authorGravatar meisterfischy <grbmn@kstn.in> 2022-01-22 17:19:41 +0100
committerGravatar meisterfischy <grbmn@kstn.in> 2022-01-22 17:19:41 +0100
commit3db33ef566777f1963b6d6f0c7b6d7dcd14ed866 (patch)
tree0641584e2b2b753bcb9a540e38ab43c43ea15992 /roles
parenta28793b684b3299c95e04924ed18e0fe5cd6f107 (diff)
parentd400f8820ad8e824ce454d9283e2bb8d6a28cdd3 (diff)
Merge branch 'dev' of giteaprod-01.my.cum.re:infra/ansible-kompetenzbolzen-stuff into calibre
Diffstat (limited to 'roles')
-rw-r--r--roles/bind/defaults/main.yml1
-rw-r--r--roles/bind/tasks/download_zonefile.yml10
-rw-r--r--roles/gitea/Readme.md10
-rw-r--r--roles/gitea/templates/app.ini.j28
-rw-r--r--roles/icinga2/defaults/main.yml25
-rw-r--r--roles/icinga2/files/000-default.conf9
-rw-r--r--roles/icinga2/files/index.html9
-rw-r--r--roles/icinga2/handlers/main.yml14
-rw-r--r--roles/icinga2/tasks/apache.yml44
-rw-r--r--roles/icinga2/tasks/icinga.yml41
-rw-r--r--roles/icinga2/tasks/icingaweb.yml9
-rw-r--r--roles/icinga2/tasks/main.yml30
-rw-r--r--roles/icinga2/tasks/postfix.yml48
-rw-r--r--roles/icinga2/templates/default-ssl.conf.j223
-rw-r--r--roles/icinga2/templates/icinga2.conf.j24
-rw-r--r--roles/icinga2/templates/web/groups.ini.j22
16 files changed, 279 insertions, 8 deletions
diff --git a/roles/bind/defaults/main.yml b/roles/bind/defaults/main.yml
index bd90082..f242706 100644
--- a/roles/bind/defaults/main.yml
+++ b/roles/bind/defaults/main.yml
@@ -1,4 +1,5 @@
---
bind_zones: []
bind_zonefile_base_url: ''
+bind_zonefile_base_folder: ''
bind_install_zonefiles: false
diff --git a/roles/bind/tasks/download_zonefile.yml b/roles/bind/tasks/download_zonefile.yml
index 9e89507..9c0f4ac 100644
--- a/roles/bind/tasks/download_zonefile.yml
+++ b/roles/bind/tasks/download_zonefile.yml
@@ -5,6 +5,7 @@
return_content: yes
delegate_to: localhost
register: zonefile
+ when: bind_zonefile_base_url != ""
- name: Install zonefile
copy:
@@ -12,4 +13,13 @@
content: '{{ zonefile.content }}'
become: yes
notify: Restart bind
+ when: bind_zonefile_base_url != ""
+
+- name: Copy zonefile
+ copy:
+ src: '{{ bind_zonefile_base_folder }}/{{ item }}'
+ dest: '/etc/bind/zonefiles/{{ item }}'
+ become: yes
+ notify: Restart bind
+ when: bind_zonefile_base_folder != ""
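Review bot: The guards on the new `Copy zonefile` task and on the download/install tasks in the previous hunk are not mutually exclusive, so a host that sets both `bind_zonefile_base_url` and `bind_zonefile_base_folder` runs both paths against the same `/etc/bind/zonefiles/{{ item }}`, with whichever task ran last winning. Either tighten the copy guard to `when: bind_zonefile_base_folder != "" and bind_zonefile_base_url == ""` or add an `assert` at the top of the file that only one of the two is set. `item` is not defined in this file and presumably comes from the caller's `include_tasks` loop; a one-line comment above the task saying so, e.g. `# item: zone file name, supplied by the including loop`, would spare the next reader the search. The copy also sets no `owner`/`mode`, so the zone file gets whatever the root umask yields; if bind needs to read it as an unprivileged user, set them explicitly.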
diff --git a/roles/gitea/Readme.md b/roles/gitea/Readme.md
index 6637b97..139de4a 100644
--- a/roles/gitea/Readme.md
+++ b/roles/gitea/Readme.md
@@ -29,5 +29,15 @@ gitea:
user: ''
passwd: ''
ssl: 'true'
+ mail:
+ enable: false
+ smtp_host: ''
+ tls: false
+ skip_verify: false
+ from: ''
+ user: ''
+ pass: ''
+ plain_text: false
+ subject_prefix: ''
```
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
index 9bbd097..f59c557 100644
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -631,13 +631,15 @@ EMAIL_DOMAIN_WHITELIST =
; Comma-separated list of domain names that are not allowed to be used to register on a Gitea instance
EMAIL_DOMAIN_BLOCKLIST =
; Disallow registration, only allow admins to create accounts.
+
+
DISABLE_REGISTRATION = true
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-; User must sign in to view anything.
+
REQUIRE_SIGNIN_VIEW = true
-; Mail notification
-ENABLE_NOTIFY_MAIL = false
+ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable }}
+
; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password
; If you set this to false you will not be able to access the tokens endpoints on the API with your password
; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token
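Review bot: `ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable }}` is the only mail-related line this commit templates, while the Readme change in the same commit documents `smtp_host`, `tls`, `skip_verify`, `from`, `user`, `pass`, `plain_text` and `subject_prefix` under `gitea.mail`; unless a `[mailer]` section is templated further down this file (not visible in the hunk), enabling notify mail asks Gitea to send with no mailer configured. Either template the `[mailer]` section from those keys or trim the Readme to what the role actually consumes. A Python boolean renders as `True`/`False`; Gitea's ini parser is expected to accept that, but `{{ gitea.mail.enable | lower }}` keeps the rendered file consistent with the surrounding `true`/`false` literals. The two removed explanatory comments (`; User must sign in to view anything.` and `; Mail notification`) were replaced by blank lines, and the extra blank lines before `DISABLE_REGISTRATION` look accidental; restoring the comments costs nothing.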
diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml
index f8b46e2..0c36ee6 100644
--- a/roles/icinga2/defaults/main.yml
+++ b/roles/icinga2/defaults/main.yml
@@ -9,10 +9,25 @@ icinga:
- name: 'test'
password: 'changeme'
permissions: '[ ]'
+ # CN MUST match FQDN
+ api_cert:
+ crt: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+ config:
+ manage: false
+ git_url: ''
+ git_branch: 'mainu'
+ mail:
+ enable: false
+ smtp_host: 'smtp.example.com'
+ smtp_port: '25'
+ smtp_user: ''
+ smtp_psw: ''
+ from: ''
icingaweb:
cert:
- use_ssl: true
cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
key: '/etc/ssl/private/ssl-cert-snakeoil.key'
ldap:
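Review bot: The new `icinga.config` defaults define `git_branch`, but the git task added in `tasks/icinga.yml` reads `{{ icinga.config.git_version }}`, so setting `manage: true` fails on an undefined variable before anything is cloned; pick one name (the git module's parameter is `version`, so `git_version` reads naturally) and fix the other side. The default `'mainu'` also looks like a typo for `'main'`. The `api_cert` defaults point at the Debian snakeoil pair, whose CN is whatever the host was called when `ssl-cert` ran, so the `# CN MUST match FQDN` comment will typically not hold for the defaults; extend it to say so, e.g. `# CN MUST match FQDN; the snakeoil defaults below will usually not, supply real certs`. `smtp_psw` is a secret that this commit writes to `/etc/postfix/relay-credentials`, so it should be documented as vault-supplied rather than set in group_vars in the clear.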
@@ -29,7 +44,8 @@ icingaweb:
filter: ''
groups:
base_dn: ''
- group_member_attribute: 'cn'
+ group_member_attribute: 'member'
+ group_name_attribute: 'cn'
group_class: 'groupOfNames'
group_filter: 'cn=*'
user_base_dn: ''
@@ -42,4 +58,9 @@ icingaweb:
groups: 'Administrators'
enabled_modules:
- monitoring
+ - businessprocess
+ install_modules:
+ businessprocess:
+ url: 'https://github.com/Icinga/icingaweb2-module-businessprocess'
+ version: 'master'
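Review bot: `version: 'master'` for the businessprocess module makes every run clone whatever the upstream branch holds at that moment into the web UI, so a deploy is not reproducible and a force-pushed or compromised upstream lands on the monitoring host unnoticed. Pin the default to a release tag (placeholder: `version: '<RELEASE_TAG>'`, checked against the module's tags) and let operators override it per host. A short comment on the key, `# pin to a tag; a branch name is re-resolved on every run`, documents the intent for whoever changes it next.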
diff --git a/roles/icinga2/files/000-default.conf b/roles/icinga2/files/000-default.conf
new file mode 100644
index 0000000..922eb96
--- /dev/null
+++ b/roles/icinga2/files/000-default.conf
@@ -0,0 +1,9 @@
+<VirtualHost *:80>
+ ServerAdmin webmaster@localhost
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/icinga2/files/index.html b/roles/icinga2/files/index.html
new file mode 100644
index 0000000..fa5cc89
--- /dev/null
+++ b/roles/icinga2/files/index.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="refresh" content="0; url='/icingaweb2'" />
+ </head>
+ <body>
+ <p><a href="/icingaweb2">Icinga Web 2</a>.</p>
+ </body>
+</html>
diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml
index 730742e..15e7fdf 100644
--- a/roles/icinga2/handlers/main.yml
+++ b/roles/icinga2/handlers/main.yml
@@ -5,3 +5,17 @@
state: restarted
enabled: yes
become: yes
+
+- name: Restart apache
+ systemd:
+ name: apache2
+ state: restarted
+ enabled: yes
+ become: yes
+
+- name: Restart postfix
+ systemd:
+ name: postfix
+ state: restarted
+ enabled: yes
+ become: yes
diff --git a/roles/icinga2/tasks/apache.yml b/roles/icinga2/tasks/apache.yml
new file mode 100644
index 0000000..bfc6a52
--- /dev/null
+++ b/roles/icinga2/tasks/apache.yml
@@ -0,0 +1,44 @@
+---
+- name: Install index.html
+ copy:
+ src: index.html
+ dest: /var/www/html/index.html
+ become: yes
+ notify: Restart apache
+
+- name: Install site-config
+ copy:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-available/000-default.conf
+ become: yes
+ notify: Restart apache
+
+- name: Install SSL site-config
+ template:
+ src: default-ssl.conf.j2
+ dest: /etc/apache2/sites-available/default-ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Enable sites
+ file:
+ state: link
+ path: '/etc/apache2/sites-enabled/{{ item }}'
+ src: '../sites-available/{{ item }}'
+ loop:
+ - 000-default.conf
+ - default-ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Enable apache mods
+ file:
+ state: link
+ path: '/etc/apache2/mods-enabled/{{ item }}'
+ src: '../mods-available/{{ item }}'
+ loop:
+ - ssl.conf
+ - ssl.load
+ - socache_shmcb.load
+ become: yes
+ notify: Restart apache
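Review bot: `Enable apache mods` links `ssl.conf`, `ssl.load` and `socache_shmcb.load` only, but the `000-default.conf` installed by the second task in this file uses `RewriteEngine`/`RewriteCond`/`RewriteRule`, which on a stock Debian/Ubuntu apache2 need `rewrite.load` enabled; without it the `Restart apache` handler fails on an unknown directive, so add `- rewrite.load` to the loop (and `- headers.load` if an HSTS header is added to the SSL vhost). In the same site config, the redirect target `https://%{SERVER_NAME}/$1` follows the client-supplied Host header while `UseCanonicalName` is off (the default); setting `ServerName` in both vhosts pins the target. The redirect is also a temporary 302 as written; `[R=301,L]` is the usual choice for a permanent HTTP-to-HTTPS move.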
diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml
index ec6fe1e..7acbb47 100644
--- a/roles/icinga2/tasks/icinga.yml
+++ b/roles/icinga2/tasks/icinga.yml
@@ -47,10 +47,49 @@
- ido-mysql.conf
- api_users.conf
+- name: Install config from git
+ git:
+ dest: '/etc/icinga2/conf.git.d'
+ repo: '{{ icinga.config.git_url }}'
+ version: '{{ icinga.config.git_version }}'
+ become: yes
+ become_user: nagios
+ when: icinga.config.manage | default(false)
+ notify: Restart icinga
+
+- name: Create API certs folder
+ file:
+ state: directory
+ path: /var/lib/icinga2/certs
+ owner: nagios
+ group: nagios
+ become: yes
+
+- name: Install API TLS Key/Certificate
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert[item] }}'
+ dest: '/var/lib/icinga2/certs/{{ ansible_facts.fqdn }}.{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ loop:
+ - key
+ - crt
+
+- name: Install API TLS CA
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert.ca }}'
+ dest: '/var/lib/icinga2/certs/ca.crt'
+ owner: nagios
+ group: nagios
+ become: yes
+
- name: Enable features
file:
state: link
- path: '/etc/icinga2/features-available/api.con'
+ path: '/etc/icinga2/features-enabled/api.conf'
src: '../features-available/api.conf'
owner: nagios
group: nagios
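Review bot: `Install API TLS Key/Certificate` copies the private key with `remote_src: yes` but no `mode:`, so `/var/lib/icinga2/certs/<fqdn>.key` is typically created with the default umask (0644) and is readable by every local user; add `mode: "{{ '0600' if item == 'key' else '0644' }}"` or give the key its own task with `mode: '0600'`. `Install config from git` reads `icinga.config.git_version`, while the defaults added in this commit define `git_branch`, so `manage: true` fails on an undefined variable — align the two names. Cloning as `nagios` over SSH also needs the Git server's host key trusted (presumably this is what the key generated in `tasks/main.yml` is for); manage `/var/lib/nagios/.ssh/known_hosts` with the `known_hosts` module, since `accept_hostkey: yes` would be trust-on-first-use. The `Enable features` task continues past the end of the hunk.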
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
index 1d527fc..ee4cd6a 100644
--- a/roles/icinga2/tasks/icingaweb.yml
+++ b/roles/icinga2/tasks/icingaweb.yml
@@ -67,6 +67,14 @@
- modules/monitoring/commandtransports.ini
- modules/monitoring/backends.ini
+- name: Install modules
+ git:
+ dest: '/usr/share/icingaweb2/modules/{{ item.key }}'
+ repo: '{{ item.value.url }}'
+ version: '{{ item.value.version }}'
+ become: yes
+ with_dict: '{{ icingaweb.install_modules }}'
+
- name: Enable modules
file:
path: '/etc/icingaweb2/enabledModules/{{ item }}'
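Review bot: `with_dict` is the legacy loop form; `loop: "{{ icingaweb.install_modules | dict2items }}"` gives the same `item.key`/`item.value` and matches the `loop:` style the rest of this commit uses. The modules are cloned as root into `/usr/share/icingaweb2/modules` at whatever `item.value.version` resolves to, which with the shipped default `master` is a moving target; a comment such as `# versions come from icingaweb.install_modules; pin them to tags` keeps that visible at the point of use.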
@@ -84,4 +92,3 @@
groups: www-data
append: yes
become: yes
-
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
index 35e9bd6..07f02d8 100644
--- a/roles/icinga2/tasks/main.yml
+++ b/roles/icinga2/tasks/main.yml
@@ -43,6 +43,10 @@
- apache2
- libapache2-mod-php
- python3-pymysql
+ - git
+ - mailutils
+ - libsasl2-modules
+ - sasl2-bin
become: yes
- name: Securing MariaDB installation
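Review bot: The package list gains `mailutils`, `libsasl2-modules` and `sasl2-bin` but not `postfix`, yet the new `tasks/postfix.yml` edits `/etc/postfix/main.cf` and runs `postmap`; `mailutils` only pulls in whatever `default-mta` resolves to, which is postfix on Ubuntu but exim4 on Debian, so add `- postfix` explicitly rather than relying on that dependency. The apt task these lines belong to starts before the hunk.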
@@ -79,8 +83,34 @@
become: yes
register: icingaweb_api_password
+- name: generate SSH folder
+ file:
+ state: directory
+ path: /var/lib/nagios/.ssh
+ become: yes
+ become_user: nagios
+
+- name: generate SSH-Key
+ community.crypto.openssh_keypair:
+ comment: 'monitor'
+ path: /var/lib/nagios/.ssh/id_rsa
+ become: yes
+ become_user: nagios
+ register: ssh_key
+
+- name: Print SSH-PubKey
+ debug:
+ var: ssh_key.public_key
+
- name: Configure Icinga2
include_tasks: icinga.yml
- name: Configure Icingaweb2
include_tasks: icingaweb.yml
+
+- name: Configure apache2
+ include_tasks: apache.yml
+
+- name: Configure postfix
+ include_tasks: postfix.yml
+ when: icinga.mail.enable | default(false)
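Review bot: `generate SSH-Key` creates an RSA key at `/var/lib/nagios/.ssh/id_rsa` with the module defaults; `type: ed25519` with a matching `path: /var/lib/nagios/.ssh/id_ed25519` is the current recommendation and keeps the key small. `generate SSH folder` sets no `mode`, so `.ssh` is created with the umask of the `nagios` session; `mode: '0700'` is what ssh expects. Both key tasks run unconditionally even when `icinga.config.manage` is false and nothing in the role uses the key; guarding them with the same `when: icinga.config.manage | default(false)` as the git task keeps idle hosts from carrying an unused deploy key. `Print SSH-PubKey` prints only the public half, which is fine.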
diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml
new file mode 100644
index 0000000..044a938
--- /dev/null
+++ b/roles/icinga2/tasks/postfix.yml
@@ -0,0 +1,48 @@
+---
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.smtp_host }} {{ icinga.mail.smtp_user }}:{{ icinga.mail.smtp_psw }}'
+ dest: /etc/postfix/relay-credentials
+ mode: '0600'
+ become: yes
+ register: relay_creds
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/relay-credentials
+ become: yes
+ when: relay_creds.changed
+
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.from }} [{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}'
+ dest: /etc/postfix/bysender
+ become: yes
+ register: bysender
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/bysender
+ become: yes
+ when: bysender.changed
+
+- name: postfix config
+ lineinfile:
+ path: /etc/postfix/main.cf
+ regexp: '{{ item.reg }}'
+ line: '{{ item.line }}'
+ loop:
+ - reg: '^sender_dependent_relayhost_maps\w*=.*$'
+ line: 'sender_dependent_relayhost_maps = hash:/etc/postfix/bysender'
+ - reg: '^smtp_sasl_auth_enable\w*=.*$'
+ line: 'smtp_sasl_auth_enable = yes'
+ - reg: '^smtp_tls_security_level\w*=.*$'
+ line: 'smtp_tls_security_level = encrypt'
+ - reg: '^smtp_sasl_password_maps\w*=.*$'
+ line: 'smtp_sasl_password_maps = hash:/etc/postfix/relay-credentials'
+ - reg: '^smtp_use_tls\w*=.*$'
+ line: 'smtp_use_tls = yes'
+ - reg: '^smtp_sasl_security_options\w*=.*$'
+ line: 'smtp_sasl_security_options = noanonymous'
+ become: yes
+ notify: Restart postfix
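Review bot: Every `reg:` pattern uses `\w*=` where `\s*=` was clearly intended, so a pre-existing `main.cf` line written with spaces around `=` (the same form as the `line:` values this task adds) never matches and the key is appended as a duplicate rather than replaced; Postfix takes the last occurrence with a warning, so it works by accident — replace `\w*` with `\s*` in all six entries. The first `copy` task writes the SMTP password into `/etc/postfix/relay-credentials` and registers the result, so the credential shows up in task output and `--diff` unless `no_log: true` is set on it; also confirm the `.db` that `postmap` produces ends up 0600 as well. Two pairs of tasks share the names `Install postfix relay creds` and `Create hash db`, which makes logs and `--start-at-task` ambiguous; e.g. `- name: Install postfix sender relay map` and `- name: Build bysender hash db`. `shell: postmap …` uses no shell features, so `command:` is the safer module.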
diff --git a/roles/icinga2/templates/default-ssl.conf.j2 b/roles/icinga2/templates/default-ssl.conf.j2
new file mode 100644
index 0000000..7c9ab9e
--- /dev/null
+++ b/roles/icinga2/templates/default-ssl.conf.j2
@@ -0,0 +1,23 @@
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLProtocol -all +TLSv1.2 +TLSv1.3
+ SSLCertificateFile {{ icingaweb.cert.cert }}
+ SSLCertificateKeyFile {{ icingaweb.cert.key }}
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+ </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
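Review bot: The TLS vhost sets a sound protocol floor but sends no HSTS header, so the redirect in `000-default.conf` is the only thing steering browsers to TLS; `Header always set Strict-Transport-Security "max-age=63072000"` inside the VirtualHost does that and requires `headers.load` in the apache mods task. No `ServerName` is set, so self-referential URLs fall back to the machine hostname; `ServerName {{ ansible_facts.fqdn }}` matches how `icinga.yml` names the API certificate. The `<Directory /usr/lib/cgi-bin>` stanza is presumably carried over from the Debian default and serves nothing here; dropping it keeps the template to what the role uses.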
diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2
index fcb9088..13d2d7f 100644
--- a/roles/icinga2/templates/icinga2.conf.j2
+++ b/roles/icinga2/templates/icinga2.conf.j2
@@ -19,4 +19,8 @@ include "features-enabled/*.conf"
include "ido-mysql.conf"
include "api_users.conf"
+{% if icinga.config.manage is true %}
+include_recursive "conf.git.d"
+{% else %}
include_recursive "conf.d"
+{% endif %}
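Review bot: `{% if icinga.config.manage is true %}` only matches a real boolean, while the tasks in this commit guard the same flag with `icinga.config.manage | default(false)`, so a value given as the string `'true'` (a style this collection uses elsewhere, e.g. `ssl: 'true'`) clones the config but still renders `include_recursive "conf.d"`; use `{% if icinga.config.manage | default(false) | bool %}` to keep template and tasks in step. The `true` Jinja test also needs Jinja 2.11 or later; older controllers raise `no test named 'true'`.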
diff --git a/roles/icinga2/templates/web/groups.ini.j2 b/roles/icinga2/templates/web/groups.ini.j2
index 848b254..04dba70 100644
--- a/roles/icinga2/templates/web/groups.ini.j2
+++ b/roles/icinga2/templates/web/groups.ini.j2
@@ -13,5 +13,5 @@ group_class = {{ icingaweb.ldap.groups.group_class }}
group_filter = {{ icingaweb.ldap.groups.group_filter }}
user_base_dn = {{ icingaweb.ldap.groups.user_base_dn }}
user_class = {{ icingaweb.ldap.groups.user_class }}
-user_name_attribute = {{ icingaweb.ldap.groups.uid }}
+user_name_attribute = {{ icingaweb.ldap.groups.user_name_attribute }}
{% endif %}
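Review bot: The template now reads `icingaweb.ldap.groups.user_name_attribute`, but the defaults hunk in this commit adds only `group_name_attribute` under `groups`; if `user_name_attribute` is not defined elsewhere in `defaults/main.yml` (not visible here), rendering fails on an undefined variable where `uid` used to work. Either add `user_name_attribute: 'uid'` beside `group_name_attribute`, or keep the old key as a fallback: `user_name_attribute = {{ icingaweb.ldap.groups.user_name_attribute | default(icingaweb.ldap.groups.uid) }}`.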