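---
# Icinga2 + IcingaWeb2 host tasks: preseed and install the IDO (PostgreSQL)
# backend, ship the local icinga2 configuration, provision the SSH CA material
# used by the nagios user, then install and configure IcingaWeb2 behind nginx
# and register the web UI with monitoring.

# ***** Icinga2 *****

- name: 'PGSQL | preseed IDO debconf variables'
  # When icinga2-ido-pgsql is installed for the first time:
  # - db `icinga2` is automatically created as `postgres` user
  # - user `nagios` for socket authentication is created
  # - user `nagios` is granted privileges on db `icinga2`
  # - db `icinga2` is populated with DB IDO schema
  # - pgsql is enabled as default DB IDO
  # Each loop item is [debconf question suffix, vtype, value].
  debconf:
    name: 'icinga2-ido-pgsql'
    question: 'icinga2-ido-pgsql/{{ item[0] }}'
    vtype: '{{ item[1] }}'
    value: '{{ item[2] }}'
  loop:
    - ['dbconfig-install', 'boolean', 'true']
    - ['enable', 'boolean', 'true']
    - ['pgsql/authmethod-user', 'string', 'ident']
    - ['pgsql/authmethod-admin', 'string', 'ident']
    - ['pgsql/method', 'string', 'Unix socket']
    - ['db/dbname', 'string', 'icinga2']
    - ['db/app-user', 'string', 'nagios']
    - ['dbconfig-reinstall', 'boolean', 'true']

- name: 'create icinga2 service role'
  # Package installation is delegated to the shared 'service' role.
  include_role:
    name: 'service'
  vars:
    service_name: 'icinga2'
    service_packages:
      - 'icinga2'
      - 'icingacli'
      - 'icinga2-ido-pgsql'
      - 'monitoring-plugins'
      - 'nagios-plugins-contrib'

- name: 'create directory for hosts configuration'
  file:
    path: '/etc/icinga2/conf.d/hosts/'
    state: 'directory'
    owner: 'nagios'
    group: 'nagios'
    mode: '0770'

- name: 'customize icinga2 host conf.d'
  copy:
    src: 'icinga2/{{ item }}'
    dest: '/etc/icinga2/conf.d/{{ item }}'
  notify: 'reload icinga2'
  loop:
    - 'templates.conf'
    - 'services.conf'
    - 'apt.conf'

- name: 'disable local host conf.d'
  # The packaged hosts.conf is removed; host definitions are expected under
  # the conf.d/hosts/ directory created above.
  file:
    path: '/etc/icinga2/conf.d/hosts.conf'
    state: 'absent'
  notify: 'reload icinga2'

- name: 'create icinga2 ssh config dir'
  file:
    path: '/var/lib/nagios/.ssh'
    owner: 'nagios'
    group: 'nagios'
    mode: '0700'
    state: 'directory'
  tags:
    - 'ssh_certs'

- name: 'upload user ssh ca'
  # Public key(s) of the SSH user CA, one per line.
  copy:
    content: |
      {% for ca in ssh_user_ca %}
      {{ ca }}
      {% endfor %}
    dest: '/var/lib/nagios/.ssh/user_ca.pub'
  tags:
    - 'ssh_certs'

- name: 'upload host ssh ca'
  # known_hosts trusts host certificates signed by the server CA for any host
  # matching *.dmz.<domain> instead of pinning individual host keys.
  copy:
    content: |
      {% for ca in ssh_server_ca %}
      @cert-authority *.dmz.{{ domain }} {{ ca }}
      {% endfor %}
    dest: '/var/lib/nagios/.ssh/known_hosts'
    owner: 'nagios'
    group: 'nagios'
  tags:
    - 'ssh_certs'

- name: 'generate and sign ssh user cert for icinga'
  import_role:
    name: 'ca_cert'
  vars:
    ca_cert_common_name: 'icinga'
    ca_cert_proto: 'ssh'
    ca_cert_client: true
    ca_cert_ssh_ca_path: '/var/lib/nagios/.ssh/user_ca.pub'
    ca_cert_ssh_key_path: '/var/lib/nagios/.ssh/id_ed25519'
  tags:
    - 'ssh_certs'

- name: 'set private key ownership'
  # The key is used by the nagios user only; mode 0600 is enforced explicitly
  # because ssh refuses private keys that are group/world readable.
  file:
    path: '/var/lib/nagios/.ssh/id_ed25519'
    owner: 'nagios'
    group: 'nagios'
    mode: '0600'
  tags:
    - 'ssh_certs'

# ***** IcingaWeb2 *****

- name: 'PGSQL | IcingaWeb2 tunings'
  # Runs as the postgres user via su. The web user (www-data) gets its own
  # preference DB and read-only access to the IDO DB 'icinga2'.
  block:
    - name: 'PGSQL | create IcingaWeb2 user preference DB'
      postgresql_db:
        name: 'icingaweb2'
      register: icingaweb2_db

    - name: 'PGSQL | create IcingaWeb2 socket authentication user'
      postgresql_user:
        db: 'icingaweb2'
        name: 'www-data'
        priv: 'ALL'

    - name: 'PGSQL | GRANT CONNECT to IDO'
      postgresql_privs:
        db: 'icinga2'
        privs: 'CONNECT'
        type: 'database'
        role: 'www-data'

    - name: 'PGSQL | GRANT SCHEMA USAGE on IDO'
      postgresql_privs:
        db: 'icinga2'
        privs: 'USAGE'
        type: 'schema'
        objs: 'public'
        role: 'www-data'

    - name: 'PGSQL | GRANT SELECT on all IDO tables (existing)'
      postgresql_privs:
        db: 'icinga2'
        privs: 'SELECT'
        type: 'table'
        schema: 'public'
        objs: 'ALL_IN_SCHEMA'
        role: 'www-data'

    - name: 'PGSQL | GRANT SELECT on all IDO tables (default privilege)'
      # Covers tables created later by nagios (the IDO app user).
      postgresql_privs:
        db: 'icinga2'
        privs: 'SELECT'
        type: 'default_privs'
        schema: 'public'
        objs: 'TABLES'
        role: 'www-data'
        target_roles: 'nagios'
  become: true
  become_method: 'su'
  become_user: 'postgres'

- name: 'install IcingaWeb2 packages'
  apt:
    pkg:
      - 'icingaweb2'
      - 'icingaweb2-module-monitoring'
      - 'php-ldap'
      - 'php-pgsql'
      - 'php-intl'
      - 'php-imagick'
      - 'php-fpm'
      - 'rsync'
    state: 'present'
    update_cache: true
    cache_valid_time: 3600
  tags:
    - 'packages'

- name: 'PGSQL | populate IcingaWeb2 user preference DB'
  # The schema is loaded only when the DB was just created (icingaweb2_db is
  # registered in the block above). ON_ERROR_STOP turns any SQL error into a
  # non-zero psql exit so a partially applied schema fails the play instead of
  # being silently accepted.
  command: >-
    psql -v ON_ERROR_STOP=1 -d icingaweb2
    -f /usr/share/icingaweb2/etc/schema/pgsql.schema.sql
  become: true
  become_method: 'su'
  become_flags: '-p'
  become_user: 'www-data'
  when: icingaweb2_db is changed

- name: 'LDAP | upload client root ca'
  copy:
    content: '{{ ldap_tls_server_ca }}'
    dest: '/etc/ldap/server_ca.crt'
  tags:
    - 'tls_int'

- name: 'LDAP | configure client'
  copy:
    src: 'ldap.conf'
    dest: '/etc/ldap/ldap.conf'
  when: ldap_tls_enabled

- name: 'LDAP | generate client service password'
  # no_log keeps the generated secret out of the play output.
  gen_passwd:
    length: 32
  register: 'icingaweb2_ldap_passwd'
  no_log: true
  tags:
    - 'service_password'

- name: 'LDAP | set client service password on server'
  # Runs from the controller against the LDAP server with the admin bind.
  delegate_to: 'localhost'
  ldap_passwd:
    dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'
    passwd: '{{ icingaweb2_ldap_passwd.passwd }}'
    server_uri: 'ldap://{{ ldap_server }}'
    start_tls: '{{ ldap_tls_enabled }}'
    bind_dn: '{{ ldap_admin_dn }}'
    bind_pw: '{{ ldap_admin_pw }}'
  no_log: true
  tags:
    - 'service_password'

- name: 'configure IcingaWeb2 (static files)'
  # Config tree is root:icingaweb2 and not accessible to others.
  synchronize:
    src: 'icingaweb2'
    dest: '/etc'
    rsync_opts:
      - '--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx'
      - '--chown=root:icingaweb2'

- name: 'create enabledModules folder'
  file:
    path: '/etc/icingaweb2/enabledModules/'
    state: 'directory'
    owner: 'root'
    group: 'icingaweb2'
    mode: '0770'

- name: 'enable IcingaWeb2 monitoring plugin'
  file:
    src: '/usr/share/icingaweb2/modules/monitoring'
    dest: '/etc/icingaweb2/enabledModules/monitoring'
    state: 'link'

- name: 'configure IcingaWeb2 (templates)'
  # Rendered ini files are group-readable by icingaweb2 only.
  template:
    src: 'icingaweb2/{{ item }}.j2'
    dest: '/etc/icingaweb2/{{ item }}'
    owner: 'root'
    group: 'icingaweb2'
    mode: '0660'
  loop:
    - 'resources.ini'
    - 'authentication.ini'
    - 'groups.ini'

- name: 'NGINX | configure IcingaWeb2 locations'
  template:
    src: 'icinga.conf'
    dest: '/etc/nginx/locations/{{ icingaweb2_nginx_fqdn }}/service.conf'
  notify:
    - 'reload nginx'

- name: 'MONITORING | add HTTP service'
  # Merge this host's web UI into monitoring_entry, then publish the entry
  # into monitoring_facts on the monitoring host.
  block:
    - name: 'MONITORING | add service to monitoring entry'
      set_fact:
        monitoring_entry: >
          {{ monitoring_entry | default({}) | combine({
            'address': ansible_host,
            'vhosts_uri': {
              icingaweb2_nginx_fqdn: {'/icingaweb2': {'onredirect': 'ok'}}
            },
          }, recursive=true) }}

    - name: 'MONITORING | update monitoring facts'
      set_fact:
        monitoring_facts: >
          {{ hostvars[monitoring_host]['monitoring_facts'] | default({})
             | combine({host_fqdn: monitoring_entry}) }}
      delegate_facts: true
      delegate_to: '{{ monitoring_host }}'
  tags:
    - 'monitoring'
...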