
roles/icinga2: ldap and configuration refactoring

(IcingaWeb2) LDAP:

- procedure to automatically issue service credentials to authenticate
  with the ldap server.

- starttls secured ldap connection with service account.

- use of the variable `base_dn` instead of hard-coded values in config
  files.

(IcingaWeb2) CONFIGURATION:

- fixed rsync parameters.

- resource renaming.
python3
Zolfa 5 years ago
parent
commit
5c42bb0093
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
8 changed files with 121 additions and 46 deletions
  1. +6
    -0
      roles/icinga2/defaults/main.yaml
  2. +0
    -7
      roles/icinga2/files/icingaweb2/authentication.ini
  3. +2
    -2
      roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
  4. +22
    -0
      roles/icinga2/files/ldap.conf
  5. +58
    -23
      roles/icinga2/tasks/main.yaml
  6. +7
    -0
      roles/icinga2/templates/icingaweb2/authentication.ini.j2
  7. +5
    -4
      roles/icinga2/templates/icingaweb2/groups.ini.j2
  8. +21
    -10
      roles/icinga2/templates/icingaweb2/resources.ini.j2

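--- a/roles/icinga2/defaults/main.yaml
+++ b/roles/icinga2/defaults/main.yaml
@@ -0,0 +1,6 @@
+---
+server_fqdn: '{{ ansible_hostname }}.{{ domain }}'
+ldap_server: 'ldap1.dmz.{{ domain }}'
+ldap_basedn: 'dc={{ domain.replace(".", ",dc=") }}'
+ldap_tls_enabled: true
+...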
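Review bot: The new defaults carry no comments on what they control; `ldap_tls_enabled` in particular gates both the install of /etc/ldap/ldap.conf and the `start_tls` of the `ldap_passwd` task in tasks/main.yaml, while the IcingaWeb2 resource template hard-codes `encryption = "starttls"`, so a reader of this file cannot tell what `false` would change. Suggest a comment above it such as `# ldap_tls_enabled: installs /etc/ldap/ldap.conf (CA pinning) and uses STARTTLS when setting the service password; Icinga Web 2 always uses STARTTLS`. `ldap_admin_dn` and `ldap_admin_pw`, referenced by the `ldap_passwd` task, have no default here and are presumably expected from inventory or vault; a commented placeholder line naming them would document that requirement.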

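--- a/roles/icinga2/files/icingaweb2/authentication.ini
+++ b/roles/icinga2/files/icingaweb2/authentication.ini
@@ -1,7 +0,0 @@
-[icingaweb2]
-user_class = "inetOrgPerson"
-filter = ""
-user_name_attribute = "uid"
-backend = "ldap"
-base_dn = "o=People,dc=lilik,dc=it"
-resource = "icingaweb_ldap"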

+ 2
- 2
roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini View File

@ -1,3 +1,3 @@
[icinga]
[icinga2]
type = "ido"
resource = "icinga_ido"
resource = "icingaweb2-ido-pgsql"

+ 22
- 0
roles/icinga2/files/ldap.conf View File

@ -0,0 +1,22 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/root_ca.crt
#TLS_CERT /etc/ldap/ldap.crt
#TLS_KEY /etc/ldap/ldap.key
# TLSv1.3 Only
TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3
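Review bot: ldap.conf relies on the library default for server certificate verification; adding `TLS_REQCERT demand` next to `TLS_CACERT /etc/ldap/root_ca.crt` makes explicit that a server certificate not chaining to root_ca.crt must abort the STARTTLS handshake, and guards against a distribution shipping a weaker default in its own ldap.conf. The `TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3` value is a GnuTLS priority string, so the file presumably assumes a GnuTLS-linked libldap (as on Debian); a comment noting that dependency, e.g. `# GnuTLS priority string; an OpenSSL-linked libldap will reject this line`, would help if the role is ever run on another distribution. The rendered hunk shows 16 of the declared 22 lines, so blank lines were likely dropped in this view.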

+ 58
- 23
roles/icinga2/tasks/main.yaml View File

@ -64,43 +64,78 @@
register: icinga2_features
changed_when: "'Enabling' in icinga2_features.stdout"
notify: restart icinga2
- name: 'LDAP | upload client root ca'
copy:
content: '{{ tls_root_ca }}'
dest: '/etc/ldap/root_ca.crt'
tags:
- 'tls_int'
- name: copy icingaweb2 configuration
- name: 'LDAP | configure client'
copy:
src: 'ldap.conf'
dest: '/etc/ldap/ldap.conf'
when: ldap_tls_enabled
- name: 'LDAP | generate client service password'
gen_passwd: 'length=32'
register: 'new_passwd'
no_log: true
tags:
- 'service_password'
- name: 'LDAP | set client service password on server'
delegate_to: 'localhost'
ldap_passwd:
dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}'
passwd: '{{ new_passwd.passwd }}'
server_uri: 'ldap://{{ ldap_server }}'
start_tls: '{{ ldap_tls_enabled }}'
bind_dn: '{{ ldap_admin_dn }}'
bind_pw: '{{ ldap_admin_pw }}'
no_log: true
tags:
- 'service_password'
- name: 'configure IcingaWeb2 (static files)'
synchronize:
src: icingaweb2
dest: /etc
src: 'icingaweb2'
dest: '/etc'
rsync_opts:
- "--chmod Du=rwx,Dg=rwx,Do=,Fu=rw,Fg=rw,Fo= "
- "--chown root:icingaweb2"
- "--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx"
- "--chown=root:icingaweb2"
- name: enable icingaweb2 monitoring plugin
- name: 'create enabledModules folder'
file:
path: '/etc/icingaweb2/enabledModules/'
state: 'directory'
owner: 'root'
group: 'icingaweb2'
mode: '0770'
- name: 'enable IcingaWeb2 monitoring plugin'
file:
src: '/usr/share/icingaweb2/modules/monitoring'
dest: '/etc/icingaweb2/enabledModules/monitoring'
state: link
state: 'link'
- name:
command: grep -Po 'password = "\K.*?(?=")' /etc/icinga2/features-available/ido-pgsql.conf
register: icinga2_password
changed_when: false
- name: configure icingaweb2 resources
- name: 'configure IcingaWeb2 (templates)'
template:
src: icingaweb2/resources.ini.j2
dest: /etc/icingaweb2/resources.ini
owner: root
group: icingaweb2
mode: 0640
- name: create icinga2 hosts directory
file:
path: "{{ item }}"
state: directory
owner: icinga2
group: icinga2
mode: 0770
with_items:
- /etc/icinga2/conf.d/hosts/
src: 'icingaweb2/{{ item }}.j2'
dest: '/etc/icingaweb2/{{ item }}'
owner: 'root'
group: 'icingaweb2'
mode: '0660'
loop:
- 'resources.ini'
- 'authentication.ini'
- 'groups.ini'
- name: add nginx configurations
template:
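Review bot: The generated LDAP service password is consumed by the `configure IcingaWeb2 (templates)` task (through `new_passwd.passwd` in resources.ini.j2), but only the `LDAP | generate client service password` and `LDAP | set client service password on server` tasks carry the `service_password` tag, so a run with `--tags service_password` rotates the credential in LDAP without re-rendering resources.ini, and a run with `--skip-tags service_password` leaves `new_passwd` undefined and the template task fails. Either add `- 'service_password'` to the templates task's tags or drop the tag from the two LDAP tasks. Since `gen_passwd` runs unconditionally, a comment above it such as `# NOTE: rotates the LDAP service credential on every play run; keep in step with the templates task` would make the coupling explicit. The grep task with the empty `- name:` that registers `icinga2_password` appears to have no remaining consumer, as the new side of resources.ini.j2 switches the IDO resource to socket peer auth as `www-data`; if so it can be removed. This hunk starts inside an earlier task and ends inside the `add nginx configurations` task.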


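--- a/roles/icinga2/templates/icingaweb2/authentication.ini.j2
+++ b/roles/icinga2/templates/icingaweb2/authentication.ini.j2
@@ -0,0 +1,7 @@
+[ldap-user-auth]
+user_class = "inetOrgPerson"
+filter = "authorizedService=icinga2"
+user_name_attribute = "cn"
+backend = "ldap"
+base_dn = "ou=People,{{ ldap_basedn }}"
+resource = "icingaweb2-users-ldap"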
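Review bot: The template carries no comment on the access-control boundary it implements: `filter = "authorizedService=icinga2"` is what restricts Icinga Web 2 logins to directory entries carrying that attribute value, and nothing here tells a future editor that removing the filter widens login to every `inetOrgPerson` under the base DN. A header such as `; managed by Ansible (roles/icinga2); only entries with authorizedService=icinga2 under ou=People may log in` would record that. The move from `o=People` in the deleted static authentication.ini to `ou=People,{{ ldap_basedn }}` is presumably intentional; if the directory still uses `o=People`, every login will fail with an empty search result rather than an obvious error.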

roles/icinga2/files/icingaweb2/groups.ini → roles/icinga2/templates/icingaweb2/groups.ini.j2 View File


+ 21
- 10
roles/icinga2/templates/icingaweb2/resources.ini.j2 View File

@ -1,19 +1,30 @@
[icingaweb_ldap]
[icingaweb2-users-ldap]
type = "ldap"
hostname = "ldap.dmz.lilik"
hostname = "{{ ldap_server }}"
port = "389"
encryption = "none"
root_dn = "dc=lilik,dc=it"
bind_dn = ""
bind_pw = ""
encryption = "starttls"
root_dn = "{{ ldap_basedn }}"
bind_dn = "cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}"
bind_pw = "{{ new_passwd.passwd }}"
[icinga_ido]
[icingaweb2-ido-pgsql]
type = "db"
db = "pgsql"
host = "localhost"
host = "/var/run/postgresql"
port = "5432"
dbname = "icinga2"
username = "icinga2"
password = "{{ icinga2_password.stdout}}"
username = "www-data"
password = ""
charset = ""
persistent = "0"
[icingaweb2-config-pgsql]
type = "db"
db = "pgsql"
host = "/var/run/postgresql"
port = "5432"
dbname = "icingaweb2"
username = "www-data"
password = ""
charset = ""
persistent = "0"
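Review bot: `encryption = "starttls"` is hard-coded in `[icingaweb2-users-ldap]` while the controller-side `ldap_passwd` task uses `start_tls: '{{ ldap_tls_enabled }}'` and /etc/ldap/ldap.conf (with the CA pin) is only installed when that variable is true, so two clients of the same setting disagree; keeping STARTTLS unconditional here is the safer choice, but then the `ldap_passwd` task should stop honouring the variable too, or a comment should record that `ldap_tls_enabled` does not affect Icinga Web 2. `bind_pw = "{{ new_passwd.passwd }}"` is substituted verbatim into a double-quoted INI value, so a generated password containing `"` or `\` would corrupt the file; this is fine only if `gen_passwd` emits a restricted alphabet, which is not visible here. The `[icingaweb2-ido-pgsql]` and `[icingaweb2-config-pgsql]` resources now connect over the unix socket as `www-data` with an empty password, which presumably relies on peer authentication in pg_hba.conf; a comment naming that dependency would help the next maintainer.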
