icinga: first attept at monitoring with icinga

2021-05-06 20:39:40 +02:00 · 2021-05-06 20:39:40 +02:00 · c93b864f03
commit c93b864f03
parent 5156bdf33c
11 changed files with 252 additions and 59 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -40,6 +40,14 @@ hackmd_dbuser: hackmd
 hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
 hackmd_secret: "{{ vault_hackmd_secret }}"

+icinga_domain: icinga.binary.kitchen
+icinga_dbname: icinga
+icinga_dbuser: icinga
+icinga_dbpass: "{{ vault_icinga_dbpass }}"
+icingaweb_dbname: icingaweb
+icingaweb_dbuser: icingaweb
+icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
+
 jitsi_domain: jitsi.binary-kitchen.de
 jitsi_admin_email: exxess@binary-kitchen.de

--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,59 +1,63 @@
 $ANSIBLE_VAULT;1.1;AES256
-37303932343462623335393066643531373533636435356462326537373532613534353266396435
-3636666364306637306266393933383963633032383265650a656563303332303134323135353239
-34633863333930316564633632313939643664373163373833636139366537646530383736343130
-6239373931306234620a353966346262646538306631656461613431636230333430663931643933
-31316362353439393838363666613932313635313864333135636530653238653162353033356437
-33353063363639346266313631393463623864636133623264613865336536613536343365386230
-65396263393862626139396430623134316632313637623631623762656139623664356331623066
-30323430613963313162616135303164663364336634326533346438373635366238356531613461
-30333736633965333163616437303566666239313962353531393530613265363833396136646262
-62633662666532396535316361303934613138373365633161393664313234663533363736323335
-38613762376234663564333333386265633138613839636132346638313430653639636339336239
-38633564333831326331326166666362353364303933393532643936313564386565643162623435
-36356437356631666137323039316430656566613436623062656562666139383635653039636463
-35393438323765303431333737356339343730303531333834306239366533393537626239376163
-31663332343136323264376234363264343136623365383833666638656531306362663462383033
-31633838643562613762363634653865353361303666363139636337386439626235336462653036
-30376461643839313665383430386534656265626139313034646438323861653530383637316139
-35313539636137303561646564616362313435666262343137616263396465356434363862323137
-38626464383039386139343665363538326539613837366437623362336639336133323463666235
-36346333356434363838363634343233323363333762653264333062656133623434666162356433
-37623862653862643335333931663063623166353534636430323230663838653532356335306632
-33646265343834363839653565326538353930663061376461646534386637376234646264343933
-65653763343236653630396238333232633461663333646531323337626235396231383931663264
-34363564366134663036643332346238373639646336396261316133326235636265323636663335
-35363537346466396432396162383131306438396431336138666663633132646662316165643333
-64633434623166343262623038623431343631333962663566303566393761653536303638643037
-63363963306139336235363537396432383131303763643966313937353537333739393031616439
-35343361646234663062633631323238656137373464386561656439313636613630323632616332
-39346239666266623038363066643865373762633532323431373431373165643662663661633365
-35353361383339623535336362313430616139396561623934346264323462663663383566393165
-35366637313861386465333530613530623832643333616538336436356134313832306139336361
-32393162373235356236343332363038393631626534643237383232323735633265333562633231
-61613164363962323236666365353830346664643263393532343562383736336535353364343638
-62386465323331653565306234646664393164666334383765336630346438633636353264636138
-31316231326236313839353465353230353935363330393035373234393039386134366534653636
-63323730383931353763383739393330316335373563393039366166313031373664636335363363
-38363131363565326431636361316562313037373664306333313366646336333162663664306539
-64636530363561393037373766383937616435313333653836363835383231633130396133663635
-36613531323732623264646666656139333766656562623430313964366236373663626135383437
-31643663663637613762313465656636396264623362643538323166356636303430613133383664
-66383332326437333638663562376665386237313533303437623765353661393561373338636130
-30383665333366643331366536646330633133643566393962633164643563613536363434393234
-66323931316535353632356432373262623962616264383430623436303637616165386433326231
-38633730636633643634343833313964653530663034333063313334636134646634363437346161
-32613061363032383732323263303830363532326239316538393739313730383530633862313039
-37653865303932313635656332663039376331393161623731623039653865623436363061626538
-32383934613335363534666461343135303235373262343634306130633536323839393139346662
-31623265323138353963623938616665383765366230656461383835346230346261623866366630
-65303965353432386136373562306434623739666262356663656266346439356435613362333563
-34366539353366346636376662363837303332373866323434366261326164633033353930383038
-36666433656365366663326163343034306439653262353733323232373133386436333637346563
-32626533336530633731336631333334353366306538663936643637346335303965626631316562
-33333061656234393661363766663630316662613764333231326434383465666234653238393965
-31636561396665383063613433653837363634623337623330666466353532633434383864343464
-38303436306165353433356536326466306530373635616531393462666336666435633235613937
-37343832333864643636366632623062363234633365326635386663376439383332306333653161
-34353830396165366534313334616161323461613066383561343563393330613464373862623062
-3536303066343262636636393861313539616636643339353562
+33623262383731376234653937386664383037396361353362313834636537396336633639666536
+3364666364333738623435623963643065353037386364300a326638303065303430373764386430
+62336230366431303138633764356562373432646233353335336232623764633135646430313832
+3337376266393632660a663664316131663332656334386434323865623665633132323164613664
+65326432376532343833353137616161383465393637666137356334333231313564336233326132
+63316137353437643261646332373539626532333738303333373131626261653433363838306566
+61633234663534646665363233366630333830383834363266396465383231306562636561393934
+39316637386233666261373463333935663765636466613766613736666536346363646538613862
+61373638643264623537393665353464646165363261356536366564383835346664633133363733
+61373965626238363461333861333766343561356436623234396334373763663162623963383335
+65326433323562303938363137343137653536373437656565323631626637643463353238323665
+30663831353464393334646232656465386439383064386362356666653165643566383334633731
+64383963356363333765623965626637346539613461653262313239653464363638323636633235
+31373936663563336433333032386134353739383131383631336136646163383038653135343635
+35373362613331396662346632356565636365636430313236386339633037316531363739383034
+39643033346530316164303237326462633661623766323062333433663661313166623332326332
+63646434373936623630643165313435393439653839623061633663336666376464366136626338
+33393333353331383837373661323236653530646438376165623130663634353562303733376536
+30353235303536336639393236656438663837323131393261626561303135626631346462383638
+32656435656134616439346134346564633238376235623861663735653434323637343734373262
+32666231336432663830323038663331633964663334623030373264303561326366326539323536
+36613732623937376162643132393733326439343438356135313138623366333762373536636337
+31343062336332383238303434653863623032343261623638616561663130396630363136373665
+32343633376433383331666237653338373563666133383537393465616439333161393534363861
+62313965366161386437326563336435653730653837616162643433646563393335363266653935
+34376538346532336637306330333034373434383032636231633339383036623466373637643730
+32336461303566333461333865313634373137343534356130333461633165643364616137653336
+35346132373839313536646230323635636437643630646535353535383838656461653838653031
+30363833306664343632396135383730306365306466643534303133383365363331633936333738
+62393066623563366264623234653036633337386234356634323133666665653866376664393962
+61353736303933623439303834646630346439666236353530396566306433363937613638376162
+32326635386332343161646430376663376131653536646539326561313234353566646633343464
+63386230653762376134633933363733326637336135653365656665613339383838623363353130
+30306165316136313039393231303939326233656333633133323934343833383632333535383362
+36333265623834643634633239363962323139363666376434623465316534653762653066353930
+62343662386431353830356638656534386262626130663466313937343732303338616330373632
+35396637646133346336666666316665373938663031363566373036306561623234323633313433
+65373133393166616366376536353731666262366163373037306433373138663131363232656563
+36376162636662373865626166656664333732656464356232633866313739383362303836616630
+30393430383539383735653130303530623134646436326633373233356334356439383566353630
+61636465366261393564663331633336313261663539376363623636303030396465636238636561
+66626465373238333931336231373738343430326361373634346463336538623433663564646665
+64323733626536303637376662613434353039666366306662653739366335333631356433656262
+37646664333339396236333464643436386663386532643934633730653434633731653463343464
+61376265373135336234636238626434663263353366386532316236646433623530363662376361
+37383963383730396334306433643731636365343935613061663739323361613962323039363534
+36363934356364396464346132633737633833306336663336363231383935323363633930303631
+37393534376233306335636239616330353164653232386536353966383433363134336366343738
+31303136663934663234313533316535633165343065396262626162343335653066393438656137
+62366666626462343839396364633261363835373461633362663139373335633165393336353834
+35393864393831336166383365663834616234353431383535373139386138373130356136663161
+38363936386366306437336164396262613635643037306665663035346364366439386366646231
+62333430613031326662393236383565376132366133653232313230643037346438636635623837
+62303434366461373130633137323038393933313230613163336532323031663434653334663338
+63643330306535306466313861653833373437386636356261623662636266323165383064626539
+63313563306135386235626666646561306163343736363733336139383537613031333538386362
+32643562386635623231666134373636393736346631356339626564316236656263653633343266
+65646562623836666136653962303534363335303233313262323235393539373563333530336363
+65623662346366613631373430353833336362393865643366353663323363373566393139633364
+37306361656661343031663736333465323534356439343266376464616534316439333761396666
+63633537616162393863306332363734663765626639613638396434333531316237373737636135
+6463623864656232343433396662323963366234653366656562
--- a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
+++ b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2020051101; serial
+					2021050601; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@ -13,6 +13,7 @@ $TTL 1h				; default time-to-live
 www				IN	A	213.166.246.4
 ; Aliases
 3dprinter			IN	A	172.23.3.251
+icinga				IN	A	172.23.2.6
 ldap				IN	A	172.23.2.3
 ldap				IN	A	172.23.2.4
 ldap				IN	A	213.166.246.2
--- a/roles/icinga/defaults/main.yml
+++ b/roles/icinga/defaults/main.yml
@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios
--- a/roles/icinga/handlers/main.yml
+++ b/roles/icinga/handlers/main.yml
@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart icinga2
+  service: name=icinga2 state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
--- a/roles/icinga/meta/main.yml
+++ b/roles/icinga/meta/main.yml
@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
--- a/roles/icinga/tasks/main.yml
+++ b/roles/icinga/tasks/main.yml
@ -0,0 +1,93 @@
+---
+
+- name: Enable icinga apt-key
+  apt_key: url='https://packages.icinga.com/icinga.key'
+
+- name: Enable icinga repository
+  apt_repository:
+    repo: 'deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main'
+    filename: icinga
+
+- name: Install icinga
+  apt:
+    name:
+    - php-pgsql
+    - icinga2
+    - icinga2-ido-pgsql
+    - icingaweb2
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python-psycopg2
+
+- name: Configure icinga database
+  postgresql_db: name={{ icinga_dbname }}
+  become: true
+  become_user: postgres
+  register: icinga_ido_db
+
+- name: Configure icinga database user
+  postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga
+# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file
+- name: Configure database schema
+  postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore
+  become: true
+  become_user: postgres
+  when: icinga_ido_db.changed
+
+- name: Configure icingaweb database
+  postgresql_db: name={{ icingaweb_dbname }}
+  become: true
+  become_user: postgres
+
+- name: Configure icingaweb database user
+  postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+- name: Configure icinga ido pgsql
+  template: src=ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
+- name: Enable icinga ido PostgreSQL
+  command: "icinga2 feature enable ido-pgsql"
+  register: features_result
+  changed_when: "'for these changes to take effect' in features_result.stdout"
+  notify: Restart icinga2
+
+- name: Create group icingaweb2
+  group: name=icingaweb2 system=yes
+
+- name: Add www-data to icingaweb2
+  user: name=www-data append=yes groups=icingaweb2
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt -days 730 -subj "/CN={{ icinga_domain }}" creates=/etc/nginx/ssl/{{ icinga_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ icinga_domain }}"
+
+- name: Configure certificate manager for icinga
+  template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
+  notify: Restart nginx
+
+- name: Start php7.3-fpm
+  service: name=php7.3-fpm state=started enabled=yes
--- a/roles/icinga/templates/certs.j2
+++ b/roles/icinga/templates/certs.j2
@ -0,0 +1,18 @@
+---
+
+{{ icinga_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ icinga_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ icinga_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
--- a/roles/icinga/templates/ido-pgsql.conf.j2
+++ b/roles/icinga/templates/ido-pgsql.conf.j2
@ -0,0 +1,13 @@
+/**
+ * The db_ido_pgsql library implements IDO functionality
+ * for PostgreSQL.
+ */
+
+library "db_ido_pgsql"
+
+object IdoPgsqlConnection "ido-pgsql" {
+  user = "{{ icinga_dbuser}}",
+  password = "{{ icinga_dbpass }}",
+  host = "localhost",
+  database = "{{ icinga_dbname }}"
+}
--- a/roles/icinga/templates/vhost.j2
+++ b/roles/icinga/templates/vhost.j2
@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ icinga_domain }};
+
+	location / {
+		return 301 https://{{ icinga_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ icinga_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
+
+	location ~ ^/icingaweb2/index\.php(.*)$ {
+		fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+		fastcgi_index index.php;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+		fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+		fastcgi_param REMOTE_USER $remote_user;
+	}
+
+	location ~ ^/icingaweb2(.+)? {
+		alias /usr/share/icingaweb2/public;
+		index index.php;
+		try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+	}
+
+}
--- a/site.yml
+++ b/site.yml
@ -34,6 +34,7 @@
 - name: Setup BK monitoring server
  hosts: nabia.binary.kitchen
  roles:
+  - icinga
  - librenms
  - prometheus