
roles/icinga2: improve pgsql configuration

- (Icinga2) Preseed correctly all the debconf variables to have IDO db created
  and populated by `icinga2-ido-pgsql` deb installation script.

- (IcingaWeb2) Use a different user, `www-data`, with lower
  privileges, to access the IDO db in read-only mode.

- Use socket (local ident) authentication to PostgreSQL everywhere, so that
  no local service password is needed.
Zolfa 4 years ago
parent
commit
ab52b48078
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
1 changed files with 61 additions and 38 deletions
  1. +61
    -38
      roles/icinga2/tasks/main.yaml

roles/icinga2/tasks/main.yaml

@ -1,31 +1,27 @@
---
- name: configure icinga2-ido-pgsql (host)
# ***** Icinga2 *****
- name: 'PGSQL | preseed IDO debconf variables'
# When icinga2-ido-pgsql is installed for the first time:
# - db `icinga2` is automatically created as `postgres` user
# - user `nagios` for socket authentication is created
# - user `nagios` is granted privilegies on db `icinga2`
# - db `icinga2` is populated with DB IDO schema
# - pgsql is enabled as default DB IDO
debconf:
name: 'icinga2-ido-pgsql'
question: 'icinga2-ido-pgsql/remote/host'
vtype: 'string'
value: 'localhost'
- name: configure icinga2-ido-pgsql (enable)
debconf:
name: 'icinga2-ido-pgsql'
question: 'icinga2-ido-pgsql/enable'
vtype: 'boolean'
value: true
- name: configure icinga2-ido-pgsql (dbconfig-install)
debconf:
name: 'icinga2-ido-pgsql'
question: 'icinga2-ido-pgsql/dbconfig-install'
vtype: 'boolean'
value: true
question: 'icinga2-ido-pgsql/{{ item[0] }}'
vtype: '{{ item[1] }}'
value: '{{ item[2] }}'
loop:
- [ 'dbconfig-install', 'boolean', 'true' ]
- [ 'enable', 'boolean', 'true' ]
- [ 'pgsql/authmethod-user', 'string', 'ident' ]
- [ 'pgsql/authmethod-admin', 'string', 'ident' ]
- [ 'pgsql/method', 'string', 'Unix socket' ]
- [ 'db/dbname', 'string', 'icinga2' ]
- [ 'db/app-user', 'string', 'nagios' ]
- [ 'dbconfig-reinstall', 'boolean', 'true' ]
- name: configure icinga2-ido-pgsql (dbconfig-reinstall)
debconf:
name: 'icinga2-ido-pgsql'
question: 'icinga2-ido-pgsql/dbconfig-reinstall'
vtype: 'boolean'
value: true
- name: 'create icinga2 service role'
include_role: name='service'
vars:
@ -37,16 +33,48 @@
- 'monitoring-plugins'
- 'nagios-plugins-contrib'
# ***** IcingaWeb2 *****
- name: 'PGSQL | IcingaWeb2 tunings'
block:
- name: 'PGSQL | create IcingaWeb2 socket authentication user'
postgresql_user:
name: 'www-data'
priv: 'ALL'
- name: 'PGSQL | GRANT CONNECT to IDO'
postgresql_privs:
db: 'icinga2'
privs: 'CONNECT'
type: 'database'
role: 'www-data'
- name: 'PGSQL | GRANT SCHEMA USAGE on IDO'
postgresql_privs:
db: 'icinga2'
privs: 'USAGE'
type: 'schema'
objs: 'public'
role: 'www-data'
- name: 'PGSQL | GRANT SELECT on all IDO tables (existing)'
postgresql_privs:
db: 'icinga2'
privs: 'SELECT'
type: 'table'
schema: 'public'
objs: 'ALL_IN_SCHEMA'
role: 'www-data'
- name: 'PGSQL | GRANT SELECT on all IDO tables (default privilege)'
postgresql_privs:
db: 'icinga2'
privs: 'SELECT'
type: 'default_privs'
schema: 'public'
objs: 'TABLES'
role: 'www-data'
target_roles: 'nagios'
become: true
become_method: 'su'
become_user: 'postgres'
# - name: nasty dpkg-reconfigure
# command: "dpkg-reconfigure --frontend noninteractive icinga2-ido-pgsql"
#
# - name: configure icinga2-ido-pgsql (dbconfig-reinstall)
# debconf:
# name: 'icinga2-ido-pgsql'
# question: 'icinga2-ido-pgsql/dbconfig-reinstall'
# vtype: 'boolean'
# value: false
- name: 'install IcingaWeb2 packages'
apt:
pkg:
@ -121,11 +149,6 @@
dest: '/etc/icingaweb2/enabledModules/monitoring'
state: 'link'
- name:
command: grep -Po 'password = "\K.*?(?=")' /etc/icinga2/features-available/ido-pgsql.conf
register: icinga2_password
changed_when: false
- name: 'configure IcingaWeb2 (templates)'
template:
src: 'icingaweb2/{{ item }}.j2'
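Review bot: `priv: 'ALL'` on the `postgresql_user` task that creates `www-data` contradicts the read-only intent stated in the commit message; the explicit CONNECT, USAGE and SELECT grants that follow already give the role everything IcingaWeb2 needs, so drop the `priv: 'ALL'` line (the module also expects a `db:` argument when `priv` is set, so the line may be rejected or ignored anyway). In the debconf loop `dbconfig-reinstall` is left at `'true'`; if that answer stays in the debconf database, a later reconfigure or upgrade of `icinga2-ido-pgsql` may re-run the database install and drop the existing IDO data, which is presumably what the commented-out task resetting it to `false` was meant to prevent after the package install. The commented-out `dpkg-reconfigure` and `dbconfig-reinstall` block should be either restored as a real task or removed rather than kept as dead text. With socket authentication there should no longer be a password in `ido-pgsql.conf` to extract, so the unnamed `grep` task registering `icinga2_password` (context lines at the end of the last hunk) looks obsolete; if it stays, give it a `name:` and `no_log: true` so the registered value is not echoed in task output.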

