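---
# Icinga2 + IcingaWeb2 monitoring host: installs the packages, wires the
# PostgreSQL IDO backend, provisions the SSH and LDAP credentials the checks
# need and registers the host in the monitoring inventory.
#
# Secrets that pass through these tasks (LDAP service password, LDAP admin
# bind password) are hidden from task output with `no_log: true`; keep that
# on any task that touches them.

# ***** Icinga2 *****
- name: 'PGSQL | preseed IDO debconf variables'
  # When icinga2-ido-pgsql is installed for the first time:
  # - db `icinga2` is automatically created as `postgres` user
  # - user `nagios` for socket authentication is created
  # - user `nagios` is granted privileges on db `icinga2`
  # - db `icinga2` is populated with DB IDO schema
  # - pgsql is enabled as default DB IDO
  # debconf answers are strings, hence the quoted 'true' for boolean questions.
  debconf:
    name: 'icinga2-ido-pgsql'
    question: 'icinga2-ido-pgsql/{{ item[0] }}'
    vtype: '{{ item[1] }}'
    value: '{{ item[2] }}'
  loop:
    - ['dbconfig-install', 'boolean', 'true']
    - ['enable', 'boolean', 'true']
    - ['pgsql/authmethod-user', 'string', 'ident']
    - ['pgsql/authmethod-admin', 'string', 'ident']
    - ['pgsql/method', 'string', 'Unix socket']
    - ['db/dbname', 'string', 'icinga2']
    - ['db/app-user', 'string', 'nagios']
    - ['dbconfig-reinstall', 'boolean', 'true']

- name: 'create icinga2 service role'
  include_role:
    name: 'service'
  vars:
    service_name: 'icinga2'
    service_packages:
      - 'icinga2'
      - 'icingacli'
      - 'icinga2-ido-pgsql'
      - 'monitoring-plugins'
      - 'libnet-ldap-perl'
      # - 'nagios-plugins-contrib'

- name: 'install extra monitoring plugins'
  # plugins run as nagios; executable, but not writable by anyone else
  copy:
    src: '{{ item }}'
    dest: '/usr/lib/nagios/plugins/{{ item }}'
    mode: '0755'
    owner: 'nagios'
    group: 'nagios'
  loop:
    - 'check_ldap_syncrepl_status.pl'
    - 'check_backup.sh'

- name: 'create directory for hosts configuration'
  file:
    path: '/etc/icinga2/conf.d/hosts/'
    state: 'directory'
    owner: 'nagios'
    group: 'nagios'
    mode: '0770'

- name: 'customize icinga2 host conf.d'
  copy:
    src: 'icinga2/{{ item }}'
    dest: '/etc/icinga2/conf.d/{{ item }}'
  notify: 'reload icinga2'
  loop:
    - 'templates.conf'
    - 'services.conf'
    - 'apt.conf'
    - 'command-ldapsync.conf'
    - 'command-backup.conf'

- name: 'disable local host conf.d'
  # hosts are managed under conf.d/hosts/ (created above), not in the
  # package-provided hosts.conf
  file:
    path: '/etc/icinga2/conf.d/hosts.conf'
    state: 'absent'
  notify: 'reload icinga2'

- name: 'create icinga2 ssh config dir'
  # the checks ssh out as nagios; the whole .ssh tree is private to that user
  file:
    path: '/var/lib/nagios/.ssh'
    owner: 'nagios'
    group: 'nagios'
    mode: '0700'
    state: 'directory'
  tags:
    - 'ssh_certs'

- name: 'upload user ssh ca'
  # public key(s) of the CA that signs user certificates; owned by nagios
  # like the rest of the .ssh tree (known_hosts below does the same)
  copy:
    content: |
      {% for ca in ssh_user_ca %}
      {{ ca }}
      {% endfor %}
    dest: '/var/lib/nagios/.ssh/user_ca.pub'
    owner: 'nagios'
    group: 'nagios'
  tags:
    - 'ssh_certs'

- name: 'upload host ssh ca'
  # hosts under *.dmz.<domain> are trusted through the host CA rather than
  # through individual host keys
  copy:
    content: |
      {% for ca in ssh_server_ca %}
      @cert-authority *.dmz.{{ domain }} {{ ca }}
      {% endfor %}
    dest: '/var/lib/nagios/.ssh/known_hosts'
    owner: 'nagios'
    group: 'nagios'
  tags:
    - 'ssh_certs'

- name: 'generate and sign ssh user cert for icinga'
  import_role:
    name: 'ca_cert'
  vars:
    ca_cert_common_name: 'icinga'
    ca_cert_proto: 'ssh'
    ca_cert_client: true
    ca_cert_ssh_ca_path: '/var/lib/nagios/.ssh/user_ca.pub'
    ca_cert_ssh_key_path: '/var/lib/nagios/.ssh/id_ed25519'
  tags:
    - 'ssh_certs'

- name: 'set private key ownership'
  # the key is written by the ca_cert role (presumably as root); hand it to
  # nagios and pin the mode so only that user can read it. ssh refuses
  # group/world-readable private keys, so this also keeps the checks working.
  # NOTE(review): the .pub / certificate files the role writes next to it,
  # if any, keep the ownership the role gave them — confirm nagios can read them.
  file:
    path: '/var/lib/nagios/.ssh/id_ed25519'
    owner: 'nagios'
    group: 'nagios'
    mode: '0600'
  tags:
    - 'ssh_certs'

# ***** IcingaWeb2 *****
- name: 'PGSQL | IcingaWeb2 tunings'
  # the whole block runs as the postgres superuser over the local socket
  block:
    - name: 'PGSQL | create IcingaWeb2 user preference DB'
      postgresql_db:
        name: 'icingaweb2'
      register: icingaweb2_db

    - name: 'PGSQL | create IcingaWeb2 socket authentication user'
      # www-data gets no password: access is meant to come over the local
      # socket only (see task name)
      postgresql_user:
        db: 'icingaweb2'
        name: 'www-data'
        priv: 'ALL'

    # read-only access for www-data to the IDO database that icinga2
    # (role nagios) writes
    - name: 'PGSQL | GRANT CONNECT to IDO'
      postgresql_privs:
        db: 'icinga2'
        privs: 'CONNECT'
        type: 'database'
        role: 'www-data'

    - name: 'PGSQL | GRANT SCHEMA USAGE on IDO'
      postgresql_privs:
        db: 'icinga2'
        privs: 'USAGE'
        type: 'schema'
        objs: 'public'
        role: 'www-data'

    - name: 'PGSQL | GRANT SELECT on all IDO tables (existing)'
      postgresql_privs:
        db: 'icinga2'
        privs: 'SELECT'
        type: 'table'
        schema: 'public'
        objs: 'ALL_IN_SCHEMA'
        role: 'www-data'

    - name: 'PGSQL | GRANT SELECT on all IDO tables (default privilege)'
      # tables that nagios creates later (schema upgrades) get SELECT for
      # www-data automatically
      postgresql_privs:
        db: 'icinga2'
        privs: 'SELECT'
        type: 'default_privs'
        schema: 'public'
        objs: 'TABLES'
        role: 'www-data'
        target_roles: 'nagios'
  become: true
  become_method: 'su'
  become_user: 'postgres'

- name: 'install IcingaWeb2 packages'
  apt:
    pkg:
      - 'icingaweb2'
      - 'icingaweb2-module-monitoring'
      - 'php-ldap'
      - 'php-pgsql'
      - 'php-intl'
      - 'php-imagick'
      - 'php-fpm'
      - 'rsync'
    state: 'present'
    update_cache: true
    cache_valid_time: 3600
  tags:
    - 'packages'

- name: 'PGSQL | populate IcingaWeb2 user preference DB'
  # only when the DB was just created (registered above). ON_ERROR_STOP makes
  # psql exit non-zero on the first failing statement instead of reporting
  # success over a partially applied schema.
  command: >-
    psql -d icingaweb2 -v ON_ERROR_STOP=1
    -f /usr/share/icingaweb2/etc/schema/pgsql.schema.sql
  become: true
  become_method: 'su'
  become_flags: '-p'
  become_user: 'www-data'
  when: icingaweb2_db is changed

- name: 'LDAP | upload client root ca'
  copy:
    content: '{{ ldap_tls_server_ca }}'
    dest: '/etc/ldap/server_ca.crt'
  tags:
    - 'tls_int'

- name: 'LDAP | configure client'
  copy:
    src: 'ldap.conf'
    dest: '/etc/ldap/ldap.conf'
  when: ldap_tls_enabled

- name: 'try to read LDAP service password'
  # recover the password already deployed in resources.ini so a re-run does
  # not rotate it. A missing file (first run; sed exits 2) is not a failure.
  # The command only reads, so it never counts as a change.
  command: 'sed -n "s/^bind_pw\s\?=\s\?\"\(.\+\)\"$/\1/p" /etc/icingaweb2/resources.ini'
  register: icingaweb2_read_ldap_passwd
  failed_when: icingaweb2_read_ldap_passwd.rc > 2
  changed_when: false
  no_log: true
  tags:
    - 'service_password'

- name: 'set LDAP service password'
  set_fact:
    icingaweb2_ldap_passwd: '{{ icingaweb2_read_ldap_passwd.stdout | d("") }}'
  no_log: true
  tags:
    - 'service_password'

- name: 'LDAP | provision client service password'
  # generate and publish a new password only when none is deployed yet or a
  # renewal was explicitly requested
  block:
    - name: 'LDAP | generate client service password'
      gen_passwd: 'length=32'
      register: icingaweb2_ldap_gen_passwd
      no_log: true
      tags:
        - 'service_password'

    - name: 'LDAP | set client service password on server'
      # writes the new password into this host's own service entry; the admin
      # bind goes over plain ldap:// unless start_tls (ldap_tls_enabled) is on
      delegate_to: 'localhost'
      ldap_passwd:
        dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'
        passwd: '{{ icingaweb2_ldap_gen_passwd.passwd }}'
        server_uri: 'ldap://{{ ldap_server }}'
        start_tls: '{{ ldap_tls_enabled }}'
        bind_dn: '{{ ldap_admin_dn }}'
        bind_pw: '{{ ldap_admin_pw }}'
      no_log: true

    - name: 'LDAP | set client service password on client'
      set_fact:
        icingaweb2_ldap_passwd: '{{ icingaweb2_ldap_gen_passwd.passwd }}'
      no_log: true
  when: icingaweb2_ldap_passwd == '' or ldap_renew_secret | default(false)
  tags:
    - 'service_password'

- name: 'configure IcingaWeb2 (static files)'
  # the tree is kept root:icingaweb2 with no access for others
  synchronize:
    src: 'icingaweb2'
    dest: '/etc'
    rsync_opts:
      - '--chmod=Du+rwx,Dg+rwx,Do-rwx,Fu+rw,Fg+rw,Fo-rwx'
      - '--chown=root:icingaweb2'

- name: 'create enabledModules folder'
  file:
    path: '/etc/icingaweb2/enabledModules/'
    state: 'directory'
    owner: 'root'
    group: 'icingaweb2'
    mode: '0770'

- name: 'enable IcingaWeb2 monitoring plugin'
  file:
    src: '/usr/share/icingaweb2/modules/monitoring'
    dest: '/etc/icingaweb2/enabledModules/monitoring'
    state: 'link'

- name: 'configure IcingaWeb2 (templates)'
  # resources.ini carries the bind_pw read back above: group-only, no world
  # access
  template:
    src: 'icingaweb2/{{ item }}.j2'
    dest: '/etc/icingaweb2/{{ item }}'
    owner: 'root'
    group: 'icingaweb2'
    mode: '0660'
  loop:
    - 'resources.ini'
    - 'authentication.ini'
    - 'groups.ini'
  tags:
    - 'service_password'

- name: 'NGINX | configure IcingaWeb2 locations'
  template:
    src: 'icinga.conf'
    dest: '/etc/nginx/locations/{{ icingaweb2_nginx_fqdn }}/service.conf'
  notify:
    - 'reload nginx'

- name: 'MONITORING | add HTTP service'
  block:
    - name: 'MONITORING | add service to monitoring entry'
      set_fact:
        monitoring_entry: >
          {{ monitoring_entry | default({}) | combine({
          'address': ansible_host,
          'vhosts_uri': { icingaweb2_nginx_fqdn: {'/icingaweb2': { 'onredirect': 'ok' }} },
          }, recursive=true) }}

    - name: 'MONITORING | update monitoring facts'
      # the entry is stored as a fact on the monitoring host itself
      set_fact:
        monitoring_facts: >
          {{ hostvars[monitoring_host]['monitoring_facts']
          | default({})
          | combine({host_fqdn: monitoring_entry}) }}
      delegate_facts: true
      delegate_to: '{{ monitoring_host }}'
  tags:
    - 'monitoring'
...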