This commit is contained in:
mwiegand 2022-08-16 19:14:39 +02:00
parent b9b025a316
commit 1320f6fcb3
13 changed files with 283 additions and 35 deletions


@ -2,48 +2,59 @@
directories = { directories = {
'/etc/icinga2': { '/etc/icinga2': {
'purge': True, # 'purge': True,
'owner': 'nagios', 'owner': 'nagios',
'group': 'nagios',
'mode': '0750',
'needs': [
'pkg_apt:icinga2',
],
}, },
'/etc/icinga2/conf.d': { '/etc/icinga2/conf.d': {
'purge': True, # 'purge': True,
'owner': 'nagios', 'owner': 'nagios',
'group': 'nagios',
'mode': '0750',
}, },
'/etc/icinga2/hosts.d': { '/etc/icinga2/hosts.d': {
'purge': True, 'purge': True,
'owner': 'nagios', 'owner': 'nagios',
'group': 'nagios',
'mode': '0750',
}, },
'/etc/icinga2/features.d': { # '/etc/icinga2/features.d': {
'purge': True, # 'purge': True,
'owner': 'nagios', # 'owner': 'nagios',
}, # 'group': 'nagios',
# 'mode': '0750',
# },
} }
files = { files = {
'/etc/icinga2/icinga2.conf': { # '/etc/icinga2/icinga2.conf': {
'owner': 'nagios', # 'owner': 'nagios',
}, # },
'/etc/icinga2/constants.conf': { # '/etc/icinga2/constants.conf': {
'owner': 'nagios', # 'owner': 'nagios',
'context': { # 'context': {
'hostname': node.metadata.get('icinga2/hostname') # 'hostname': node.metadata.get('icinga2/hostname')
}, # },
}, # },
'/etc/icinga2/conf.d/templates.conf': { # '/etc/icinga2/conf.d/templates.conf': {
'source': 'conf.d/templates.conf', # 'source': 'conf.d/templates.conf',
'owner': 'nagios', # 'owner': 'nagios',
}, # },
'/etc/icinga2/features/ido-pgsql.conf': { # '/etc/icinga2/features/ido-pgsql.conf': {
'source': 'features/ido-pgsql.conf', # 'source': 'features/ido-pgsql.conf',
'content_type': 'mako', # 'content_type': 'mako',
'owner': 'nagios', # 'owner': 'nagios',
'context': { # 'context': {
'db_password': node.metadata.get('postgresql/roles/icinga2/password') # 'db_password': node.metadata.get('postgresql/roles/icinga2/password')
}, # },
'needs': [ # 'needs': [
'pkg_apt:icinga2-ido-pgsql', # 'pkg_apt:icinga2-ido-pgsql',
], # ],
}, # },
} }
for other_node in repo.nodes: for other_node in repo.nodes:
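Review bot: Turning `purge` off for /etc/icinga2 and /etc/icinga2/conf.d at the same time as the `files` entries are commented out leaves anything earlier applies wrote — notably features/ido-pgsql.conf, which was rendered with the database password from metadata — on already-deployed nodes with no item managing its content or mode any more. If those files are still wanted they should keep an explicit item (at least `'owner': 'nagios', 'group': 'nagios', 'mode': '0640'`); if not, a `files['/etc/icinga2/features/ido-pgsql.conf'] = {'delete': True}` entry removes them instead of leaving a credential-bearing file unmanaged. The commented-out blocks should be deleted rather than kept, since they no longer describe what is deployed and git history preserves them. The `for other_node in repo.nodes:` loop at the end of the hunk continues outside it.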


@ -6,6 +6,7 @@ defaults = {
'icinga2': {}, 'icinga2': {},
'icinga2-ido-pgsql': {}, 'icinga2-ido-pgsql': {},
'icingacli': {}, 'icingacli': {},
'monitoring-plugins': {},
}, },
'sources': { 'sources': {
'deb https://packages.icinga.com/debian icinga-{release} main', 'deb https://packages.icinga.com/debian icinga-{release} main',


@ -0,0 +1,4 @@
- apply
- open /icingaweb2/setup in browser
- fill in values from metadata
- apply


@ -1,6 +1,36 @@
directories = {
'/etc/icingaweb2': {
# 'purge': True,
'owner': 'www-data',
'group': 'icingaweb2',
'mode': '2770',
'needs': [
'pkg_apt:icinga2',
'pkg_apt:icingaweb2',
],
},
}
files = { files = {
'/etc/icingaweb2/setup.token': { '/etc/icingaweb2/setup.token': {
'content': node.metadata.get('icingaweb2/setup_token'), 'content': node.metadata.get('icingaweb2/setup_token'),
'owner': 'nagios', 'owner': 'www-data',
'group': 'icingaweb2',
'mode': '0660',
}, },
} }
for name in [
'authentication.ini',
'config.ini',
'groups.ini',
'resources.ini',
'roles.ini',
]:
files[f'/etc/icingaweb2/{name}'] = {
'content': repo.libs.ini.dumps(node.metadata.get(f'icingaweb2/{name}')),
'owner': 'www-data',
'group': 'icingaweb2',
'mode': '0660',
}
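Review bot: The generated ini files — resources.ini in particular, which carries the database password from metadata — are written owner www-data, mode 0660, so the PHP process can rewrite its own authentication.ini, roles.ini and resources.ini; since bundlewrap now renders these files from metadata they only need to be readable by the icingaweb2 group, and `'owner': 'root', 'group': 'icingaweb2', 'mode': '0640'` in the loop body would take write access away from the web user (the 2770 directory presumably has to stay while the setup wizard still creates files there). setup.token is installed permanently although it is only needed while the wizard runs; it should be removed, or the setup module disabled, once the wizard is finished, otherwise anyone holding the token can presumably re-enter the wizard. Note also that the wizard and this bundle both write the same five files, so a later apply overwrites whatever the wizard stored unless the metadata matches — a comment above the loop saying that the metadata is the source of truth would save the next operator a surprise.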


@ -4,12 +4,68 @@ defaults = {
'apt': { 'apt': {
'packages': { 'packages': {
'icingaweb2': {}, 'icingaweb2': {},
'php-ldap': {},
'php-json': {},
'php-intl': {},
'php-xml': {},
'php-gd': {},
'php-imagick': {},
'php-pgsql': {},
}, },
'sources': { 'sources': {
'deb https://packages.icinga.com/debian icinga-{release} main', 'deb https://packages.icinga.com/debian icinga-{release} main',
'deb https://packages.icinga.com/debian icinga-{release}-snapshots main', 'deb https://packages.icinga.com/debian icinga-{release}-snapshots main',
}, },
}, },
'icingaweb2': {
'authentication.ini': {
'icingaweb2': {
'backend': 'db',
'resource': 'icingaweb2_db',
},
},
'config.ini': {
'global': {
'show_stacktraces': '1',
'show_application_state_messages': '1',
#'module_path': '/usr/share/icingaweb2/modules',
'config_backend': 'db',
'config_resource': 'icingaweb2_db',
},
'logging': {
'log': 'syslog',
'level': 'INFO',
'application': 'icingaweb2',
'facility': 'user',
},
},
'groups.ini': {
'icingaweb2': {
'backend': 'db',
'resource': 'icingaweb2_db',
},
},
'resources.ini': {
'icingaweb2_db': {
'type': 'db',
'db': 'pgsql',
'host': 'localhost',
'port': '5432',
'dbname': 'icingaweb2',
'username': 'icingaweb2',
'password': str(repo.vault.password_for(f'psql icingaweb2 on {node.name}')),
'charset': '',
'use_ssl': '0',
},
},
'roles.ini': {
'Administrators': {
'users': 'root',
'permissions': '*',
'groups': 'Administrators',
},
},
},
'postgresql': { 'postgresql': {
'databases': { 'databases': {
'icingaweb2': { 'icingaweb2': {
@ -23,7 +79,7 @@ defaults = {
}, },
}, },
'redis': { 'redis': {
'icingadb': {}, 'icingaweb2': {},
}, },
} }
@ -41,11 +97,13 @@ def hostname(metadata):
@metadata_reactor.provides( @metadata_reactor.provides(
'icingaweb2/setup_token', 'icingaweb2/setup_token',
'icingaweb2/root_password',
) )
def setup_token(metadata): def setup_token(metadata):
return { return {
'icingaweb2': { 'icingaweb2': {
'setup_token': sha3_256(metadata.get('id').encode()).hexdigest()[:16], 'setup_token': sha3_256(metadata.get('id').encode()).hexdigest()[:16],
'root_password': str(repo.vault.password_for(f"icingaweb2 root user on {metadata.get('id')}")),
}, },
} }
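Review bot: `'show_stacktraces': '1'` in the new config.ini defaults turns on stack traces in Icinga Web 2 error pages, which discloses file paths and internal state to whoever triggers an error; a deployed default should be `'show_stacktraces': '0'` (and `show_application_state_messages` likewise only while debugging). The setup token is still derived as `sha3_256(metadata.get('id').encode()).hexdigest()[:16]` — if the node id is not itself secret the token is predictable, whereas `repo.vault.password_for(...)`, already used for `root_password` on the next line, would give a proper random value. The Administrators role grants `'*'` to user `root`, whose password now lives in metadata; that is fine as a bootstrap account, but worth a comment that it is meant to be replaced after setup. The `defaults` dict starts before the first hunk of this section and continues past it.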


@ -0,0 +1,5 @@
dpkg-reconfigure -plow slapd
QqLeyREjjrWgK2kjNQ
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
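Review bot: The second line of this notes file, `QqLeyREjjrWgK2kjNQ`, sits directly under `dpkg-reconfigure -plow slapd` (which prompts for the LDAP admin password) and looks like that password committed in plaintext; if it is, it should be removed from the file, the slapd admin password rotated, and the value kept in the repo vault (`repo.vault.password_for(...)` as the other bundles do) rather than in a committed text file. The file also gives no hint what the steps are for; a one-line `#` comment per command would help the next operator.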



@ -0,0 +1,8 @@
defaults = {
'apt': {
'packages': {
'slapd': {},
'ldap-utils': {},
},
},
}

bundles/web2ldap/items.py Normal file

@ -0,0 +1,63 @@
from shlex import quote
users = {
'web2ldap': {},
}
directories = {
'/opt/web2ldap': {
'owner': 'web2ldap',
},
}
actions = {
'web2ldap_initialize_venv': {
'command': 'sudo -u web2ldap python3 -m venv /opt/web2ldap',
'unless': 'test -e /opt/web2ldap/bin/pip3',
'needs': [
'directory:/opt/web2ldap',
],
'triggers': [
'svc_systemd:web2ldap.service:restart',
],
},
'web2ldap_install': {
'command': """sudo -u web2ldap /opt/web2ldap/bin/pip3 install web2ldap""",
'unless': """sudo -u web2ldap /opt/web2ldap/bin/pip3 list --format=freeze | cut -d '=' -f 1 | grep -q '^web2ldap$'""",
'needs': [
'action:web2ldap_initialize_venv',
],
'triggers': [
'svc_systemd:web2ldap.service:restart',
],
},
'web2ldap_set_cookie_domain': {
'command': f"""sed -iE "s/^cookie_domain.*/cookie_domain = '{node.metadata.get('web2ldap/domain')}'/g" /opt/web2ldap/etc/web2ldap/web2ldapcnf/__init__.py""",
'unless': f"""grep -q "^cookie_domain = '{node.metadata.get('web2ldap/domain')}'$" /opt/web2ldap/etc/web2ldap/web2ldapcnf/__init__.py""",
'needs': [
'action:web2ldap_install',
],
'triggers': [
'svc_systemd:web2ldap.service:restart',
],
},
'web2ldap_upgrade_venv': {
'command': """sudo -u web2ldap /opt/web2ldap/bin/pip3 list --outdated --format=freeze | cut -d '=' -f 1 | xargs -n1 /opt/web2ldap/bin/pip3 install --upgrade""",
'unless': """sudo -u web2ldap /opt/web2ldap/bin/pip3 list --outdated --format=freeze | wc -l | grep -q '^0$'""",
'needs': [
'action:web2ldap_install',
],
'triggers': [
'svc_systemd:web2ldap.service:restart',
],
},
}
svc_systemd = {
'web2ldap.service': {
'needs': [
'action:web2ldap_initialize_venv',
'action:web2ldap_upgrade_venv',
],
},
}
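Review bot: In `web2ldap_upgrade_venv` only the `pip3 list` half runs under `sudo -u web2ldap`; the `xargs -n1 /opt/web2ldap/bin/pip3 install --upgrade` half runs as whatever user bundlewrap applies with (presumably root), so upgrades write root-owned files into the web2ldap-owned venv, and the command should end in `xargs -n1 sudo -u web2ldap /opt/web2ldap/bin/pip3 install --upgrade`. Both `pip3 install web2ldap` and the blanket `--outdated` upgrade pull whatever is newest on PyPI at apply time with no version pin or hash check, so a compromised or yanked release lands on the host automatically; pinning (`pip3 install web2ldap==X.Y`, or `pip3 install --require-hashes -r requirements.txt`) and dropping the auto-upgrade action would make the install reproducible. `sed -iE` on GNU sed means `-i` with backup suffix `E`, not extended regex, so every run of `web2ldap_set_cookie_domain` leaves an `__init__.pyE` copy behind — `sed -i` is what was meant (the pattern is plain basic regex) — and `quote` from shlex is imported but never applied to the domain interpolated into that command.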


@ -0,0 +1,63 @@
from importlib.metadata import metadata
defaults = {
'apt': {
'packages': {
'libsasl2-dev': {},
'python3-dev': {},
'libldap2-dev': {},
'libssl-dev': {},
},
},
}
@metadata_reactor.provides(
'systemd/units/web2ldap.service',
)
def systemd(metadata):
return {
'systemd': {
'units': {
'web2ldap.service': {
'Unit': {
'Description': 'gitea',
'After': 'syslog.target',
'After': 'network.target',
},
'Service': {
'User': 'web2ldap',
'WorkingDirectory': '/opt/web2ldap',
'ExecStart': '/opt/web2ldap/bin/web2ldap 127.0.0.1 1760',
'Restart': 'always',
'Environment': [
'"SERVER_NAME=' + metadata.get('web2ldap/domain') + '"',
'"HTTP_HOST=' + metadata.get('web2ldap/domain') + '"',
],
},
'Install': {
'WantedBy': {'multi-user.target'},
},
},
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('web2ldap/domain'): {
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'http://127.0.0.1:1760',
}
},
},
},
}
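Review bot: The `'Unit'` dict lists `'After'` twice, so Python keeps only `'After': 'network.target'` and `syslog.target` is silently dropped; following the set form already used for `'WantedBy': {'multi-user.target'}`, `'After': {'syslog.target', 'network.target'}` keeps both (or drop the dead key), and `'Description': 'gitea'` is a copy-paste from another bundle that should read `'web2ldap'`. The `from importlib.metadata import metadata` import at the top is unused (the reactor's `metadata` parameter shadows it) and should be removed. The unit runs a third-party web app as a dedicated user but with no sandboxing; `'NoNewPrivileges': 'true'`, `'ProtectSystem': 'strict'` and `'ProtectHome': 'true'` in the `Service` section would be cheap hardening for a process that only needs to read /opt/web2ldap and reach the LDAP server (confirm the app does not write under its venv at runtime). Binding to 127.0.0.1:1760 with nginx in front is the right shape.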


@ -5,10 +5,11 @@ server {
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name ${server_name}; server_name ${server_name};
root /usr/share/icingaweb2/public;
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem; ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem; ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
location / { location / {
return 302 /icingaweb2/index.php; return 302 /icingaweb2/index.php;
} }


@ -2,7 +2,7 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name ${server_name}; server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem; ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem; ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;


@ -19,10 +19,10 @@
# 'gollum', # 'gollum',
'grafana', 'grafana',
'icinga2', 'icinga2',
'icingadb',
'icingaweb2', 'icingaweb2',
'influxdb2', 'influxdb2',
'mirror', 'mirror',
'openldap',
'postgresql', 'postgresql',
'redis', 'redis',
'smartctl', 'smartctl',
@ -31,6 +31,7 @@
'systemd-swap', 'systemd-swap',
'raspberrymatic-cert', 'raspberrymatic-cert',
'tasmota-charge', 'tasmota-charge',
'web2ldap',
'wireguard', 'wireguard',
'wol-waker', 'wol-waker',
'zfs', 'zfs',
@ -134,6 +135,9 @@
'threads': 32, 'threads': 32,
'ram': 49152, 'ram': 49152,
}, },
'web2ldap': {
'domain': 'web2ldap.sublimity.de',
},
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.2/32', 'my_ip': '172.30.0.2/32',
's2s': { 's2s': {