forgejo-autohebergement/ansible/roles/forgejo/tasks/monitoring.yml

---
# Prometheus monitoring setup for Forgejo
# This is INTERNAL monitoring - metrics are only accessible locally or via authenticated endpoint

- name: Create monitoring directory
  ansible.builtin.file:
    path: "{{ forgejo_base_path }}/monitoring"
    state: directory
    owner: "{{ forgejo_user }}"
    group: "{{ forgejo_group }}"
    mode: '0755'
  become: yes

- name: Create Prometheus configuration
  ansible.builtin.template:
    src: prometheus.yml.j2
    dest: "{{ forgejo_base_path }}/monitoring/prometheus.yml"
    owner: "{{ forgejo_user }}"
    group: "{{ forgejo_group }}"
    mode: '0644'
  become: yes
  notify: Restart Prometheus

- name: Create Prometheus Docker Compose override
  ansible.builtin.template:
    src: docker-compose.monitoring.yml.j2
    dest: "{{ forgejo_base_path }}/docker-compose.monitoring.yml"
    owner: "{{ forgejo_user }}"
    group: "{{ forgejo_group }}"
    mode: '0644'
  become: yes
  notify: Restart Prometheus

- name: Create Prometheus data directory
  ansible.builtin.file:
    path: "{{ forgejo_base_path }}/monitoring/data"
    state: directory
    owner: "65534"  # nobody user in Prometheus container
    group: "65534"
    mode: '0755'
  become: yes

- name: Start Prometheus container
  community.docker.docker_compose_v2:
    project_src: "{{ forgejo_base_path }}"
    files:
      - docker-compose.yml
      - docker-compose.monitoring.yml
    state: present
  become: yes

- name: Display monitoring access information
  ansible.builtin.debug:
    msg: |
      Prometheus monitoring is now enabled!

      Internal access (from server):
        - Prometheus UI: http://localhost:9090
        - Forgejo metrics: http://localhost:3000/metrics (requires token)

      The metrics endpoint is protected by a token configured in your secrets.yml
      (vault_forgejo_metrics_token). Use this token in the Authorization header
      or as a query parameter: /metrics?token=YOUR_TOKEN

      Prometheus scrapes Forgejo metrics every 15 seconds.
      Data is retained for 15 days by default.