diff --git a/roles/icinga2/defaults/main.yaml b/roles/icinga2/defaults/main.yaml
new file mode 100644
index 0000000..73d48fa
--- /dev/null
+++ b/roles/icinga2/defaults/main.yaml
@@ -0,0 +1,6 @@
+---
+server_fqdn: '{{ ansible_hostname }}.{{ domain }}'
+ldap_server: 'ldap1.dmz.{{ domain }}'
+ldap_basedn: 'dc={{ domain.replace(".", ",dc=") }}'
+ldap_tls_enabled: true
+...
diff --git a/roles/icinga2/files/icingaweb2/authentication.ini b/roles/icinga2/files/icingaweb2/authentication.ini
deleted file mode 100644
index 7ab72a3..0000000
--- a/roles/icinga2/files/icingaweb2/authentication.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[icingaweb2]
-user_class = "inetOrgPerson"
-filter = ""
-user_name_attribute = "uid"
-backend = "ldap"
-base_dn = "o=People,dc=lilik,dc=it"
-resource = "icingaweb_ldap"
diff --git a/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini b/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
index 702a1a4..bb6fc43 100644
--- a/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
+++ b/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
@@ -1,3 +1,3 @@
-[icinga]
+[icinga2]
 type = "ido"
-resource = "icinga_ido"
+resource = "icingaweb2-ido-pgsql"
diff --git a/roles/icinga2/files/ldap.conf b/roles/icinga2/files/ldap.conf
new file mode 100644
index 0000000..545c25f
--- /dev/null
+++ b/roles/icinga2/files/ldap.conf
@@ -0,0 +1,22 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT /etc/ldap/root_ca.crt
+#TLS_CERT /etc/ldap/ldap.crt
+#TLS_KEY /etc/ldap/ldap.key
+
+# TLSv1.3 Only
+TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3
+
diff --git a/roles/icinga2/tasks/main.yaml b/roles/icinga2/tasks/main.yaml
index fc26e45..87299fb 100644
--- a/roles/icinga2/tasks/main.yaml
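Review bot: The new defaults leave `ldap_admin_dn`, `ldap_admin_pw` and `tls_root_ca` — all consumed by the tasks this commit adds in tasks/main.yaml — undeclared, so a host with no inventory value for them fails only when the `ldap_passwd` task runs, partway through the play. A short header comment would make that contract visible: `# Required from inventory/vault, deliberately no default: ldap_admin_dn, ldap_admin_pw, tls_root_ca`. `ldap_basedn` is derived with a plain `replace`, which is fine for dotted hostnames but yields an invalid DN if `domain` ever carries characters that need DN escaping; a one-line comment stating that assumption would help the next reader.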
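Review bot: `TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3` is GnuTLS priority-string syntax, so the TLS 1.3 floor only holds where libldap is built against GnuTLS; with an OpenSSL-linked libldap the directive is read as an OpenSSL cipher list and the intended version floor is presumably not enforced. `TLS_PROTOCOL_MIN 3.4` expresses the same floor independently of the TLS library and can sit next to the existing line. Consider also spelling out `TLS_REQCERT demand` rather than relying on the library default, since the point of shipping `root_ca.crt` is that the server certificate is verified. Note that tasks/main.yaml installs this file only when `ldap_tls_enabled` is true while the CA file itself is copied unconditionally, so the two halves of the TLS setup can drift apart.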
+++ b/roles/icinga2/tasks/main.yaml 
@@ -64,43 +64,78 @@ register: icinga2_features changed_when: "'Enabling' in icinga2_features.stdout" notify: restart icinga2 +- name: 'LDAP | upload client root ca' + copy: + content: '{{ tls_root_ca }}' + dest: '/etc/ldap/root_ca.crt' + tags: + - 'tls_int' -- name: copy icingaweb2 configuration +- name: 'LDAP | configure client' + copy: + src: 'ldap.conf' + dest: '/etc/ldap/ldap.conf' + when: ldap_tls_enabled + +- name: 'LDAP | generate client service password' + gen_passwd: 'length=32' + register: 'new_passwd' + no_log: true + tags: + - 'service_password' + +- name: 'LDAP | set client service password on server' + delegate_to: 'localhost' + ldap_passwd: + dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}' + passwd: '{{ new_passwd.passwd }}' + server_uri: 'ldap://{{ ldap_server }}' + start_tls: '{{ ldap_tls_enabled }}' + bind_dn: '{{ ldap_admin_dn }}' + bind_pw: '{{ ldap_admin_pw }}' + no_log: true + tags: + - 'service_password' + + +- name: 'configure IcingaWeb2 (static files)' synchronize: - src: icingaweb2 - dest: /etc + src: 'icingaweb2' + dest: '/etc' rsync_opts: - - "--chmod Du=rwx,Dg=rwx,Do=,Fu=rw,Fg=rw,Fo= " - - "--chown root:icingaweb2" + - "--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx" + - "--chown=root:icingaweb2" -- name: enable icingaweb2 monitoring plugin +- name: 'create enabledModules folder' + file: + path: '/etc/icingaweb2/enabledModules/' + state: 'directory' + owner: 'root' + group: 'icingaweb2' + mode: '0770' + +- name: 'enable IcingaWeb2 monitoring plugin' file: src: '/usr/share/icingaweb2/modules/monitoring' dest: '/etc/icingaweb2/enabledModules/monitoring' - state: link + state: 'link' - name: command: grep -Po 'password = "\K.*?(?=")' /etc/icinga2/features-available/ido-pgsql.conf register: icinga2_password changed_when: false -- name: configure icingaweb2 resources +- name: 'configure IcingaWeb2 (templates)' template: - src: icingaweb2/resources.ini.j2 - dest: /etc/icingaweb2/resources.ini - owner: root - group: icingaweb2 - 
mode: 0640 - -- name: create icinga2 hosts directory - file: - path: "{{ item }}" - state: directory - owner: icinga2 - group: icinga2 - mode: 0770 - with_items: - - /etc/icinga2/conf.d/hosts/ + src: 'icingaweb2/{{ item }}.j2' + dest: '/etc/icingaweb2/{{ item }}' + owner: 'root' + group: 'icingaweb2' + mode: '0660' + loop: + - 'resources.ini' + - 'authentication.ini' + - 'groups.ini' - name: add nginx configurations template:
diff --git a/roles/icinga2/templates/icingaweb2/authentication.ini.j2 b/roles/icinga2/templates/icingaweb2/authentication.ini.j2
new file mode 100644
index 0000000..b8db82d
--- /dev/null
+++ b/roles/icinga2/templates/icingaweb2/authentication.ini.j2
@@ -0,0 +1,7 @@
+[ldap-user-auth]
+user_class = "inetOrgPerson"
+filter = "authorizedService=icinga2"
+user_name_attribute = "cn"
+backend = "ldap"
+base_dn = "ou=People,{{ ldap_basedn }}"
+resource = "icingaweb2-users-ldap"
diff --git a/roles/icinga2/files/icingaweb2/groups.ini b/roles/icinga2/templates/icingaweb2/groups.ini.j2
similarity index 56%
rename from roles/icinga2/files/icingaweb2/groups.ini
rename to roles/icinga2/templates/icingaweb2/groups.ini.j2
index 1940cb8..28674ea 100644
--- a/roles/icinga2/files/icingaweb2/groups.ini
+++ b/roles/icinga2/templates/icingaweb2/groups.ini.j2
@@ -1,9 +1,10 @@
 [icingaweb2]
-resource = "icingaweb_ldap"
-user_backend = "icingaweb2"
+backend = "ldap"
+resource = "icingaweb2-users-ldap"
+user_backend = "ldap-user-auth"
 group_class = "groupofnames"
 group_filter = ""
 group_name_attribute = "cn"
 group_member_attribute = "member"
-base_dn = "o=Group,dc=lilik,dc=it"
-backend = "ldap"
+base_dn = "ou=Group,{{ ldap_basedn }}"
+
diff --git a/roles/icinga2/templates/icingaweb2/resources.ini.j2 b/roles/icinga2/templates/icingaweb2/resources.ini.j2
index 6fb7bce..e65ac14 100644
--- a/roles/icinga2/templates/icingaweb2/resources.ini.j2
+++ b/roles/icinga2/templates/icingaweb2/resources.ini.j2
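Review bot: The `configure IcingaWeb2 (templates)` task renders `new_passwd.passwd` into resources.ini but, unlike the two `service_password` tasks, carries no `no_log`, so running the play with `--diff` prints the freshly generated LDAP bind password on the controller; add `no_log: true` (or at minimum `diff: false`) to that task. `gen_passwd` also runs unconditionally, so every play rotates the service password and rewrites resources.ini — if that is intended, a comment such as `# password is regenerated on every run; the task is never idempotent by design` would stop the next reader from treating the permanent `changed` as a bug. `mode: '0660'` widens resources.ini from the previous `0640` to group-writable for every member of `icingaweb2`; if the web UI's config writer needs that, say so in a comment, otherwise keep `0640` for the one file that carries the bind password. The unnamed `grep -Po 'password = ...'` task registering `icinga2_password` is left as context here but loses its only consumer once resources.ini.j2 stops referencing it in this same commit, and it captures the IDO database password into play output without `no_log`; remove it.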
@@ -1,19 +1,30 @@
-[icingaweb_ldap]
+[icingaweb2-users-ldap]
 type = "ldap"
-hostname = "ldap.dmz.lilik"
+hostname = "{{ ldap_server }}"
 port = "389"
-encryption = "none"
-root_dn = "dc=lilik,dc=it"
-bind_dn = ""
-bind_pw = ""
+encryption = "starttls"
+root_dn = "{{ ldap_basedn }}"
+bind_dn = "cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}"
+bind_pw = "{{ new_passwd.passwd }}"
 
-[icinga_ido]
+[icingaweb2-ido-pgsql]
 type = "db"
 db = "pgsql"
-host = "localhost"
+host = "/var/run/postgresql"
 port = "5432"
 dbname = "icinga2"
-username = "icinga2"
-password = "{{ icinga2_password.stdout}}"
+username = "www-data"
+password = ""
+charset = ""
+persistent = "0"
+
+[icingaweb2-config-pgsql]
+type = "db"
+db = "pgsql"
+host = "/var/run/postgresql"
+port = "5432"
+dbname = "icingaweb2"
+username = "www-data"
+password = ""
 charset = ""
 persistent = "0"
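Review bot: `encryption = "starttls"` is hard-coded while the rest of this commit gates TLS on `ldap_tls_enabled` (the `ldap.conf` copy in tasks/main.yaml and the `start_tls` argument of `ldap_passwd`), so with the flag set to false Icinga Web 2 still negotiates STARTTLS but without the `TLS_CACERT` that only ldap.conf provides, and the connection presumably fails certificate verification. Either drop the flag or template this line as well, e.g. `encryption = "{{ 'starttls' if ldap_tls_enabled else 'none' }}"`, keeping the secure default of true from defaults/main.yaml. Both pgsql resources switch to the `/var/run/postgresql` socket with `username = "www-data"` and an empty password, which only works if pg_hba.conf grants peer authentication to that OS user; a `; peer auth over the local socket, no password by design` comment on each section would record that dependency. `bind_pw` is now rendered from `new_passwd`, which is registered earlier in the same play, so this template can no longer be applied with a tag selection that skips the `service_password` tasks.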