From fb818b2c745e188083f3ec0699243b2698ac2c9f Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sun, 6 Mar 2022 23:30:32 +0100
Subject: [PATCH] wip
---
bundles/icinga2/files/conf.d/templates.conf | 13 +++
bundles/icinga2/files/constants.conf | 6 ++
.../files/{ => features}/ido-pgsql.conf | 0
bundles/icinga2/files/hosts.d/host.conf | 36 ++++++++
bundles/icinga2/files/icinga2.conf | 4 +
bundles/icinga2/items.py | 90 +++++++++++--------
bundles/icinga2/metadata.py | 30 +++++++
data/icingaweb2/vhost.conf | 70 +++++++++++++++
nodes/home.server.py | 4 +-
9 files changed, 215 insertions(+), 38 deletions(-)
create mode 100644 bundles/icinga2/files/conf.d/templates.conf
create mode 100644 bundles/icinga2/files/constants.conf
rename bundles/icinga2/files/{ => features}/ido-pgsql.conf (100%)
create mode 100644 bundles/icinga2/files/hosts.d/host.conf
create mode 100644 bundles/icinga2/files/icinga2.conf
create mode 100644 data/icingaweb2/vhost.conf
diff --git a/bundles/icinga2/files/conf.d/templates.conf b/bundles/icinga2/files/conf.d/templates.conf
new file mode 100644
index 0000000..10769fe
--- /dev/null
+++ b/bundles/icinga2/files/conf.d/templates.conf
@@ -0,0 +1,13 @@
+template Host "generic-host" {
+ max_check_attempts = 3
+ check_interval = 1m
+ retry_interval = 30s
+
+ check_command = "hostalive"
+}
+
+template Service "generic-service" {
+ max_check_attempts = 5
+ check_interval = 1m
+ retry_interval = 30s
+}
diff --git a/bundles/icinga2/files/constants.conf b/bundles/icinga2/files/constants.conf
new file mode 100644
index 0000000..d2d0206
--- /dev/null
+++ b/bundles/icinga2/files/constants.conf
@@ -0,0 +1,6 @@
+const PluginDir = "/usr/lib/nagios/plugins"
+const ManubulonPluginDir = "/usr/lib/nagios/plugins"
+const PluginContribDir = "/usr/lib/nagios/plugins"
+const NodeName = "${domain}"
+const ZoneName = NodeName
+const TicketSalt = ""
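Review bot: `const NodeName = "${domain}"` is a Mako placeholder, but the items.py entry in this same commit that deploys constants.conf passes a context key named `hostname`, not `domain`, and does not set `content_type: 'mako'`, so the literal text `${domain}` would become the node name (and BundleWrap may reject a `context` on a non-template file); align the key with the placeholder and render the file as mako. `const TicketSalt = ""` leaves the CSR auto-signing salt empty, which only stays harmless as long as no agent or satellite ever requests a ticket from this master; if that is planned, generate a long random value and keep it in secret metadata rather than an empty literal in the repository.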
diff --git a/bundles/icinga2/files/ido-pgsql.conf b/bundles/icinga2/files/features/ido-pgsql.conf
similarity index 100%
rename from bundles/icinga2/files/ido-pgsql.conf
rename to bundles/icinga2/files/features/ido-pgsql.conf
diff --git a/bundles/icinga2/files/hosts.d/host.conf b/bundles/icinga2/files/hosts.d/host.conf
new file mode 100644
index 0000000..b62cd62
--- /dev/null
+++ b/bundles/icinga2/files/hosts.d/host.conf
@@ -0,0 +1,36 @@
+<%!
+ def render_value(key, value):
+ if isinstance(value, Fault):
+ return render_value(key, value.value)
+ elif isinstance(value, type(None)):
+ return '""'
+ elif isinstance(value, bool):
+ return 'true' if value else 'false'
+ elif isinstance(value, int):
+ return str(value)
+ elif isinstance(value, str):
+ if key.endswith('_interval'):
+ return value
+ else:
+ return f'"{value}"'
+ elif isinstance(value, (list, set)):
+ return '[' + ', '.join(render_value(e) for e in sorted(value)) + ']'
+ else:
+ raise Exception(f"cant process type '{type(value)}' of value '{value}'")
+%>
+
+object Host "${host_name}" {
+ import "generic-host"
+ % for key, value in sorted(host_settings.items()):
+ ${key} = ${render_value(key, value)}
+ % endfor
+}
+
+% for service_name, service_config in sorted(services.items(), key=lambda e: [e[1]['vars.bundle'], e[0]]):
+object Service "${service_name}" {
+ import "generic-service"
+ % for key, value in sorted(service_config.items()):
+ ${key} = ${render_value(key, value)}
+ % endfor
+}
+% endfor
diff --git a/bundles/icinga2/files/icinga2.conf b/bundles/icinga2/files/icinga2.conf
new file mode 100644
index 0000000..cb7f7ee
--- /dev/null
+++ b/bundles/icinga2/files/icinga2.conf
@@ -0,0 +1,4 @@
+include "constants.conf"
+include_recursive "features.d"
+include_recursive "conf.d"
+include_recursive "hosts.d"
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py
index 1cad764..2c70ca9 100644
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
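Review bot: In render_value, the list/set branch calls `render_value(e)` with a single argument although the function requires `(key, value)`, so any list-valued host or service setting raises TypeError at render time; it should read `return '[' + ', '.join(render_value(key, e) for e in sorted(value)) + ']'`. The string branch wraps the value in double quotes without escaping, so a value containing `"` or `\` produces a broken Icinga config or, because these values are collected from every node's `monitoring` metadata, lets one node's metadata alter the master's configuration beyond its own objects — escape backslashes and double quotes before quoting, and document the expected metadata shape (`vars.bundle` per service, `_interval` keys as raw DSL durations) in a comment at the top of the template. The service sort key indexes `e[1]['vars.bundle']` unconditionally and will KeyError for any service entry that does not set it; `e[1].get('vars.bundle', '')` keeps the ordering stable without the crash.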
@@ -1,26 +1,65 @@ # Git-Hash for Icinga1: b63bb0ef52bf213715e567c81e3ed097024e61af -from json import load -from os.path import join - -ICINGA_PLUGINS = { +directories = { + '/etc/icinga2': { + 'purge': True, + 'owner': 'nagios', + }, + '/etc/icinga2/conf.d': { + 'purge': True, + 'owner': 'nagios', + }, + '/etc/icinga2/hosts.d': { + 'purge': True, + 'owner': 'nagios', + }, + '/etc/icinga2/features.d': { + 'purge': True, + 'owner': 'nagios', + }, } -ENABLED_FEATURES = [ - 'ido-pgsql', - 'notification', -] -for feature in ENABLED_FEATURES: - symlinks[f'/etc/icinga2/features-enabled/{feature}.conf'] = { - 'target': f'/etc/icinga2/features-available/{feature}.conf', +files = { + '/etc/icinga2/icinga2.conf': { 'owner': 'nagios', - 'group': 'nagios', + }, + '/etc/icinga2/constants.conf': { + 'owner': 'nagios', + 'context': { + 'hostname': node.metadata.get('icinga2/hostname') + }, + }, + '/etc/icinga2/conf.d/templates.conf': { + 'source': 'conf.d/templates.conf', + 'owner': 'nagios', + }, + '/etc/icinga2/features/ido-pgsql.conf': { + 'source': 'features/ido-pgsql.conf', + 'content_type': 'mako', + 'owner': 'nagios', + 'context': { + 'db_password': node.metadata.get('postgresql/roles/icinga2/password') + }, 'needs': [ 'pkg_apt:icinga2-ido-pgsql', ], - 'triggers': [ - 'svc_systemd:icinga2:restart', - ], + }, + '/etc/icingaweb2/setup.token': { + 'content': node.metadata.get('icingaweb2/setup_token'), + 'owner': 'nagios', + }, +} + +for other_node in repo.nodes: + files[f'/etc/icinga2/hosts.d/{other_node.name}.conf'] = { + 'content_type': 'mako', + 'source': 'hosts.d/host.conf', + 'owner': 'nagios', + 'context': { + 'host_name': other_node.name, + 'host_settings': {}, + 'services': other_node.metadata.get('monitoring', {}), + }, } svc_systemd = { 
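Review bot: The ido-pgsql feature file is written to `/etc/icinga2/features/ido-pgsql.conf`, but the directory created and purged here is `/etc/icinga2/features.d` and the new icinga2.conf in this commit does `include_recursive "features.d"`, so the IDO feature is never loaded and `features.d` stays empty; the key should be `'/etc/icinga2/features.d/ido-pgsql.conf'`. `/etc/icinga2/constants.conf` receives a `context` but no `content_type: 'mako'`, so its `${domain}` placeholder is not rendered (and the context key is `hostname`, not `domain`). `purge: True` on `/etc/icinga2` itself removes everything not declared in this bundle — presumably including the package's `zones.conf`, `features-available/` and the `pki/` directory holding the node's certificates, if BundleWrap's purge recurses — so confirm that is intended before the first apply. `/etc/icingaweb2/setup.token` is created with BundleWrap's default mode (0644 as far as I know) and owned by `nagios`, while Icinga Web 2 runs as the web server user; give it an explicit restrictive `mode` and an owner/group that user can read, since the token authorizes the setup wizard.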
@@ -31,24 +70,3 @@ svc_systemd = {
 ],
 },
 }
-
-directories = {
- '/etc/icinga2/features-enabled': {
- 'purge': True,
- },
-}
-
-files = {
- '/etc/icinga2/features-available/ido-pgsql.conf': {
- 'source': 'ido-pgsql.conf',
- 'content_type': 'mako',
- 'context': {
- 'db_password': node.metadata.get('postgresql/roles/icinga2/password')
- },
- 'owner': 'nagios',
- 'group': 'nagios',
- 'needs': [
- 'pkg_apt:icinga2-ido-pgsql',
- ],
- },
-}
diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
index c988f7a..b9b71ea 100644
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@@ -1,3 +1,5 @@
+from hashlib import sha3_256
+
 defaults = {
 'apt': {
 'packages': {
@@ -42,3 +44,31 @@ defaults = {
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'icingaweb2/setup_token',
+)
+def setup_token(metadata):
+ return {
+ 'icingaweb2': {
+ 'setup_token': sha3_256(metadata.get('id').encode()).hexdigest()[:16],
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'nginx/vhosts',
+)
+def nginx(metadata):
+ return {
+ 'nginx': {
+ 'vhosts': {
+ metadata.get('icinga2/hostname'): {
+ 'content': 'icingaweb2/vhost.conf',
+ 'context': {
+ },
+ },
+ },
+ },
+ }
diff --git a/data/icingaweb2/vhost.conf b/data/icingaweb2/vhost.conf
new file mode 100644
index 0000000..ed2dd1d
--- /dev/null
+++ b/data/icingaweb2/vhost.conf
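Review bot: `setup_token` derives the Icinga Web 2 setup token deterministically from `metadata.get('id')`; the token exists to gate the web setup wizard (which creates the first admin), so if `id` is not itself a secret — it is not visible here, but the name suggests an identifier rather than a key — anyone who knows it can recompute the token. Derive it from a real secret instead (a random per-node value kept in secret metadata, or a keyed derivation from one), and note in a comment how long the token is meant to stay valid. In `nginx`, the vhost is registered with an empty `context` while `data/icingaweb2/vhost.conf` in this commit references `${server_name}`; unless the nginx bundle injects `server_name` on its own, rendering fails on the undefined name, so pass `'server_name': metadata.get('icinga2/hostname')` in that context.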
@@ -0,0 +1,70 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${server_name};
+
+ ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+ root /usr/share/icingaweb2/public;
+ index index.php index.html index.htm;
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ location / {
+ root /usr/share/icinga/htdocs;
+ index index.html;
+ auth_basic "Restricted";
+ auth_basic_user_file /etc/icinga/htpasswd.users;
+ }
+ location /icinga/stylesheets {
+ alias /etc/icinga/stylesheets;
+ }
+ location /stylesheets {
+ alias /etc/icinga/stylesheets;
+ }
+ location /icinga/images {
+ alias /usr/share/icinga/htdocs/images;
+ }
+ location ~ \.cgi$ {
+ # define root directory for CGIs
+ root /usr/lib/cgi-bin/icinga;
+ rewrite ^/icinga/cgi-bin/(.*)\.cgi /$1.cgi break;
+ rewrite ^/cgi-bin/icinga/(.*)\.cgi /$1.cgi break;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ auth_basic "Restricted";
+ auth_basic_user_file /etc/icinga/htpasswd.users;
+ fastcgi_param AUTH_USER $remote_user;
+ fastcgi_param REMOTE_USER $remote_user;
+ }
+ location ~ ^/icinga-api/(.+\.php)$ {
+ root /usr/share/icinga/htdocs;
+ try_files $uri =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ auth_basic "Restricted";
+ auth_basic_user_file /etc/icinga/htpasswd.users;
+ fastcgi_param AUTH_USER $remote_user;
+ fastcgi_param REMOTE_USER $remote_user;
+ }
+}
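Review bot: This vhost never serves Icinga Web 2: the server-level `root /usr/share/icingaweb2/public` is shadowed by `location /`, which points at the Icinga 1 htdocs, and no location hands `/index.php` (the Icinga Web 2 front controller) to PHP-FPM, so the only PHP handler is the `/icinga-api/` block and the remaining CGI rewrites, stylesheet aliases and `/etc/icinga/htpasswd.users` references are Icinga 1 leftovers. Replace the `location /`, `/icinga/*`, `/stylesheets` and `\.cgi$` blocks with the two Icinga Web 2 locations below; `fastcgi_pass 127.0.0.1:9000` is taken from the existing `/icinga-api/` block, so confirm it matches the PHP-FPM listener. With the basic-auth blocks gone, access control moves to Icinga Web 2's own authentication; only forward `REMOTE_USER` if its external-auth backend is actually configured, otherwise it is ignored. The `${server_name}` placeholder needs the nginx bundle (or the `nginx/vhosts` context in this commit's metadata.py, which is currently empty) to supply that value.
```nginx
# … unchanged: listen, server_name, ssl_certificate*, root, index, favicon/robots/dotfile locations …
location ~ ^/index\.php(.*)$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
}
location ~ ^/(.*)? {
    alias /usr/share/icingaweb2/public;
    index index.php;
    try_files $1 $uri $uri/ /index.php$is_args$args;
}
```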
diff --git a/nodes/home.server.py b/nodes/home.server.py
index a1ca3e1..e59794e 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -70,8 +70,8 @@
 'hostname': 'grafana.sublimity.de',
 'influxdb_node': 'home.server',
 },
- 'grub': {
- 'kernel_params': {'nomodeset'}, # nvidia GT1030 freeze fix
+ 'icinga2': {
+ 'hostname': 'icinga2.sublimity.de',
 },
 'influxdb': {
 'hostname': 'influxdb.sublimity.de',
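Review bot: The hunk replaces the `grub` entry with `icinga2` instead of adding next to it, so `'kernel_params': {'nomodeset'}` — commented as the nvidia GT1030 freeze fix — silently disappears from the node's metadata; unless that fix is known to be obsolete, keep `'grub': {'kernel_params': {'nomodeset'}},  # nvidia GT1030 freeze fix` and insert `'icinga2': {'hostname': 'icinga2.sublimity.de'},` alongside it. If the removal is deliberate, say so in the commit message rather than under a "wip" title. The enclosing metadata dict starts and ends outside the hunk.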