authorGravatar Jonas Gunz <himself@jonasgunz.de> 2021-10-05 03:47:16 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2021-10-05 03:47:16 +0200
commite5df302e3c17c29f16427c5cf35a0d45ffd7aac6 (patch)
treec02a7eae5dc8fc44d327f75a1504af8dffbd3504
parent89b4408e0b91ee670bda0c6ea5a1f9d183e2504a (diff)
icinga2: WIP
-rw-r--r--roles/icinga2/Readme.md51
-rw-r--r--roles/icinga2/defaults/main.yml45
-rw-r--r--roles/icinga2/handlers/main.yml7
-rw-r--r--roles/icinga2/tasks/icinga.yml58
-rw-r--r--roles/icinga2/tasks/icingaweb.yml87
-rw-r--r--roles/icinga2/tasks/main.yml86
-rw-r--r--roles/icinga2/templates/api_users.conf.j217
-rw-r--r--roles/icinga2/templates/icinga.list.j25
-rw-r--r--roles/icinga2/templates/icinga2.conf.j222
-rw-r--r--roles/icinga2/templates/ido-mysql.conf.j213
-rw-r--r--roles/icinga2/templates/web/authentication.ini.j212
-rw-r--r--roles/icinga2/templates/web/config.ini.j221
-rw-r--r--roles/icinga2/templates/web/groups.ini.j217
-rw-r--r--roles/icinga2/templates/web/modules/monitoring/backends.ini.j23
-rw-r--r--roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j26
-rw-r--r--roles/icinga2/templates/web/modules/monitoring/config.ini.j22
-rw-r--r--roles/icinga2/templates/web/resources.ini.j232
-rw-r--r--roles/icinga2/templates/web/roles.ini.j27
18 files changed, 491 insertions, 0 deletions
diff --git a/roles/icinga2/Readme.md b/roles/icinga2/Readme.md
new file mode 100644
index 0000000..05969c7
--- /dev/null
+++ b/roles/icinga2/Readme.md
@@ -0,0 +1,51 @@
+# icinga2
+
+Installs Icinga2 Monitor standalone node and Icingaweb2 with integrated MariaDB Databse
+
+Default settings
+
+```
+---
+icinga_ido_db_pw: 'changeme'
+icinga_web_db_pw: 'changeme'
+
+icinga:
+ # icingaweb2 api user is created automatically with random password
+ api_users:
+ - name: 'test'
+ password: 'changeme'
+ permissions: '[ ]'
+
+icingaweb:
+ cert:
+ use_ssl: true
+ cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ ldap:
+ use_ldap: false
+ host: 'localhost'
+ port: '389'
+ # none / starttsl / ssl?
+ encryption: 'none'
+ root_dn: ''
+ bind_dn: ''
+ bind_pw: ''
+ user_class: 'inetOrgPerson'
+ user_name_attribute: 'uid'
+ filter: ''
+ groups:
+ base_dn: ''
+ group_member_attribute: 'cn'
+ group_class: 'groupOfNames'
+ group_filter: 'cn=*'
+ user_base_dn: ''
+ user_class: 'posixAccount'
+ user_name_attribute: 'uid'
+ roles:
+ - name: Administrators
+ users: 'admin'
+ permissions: '*'
+ groups: 'Administrators'
+ enabled_modules:
+ - monitoring
+```
diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml
new file mode 100644
index 0000000..f8b46e2
--- /dev/null
+++ b/roles/icinga2/defaults/main.yml
@@ -0,0 +1,45 @@
+---
+icinga_ido_db_pw: 'changeme'
+icinga_web_db_pw: 'changeme'
+
+
+icinga:
+ # icingaweb2 api user is created automatically with random password
+ api_users:
+ - name: 'test'
+ password: 'changeme'
+ permissions: '[ ]'
+
+icingaweb:
+ cert:
+ use_ssl: true
+ cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ ldap:
+ use_ldap: false
+ host: 'localhost'
+ port: '389'
+ # none / starttsl / ssl?
+ encryption: 'none'
+ root_dn: ''
+ bind_dn: ''
+ bind_pw: ''
+ user_class: 'inetOrgPerson'
+ user_name_attribute: 'uid'
+ filter: ''
+ groups:
+ base_dn: ''
+ group_member_attribute: 'cn'
+ group_class: 'groupOfNames'
+ group_filter: 'cn=*'
+ user_base_dn: ''
+ user_class: 'posixAccount'
+ user_name_attribute: 'uid'
+ roles:
+ - name: Administrators
+ users: 'admin'
+ permissions: '*'
+ groups: 'Administrators'
+ enabled_modules:
+ - monitoring
+
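Review bot: `permissions: '[ ]'` on the api_users default is a string that api_users.conf.j2 pastes verbatim into the Icinga 2 config, so a caller who supplies a real YAML list gets Python list syntax rendered instead; declare it as a list, `permissions: []`, and render it with `to_json` in the template. The `ldap.groups` mapping defines no `group_name_attribute`, yet groups.ini.j2 reads `icingaweb.ldap.groups.group_name_attribute`, so enabling LDAP fails on an undefined variable; add a `group_name_attribute` key (value to be chosen for the directory in use). `icinga_ido_db_pw` and `icinga_web_db_pw` default to `'changeme'`, which lets a play succeed with a known password on every host; leaving them undefined would fail fast instead, and the `encryption: 'none'` default sends `bind_pw` in clear text once `use_ldap` is true. The comment on `encryption` reads `starttsl`; `starttls`.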
diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml
new file mode 100644
index 0000000..730742e
--- /dev/null
+++ b/roles/icinga2/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart icinga
+ systemd:
+ name: icinga2
+ state: restarted
+ enabled: yes
+ become: yes
diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml
new file mode 100644
index 0000000..ec6fe1e
--- /dev/null
+++ b/roles/icinga2/tasks/icinga.yml
@@ -0,0 +1,58 @@
+---
+- name: Install icinga2.conf
+ template:
+ src: icinga2.conf.j2
+ dest: /etc/icinga2/icinga2.conf
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
+
+- name: IDO Database
+ mysql_db:
+ name: ido
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ register: ido_db
+
+- name: IDO Database schema import
+ mysql_db:
+ name: ido
+ target: '/usr/share/icinga2-ido-mysql/schema/mysql.sql'
+ state: import
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: ido_db.changed
+
+- name: IDO Database user
+ mysql_user:
+ name: icinga
+ host: 'localhost'
+ state: present
+ priv: 'ido.*:ALL'
+ password: '{{ icinga_ido_db_pw }}'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Install extra config files
+ template:
+ src: '{{ item }}.j2'
+ dest: '/etc/icinga2/{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
+ loop:
+ - ido-mysql.conf
+ - api_users.conf
+
+- name: Enable features
+ file:
+ state: link
+ path: '/etc/icinga2/features-available/api.con'
+ src: '../features-available/api.conf'
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
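Review bot: The "Enable features" task creates its symlink at `/etc/icinga2/features-available/api.con`, inside features-available and with a truncated name, while icinga2.conf.j2 only includes `features-enabled/*.conf`, so the API feature is never enabled and the port 5665 transport in commandtransports.ini.j2 has nothing to talk to; the path should be `path: '/etc/icinga2/features-enabled/api.conf'`. The two files templated by "Install extra config files" carry the IDO database password and the API user passwords but set no `mode`, so they inherit the umask and are likely world-readable; add `mode: '0640'` (and the same on "Install icinga2.conf" for consistency). Minor: the task name says "features" but enables exactly one; a loop over a list of feature names would match the name.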
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
new file mode 100644
index 0000000..1d527fc
--- /dev/null
+++ b/roles/icinga2/tasks/icingaweb.yml
@@ -0,0 +1,87 @@
+---
+- name: icingaweb Database
+ mysql_db:
+ name: icingaweb
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ register: icingaweb_db
+
+- name: icingaweb Database schema
+ mysql_db:
+ name: icingaweb
+ state: import
+ target: '/usr/share/icingaweb2/etc/schema/mysql.schema.sql'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: icingaweb_db.changed
+
+# password is 'admin'
+# create with php -r 'echo password_hash("admin", PASSWORD_DEFAULT);'
+- name: Create default admin user
+ community.mysql.mysql_query:
+ query: "INSERT INTO icingaweb.icingaweb_user (name, active, password_hash) VALUES ('admin', 1, '$2y$10$MN74jDR1LtgzEzxxxyqOgug1WWuuirfMWjOtHZdvi5yjsd4el75Y2')"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: icingaweb_db.changed
+
+- name: icingaweb Database user
+ mysql_user:
+ name: icingaweb
+ host: localhost
+ state: present
+ priv: 'icingaweb.*:ALL'
+ password: '{{ icinga_web_db_pw }}'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Config dirs
+ file:
+ state: directory
+ path: '/etc/icingaweb2/{{ item }}'
+ owner: root
+ group: icingaweb2
+ mode: '2770'
+ become: yes
+ loop:
+ - ''
+ - modules
+ - modules/monitoring
+ - enabledModules
+
+- name: Install configuration files
+ template:
+ src: 'web/{{ item }}.j2'
+ dest: '/etc/icingaweb2/{{ item }}'
+ owner: www-data
+ group: icingaweb2
+ mode: '0660'
+ become: yes
+ loop:
+ - config.ini
+ - authentication.ini
+ - groups.ini
+ - resources.ini
+ - roles.ini
+ - modules/monitoring/config.ini
+ - modules/monitoring/commandtransports.ini
+ - modules/monitoring/backends.ini
+
+- name: Enable modules
+ file:
+ path: '/etc/icingaweb2/enabledModules/{{ item }}'
+ src: '/usr/share/icingaweb2/modules/{{ item }}'
+ state: link
+ owner: www-data
+ group: icingaweb2
+ become: yes
+ with_items: '{{ icingaweb.enabled_modules }}'
+
+- name: icingaweb2 user
+ user:
+ name: icingaweb2
+ group: icingaweb2
+ groups: www-data
+ append: yes
+ become: yes
+
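Review bot: "Create default admin user" seeds the Icinga Web database with a fixed bcrypt hash whose cleartext (`admin`) is spelled out in the comment above it, so every host this role builds starts with a known administrator login on the web UI, and that account can drive Icinga 2 actions through the API user defined in api_users.conf.j2. Take the password from a role variable with no default (a new name such as `icinga_web_admin_pw`), hash it at run time, and bind it with `positional_args` instead of splicing into the SQL string; `password_hash('bcrypt')` needs passlib on the controller, and whether Icinga Web's PHP `password_verify()` accepts the `$2b$` prefix passlib emits should be confirmed before relying on it. The task's output goes to the play log, so `no_log: true` belongs on it as well. Style: "Enable modules" uses `with_items` while every other task in the file uses `loop`.
```yaml
- name: Create default admin user
  community.mysql.mysql_query:
    query: "INSERT INTO icingaweb.icingaweb_user (name, active, password_hash) VALUES (%s, 1, %s)"
    positional_args:
      - admin
      - "{{ icinga_web_admin_pw | password_hash('bcrypt') }}"
    login_unix_socket: /var/run/mysqld/mysqld.sock
  become: yes
  no_log: true
  when: icingaweb_db.changed
```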
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
new file mode 100644
index 0000000..35e9bd6
--- /dev/null
+++ b/roles/icinga2/tasks/main.yml
@@ -0,0 +1,86 @@
+---
+- name: Install GnuPG
+ apt:
+ name: gnupg2
+ become: yes
+
+- name: Icinga APT Key
+ apt_key:
+ url: 'https://packages.icinga.com/icinga.key'
+ state: present
+ become: yes
+
+- name: Install Icinga APT Repository
+ template:
+ src: icinga.list.j2
+ dest: /etc/apt/sources.list.d/icinga.list
+ become: yes
+ register: install_repo
+
+- name: Update cache
+ apt:
+ update_cache: yes
+ become: yes
+ when: install_repo.changed
+
+- name: Install Packages
+ apt:
+ name:
+ - icinga2
+ - icinga2-ido-mysql
+ - icingaweb2
+ - icingacli
+ - monitoring-plugins
+ - mariadb-server
+ - mariadb-client
+ - php
+ - php-intl
+ - php-imagick
+ - php-gd
+ - php-mysql
+ - php-curl
+ - php-mbstring
+ - apache2
+ - libapache2-mod-php
+ - python3-pymysql
+ become: yes
+
+- name: Securing MariaDB installation
+ community.mysql.mysql_query:
+ query:
+ - "DELETE FROM mysql.user WHERE User=''"
+ - "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+ - "DROP DATABASE IF EXISTS test"
+ - "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
+ - "FLUSH PRIVILEGES"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Generate Icingaweb2 API Password
+ shell:
+ cmd: 'dd if=/dev/urandom bs=16 count=1 status=none | base64'
+ creates: /etc/icinga2/api_pw.ansible
+ become: yes
+ register: gen_api_key
+
+- name: Save API Password
+ copy:
+ content: '{{ gen_api_key.stdout }}'
+ dest: /etc/icinga2/api_pw.ansible
+ owner: root
+ group: root
+ mode: '600'
+ become: yes
+ when: gen_api_key.changed
+
+- name: Read API Password
+ slurp:
+ src: /etc/icinga2/api_pw.ansible
+ become: yes
+ register: icingaweb_api_password
+
+- name: Configure Icinga2
+ include_tasks: icinga.yml
+
+- name: Configure Icingaweb2
+ include_tasks: icingaweb.yml
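Review bot: The API password passes through three registered results — `gen_api_key` from the shell task, the `content` of the copy task, and the `slurp` result `icingaweb_api_password` — and none of those tasks sets `no_log: true`, so the secret is printed in verbose play output and any configured log. Add `no_log: true` to "Generate Icingaweb2 API Password", "Save API Password" and "Read API Password". The copy task's `mode: '600'` is read as octal by Ansible when given as a string, but `mode: '0600'` is the documented form and avoids the leading-zero ambiguity warning. "Securing MariaDB installation" runs its DELETE statements on every play; a `changed_when` tied to the returned `rowcount`, or a marker file as used for the API password, would keep the play idempotent.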
diff --git a/roles/icinga2/templates/api_users.conf.j2 b/roles/icinga2/templates/api_users.conf.j2
new file mode 100644
index 0000000..e72847a
--- /dev/null
+++ b/roles/icinga2/templates/api_users.conf.j2
@@ -0,0 +1,17 @@
+/**
+* vi: ft=icinga2
+* This File is managed by Ansible. Do NOT change.
+*/
+
+object ApiUser "icingaweb2" {
+ password = "{{ icingaweb_api_password.content | b64decode }}"
+ permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
+}
+
+{% for user in icinga.api_users %}
+
+object ApiUser "{{ user.name }}" {
+ password = "{{ user.password }}"
+ permissions = {{ user.permissions }}
+}
+{% endfor %}
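Review bot: `permissions = {{ user.permissions }}` and `password = "{{ user.password }}"` interpolate role variables without any escaping into Icinga 2's DSL, so a password containing `"` or `\` produces a broken config (and the notified restart brings icinga2 up into a parse failure), while a list-valued `permissions` renders as Python repr. Use `password = {{ user.password | to_json }}` and `permissions = {{ user.permissions | to_json }}`, which emit double-quoted, backslash-escaped strings and `["a", "b"]` arrays; the DSL accepts the common escapes, but non-ASCII handling via `\uXXXX` should be confirmed, and the defaults then have to declare `permissions: []` rather than the string `'[ ]'`. The icingaweb2 user's `objects/modify/*` and `actions/*` grant is what the monitoring module's command transport needs, but a comment saying so would help the next reader, e.g. `/* broad grant on purpose: icingaweb2 schedules downtimes/acks and edits objects via this user */`.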
diff --git a/roles/icinga2/templates/icinga.list.j2 b/roles/icinga2/templates/icinga.list.j2
new file mode 100644
index 0000000..f3654bd
--- /dev/null
+++ b/roles/icinga2/templates/icinga.list.j2
@@ -0,0 +1,5 @@
+# vi: ft=debsources
+# This file is managed by Ansible. Do NOT change.
+
+deb https://packages.icinga.com/debian icinga-{{ ansible_facts.distribution_release }} main
+deb-src https://packages.icinga.com/debian icinga-{{ ansible_facts.distribution_release }} main
diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2
new file mode 100644
index 0000000..fcb9088
--- /dev/null
+++ b/roles/icinga2/templates/icinga2.conf.j2
@@ -0,0 +1,22 @@
+/**
+* vi: ft=icinga2
+* This File is managed by Ansible. Do NOT change.
+*/
+
+include "constants.conf"
+include "zones.conf"
+
+include <itl>
+include <plugins>
+include <plugins-contrib>
+include <manubulon>
+
+include <windows-plugins>
+
+include <nscp>
+
+include "features-enabled/*.conf"
+include "ido-mysql.conf"
+include "api_users.conf"
+
+include_recursive "conf.d"
diff --git a/roles/icinga2/templates/ido-mysql.conf.j2 b/roles/icinga2/templates/ido-mysql.conf.j2
new file mode 100644
index 0000000..ef7a398
--- /dev/null
+++ b/roles/icinga2/templates/ido-mysql.conf.j2
@@ -0,0 +1,13 @@
+/**
+* vi: ft=icinga2
+* This File is managed by Ansible. Do NOT change.
+*/
+
+library "db_ido_mysql"
+
+object IdoMysqlConnection "ido-mysql" {
+ user = "icinga",
+ password = "{{ icinga_ido_db_pw }}",
+ host = "localhost",
+ database = "ido"
+}
diff --git a/roles/icinga2/templates/web/authentication.ini.j2 b/roles/icinga2/templates/web/authentication.ini.j2
new file mode 100644
index 0000000..02b46f1
--- /dev/null
+++ b/roles/icinga2/templates/web/authentication.ini.j2
@@ -0,0 +1,12 @@
+[icingaweb2]
+backend = "db"
+resource = "icingaweb_db"
+
+{% if icingaweb.ldap.use_ldap %}
+[auth_ldap]
+backend = ldap
+resource = ldap_server
+user_class = {{ icingaweb.ldap.user_class }}
+user_name_attribute = {{ icingaweb.ldap.user_name_attribute }}
+filter = "{{ icingaweb.ldap.filter }}"
+{% endif %}
diff --git a/roles/icinga2/templates/web/config.ini.j2 b/roles/icinga2/templates/web/config.ini.j2
new file mode 100644
index 0000000..5b0834c
--- /dev/null
+++ b/roles/icinga2/templates/web/config.ini.j2
@@ -0,0 +1,21 @@
+[global]
+show_stacktraces = "1"
+show_application_state_messages = "1"
+config_backend = "db"
+config_resource = "icingaweb_db"
+module_path = "/usr/share/icingaweb2/modules"
+
+[logging]
+log = "syslog"
+level = "ERROR"
+application = "icingaweb2"
+facility = "user"
+
+[security]
+protected_customvars = "*pw*,*password*,*key*,*snmp_community*"
+
+[themes]
+
+[authentication]
+
+
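Review bot: `show_stacktraces = "1"` makes Icinga Web render PHP stack traces — file paths and internal state — to any logged-in user when an error occurs; for anything but a development box this should be `show_stacktraces = "0"`, or driven by a role variable that defaults to "0". `show_application_state_messages = "1"` is less sensitive but deserves the same consideration. Style: `[themes]` and `[authentication]` are emitted as empty sections followed by two blank lines; drop them or add a comment saying why they are reserved.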
diff --git a/roles/icinga2/templates/web/groups.ini.j2 b/roles/icinga2/templates/web/groups.ini.j2
new file mode 100644
index 0000000..848b254
--- /dev/null
+++ b/roles/icinga2/templates/web/groups.ini.j2
@@ -0,0 +1,17 @@
+[icingaweb2]
+backend = "db"
+resource = "icingaweb_db"
+
+{% if icingaweb.ldap.use_ldap %}
+[groups_ldap]
+backend = ldap
+resource = ldap_server
+base_dn = {{ icingaweb.ldap.groups.base_dn }}
+group_member_attribute = {{ icingaweb.ldap.groups.group_member_attribute }}
+group_name_attribute = {{ icingaweb.ldap.groups.group_name_attribute }}
+group_class = {{ icingaweb.ldap.groups.group_class }}
+group_filter = {{ icingaweb.ldap.groups.group_filter }}
+user_base_dn = {{ icingaweb.ldap.groups.user_base_dn }}
+user_class = {{ icingaweb.ldap.groups.user_class }}
+user_name_attribute = {{ icingaweb.ldap.groups.uid }}
+{% endif %}
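Review bot: `group_name_attribute = {{ icingaweb.ldap.groups.group_name_attribute }}` and `user_name_attribute = {{ icingaweb.ldap.groups.uid }}` reference keys that defaults/main.yml does not define under `ldap.groups` (it has `user_name_attribute`, but no `group_name_attribute` and no `uid`), so the template fails with an undefined variable as soon as `use_ldap` is true. The second line should read `user_name_attribute = {{ icingaweb.ldap.groups.user_name_attribute }}`; the first needs a default added to the role. Quoting is also inconsistent with authentication.ini.j2 and resources.ini.j2, which quote some values and not others; values like `group_filter` (`cn=*`) are safer quoted, `group_filter = "{{ icingaweb.ldap.groups.group_filter }}"`.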
diff --git a/roles/icinga2/templates/web/modules/monitoring/backends.ini.j2 b/roles/icinga2/templates/web/modules/monitoring/backends.ini.j2
new file mode 100644
index 0000000..12806e3
--- /dev/null
+++ b/roles/icinga2/templates/web/modules/monitoring/backends.ini.j2
@@ -0,0 +1,3 @@
+[icinga]
+type = "ido"
+resource = "icinga_ido"
diff --git a/roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2 b/roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2
new file mode 100644
index 0000000..0341b01
--- /dev/null
+++ b/roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2
@@ -0,0 +1,6 @@
+[icinga2]
+transport = "api"
+host = "localhost"
+port = "5665"
+username = "icingaweb2"
+password = "{{ icingaweb_api_password.content | b64decode }}"
diff --git a/roles/icinga2/templates/web/modules/monitoring/config.ini.j2 b/roles/icinga2/templates/web/modules/monitoring/config.ini.j2
new file mode 100644
index 0000000..9b69fe8
--- /dev/null
+++ b/roles/icinga2/templates/web/modules/monitoring/config.ini.j2
@@ -0,0 +1,2 @@
+[security]
+protected_customvars = "*pw*,*pass*,community"
diff --git a/roles/icinga2/templates/web/resources.ini.j2 b/roles/icinga2/templates/web/resources.ini.j2
new file mode 100644
index 0000000..1b1aa2a
--- /dev/null
+++ b/roles/icinga2/templates/web/resources.ini.j2
@@ -0,0 +1,32 @@
+[icingaweb_db]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "icingaweb"
+username = "icingaweb"
+password = "{{ icinga_web_db_pw }}"
+charset = ""
+use_ssl = "0"
+
+[icinga_ido]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "ido"
+username = "icinga"
+password = "{{ icinga_ido_db_pw }}"
+charset = ""
+use_ssl = "0"
+
+{% if icingaweb.ldap.use_ldap %}
+[ldap_server]
+type = ldap
+hostname= {{ icingaweb.ldap.host }}
+port = {{ icingaweb.ldap.port }}
+encryption = {{ icingaweb.ldap.encryption }}
+root_dn = "{{ icingaweb.ldap.root_dn }}"
+bind_dn = "{{ icingaweb.ldap.bind_dn }}"
+bind_pw = "{{ icingaweb.ldap.bind_pw }}"
+{% endif %}
diff --git a/roles/icinga2/templates/web/roles.ini.j2 b/roles/icinga2/templates/web/roles.ini.j2
new file mode 100644
index 0000000..190accf
--- /dev/null
+++ b/roles/icinga2/templates/web/roles.ini.j2
@@ -0,0 +1,7 @@
+{% for role in icingaweb.roles %}
+[{{ role.name }}]
+users = "{{ role.users }}"
+permissions = "{{ role.permissions }}"
+groups = "{{ role.groups }}"
+
+{% endfor %}