authorGravatar Jonas Gunz <himself@jonasgunz.de> 2022-01-21 14:52:16 +0100
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2022-01-21 14:52:16 +0100
commit5490ae91cd85a65001d3c9df685b935c11e1378d (patch)
treead6ec264d93a2456691bf0ee8109ebef729bd439 /roles/icinga2/tasks
parent41a475c5fb12d0bb82d596331796b8f375904c0a (diff)
WIP: Icinga2 improvements
Diffstat (limited to 'roles/icinga2/tasks')
-rw-r--r--roles/icinga2/tasks/apache.yml44
-rw-r--r--roles/icinga2/tasks/icinga.yml41
-rw-r--r--roles/icinga2/tasks/icingaweb.yml9
-rw-r--r--roles/icinga2/tasks/main.yml9
-rw-r--r--roles/icinga2/tasks/postfix.yml49
5 files changed, 150 insertions, 2 deletions
diff --git a/roles/icinga2/tasks/apache.yml b/roles/icinga2/tasks/apache.yml
new file mode 100644
index 0000000..bfc6a52
--- /dev/null
+++ b/roles/icinga2/tasks/apache.yml
@@ -0,0 +1,44 @@
+---
+- name: Install index.html
+ copy:
+ src: index.html
+ dest: /var/www/html/index.html
+ become: yes
+ notify: Restart apache
+
+- name: Install site-config
+ copy:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-available/000-default.conf
+ become: yes
+ notify: Restart apache
+
+- name: Install SSL site-config
+ template:
+ src: default-ssl.conf.j2
+ dest: /etc/apache2/sites-available/default-ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Enable sites
+ file:
+ state: link
+ path: '/etc/apache2/sites-enabled/{{ item }}'
+ src: '../sites-available/{{ item }}'
+ loop:
+ - 000-default.conf
+ - default-ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Enable apache mods
+ file:
+ state: link
+ path: '/etc/apache2/mods-enabled/{{ item }}'
+ src: '../mods-available/{{ item }}'
+ loop:
+ - ssl.conf
+ - ssl.load
+ - socache_shmcb.load
+ become: yes
+ notify: Restart apache
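Review bot: The three `copy`/`template` tasks at the top of apache.yml set no `owner`, `group` or `mode`, so the permissions of `index.html` and both site configs depend on the remote umask and on whatever file already exists at the destination. Pinning them, for example `owner: root`, `group: root`, `mode: '0644'`, makes the result reproducible and keeps the vhost configuration writable by root only. The `/etc/postfix/bysender` task in postfix.yml has the same gap. Whether the plain-HTTP `000-default.conf` that stays enabled next to `default-ssl.conf` redirects to HTTPS is not visible in this diff; a one-line comment on the `Enable sites` task stating the intent would help.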
diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml
index ec6fe1e..7acbb47 100644
--- a/roles/icinga2/tasks/icinga.yml
+++ b/roles/icinga2/tasks/icinga.yml
@@ -47,10 +47,49 @@
- ido-mysql.conf
- api_users.conf
+- name: Install config from git
+ git:
+ dest: '/etc/icinga2/conf.git.d'
+ repo: '{{ icinga.config.git_url }}'
+ version: '{{ icinga.config.git_version }}'
+ become: yes
+ become_user: nagios
+ when: icinga.config.manage | default(false)
+ notify: Restart icinga
+
+- name: Create API certs folder
+ file:
+ state: directory
+ path: /var/lib/icinga2/certs
+ owner: nagios
+ group: nagios
+ become: yes
+
+- name: Install API TLS Key/Certificate
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert[item] }}'
+ dest: '/var/lib/icinga2/certs/{{ ansible_facts.fqdn }}.{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ loop:
+ - key
+ - crt
+
+- name: Install API TLS CA
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert.ca }}'
+ dest: '/var/lib/icinga2/certs/ca.crt'
+ owner: nagios
+ group: nagios
+ become: yes
+
- name: Enable features
file:
state: link
- path: '/etc/icinga2/features-available/api.con'
+ path: '/etc/icinga2/features-enabled/api.conf'
src: '../features-available/api.conf'
owner: nagios
group: nagios
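Review bot: The `Install API TLS Key/Certificate` loop copies the private key and the certificate with identical settings and no `mode`, so nothing in the task guarantees that the `.key` file under `/var/lib/icinga2/certs` ends up readable by `nagios` only. Give the key its own mode, for instance by looping over `- {ext: key, mode: '0600'}` and `- {ext: crt, mode: '0644'}` and setting `mode: '{{ item.mode }}'`. The `Create API certs folder` task would likewise benefit from an explicit `mode: '0700'`. The `Enable features` task at the end of the hunk continues outside it.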
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
index 1d527fc..ee4cd6a 100644
--- a/roles/icinga2/tasks/icingaweb.yml
+++ b/roles/icinga2/tasks/icingaweb.yml
@@ -67,6 +67,14 @@
- modules/monitoring/commandtransports.ini
- modules/monitoring/backends.ini
+- name: Install modules
+ git:
+ dest: '/usr/share/icingaweb2/modules/{{ item.key }}'
+ repo: '{{ item.value.url }}'
+ version: '{{ item.value.version }}'
+ become: yes
+ with_dict: '{{ icingaweb.install_modules }}'
+
- name: Enable modules
file:
path: '/etc/icingaweb2/enabledModules/{{ item }}'
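Review bot: `Install modules` clones whatever `item.value.url` and `item.value.version` name, as root, into `/usr/share/icingaweb2/modules`, where it is presumably loaded as PHP code by Icinga Web 2; if `version` is a branch or tag rather than a commit, each run can pull in code nobody has reviewed. Document next to `icingaweb.install_modules` that `version` should be a full commit SHA, or add `verify_commit: yes` where the upstream signs its commits. The same applies to the `Install config from git` task in icinga.yml, whose checkout lands under `/etc/icinga2`. The `Enable modules` task continues outside the hunk.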
@@ -84,4 +92,3 @@
groups: www-data
append: yes
become: yes
-
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
index 35e9bd6..bcb702f 100644
--- a/roles/icinga2/tasks/main.yml
+++ b/roles/icinga2/tasks/main.yml
@@ -43,6 +43,8 @@
- apache2
- libapache2-mod-php
- python3-pymysql
+ - git
+ - mailutils
become: yes
- name: Securing MariaDB installation
@@ -84,3 +86,10 @@
- name: Configure Icingaweb2
include_tasks: icingaweb.yml
+
+- name: Configure apache2
+ include_tasks: apache.yml
+
+- name: Configure postfix
+ include_tasks: postfix.yml
+ when: icinga.mail.enable | default(false)
diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml
new file mode 100644
index 0000000..e71cc1d
--- /dev/null
+++ b/roles/icinga2/tasks/postfix.yml
@@ -0,0 +1,49 @@
+---
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.smtp_host }} {{ icinga.mail.smtp_user }}:{{ icinga.mail.smtp_psw }}'
+ dest: /etc/postfix/relay-credentials
+ mode: '0600'
+ become: yes
+ register: relay_creds
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/relay-credentials
+ become: yes
+ when: relay_creds.changed
+
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.from }} [{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}'
+ dest: /etc/postfix/bysender
+ become: yes
+ register: bysender
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/bysender
+ become: yes
+ when: bysender.changed
+
+# sudo apt install libsasl2-modules sasl2-bin
+- name: postfix config
+ lineinfile:
+ path: /etc/postfix/main.cf
+ regexp: '{{ item.reg }}'
+ line: '{{ item.line }}'
+ loop:
+ - reg: '^sender_dependent_relayhost_maps\w*=.*$'
+ line: 'sender_dependent_relayhost_maps = hash:/etc/postfix/bysender'
+ - reg: '^smtp_sasl_auth_enable\w*=.*$'
+ line: 'smtp_sasl_auth_enable = yes'
+ - reg: '^smtp_tls_security_level\w*=.*$'
+ line: 'smtp_tls_security_level = encrypt'
+ - reg: '^smtp_sasl_password_maps\w*=.*$'
+ line: 'smtp_sasl_password_maps = hash:/etc/postfix/relay-credentials'
+ - reg: '^smtp_use_tls\w*=.*$'
+ line: 'smtp_use_tls = yes'
+ - reg: '^smtp_sasl_security_options\w*=.*$'
+ line: 'smtp_sasl_security_options = noanonymous'
+ notify: Restart postfix
+ become: yes
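Review bot: The first task renders `icinga.mail.smtp_psw` into `content` without `no_log: true`, so the relay password can appear in `--diff` output and in verbose or callback logs; add `no_log: true` to that task. Separately, the `lineinfile` patterns use `\w*` before `=`, which matches word characters rather than whitespace, so an existing line written with spaces around `=` is not matched and replaced; `\s*` looks like what was meant, e.g. `'^smtp_tls_security_level\s*=.*$'`. Both `Create hash db` tasks run a fixed command with no shell features and could use `command:` instead of `shell:`. The two `Install postfix relay creds` and two `Create hash db` tasks share names, which makes run output and `--start-at-task` ambiguous.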