diff options
-rw-r--r-- | galaxy.yml | 2 | ||||
-rw-r--r-- | roles/bind/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/bind/tasks/download_zonefile.yml | 10 | ||||
-rw-r--r-- | roles/gitea/Readme.md | 10 | ||||
-rw-r--r-- | roles/gitea/templates/app.ini.j2 | 8 | ||||
-rw-r--r-- | roles/icinga2/defaults/main.yml | 25 | ||||
-rw-r--r-- | roles/icinga2/files/000-default.conf | 9 | ||||
-rw-r--r-- | roles/icinga2/files/index.html | 9 | ||||
-rw-r--r-- | roles/icinga2/handlers/main.yml | 14 | ||||
-rw-r--r-- | roles/icinga2/tasks/apache.yml | 44 | ||||
-rw-r--r-- | roles/icinga2/tasks/icinga.yml | 41 | ||||
-rw-r--r-- | roles/icinga2/tasks/icingaweb.yml | 9 | ||||
-rw-r--r-- | roles/icinga2/tasks/main.yml | 30 | ||||
-rw-r--r-- | roles/icinga2/tasks/postfix.yml | 48 | ||||
-rw-r--r-- | roles/icinga2/templates/default-ssl.conf.j2 | 23 | ||||
-rw-r--r-- | roles/icinga2/templates/icinga2.conf.j2 | 4 | ||||
-rw-r--r-- | roles/icinga2/templates/web/groups.ini.j2 | 2 |
17 files changed, 280 insertions, 9 deletions
@@ -1,6 +1,6 @@ namespace: kompetenzbolzen name: stuff -version: 0.8.1 +version: 0.8.10 readme: README.md authors: - Jonas Gunz <himself@jonasgunz.de> diff --git a/roles/bind/defaults/main.yml b/roles/bind/defaults/main.yml index bd90082..f242706 100644 --- a/roles/bind/defaults/main.yml +++ b/roles/bind/defaults/main.yml @@ -1,4 +1,5 @@ --- bind_zones: [] bind_zonefile_base_url: '' +bind_zonefile_base_folder: '' bind_install_zonefiles: false diff --git a/roles/bind/tasks/download_zonefile.yml b/roles/bind/tasks/download_zonefile.yml index 9e89507..9c0f4ac 100644 --- a/roles/bind/tasks/download_zonefile.yml +++ b/roles/bind/tasks/download_zonefile.yml @@ -5,6 +5,7 @@ return_content: yes delegate_to: localhost register: zonefile + when: bind_zonefile_base_url != "" - name: Install zonefile copy: @@ -12,4 +13,13 @@ content: '{{ zonefile.content }}' become: yes notify: Restart bind + when: bind_zonefile_base_url != "" + +- name: Copy zonefile + copy: + src: '{{ bind_zonefile_base_folder }}/{{ item }}' + dest: '/etc/bind/zonefiles/{{ item }}' + become: yes + notify: Restart bind + when: bind_zonefile_base_folder != "" diff --git a/roles/gitea/Readme.md b/roles/gitea/Readme.md index 6637b97..139de4a 100644 --- a/roles/gitea/Readme.md +++ b/roles/gitea/Readme.md @@ -29,5 +29,15 @@ gitea: user: '' passwd: '' ssl: 'true' + mail: + enable: false + smtp_host: '' + tls: false + skip_verify: false + from: '' + user: '' + pass: '' + plain_text: false + subject_prefix: '' ``` diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 index 9bbd097..f59c557 100644 --- a/roles/gitea/templates/app.ini.j2 +++ b/roles/gitea/templates/app.ini.j2 @@ -631,13 +631,15 @@ EMAIL_DOMAIN_WHITELIST = ; Comma-separated list of domain names that are not allowed to be used to register on a Gitea instance EMAIL_DOMAIN_BLOCKLIST = ; Disallow registration, only allow admins to create accounts. + + DISABLE_REGISTRATION = true ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false ALLOW_ONLY_EXTERNAL_REGISTRATION = false -; User must sign in to view anything. + REQUIRE_SIGNIN_VIEW = true -; Mail notification -ENABLE_NOTIFY_MAIL = false +ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable }} + ; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password ; If you set this to false you will not be able to access the tokens endpoints on the API with your password ; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml index f8b46e2..0c36ee6 100644 --- a/roles/icinga2/defaults/main.yml +++ b/roles/icinga2/defaults/main.yml @@ -9,10 +9,25 @@ icinga: - name: 'test' password: 'changeme' permissions: '[ ]' + # CN MUST match FQDN + api_cert: + crt: '/etc/ssl/cert/ssl-cert-snakeoil.pem' + key: '/etc/ssl/private/ssl-cert-snakeoil.key' + ca: '/etc/ssl/certs/ca-certificates.crt' + config: + manage: false + git_url: '' + git_branch: 'mainu' + mail: + enable: false + smtp_host: 'smtp.example.com' + smtp_port: '25' + smtp_user: '' + smtp_psw: '' + from: '' icingaweb: cert: - use_ssl: true cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem' key: '/etc/ssl/private/ssl-cert-snakeoil.key' ldap: @@ -29,7 +44,8 @@ icingaweb: filter: '' groups: base_dn: '' - group_member_attribute: 'cn' + group_member_attribute: 'member' + group_name_attribute: 'cn' group_class: 'groupOfNames' group_filter: 'cn=*' user_base_dn: '' @@ -42,4 +58,9 @@ icingaweb: groups: 'Administrators' enabled_modules: - monitoring + - businessprocess + install_modules: + businessprocess: + url: 'https://github.com/Icinga/icingaweb2-module-businessprocess' + version: 'master' diff --git a/roles/icinga2/files/000-default.conf b/roles/icinga2/files/000-default.conf new file mode 100644 index 0000000..922eb96 --- /dev/null +++ b/roles/icinga2/files/000-default.conf @@ -0,0 +1,9 @@ +<VirtualHost *:80> + ServerAdmin webmaster@localhost + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] +</VirtualHost> + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/icinga2/files/index.html b/roles/icinga2/files/index.html new file mode 100644 index 0000000..fa5cc89 --- /dev/null +++ b/roles/icinga2/files/index.html @@ -0,0 +1,9 @@ +<!DOCTYPE html> +<html> + <head> + <meta http-equiv="refresh" content="0; url='/icingaweb2'" /> + </head> + <body> + <p><a href="/icingaweb2">Icinga Web 2</a>.</p> + </body> +</html> diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml index 730742e..15e7fdf 100644 --- a/roles/icinga2/handlers/main.yml +++ b/roles/icinga2/handlers/main.yml @@ -5,3 +5,17 @@ state: restarted enabled: yes become: yes + +- name: Restart apache + systemd: + name: apache2 + state: restarted + enabled: yes + become: yes + +- name: Restart postfix + systemd: + name: postfix + state: restarted + enabled: yes + become: yes diff --git a/roles/icinga2/tasks/apache.yml b/roles/icinga2/tasks/apache.yml new file mode 100644 index 0000000..bfc6a52 --- /dev/null +++ b/roles/icinga2/tasks/apache.yml @@ -0,0 +1,44 @@ +--- +- name: Install index.html + copy: + src: index.html + dest: /var/www/html/index.html + become: yes + notify: Restart apache + +- name: Install site-config + copy: + src: 000-default.conf + dest: /etc/apache2/sites-available/000-default.conf + become: yes + notify: Restart apache + +- name: Install SSL site-config + template: + src: default-ssl.conf.j2 + dest: /etc/apache2/sites-available/default-ssl.conf + become: yes + notify: Restart apache + +- name: Enable sites + file: + state: link + path: '/etc/apache2/sites-enabled/{{ item }}' + src: '../sites-available/{{ item }}' + loop: + - 000-default.conf + - default-ssl.conf + become: yes + notify: Restart apache + +- name: Enable apache mods + file: + state: link + path: '/etc/apache2/mods-enabled/{{ item }}' + src: '../mods-available/{{ item }}' + loop: + - ssl.conf + - ssl.load + - socache_shmcb.load + become: yes + notify: Restart apache diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml index ec6fe1e..7acbb47 100644 --- a/roles/icinga2/tasks/icinga.yml +++ b/roles/icinga2/tasks/icinga.yml @@ -47,10 +47,49 @@ - ido-mysql.conf - api_users.conf +- name: Install config from git + git: + dest: '/etc/icinga2/conf.git.d' + repo: '{{ icinga.config.git_url }}' + version: '{{ icinga.config.git_version }}' + become: yes + become_user: nagios + when: icinga.config.manage | default(false) + notify: Restart icinga + +- name: Create API certs folder + file: + state: directory + path: /var/lib/icinga2/certs + owner: nagios + group: nagios + become: yes + +- name: Install API TLS Key/Certificate + copy: + remote_src: yes + src: '{{ icinga.api_cert[item] }}' + dest: '/var/lib/icinga2/certs/{{ ansible_facts.fqdn }}.{{ item }}' + owner: nagios + group: nagios + become: yes + loop: + - key + - crt + +- name: Install API TLS CA + copy: + remote_src: yes + src: '{{ icinga.api_cert.ca }}' + dest: '/var/lib/icinga2/certs/ca.crt' + owner: nagios + group: nagios + become: yes + - name: Enable features file: state: link - path: '/etc/icinga2/features-available/api.con' + path: '/etc/icinga2/features-enabled/api.conf' src: '../features-available/api.conf' owner: nagios group: nagios diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml index 1d527fc..ee4cd6a 100644 --- a/roles/icinga2/tasks/icingaweb.yml +++ b/roles/icinga2/tasks/icingaweb.yml @@ -67,6 +67,14 @@ - modules/monitoring/commandtransports.ini - modules/monitoring/backends.ini +- name: Install modules + git: + dest: '/usr/share/icingaweb2/modules/{{ item.key }}' + repo: '{{ item.value.url }}' + version: '{{ item.value.version }}' + become: yes + with_dict: '{{ icingaweb.install_modules }}' + - name: Enable modules file: path: '/etc/icingaweb2/enabledModules/{{ item }}' @@ -84,4 +92,3 @@ groups: www-data append: yes become: yes - diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml index 35e9bd6..07f02d8 100644 --- a/roles/icinga2/tasks/main.yml +++ b/roles/icinga2/tasks/main.yml @@ -43,6 +43,10 @@ - apache2 - libapache2-mod-php - python3-pymysql + - git + - mailutils + - libsasl2-modules + - sasl2-bin become: yes - name: Securing MariaDB installation @@ -79,8 +83,34 @@ become: yes register: icingaweb_api_password +- name: generate SSH folder + file: + state: directory + path: /var/lib/nagios/.ssh + become: yes + become_user: nagios + +- name: generate SSH-Key + community.crypto.openssh_keypair: + comment: 'monitor' + path: /var/lib/nagios/.ssh/id_rsa + become: yes + become_user: nagios + register: ssh_key + +- name: Print SSH-PubKey + debug: + var: ssh_key.public_key + - name: Configure Icinga2 include_tasks: icinga.yml - name: Configure Icingaweb2 include_tasks: icingaweb.yml + +- name: Configure apache2 + include_tasks: apache.yml + +- name: Configure postfix + include_tasks: postfix.yml + when: icinga.mail.enable | default(false) diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml new file mode 100644 index 0000000..044a938 --- /dev/null +++ b/roles/icinga2/tasks/postfix.yml @@ -0,0 +1,48 @@ +--- +- name: Install postfix relay creds + copy: + content: '{{ icinga.mail.smtp_host }} {{ icinga.mail.smtp_user }}:{{ icinga.mail.smtp_psw }}' + dest: /etc/postfix/relay-credentials + mode: '0600' + become: yes + register: relay_creds + notify: Restart postfix + +- name: Create hash db + shell: postmap /etc/postfix/relay-credentials + become: yes + when: relay_creds.changed + +- name: Install postfix relay creds + copy: + content: '{{ icinga.mail.from }} [{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}' + dest: /etc/postfix/bysender + become: yes + register: bysender + notify: Restart postfix + +- name: Create hash db + shell: postmap /etc/postfix/bysender + become: yes + when: bysender.changed + +- name: postfix config + lineinfile: + path: /etc/postfix/main.cf + regexp: '{{ item.reg }}' + line: '{{ item.line }}' + loop: + - reg: '^sender_dependent_relayhost_maps\w*=.*$' + line: 'sender_dependent_relayhost_maps = hash:/etc/postfix/bysender' + - reg: '^smtp_sasl_auth_enable\w*=.*$' + line: 'smtp_sasl_auth_enable = yes' + - reg: '^smtp_tls_security_level\w*=.*$' + line: 'smtp_tls_security_level = encrypt' + - reg: '^smtp_sasl_password_maps\w*=.*$' + line: 'smtp_sasl_password_maps = hash:/etc/postfix/relay-credentials' + - reg: '^smtp_use_tls\w*=.*$' + line: 'smtp_use_tls = yes' + - reg: '^smtp_sasl_security_options\w*=.*$' + line: 'smtp_sasl_security_options = noanonymous' + become: yes + notify: Restart postfix diff --git a/roles/icinga2/templates/default-ssl.conf.j2 b/roles/icinga2/templates/default-ssl.conf.j2 new file mode 100644 index 0000000..7c9ab9e --- /dev/null +++ b/roles/icinga2/templates/default-ssl.conf.j2 @@ -0,0 +1,23 @@ +<IfModule mod_ssl.c> + <VirtualHost _default_:443> + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + SSLEngine on + SSLProtocol -all +TLSv1.2 +TLSv1.3 + SSLCertificateFile {{ icingaweb.cert.cert }} + SSLCertificateKeyFile {{ icingaweb.cert.key }} + + <FilesMatch "\.(cgi|shtml|phtml|php)$"> + SSLOptions +StdEnvVars + </FilesMatch> + <Directory /usr/lib/cgi-bin> + SSLOptions +StdEnvVars + </Directory> + </VirtualHost> +</IfModule> + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2 index fcb9088..13d2d7f 100644 --- a/roles/icinga2/templates/icinga2.conf.j2 +++ b/roles/icinga2/templates/icinga2.conf.j2 @@ -19,4 +19,8 @@ include "features-enabled/*.conf" include "ido-mysql.conf" include "api_users.conf" +{% if icinga.config.manage is true %} +include_recursive "conf.git.d" +{% else %} include_recursive "conf.d" +{% endif %} diff --git a/roles/icinga2/templates/web/groups.ini.j2 b/roles/icinga2/templates/web/groups.ini.j2 index 848b254..04dba70 100644 --- a/roles/icinga2/templates/web/groups.ini.j2 +++ b/roles/icinga2/templates/web/groups.ini.j2 @@ -13,5 +13,5 @@ group_class = {{ icingaweb.ldap.groups.group_class }} group_filter = {{ icingaweb.ldap.groups.group_filter }} user_base_dn = {{ icingaweb.ldap.groups.user_base_dn }} user_class = {{ icingaweb.ldap.groups.user_class }} -user_name_attribute = {{ icingaweb.ldap.groups.uid }} +user_name_attribute = {{ icingaweb.ldap.groups.user_name_attribute }} {% endif %} |