From e5df302e3c17c29f16427c5cf35a0d45ffd7aac6 Mon Sep 17 00:00:00 2001 
From: Jonas Gunz Date: Tue, 5 Oct 2021 03:47:16 +0200 Subject: icinga2: WIP --- roles/icinga2/Readme.md | 51 +++++++++++++ roles/icinga2/defaults/main.yml | 45 +++++++++++ roles/icinga2/handlers/main.yml | 7 ++ roles/icinga2/tasks/icinga.yml | 58 +++++++++++++++ roles/icinga2/tasks/icingaweb.yml | 87 ++++++++++++++++++++++ roles/icinga2/tasks/main.yml | 86 +++++++++++++++++++++ roles/icinga2/templates/api_users.conf.j2 | 17 +++++ roles/icinga2/templates/icinga.list.j2 | 5 ++ roles/icinga2/templates/icinga2.conf.j2 | 22 ++++++ roles/icinga2/templates/ido-mysql.conf.j2 | 13 ++++ roles/icinga2/templates/web/authentication.ini.j2 | 12 +++ roles/icinga2/templates/web/config.ini.j2 | 21 ++++++ roles/icinga2/templates/web/groups.ini.j2 | 17 +++++ .../web/modules/monitoring/backends.ini.j2 | 3 + .../modules/monitoring/commandtransports.ini.j2 | 6 ++ .../templates/web/modules/monitoring/config.ini.j2 | 2 + roles/icinga2/templates/web/resources.ini.j2 | 32 ++++++++ roles/icinga2/templates/web/roles.ini.j2 | 7 ++ 18 files changed, 491 insertions(+) create mode 100644 roles/icinga2/Readme.md create mode 100644 roles/icinga2/defaults/main.yml create mode 100644 roles/icinga2/handlers/main.yml create mode 100644 roles/icinga2/tasks/icinga.yml create mode 100644 roles/icinga2/tasks/icingaweb.yml create mode 100644 roles/icinga2/tasks/main.yml create mode 100644 roles/icinga2/templates/api_users.conf.j2 create mode 100644 roles/icinga2/templates/icinga.list.j2 create mode 100644 roles/icinga2/templates/icinga2.conf.j2 create mode 100644 roles/icinga2/templates/ido-mysql.conf.j2 create mode 100644 roles/icinga2/templates/web/authentication.ini.j2 create mode 100644 roles/icinga2/templates/web/config.ini.j2 create mode 100644 roles/icinga2/templates/web/groups.ini.j2 create mode 100644 roles/icinga2/templates/web/modules/monitoring/backends.ini.j2 create mode 100644 roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2 create mode 100644 
roles/icinga2/templates/web/modules/monitoring/config.ini.j2 create mode 100644 roles/icinga2/templates/web/resources.ini.j2 create mode 100644 roles/icinga2/templates/web/roles.ini.j2 diff --git a/roles/icinga2/Readme.md b/roles/icinga2/Readme.md new file mode 100644 index 0000000..05969c7 --- /dev/null +++ b/roles/icinga2/Readme.md @@ -0,0 +1,51 @@ +# icinga2 + +Installs Icinga2 Monitor standalone node and Icingaweb2 with integrated MariaDB Databse + +Default settings + +``` +--- +icinga_ido_db_pw: 'changeme' +icinga_web_db_pw: 'changeme' + +icinga: + # icingaweb2 api user is created automatically with random password + api_users: + - name: 'test' + password: 'changeme' + permissions: '[ ]' + +icingaweb: + cert: + use_ssl: true + cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem' + key: '/etc/ssl/private/ssl-cert-snakeoil.key' + ldap: + use_ldap: false + host: 'localhost' + port: '389' + # none / starttsl / ssl? + encryption: 'none' + root_dn: '' + bind_dn: '' + bind_pw: '' + user_class: 'inetOrgPerson' + user_name_attribute: 'uid' + filter: '' + groups: + base_dn: '' + group_member_attribute: 'cn' + group_class: 'groupOfNames' + group_filter: 'cn=*' + user_base_dn: '' + user_class: 'posixAccount' + user_name_attribute: 'uid' + roles: + - name: Administrators + users: 'admin' + permissions: '*' + groups: 'Administrators' + enabled_modules: + - monitoring +``` diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml new file mode 100644 index 0000000..f8b46e2 --- /dev/null +++ b/roles/icinga2/defaults/main.yml 
@@ -0,0 +1,45 @@
+---
+icinga_ido_db_pw: 'changeme'
+icinga_web_db_pw: 'changeme'
+
+
+icinga:
+ # icingaweb2 api user is created automatically with random password
+ api_users:
+ - name: 'test'
+ password: 'changeme'
+ permissions: '[ ]'
+
+icingaweb:
+ cert:
+ use_ssl: true
+ cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ ldap:
+ use_ldap: false
+ host: 'localhost'
+ port: '389'
+ # none / starttsl / ssl?
+ encryption: 'none'
+ root_dn: ''
+ bind_dn: ''
+ bind_pw: ''
+ user_class: 'inetOrgPerson'
+ user_name_attribute: 'uid'
+ filter: ''
+ groups:
+ base_dn: ''
+ group_member_attribute: 'cn'
+ group_class: 'groupOfNames'
+ group_filter: 'cn=*'
+ user_base_dn: ''
+ user_class: 'posixAccount'
+ user_name_attribute: 'uid'
+ roles:
+ - name: Administrators
+ users: 'admin'
+ permissions: '*'
+ groups: 'Administrators'
+ enabled_modules:
+ - monitoring
+
diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml
new file mode 100644
index 0000000..730742e
--- /dev/null
+++ b/roles/icinga2/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart icinga
+ systemd:
+ name: icinga2
+ state: restarted
+ enabled: yes
+ become: yes
diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml
new file mode 100644
index 0000000..ec6fe1e
--- /dev/null
+++ b/roles/icinga2/tasks/icinga.yml
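Review bot: The defaults ship live credentials — `icinga_ido_db_pw` and `icinga_web_db_pw` are `'changeme'` and the `icinga.api_users` entry creates a real Icinga API user `test` with password `changeme` — and nothing in the role refuses to run when they are left untouched, so a host provisioned from defaults ends up with guessable database and API passwords. I would ship `api_users: []` and add an early `assert` task such as `that: icinga_ido_db_pw != 'changeme' and icinga_web_db_pw != 'changeme'` with a `fail_msg` pointing operators at vault. Two smaller points: `cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'` looks like a typo for Debian's `/etc/ssl/certs/` directory (check on the target), and the comment `# none / starttsl / ssl?` should read `starttls`; with `encryption: 'none'` the LDAP `bind_pw` goes over the wire in cleartext, so anything other than a localhost directory should default to `starttls`.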
@@ -0,0 +1,58 @@
+---
+- name: Install icinga2.conf
+ template:
+ src: icinga2.conf.j2
+ dest: /etc/icinga2/icinga2.conf
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
+
+- name: IDO Database
+ mysql_db:
+ name: ido
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ register: ido_db
+
+- name: IDO Database schema import
+ mysql_db:
+ name: ido
+ target: '/usr/share/icinga2-ido-mysql/schema/mysql.sql'
+ state: import
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: ido_db.changed
+
+- name: IDO Database user
+ mysql_user:
+ name: icinga
+ host: 'localhost'
+ state: present
+ priv: 'ido.*:ALL'
+ password: '{{ icinga_ido_db_pw }}'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Install extra config files
+ template:
+ src: '{{ item }}.j2'
+ dest: '/etc/icinga2/{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
+ loop:
+ - ido-mysql.conf
+ - api_users.conf
+
+- name: Enable features
+ file:
+ state: link
+ path: '/etc/icinga2/features-available/api.con'
+ src: '../features-available/api.conf'
+ owner: nagios
+ group: nagios
+ become: yes
+ notify: Restart icinga
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
new file mode 100644
index 0000000..1d527fc
--- /dev/null
+++ b/roles/icinga2/tasks/icingaweb.yml
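Review bot: `ido-mysql.conf` and `api_users.conf` hold the IDO database password and every API password in cleartext, yet the 'Install extra config files' template task sets only `owner`/`group` and no `mode`, so the files get whatever the umask yields (commonly world-readable 0644) and any local account can read them; add `mode: '0640'` to that task, and to the `icinga2.conf` task for consistency. Separately, 'Enable features' links `path: '/etc/icinga2/features-available/api.con'` to `src: '../features-available/api.conf'` — the directory should be `features-enabled` and the name `api.conf`, otherwise the `include "features-enabled/*.conf"` in icinga2.conf never enables the API and the Icinga Web command transport on port 5665 has nothing to connect to. The API feature also expects the node certificate and CA that `icinga2 api setup` creates; I do not see that step in this commit, so it is presumably still WIP.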
@@ -0,0 +1,87 @@
+---
+- name: icingaweb Database
+ mysql_db:
+ name: icingaweb
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ register: icingaweb_db
+
+- name: icingaweb Database schema
+ mysql_db:
+ name: icingaweb
+ state: import
+ target: '/usr/share/icingaweb2/etc/schema/mysql.schema.sql'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: icingaweb_db.changed
+
+# password is 'admin'
+# create with php -r 'echo password_hash("admin", PASSWORD_DEFAULT);'
+- name: Create default admin user
+ community.mysql.mysql_query:
+ query: "INSERT INTO icingaweb.icingaweb_user (name, active, password_hash) VALUES ('admin', 1, '$2y$10$MN74jDR1LtgzEzxxxyqOgug1WWuuirfMWjOtHZdvi5yjsd4el75Y2')"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+ when: icingaweb_db.changed
+
+- name: icingaweb Database user
+ mysql_user:
+ name: icingaweb
+ host: localhost
+ state: present
+ priv: 'icingaweb.*:ALL'
+ password: '{{ icinga_web_db_pw }}'
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Config dirs
+ file:
+ state: directory
+ path: '/etc/icingaweb2/{{ item }}'
+ owner: root
+ group: icingaweb2
+ mode: '2770'
+ become: yes
+ loop:
+ - ''
+ - modules
+ - modules/monitoring
+ - enabledModules
+
+- name: Install configuration files
+ template:
+ src: 'web/{{ item }}.j2'
+ dest: '/etc/icingaweb2/{{ item }}'
+ owner: www-data
+ group: icingaweb2
+ mode: '0660'
+ become: yes
+ loop:
+ - config.ini
+ - authentication.ini
+ - groups.ini
+ - resources.ini
+ - roles.ini
+ - modules/monitoring/config.ini
+ - modules/monitoring/commandtransports.ini
+ - modules/monitoring/backends.ini
+
+- name: Enable modules
+ file:
+ path: '/etc/icingaweb2/enabledModules/{{ item }}'
+ src: '/usr/share/icingaweb2/modules/{{ item }}'
+ state: link
+ owner: www-data
+ group: icingaweb2
+ become: yes
+ with_items: '{{ icingaweb.enabled_modules }}'
+
+- name: icingaweb2 user
+ user:
+ name: icingaweb2
+ group: icingaweb2
+ groups: www-data
+ append: yes
+ become: yes
+
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
new file mode 100644
index 0000000..35e9bd6
--- /dev/null
+++ b/roles/icinga2/tasks/main.yml
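Review bot: 'Create default admin user' seeds a web login `admin` with the well-known password `admin` — the bcrypt hash for it is pasted into the `INSERT` and the default `Administrators` role gives that user `permissions: '*'` — so every fresh deployment exposes a full-admin account with a documented password until someone changes it by hand. Generate the password the way `main.yml` already generates the API secret (random value saved under `/etc/icinga2`, or a required vault variable), hash it on the host with `password_hash()` at run time instead of committing the hash, and pass the result to `mysql_query` through `positional_args` rather than string interpolation. Add `no_log: true` to that task so neither the hash nor the query is written to the Ansible log. The `when: icingaweb_db.changed` guard means the row is only inserted on first run, which is the right behaviour but deserves a comment so a later manual password change is not assumed to be reverted.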
@@ -0,0 +1,86 @@
+---
+- name: Install GnuPG
+ apt:
+ name: gnupg2
+ become: yes
+
+- name: Icinga APT Key
+ apt_key:
+ url: 'https://packages.icinga.com/icinga.key'
+ state: present
+ become: yes
+
+- name: Install Icinga APT Repository
+ template:
+ src: icinga.list.j2
+ dest: /etc/apt/sources.list.d/icinga.list
+ become: yes
+ register: install_repo
+
+- name: Update cache
+ apt:
+ update_cache: yes
+ become: yes
+ when: install_repo.changed
+
+- name: Install Packages
+ apt:
+ name:
+ - icinga2
+ - icinga2-ido-mysql
+ - icingaweb2
+ - icingacli
+ - monitoring-plugins
+ - mariadb-server
+ - mariadb-client
+ - php
+ - php-intl
+ - php-imagick
+ - php-gd
+ - php-mysql
+ - php-curl
+ - php-mbstring
+ - apache2
+ - libapache2-mod-php
+ - python3-pymysql
+ become: yes
+
+- name: Securing MariaDB installation
+ community.mysql.mysql_query:
+ query:
+ - "DELETE FROM mysql.user WHERE User=''"
+ - "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+ - "DROP DATABASE IF EXISTS test"
+ - "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
+ - "FLUSH PRIVILEGES"
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ become: yes
+
+- name: Generate Icingaweb2 API Password
+ shell:
+ cmd: 'dd if=/dev/urandom bs=16 count=1 status=none | base64'
+ creates: /etc/icinga2/api_pw.ansible
+ become: yes
+ register: gen_api_key
+
+- name: Save API Password
+ copy:
+ content: '{{ gen_api_key.stdout }}'
+ dest: /etc/icinga2/api_pw.ansible
+ owner: root
+ group: root
+ mode: '600'
+ become: yes
+ when: gen_api_key.changed
+
+- name: Read API Password
+ slurp:
+ src: /etc/icinga2/api_pw.ansible
+ become: yes
+ register: icingaweb_api_password
+
+- name: Configure Icinga2
+ include_tasks: icinga.yml
+
+- name: Configure Icingaweb2
+ include_tasks: icingaweb.yml
diff --git a/roles/icinga2/templates/api_users.conf.j2 b/roles/icinga2/templates/api_users.conf.j2
new file mode 100644
index 0000000..e72847a
--- /dev/null
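Review bot: The random API secret produced by 'Generate Icingaweb2 API Password' is registered into `gen_api_key.stdout`, written by the `copy` task and read back by `slurp` into `icingaweb_api_password`, and none of the three tasks sets `no_log: true`, so the secret shows up in `-v` output and in any callback or result store that records task results (the `copy` result includes `content`); add `no_log: true` to all three. The `apt_key` task also puts the Icinga key into apt's global trusted keyring (via the deprecated apt-key path, depending on the apt version), where it can sign any configured repository — prefer fetching it into a dedicated keyring and referencing it with `signed-by` from the sources template.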
+++ b/roles/icinga2/templates/api_users.conf.j2
@@ -0,0 +1,17 @@
+/**
+* vi: ft=icinga2
+* This File is managed by Ansible. Do NOT change.
+*/
+
+object ApiUser "icingaweb2" {
+ password = "{{ icingaweb_api_password.content | b64decode }}"
+ permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
+}
+
+{% for user in icinga.api_users %}
+
+object ApiUser "{{ user.name }}" {
+ password = "{{ user.password }}"
+ permissions = {{ user.permissions }}
+}
+{% endfor %}
diff --git a/roles/icinga2/templates/icinga.list.j2 b/roles/icinga2/templates/icinga.list.j2
new file mode 100644
index 0000000..f3654bd
--- /dev/null
+++ b/roles/icinga2/templates/icinga.list.j2
@@ -0,0 +1,5 @@
+# vi: ft=debsources
+# This file is managed by Ansible. Do NOT change.
+
+deb https://packages.icinga.com/debian icinga-{{ ansible_facts.distribution_release }} main
+deb-src https://packages.icinga.com/debian icinga-{{ ansible_facts.distribution_release }} main
diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2
new file mode 100644
index 0000000..fcb9088
--- /dev/null
+++ b/roles/icinga2/templates/icinga2.conf.j2
@@ -0,0 +1,22 @@
+/**
+* vi: ft=icinga2
+* This File is managed by Ansible. Do NOT change.
+*/
+
+include "constants.conf"
+include "zones.conf"
+
+include
+include
+include
+include
+
+include
+
+include
+
+include "features-enabled/*.conf"
+include "ido-mysql.conf"
+include "api_users.conf"
+
+include_recursive "conf.d"
diff --git a/roles/icinga2/templates/ido-mysql.conf.j2 b/roles/icinga2/templates/ido-mysql.conf.j2
new file mode 100644
index 0000000..ef7a398
--- /dev/null
+++ b/roles/icinga2/templates/ido-mysql.conf.j2
@@ -0,0 +1,13 @@
+/**
+* vi: ft=icinga2
+* This File is managed by Ansible. Do NOT change.
+*/
+
+library "db_ido_mysql"
+
+object IdoMysqlConnection "ido-mysql" {
+ user = "icinga",
+ password = "{{ icinga_ido_db_pw }}",
+ host = "localhost",
+ database = "ido"
+}
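Review bot: `permissions = {{ user.permissions }}` interpolates the inventory value raw into the Icinga DSL, so the shipped default `'[ ]'` produces an API user that is allowed to do nothing, and any value that is not already valid DSL (a stray quote is enough) fails config validation and takes the daemon down on the next `Restart icinga`. Accept a YAML list in defaults and render it as `permissions = {{ user.permissions | default([]) | to_json }}` — the DSL accepts JSON array syntax — so the template stays valid regardless of what the inventory contains. If the target Icinga version supports the ApiUser `password_hash` attribute, prefer rendering a hash over the cleartext `password` so the config file no longer holds reusable secrets.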
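Review bot: Both `deb` entries carry no `signed-by=`, so package trust rests on the key the `apt_key` task dropped into apt's global keyring, where it can sign any repository on the system. Download the key with `get_url` to e.g. `/usr/share/keyrings/icinga-archive-keyring.gpg` (dearmored) and render `deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-{{ ansible_facts.distribution_release }} main`; the `deb-src` line can be dropped unless sources are actually built on this host.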
diff --git a/roles/icinga2/templates/web/authentication.ini.j2 b/roles/icinga2/templates/web/authentication.ini.j2
new file mode 100644
index 0000000..02b46f1
--- /dev/null
+++ b/roles/icinga2/templates/web/authentication.ini.j2
@@ -0,0 +1,12 @@
+[icingaweb2]
+backend = "db"
+resource = "icingaweb_db"
+
+{% if icingaweb.ldap.use_ldap %}
+[auth_ldap]
+backend = ldap
+resource = ldap_server
+user_class = {{ icingaweb.ldap.user_class }}
+user_name_attribute = {{ icingaweb.ldap.user_name_attribute }}
+filter = "{{ icingaweb.ldap.filter }}"
+{% endif %}
diff --git a/roles/icinga2/templates/web/config.ini.j2 b/roles/icinga2/templates/web/config.ini.j2
new file mode 100644
index 0000000..5b0834c
--- /dev/null
+++ b/roles/icinga2/templates/web/config.ini.j2
@@ -0,0 +1,21 @@
+[global]
+show_stacktraces = "1"
+show_application_state_messages = "1"
+config_backend = "db"
+config_resource = "icingaweb_db"
+module_path = "/usr/share/icingaweb2/modules"
+
+[logging]
+log = "syslog"
+level = "ERROR"
+application = "icingaweb2"
+facility = "user"
+
+[security]
+protected_customvars = "*pw*,*password*,*key*,*snmp_community*"
+
+[themes]
+
+[authentication]
+
+
diff --git a/roles/icinga2/templates/web/groups.ini.j2 b/roles/icinga2/templates/web/groups.ini.j2
new file mode 100644
index 0000000..848b254
--- /dev/null
+++ b/roles/icinga2/templates/web/groups.ini.j2
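Review bot: `show_stacktraces = "1"` makes Icinga Web 2 render PHP stack traces (file paths and framework internals) on error pages to whoever triggers them, which is information disclosure on a monitoring host reachable by the whole team; set `show_stacktraces = "0"` for production and rely on the syslog `[logging]` section configured below for diagnostics. A one-line comment explaining why `show_application_state_messages` stays enabled would help the next reader.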
@@ -0,0 +1,17 @@
+[icingaweb2]
+backend = "db"
+resource = "icingaweb_db"
+
+{% if icingaweb.ldap.use_ldap %}
+[groups_ldap]
+backend = ldap
+resource = ldap_server
+base_dn = {{ icingaweb.ldap.groups.base_dn }}
+group_member_attribute = {{ icingaweb.ldap.groups.group_member_attribute }}
+group_name_attribute = {{ icingaweb.ldap.groups.group_name_attribute }}
+group_class = {{ icingaweb.ldap.groups.group_class }}
+group_filter = {{ icingaweb.ldap.groups.group_filter }}
+user_base_dn = {{ icingaweb.ldap.groups.user_base_dn }}
+user_class = {{ icingaweb.ldap.groups.user_class }}
+user_name_attribute = {{ icingaweb.ldap.groups.uid }}
+{% endif %}
diff --git a/roles/icinga2/templates/web/modules/monitoring/backends.ini.j2 b/roles/icinga2/templates/web/modules/monitoring/backends.ini.j2
new file mode 100644
index 0000000..12806e3
--- /dev/null
+++ b/roles/icinga2/templates/web/modules/monitoring/backends.ini.j2
@@ -0,0 +1,3 @@
+[icinga]
+type = "ido"
+resource = "icinga_ido"
diff --git a/roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2 b/roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2
new file mode 100644
index 0000000..0341b01
--- /dev/null
+++ b/roles/icinga2/templates/web/modules/monitoring/commandtransports.ini.j2
@@ -0,0 +1,6 @@
+[icinga2]
+transport = "api"
+host = "localhost"
+port = "5665"
+username = "icingaweb2"
+password = "{{ icingaweb_api_password.content | b64decode }}"
diff --git a/roles/icinga2/templates/web/modules/monitoring/config.ini.j2 b/roles/icinga2/templates/web/modules/monitoring/config.ini.j2
new file mode 100644
index 0000000..9b69fe8
--- /dev/null
+++ b/roles/icinga2/templates/web/modules/monitoring/config.ini.j2
@@ -0,0 +1,2 @@
+[security]
+protected_customvars = "*pw*,*pass*,community"
diff --git a/roles/icinga2/templates/web/resources.ini.j2 b/roles/icinga2/templates/web/resources.ini.j2
new file mode 100644
index 0000000..1b1aa2a
--- /dev/null
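Review bot: The `[groups_ldap]` section renders `{{ icingaweb.ldap.groups.group_name_attribute }}` and `{{ icingaweb.ldap.groups.uid }}`, but neither key exists in `defaults/main.yml` (which defines `user_name_attribute` under `groups`, not `uid`, and no `group_name_attribute` at all), so turning on `use_ldap` fails the template with an undefined-variable error. The last line should be `user_name_attribute = {{ icingaweb.ldap.groups.user_name_attribute }}` and `group_name_attribute` needs a default (for `groupOfNames` that is usually `cn`; confirm against the directory). Unlike `filter` in authentication.ini these values are unquoted, so a `group_filter` containing spaces or INI comment characters may be truncated by the parser — wrap them in double quotes as `filter` already is.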
+++ b/roles/icinga2/templates/web/resources.ini.j2
@@ -0,0 +1,32 @@
+[icingaweb_db]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "icingaweb"
+username = "icingaweb"
+password = "{{ icinga_web_db_pw }}"
+charset = ""
+use_ssl = "0"
+
+[icinga_ido]
+type = "db"
+db = "mysql"
+host = "localhost"
+port = ""
+dbname = "ido"
+username = "icinga"
+password = "{{ icinga_ido_db_pw }}"
+charset = ""
+use_ssl = "0"
+
+{% if icingaweb.ldap.use_ldap %}
+[ldap_server]
+type = ldap
+hostname= {{ icingaweb.ldap.host }}
+port = {{ icingaweb.ldap.port }}
+encryption = {{ icingaweb.ldap.encryption }}
+root_dn = "{{ icingaweb.ldap.root_dn }}"
+bind_dn = "{{ icingaweb.ldap.bind_dn }}"
+bind_pw = "{{ icingaweb.ldap.bind_pw }}"
+{% endif %}
diff --git a/roles/icinga2/templates/web/roles.ini.j2 b/roles/icinga2/templates/web/roles.ini.j2
new file mode 100644
index 0000000..190accf
--- /dev/null
+++ b/roles/icinga2/templates/web/roles.ini.j2
@@ -0,0 +1,7 @@
+{% for role in icingaweb.roles %}
+[{{ role.name }}]
+users = "{{ role.users }}"
+permissions = "{{ role.permissions }}"
+groups = "{{ role.groups }}"
+
+{% endfor %}
-- cgit v1.2.3