Unverified Commit 1c3101cc authored by Marius Hellmann's avatar Marius Hellmann Committed by GitHub

Merge pull request #137 from citronalco/icinga-server

icinga2-server: Repariere "bind_host" der API, verschiebe IcingaWeb2 nach /
parents 49bf97d1 08569f78
......@@ -22,12 +22,14 @@ Die Konfiguration erfolgt durch Variable "icinga2":
http_listener:
address: "192.168.102.69"
port: "81"
mail_interval: "2h"
```
- **api:** Icinga2-API ein- (=true) oder ausschalten (=false). Wenn nicht gesetzt wird "false" angenommen. Über die API ist nur Monitoring erlaubt, kein Anlegen/Ändern/Löschen von Objekten u.ä..
- **icingaweb2:** IcingaWeb2-Weboberfläche ein- (=true) oder ausschalten (=false).
- **userliste:** Enthält eine Liste mit Benutzern. Ein Benutzer muss Benutzername und Passwort und/oder E-Mailadresse haben.
- **api_lister:** Ändert die IP-Adresse und den Ports für Icinga2-API. Wenn nicht gesetzt wird als "address" "::" und als "port" "5665" verwendet, womit die Icinga2-API an alle Netzwerkschnittstellen auf Port 5665 verfügbar ist.
- **http_listener:** Ändern die IP-Adresse und den Ports für IcingaWeb2. Wenn nicht gesetzt wird als "address" "*" und als "port" "80" verwendet, womit IcingaWeb2 an alle Netzwerkschnittstellen auf Port 80 verfügbar ist.
- **mail_interval:** Icinga2 kann bei länger andauernden Alerts nicht nur einmalig, sondern regelmäßig per E-Mail informieren. Hier kann eingestellt werden, in welchen Abständen diese E-Mails versendet werden sollen (z.B. "30m" für alle 30 Minuten, "2h" für alle zwei Stunden usw., "0" für keine regelmäßigen E-Mails). Standardwert ist "30m".
Falls die Icinga2-API und/oder IcingaWeb2 eingeschaltet ist, dann haben alle in "userliste" mit Benutzername ("user") und Passwort ("pw") angebenen Benutzer darauf Zugriff.
An alle in "userliste" angegebenen E-Mail-Adressen ("email") versendet Icinga2 Notifications. Dazu ist die Rolle exim4-daemon-light nötig, die die E-Mails lokal annimmt und an einen SMTP-Server weiterleitet.
......
# Ansible managed
RedirectMatch ^/$ /icingaweb2
<Directory "/usr/share/icingaweb2/public">
AuthType Basic
AuthName "Icingaweb2"
AuthUserFile /etc/icingaweb2/.http-users
<RequireAny>
require valid-user
</RequireAny>
</Directory>
......@@ -56,6 +56,24 @@
mode: '0660'
directory_mode: '2770'
### Logging
- name: Configure logging
copy:
src: 'icingaweb2/config.ini'
dest: '/etc/icingaweb2/config.ini'
owner: 'www-data'
group: 'icingaweb2'
mode: '0640'
### Users
- name: Configure user roles
template:
src: 'icingaweb2/roles.ini.j2'
dest: '/etc/icingaweb2/roles.ini'
owner: 'www-data'
group: 'icingaweb2'
mode: '0640'
## Enable Apache PHP-FPM
- name: Enable required Apache modules
apache2_module:
......@@ -83,23 +101,41 @@
notify: reload apache2
### Enable IcingaWeb2 in Apache
- name: Enable IcingaWeb2 in Apache
- name: Disable default IcingaWeb2 Apache2 configuration
file:
src: '/etc/apache2/conf-available/icingaweb2.conf'
dest: '/etc/apache2/conf-enabled/icingaweb2.conf'
state: link
path: '/etc/apache2/conf-enabled/icingaweb2.conf'
state: absent
notify: reload apache2
### Set up Apache Authentication
- name: Configure basic authentication in Apache
copy:
src: 'apache2-icingaweb2-local.conf'
dest: '/etc/apache2/conf-enabled/icingaweb2-local.conf'
owner: 'root'
group: 'root'
mode: '0644'
- name: Add IcingaWeb2 site config to Apache2
template:
src: "apache2/site-icingaweb2.conf.j2"
dest: "/etc/apache2/sites-available/icingaweb2.conf"
notify: reload apache2
- name: Enable IcingaWeb2 site config
file:
src: "/etc/apache2/sites-available/icingaweb2.conf"
dest: "/etc/apache2/sites-enabled/icingaweb2.conf"
state: link
notify: reload apache2
ignore_errors: "{{ ansible_check_mode }}"
- name: Get all enabled Apache2 sites
shell: "/usr/bin/grep -Li '^[[:space:]]*SSL' /etc/apache2/sites-enabled/*"
register: httpsitesenabled
failed_when: "httpsitesenabled.rc == 2"
check_mode: no
changed_when: httpsitesenabled.stdout | length > 0
- name: Disable unneeded site configs
file:
path: "{{ item }}"
state: absent
with_items: "{{ httpsitesenabled.stdout_lines }}"
when: httpsitesenabled.stdout | length > 0 and item != "/etc/apache2/sites-enabled/icingaweb2.conf"
### Set up Apache Authentication
- name: Delete old htpasswd file to force password updates and to get rid of deprecated users
file:
path: '/etc/icingaweb2/.http-users'
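Review bot: The "Disable unneeded site configs" task deletes every file in sites-enabled that lacks an SSL directive, except icingaweb2.conf, but has no `notify: reload apache2`, so a removed vhost keeps being served until some other task fires the handler. The "Get all enabled Apache2 sites" task before it only reads, and because the icingaweb2 site itself has no SSL line its stdout is never empty, so `changed_when: httpsitesenabled.stdout | length > 0` reports a change on every run; `changed_when: false` would keep the play idempotent. "Add IcingaWeb2 site config to Apache2" also sets no ownership or mode, unlike the other copy/template tasks in this file; `owner: 'root'`, `group: 'root'`, `mode: '0644'` would pin them. The page has lost its +/- markers, so which lines are new is inferred from the hunk header and from the block deleted further down.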
......@@ -131,36 +167,3 @@
dest: "/etc/apache2/ports.conf"
notify: reload apache2
- name: Get all enabled non-SSL Apache2 sites
shell: "/usr/bin/grep -Li '^[[:space:]]*SSL' /etc/apache2/sites-enabled/*"
register: httpsitesenabled
failed_when: "httpsitesenabled.rc == 2"
check_mode: no
changed_when: httpsitesenabled.stdout | length > 0
- name: Set HTTP listening ports in all enabled non-SSL Apache2 sites
lineinfile:
path: "{{ item }}"
regexp: '(?i)<VirtualHost (.+?):(\d+)>'
line: "<VirtualHost {{ icinga2.http_listener.address | default('*') }}:{{ icinga2.http_listener.port | default(80) }}>"
backrefs: yes
with_items: "{{ httpsitesenabled.stdout_lines }}"
when: httpsitesenabled.stdout | length > 0
### Logging
- name: Configure logging
copy:
src: 'icingaweb2/config.ini'
dest: '/etc/icingaweb2/config.ini'
owner: 'www-data'
group: 'icingaweb2'
mode: '0640'
### Users
- name: Configure user roles
template:
src: 'icingaweb2/roles.ini.j2'
dest: '/etc/icingaweb2/roles.ini'
owner: 'www-data'
group: 'icingaweb2'
mode: '0640'
# {{ ansible_managed }}
ServerName {{ inventory_hostname_short }}.{{ freifunk.domain }}
<VirtualHost {{ icinga2.http_listener.address | default("*") }}:{{ icinga2.http_listener.port | default(80) }}>
ServerAdmin {{ freifunk.email }}
DocumentRoot "/usr/share/icingaweb2/public"
<Directory "/usr/share/icingaweb2/public">
Options SymLinksIfOwnerMatch
AllowOverride None
AuthType Basic
AuthName "Icingaweb2"
AuthUserFile /etc/icingaweb2/.http-users
<RequireAny>
require valid-user
</RequireAny>
SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
EnableSendfile Off
<IfModule mod_rewrite.c>
RewriteEngine on
# RewriteBase /icingaweb2/
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
</IfModule>
<IfModule !mod_rewrite.c>
DirectoryIndex error_norewrite.html
ErrorDocument 404 /error_norewrite.html
</IfModule>
</Directory>
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
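Review bot: The `<Directory>` block asks for Basic credentials on a listener that defaults to `*:80`, and the template has no TLS directive, so the passwords from "userliste" cross the network merely base64-encoded. Per the README those same accounts are also valid for the Icinga2 API, which widens what a captured password gives access to. Consider either defaulting the bind to loopback, `default("127.0.0.1")`, and publishing through a TLS-terminating front end (the README default would need updating to match), or at least adding a header comment such as `# Basic auth over plain HTTP: expose only on a trusted interface or behind TLS`. Separately, `ServerName` sits outside `<VirtualHost>` and therefore applies server-wide; if it is meant for this site only, it belongs inside the block.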
......@@ -15,7 +15,7 @@ apply Notification "mail-icingaadmin" to Host {
user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users
//interval = 2h
interval = {{ icinga2.mail_interval | default("30m") }}
//vars.notification_logtosyslog = true
......@@ -27,7 +27,7 @@ apply Notification "mail-icingaadmin" to Service {
user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users
//interval = 2h
interval = {{ icinga2.mail_interval | default("30m") }}
//vars.notification_logtosyslog = true
......
......@@ -10,5 +10,5 @@ object ApiListener "{{ inventory_hostname_short }}.{{ freifunk.domain }}" {
ticket_salt = TicketSalt
bind_port = "{{ icinga2.api_listener.port | default(5665) }}"
bind_host = "{{ icinga2.api_listener.host | default("::") }}"
bind_host = "{{ icinga2.api_listener.address | default("::") }}"
}