authorGravatar Jonas Gunz <himself@jonasgunz.de> 2022-01-21 14:52:16 +0100
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2022-01-21 14:52:16 +0100
commit5490ae91cd85a65001d3c9df685b935c11e1378d (patch)
treead6ec264d93a2456691bf0ee8109ebef729bd439 /roles
parent41a475c5fb12d0bb82d596331796b8f375904c0a (diff)
downloadansible_collection-5490ae91cd85a65001d3c9df685b935c11e1378d.tar.gz
WIP: Icinga2 improvements
Diffstat (limited to 'roles')
-rw-r--r--roles/icinga2/defaults/main.yml22
-rw-r--r--roles/icinga2/files/000-default.conf9
-rw-r--r--roles/icinga2/files/index.html9
-rw-r--r--roles/icinga2/handlers/main.yml14
-rw-r--r--roles/icinga2/tasks/apache.yml44
-rw-r--r--roles/icinga2/tasks/icinga.yml41
-rw-r--r--roles/icinga2/tasks/icingaweb.yml9
-rw-r--r--roles/icinga2/tasks/main.yml9
-rw-r--r--roles/icinga2/tasks/postfix.yml49
-rw-r--r--roles/icinga2/templates/default-ssl.conf.j223
-rw-r--r--roles/icinga2/templates/icinga2.conf.j24
11 files changed, 230 insertions, 3 deletions
diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml
index f8b46e2..9b6a007 100644
--- a/roles/icinga2/defaults/main.yml
+++ b/roles/icinga2/defaults/main.yml
@@ -9,10 +9,25 @@ icinga:
- name: 'test'
password: 'changeme'
permissions: '[ ]'
+ # CN MUST match FQDN
+ api_cert:
+ crt: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+ config:
+ manage: false
+ git_url: ''
+ git_branch: 'mainu'
+ mail:
+ enable: false
+ smtp_host: 'smtp.example.com'
+ smtp_port: '25'
+ smtp_user: ''
+ smtp_psw: ''
+ from: ''
icingaweb:
cert:
- use_ssl: true
cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
key: '/etc/ssl/private/ssl-cert-snakeoil.key'
ldap:
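Review bot: The new `icinga.config` block defines `git_branch: 'mainu'`, but the git task that consumes it (roles/icinga2/tasks/icinga.yml in this same commit) reads `icinga.config.git_version`, so with `manage: true` the play fails on an undefined variable, and the value itself looks like a typo for `main`; rename the key to `git_version: 'main'` (or change the task) so the two agree. The `api_cert.crt` default `/etc/ssl/cert/ssl-cert-snakeoil.pem` also looks wrong: Debian's snakeoil certificate lives under `/etc/ssl/certs/` (plural), as the `ca:` default on the next line already uses, so the copy task would fail with the defaults as shipped. Finally, `smtp_psw: ''` is a plaintext secret slot in defaults; the comment `# override from an Ansible Vault file, never in plain group_vars` would steer users correctly.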
@@ -42,4 +57,9 @@ icingaweb:
groups: 'Administrators'
enabled_modules:
- monitoring
+ - businessprocess
+ install_modules:
+ businessprocess:
+ url: 'https://github.com/Icinga/icingaweb2-module-businessprocess'
+ version: 'master'
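Review bot: `version: 'master'` is an unpinned moving ref for code that will be served as PHP by the web server, so every run of the role can silently pull whatever is on the branch at that moment and the deployment is not reproducible. The default should be a release tag or a full commit SHA of the businessprocess module, with a comment such as `# pin to a release tag or commit SHA; 'master' is a moving target` so users who override the map know what is expected.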
diff --git a/roles/icinga2/files/000-default.conf b/roles/icinga2/files/000-default.conf
new file mode 100644
index 0000000..922eb96
--- /dev/null
+++ b/roles/icinga2/files/000-default.conf
@@ -0,0 +1,9 @@
+<VirtualHost *:80>
+ ServerAdmin webmaster@localhost
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
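Review bot: `RewriteEngine On` needs mod_rewrite, but the mods-enabled task added in roles/icinga2/tasks/apache.yml in this commit only links ssl and socache_shmcb, so Apache will refuse to start with "Invalid command 'RewriteEngine'" until `rewrite.load` is also linked. Because `UseCanonicalName` defaults to Off, `%{SERVER_NAME}` here reflects the client-supplied Host header, so the redirect target is attacker-chosen; a fixed target such as `RewriteRule ^/?(.*) https://monitoring.example.org/$1 [R=301,L]` (or a mod_alias `Redirect permanent` rendered from a template with the host's FQDN) avoids that and also makes the redirect permanent instead of the default 302.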
diff --git a/roles/icinga2/files/index.html b/roles/icinga2/files/index.html
new file mode 100644
index 0000000..fa5cc89
--- /dev/null
+++ b/roles/icinga2/files/index.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="refresh" content="0; url='/icingaweb2'" />
+ </head>
+ <body>
+ <p><a href="/icingaweb2">Icinga Web 2</a>.</p>
+ </body>
+</html>
diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml
index 730742e..15e7fdf 100644
--- a/roles/icinga2/handlers/main.yml
+++ b/roles/icinga2/handlers/main.yml
@@ -5,3 +5,17 @@
state: restarted
enabled: yes
become: yes
+
+- name: Restart apache
+ systemd:
+ name: apache2
+ state: restarted
+ enabled: yes
+ become: yes
+
+- name: Restart postfix
+ systemd:
+ name: postfix
+ state: restarted
+ enabled: yes
+ become: yes
diff --git a/roles/icinga2/tasks/apache.yml b/roles/icinga2/tasks/apache.yml
new file mode 100644
index 0000000..bfc6a52
--- /dev/null
+++ b/roles/icinga2/tasks/apache.yml
@@ -0,0 +1,44 @@
+---
+- name: Install index.html
+ copy:
+ src: index.html
+ dest: /var/www/html/index.html
+ become: yes
+ notify: Restart apache
+
+- name: Install site-config
+ copy:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-available/000-default.conf
+ become: yes
+ notify: Restart apache
+
+- name: Install SSL site-config
+ template:
+ src: default-ssl.conf.j2
+ dest: /etc/apache2/sites-available/default-ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Enable sites
+ file:
+ state: link
+ path: '/etc/apache2/sites-enabled/{{ item }}'
+ src: '../sites-available/{{ item }}'
+ loop:
+ - 000-default.conf
+ - default-ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Enable apache mods
+ file:
+ state: link
+ path: '/etc/apache2/mods-enabled/{{ item }}'
+ src: '../mods-available/{{ item }}'
+ loop:
+ - ssl.conf
+ - ssl.load
+ - socache_shmcb.load
+ become: yes
+ notify: Restart apache
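Review bot: The "Enable apache mods" loop does not link `rewrite.load`, yet the `000-default.conf` installed three tasks earlier in this file uses `RewriteEngine`, so the handler's restart will fail; add `- rewrite.load` to the loop. None of the `copy`/`template` tasks here set `owner`/`mode`, so the installed files inherit the effective umask of the become user; an explicit `mode: '0644'` on each makes the result deterministic across hosts. The symlink approach also never removes stale `sites-enabled` entries, which is fine but worth a one-line comment if intentional.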
diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml
index ec6fe1e..7acbb47 100644
--- a/roles/icinga2/tasks/icinga.yml
+++ b/roles/icinga2/tasks/icinga.yml
@@ -47,10 +47,49 @@
- ido-mysql.conf
- api_users.conf
+- name: Install config from git
+ git:
+ dest: '/etc/icinga2/conf.git.d'
+ repo: '{{ icinga.config.git_url }}'
+ version: '{{ icinga.config.git_version }}'
+ become: yes
+ become_user: nagios
+ when: icinga.config.manage | default(false)
+ notify: Restart icinga
+
+- name: Create API certs folder
+ file:
+ state: directory
+ path: /var/lib/icinga2/certs
+ owner: nagios
+ group: nagios
+ become: yes
+
+- name: Install API TLS Key/Certificate
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert[item] }}'
+ dest: '/var/lib/icinga2/certs/{{ ansible_facts.fqdn }}.{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ loop:
+ - key
+ - crt
+
+- name: Install API TLS CA
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert.ca }}'
+ dest: '/var/lib/icinga2/certs/ca.crt'
+ owner: nagios
+ group: nagios
+ become: yes
+
- name: Enable features
file:
state: link
- path: '/etc/icinga2/features-available/api.con'
+ path: '/etc/icinga2/features-enabled/api.conf'
src: '../features-available/api.conf'
owner: nagios
group: nagios
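Review bot: The "Install API TLS Key/Certificate" task copies the private key without setting `mode`, so the file under `/var/lib/icinga2/certs/` will get whatever the umask of the become user yields — typically world-readable — for a key that is supposed to be readable only by `nagios`; add `mode: "{{ '0600' if item == 'key' else '0644' }}"` to that task. The "Install config from git" task reads `icinga.config.git_version`, while the defaults added in this commit define `git_branch`, so one of the two must be renamed; a git repository whose contents are executed as Icinga configuration should also be pinned to a tag or commit, not a branch. Using the whole system bundle `ca-certificates.crt` as the Icinga `ca.crt` appears to mean any publicly-trusted certificate with a matching CN would be accepted as a cluster peer — confirm that is intended, as Icinga normally uses its own dedicated CA here.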
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
index 1d527fc..ee4cd6a 100644
--- a/roles/icinga2/tasks/icingaweb.yml
+++ b/roles/icinga2/tasks/icingaweb.yml
@@ -67,6 +67,14 @@
- modules/monitoring/commandtransports.ini
- modules/monitoring/backends.ini
+- name: Install modules
+ git:
+ dest: '/usr/share/icingaweb2/modules/{{ item.key }}'
+ repo: '{{ item.value.url }}'
+ version: '{{ item.value.version }}'
+ become: yes
+ with_dict: '{{ icingaweb.install_modules }}'
+
- name: Enable modules
file:
path: '/etc/icingaweb2/enabledModules/{{ item }}'
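Review bot: The "Install modules" task clones a third-party repository as root into `/usr/share/icingaweb2/modules`, and because the git module's `update` defaults to yes, every run will re-fetch the ref named in `item.value.version` (by default `master` per the new defaults), so the deployed PHP can change underneath the web server without any change in the playbook. Pin the ref and make the intent explicit, e.g. add `update: no` together with a comment like `# version should be a tag or commit SHA; repo contents are executed by apache as PHP`. `with_dict` still works but is legacy syntax; `loop: "{{ icingaweb.install_modules | dict2items }}"` with `item.key`/`item.value` is the current idiom.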
@@ -84,4 +92,3 @@
groups: www-data
append: yes
become: yes
-
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
index 35e9bd6..bcb702f 100644
--- a/roles/icinga2/tasks/main.yml
+++ b/roles/icinga2/tasks/main.yml
@@ -43,6 +43,8 @@
- apache2
- libapache2-mod-php
- python3-pymysql
+ - git
+ - mailutils
become: yes
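Review bot: The package list adds `git` and `mailutils` but not the SASL client modules that the new postfix.yml in this commit depends on; that file even carries the comment `# sudo apt install libsasl2-modules sasl2-bin`, so `smtp_sasl_auth_enable = yes` will fail at send time with "no SASL authentication mechanisms" until the package is present. Add `- libsasl2-modules` to this list (and `- postfix` if it is not installed elsewhere in the role), or install it conditionally in postfix.yml. The enclosing `apt` task starts before this hunk.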
- name: Securing MariaDB installation
@@ -84,3 +86,10 @@
- name: Configure Icingaweb2
include_tasks: icingaweb.yml
+
+- name: Configure apache2
+ include_tasks: apache.yml
+
+- name: Configure postfix
+ include_tasks: postfix.yml
+ when: icinga.mail.enable | default(false)
diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml
new file mode 100644
index 0000000..e71cc1d
--- /dev/null
+++ b/roles/icinga2/tasks/postfix.yml
@@ -0,0 +1,49 @@
+---
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.smtp_host }} {{ icinga.mail.smtp_user }}:{{ icinga.mail.smtp_psw }}'
+ dest: /etc/postfix/relay-credentials
+ mode: '0600'
+ become: yes
+ register: relay_creds
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/relay-credentials
+ become: yes
+ when: relay_creds.changed
+
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.from }} [{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}'
+ dest: /etc/postfix/bysender
+ become: yes
+ register: bysender
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/bysender
+ become: yes
+ when: bysender.changed
+
+# sudo apt install libsasl2-modules sasl2-bin
+- name: postfix config
+ lineinfile:
+ path: /etc/postfix/main.cf
+ regexp: '{{ item.reg }}'
+ line: '{{ item.line }}'
+ loop:
+ - reg: '^sender_dependent_relayhost_maps\w*=.*$'
+ line: 'sender_dependent_relayhost_maps = hash:/etc/postfix/bysender'
+ - reg: '^smtp_sasl_auth_enable\w*=.*$'
+ line: 'smtp_sasl_auth_enable = yes'
+ - reg: '^smtp_tls_security_level\w*=.*$'
+ line: 'smtp_tls_security_level = encrypt'
+ - reg: '^smtp_sasl_password_maps\w*=.*$'
+ line: 'smtp_sasl_password_maps = hash:/etc/postfix/relay-credentials'
+ - reg: '^smtp_use_tls\w*=.*$'
+ line: 'smtp_use_tls = yes'
+ - reg: '^smtp_sasl_security_options\w*=.*$'
+ line: 'smtp_sasl_security_options = noanonymous'
+ notify: Restart postfix
+ become: yes
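Review bot: The `regexp` values in the "postfix config" task use `\w*` before `=`, which matches word characters rather than whitespace, so the standard `key = value` form in `/etc/postfix/main.cf` is never matched and `lineinfile` appends a duplicate key each run instead of replacing the existing line; change each pattern to the form `reg: '^smtp_use_tls\s*=.*$'`. `smtp_tls_security_level = encrypt` forces TLS but does not verify the relay's certificate, so an on-path attacker can still present any certificate and capture the SASL credentials; `smtp_tls_security_level = secure` (or `verify`) together with `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` closes that. The "Install postfix relay creds" task writes the password into a `content:` string and should carry `no_log: true` so it does not appear in play output, and both `postmap` tasks should use `command:` rather than `shell:` since no shell features are needed.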
diff --git a/roles/icinga2/templates/default-ssl.conf.j2 b/roles/icinga2/templates/default-ssl.conf.j2
new file mode 100644
index 0000000..7c9ab9e
--- /dev/null
+++ b/roles/icinga2/templates/default-ssl.conf.j2
@@ -0,0 +1,23 @@
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLProtocol -all +TLSv1.2 +TLSv1.3
+ SSLCertificateFile {{ icingaweb.cert.cert }}
+ SSLCertificateKeyFile {{ icingaweb.cert.key }}
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+ </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
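Review bot: The vhost sets only `SSLCertificateFile` and `SSLCertificateKeyFile`; if `icingaweb.cert.cert` is ever a CA-issued leaf rather than the self-signed snakeoil default, clients will see an incomplete chain unless the file is a full bundle, so either document that expectation with `# cert must contain the full chain (leaf + intermediates)` or add a configurable `SSLCertificateChainFile`. There is also no HSTS header, so the HTTP→HTTPS redirect in 000-default.conf can still be stripped on first contact; `Header always set Strict-Transport-Security "max-age=63072000"` would need `headers.load` added to the mods list in apache.yml. No `SSLCipherSuite` is set, so the cipher policy is whatever Debian's global `ssl.conf` provides — fine, but worth a comment so nobody assumes this file is self-contained.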
diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2
index fcb9088..13d2d7f 100644
--- a/roles/icinga2/templates/icinga2.conf.j2
+++ b/roles/icinga2/templates/icinga2.conf.j2
@@ -19,4 +19,8 @@ include "features-enabled/*.conf"
include "ido-mysql.conf"
include "api_users.conf"
+{% if icinga.config.manage is true %}
+include_recursive "conf.git.d"
+{% else %}
include_recursive "conf.d"
+{% endif %}
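Review bot: The template tests `icinga.config.manage is true`, which is a strict identity test against the boolean `True`, while the git task in icinga.yml uses `icinga.config.manage | default(false)`; if `manage` is undefined, or arrives as the string `"true"` from `--extra-vars`, the task and the template disagree and the template can raise or silently fall back to `conf.d` while the git checkout still happens. Use the same expression in both places, `{% if icinga.config.manage | default(false) | bool %}`, and add a comment above it such as `{# conf.d is NOT included when config is git-managed; only conf.git.d is loaded #}` since that exclusivity is a notable behavior change.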