From 5490ae91cd85a65001d3c9df685b935c11e1378d Mon Sep 17 00:00:00 2001 From: Jonas Gunz Date: Fri, 21 Jan 2022 14:52:16 +0100 Subject: WIP: Icinga2 improvements --- roles/icinga2/defaults/main.yml | 22 ++++++++++++- roles/icinga2/files/000-default.conf | 9 ++++++ roles/icinga2/files/index.html | 9 ++++++ roles/icinga2/handlers/main.yml | 14 +++++++++ roles/icinga2/tasks/apache.yml | 44 ++++++++++++++++++++++++++ roles/icinga2/tasks/icinga.yml | 41 +++++++++++++++++++++++- roles/icinga2/tasks/icingaweb.yml | 9 +++++- roles/icinga2/tasks/main.yml | 9 ++++++ roles/icinga2/tasks/postfix.yml | 49 +++++++++++++++++++++++++++++ roles/icinga2/templates/default-ssl.conf.j2 | 23 ++++++++++++++ roles/icinga2/templates/icinga2.conf.j2 | 4 +++ 11 files changed, 230 insertions(+), 3 deletions(-) create mode 100644 roles/icinga2/files/000-default.conf create mode 100644 roles/icinga2/files/index.html create mode 100644 roles/icinga2/tasks/apache.yml create mode 100644 roles/icinga2/tasks/postfix.yml create mode 100644 roles/icinga2/templates/default-ssl.conf.j2 diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml index f8b46e2..9b6a007 100644 --- a/roles/icinga2/defaults/main.yml +++ b/roles/icinga2/defaults/main.yml @@ -9,10 +9,25 @@ icinga: - name: 'test' password: 'changeme' permissions: '[ ]' + # CN MUST match FQDN + api_cert: + crt: '/etc/ssl/cert/ssl-cert-snakeoil.pem' + key: '/etc/ssl/private/ssl-cert-snakeoil.key' + ca: '/etc/ssl/certs/ca-certificates.crt' + config: + manage: false + git_url: '' + git_branch: 'mainu' + mail: + enable: false + smtp_host: 'smtp.example.com' + smtp_port: '25' + smtp_user: '' + smtp_psw: '' + from: '' icingaweb: cert: - use_ssl: true cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem' key: '/etc/ssl/private/ssl-cert-snakeoil.key' ldap: 
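Review bot: `icinga.config` defines `git_branch: 'mainu'`, but the `Install config from git` task in tasks/icinga.yml reads `icinga.config.git_version`, so turning `manage` on fails on an undefined variable before anything is cloned; rename one side so they agree, e.g. `git_version: 'main'` here, which also fixes what looks like a typo in `'mainu'`. `api_cert.crt` points at `/etc/ssl/cert/ssl-cert-snakeoil.pem` while `ca` uses `/etc/ssl/certs/`; Debian's ssl-cert package installs the snakeoil pair under `/etc/ssl/certs/` and `/etc/ssl/private/`, so the singular `cert/` (also present in the pre-existing `icingaweb.cert.cert` line) appears to be a typo. The `# CN MUST match FQDN` comment would be more useful stating why: tasks/icinga.yml installs the pair as `/var/lib/icinga2/certs/<fqdn>.{key,crt}`, which is the path Icinga 2's ApiListener loads by default, so a CN that differs from the host's FQDN is not picked up.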
@@ -42,4 +57,9 @@ icingaweb: groups: 'Administrators' enabled_modules: - monitoring + - businessprocess + install_modules: + businessprocess: + url: 'https://github.com/Icinga/icingaweb2-module-businessprocess' + version: 'master' diff --git a/roles/icinga2/files/000-default.conf b/roles/icinga2/files/000-default.conf new file mode 100644 index 0000000..922eb96 --- /dev/null +++ b/roles/icinga2/files/000-default.conf @@ -0,0 +1,9 @@ + + ServerAdmin webmaster@localhost + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/icinga2/files/index.html b/roles/icinga2/files/index.html new file mode 100644 index 0000000..fa5cc89 --- /dev/null +++ b/roles/icinga2/files/index.html @@ -0,0 +1,9 @@ + + + + + + +
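Review bot: `install_modules.businessprocess.version: 'master'` makes the `Install modules` task in tasks/icingaweb.yml clone whatever the upstream branch head is at run time, so the code deployed into `/usr/share/icingaweb2/modules/` changes between runs without any change in this repository and cannot be audited or rolled back. Pin to a release tag or commit, e.g. `version: '<release tag or commit sha>'`, and bump it deliberately. A comment above `install_modules` noting that `version` is passed straight to the git module would make the pinning expectation explicit.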
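Review bot: `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]` issues a temporary 302 redirect, so clients keep trying plain HTTP first on every visit; `[R=301,L]` lets them cache the redirect, and together with an HSTS header on the TLS vhost it removes the cleartext round-trip after the first visit. A one-line comment above `RewriteEngine On` saying the vhost exists only to redirect to HTTPS would make the intent clear to the next reader.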

Icinga Web 2.

+ + diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml index 730742e..15e7fdf 100644 --- a/roles/icinga2/handlers/main.yml +++ b/roles/icinga2/handlers/main.yml @@ -5,3 +5,17 @@ state: restarted enabled: yes become: yes + +- name: Restart apache + systemd: + name: apache2 + state: restarted + enabled: yes + become: yes + +- name: Restart postfix + systemd: + name: postfix + state: restarted + enabled: yes + become: yes diff --git a/roles/icinga2/tasks/apache.yml b/roles/icinga2/tasks/apache.yml new file mode 100644 index 0000000..bfc6a52 --- /dev/null +++ b/roles/icinga2/tasks/apache.yml @@ -0,0 +1,44 @@ +--- +- name: Install index.html + copy: + src: index.html + dest: /var/www/html/index.html + become: yes + notify: Restart apache + +- name: Install site-config + copy: + src: 000-default.conf + dest: /etc/apache2/sites-available/000-default.conf + become: yes + notify: Restart apache + +- name: Install SSL site-config + template: + src: default-ssl.conf.j2 + dest: /etc/apache2/sites-available/default-ssl.conf + become: yes + notify: Restart apache + +- name: Enable sites + file: + state: link + path: '/etc/apache2/sites-enabled/{{ item }}' + src: '../sites-available/{{ item }}' + loop: + - 000-default.conf + - default-ssl.conf + become: yes + notify: Restart apache + +- name: Enable apache mods + file: + state: link + path: '/etc/apache2/mods-enabled/{{ item }}' + src: '../mods-available/{{ item }}' + loop: + - ssl.conf + - ssl.load + - socache_shmcb.load + become: yes + notify: Restart apache diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml index ec6fe1e..7acbb47 100644 --- a/roles/icinga2/tasks/icinga.yml +++ b/roles/icinga2/tasks/icinga.yml 
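Review bot: `Enable apache mods` links `ssl.conf`, `ssl.load` and `socache_shmcb.load` but not `rewrite.load`, while the `000-default.conf` installed by `Install site-config` starts with `RewriteEngine On`; on a stock Debian/Ubuntu apache2, where mod_rewrite is not enabled, the `Restart apache` handler then fails on an unknown directive. Add `- rewrite.load` to the loop. Every task here notifies a full `Restart apache` although only configuration files change; a `state: reloaded` handler would apply the same configuration without dropping in-flight Icinga Web requests on each run.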
@@ -47,10 +47,49 @@ - ido-mysql.conf - api_users.conf +- name: Install config from git + git: + dest: '/etc/icinga2/conf.git.d' + repo: '{{ icinga.config.git_url }}' + version: '{{ icinga.config.git_version }}' + become: yes + become_user: nagios + when: icinga.config.manage | default(false) + notify: Restart icinga + +- name: Create API certs folder + file: + state: directory + path: /var/lib/icinga2/certs + owner: nagios + group: nagios + become: yes + +- name: Install API TLS Key/Certificate + copy: + remote_src: yes + src: '{{ icinga.api_cert[item] }}' + dest: '/var/lib/icinga2/certs/{{ ansible_facts.fqdn }}.{{ item }}' + owner: nagios + group: nagios + become: yes + loop: + - key + - crt + +- name: Install API TLS CA + copy: + remote_src: yes + src: '{{ icinga.api_cert.ca }}' + dest: '/var/lib/icinga2/certs/ca.crt' + owner: nagios + group: nagios + become: yes + - name: Enable features file: state: link - path: '/etc/icinga2/features-available/api.con' + path: '/etc/icinga2/features-enabled/api.conf' src: '../features-available/api.conf' owner: nagios group: nagios diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml index 1d527fc..ee4cd6a 100644 --- a/roles/icinga2/tasks/icingaweb.yml +++ b/roles/icinga2/tasks/icingaweb.yml @@ -67,6 +67,14 @@ - modules/monitoring/commandtransports.ini - modules/monitoring/backends.ini +- name: Install modules + git: + dest: '/usr/share/icingaweb2/modules/{{ item.key }}' + repo: '{{ item.value.url }}' + version: '{{ item.value.version }}' + become: yes + with_dict: '{{ icingaweb.install_modules }}' + - name: Enable modules file: path: '/etc/icingaweb2/enabledModules/{{ item }}' @@ -84,4 +92,3 @@ groups: www-data append: yes become: yes - diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml index 35e9bd6..bcb702f 100644 --- a/roles/icinga2/tasks/main.yml +++ b/roles/icinga2/tasks/main.yml 
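Review bot: `Install API TLS Key/Certificate` copies the private key with no `mode`, so the permissions of `/var/lib/icinga2/certs/<fqdn>.key` depend on the copy module's defaults rather than being pinned; `mode: "{{ '0600' if item == 'key' else '0644' }}"` makes the key owner-readable only regardless of how the source was set. `Install API TLS CA` writes `icinga.api_cert.ca` to `ca.crt`, and the default for that variable is the whole system bundle `/etc/ssl/certs/ca-certificates.crt`; Icinga 2 authenticates cluster endpoints and certificate-based ApiUsers against this file, so with that default any certificate issued by any public CA is trusted as long as its CN matches — the default should be the CA that actually issued the API certificate, and a comment on the task saying so would help. If facts are not gathered, `ansible_facts.fqdn` in `dest` is undefined; a comment on the task naming that requirement avoids a confusing failure.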
@@ -43,6 +43,8 @@ - apache2 - libapache2-mod-php - python3-pymysql + - git + - mailutils become: yes - name: Securing MariaDB installation @@ -84,3 +86,10 @@ - name: Configure Icingaweb2 include_tasks: icingaweb.yml + +- name: Configure apache2 + include_tasks: apache.yml + +- name: Configure postfix + include_tasks: postfix.yml + when: icinga.mail.enable | default(false) diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml new file mode 100644 index 0000000..e71cc1d --- /dev/null +++ b/roles/icinga2/tasks/postfix.yml 
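Review bot: The package list adds `git` and `mailutils` but not `postfix` or `libsasl2-modules`, although tasks/postfix.yml configures Postfix with SASL authentication and its own comment (`# sudo apt install libsasl2-modules sasl2-bin`) leaves that as a manual step; on Debian `mailutils` typically pulls in the default MTA, but without `libsasl2-modules` the relay login fails at runtime with no SASL mechanism available. Add `- postfix` and `- libsasl2-modules` to the list (or install them conditionally at the top of postfix.yml) and drop the comment. `git` is only needed when `icinga.config.manage` or `icingaweb.install_modules` is used; a comment on the list entry saying so tells the reader why it is there.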
@@ -0,0 +1,49 @@
+---
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.smtp_host }} {{ icinga.mail.smtp_user }}:{{ icinga.mail.smtp_psw }}'
+ dest: /etc/postfix/relay-credentials
+ mode: '0600'
+ become: yes
+ register: relay_creds
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/relay-credentials
+ become: yes
+ when: relay_creds.changed
+
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.from }} [{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}'
+ dest: /etc/postfix/bysender
+ become: yes
+ register: bysender
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/bysender
+ become: yes
+ when: bysender.changed
+
+# sudo apt install libsasl2-modules sasl2-bin
+- name: postfix config
+ lineinfile:
+ path: /etc/postfix/main.cf
+ regexp: '{{ item.reg }}'
+ line: '{{ item.line }}'
+ loop:
+ - reg: '^sender_dependent_relayhost_maps\w*=.*$'
+ line: 'sender_dependent_relayhost_maps = hash:/etc/postfix/bysender'
+ - reg: '^smtp_sasl_auth_enable\w*=.*$'
+ line: 'smtp_sasl_auth_enable = yes'
+ - reg: '^smtp_tls_security_level\w*=.*$'
+ line: 'smtp_tls_security_level = encrypt'
+ - reg: '^smtp_sasl_password_maps\w*=.*$'
+ line: 'smtp_sasl_password_maps = hash:/etc/postfix/relay-credentials'
+ - reg: '^smtp_use_tls\w*=.*$'
+ line: 'smtp_use_tls = yes'
+ - reg: '^smtp_sasl_security_options\w*=.*$'
+ line: 'smtp_sasl_security_options = noanonymous'
+ notify: Restart postfix
+ become: yes
diff --git a/roles/icinga2/templates/default-ssl.conf.j2 b/roles/icinga2/templates/default-ssl.conf.j2
new file mode 100644
index 0000000..7c9ab9e
--- /dev/null
+++ b/roles/icinga2/templates/default-ssl.conf.j2
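Review bot: The `regexp` entries in the `postfix config` loop use `\w*` between the parameter name and `=`, which only matches `key=value` written without spaces; `postconf -e` and most of Debian's main.cf write `key = value`, so such existing lines are never replaced and a second definition is appended (Postfix warns and takes the last one). `\s*` is almost certainly what was meant, e.g. `- reg: '^smtp_sasl_auth_enable\s*=.*$'`, and the same applies to the other five entries. The first `Install postfix relay creds` task renders the SMTP password into `content`; add `no_log: true` to it so the value does not appear in play output, `--diff` output or the registered `relay_creds` result. The second `copy` and the second `Create hash db` task reuse the first tasks' names although they build the `bysender` map, which makes play output ambiguous; `- name: Install postfix sender-dependent relay map` and `- name: Create bysender hash db` would be clearer. `smtp_tls_security_level = encrypt` enforces TLS but does not authenticate the relay, so the credentials are sent to whoever answers on the path; for a relay with a public certificate, `smtp_tls_security_level = secure` together with `smtp_tls_CApath = /etc/ssl/certs` (which Debian's default main.cf already sets) also verifies the server before authenticating.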
@@ -0,0 +1,23 @@ + + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + SSLEngine on + SSLProtocol -all +TLSv1.2 +TLSv1.3 + SSLCertificateFile {{ icingaweb.cert.cert }} + SSLCertificateKeyFile {{ icingaweb.cert.key }} + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2 index fcb9088..13d2d7f 100644 --- a/roles/icinga2/templates/icinga2.conf.j2 +++ b/roles/icinga2/templates/icinga2.conf.j2 @@ -19,4 +19,8 @@ include "features-enabled/*.conf" include "ido-mysql.conf" include "api_users.conf" +{% if icinga.config.manage is true %} +include_recursive "conf.git.d" +{% else %} include_recursive "conf.d" +{% endif %} -- cgit v1.2.3
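Review bot: The TLS vhost restricts `SSLProtocol` to TLS 1.2/1.3 but sets no `Strict-Transport-Security` header, so the redirect in 000-default.conf protects only the first request of each visit; `Header always set Strict-Transport-Security "max-age=63072000"` inside the vhost closes that, and it needs `headers.load` added to the `Enable apache mods` loop in tasks/apache.yml. The template also sets no `SSLCipherSuite`/`SSLHonorCipherOrder`, so the cipher list is whatever the distribution's ssl.conf provides; a comment next to `SSLProtocol` stating that this is relied on would make the decision visible.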
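Review bot: `{% if icinga.config.manage is true %}` depends on the Jinja2 `true` test, which only exists from Jinja2 2.11, and it also differs from how tasks/icinga.yml and tasks/main.yml test the same flag (`icinga.config.manage | default(false)`); `{% if icinga.config.manage | default(false) %}` renders the same and works on every Jinja2 Ansible supports. When `manage` is on, the template stops including `conf.d` entirely, so the repository cloned into `conf.git.d` must provide every object the stock `conf.d` supplies (templates, commands, timeperiods and so on) or `icinga2 daemon -C` fails; a comment above the `{% if %}` saying so would spare the next operator that surprise.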