LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
411 Commits
12 Branches
967 KiB
Tree: 6db052e8a7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6db052e8a7'
${ noResults }
lilik_playbook/roles/icinga2/tasks/main.yaml

277 lines
7.2 KiB
Raw Normal View History

simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
add icinga2
8 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
add icinga2
8 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
add icinga2
8 years ago
icinga2/roles: create conf.d/hosts dir
5 years ago
roles/icinga2: allow remote ssh agents
5 years ago
roles/icinga2: new templates configuration Improved automatic settings for ssh agent. Load and mem services against `physical` machine and not lxc guest.
5 years ago
icinga2/roles: create conf.d/hosts dir
5 years ago
roles/icinga2: issue client ssh key for icinga user So that ssh-agent Host can be actively monitored by the Icinga controller.
5 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
roles/icinga2: config backend ini -> pgsql (IcingaWeb2) Move configuration (user preferences) backend from INI files to a dedicated pgSQL db.
5 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
roles/icinga2: config backend ini -> pgsql (IcingaWeb2) Move configuration (user preferences) backend from INI files to a dedicated pgSQL db.
5 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
add icinga2
8 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
add icinga2
8 years ago
roles/icinga2: config backend ini -> pgsql (IcingaWeb2) Move configuration (user preferences) backend from INI files to a dedicated pgSQL db.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
monitoring: new host template
5 years ago
roles/icinga2: issue client ssh key for icinga user So that ssh-agent Host can be actively monitored by the Icinga controller.
5 years ago
 
  1. ---

  2. # ***** Icinga2 *****

  3. - name: 'PGSQL | preseed IDO debconf variables'

  4.   # When icinga2-ido-pgsql is installed for the first time:

  5.   #  - db `icinga2` is automatically created as `postgres` user

  6.   #  - user `nagios` for socket authentication is created

  7.   #  - user `nagios` is granted privilegies on db `icinga2`

  8.   #  - db `icinga2` is populated with DB IDO schema

  9.   #  - pgsql is enabled as default DB IDO

  10.   debconf:

  11.       name: 'icinga2-ido-pgsql'

  12.       question: 'icinga2-ido-pgsql/{{ item[0] }}'

  13.       vtype: '{{ item[1] }}'

  14.       value: '{{ item[2] }}'

  15.   loop:

  16.     - [ 'dbconfig-install', 'boolean', 'true' ]

  17.     - [ 'enable', 'boolean', 'true' ]

  18.     - [ 'pgsql/authmethod-user', 'string', 'ident' ]

  19.     - [ 'pgsql/authmethod-admin', 'string', 'ident' ]

  20.     - [ 'pgsql/method', 'string', 'Unix socket' ]

  21.     - [ 'db/dbname', 'string', 'icinga2' ]

  22.     - [ 'db/app-user', 'string', 'nagios' ]

  23.     - [ 'dbconfig-reinstall', 'boolean', 'true' ]

  24. 

  25. - name: 'create icinga2 service role'

  26.   include_role: name='service'

  27.   vars:

  28.     service_name: 'icinga2'

  29.     service_packages:

  30.       - 'icinga2'

  31.       - 'icingacli'

  32.       - 'icinga2-ido-pgsql'

  33.       - 'monitoring-plugins'

  34.       - 'nagios-plugins-contrib'

  35. 

  36. - name: 'create directory for hosts configuration'

  37.   file:

  38.     path: '/etc/icinga2/conf.d/hosts/'

  39.     state: 'directory'

  40.     owner: 'nagios'

  41.     group: 'nagios'

  42.     mode: '0770'

  43. 

  44. - name: 'customize icinga2 host conf.d'

  45.   copy:

  46.     src: 'icinga2/{{ item }}'

  47.     dest: '/etc/icinga2/conf.d/{{ item }}'

  48.   notify: 'reload icinga2'

  49.   loop:

  50.     - 'templates.conf'

  51.     - 'services.conf'

  52.     - 'apt.conf'

  53. 

  54. - name: 'disable local host conf.d'

  55.   file:

  56.     path: '/etc/icinga2/conf.d/hosts.conf'

  57.     state: 'absent'

  58.   notify: 'reload icinga2'

  59. 

  60. - name: 'create icinga2 ssh config dir'

  61.   file:

  62.     path: '/var/lib/nagios/.ssh'

  63.     owner: 'nagios'

  64.     group: 'nagios'

  65.     mode: '0700'

  66.     state: 'directory'

  67.   tags:

  68.     - 'ssh_certs'

  69. 

  70. - name: 'upload user ssh ca'

  71.   copy:

  72.     content: |

  73.       {% for ca in ssh_user_ca %}

  74.       {{ ca }}

  75.       {% endfor %}

  76.     dest: '/var/lib/nagios/.ssh/user_ca.pub'

  77.   tags:

  78.     - 'ssh_certs'

  79. 

  80. - name: 'upload host ssh ca'

  81.   copy:

  82.     content: |

  83.       {% for ca in ssh_server_ca %}

  84.       @cert-authority *.dmz.{{ domain }} {{ ca }}

  85.       {% endfor %}

  86.     dest: '/var/lib/nagios/.ssh/known_hosts'

  87.     owner: 'nagios'

  88.     group: 'nagios'

  89.   tags:

  90.     - 'ssh_certs'

  91. 

  92. - name: 'generate and sign ssh user cert for icinga'

  93.   import_role: name='ca_cert'

  94.   vars:

  95.     ca_cert_common_name: 'icinga'

  96.     ca_cert_proto: 'ssh'

  97.     ca_cert_client: true

  98.     ca_cert_ssh_ca_path: '/var/lib/nagios/.ssh/user_ca.pub'

  99.     ca_cert_ssh_key_path: '/var/lib/nagios/.ssh/id_ed25519'

  100.   tags:

  101.     - 'ssh_certs'

  102. 

  103. - name: 'set private key ownership'

  104.   file:

  105.     path: '/var/lib/nagios/.ssh/id_ed25519'

  106.     owner: 'nagios'

  107.     group: 'nagios'

  108.   tags:

  109.     - 'ssh_certs'

  110. 

  111. # ***** IcingaWeb2 *****

  112. - name: 'PGSQL | IcingaWeb2 tunings'

  113.   block:

  114.     - name: 'PGSQL | create IcingaWeb2 user preference DB'

  115.       postgresql_db:

  116.         name: 'icingaweb2'

  117.       register: icingaweb2_db

  118.     - name: 'PGSQL | create IcingaWeb2 socket authentication user'

  119.       postgresql_user:

  120.         db: 'icingaweb2'

  121.         name: 'www-data'

  122.         priv: 'ALL'

  123.     - name: 'PGSQL | GRANT CONNECT to IDO'

  124.       postgresql_privs:

  125.         db: 'icinga2'

  126.         privs: 'CONNECT'

  127.         type: 'database'

  128.         role: 'www-data'

  129.     - name: 'PGSQL | GRANT SCHEMA USAGE on IDO'

  130.       postgresql_privs:

  131.         db: 'icinga2'

  132.         privs: 'USAGE'

  133.         type: 'schema'

  134.         objs: 'public'

  135.         role: 'www-data'

  136.     - name: 'PGSQL | GRANT SELECT on all IDO tables (existing)'

  137.       postgresql_privs:

  138.         db: 'icinga2'

  139.         privs: 'SELECT'

  140.         type: 'table'

  141.         schema: 'public'

  142.         objs: 'ALL_IN_SCHEMA'

  143.         role: 'www-data'

  144.     - name: 'PGSQL | GRANT SELECT on all IDO tables (default privilege)'

  145.       postgresql_privs:

  146.         db: 'icinga2'

  147.         privs: 'SELECT'

  148.         type: 'default_privs'

  149.         schema: 'public'

  150.         objs: 'TABLES'

  151.         role: 'www-data'

  152.         target_roles: 'nagios'

  153.   become: true

  154.   become_method: 'su'

  155.   become_user: 'postgres'

  156. 

  157. 

  158. - name: 'install IcingaWeb2 packages'

  159.   apt:

  160.     pkg:

  161.       - 'icingaweb2'

  162.       - 'icingaweb2-module-monitoring'

  163.       - 'php-ldap'

  164.       - 'php-pgsql'

  165.       - 'php-intl'

  166.       - 'php-imagick'

  167.       - 'php-fpm'

  168.       - 'rsync'

  169.     state: 'present'

  170.     update_cache: true

  171.     cache_valid_time: 3600

  172.   tags:

  173.     - 'packages'

  174. 

  175. - name: 'PGSQL | populate IcingaWeb2 user preference DB'

  176.   shell: 'cat /usr/share/icingaweb2/etc/schema/pgsql.schema.sql | psql -d icingaweb2'

  177.   become: true

  178.   become_method: 'su'

  179.   become_flags: '-p'

  180.   become_user: 'www-data'

  181.   when: icingaweb2_db.changed

  182. 

  183. - name: 'LDAP | upload client root ca'

  184.   copy:

  185.     content: '{{ ldap_tls_server_ca }}'

  186.     dest: '/etc/ldap/server_ca.crt'

  187.   tags:

  188.     - 'tls_int'

  189. 

  190. - name: 'LDAP | configure client'

  191.   copy:

  192.     src: 'ldap.conf'

  193.     dest: '/etc/ldap/ldap.conf'

  194.   when: ldap_tls_enabled

  195. 

  196. - name: 'LDAP | generate client service password'

  197.   gen_passwd: 'length=32'

  198.   register: 'icingaweb2_ldap_passwd'

  199.   no_log: true

  200.   tags:

  201.     - 'service_password'

  202. 

  203. - name: 'LDAP | set client service password on server'

  204.   delegate_to: 'localhost'

  205.   ldap_passwd:

  206.     dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'

  207.     passwd: '{{ icingaweb2_ldap_passwd.passwd }}'

  208.     server_uri: 'ldap://{{ ldap_server }}'

  209.     start_tls: '{{ ldap_tls_enabled }}'

  210.     bind_dn: '{{ ldap_admin_dn }}'

  211.     bind_pw: '{{ ldap_admin_pw }}'

  212.   no_log: true

  213.   tags:

  214.     - 'service_password'

  215. 

  216. - name: 'configure IcingaWeb2 (static files)'

  217.   synchronize:

  218.     src: 'icingaweb2'

  219.     dest: '/etc'

  220.     rsync_opts:

  221.         - "--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx"

  222.         - "--chown=root:icingaweb2"

  223. 

  224. - name: 'create enabledModules folder'

  225.   file:

  226.     path: '/etc/icingaweb2/enabledModules/'

  227.     state: 'directory'

  228.     owner: 'root'

  229.     group: 'icingaweb2'

  230.     mode: '0770'

  231. 

  232. - name: 'enable IcingaWeb2 monitoring plugin'

  233.   file:

  234.     src: '/usr/share/icingaweb2/modules/monitoring'

  235.     dest: '/etc/icingaweb2/enabledModules/monitoring'

  236.     state: 'link'

  237. 

  238. - name: 'configure IcingaWeb2 (templates)'

  239.   template:

  240.     src: 'icingaweb2/{{ item }}.j2'

  241.     dest: '/etc/icingaweb2/{{ item }}'

  242.     owner: 'root'

  243.     group: 'icingaweb2'

  244.     mode: '0660'

  245.   loop:

  246.     - 'resources.ini'

  247.     - 'authentication.ini'

  248.     - 'groups.ini'

  249. 

  250. - name: 'NGINX | configure IcingaWeb2 locations'

  251.   template:

  252.     src: 'icinga.conf'

  253.     dest: "/etc/nginx/locations/{{ icingaweb2_nginx_fqdn }}/service.conf"

  254.   notify:

  255.     - 'reload nginx'

  256. 

  257. - name: 'MONITORING | add HTTP service'

  258.   block:

  259.     - name: 'MONITORING | add service to monitoring entry'

  260.       set_fact:

  261.         monitoring_entry: >

  262.           {{ monitoring_entry | default({}) | combine({

  263.              'address': ansible_host,

  264.              'vhosts_uri': { icingaweb2_nginx_fqdn: {'/icingaweb2': { 'onredirect': 'ok' }} },

  265.              }, recursive=true) }}

  266.     - name: 'MONITORING | update monitoring facts'

  267.       set_fact:

  268.         monitoring_facts: >

  269.           {{ hostvars[monitoring_host]['monitoring_facts']

  270.                | default({})

  271.                | combine({host_fqdn: monitoring_entry}) }}

  272.       delegate_facts: true

  273.       delegate_to: '{{ monitoring_host }}'

  274.   tags:

  275.     - 'monitoring'

  276. 

  277. ...