authorGravatar Jonas Gunz <himself@jonasgunz.de> 2021-10-05 03:47:16 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2021-10-05 03:47:16 +0200
commite5df302e3c17c29f16427c5cf35a0d45ffd7aac6 (patch)
treec02a7eae5dc8fc44d327f75a1504af8dffbd3504 /roles/icinga2/tasks
parent89b4408e0b91ee670bda0c6ea5a1f9d183e2504a (diff)
icinga2: WIP
Diffstat (limited to 'roles/icinga2/tasks')
-rw-r--r--roles/icinga2/tasks/icinga.yml58
-rw-r--r--roles/icinga2/tasks/icingaweb.yml87
-rw-r--r--roles/icinga2/tasks/main.yml86
3 files changed, 231 insertions, 0 deletions
diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml
new file mode 100644
index 0000000..ec6fe1e
--- /dev/null
+++ b/roles/icinga2/tasks/icinga.yml
@@ -0,0 +1,58 @@
+---
+- name: Install icinga2.conf
+ template:
+ src: icinga2.conf.j2
+ dest: /etc/icinga2/icinga2.conf
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
+
+- name: IDO Database
+ mysql_db:
+ name: ido
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ register: ido_db
+
+- name: IDO Database schema import
+ mysql_db:
+ name: ido
+ target: '/usr/share/icinga2-ido-mysql/schema/mysql.sql'
+ state: import
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: ido_db.changed
+
+- name: IDO Database user
+ mysql_user:
+ name: icinga
+ host: 'localhost'
+ state: present
+ priv: 'ido.*:ALL'
+ password: '{{ icinga_ido_db_pw }}'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Install extra config files
+ template:
+ src: '{{ item }}.j2'
+ dest: '/etc/icinga2/{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
+ loop:
+ - ido-mysql.conf
+ - api_users.conf
+
+- name: Enable features
+ file:
+ state: link
+ path: '/etc/icinga2/features-available/api.con'
+ src: '../features-available/api.conf'
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
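Review bot: The two `template` tasks ("Install icinga2.conf" and "Install extra config files") set owner and group but no `mode`, so the files keep whatever mode they already have or get one from the umask. `ido-mysql.conf` and `api_users.conf` presumably render the IDO database password and the API credentials (the templates are not part of this diff), so an explicit `mode: '0640'` on both tasks would keep them from ending up world-readable. Separately, "Enable features" creates its link at `/etc/icinga2/features-available/api.con`, which looks like a typo for `path: '/etc/icinga2/features-enabled/api.conf'`; as written the link lands in the wrong directory and the API feature is not enabled.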
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
new file mode 100644
index 0000000..1d527fc
--- /dev/null
+++ b/roles/icinga2/tasks/icingaweb.yml
@@ -0,0 +1,87 @@
+---
+- name: icingaweb Database
+ mysql_db:
+ name: icingaweb
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ register: icingaweb_db
+
+- name: icingaweb Database schema
+ mysql_db:
+ name: icingaweb
+ state: import
+ target: '/usr/share/icingaweb2/etc/schema/mysql.schema.sql'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: icingaweb_db.changed
+
+# password is 'admin'
+# create with php -r 'echo password_hash("admin", PASSWORD_DEFAULT);'
+- name: Create default admin user
+ community.mysql.mysql_query:
+ query: "INSERT INTO icingaweb.icingaweb_user (name, active, password_hash) VALUES ('admin', 1, '$2y$10$MN74jDR1LtgzEzxxxyqOgug1WWuuirfMWjOtHZdvi5yjsd4el75Y2')"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: icingaweb_db.changed
+
+- name: icingaweb Database user
+ mysql_user:
+ name: icingaweb
+ host: localhost
+ state: present
+ priv: 'icingaweb.*:ALL'
+ password: '{{ icinga_web_db_pw }}'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Config dirs
+ file:
+ state: directory
+ path: '/etc/icingaweb2/{{ item }}'
+ owner: root
+ group: icingaweb2
+ mode: '2770'
+ become: yes
+ loop:
+ - ''
+ - modules
+ - modules/monitoring
+ - enabledModules
+
+- name: Install configuration files
+ template:
+ src: 'web/{{ item }}.j2'
+ dest: '/etc/icingaweb2/{{ item }}'
+ owner: www-data
+ group: icingaweb2
+ mode: '0660'
+ become: yes
+ loop:
+ - config.ini
+ - authentication.ini
+ - groups.ini
+ - resources.ini
+ - roles.ini
+ - modules/monitoring/config.ini
+ - modules/monitoring/commandtransports.ini
+ - modules/monitoring/backends.ini
+
+- name: Enable modules
+ file:
+ path: '/etc/icingaweb2/enabledModules/{{ item }}'
+ src: '/usr/share/icingaweb2/modules/{{ item }}'
+ state: link
+ owner: www-data
+ group: icingaweb2
+ become: yes
+ with_items: '{{ icingaweb.enabled_modules }}'
+
+- name: icingaweb2 user
+ user:
+ name: icingaweb2
+ group: icingaweb2
+ groups: www-data
+ append: yes
+ become: yes
+
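Review bot: "Create default admin user" seeds the web login `admin` with a hash whose plaintext is stated in the comment above it and committed with the role, so every host built from this role starts with the same known credential. Take the hash from a required, vaulted variable and pass it as a bound parameter, e.g. `query: "INSERT INTO icingaweb.icingaweb_user (name, active, password_hash) VALUES ('admin', 1, %s)"` with `positional_args: ['{{ icingaweb_admin_password_hash }}']` (the variable name is a placeholder), and add `no_log: true` to the task. The `when: icingaweb_db.changed` guard also means that a run which fails after the database is created skips both the schema import and this insert on every later run; a comment saying so, or a check against the table itself, would make that visible.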
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
new file mode 100644
index 0000000..35e9bd6
--- /dev/null
+++ b/roles/icinga2/tasks/main.yml
@@ -0,0 +1,86 @@
+---
+- name: Install GnuPG
+ apt:
+ name: gnupg2
+ become: yes
+
+- name: Icinga APT Key
+ apt_key:
+ url: 'https://packages.icinga.com/icinga.key'
+ state: present
+ become: yes
+
+- name: Install Icinga APT Repository
+ template:
+ src: icinga.list.j2
+ dest: /etc/apt/sources.list.d/icinga.list
+ become: yes
+ register: install_repo
+
+- name: Update cache
+ apt:
+ update_cache: yes
+ become: yes
+ when: install_repo.changed
+
+- name: Install Packages
+ apt:
+ name:
+ - icinga2
+ - icinga2-ido-mysql
+ - icingaweb2
+ - icingacli
+ - monitoring-plugins
+ - mariadb-server
+ - mariadb-client
+ - php
+ - php-intl
+ - php-imagick
+ - php-gd
+ - php-mysql
+ - php-curl
+ - php-mbstring
+ - apache2
+ - libapache2-mod-php
+ - python3-pymysql
+ become: yes
+
+- name: Securing MariaDB installation
+ community.mysql.mysql_query:
+ query:
+ - "DELETE FROM mysql.user WHERE User=''"
+ - "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+ - "DROP DATABASE IF EXISTS test"
+ - "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
+ - "FLUSH PRIVILEGES"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Generate Icingaweb2 API Password
+ shell:
+ cmd: 'dd if=/dev/urandom bs=16 count=1 status=none | base64'
+ creates: /etc/icinga2/api_pw.ansible
+ become: yes
+ register: gen_api_key
+
+- name: Save API Password
+ copy:
+ content: '{{ gen_api_key.stdout }}'
+ dest: /etc/icinga2/api_pw.ansible
+ owner: root
+ group: root
+ mode: '600'
+ become: yes
+ when: gen_api_key.changed
+
+- name: Read API Password
+ slurp:
+ src: /etc/icinga2/api_pw.ansible
+ become: yes
+ register: icingaweb_api_password
+
+- name: Configure Icinga2
+ include_tasks: icinga.yml
+
+- name: Configure Icingaweb2
+ include_tasks: icingaweb.yml
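Review bot: The generated API password passes through `gen_api_key.stdout`, the `content:` of "Save API Password" and the `slurp` result, all of which can show up in task output under `-v` or `--diff`; adding `no_log: true` to those three tasks keeps it out of logs and CI output. "Icinga APT Key" also trusts whatever the URL serves at run time and adds it to apt's global keyring; pinning the expected key with `id: '<ICINGA_KEY_FINGERPRINT>'` (placeholder, take the value from the vendor's documentation) would narrow that. `mode: '600'` on the password file works but `'0600'` matches the form used in icingaweb.yml.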