wip

2022-03-06 23:30:32 +01:00 · 2022-03-06 23:30:32 +01:00 · fb818b2c74
commit fb818b2c74
parent 885588910a
9 changed files with 215 additions and 38 deletions
--- a/bundles/icinga2/files/conf.d/templates.conf
+++ b/bundles/icinga2/files/conf.d/templates.conf
@ -0,0 +1,13 @@
+template Host "generic-host" {
+  max_check_attempts = 3
+  check_interval = 1m
+  retry_interval = 30s
+
+  check_command = "hostalive"
+}
+
+template Service "generic-service" {
+  max_check_attempts = 5
+  check_interval = 1m
+  retry_interval = 30s
+}
--- a/bundles/icinga2/files/constants.conf
+++ b/bundles/icinga2/files/constants.conf
@ -0,0 +1,6 @@
+const PluginDir = "/usr/lib/nagios/plugins"
+const ManubulonPluginDir = "/usr/lib/nagios/plugins"
+const PluginContribDir = "/usr/lib/nagios/plugins"
+const NodeName = "${domain}"
+const ZoneName = NodeName
+const TicketSalt = ""
--- a/bundles/icinga2/files/features/ido-pgsql.conf
+++ b/bundles/icinga2/files/features/ido-pgsql.conf
--- a/bundles/icinga2/files/hosts.d/host.conf
+++ b/bundles/icinga2/files/hosts.d/host.conf
@ -0,0 +1,36 @@
+<%!
+    def render_value(key, value):
+        if isinstance(value, Fault):
+            return render_value(key, value.value)
+        elif isinstance(value, type(None)):
+            return '""'
+        elif isinstance(value, bool):
+            return 'true' if value else 'false'
+        elif isinstance(value, int):
+            return str(value)
+        elif isinstance(value, str):
+            if key.endswith('_interval'):
+                return value
+            else:
+                return f'"{value}"'
+        elif isinstance(value, (list, set)):
+            return '[' + ', '.join(render_value(e) for e in sorted(value)) + ']'
+        else:
+            raise Exception(f"cant process type '{type(value)}' of value '{value}'")
+%>
+
+object Host "${host_name}" {
+  import "generic-host"
+  % for key, value in sorted(host_settings.items()):
+  ${key} = ${render_value(key, value)}
+  % endfor
+}
+
+% for service_name, service_config in sorted(services.items(), key=lambda e: [e[1]['vars.bundle'], e[0]]):
+object Service "${service_name}" {
+  import "generic-service"
+  % for key, value in sorted(service_config.items()):
+  ${key} = ${render_value(key, value)}
+  % endfor
+}
+% endfor
--- a/bundles/icinga2/files/icinga2.conf
+++ b/bundles/icinga2/files/icinga2.conf
@ -0,0 +1,4 @@
+include "constants.conf"
+include_recursive "features.d"
+include_recursive "conf.d"
+include_recursive "hosts.d"
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@ -1,26 +1,65 @@
 # Git-Hash for Icinga1: b63bb0ef52bf213715e567c81e3ed097024e61af

-from json import load
-from os.path import join
-
-ICINGA_PLUGINS = {
+directories = {
+    '/etc/icinga2': {
+        'purge': True,
+        'owner': 'nagios',
+    },
+    '/etc/icinga2/conf.d': {
+        'purge': True,
+        'owner': 'nagios',
+    },
+    '/etc/icinga2/hosts.d': {
+        'purge': True,
+        'owner': 'nagios',
+    },
+    '/etc/icinga2/features.d': {
+        'purge': True,
+        'owner': 'nagios',
+    },
 }

-ENABLED_FEATURES = [
-    'ido-pgsql',
-    'notification',
-]
-for feature in ENABLED_FEATURES:
-    symlinks[f'/etc/icinga2/features-enabled/{feature}.conf'] = {
-        'target': f'/etc/icinga2/features-available/{feature}.conf',
+files = {
+    '/etc/icinga2/icinga2.conf': {
        'owner': 'nagios',
-        'group': 'nagios',
+    },
+    '/etc/icinga2/constants.conf': {
+        'owner': 'nagios',
+        'context': {
+            'hostname': node.metadata.get('icinga2/hostname')
+        },
+    },
+    '/etc/icinga2/conf.d/templates.conf': {
+        'source': 'conf.d/templates.conf',
+        'owner': 'nagios',
+    },
+    '/etc/icinga2/features/ido-pgsql.conf': {
+        'source': 'features/ido-pgsql.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'context': {
+            'db_password': node.metadata.get('postgresql/roles/icinga2/password')
+        },
        'needs': [
            'pkg_apt:icinga2-ido-pgsql',
        ],
-        'triggers': [
-            'svc_systemd:icinga2:restart',
-        ],
+    },
+    '/etc/icingaweb2/setup.token': {
+        'content': node.metadata.get('icingaweb2/setup_token'),
+        'owner': 'nagios',
+    },
+}
+
+for other_node in repo.nodes:
+    files[f'/etc/icinga2/hosts.d/{other_node.name}.conf'] = {
+        'content_type': 'mako',
+        'source': 'hosts.d/host.conf',
+        'owner': 'nagios',
+        'context': {
+            'host_name': other_node.name,
+            'host_settings': {},
+            'services': other_node.metadata.get('monitoring', {}),
+        },
    }

 svc_systemd = {
@ -31,24 +70,3 @@ svc_systemd = {
        ],
    },
 }
-
-directories = {
-    '/etc/icinga2/features-enabled': {
-        'purge': True,
-    },
-}
-
-files = {
-    '/etc/icinga2/features-available/ido-pgsql.conf': {
-        'source': 'ido-pgsql.conf',
-        'content_type': 'mako',
-        'context': {
-            'db_password': node.metadata.get('postgresql/roles/icinga2/password')
-        },
-        'owner': 'nagios',
-        'group': 'nagios',
-        'needs': [
-            'pkg_apt:icinga2-ido-pgsql',
-        ],
-    },
-}
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -1,3 +1,5 @@
+from hashlib import sha3_256
+
 defaults = {
    'apt': {
        'packages': {
@ -42,3 +44,31 @@ defaults = {
        },
    },
 }
+
+
+@metadata_reactor.provides(
+    'icingaweb2/setup_token',
+)
+def setup_token(metadata):
+    return {
+        'icingaweb2': {
+            'setup_token': sha3_256(metadata.get('id').encode()).hexdigest()[:16],
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('icinga2/hostname'): {
+                    'content': 'icingaweb2/vhost.conf',
+                    'context': {
+                    },
+                },
+            },
+        },
+    }
--- a/data/icingaweb2/vhost.conf
+++ b/data/icingaweb2/vhost.conf
@ -0,0 +1,70 @@
+server {
+      listen 443      ssl http2;
+      listen [::]:443 ssl http2;
+
+      server_name ${server_name};
+
+      ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+      ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+       root /usr/share/icingaweb2/public;
+       index index.php index.html index.htm;
+       
+       location = /favicon.ico {
+                log_not_found off;
+                access_log off;
+                expires max;
+       }
+       location = /robots.txt {
+                allow all;
+                log_not_found off;
+                access_log off;
+       }
+       # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+       location ~ /\. {
+                deny all;
+                access_log off;
+                log_not_found off;
+       }
+       location / {
+                root   /usr/share/icinga/htdocs;
+                index  index.html;
+                auth_basic              "Restricted";
+                auth_basic_user_file    /etc/icinga/htpasswd.users;
+       }
+       location /icinga/stylesheets {
+                alias /etc/icinga/stylesheets;
+       }
+       location /stylesheets {
+                alias /etc/icinga/stylesheets;
+       }
+       location /icinga/images {
+                alias /usr/share/icinga/htdocs/images;
+       }
+       location ~ \.cgi$ {
+                # define root directory for CGIs
+                root /usr/lib/cgi-bin/icinga;
+                rewrite ^/icinga/cgi-bin/(.*)\.cgi /$1.cgi break;
+                rewrite ^/cgi-bin/icinga/(.*)\.cgi /$1.cgi break;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_pass  unix:/var/run/fcgiwrap.socket;
+                fastcgi_index index.php;
+                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+                auth_basic              "Restricted";
+                auth_basic_user_file    /etc/icinga/htpasswd.users;
+                fastcgi_param  AUTH_USER          $remote_user;
+                fastcgi_param  REMOTE_USER        $remote_user;
+       }
+       location ~ ^/icinga-api/(.+\.php)$ {
+                root   /usr/share/icinga/htdocs;
+                try_files $uri =404;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_pass 127.0.0.1:9000;
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                fastcgi_index index.php;
+                auth_basic              "Restricted";
+                auth_basic_user_file    /etc/icinga/htpasswd.users;
+                fastcgi_param  AUTH_USER          $remote_user;
+                fastcgi_param  REMOTE_USER        $remote_user;
+       }
+}
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@ -70,8 +70,8 @@
            'hostname': 'grafana.sublimity.de',
            'influxdb_node': 'home.server',
        },
-        'grub': {
-            'kernel_params': {'nomodeset'}, # nvidia GT1030 freeze fix
+        'icinga2': {
+            'hostname': 'icinga2.sublimity.de',
        },
        'influxdb': {
            'hostname': 'influxdb.sublimity.de',