From a273bcf6c6e71df6cd1f16b67fb05c4f53b6b68d Mon Sep 17 00:00:00 2001
From: Andrea Cimbalo
Date: Sun, 18 Jun 2017 19:48:29 +0200
Subject: [PATCH] add icinga2
---
 all.yaml | 1 +
 .../files/icingaweb2/authentication.ini | 7 ++
 roles/icinga2/files/icingaweb2/config.ini | 9 ++
 roles/icinga2/files/icingaweb2/groups.ini | 9 ++
 .../modules/monitoring/backends.ini | 3 +
 .../modules/monitoring/commandtransports.ini | 3 +
 .../icingaweb2/modules/monitoring/config.ini | 2 +
 roles/icinga2/files/icingaweb2/roles.ini | 3 +
 roles/icinga2/meta/main.yaml | 6 ++
 roles/icinga2/tasks/main.yaml | 92 +++++++++++++++++++
 roles/icinga2/templates/icinga2.conf.nginx.j2 | 21 +++++
 .../templates/icingaweb2/resources.ini.j2 | 19 ++++
 status.yaml | 13 +++
 13 files changed, 188 insertions(+)
 create mode 100644 roles/icinga2/files/icingaweb2/authentication.ini
 create mode 100644 roles/icinga2/files/icingaweb2/config.ini
 create mode 100644 roles/icinga2/files/icingaweb2/groups.ini
 create mode 100644 roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
 create mode 100644 roles/icinga2/files/icingaweb2/modules/monitoring/commandtransports.ini
 create mode 100644 roles/icinga2/files/icingaweb2/modules/monitoring/config.ini
 create mode 100644 roles/icinga2/files/icingaweb2/roles.ini
 create mode 100644 roles/icinga2/meta/main.yaml
 create mode 100644 roles/icinga2/tasks/main.yaml
 create mode 100644 roles/icinga2/templates/icinga2.conf.nginx.j2
 create mode 100644 roles/icinga2/templates/icingaweb2/resources.ini.j2
 create mode 100644 status.yaml
diff --git a/all.yaml b/all.yaml
index 3acf6f3..649155e 100644
--- a/all.yaml
+++ b/all.yaml
@@ -4,6 +4,7 @@
 - include: login.yaml
 - include: mail.yaml
 - include: projects.yaml
+- include: status.yaml
 - include: users.yaml
 - include: webmail.yaml
 - include: wiki.yaml
diff --git a/roles/icinga2/files/icingaweb2/authentication.ini b/roles/icinga2/files/icingaweb2/authentication.ini
new file mode 100644
index 0000000..7ab72a3
--- /dev/null
+++ b/roles/icinga2/files/icingaweb2/authentication.ini
@@ -0,0 +1,7 @@
+[icingaweb2]
+user_class = "inetOrgPerson"
+filter = ""
+user_name_attribute = "uid"
+backend = "ldap"
+base_dn = "o=People,dc=lilik,dc=it"
+resource = "icingaweb_ldap"
diff --git a/roles/icinga2/files/icingaweb2/config.ini b/roles/icinga2/files/icingaweb2/config.ini
new file mode 100644
index 0000000..5ea96a2
--- /dev/null
+++ b/roles/icinga2/files/icingaweb2/config.ini
@@ -0,0 +1,9 @@
+[global]
+show_stacktraces = "1"
+config_backend = "ini"
+
+[logging]
+log = "syslog"
+level = "ERROR"
+application = "icingaweb2"
+facility = "user"
diff --git a/roles/icinga2/files/icingaweb2/groups.ini b/roles/icinga2/files/icingaweb2/groups.ini
new file mode 100644
index 0000000..1940cb8
--- /dev/null
+++ b/roles/icinga2/files/icingaweb2/groups.ini
@@ -0,0 +1,9 @@
+[icingaweb2]
+resource = "icingaweb_ldap"
+user_backend = "icingaweb2"
+group_class = "groupofnames"
+group_filter = ""
+group_name_attribute = "cn"
+group_member_attribute = "member"
+base_dn = "o=Group,dc=lilik,dc=it"
+backend = "ldap"
diff --git a/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini b/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
new file mode 100644
index 0000000..702a1a4
--- /dev/null
+++ b/roles/icinga2/files/icingaweb2/modules/monitoring/backends.ini
@@ -0,0 +1,3 @@
+[icinga]
+type = "ido"
+resource = "icinga_ido"
diff --git a/roles/icinga2/files/icingaweb2/modules/monitoring/commandtransports.ini b/roles/icinga2/files/icingaweb2/modules/monitoring/commandtransports.ini
new file mode 100644
index 0000000..3d5d591
--- /dev/null
+++ b/roles/icinga2/files/icingaweb2/modules/monitoring/commandtransports.ini
@@ -0,0 +1,3 @@
+[icinga2]
+transport = "local"
+path = "/var/run/icinga2/cmd/icinga2.cmd"
diff --git a/roles/icinga2/files/icingaweb2/modules/monitoring/config.ini b/roles/icinga2/files/icingaweb2/modules/monitoring/config.ini
new file mode 100644
index 0000000..9b69fe8
--- /dev/null
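Review bot: `show_stacktraces = "1"` in roles/icinga2/files/icingaweb2/config.ini makes Icinga Web 2 render full stack traces on its error pages, which hands file paths and internal call chains to whoever sees the page. The same file already sends errors to syslog (`log = "syslog"`, `level = "ERROR"`), so the traces are not needed in the browser; I would ship `show_stacktraces = "0"` and turn it on only while debugging.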
+++ b/roles/icinga2/files/icingaweb2/modules/monitoring/config.ini
@@ -0,0 +1,2 @@
+[security]
+protected_customvars = "*pw*,*pass*,community"
diff --git a/roles/icinga2/files/icingaweb2/roles.ini b/roles/icinga2/files/icingaweb2/roles.ini
new file mode 100644
index 0000000..a1bb754
--- /dev/null
+++ b/roles/icinga2/files/icingaweb2/roles.ini
@@ -0,0 +1,3 @@
+[Administrators]
+groups = "admin"
+permissions = "*"
diff --git a/roles/icinga2/meta/main.yaml b/roles/icinga2/meta/main.yaml
new file mode 100644
index 0000000..5a7f47c
--- /dev/null
+++ b/roles/icinga2/meta/main.yaml
@@ -0,0 +1,6 @@
+dependencies:
+ - role: nginx
+ php: true
+ parent_role_path: "icinga2"
+ config_names: "icinga2"
+ - role: postgresql
diff --git a/roles/icinga2/tasks/main.yaml b/roles/icinga2/tasks/main.yaml
new file mode 100644
index 0000000..e5fab84
--- /dev/null
+++ b/roles/icinga2/tasks/main.yaml
@@ -0,0 +1,92 @@
+- name: configure icinga2-ido-pgsql (host)
+ debconf:
+ name: 'icinga2-ido-pgsql'
+ question: 'icinga2-ido-pgsql/remote/host'
+ vtype: 'string'
+ value: 'localhost'
+
+- name: configure icinga2-ido-pgsql (enable)
+ debconf:
+ name: 'icinga2-ido-pgsql'
+ question: 'icinga2-ido-pgsql/enable'
+ vtype: 'boolean'
+ value: true
+
+- name: configure icinga2-ido-pgsql (dbconfig-install)
+ debconf:
+ name: 'icinga2-ido-pgsql'
+ question: 'icinga2-ido-pgsql/dbconfig-install'
+ vtype: 'boolean'
+ value: true
+
+- name: configure icinga2-ido-pgsql (dbconfig-reinstall)
+ debconf:
+ name: 'icinga2-ido-pgsql'
+ question: 'icinga2-ido-pgsql/dbconfig-reinstall'
+ vtype: 'boolean'
+ value: true
+
+
+# - name: nasty dpkg-reconfigure
+# command: "dpkg-reconfigure --frontend noninteractive icinga2-ido-pgsql"
+#
+# - name: configure icinga2-ido-pgsql (dbconfig-reinstall)
+# debconf:
+# name: 'icinga2-ido-pgsql'
+# question: 'icinga2-ido-pgsql/dbconfig-reinstall'
+# vtype: 'boolean'
+# value: false
+
+
+- include_role:
+ name: service
+ vars:
+ service_name: icinga2
+ service_packages:
+ - icinga2-ido-pgsql
+ - monitoring-plugins
+ - nagios-plugins-contrib
+ - icinga2
+ - icingacli
+ - php-ldap
+ - php-pgsql
+ - php-intl
+ - php-imagick
+ - icingaweb2-module-monitoring
+ - icingaweb2
+ # TODO: log, add a centralized log server
+ - rsyslog
+ - rsync
+
+- name: enable ido-pgsql and command features
+ command: "icinga2 feature enable ido-pgsql command"
+ register: icinga2_features
+ changed_when: "'Enabling' in icinga2_features.stdout"
+ notify: restart icinga2
+
+- name: copy icingaweb2 configuration
+ synchronize:
+ src: icingaweb2
+ dest: /etc
+ rsync_opts:
+ - "--chmod Du=rwx,Dg=rwx,Do=,Fu=rw,Fg=rw,Fo= "
+ - "--chown root:icingaweb2"
+
+- name: enable icingaweb2 monitoring plugin
+ file:
+ src: '/usr/share/icingaweb2/modules/monitoring'
+ dest: '/etc/icingaweb2/enabledModules/monitoring'
+ state: link
+
+- name:
+ command: grep -Po 'password = "\K.*?(?=")' /etc/icinga2/features-available/ido-pgsql.conf
+ register: icinga2_password
+ changed_when: false
+
+- name: configure icingaweb2 resources
+ template:
+ src: icingaweb2/resources.ini.j2
+ dest: /etc/icingaweb2/resources.ini
+ owner: root
+ group: icingaweb2
+ mode: 0640
diff --git a/roles/icinga2/templates/icinga2.conf.nginx.j2 b/roles/icinga2/templates/icinga2.conf.nginx.j2
new file mode 100644
index 0000000..b9ae2d9
--- /dev/null
+++ b/roles/icinga2/templates/icinga2.conf.nginx.j2
@@ -0,0 +1,21 @@
+server {
+ listen 80;
+
+ location = / {
+ return 301 http://$host/icingaweb2;
+ }
+
+ location ~ ^/icingaweb2/index\.php(.*)$ {
+ fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+ fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+ fastcgi_param REMOTE_USER $remote_user;
+ }
+
+ location ~ ^/icingaweb2(.+)? {
+ alias /usr/share/icingaweb2/public;
+ try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+ }
+}
diff --git a/roles/icinga2/templates/icingaweb2/resources.ini.j2 b/roles/icinga2/templates/icingaweb2/resources.ini.j2
new file mode 100644
index 0000000..8534de1
--- /dev/null
+++ b/roles/icinga2/templates/icingaweb2/resources.ini.j2
@@ -0,0 +1,19 @@
+[icingaweb_ldap]
+type = "ldap"
+hostname = "ldap.lilik.dmz"
+port = "389"
+encryption = "none"
+root_dn = "dc=lilik,dc=it"
+bind_dn = ""
+bind_pw = ""
+
+[icinga_ido]
+type = "db"
+db = "pgsql"
+host = "localhost"
+port = "5432"
+dbname = "icinga2"
+username = "icinga2"
+password = "{{ icinga2_password.stdout}}"
+charset = ""
+persistent = "0"
diff --git a/status.yaml b/status.yaml
new file mode 100644
index 0000000..9aa9dac
--- /dev/null
+++ b/status.yaml
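Review bot: The unnamed task near the end of roles/icinga2/tasks/main.yaml greps the IDO database password into `icinga2_password` without `no_log: true`, so the secret shows up in Ansible's output at higher verbosity and in any callback or log that records task results. Add `no_log: true` to that task (and give it a name such as `- name: read ido-pgsql database password`), and add `no_log: true` to the `configure icingaweb2 resources` template task as well, since a `--diff` run would print the rendered password. Separately, the `--chmod` option in `copy icingaweb2 configuration` leaves directories and files group-writable (`Dg=rwx`, `Fg=rw`) for `icingaweb2`; if that is the group the PHP process runs under (not visible in this patch), the web application can rewrite its own `roles.ini`, and `Dg=rx,Fg=r` would be enough for configuration that is managed from Ansible.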
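Review bot: The server block in roles/icinga2/templates/icinga2.conf.nginx.j2 only has `listen 80;` and its root redirect hard-codes `http://$host/icingaweb2`, so the Icinga Web 2 login form, which takes LDAP passwords, is served without TLS by this host. status.yaml also applies a `reverse_proxy` role, so TLS may terminate in front of this server (that role is not visible in this patch); if it does, the absolute `http://` redirect still sends clients back to plain HTTP and should read `return 301 https://$host/icingaweb2;`. If nothing terminates TLS upstream, this vhost needs its own certificate and a `listen 443 ssl;` server.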
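Review bot: The `[icingaweb_ldap]` resource in roles/icinga2/templates/icingaweb2/resources.ini.j2 sets `encryption = "none"` on port 389, so every Icinga Web 2 login sends the user's LDAP password to ldap.lilik.dmz in cleartext. Icinga Web 2 accepts `encryption = "starttls"` on the same port, or `encryption = "ldaps"` with `port = "636"`; either one needs the directory's CA to be trusted on this host. The empty `bind_dn` and `bind_pw` also mean that user and group lookups rely on anonymous binds, which deserves a comment in the template if it is intentional.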
@@ -0,0 +1,13 @@
+- hosts: biff
+ roles:
+ - role: lxc_guest
+ vm_name: status
+ distro: stretch
+ - role: ssh_server
+ ansible_connection: lxc_ssh
+ ansible_docker_extra_args: status
+- hosts: status
+ roles:
+ - role: dns_record
+ - role: icinga2
+ - role: reverse_proxy