LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
387 Commits
12 Branches
967 KiB
Tree: fb7f6609f8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fb7f6609f8'
${ noResults }
lilik_playbook/roles/icinga2/tasks/main.yaml

198 lines
5.2 KiB
Raw Normal View History

simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
add icinga2
8 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
add icinga2
8 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
add icinga2
8 years ago
icinga2/roles: create conf.d/hosts dir
5 years ago
roles/icinga2: allow remote ssh agents
5 years ago
icinga2/roles: create conf.d/hosts dir
5 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
roles/icinga2: config backend ini -> pgsql (IcingaWeb2) Move configuration (user preferences) backend from INI files to a dedicated pgSQL db.
5 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
roles/icinga2: config backend ini -> pgsql (IcingaWeb2) Move configuration (user preferences) backend from INI files to a dedicated pgSQL db.
5 years ago
roles/icinga2: improve pgsql configuration - (Icinga2) Preseed correctly all the debconf variables to have IDO db created and populated by `icinga2-ido-pgsql` deb installation script. - (IcingaWeb2) Use a different user, `www-data`, with lower privileges, to access the IDO db in read-only mode. - Use everywhere socket (local ident) authentication to PostgreSQL to avoid local service password.
5 years ago
add icinga2
8 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
add icinga2
8 years ago
roles/icinga2: config backend ini -> pgsql (IcingaWeb2) Move configuration (user preferences) backend from INI files to a dedicated pgSQL db.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
add icinga2
8 years ago
roles/icinga2: ldap and configuration refactoring (IcingaWeb2) LDAP: - procedure to automatically issue service credetinals to authenticate with the ldap server. - starttls secured ldap connection with service account. - use of the variable `base_dn` instead of hard-coded values in config files. (IcingaWeb2) CONFIGURATION: - fixed rsync parameters. - resource renaming.
5 years ago
simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
simplify nginx role templating - remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago
roles/icinga2: fix nginx configuration (IcingaWeb2) Configuration issues fixed: - Missing `php-fpm` requirement. - Migrating php7.0 -> php 7.3 in nginx config location config file. - Fixed `rewrite` rule in nginx configuration: When usign `/icingaweb2` as rewrite target nginx automatically expand the redirect 302 response as `$scheme://$remote_host:$remote_port/icingaweb2`, causing connection to fail when behind a *reverse proxy*, because remote_post and remote_host are incorrect. - Remove hardcoded `status.lilik.it` in `meta/main.yaml`, `server_fqdn` is already defined in `defaults/main.yaml` as `{{ ansible_hostname }}.{{ domain }}`.
5 years ago
 
  1. ---

  2. # ***** Icinga2 *****

  3. - name: 'PGSQL | preseed IDO debconf variables'

  4.   # When icinga2-ido-pgsql is installed for the first time:

  5.   #  - db `icinga2` is automatically created as `postgres` user

  6.   #  - user `nagios` for socket authentication is created

  7.   #  - user `nagios` is granted privilegies on db `icinga2`

  8.   #  - db `icinga2` is populated with DB IDO schema

  9.   #  - pgsql is enabled as default DB IDO

  10.   debconf:

  11.       name: 'icinga2-ido-pgsql'

  12.       question: 'icinga2-ido-pgsql/{{ item[0] }}'

  13.       vtype: '{{ item[1] }}'

  14.       value: '{{ item[2] }}'

  15.   loop:

  16.     - [ 'dbconfig-install', 'boolean', 'true' ]

  17.     - [ 'enable', 'boolean', 'true' ]

  18.     - [ 'pgsql/authmethod-user', 'string', 'ident' ]

  19.     - [ 'pgsql/authmethod-admin', 'string', 'ident' ]

  20.     - [ 'pgsql/method', 'string', 'Unix socket' ]

  21.     - [ 'db/dbname', 'string', 'icinga2' ]

  22.     - [ 'db/app-user', 'string', 'nagios' ]

  23.     - [ 'dbconfig-reinstall', 'boolean', 'true' ]

  24. 

  25. - name: 'create icinga2 service role'

  26.   include_role: name='service'

  27.   vars:

  28.     service_name: 'icinga2'

  29.     service_packages:

  30.       - 'icinga2'

  31.       - 'icingacli'

  32.       - 'icinga2-ido-pgsql'

  33.       - 'monitoring-plugins'

  34.       - 'nagios-plugins-contrib'

  35. 

  36. - name: 'create directory for hosts configuration'

  37.   file:

  38.     path: '/etc/icinga2/conf.d/hosts/'

  39.     state: 'directory'

  40.     owner: 'nagios'

  41.     group: 'nagios'

  42.     mode: '0770'

  43. 

  44. - name: 'customize icinga2 host conf.d'

  45.   copy:

  46.     src: 'icinga2/{{ item }}'

  47.     dest: '/etc/icinga2/conf.d/{{ item }}'

  48.   notify: 'reload icinga2'

  49.   loop:

  50.     - 'templates.conf'

  51.     - 'services.conf'

  52.     - 'ssh_services.conf'

  53. 

  54. # ***** IcingaWeb2 *****

  55. - name: 'PGSQL | IcingaWeb2 tunings'

  56.   block:

  57.     - name: 'PGSQL | create IcingaWeb2 user preference DB'

  58.       postgresql_db:

  59.         name: 'icingaweb2'

  60.       register: icingaweb2_db

  61.     - name: 'PGSQL | create IcingaWeb2 socket authentication user'

  62.       postgresql_user:

  63.         db: 'icingaweb2'

  64.         name: 'www-data'

  65.         priv: 'ALL'

  66.     - name: 'PGSQL | GRANT CONNECT to IDO'

  67.       postgresql_privs:

  68.         db: 'icinga2'

  69.         privs: 'CONNECT'

  70.         type: 'database'

  71.         role: 'www-data'

  72.     - name: 'PGSQL | GRANT SCHEMA USAGE on IDO'

  73.       postgresql_privs:

  74.         db: 'icinga2'

  75.         privs: 'USAGE'

  76.         type: 'schema'

  77.         objs: 'public'

  78.         role: 'www-data'

  79.     - name: 'PGSQL | GRANT SELECT on all IDO tables (existing)'

  80.       postgresql_privs:

  81.         db: 'icinga2'

  82.         privs: 'SELECT'

  83.         type: 'table'

  84.         schema: 'public'

  85.         objs: 'ALL_IN_SCHEMA'

  86.         role: 'www-data'

  87.     - name: 'PGSQL | GRANT SELECT on all IDO tables (default privilege)'

  88.       postgresql_privs:

  89.         db: 'icinga2'

  90.         privs: 'SELECT'

  91.         type: 'default_privs'

  92.         schema: 'public'

  93.         objs: 'TABLES'

  94.         role: 'www-data'

  95.         target_roles: 'nagios'

  96.   become: true

  97.   become_method: 'su'

  98.   become_user: 'postgres'

  99. 

  100. 

  101. - name: 'install IcingaWeb2 packages'

  102.   apt:

  103.     pkg:

  104.       - 'icingaweb2'

  105.       - 'icingaweb2-module-monitoring'

  106.       - 'php-ldap'

  107.       - 'php-pgsql'

  108.       - 'php-intl'

  109.       - 'php-imagick'

  110.       - 'php-fpm'

  111.       - 'rsync'

  112.     state: 'present'

  113.     update_cache: true

  114.     cache_valid_time: 3600

  115.   tags:

  116.     - 'packages'

  117. 

  118. - name: 'PGSQL | populate IcingaWeb2 user preference DB'

  119.   shell: 'cat /usr/share/icingaweb2/etc/schema/pgsql.schema.sql | psql -d icingaweb2'

  120.   become: true

  121.   become_method: 'su'

  122.   become_flags: '-p'

  123.   become_user: 'www-data'

  124.   when: icingaweb2_db.changed

  125. 

  126. - name: 'LDAP | upload client root ca'

  127.   copy:

  128.     content: '{{ ldap_tls_server_ca }}'

  129.     dest: '/etc/ldap/server_ca.crt'

  130.   tags:

  131.     - 'tls_int'

  132. 

  133. - name: 'LDAP | configure client'

  134.   copy:

  135.     src: 'ldap.conf'

  136.     dest: '/etc/ldap/ldap.conf'

  137.   when: ldap_tls_enabled

  138. 

  139. - name: 'LDAP | generate client service password'

  140.   gen_passwd: 'length=32'

  141.   register: 'icingaweb2_ldap_passwd'

  142.   no_log: true

  143.   tags:

  144.     - 'service_password'

  145. 

  146. - name: 'LDAP | set client service password on server'

  147.   delegate_to: 'localhost'

  148.   ldap_passwd:

  149.     dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'

  150.     passwd: '{{ icingaweb2_ldap_passwd.passwd }}'

  151.     server_uri: 'ldap://{{ ldap_server }}'

  152.     start_tls: '{{ ldap_tls_enabled }}'

  153.     bind_dn: '{{ ldap_admin_dn }}'

  154.     bind_pw: '{{ ldap_admin_pw }}'

  155.   no_log: true

  156.   tags:

  157.     - 'service_password'

  158. 

  159. - name: 'configure IcingaWeb2 (static files)'

  160.   synchronize:

  161.     src: 'icingaweb2'

  162.     dest: '/etc'

  163.     rsync_opts:

  164.         - "--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx"

  165.         - "--chown=root:icingaweb2"

  166. 

  167. - name: 'create enabledModules folder'

  168.   file:

  169.     path: '/etc/icingaweb2/enabledModules/'

  170.     state: 'directory'

  171.     owner: 'root'

  172.     group: 'icingaweb2'

  173.     mode: '0770'

  174. 

  175. - name: 'enable IcingaWeb2 monitoring plugin'

  176.   file:

  177.     src: '/usr/share/icingaweb2/modules/monitoring'

  178.     dest: '/etc/icingaweb2/enabledModules/monitoring'

  179.     state: 'link'

  180. 

  181. - name: 'configure IcingaWeb2 (templates)'

  182.   template:

  183.     src: 'icingaweb2/{{ item }}.j2'

  184.     dest: '/etc/icingaweb2/{{ item }}'

  185.     owner: 'root'

  186.     group: 'icingaweb2'

  187.     mode: '0660'

  188.   loop:

  189.     - 'resources.ini'

  190.     - 'authentication.ini'

  191.     - 'groups.ini'

  192. 

  193. - name: 'NGINX | configure IcingaWeb2 locations'

  194.   template:

  195.     src: 'icinga.conf'

  196.     dest: "/etc/nginx/locations/{{ icingaweb2_nginx_fqdn }}/service.conf"

  197.   notify:

  198.     - 'reload nginx'