases 
+#   instead of packages
 ##############################################################################
-class prometheus_cd::params (
+class confdroid_prometheus::params (
 
   # installation
   String $reqpackage_prom       = 'prometheus2',
   String $reqpackage_ne         = 'node_exporter',
   String $pkg_ensure            = 'present',
+  Boolean $install_from_binary  = false,
 
   # config logic
   Boolean $manage_prometheus    = false,
@@ -34,14 +62,47 @@ class prometheus_cd::params (
   String $ps_fw_prefix          = '50',
   String $ps_main_port          = '9090',
 
-  # auth
+  # auth prometheus
   String $ps_auth_user          = 'changeme',
   String $ps_auth_pass          = 'changeme',
   String $ps_web_pass           = 'changeme',
 
+  # auth remote
+  String $ps_auth_ext_user      = 'changeme',
+  String $ps_auth_ext_pass      = 'changeme',
+
   # storage
   String $ps_retention_time     = '15d',
   String $ps_retention_size     = '20GB',
+  String $ps_wal_seg_size       = '50MB',
+  String $ps_min_block_dur      = '2h',
+  String $ps_max_block_dur      = '2h',
+
+  # service
+  String $ps_max_mem            = '6G',
+  String $ps_high_mem           = '5G',
+  String $ps_swap_mem           = '4G',
+  String $ps_oom_score          = '500',
+  String $ps_max_procs          = '1',
+
+  # remote write external
+  Boolean $ps_write_external    = false,
+  String $ps_external_url       = 'http://changeme.local',
+
+  # pruning script
+  Boolean $ps_enable_pruning    = false,
+  String $ps_pruning_dir        = '/opt/prometheus-prune',
+  String $ps_pruning_file       = "${ps_pruning_dir}/prune_prometheus_pg.sh",
+  String $ps_env_file           = "${ps_pruning_dir}/prune.env",
+  String $ps_pg_host            = 'localhost',
+  String $ps_pg_port            = '5432',
+  String $ps_pg_db              = 'prometheus',
+  String $ps_pg_user            = 'readaccess',
+  String $ps_pg_pass            = 'Changeme',
+  Boolean $ps_dry_run           = true,
+  String $ps_min_age_hours      = '4',
+  String $ps_grace_hours        = '1',
+  String $ps_sql_template       = 'Changeme',
 
 ) {
   # defaults
@@ -53,16 +114,23 @@ class prometheus_cd::params (
   # dirs
   $ps_main_dir            = '/etc/prometheus'
   $ps_system_file_dir     = '/etc/systemd/system/prometheus.service.d'
+  $ps_system_dir          = '/etc/systemd/system/'
+  $ps_install_dir         = '/opt/prometheus'
 
   # files
   $ps_main_file           = "${ps_main_dir}/prometheus.yml"
   $ps_web_config_file     = "${ps_main_dir}/web.yml"
   $ps_system_service_file = "${ps_system_file_dir}/override.conf"
+  $ps_pruning_svc_file    = "${ps_system_dir}/prometheus-prune.service"
+  $ps_pruning_timer_file  = "${ps_system_dir}/prometheus-prune.timer"
+  $ps_prune_log_file      = '/var/log/prometheus-prune.log'
 
   # services
   $ps_prom_service        = 'prometheus'
   $ps_ne_service          = 'node_exporter'
+  $ps_prune_service       = 'prometheus-prune.service'
+  $ps_prune_timer         = 'prometheus-prune.timer'
 
   # includes must be last
-  include prometheus_cd::main::config
+  include confdroid_prometheus::main::config
 }

templates/override.conf.erb

@@ -2,6 +2,7 @@
 #####    File created by Puppet - manual changes will be overwritten      #####
 ###############################################################################
 [Service]
+
 ExecStart=
 ExecStart=/usr/bin/prometheus \
   --config.file=/etc/prometheus/prometheus.yml \
@@ -9,6 +10,9 @@ ExecStart=/usr/bin/prometheus \
   --storage.tsdb.path=/var/lib/prometheus \
   --storage.tsdb.retention.time=<%= @ps_retention_time %> \
   --storage.tsdb.retention.size=<%= @ps_retention_size %> \
+  --storage.tsdb.wal-segment-size=<%= @ps_wal_seg_size %> \
   --web.enable-remote-write-receiver \
   --web.enable-lifecycle \
-  --storage.tsdb.wal-compression
+  --storage.tsdb.wal-compression \
+  --storage.tsdb.min-block-duration=<%= @ps_min_block_dur %> \
+  --storage.tsdb.max-block-duration=<%= @ps_max_block_dur %>

templates/prometheus-prune-service.erb

@@ -0,0 +1,13 @@
+[Unit]
+Description=Prometheus TSDB prune service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+User=prometheus
+Group=prometheus
+EnvironmentFile=<%= @ps_env_file %>
+ExecStart=<%= @ps_pruning_file %>
+Nice=10
+IOWeight=80

templates/prometheus-prune-timer.erb

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Prometheus TSDB prune script every 6 hours
+
+[Timer]
+OnBootSec=10min
+OnUnitActiveSec=6h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

templates/prometheus.yml.erb

@@ -32,7 +32,16 @@ scrape_configs:
     username: <%= @ps_auth_user %>
     password: <%= @ps_auth_pass %>
 remote_write:
-  - url: "http://localhost:9090/api/v1/write"
+<% if @ps_write_external == true -%>
+  - url: "<%= @ps_external_url %>/write"
     basic_auth:
-      username: <%= @ps_auth_user %>
-      password: <%= @ps_auth_pass %>
+      username: <%= @ps_auth_ext_user %>
+      password: <%= @ps_auth_ext_pass %>
+<% end -%>
+remote_read:
+<% if @ps_write_external == true -%>
+  - url: "<%= @ps_external_url %>/read"
+    basic_auth:
+      username: <%= @ps_auth_ext_user %>
+      password: <%= @ps_auth_ext_pass %>
+<% end -%>

templates/prune.env.erb

@@ -0,0 +1,21 @@
+# /opt/prometheus-prune/prune.env
+
+# PostgreSQL connection
+PGHOST=<%= @ps_pg_host %>
+PGPORT=<%= @ps_pg_port %>
+PGDATABASE=<%= @ps_pg_db %>
+PGUSER=<%= @ps_pg_user %>
+PGPASSWORD=<%= @ps_pg_pass %>
+
+# Dry-run mode (true = just log, false = actually delete)
+DRY_RUN=<%= @ps_dry_run %>
+
+# Minimum block age in hours before pruning
+MIN_AGE_HOURS=<%= @ps_min_age_hours %>
+
+# Grace period in hours to be extra safe
+GRACE_HOURS=<%= @ps_grace_hours %>
+
+# SQL template to check if block exists in PostgreSQL
+# @param [String] ps_sql_template the SQL template to use for checks.
+<%= @ps_sql_template %>

templates/prune_blocks.erb

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -euo pipefail
+
+# Load environment
+source <%= @ps_env_file %>
+
+LOG_FILE="<%= @ps_prune_log_file %>"
+echo "$(date '+%Y-%m-%d %H:%M:%S') Starting prune run" >> "$LOG_FILE"
+
+# -----------------------
+# Iterate TSDB blocks
+# -----------------------
+for block in "$TSDB_DIR"/*/; do
+    [[ -d "$block" ]] || continue
+    meta="$block/meta.json"
+    [[ -f "$meta" ]] || continue
+
+    min_time=$(jq -r '.minTime' "$meta")
+    max_time=$(jq -r '.maxTime' "$meta")
+
+    # Skip last MIN_AGE_HOURS
+    block_age_hours=$(( ($(date +%s) - min_time/1000) / 3600 ))
+    if (( block_age_hours < MIN_AGE_HOURS + GRACE_HOURS )); then
+        log "Keeping block $block (age ${block_age_hours}h)"
+        continue
+    fi
+
+    # Check existence in PostgreSQL
+    check_sql="${CHECK_SQL_TEMPLATE//\{min\}/$min_time}"
+    check_sql="${check_sql//\{max\}/$max_time}"
+
+    exists=$(psql -h "$PGHOST" -p "$PGPORT" -U "$PGUSER" -d "$PGDATABASE" -t -c "$check_sql" | xargs || echo "0")
+
+    if [[ "$exists" != "1" ]]; then
+        log "Block $block not confirmed in PostgreSQL, skipping deletion"
+        continue
+    fi
+
+    # Delete block
+    if [[ "$DRY_RUN" == "true" ]]; then
+        log "[DRY-RUN] Would delete block $block"
+    else
+        log "Deleting block $block"
+        rm -rf "$block"
+    fi
+done
+
+echo "$(date '+%Y-%m-%d %H:%M:%S') Prune run finished" >> "$LOG_FILE"