lilik_playbook/roles/icinga2/tasks/main.yaml

---
# ***** Icinga2 *****
- name: 'PGSQL | preseed IDO debconf variables'
  # When icinga2-ido-pgsql is installed for the first time:
  #  - db `icinga2` is automatically created as `postgres` user
  #  - user `nagios` for socket authentication is created
  #  - user `nagios` is granted privilegies on db `icinga2`
  #  - db `icinga2` is populated with DB IDO schema
  #  - pgsql is enabled as default DB IDO
  debconf:
      name: 'icinga2-ido-pgsql'
      question: 'icinga2-ido-pgsql/{{ item[0] }}'
      vtype: '{{ item[1] }}'
      value: '{{ item[2] }}'
  loop:
    - [ 'dbconfig-install', 'boolean', 'true' ]
    - [ 'enable', 'boolean', 'true' ]
    - [ 'pgsql/authmethod-user', 'string', 'ident' ]
    - [ 'pgsql/authmethod-admin', 'string', 'ident' ]
    - [ 'pgsql/method', 'string', 'Unix socket' ]
    - [ 'db/dbname', 'string', 'icinga2' ]
    - [ 'db/app-user', 'string', 'nagios' ]
    - [ 'dbconfig-reinstall', 'boolean', 'true' ]

- name: 'create icinga2 service role'
  include_role: name='service'
  vars:
    service_name: 'icinga2'
    service_packages:
      - 'icinga2'
      - 'icingacli'
      - 'icinga2-ido-pgsql'
      - 'monitoring-plugins'
      - 'libnet-ldap-perl'
#      - 'nagios-plugins-contrib'

- name: 'install extra monitoring plugins'
  copy:
    src: '{{ item }}'
    dest: '/usr/lib/nagios/plugins/{{ item }}'
    mode: '0755'
    owner: 'nagios'
    group: 'nagios'
  loop:
    - 'check_ldap_syncrepl_status.pl'
    - 'check_backup.sh'

- name: 'create directory for hosts configuration'
  file:
    path: '/etc/icinga2/conf.d/hosts/'
    state: 'directory'
    owner: 'nagios'
    group: 'nagios'
    mode: '0770'

- name: 'customize icinga2 host conf.d'
  copy:
    src: 'icinga2/{{ item }}'
    dest: '/etc/icinga2/conf.d/{{ item }}'
  notify: 'reload icinga2'
  loop:
    - 'templates.conf'
    - 'services.conf'
    - 'apt.conf'
    - 'command-ldapsync.conf'
    - 'command-backup.conf'
- name: 'disable local host conf.d'
  file:
    path: '/etc/icinga2/conf.d/hosts.conf'
    state: 'absent'
  notify: 'reload icinga2'

- name: 'create icinga2 ssh config dir'
  file:
    path: '/var/lib/nagios/.ssh'
    owner: 'nagios'
    group: 'nagios'
    mode: '0700'
    state: 'directory'
  tags:
    - 'ssh_certs'

- name: 'upload user ssh ca'
  copy:
    content: |
      {% for ca in ssh_user_ca %}
      {{ ca }}
      {% endfor %}
    dest: '/var/lib/nagios/.ssh/user_ca.pub'
  tags:
    - 'ssh_certs'

- name: 'upload host ssh ca'
  copy:
    content: |
      {% for ca in ssh_server_ca %}
      @cert-authority *.dmz.{{ domain }} {{ ca }}
      {% endfor %}
    dest: '/var/lib/nagios/.ssh/known_hosts'
    owner: 'nagios'
    group: 'nagios'
  tags:
    - 'ssh_certs'

- name: 'generate and sign ssh user cert for icinga'
  import_role: name='ca_cert'
  vars:
    ca_cert_common_name: 'icinga'
    ca_cert_proto: 'ssh'
    ca_cert_client: true
    ca_cert_ssh_ca_path: '/var/lib/nagios/.ssh/user_ca.pub'
    ca_cert_ssh_key_path: '/var/lib/nagios/.ssh/id_ed25519'
  tags:
    - 'ssh_certs'

- name: 'set private key ownership'
  file:
    path: '/var/lib/nagios/.ssh/id_ed25519'
    owner: 'nagios'
    group: 'nagios'
  tags:
    - 'ssh_certs'

# ***** IcingaWeb2 *****
- name: 'PGSQL | IcingaWeb2 tunings'
  block:
    - name: 'PGSQL | create IcingaWeb2 user preference DB'
      postgresql_db:
        name: 'icingaweb2'
      register: icingaweb2_db
    - name: 'PGSQL | create IcingaWeb2 socket authentication user'
      postgresql_user:
        db: 'icingaweb2'
        name: 'www-data'
        priv: 'ALL'
    - name: 'PGSQL | GRANT CONNECT to IDO'
      postgresql_privs:
        db: 'icinga2'
        privs: 'CONNECT'
        type: 'database'
        role: 'www-data'
    - name: 'PGSQL | GRANT SCHEMA USAGE on IDO'
      postgresql_privs:
        db: 'icinga2'
        privs: 'USAGE'
        type: 'schema'
        objs: 'public'
        role: 'www-data'
    - name: 'PGSQL | GRANT SELECT on all IDO tables (existing)'
      postgresql_privs:
        db: 'icinga2'
        privs: 'SELECT'
        type: 'table'
        schema: 'public'
        objs: 'ALL_IN_SCHEMA'
        role: 'www-data'
    - name: 'PGSQL | GRANT SELECT on all IDO tables (default privilege)'
      postgresql_privs:
        db: 'icinga2'
        privs: 'SELECT'
        type: 'default_privs'
        schema: 'public'
        objs: 'TABLES'
        role: 'www-data'
        target_roles: 'nagios'
  become: true
  become_method: 'su'
  become_user: 'postgres'


- name: 'install IcingaWeb2 packages'
  apt:
    pkg:
      - 'icingaweb2'
      - 'icingaweb2-module-monitoring'
      - 'php-ldap'
      - 'php-pgsql'
      - 'php-intl'
      - 'php-imagick'
      - 'php-fpm'
      - 'rsync'
    state: 'present'
    update_cache: true
    cache_valid_time: 3600
  tags:
    - 'packages'

- name: 'PGSQL | populate IcingaWeb2 user preference DB'
  shell: 'cat /usr/share/icingaweb2/etc/schema/pgsql.schema.sql | psql -d icingaweb2'
  become: true
  become_method: 'su'
  become_flags: '-p'
  become_user: 'www-data'
  when: icingaweb2_db.changed

- name: 'LDAP | upload client root ca'
  copy:
    content: '{{ ldap_tls_server_ca }}'
    dest: '/etc/ldap/server_ca.crt'
  tags:
    - 'tls_int'

- name: 'LDAP | configure client'
  copy:
    src: 'ldap.conf'
    dest: '/etc/ldap/ldap.conf'
  when: ldap_tls_enabled

- name: 'LDAP | generate client service password'
  gen_passwd: 'length=32'
  register: 'icingaweb2_ldap_passwd'
  no_log: true
  tags:
    - 'service_password'

- name: 'LDAP | set client service password on server'
  delegate_to: 'localhost'
  ldap_passwd:
    dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'
    passwd: '{{ icingaweb2_ldap_passwd.passwd }}'
    server_uri: 'ldap://{{ ldap_server }}'
    start_tls: '{{ ldap_tls_enabled }}'
    bind_dn: '{{ ldap_admin_dn }}'
    bind_pw: '{{ ldap_admin_pw }}'
  no_log: true
  tags:
    - 'service_password'

- name: 'configure IcingaWeb2 (static files)'
  synchronize:
    src: 'icingaweb2'
    dest: '/etc'
    rsync_opts:
        - "--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx"
        - "--chown=root:icingaweb2"

- name: 'create enabledModules folder'
  file:
    path: '/etc/icingaweb2/enabledModules/'
    state: 'directory'
    owner: 'root'
    group: 'icingaweb2'
    mode: '0770'

- name: 'enable IcingaWeb2 monitoring plugin'
  file:
    src: '/usr/share/icingaweb2/modules/monitoring'
    dest: '/etc/icingaweb2/enabledModules/monitoring'
    state: 'link'

- name: 'configure IcingaWeb2 (templates)'
  template:
    src: 'icingaweb2/{{ item }}.j2'
    dest: '/etc/icingaweb2/{{ item }}'
    owner: 'root'
    group: 'icingaweb2'
    mode: '0660'
  loop:
    - 'resources.ini'
    - 'authentication.ini'
    - 'groups.ini'

- name: 'NGINX | configure IcingaWeb2 locations'
  template:
    src: 'icinga.conf'
    dest: "/etc/nginx/locations/{{ icingaweb2_nginx_fqdn }}/service.conf"
  notify:
    - 'reload nginx'

- name: 'MONITORING | add HTTP service'
  block:
    - name: 'MONITORING | add service to monitoring entry'
      set_fact:
        monitoring_entry: >
          {{ monitoring_entry | default({}) | combine({
             'address': ansible_host,
             'vhosts_uri': { icingaweb2_nginx_fqdn: {'/icingaweb2': { 'onredirect': 'ok' }} },
             }, recursive=true) }}
    - name: 'MONITORING | update monitoring facts'
      set_fact:
        monitoring_facts: >
          {{ hostvars[monitoring_host]['monitoring_facts']
               | default({})
               | combine({host_fqdn: monitoring_entry}) }}
      delegate_facts: true
      delegate_to: '{{ monitoring_host }}'
  tags:
    - 'monitoring'

...