From b3dd8a8870aed158af36042359d224d350f1b39e Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Fri, 7 Jan 2022 12:40:17 +0100
Subject: gitea: enable mail notifications
---
 roles/gitea/Readme.md | 10 ++++++++++
 roles/gitea/templates/app.ini.j2 | 8 +++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
(limited to 'roles')
diff --git a/roles/gitea/Readme.md b/roles/gitea/Readme.md
index 6637b97..139de4a 100644
--- a/roles/gitea/Readme.md
+++ b/roles/gitea/Readme.md
@@ -29,5 +29,15 @@ gitea:
 user: ''
 passwd: ''
 ssl: 'true'
+ mail:
+ enable: false
+ smtp_host: ''
+ tls: false
+ skip_verify: false
+ from: ''
+ user: ''
+ pass: ''
+ plain_text: false
+ subject_prefix: ''
 ```
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
index 9bbd097..f59c557 100644
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -631,13 +631,15 @@ EMAIL_DOMAIN_WHITELIST =
 ; Comma-separated list of domain names that are not allowed to be used to register on a Gitea instance
 EMAIL_DOMAIN_BLOCKLIST =
 ; Disallow registration, only allow admins to create accounts.
+
+
 DISABLE_REGISTRATION = true
 ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-; User must sign in to view anything.
+
 REQUIRE_SIGNIN_VIEW = true
-; Mail notification
-ENABLE_NOTIFY_MAIL = false
+ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable }}
+
 ; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password
 ; If you set this to false you will not be able to access the tokens endpoints on the API with your password
 ; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token
-- cgit v1.2.3
From 41a475c5fb12d0bb82d596331796b8f375904c0a Mon Sep 17 00:00:00 2001
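Review bot: Only `gitea.mail.enable` is wired into the template (`ENABLE_NOTIFY_MAIL`), while the Readme hunk of this commit documents `smtp_host`, `tls`, `skip_verify`, `from`, `user`, `pass`, `plain_text` and `subject_prefix` under `gitea.mail`, and no `[mailer]` lines consuming them appear anywhere in the diff, so `enable: true` switches notifications on against whatever mailer section the template already has; either wire those keys here or state in the Readme that they are not yet used. `{{ gitea.mail.enable }}` renders a YAML boolean as `True`/`False`, which Gitea's ini loader should accept, but the Readme's other flags are quoted strings (`ssl: 'true'`), so `ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable | lower }}` or a note on the expected type would keep the two consistent. The deleted `; User must sign in to view anything.` and `; Mail notification` comments were replaced by three bare blank lines, one of which now separates `; Disallow registration, ...` from the `DISABLE_REGISTRATION` key it describes — I would keep the comments and drop the blanks. `skip_verify` in the new defaults turns off certificate checking for the SMTP connection; when that key is wired, the Readme should mark it as a debugging option rather than a value to copy.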
From: Jonas Gunz
Date: Fri, 14 Jan 2022 15:37:07 +0100
Subject: bind: add file zonefile source
---
 galaxy.yml | 2 +-
 roles/bind/defaults/main.yml | 1 +
 roles/bind/tasks/download_zonefile.yml | 10 ++++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
(limited to 'roles')
diff --git a/galaxy.yml b/galaxy.yml
index 5ce7984..e8e52bc 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: kompetenzbolzen
 name: stuff
-version: 0.8.2
+version: 0.8.3
 readme: README.md
 authors:
 - Jonas Gunz
diff --git a/roles/bind/defaults/main.yml b/roles/bind/defaults/main.yml
index bd90082..f242706 100644
--- a/roles/bind/defaults/main.yml
+++ b/roles/bind/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
 bind_zones: []
 bind_zonefile_base_url: ''
+bind_zonefile_base_folder: ''
 bind_install_zonefiles: false
diff --git a/roles/bind/tasks/download_zonefile.yml b/roles/bind/tasks/download_zonefile.yml
index 9e89507..9c0f4ac 100644
--- a/roles/bind/tasks/download_zonefile.yml
+++ b/roles/bind/tasks/download_zonefile.yml
@@ -5,6 +5,7 @@
 return_content: yes
 delegate_to: localhost
 register: zonefile
+ when: bind_zonefile_base_url != ""
 - name: Install zonefile
 copy:
@@ -12,4 +13,13 @@
 content: '{{ zonefile.content }}'
 become: yes
 notify: Restart bind
+ when: bind_zonefile_base_url != ""
+
+- name: Copy zonefile
+ copy:
+ src: '{{ bind_zonefile_base_folder }}/{{ item }}'
+ dest: '/etc/bind/zonefiles/{{ item }}'
+ become: yes
+ notify: Restart bind
+ when: bind_zonefile_base_folder != ""
-- cgit v1.2.3
From 5490ae91cd85a65001d3c9df685b935c11e1378d Mon Sep 17 00:00:00 2001
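Review bot: The new `when:` guards on `bind_zonefile_base_url` and `bind_zonefile_base_folder` are independent, so when both variables are set the `Copy zonefile` task silently overwrites the file the `Install zonefile` task just wrote, and when both are empty every task is skipped without any error; an `assert` at the top of the file, or `when: bind_zonefile_base_url == "" and bind_zonefile_base_folder != ""` on the new task, would make the two sources mutually exclusive. `Copy zonefile` references `{{ item }}` but carries no `loop:`; presumably this file is included once per zone by the caller (the first task of the file starts outside the hunk) — confirm, otherwise `item` is undefined here. Both install paths write `/etc/bind/zonefiles/{{ item }}` unchecked and then trigger `Restart bind`; if `item` is the zone name, `validate: 'named-checkzone {{ item }} %s'` on the two `copy` tasks rejects a truncated or malformed zonefile before the daemon is restarted with it.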
From: Jonas Gunz
Date: Fri, 21 Jan 2022 14:52:16 +0100
Subject: WIP: Icinga2 improvements
---
 roles/icinga2/defaults/main.yml | 22 ++++++++++++-
 roles/icinga2/files/000-default.conf | 9 ++++++
 roles/icinga2/files/index.html | 9 ++++++
 roles/icinga2/handlers/main.yml | 14 +++++++++
 roles/icinga2/tasks/apache.yml | 44 ++++++++++++++++++++++++++
 roles/icinga2/tasks/icinga.yml | 41 +++++++++++++++++++++++-
 roles/icinga2/tasks/icingaweb.yml | 9 +++++-
 roles/icinga2/tasks/main.yml | 9 ++++++
 roles/icinga2/tasks/postfix.yml | 49 +++++++++++++++++++++++++++++
 roles/icinga2/templates/default-ssl.conf.j2 | 23 ++++++++++++++
 roles/icinga2/templates/icinga2.conf.j2 | 4 +++
 11 files changed, 230 insertions(+), 3 deletions(-)
 create mode 100644 roles/icinga2/files/000-default.conf
 create mode 100644 roles/icinga2/files/index.html
 create mode 100644 roles/icinga2/tasks/apache.yml
 create mode 100644 roles/icinga2/tasks/postfix.yml
 create mode 100644 roles/icinga2/templates/default-ssl.conf.j2
(limited to 'roles')
diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml
index f8b46e2..9b6a007 100644
--- a/roles/icinga2/defaults/main.yml
+++ b/roles/icinga2/defaults/main.yml
@@ -9,10 +9,25 @@ icinga:
 - name: 'test'
 password: 'changeme'
 permissions: '[ ]'
+ # CN MUST match FQDN
+ api_cert:
+ crt: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+ config:
+ manage: false
+ git_url: ''
+ git_branch: 'mainu'
+ mail:
+ enable: false
+ smtp_host: 'smtp.example.com'
+ smtp_port: '25'
+ smtp_user: ''
+ smtp_psw: ''
+ from: ''
 icingaweb:
 cert:
- use_ssl: true
 cert: '/etc/ssl/cert/ssl-cert-snakeoil.pem'
 key: '/etc/ssl/private/ssl-cert-snakeoil.key'
 ldap:
@@ -42,4 +57,9 @@ icingaweb:
 groups: 'Administrators'
 enabled_modules:
 - monitoring
+ - businessprocess
+ install_modules:
+ businessprocess:
+ url: 'https://github.com/Icinga/icingaweb2-module-businessprocess'
+ version: 'master'
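Review bot: `git_branch: 'mainu'` looks like a typo for `main`, and, more importantly, the `Install config from git` task added to `roles/icinga2/tasks/icinga.yml` in this same commit reads `icinga.config.git_version`, a key these defaults never define, so the first run with `manage: true` fails on an undefined variable; pick one name on both sides, e.g. `git_branch: 'main'` here and `version: '{{ icinga.config.git_branch }}'` in the task. `use_ssl: true` is dropped from `icingaweb.cert`; any template outside this diff that still reads `icingaweb.cert.use_ssl` would break, so it is worth a grep before merging. `smtp_psw: ''` is the right default, but a comment such as `smtp_psw: ''  # supply from vault, never in plain defaults` documents the expectation. The `# CN MUST match FQDN` comment sits above defaults that point at the Debian snakeoil certificate, whose CN is typically the hostname at package install time and may not match the `ansible_facts.fqdn` used for the destination filename in icinga.yml — the comment should say that the default is a placeholder, not a working value.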
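Review bot: `install_modules.businessprocess.version: 'master'` checks out a moving branch from GitHub, so every run of the `Install modules` git task in icingaweb.yml can pull different, unreviewed code into `/usr/share/icingaweb2/modules` as root and the web UI executes it; default this to a release tag (e.g. `version: 'v2.4.0'` — constructed example, use the current release) and note that `master` is for testing only. The same reasoning applies to `icinga.config.git_branch` in the hunk above, where the checkout lands in `/etc/icinga2/conf.git.d` and is loaded by the daemon. A short comment on the new map, `# install_modules: <module dir name>: {url, version}`, would make the `with_dict` loop in icingaweb.yml readable without opening that file.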
diff --git a/roles/icinga2/files/000-default.conf b/roles/icinga2/files/000-default.conf new file mode 100644 index 0000000..922eb96 --- /dev/null +++ b/roles/icinga2/files/000-default.conf @@ -0,0 +1,9 @@ + + ServerAdmin webmaster@localhost + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/icinga2/files/index.html b/roles/icinga2/files/index.html new file mode 100644 index 0000000..fa5cc89 --- /dev/null +++ b/roles/icinga2/files/index.html @@ -0,0 +1,9 @@ + + + + + + +

Icinga Web 2.

+ + diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml index 730742e..15e7fdf 100644 --- a/roles/icinga2/handlers/main.yml +++ b/roles/icinga2/handlers/main.yml @@ -5,3 +5,17 @@ state: restarted enabled: yes become: yes + +- name: Restart apache + systemd: + name: apache2 + state: restarted + enabled: yes + become: yes + +- name: Restart postfix + systemd: + name: postfix + state: restarted + enabled: yes + become: yes diff --git a/roles/icinga2/tasks/apache.yml b/roles/icinga2/tasks/apache.yml new file mode 100644 index 0000000..bfc6a52 --- /dev/null +++ b/roles/icinga2/tasks/apache.yml @@ -0,0 +1,44 @@ +--- +- name: Install index.html + copy: + src: index.html + dest: /var/www/html/index.html + become: yes + notify: Restart apache + +- name: Install site-config + copy: + src: 000-default.conf + dest: /etc/apache2/sites-available/000-default.conf + become: yes + notify: Restart apache + +- name: Install SSL site-config + template: + src: default-ssl.conf.j2 + dest: /etc/apache2/sites-available/default-ssl.conf + become: yes + notify: Restart apache + +- name: Enable sites + file: + state: link + path: '/etc/apache2/sites-enabled/{{ item }}' + src: '../sites-available/{{ item }}' + loop: + - 000-default.conf + - default-ssl.conf + become: yes + notify: Restart apache + +- name: Enable apache mods + file: + state: link + path: '/etc/apache2/mods-enabled/{{ item }}' + src: '../mods-available/{{ item }}' + loop: + - ssl.conf + - ssl.load + - socache_shmcb.load + become: yes + notify: Restart apache diff --git a/roles/icinga2/tasks/icinga.yml b/roles/icinga2/tasks/icinga.yml index ec6fe1e..7acbb47 100644 --- a/roles/icinga2/tasks/icinga.yml +++ b/roles/icinga2/tasks/icinga.yml 
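Review bot: `Enable apache mods` links only `ssl.conf`, `ssl.load` and `socache_shmcb.load`, but the `000-default.conf` installed by this same commit uses `RewriteEngine`/`RewriteCond`/`RewriteRule`; unless mod_rewrite is enabled by something outside this diff, Apache's config test fails on the unknown directive and the `Restart apache` handler takes the site down, so add `- rewrite.load` to the loop. Hand-made symlinks also skip `a2enmod`/`a2ensite` dependency handling; `command: a2enmod rewrite ssl socache_shmcb` with `args: creates: /etc/apache2/mods-enabled/rewrite.load` (or `community.general.apache2_module`, if the collection is available) is the conventional idempotent form. The `copy` tasks for `index.html` and the two site files carry no `mode`/`owner`; `mode: '0644'` keeps the result explicit rather than umask-dependent.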
@@ -47,10 +47,49 @@
 - ido-mysql.conf
 - api_users.conf
+- name: Install config from git
+ git:
+ dest: '/etc/icinga2/conf.git.d'
+ repo: '{{ icinga.config.git_url }}'
+ version: '{{ icinga.config.git_version }}'
+ become: yes
+ become_user: nagios
+ when: icinga.config.manage | default(false)
+ notify: Restart icinga
+
+- name: Create API certs folder
+ file:
+ state: directory
+ path: /var/lib/icinga2/certs
+ owner: nagios
+ group: nagios
+ become: yes
+
+- name: Install API TLS Key/Certificate
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert[item] }}'
+ dest: '/var/lib/icinga2/certs/{{ ansible_facts.fqdn }}.{{ item }}'
+ owner: nagios
+ group: nagios
+ become: yes
+ loop:
+ - key
+ - crt
+
+- name: Install API TLS CA
+ copy:
+ remote_src: yes
+ src: '{{ icinga.api_cert.ca }}'
+ dest: '/var/lib/icinga2/certs/ca.crt'
+ owner: nagios
+ group: nagios
+ become: yes
+
 - name: Enable features
 file:
 state: link
- path: '/etc/icinga2/features-available/api.con'
+ path: '/etc/icinga2/features-enabled/api.conf'
 src: '../features-available/api.conf'
 owner: nagios
 group: nagios
diff --git a/roles/icinga2/tasks/icingaweb.yml b/roles/icinga2/tasks/icingaweb.yml
index 1d527fc..ee4cd6a 100644
--- a/roles/icinga2/tasks/icingaweb.yml
+++ b/roles/icinga2/tasks/icingaweb.yml
@@ -67,6 +67,14 @@
 - modules/monitoring/commandtransports.ini
 - modules/monitoring/backends.ini
+- name: Install modules
+ git:
+ dest: '/usr/share/icingaweb2/modules/{{ item.key }}'
+ repo: '{{ item.value.url }}'
+ version: '{{ item.value.version }}'
+ become: yes
+ with_dict: '{{ icingaweb.install_modules }}'
+
 - name: Enable modules
 file:
 path: '/etc/icingaweb2/enabledModules/{{ item }}'
@@ -84,4 +92,3 @@
 groups: www-data
 append: yes
 become: yes
-
diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml
index 35e9bd6..bcb702f 100644
--- a/roles/icinga2/tasks/main.yml
+++ b/roles/icinga2/tasks/main.yml
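Review bot: `Install API TLS Key/Certificate` copies the private key with `remote_src: yes` and no `mode`, so `/var/lib/icinga2/certs/<fqdn>.key` is created with the remote umask's default permissions (typically world-readable) instead of the source file's; add `mode: "{{ '0600' if item == 'key' else '0644' }}"` to the loop task, or `mode: preserve`. `Install config from git` uses `icinga.config.git_version`, which the defaults hunk of this commit does not define (it adds `git_branch`); the `when: icinga.config.manage | default(false)` guard is evaluated before the module arguments are templated, which is why the undefined key only surfaces once `manage` is true. That checkout into `/etc/icinga2/conf.git.d` is included by `icinga2.conf.j2` and executed by the daemon, so pin `version` to a tag or commit rather than a branch, and consider `update: no` for production hosts so a later run cannot move the checkout unnoticed. The `Enable features` task continues outside the hunk.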
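Review bot: `Install modules` clones `item.value.url` at `item.value.version` into `/usr/share/icingaweb2/modules/{{ item.key }}` as root with no pinning or integrity check, and the only default supplied in this commit is `version: 'master'`; for PHP that the web UI executes, pin `version` to a tag or commit in the defaults and consider `update: no` once deployed so a rerun cannot silently replace the module. `{{ item.key }}` becomes a path component under the modules directory; the keys come from the role's own variables, but a comment such as `# keys are module directory names; values carry url and version` would document that contract next to the loop. The `Enable modules` task that follows continues outside the hunk.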
@@ -43,6 +43,8 @@
 - apache2
 - libapache2-mod-php
 - python3-pymysql
+ - git
+ - mailutils
 become: yes
 - name: Securing MariaDB installation
@@ -84,3 +86,10 @@
 - name: Configure Icingaweb2
 include_tasks: icingaweb.yml
+
+- name: Configure apache2
+ include_tasks: apache.yml
+
+- name: Configure postfix
+ include_tasks: postfix.yml
+ when: icinga.mail.enable | default(false)
diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml
new file mode 100644
index 0000000..e71cc1d
--- /dev/null
+++ b/roles/icinga2/tasks/postfix.yml
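Review bot: `Configure postfix` is included only when `icinga.mail.enable` is true, but `postfix` itself is not in the visible package list and `mailutils` is installed unconditionally; on Debian `mailutils` presumably pulls in an MTA through its default-mta dependency, which would be how postfix arrives — if so, list `postfix` explicitly and guard `mailutils` with the same `when`, so the tasks in postfix.yml do not depend on a transitive dependency choosing the MTA. `Configure apache2` runs unconditionally and replaces the distribution's `000-default.conf` and `default-ssl.conf`; a comment above the include, `# the role owns both default Apache site files`, would warn anyone co-hosting other sites. The package task's head and the `Securing MariaDB installation` task lie outside the hunks.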
@@ -0,0 +1,49 @@
+---
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.smtp_host }} {{ icinga.mail.smtp_user }}:{{ icinga.mail.smtp_psw }}'
+ dest: /etc/postfix/relay-credentials
+ mode: '0600'
+ become: yes
+ register: relay_creds
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/relay-credentials
+ become: yes
+ when: relay_creds.changed
+
+- name: Install postfix relay creds
+ copy:
+ content: '{{ icinga.mail.from }} [{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}'
+ dest: /etc/postfix/bysender
+ become: yes
+ register: bysender
+ notify: Restart postfix
+
+- name: Create hash db
+ shell: postmap /etc/postfix/bysender
+ become: yes
+ when: bysender.changed
+
+# sudo apt install libsasl2-modules sasl2-bin
+- name: postfix config
+ lineinfile:
+ path: /etc/postfix/main.cf
+ regexp: '{{ item.reg }}'
+ line: '{{ item.line }}'
+ loop:
+ - reg: '^sender_dependent_relayhost_maps\w*=.*$'
+ line: 'sender_dependent_relayhost_maps = hash:/etc/postfix/bysender'
+ - reg: '^smtp_sasl_auth_enable\w*=.*$'
+ line: 'smtp_sasl_auth_enable = yes'
+ - reg: '^smtp_tls_security_level\w*=.*$'
+ line: 'smtp_tls_security_level = encrypt'
+ - reg: '^smtp_sasl_password_maps\w*=.*$'
+ line: 'smtp_sasl_password_maps = hash:/etc/postfix/relay-credentials'
+ - reg: '^smtp_use_tls\w*=.*$'
+ line: 'smtp_use_tls = yes'
+ - reg: '^smtp_sasl_security_options\w*=.*$'
+ line: 'smtp_sasl_security_options = noanonymous'
+ notify: Restart postfix
+ become: yes
diff --git a/roles/icinga2/templates/default-ssl.conf.j2 b/roles/icinga2/templates/default-ssl.conf.j2
new file mode 100644
index 0000000..7c9ab9e
--- /dev/null
+++ b/roles/icinga2/templates/default-ssl.conf.j2
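Review bot: Every `regexp` in `postfix config` uses `\w*` where `\s*` is meant (`'^smtp_sasl_auth_enable\w*=.*$'`), so an existing `smtp_sasl_auth_enable = yes` line with spaces around `=` is never matched and `lineinfile` appends a second definition to main.cf on each change; Postfix takes the last occurrence and warns about the duplicate, but the file keeps growing — change all six patterns to `\s*`. `smtp_tls_security_level = encrypt` enforces TLS without verifying the relay's certificate, so the credentials from `/etc/postfix/relay-credentials` are sent to whoever answers on `smtp_host`; add `- reg: '^smtp_tls_CAfile\s*=.*$'` with `line: 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'` (or rely on Debian's default `smtp_tls_CApath`) and raise the level to `secure`, at which point `smtp_use_tls` is redundant. The credentials file gets `mode: '0600'`, but the `.db` that `postmap` writes is not managed here — confirm it inherits the same mode, or add a `file` task for `/etc/postfix/relay-credentials.db`. The key in `relay-credentials` is the bare `smtp_host` while `bysender` names the relay as `[host]:port`; Postfix's second lookup by server hostname probably makes this work, but using `[{{ icinga.mail.smtp_host }}]:{{ icinga.mail.smtp_port }}` as the key in both files removes the doubt. Two tasks are named `Install postfix relay creds` and two `Create hash db`, and both `shell:` commands use no shell syntax, so `command:` plus distinct names (`Install sender-dependent relayhost map`, `Build bysender hash db`) would read better in the play log.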
@@ -0,0 +1,23 @@ + + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + SSLEngine on + SSLProtocol -all +TLSv1.2 +TLSv1.3 + SSLCertificateFile {{ icingaweb.cert.cert }} + SSLCertificateKeyFile {{ icingaweb.cert.key }} + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/icinga2/templates/icinga2.conf.j2 b/roles/icinga2/templates/icinga2.conf.j2 index fcb9088..13d2d7f 100644 --- a/roles/icinga2/templates/icinga2.conf.j2 +++ b/roles/icinga2/templates/icinga2.conf.j2 @@ -19,4 +19,8 @@ include "features-enabled/*.conf" include "ido-mysql.conf" include "api_users.conf" +{% if icinga.config.manage is true %} +include_recursive "conf.git.d" +{% else %} include_recursive "conf.d" +{% endif %} -- cgit v1.2.3 From d2864ab4eb221007ce3647d22c1d3e334e6134cc Mon Sep 17 00:00:00 2001 From: Jonas Gunz Date: Fri, 21 Jan 2022 15:51:57 +0100 Subject: icinga: modify --- galaxy.yml | 2 +- roles/icinga2/tasks/main.yml | 21 +++++++++++++++++++++ roles/icinga2/tasks/postfix.yml | 2 -- 3 files changed, 22 insertions(+), 3 deletions(-) (limited to 'roles') diff --git a/galaxy.yml b/galaxy.yml index 70a0652..a0ce0c8 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,6 +1,6 @@ namespace: kompetenzbolzen name: stuff -version: 0.8.4 +version: 0.8.8 readme: README.md authors: - Jonas Gunz diff --git a/roles/icinga2/tasks/main.yml b/roles/icinga2/tasks/main.yml index bcb702f..07f02d8 100644 --- a/roles/icinga2/tasks/main.yml +++ b/roles/icinga2/tasks/main.yml @@ -45,6 +45,8 @@ - python3-pymysql - git - mailutils + - libsasl2-modules + - sasl2-bin become: yes - name: Securing MariaDB installation 
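Review bot: The vhost restricts protocols with `SSLProtocol -all +TLSv1.2 +TLSv1.3` but sets no `SSLCipherSuite`/`SSLHonorCipherOrder` and sends no `Strict-Transport-Security` header, so the redirect in `000-default.conf` protects only the first request of a session; add `Header always set Strict-Transport-Security "max-age=63072000"` (which needs `headers.load` in the apache.yml mod loop) and an explicit cipher list next to `SSLEngine on`. The `<VirtualHost>`, `<FilesMatch>` and `<Directory>` container tags are not visible in this rendering, so the structure is assumed to follow the Debian `default-ssl.conf` template — verify the rendered file with `apache2ctl configtest` once. A header comment in the template naming the two variables it consumes (`{# renders icingaweb.cert.cert / icingaweb.cert.key #}`) would document the contract that replaced the removed `use_ssl` flag.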
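Review bot: `{% if icinga.config.manage is true %}` is a strict boolean test (Jinja's `true` test, available since Jinja 2.11), while the `Install config from git` task in icinga.yml is guarded by `icinga.config.manage | default(false)`, which is plain truthiness; a user setting `manage: 'yes'` or `manage: 1` gets the git checkout performed but `conf.d` still included, and a missing key fails here while it is defaulted there. Use the same expression in both places, e.g. `{% if icinga.config.manage | default(false) %}`. When managed mode is on, `conf.d` is no longer included at all; a template comment such as `{# managed mode: only conf.git.d is loaded, conf.d is ignored #}` would make that switch visible to operators reading the generated icinga2.conf.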
@@ -81,6 +83,25 @@
 become: yes
 register: icingaweb_api_password
+- name: generate SSH folder
+ file:
+ state: directory
+ path: /var/lib/nagios/.ssh
+ become: yes
+ become_user: nagios
+
+- name: generate SSH-Key
+ community.crypto.openssh_keypair:
+ comment: 'monitor'
+ path: /var/lib/nagios/.ssh/id_rsa
+ become: yes
+ become_user: nagios
+ register: ssh_key
+
+- name: Print SSH-PubKey
+ debug:
+ var: ssh_key.public_key
+
 - name: Configure Icinga2
 include_tasks: icinga.yml
diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml
index e71cc1d..c3b8eb1 100644
--- a/roles/icinga2/tasks/postfix.yml
+++ b/roles/icinga2/tasks/postfix.yml
@@ -26,7 +26,6 @@
 become: yes
 when: bysender.changed
-# sudo apt install libsasl2-modules sasl2-bin
 - name: postfix config
 lineinfile:
 path: /etc/postfix/main.cf
@@ -46,4 +45,3 @@
 - reg: '^smtp_sasl_security_options\w*=.*$'
 line: 'smtp_sasl_security_options = noanonymous'
 notify: Restart postfix
- become: yes
-- cgit v1.2.3
From 3e186b4098c9f811decc5f79bc279cfa4d3880f4 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Fri, 21 Jan 2022 16:25:16 +0100
Subject: Icinga: fix ldap
---
 galaxy.yml | 2 +-
 roles/icinga2/defaults/main.yml | 3 ++-
 roles/icinga2/templates/web/groups.ini.j2 | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
(limited to 'roles')
diff --git a/galaxy.yml b/galaxy.yml
index a0ce0c8..5614156 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: kompetenzbolzen
 name: stuff
-version: 0.8.8
+version: 0.8.9
 readme: README.md
 authors:
 - Jonas Gunz
diff --git a/roles/icinga2/defaults/main.yml b/roles/icinga2/defaults/main.yml
index 9b6a007..0c36ee6 100644
--- a/roles/icinga2/defaults/main.yml
+++ b/roles/icinga2/defaults/main.yml
@@ -44,7 +44,8 @@ icingaweb:
 filter: ''
 groups:
 base_dn: ''
- group_member_attribute: 'cn'
+ group_member_attribute: 'member'
+ group_name_attribute: 'cn'
 group_class: 'groupOfNames'
 group_filter: 'cn=*'
 user_base_dn: ''
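Review bot: `generate SSH folder` creates `/var/lib/nagios/.ssh` with no `mode`, so it gets the nagios user's umask default (typically 0755); set `mode: '0700'`, which is what OpenSSH expects for that directory. `generate SSH-Key` relies on the module's default key type (RSA, hence the `id_rsa` path); `type: ed25519` with `path: /var/lib/nagios/.ssh/id_ed25519` is the smaller, modern choice and would be a one-line change. A comment above the task, `# key is created once per host; remove the file to rotate it`, would document the lifecycle, since nothing in the role rotates or removes it. The `Configure Icinga2` include that follows is context from outside the hunk.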
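Review bot: `groups.ini.j2` in this commit now renders `{{ icingaweb.ldap.groups.user_name_attribute }}`, but this defaults hunk adds only `group_member_attribute`/`group_name_attribute`; unless `user_name_attribute` is already declared further down in `icingaweb.ldap.groups` (the lines after `user_base_dn` are outside the hunk), the template fails on an undefined variable, so add `user_name_attribute: 'uid'` here to match the old `uid` reference. Conversely, `group_name_attribute: 'cn'` is added here but no `group_name_attribute = ...` line is visible in the groups.ini.j2 hunk — confirm the template consumes it, otherwise it is dead configuration. Changing `group_member_attribute` from `cn` to `member` is the actual fix and is consistent with `group_class: 'groupOfNames'`.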
diff --git a/roles/icinga2/templates/web/groups.ini.j2 b/roles/icinga2/templates/web/groups.ini.j2
index 848b254..04dba70 100644
--- a/roles/icinga2/templates/web/groups.ini.j2
+++ b/roles/icinga2/templates/web/groups.ini.j2
@@ -13,5 +13,5 @@ group_class = {{ icingaweb.ldap.groups.group_class }}
 group_filter = {{ icingaweb.ldap.groups.group_filter }}
 user_base_dn = {{ icingaweb.ldap.groups.user_base_dn }}
 user_class = {{ icingaweb.ldap.groups.user_class }}
-user_name_attribute = {{ icingaweb.ldap.groups.uid }}
+user_name_attribute = {{ icingaweb.ldap.groups.user_name_attribute }}
 {% endif %}
-- cgit v1.2.3
From d400f8820ad8e824ce454d9283e2bb8d6a28cdd3 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Fri, 21 Jan 2022 16:27:33 +0100
Subject: icinga: fix postfix
---
 galaxy.yml | 2 +-
 roles/icinga2/tasks/postfix.yml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
(limited to 'roles')
diff --git a/galaxy.yml b/galaxy.yml
index 5614156..a252349 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: kompetenzbolzen
 name: stuff
-version: 0.8.9
+version: 0.8.10
 readme: README.md
 authors:
 - Jonas Gunz
diff --git a/roles/icinga2/tasks/postfix.yml b/roles/icinga2/tasks/postfix.yml
index c3b8eb1..044a938 100644
--- a/roles/icinga2/tasks/postfix.yml
+++ b/roles/icinga2/tasks/postfix.yml
@@ -44,4 +44,5 @@
 line: 'smtp_use_tls = yes'
 - reg: '^smtp_sasl_security_options\w*=.*$'
 line: 'smtp_sasl_security_options = noanonymous'
+ become: yes
 notify: Restart postfix
-- cgit v1.2.3