diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 7c3054c..5297e8c 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -40,6 +40,14 @@ hackmd_dbuser: hackmd hackmd_dbpass: "{{ vault_hackmd_dbpass }}" hackmd_secret: "{{ vault_hackmd_secret }}" +icinga_domain: icinga.binary.kitchen +icinga_dbname: icinga +icinga_dbuser: icinga +icinga_dbpass: "{{ vault_icinga_dbpass }}" +icingaweb_dbname: icingaweb +icingaweb_dbuser: icingaweb +icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}" + jitsi_domain: jitsi.binary-kitchen.de jitsi_admin_email: exxess@binary-kitchen.de diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 941848f..c272fd4 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,59 +1,63 @@ $ANSIBLE_VAULT;1.1;AES256 -37303932343462623335393066643531373533636435356462326537373532613534353266396435 -3636666364306637306266393933383963633032383265650a656563303332303134323135353239 -34633863333930316564633632313939643664373163373833636139366537646530383736343130 -6239373931306234620a353966346262646538306631656461613431636230333430663931643933 -31316362353439393838363666613932313635313864333135636530653238653162353033356437 -33353063363639346266313631393463623864636133623264613865336536613536343365386230 -65396263393862626139396430623134316632313637623631623762656139623664356331623066 -30323430613963313162616135303164663364336634326533346438373635366238356531613461 -30333736633965333163616437303566666239313962353531393530613265363833396136646262 -62633662666532396535316361303934613138373365633161393664313234663533363736323335 -38613762376234663564333333386265633138613839636132346638313430653639636339336239 -38633564333831326331326166666362353364303933393532643936313564386565643162623435 -36356437356631666137323039316430656566613436623062656562666139383635653039636463 -35393438323765303431333737356339343730303531333834306239366533393537626239376163 -31663332343136323264376234363264343136623365383833666638656531306362663462383033 -31633838643562613762363634653865353361303666363139636337386439626235336462653036 -30376461643839313665383430386534656265626139313034646438323861653530383637316139 -35313539636137303561646564616362313435666262343137616263396465356434363862323137 -38626464383039386139343665363538326539613837366437623362336639336133323463666235 -36346333356434363838363634343233323363333762653264333062656133623434666162356433 -37623862653862643335333931663063623166353534636430323230663838653532356335306632 -33646265343834363839653565326538353930663061376461646534386637376234646264343933 -65653763343236653630396238333232633461663333646531323337626235396231383931663264 -34363564366134663036643332346238373639646336396261316133326235636265323636663335 -35363537346466396432396162383131306438396431336138666663633132646662316165643333 -64633434623166343262623038623431343631333962663566303566393761653536303638643037 -63363963306139336235363537396432383131303763643966313937353537333739393031616439 -35343361646234663062633631323238656137373464386561656439313636613630323632616332 -39346239666266623038363066643865373762633532323431373431373165643662663661633365 -35353361383339623535336362313430616139396561623934346264323462663663383566393165 -35366637313861386465333530613530623832643333616538336436356134313832306139336361 -32393162373235356236343332363038393631626534643237383232323735633265333562633231 -61613164363962323236666365353830346664643263393532343562383736336535353364343638 -62386465323331653565306234646664393164666334383765336630346438633636353264636138 -31316231326236313839353465353230353935363330393035373234393039386134366534653636 -63323730383931353763383739393330316335373563393039366166313031373664636335363363 -38363131363565326431636361316562313037373664306333313366646336333162663664306539 -64636530363561393037373766383937616435313333653836363835383231633130396133663635 -36613531323732623264646666656139333766656562623430313964366236373663626135383437 -31643663663637613762313465656636396264623362643538323166356636303430613133383664 -66383332326437333638663562376665386237313533303437623765353661393561373338636130 -30383665333366643331366536646330633133643566393962633164643563613536363434393234 -66323931316535353632356432373262623962616264383430623436303637616165386433326231 -38633730636633643634343833313964653530663034333063313334636134646634363437346161 -32613061363032383732323263303830363532326239316538393739313730383530633862313039 -37653865303932313635656332663039376331393161623731623039653865623436363061626538 -32383934613335363534666461343135303235373262343634306130633536323839393139346662 -31623265323138353963623938616665383765366230656461383835346230346261623866366630 -65303965353432386136373562306434623739666262356663656266346439356435613362333563 -34366539353366346636376662363837303332373866323434366261326164633033353930383038 -36666433656365366663326163343034306439653262353733323232373133386436333637346563 -32626533336530633731336631333334353366306538663936643637346335303965626631316562 -33333061656234393661363766663630316662613764333231326434383465666234653238393965 -31636561396665383063613433653837363634623337623330666466353532633434383864343464 -38303436306165353433356536326466306530373635616531393462666336666435633235613937 -37343832333864643636366632623062363234633365326635386663376439383332306333653161 -34353830396165366534313334616161323461613066383561343563393330613464373862623062 -3536303066343262636636393861313539616636643339353562 +33623262383731376234653937386664383037396361353362313834636537396336633639666536 +3364666364333738623435623963643065353037386364300a326638303065303430373764386430 +62336230366431303138633764356562373432646233353335336232623764633135646430313832 +3337376266393632660a663664316131663332656334386434323865623665633132323164613664 +65326432376532343833353137616161383465393637666137356334333231313564336233326132 +63316137353437643261646332373539626532333738303333373131626261653433363838306566 +61633234663534646665363233366630333830383834363266396465383231306562636561393934 +39316637386233666261373463333935663765636466613766613736666536346363646538613862 +61373638643264623537393665353464646165363261356536366564383835346664633133363733 +61373965626238363461333861333766343561356436623234396334373763663162623963383335 +65326433323562303938363137343137653536373437656565323631626637643463353238323665 +30663831353464393334646232656465386439383064386362356666653165643566383334633731 +64383963356363333765623965626637346539613461653262313239653464363638323636633235 +31373936663563336433333032386134353739383131383631336136646163383038653135343635 +35373362613331396662346632356565636365636430313236386339633037316531363739383034 +39643033346530316164303237326462633661623766323062333433663661313166623332326332 +63646434373936623630643165313435393439653839623061633663336666376464366136626338 +33393333353331383837373661323236653530646438376165623130663634353562303733376536 +30353235303536336639393236656438663837323131393261626561303135626631346462383638 +32656435656134616439346134346564633238376235623861663735653434323637343734373262 +32666231336432663830323038663331633964663334623030373264303561326366326539323536 +36613732623937376162643132393733326439343438356135313138623366333762373536636337 +31343062336332383238303434653863623032343261623638616561663130396630363136373665 +32343633376433383331666237653338373563666133383537393465616439333161393534363861 +62313965366161386437326563336435653730653837616162643433646563393335363266653935 +34376538346532336637306330333034373434383032636231633339383036623466373637643730 +32336461303566333461333865313634373137343534356130333461633165643364616137653336 +35346132373839313536646230323635636437643630646535353535383838656461653838653031 +30363833306664343632396135383730306365306466643534303133383365363331633936333738 +62393066623563366264623234653036633337386234356634323133666665653866376664393962 +61353736303933623439303834646630346439666236353530396566306433363937613638376162 +32326635386332343161646430376663376131653536646539326561313234353566646633343464 +63386230653762376134633933363733326637336135653365656665613339383838623363353130 +30306165316136313039393231303939326233656333633133323934343833383632333535383362 +36333265623834643634633239363962323139363666376434623465316534653762653066353930 +62343662386431353830356638656534386262626130663466313937343732303338616330373632 +35396637646133346336666666316665373938663031363566373036306561623234323633313433 +65373133393166616366376536353731666262366163373037306433373138663131363232656563 +36376162636662373865626166656664333732656464356232633866313739383362303836616630 +30393430383539383735653130303530623134646436326633373233356334356439383566353630 +61636465366261393564663331633336313261663539376363623636303030396465636238636561 +66626465373238333931336231373738343430326361373634346463336538623433663564646665 +64323733626536303637376662613434353039666366306662653739366335333631356433656262 +37646664333339396236333464643436386663386532643934633730653434633731653463343464 +61376265373135336234636238626434663263353366386532316236646433623530363662376361 +37383963383730396334306433643731636365343935613061663739323361613962323039363534 +36363934356364396464346132633737633833306336663336363231383935323363633930303631 +37393534376233306335636239616330353164653232386536353966383433363134336366343738 +31303136663934663234313533316535633165343065396262626162343335653066393438656137 +62366666626462343839396364633261363835373461633362663139373335633165393336353834 +35393864393831336166383365663834616234353431383535373139386138373130356136663161 +38363936386366306437336164396262613635643037306665663035346364366439386366646231 +62333430613031326662393236383565376132366133653232313230643037346438636635623837 +62303434366461373130633137323038393933313230613163336532323031663434653334663338 +63643330306535306466313861653833373437386636356261623662636266323165383064626539 +63313563306135386235626666646561306163343736363733336139383537613031333538386362 +32643562386635623231666134373636393736346631356339626564316236656263653633343266 +65646562623836666136653962303534363335303233313262323235393539373563333530336363 +65623662346366613631373430353833336362393865643366353663323363373566393139633364 +37306361656661343031663736333465323534356439343266376464616534316439333761396666 +63633537616162393863306332363734663765626639613638396434333531316237373737636135 +6463623864656232343433396662323963366234653366656562 diff --git a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 index 86f45e5..0a0a7b5 100644 --- a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 +++ b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 @@ -1,7 +1,7 @@ $ORIGIN binary.kitchen ; base for unqualified names $TTL 1h ; default time-to-live @ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. ( - 2020051101; serial + 2021050601; serial 1d; refresh 2h; retry 4w; expire @@ -13,6 +13,7 @@ $TTL 1h ; default time-to-live www IN A 213.166.246.4 ; Aliases 3dprinter IN A 172.23.3.251 +icinga IN A 172.23.2.6 ldap IN A 172.23.2.3 ldap IN A 172.23.2.4 ldap IN A 213.166.246.2 diff --git a/roles/icinga/defaults/main.yml b/roles/icinga/defaults/main.yml new file mode 100644 index 0000000..3fccf20 --- /dev/null +++ b/roles/icinga/defaults/main.yml @@ -0,0 +1,4 @@ +--- + +icinga_user: nagios +icinga_group: nagios diff --git a/roles/icinga/handlers/main.yml b/roles/icinga/handlers/main.yml new file mode 100644 index 0000000..4462113 --- /dev/null +++ b/roles/icinga/handlers/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Run acertmgr + command: /usr/bin/acertmgr + +- name: Restart icinga2 + service: name=icinga2 state=restarted + +- name: Restart nginx + service: name=nginx state=restarted diff --git a/roles/icinga/meta/main.yml b/roles/icinga/meta/main.yml new file mode 100644 index 0000000..8fcf724 --- /dev/null +++ b/roles/icinga/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: +- { role: acertmgr } +- { role: nginx, nginx_ssl: True } diff --git a/roles/icinga/tasks/main.yml b/roles/icinga/tasks/main.yml new file mode 100644 index 0000000..76d1f6d --- /dev/null +++ b/roles/icinga/tasks/main.yml @@ -0,0 +1,93 @@ +--- + +- name: Enable icinga apt-key + apt_key: url='https://packages.icinga.com/icinga.key' + +- name: Enable icinga repository + apt_repository: + repo: 'deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main' + filename: icinga + +- name: Install icinga + apt: + name: + - php-pgsql + - icinga2 + - icinga2-ido-pgsql + - icingaweb2 + +- name: Install PostgreSQL + apt: + name: + - postgresql + - python-psycopg2 + +- name: Configure icinga database + postgresql_db: name={{ icinga_dbname }} + become: true + become_user: postgres + register: icinga_ido_db + +- name: Configure icinga database user + postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present + become: true + become_user: postgres + +# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga +# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file +- name: Configure database schema + postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore + become: true + become_user: postgres + when: icinga_ido_db.changed + +- name: Configure icingaweb database + postgresql_db: name={{ icingaweb_dbname }} + become: true + become_user: postgres + +- name: Configure icingaweb database user + postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present + become: true + become_user: postgres + +- name: Configure icinga ido pgsql + template: src=ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }} + notify: Restart icinga2 + +- name: Enable icinga ido PostgreSQL + command: "icinga2 feature enable ido-pgsql" + register: features_result + changed_when: "'for these changes to take effect' in features_result.stdout" + notify: Restart icinga2 + +- name: Create group icingaweb2 + group: name=icingaweb2 system=yes + +- name: Add www-data to icingaweb2 + user: name=www-data append=yes groups=icingaweb2 + +- name: Ensure certificates are available + command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt -days 730 -subj "/CN={{ icinga_domain }}" creates=/etc/nginx/ssl/{{ icinga_domain }}.crt + notify: Restart nginx + +- name: Request nsupdate key for certificate + include_role: name=acme-dnskey-generate + vars: + acme_dnskey_san_domains: + - "{{ icinga_domain }}" + +- name: Configure certificate manager for icinga + template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf + notify: Run acertmgr + +- name: Configure vhost + template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga + notify: Restart nginx + +- name: Enable vhost + file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link + notify: Restart nginx + +- name: Start php7.3-fpm + service: name=php7.3-fpm state=started enabled=yes diff --git a/roles/icinga/templates/certs.j2 b/roles/icinga/templates/certs.j2 new file mode 100644 index 0000000..2f92b19 --- /dev/null +++ b/roles/icinga/templates/certs.j2 @@ -0,0 +1,18 @@ +--- + +{{ icinga_domain }}: +- mode: dns.nsupdate + nsupdate_server: {{ acme_dnskey_server }} + nsupdate_keyfile: {{ acme_dnskey_file }} +- path: /etc/nginx/ssl/{{ icinga_domain }}.key + user: root + group: root + perm: '400' + format: key + action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ icinga_domain }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' diff --git a/roles/icinga/templates/ido-pgsql.conf.j2 b/roles/icinga/templates/ido-pgsql.conf.j2 new file mode 100644 index 0000000..fcd808f --- /dev/null +++ b/roles/icinga/templates/ido-pgsql.conf.j2 @@ -0,0 +1,13 @@ +/** + * The db_ido_pgsql library implements IDO functionality + * for PostgreSQL. + */ + +library "db_ido_pgsql" + +object IdoPgsqlConnection "ido-pgsql" { + user = "{{ icinga_dbuser}}", + password = "{{ icinga_dbpass }}", + host = "localhost", + database = "{{ icinga_dbname }}" +} diff --git a/roles/icinga/templates/vhost.j2 b/roles/icinga/templates/vhost.j2 new file mode 100644 index 0000000..c20e462 --- /dev/null +++ b/roles/icinga/templates/vhost.j2 @@ -0,0 +1,36 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ icinga_domain }}; + + location / { + return 301 https://{{ icinga_domain }}$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ icinga_domain }}; + + ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt; + + location ~ ^/icingaweb2/index\.php(.*)$ { + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php; + fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2; + fastcgi_param REMOTE_USER $remote_user; + } + + location ~ ^/icingaweb2(.+)? { + alias /usr/share/icingaweb2/public; + index index.php; + try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args; + } + +} diff --git a/site.yml b/site.yml index e5b2ae2..a37578a 100644 --- a/site.yml +++ b/site.yml @@ -34,6 +34,7 @@ - name: Setup BK monitoring server hosts: nabia.binary.kitchen roles: + - icinga - librenms - prometheus