Commit 285e7d1a authored by Bernhard Geier's avatar Bernhard Geier

Initial commit

# Python3 statt Python 2 auf Servern benutzen
ansible_python_interpreter: /usr/bin/python3
admin:
# E-Mail-Adresse Serveradmin
email: admin@example.com
# Konfiguration SMTP-Server
mail:
#force_hostname: "monitoring.example.com" # Absender-Hostname (default: hostname -f)
senderemail: "monitoring@example.com" # Absender-E-Mailadresse
smtp: "smtp.example.com" # SMTP-Server
user: "blabla" # SMTP-Benutzername
pw: "P@55W0rD" # SMTP-Passwort
# Konfiguration Icinga2
icinga2:
userliste:
# User, die Zugriff auf IcingaWeb2 und Icinga2-API erhalten sollen
# Wenn "user" und "pw" existieren: Zugriff auf API und IcingaWeb2
# Wenn "email" existiert: E-Mail bei Alerts
# Wenn "jid" existiert: XMPP-Nachricht bei Alerts
- user: admin
pw: Admin1234
- user: weranders
email: ich@example.com
jid: ich@xmpp-example.com
# XMPP-Account von Icinga2
xmpp:
jid: monitoring-bot@example.com
pw: HAikd(sjslkls
nick: "Example Monitoring Bot"
# Notification-Intervalle für E-Mail und XMPP (0: keine Wiederholungen)
mail_interval: 6h
xmpp_interval: 24h
# Zusätzliche IcingaWeb2-Module
modules:
#- director
- cube
# Icinga2-Dashing
dashing:
release_tag: "3.1.0" # siehe https://hub.docker.com/r/dbodky/dashing-icinga2/tags (default: "latest")
topbar:
title: "Monitoring example.com"
links:
- "IcingaWeb2": "https://monitoring.example.com/icingaweb2"
- "API": "https://monitoring.example.com:5665/v1"
- "Doku/Code/Checks": "https://git.example.com/monitoring"
# Repository in dem die Checks, Services usw. liegen
checks:
repo: "git@git.example.com:monitoring/checks.git"
branch: "main"
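Review bot: The credential values at L18, L27 and L34 are committed as plaintext scalars, and the `admin` / `Admin1234` pair at L26-L27 grants both IcingaWeb2 and API access according to the comment at L23, so anyone who copies this example without changing it deploys a guessable administrator account. Even for an example file it is worth showing the intended pattern: `pw: !vault |` with output from `ansible-vault encrypt_string`, or at least a comment such as `# replace before use; keep real values in an ansible-vault encrypted group_vars file`. Unquoted `HAikd(sjslkls` at L34 happens to parse as a string, but quoting every password (`pw: "..."`) avoids YAML retyping for values that start with `*`, `&`, `!` or look numeric.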
[monitoring]
example.com ansible_ssh_host=123.45.67.89
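Review bot: `ansible_ssh_host` at L57 is the legacy alias of `ansible_host`; current Ansible still honours it but documents `ansible_host` as the canonical variable, so `example.com ansible_host=123.45.67.89` is the safer spelling. Because the play at L58-L59 connects as root over SSH, this inventory is also the natural place to reference pinned host keys (a pre-populated known_hosts) rather than relying on the `host_key_checking` default.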
- hosts: monitoring
remote_user: root
roles:
- set_passwords
- hostname
- unattended_upgrades
- certbot
- watchdog
- apache2
- exim4_daemon_light
- postgresql
- icinga2
- icingaweb2
- dashing-icinga2
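Review bot: `remote_user: root` at L59 makes every role run over a direct root SSH login, which in turn requires `PermitRootLogin` to stay enabled on the target. A less exposed default is a dedicated deploy user with privilege escalation at play level, i.e. replace L59 with `remote_user: deploy` and add `become: true`; the roles need no change as long as they already use `become` where required, which is not visible here. A `---` document-start line before L58 also matches the handlers file at L241 and keeps yamllint quiet.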
- name: restart apache2
service:
name: apache2.service
state: restarted
- name: reload apache2
service:
name: apache2.service
state: reloaded
# Install Apache2
- name: Install Apache2
apt:
name: "apache2"
install_recommends: false
# Install PHP-FPM
- name: Install PHP-FPM
apt:
name: [ "php-fpm", "libapache2-mod-fcgid" ]
install_recommends: false
- name: Figure out PHP-FPM Apache configuration file
find:
paths: '/etc/apache2/conf-available/'
file_type: file
use_regex: yes
patterns: '^php[0-9\.]+\-fpm\.conf'
register: find_phpfpmconf
- name: Enable PHP-FPM Apache configuration file
file:
src: '/etc/apache2/conf-available/{{ item.path | basename }}'
dest: '/etc/apache2/conf-enabled/{{ item.path | basename }}'
state: link
loop: '{{ find_phpfpmconf.files }}'
notify: reload apache2
# Enable Apache2 modules
- name: Enable required Apache modules
apache2_module:
name: '{{ item }}'
state: present
loop:
- fcgid
- alias
- proxy_fcgi
- proxy_http
- setenvif
- ssl
notify: reload apache2
# Install AnonIP
- name: Install dependencies for AnonIP
apt:
name: 'git'
install_recommends: false
- name: Clone github repo for AnonIP
git:
repo: "https://github.com/DigitaleGesellschaft/Anonip.git"
dest: "/usr/local/Anonip.git"
clone: yes
update: yes
notify: restart apache2
tags:
- skip_ansible_lint
- name: Mark AnonIP python script as executable
file:
dest: /usr/local/Anonip.git/anonip.py
mode: "0755"
# Install index.html
- name: Install index.html
template:
src: index.html.j2
dest: /var/www/html/index.html
mode: 0664
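Review bot: The `git` task at L122-L130 clones a third-party repository at whatever HEAD is at run time (`update: yes`, no `version:`), and the `skip_ansible_lint` tag at L129-L130 silences exactly the lint rule that would flag this; the script is then marked executable at L131-L134 and presumably wired into Apache's log pipeline, so an upstream compromise or force-push reaches the server on the next run. Pin the checkout to a reviewed tag or commit, e.g. `version: "<tag-or-sha>"` under `repo:`, and drop the lint skip. Independently, `mode: 0664` at L140 should be the string `mode: "0664"`, as Ansible's documentation recommends for octal modes.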
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>
{{ icinga2.dashing.topbar.title | default("Monitoring") }}
</title>
<style>
html {
height: 100%;
}
body {
height: 100%;
overflow: hidden;
margin: 0;
font-family: monospace;
font-weight: bold;
color: rgba(255,255,255,0.97);
background-color: black;
}
a:link {
color: rgba(255,255,255,0.97);
}
a:active {
color: rgba(255,255,255,0.97);
}
a:hover {
color: rgba(255,255,255,0.97);
}
a:visited {
color: rgba(255,255,255,0.97);
}
div {
width: 100%;
padding-left: 2px;
padding-top: 2px;
padding-right: 5px;
padding-bottom: 2px;
}
</style>
<head>
<body>
<div>
<span style="font-size: 100%";>
{{ icinga2.dashing.topbar.title | default("Monitoring") }}
</span>
<span style="position: absolute; right: 5px; font-size: 90%;">
{% for item in icinga2.dashing.topbar.links %}
<a href="{{ item.values() | first }}">{{ item.keys() | first }}</a>
{% endfor %}
</span>
</div>
<iframe style="width: 100%; height: 100%; border: 0;" src="/icinga2">
</body>
</html>
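Review bot: The template never closes `<head>`: L181 repeats `<head>` where `</head>` is needed, and the `<iframe>` at L193 has no closing tag, so the rendered page depends on browser error recovery. Change L181 to `</head>` and L193 to `<iframe style="width: 100%; height: 100%; border: 0;" src="/icinga2"></iframe>`; the stray `;` after the `style` attribute at L184 should go too. The link text and href at L189 are emitted from `icinga2.dashing.topbar.links` without escaping — operator-controlled configuration, so not an injection vector as far as I can see, but `{{ item.values() | first | e }}` documents that intent.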
#!/bin/sh
# Ansible managed
systemctl is-active --quiet apache2.service && systemctl reload apache2.service
- name: restart apache2
service:
name: apache2.service
state: restarted
- name: Install Certbot
apt:
name: "python3-certbot-apache"
install_recommends: false
- name: Check if certificate already exist
stat:
path: /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem
register: letsencrypt_cert_stat
- name: Stop Apache2 to allow certbot to generate a cert
service:
name: "apache2"
state: stopped
when: not ansible_check_mode and not letsencrypt_cert_stat.stat.exists
notify: restart apache2
- name: Generate new certificate
command: /usr/bin/certbot certonly --standalone --noninteractive --agree-tos --email {{ admin.email }} -d {{ inventory_hostname }}
args:
creates: /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem
notify: restart apache2
- name: Create directory for renewal hooks
file:
path: "/etc/letsencrypt/renewal-hooks/post/"
state: directory
mode: "0755"
- name: Add renewal hooks to certbot
copy:
src: "{{ item }}"
dest: "/etc/letsencrypt/renewal-hooks/post/{{ item }}"
mode: "0770"
loop:
- apache2.sh
- name: Add certbot cronjob
cron:
name: "Renew LetsEncrypt certificate, check weekly. After renewal the scripts in /etc/letsencrypt/renewal-hooks/post get executed to enable the new cert in Apache2"
job: "/usr/bin/certbot renew"
minute: "10"
hour: "1"
weekday: "0"
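Review bot: The initial issuance at L211-L218 stops Apache so `--standalone` can bind port 80, but the weekly `certbot renew` cron at L234-L240 will reuse the standalone authenticator recorded in the renewal configuration while Apache is running, so renewals will fail to bind port 80 as soon as Apache serves it (likely, given the ssl module and certbot-apache installation, though not visible here). Either add `--pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"` to the command at L218 so both paths behave the same, or use the already-installed apache plugin (`python3-certbot-apache`, L205) and drop the stop task. The hook installed at L227-L233 gets `mode: "0770"`; `"0750"` is enough, since nothing needs group-write on a root-run script.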
---
- name: restart docker
service:
name: docker
state: restarted
- name: docker-compose build and start
docker_compose:
project_src: "/usr/local/dashing-icinga2"
build: yes
- name: Install required packages
apt:
pkg: [ 'docker-compose', 'docker.io' ]
- name: Switch Docker logging to journald
copy:
src: "docker-daemon.json"
dest: "/etc/docker/daemon.json"
notify: restart docker
- name: Create installation directory
file:
path: "/usr/local/dashing-icinga2"
state: directory
mode: 0775
- name: Create configuration
template:
src: "dashing-icinga2.env.j2"
dest: "/usr/local/dashing-icinga2/dashing-icinga2.env"
mode: 0640
notify: docker-compose build and start
- name: Install docker-compose file
template:
src: "docker-compose.yml.j2"
dest: "/usr/local/dashing-icinga2/docker-compose.yml"
mode: 0640
notify: docker-compose build and start
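Review bot: `docker-daemon.json` is copied at L253-L257 without `mode:` or `owner:`, so its permissions depend on the control node's file and the copy module's defaults, unlike every other file in this role; add `mode: "0644"` for consistency. The env file templated at L263-L268 carries the Icinga2 API password and is correctly restricted to `0640`, but the directory created at L258-L262 is `0775`, so `mode: "0755"` avoids implying that a group may write into it. As far as I know `docker_compose` at L247 is the v1 community module; if the collection is updated, `docker_compose_v2` with `build: always` is the supported replacement.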
# {{ ansible_managed }}
# docs: https://hub.docker.com/r/dbodky/dashing-icinga2#configuration
ICINGA2_API_HOST=192.168.123.1
ICINGA2_API_PORT=5665
ICINGA2_API_USERNAME=dashing
ICINGA2_API_PASSWORD={{ icinga2api_dashing_pwd }}
ICINGA2_API_NODENAME={{ inventory_hostname }}
ICINGAWEB2_URL=https://{{ inventory_hostname }}/icingaweb2
DASHBOARD_SHOW_ONLY_HARD_STATE_PROBLEMS=1
DASHBOARD_TIMEZONE=Europe/Berlin
# {{ ansible_managed }}
version: "3.7"
services:
dashing-icinga2:
image: dbodky/dashing-icinga2:{{ icinga2.dashing.release_tag | default("latest") }}
container_name: dashing-icinga2
restart: always
healthcheck:
test: "curl --fail --silent --output /dev/null http://localhost:8005/icinga2 || exit 1"
interval: 5m
timeout: 5s
retries: 3
env_file:
- dashing-icinga2.env
hostname: dashing-icinga2
networks:
gw99_net:
ipv4_address: 192.168.123.10
networks:
gw99_net:
ipam:
driver: default
config:
- subnet: 192.168.123.0/24
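Review bot: The image at L289 falls back to the floating `latest` tag whenever `release_tag` is unset, so an unattended `docker-compose build and start` (L246-L249) can silently roll the dashboard to a new upstream build; default to a fixed tag here (`| default("3.1.0")`) and, better, pin by digest (`dbodky/dashing-icinga2@sha256:...`). The healthcheck at L293 relies on `curl` being present in the image, which nothing here verifies. The static `192.168.123.0/24` subnet at L308 and `ipv4_address` at L302 must agree with `ICINGA2_API_HOST=192.168.123.1` in the env template at L277; a single Jinja variable for the subnet would keep the three in sync.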
# exim4-daemon-light
Diese Rolle installiert den Mailserver exim4-daemon-light
E-Mails werden nur von localhost angenommen und dann an den in der Variable "mail" angegebenen SMTP-Server weitergeleitet.
## Konfiguration
Die Konfiguration erfolgt durch die Variable "mail":
```
mail:
senderemail: Bestimmte Absender-E-Mail-Adresse für alle von diesem Server gesendeten E-Mails erzwingen (optional)
smtp: SMTP-Server:Portnummer (Portnummer ist optional, Standard: 25)
user: Benutzername am SMTP-Server
pw: Passwort am SMTP-Server
force_hostname: Hostnamen, der für das SMTP-Helo am SMTP-Server verwendet wird (optional, default: Hostname des Servers)
```
**Beispiel:**
```
mail:
senderemail: icinga2@example.com
smtp: mail.foo.bar:587
user: benutzername
pw: geheim
force_hostname: gandalf.example.de
```
Als Absenderadresse wird immer "icinga2@example.com" verwendet.
Zur Authentifizierung am SMTP-Server "mail.foo.bar" wird der Benutzername "benutzername" und das Passwort "geheim" benutzt.
Beim SMTP-Helo wird "gandalf.example.de" als Hostname verwendet.
- name: restart exim4
service:
name: exim4
state: restarted
- name: update-exim4.conf
command: update-exim4.conf
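Review bot: Ansible runs handlers in the order they are defined in the handlers file, not in notification order, so with `restart exim4` at L334 listed before `update-exim4.conf` at L338 the restart happens before the new configuration is generated, and the running daemon keeps the old config until the next run. Swap the two definitions so `update-exim4.conf` comes first, or add `notify: restart exim4` to the `command` handler so the restart is always triggered after regeneration. The same pattern appears in the apache2 handlers at L72-L79, where it is harmless because a restart implies a reload.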
- name: Install exim4-daemon-light
apt:
name: exim4-daemon-light
install_recommends: false
- name: Configure exim4
template:
src: "update-exim4.conf.conf.j2"
dest: "/etc/exim4/update-exim4.conf.conf"
mode: "0644"
notify:
- update-exim4.conf
- restart exim4
when: mail is defined
- name: Configure authentication at remote smtp server
template:
src: "passwd.client.j2"
dest: "/etc/exim4/passwd.client"
mode: "0640"
group: "Debian-exim"
notify: restart exim4
when: mail is defined
- name: Set sender email address
template:
src: "email-addresses.j2"
dest: "/etc/email-addresses"
mode: "0644"
notify: restart exim4
- name: Set same sender email address for all local users
replace:
path: "/etc/exim4/exim4.conf.template"
regexp: '^(.*\${lookup{\${local_part}})lsearch({\s*\/etc\/email-addresses\s*}.*)$'
replace: '\1wildlsearch\2'
notify: restart exim4
- name: Set forced hostname for SMTP Helo
blockinfile:
path: "/etc/exim4/exim4.conf.template"
marker: "# {mark} ANSIBLE MANAGED BLOCK - FORCE HOSTNAME"
block: |
MAIN_HARDCODE_PRIMARY_HOSTNAME = {{ mail.force_hostname }}
insertbefore: BOF
when: mail.force_hostname is defined
notify: restart exim4
- name: Remove forced hostname for SMTP Helo
blockinfile:
path: "/etc/exim4/exim4.conf.template"
marker: "# {mark} ANSIBLE MANAGED BLOCK - FORCE HOSTNAME"
state: absent
when: mail.force_hostname is not defined
notify: restart exim4
- name: Update logrotate cycle in /etc/logrotate.d/
replace:
dest: "{{ item }}"
regexp: 'daily|weekly|monthly'
replace: 'weekly'
with_items:
- /etc/logrotate.d/exim4-base
- /etc/logrotate.d/exim4-paniclog
- name: Update logrotate count in /etc/logrotate.d/
replace:
dest: "{{ item }}"
regexp: 'rotate[ \t]+[0-9]+'
replace: "rotate 2"
with_items:
- /etc/logrotate.d/exim4-base
- /etc/logrotate.d/exim4-paniclog
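Review bot: The `replace` at L367-L372 and the `blockinfile` edits at L373-L388 modify `/etc/exim4/exim4.conf.template`, which as far as I recall is a package-managed conffile, so a later exim4 upgrade can prompt for or overwrite these changes; the macro at L378 can instead go into `/etc/exim4/exim4.conf.localmacros`, which Debian's exim4 configuration reads without touching the template (`path: /etc/exim4/exim4.conf.localmacros` with `create: true`). L344-L360 are guarded by `when: mail is defined` while L361-L404 are not, so a host without a `mail` variable still has its exim template and logrotate files edited; applying the same guard keeps the role predictable. `group: "Debian-exim"` at L358 without `owner: root` leaves the owner as whatever created the file, so adding `owner: root` makes the 0640 intent explicit.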
# {{ ansible_managed }}
{% if mail.senderemail is defined %}
*: {{ mail.senderemail }}
{% endif %}
\ No newline at end of file
# {{ ansible_managed }}
{{ mail.smtp.split(':')[0] }}:{{ mail.user }}:{{ mail.pw }}
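Review bot: The rendered line is `host:login:password`, so a `mail.pw` (or `mail.user`) containing `:` produces extra fields and a truncated or wrong credential; document this next to the `pw` variable or reject such values with a `fail` task guarded by `when: "':' in mail.pw"` before templating. `mail.smtp.split(':')[0]` also drops everything after the first colon, which matches the `host:port` form described in the README at L317 but would mis-handle a bare IPv6 literal.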