Commit 6e46c99d authored by Bernhard Geier's avatar Bernhard Geier

IcingaWeb2: Performance-Grafiken mit Graphite-Carbon

parent 3b01dd9f
Subproject commit 1d3ca97924fde41074837b15390877c189f042f0
Subproject commit 67082b407f3818ba48f63d4d8d09e2a5d440e08c
......@@ -37,6 +37,7 @@ icinga2:
# Zusätzliche IcingaWeb2-Module
modules:
#- director
- graphite
- cube
# Icinga2-Dashing
......@@ -46,7 +47,7 @@ icinga2:
title: "Monitoring example.com"
links:
- "IcingaWeb2": "https://monitoring.example.com/icingaweb2"
- "API": "https://monitoring.example.com:5665/v1"
- "API": "https://monitoring.example.com:5665"
- "Doku/Code/Checks": "https://git.example.com/monitoring"
# Repository in dem die Checks, Services usw. liegen
......
......@@ -4,7 +4,6 @@
- set_passwords
- hostname
- unattended_upgrades
- certbot
- watchdog
- apache2
- exim4_daemon_light
......
- name: Install dependencies for AnonIP
apt:
name: 'git'
install_recommends: false
- name: Clone github repo for AnonIP
git:
repo: "https://github.com/DigitaleGesellschaft/Anonip.git"
dest: "/usr/local/Anonip.git"
clone: yes
update: yes
notify: restart apache2
tags:
- skip_ansible_lint
- name: Mark AnonIP python script as executable
file:
dest: /usr/local/Anonip.git/anonip.py
mode: "0755"
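Review bot: The `git` task that clones Anonip sets `update: yes` without a `version:`, so every playbook run moves the checkout to whatever upstream's default branch holds at that moment. The default site template on this page pipes each access-log line through `/usr/local/Anonip.git/anonip.py` via `CustomLog`, and Apache starts piped loggers as the user that launched httpd (usually root), so an unreviewed upstream change would run with that privilege. Pinning the task to a reviewed revision, e.g. `version: "<reviewed-commit-or-tag>"`, makes updates a deliberate step. It would presumably also remove the need for the `skip_ansible_lint` tag.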
......@@ -9,6 +9,7 @@
apt:
name: [ "php-fpm", "libapache2-mod-fcgid" ]
install_recommends: false
notify: reload apache2
- name: Figure out PHP-FPM Apache configuration file
find:
......@@ -26,40 +27,37 @@
loop: '{{ find_phpfpmconf.files }}'
notify: reload apache2
# Enable Apache2 modules
# Other Apache2 modules
- name: Install additional Apache2 modules
apt:
name: '{{ item }}'
install_recommends: false
loop:
- libapache2-mod-wsgi-py3
notify: reload apache2
- name: Enable required Apache modules
apache2_module:
name: '{{ item }}'
state: present
loop:
- fcgid
- rewrite
- alias
- proxy_fcgi
- proxy_http
- setenvif
- ssl
- wsgi
notify: reload apache2
# Install AnonIP
- name: Install dependencies for AnonIP
apt:
name: 'git'
install_recommends: false
include: anonip.yml
- name: Clone github repo for AnonIP
git:
repo: "https://github.com/DigitaleGesellschaft/Anonip.git"
dest: "/usr/local/Anonip.git"
clone: yes
update: yes
notify: restart apache2
tags:
- skip_ansible_lint
- name: Mark AnonIP python script as executable
file:
dest: /usr/local/Anonip.git/anonip.py
mode: "0755"
# Install Certbot
- name: Install Certbot
include: certbot.yml
# Install index.html
- name: Install index.html
......@@ -67,3 +65,20 @@
src: index.html.j2
dest: /var/www/html/index.html
mode: 0664
# Site configurations
- name: Disable unneeded site configs
file:
path: "/etc/apache2/sites-enabled/{{ item }}"
state: absent
loop:
- 000-default.conf
- default-ssl.conf
notify: reload apache2
- name: Enable default site configuration
template:
src: default.conf.j2
dest: /etc/apache2/sites-enabled/default.conf
mode: 0664
notify: reload apache2
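Review bot: `mode: 0664` on `/etc/apache2/sites-enabled/default.conf` leaves the site configuration group-writable, and nothing visible in this task needs that. `mode: "0644"` is sufficient, and quoting the value keeps the octal from depending on how the YAML parser types it. The same applies to the `index.html` task in the context lines above. The template is also written directly into `sites-enabled`; a short comment explaining why it bypasses `sites-available` would help the next maintainer.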
# {{ ansible_managed }}
ServerName {{ inventory_hostname }}
ServerAdmin {{ admin.email }}
# Logging
ErrorLog /var/log/apache2/error.log
CustomLog "|/usr/bin/python3 /usr/local/Anonip.git/anonip.py --skip-private --output /var/log/apache2/access.log" combined env=!dontlog
# TLS Intermediate configuration
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
# Redirect HTTP to HTTPS
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{SERVER_NAME} ={{ inventory_hostname }}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
- name: restart apache2
service:
name: apache2.service
state: restarted
<Location /icinga2>
ProxyPass http://192.168.123.10:8005/icinga2
ProxyPassReverse http://192.168.123.10:8005/icinga2
</Location>
<Location /assets/>
ProxyPass http://192.168.123.10:8005/assets/
ProxyPassReverse http://192.168.123.10:8005/assets/
</Location>
<Location /events>
ProxyPass http://192.168.123.10:8005/events
ProxyPassReverse http://192.168.123.10:8005/events
</Location>
<Location /views/>
ProxyPass http://192.168.123.10:8005/views/
ProxyPassReverse http://192.168.123.10:8005/views/
</Location>
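Review bot: The four `<Location>` blocks forward to `http://192.168.123.10:8005` without any `Require` directive of their own, so the dashboard is reachable by anyone who can reach the enclosing virtual host, unless access is restricted somewhere not shown here. If the Dashing board is not meant to be public, add an access rule to each block, for example `Require ip <trusted-network>`. The backend address is hard-coded and presumably has to match the address assigned in the docker-compose file. A comment such as `# must match the container address in docker-compose.yml` would make that coupling visible.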
---
- name: restart docker
service:
name: docker
......@@ -8,3 +7,8 @@
docker_compose:
project_src: "/usr/local/dashing-icinga2"
build: yes
- name: reload apache2
service:
name: apache2
state: reloaded
......@@ -27,3 +27,10 @@
dest: "/usr/local/dashing-icinga2/docker-compose.yml"
mode: 0640
notify: docker-compose build and start
- name: Set up Apache2 config
copy:
src: "conf-icinga2-dashing.conf"
dest: "/etc/apache2/conf-available/icinga2-dashing.conf"
mode: 0644
notify: reload apache2
# Ansible managed
# File is identical to /usr/share/graphite-web/apache2-graphite.conf, except VirtualHost's IP address and port number
Listen 127.0.0.1:8000
<VirtualHost 127.0.0.1:8000>
WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite
WSGIProcessGroup _graphite
WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}
WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi
Alias /static/ /usr/share/graphite-web/static/
<Location "/static/">
SetHandler None
</Location>
ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined
</VirtualHost>
# Ansible managed
Listen 5665 https
<VirtualHost *:5665>
SSLEngine on
# Upstream Icinga2 API uses a self signed cert, so disable all checks
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyProtocol all -SSLv3 -SSLv2
ProxyTimeout 1200
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://127.0.0.1:5664/ retry=0 timeout=300 keepalive=on
ProxyPassReverse / https://127.0.0.1:5664/
# Silence warnings about missing client cert as we're using Basic Auth for Icinga2 API
LogLevel ssl:error
</VirtualHost>
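Review bot: `SSLProxyProtocol all -SSLv3 -SSLv2` still allows TLSv1 and TLSv1.1 towards the upstream, although the server-wide `SSLProtocol` line on this page excludes them; `SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` would keep both sides consistent. Turning off every peer check is tolerable only because the upstream is `127.0.0.1:5664`, and the comment should say so, e.g. `# Upstream is the local Icinga2 API on loopback with a self-signed cert; verification is skipped only because traffic never leaves this host`. A stricter option is to trust that one certificate with `SSLProxyCACertificateFile` and set `SSLProxyVerify require`. `Listen 5665 https` also binds every interface, so the API's Basic Auth becomes the only barrier unless a firewall or a `Require ip` rule limits who can connect.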
# Ansible managed
Package: *
Pin: release o=Debian,a=testing
Pin-Priority: 400
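Review bot: `Package: *` with `Pin-Priority: 400` makes the entire testing archive an install candidate for any package the host's main release does not provide, which is broader than a Graphite setup appears to need. If only the Graphite packages are wanted from testing, keep the catch-all stanza at a low value such as `Pin-Priority: 100` and add a second stanza naming just those packages at the higher priority. It is also worth confirming that unattended-upgrades covers the testing origin added by the sources list that follows, since packages installed from it would otherwise miss automatic security updates.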
# Ansible managed
deb http://deb.debian.org/debian/ testing main
deb-src http://deb.debian.org/debian/ testing main
deb http://security.debian.org/debian-security testing-security main
deb-src http://security.debian.org/debian-security testing-security main
deb http://deb.debian.org/debian/ testing-updates main
deb-src http://deb.debian.org/debian/ testing-updates main
# Ansible managed
[carbon]
pattern = ^carbon\.
retentions = 60:90d
[icinga2_default]
# intervals like PNP4Nagios uses them per default
pattern = ^icinga2\.
retentions = 1m:2d,5m:10d,30m:90d,360m:4y
[default_1min_for_1day]
pattern = .*
retentions = 60s:1d
---
- name: reload apache2
service:
name: apache2.service
state: reloaded
- name: restart apache2
service:
name: apache2.service
state: restarted
- name: reload icinga2
service:
name: icinga2
name: icinga2.service
state: reloaded
- name: reload apache2
- name: restart carbon-cache
service:
name: apache2
state: reloaded
name: carbon-cache.service
state: restarted
File mode changed from 100755 to 100644
File mode changed from 100755 to 100644