Hello munin.afpy.org.
This commit is contained in:
parent
b3c765e67b
commit
4bf259b213
|
@ -4,6 +4,9 @@ gitea1.afpy.org
|
|||
[woodpeckers]
|
||||
woodpecker1.afpy.org
|
||||
|
||||
[muninservers]
|
||||
deb2.afpy.org
|
||||
|
||||
[webservers]
|
||||
deb2.afpy.org
|
||||
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
- hosts: muninservers
|
||||
vars:
|
||||
nginx_domain: "munin.afpy.org"
|
||||
nginx_certificates: ["{{ nginx_domain }}"]
|
||||
nginx_conf: |
|
||||
server
|
||||
{
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ nginx_domain }};
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
server
|
||||
{
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name {{ nginx_domain }};
|
||||
root /var/cache/munin/www;
|
||||
index index.html;
|
||||
|
||||
include snippets/letsencrypt-{{ nginx_domain }}.conf;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
location ^~ /munin-cgi/munin-cgi-graph/ {
|
||||
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
|
||||
include fastcgi_params;
|
||||
}
|
||||
}
|
||||
|
||||
roles:
|
||||
- munin_server
|
||||
- nginx
|
||||
|
||||
- hosts: all
|
||||
roles:
|
||||
- common # For nftables's *_NEIGHBORS
|
||||
- munin_client
|
|
@ -1,124 +1,145 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- name: Configure hostname
|
||||
hostname:
|
||||
name: "{{ inventory_hostname_short }}"
|
||||
- name: Configure hostname
|
||||
hostname:
|
||||
name: "{{ inventory_hostname_short }}"
|
||||
|
||||
- name: Configure localhots
|
||||
lineinfile:
|
||||
path: /etc/hosts
|
||||
regexp: '^127\.0\.0\.1'
|
||||
line: "127.0.0.1 localhost"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
- name: Configure localhots
|
||||
lineinfile:
|
||||
path: /etc/hosts
|
||||
regexp: '^127\.0\.0\.1'
|
||||
line: "127.0.0.1 localhost"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Configure FQDN
|
||||
lineinfile:
|
||||
path: /etc/hosts
|
||||
regexp: '^127\.0\.1\.1'
|
||||
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
- name: Configure FQDN
|
||||
lineinfile:
|
||||
path: /etc/hosts
|
||||
regexp: '^127\.0\.1\.1'
|
||||
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- package: name=nftables state=present
|
||||
- name: Gather facts from all hosts
|
||||
setup:
|
||||
delegate_to: "{{ item }}"
|
||||
delegate_facts: true
|
||||
loop: "{{ groups['all'] }}"
|
||||
|
||||
- name: Copy nftables rules
|
||||
copy:
|
||||
content: |
|
||||
#!/usr/sbin/nft -f
|
||||
- package: name=nftables state=present
|
||||
|
||||
table inet filter
|
||||
flush table inet filter
|
||||
- name: Copy nftables rules
|
||||
copy:
|
||||
content: |
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
iif lo accept
|
||||
ct state established,related accept
|
||||
icmp type echo-request counter accept
|
||||
icmpv6 type echo-request counter accept
|
||||
table inet filter
|
||||
flush table inet filter
|
||||
|
||||
# accept neighbour discovery otherwise connectivity breaks:
|
||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
||||
{{ nft_extra }}
|
||||
counter drop
|
||||
}
|
||||
}
|
||||
define V4_NEIGHBORS = {
|
||||
{% for host in groups["all"] %}
|
||||
{% if hostvars[host]['ansible_facts']['default_ipv4'] %}
|
||||
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
dest: /etc/nftables.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
notify: reload nftables
|
||||
define V6_NEIGHBORS = {
|
||||
{% for host in groups["all"] %}
|
||||
{% if hostvars[host]['ansible_facts']['default_ipv6'] %}
|
||||
{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
iif lo accept
|
||||
ct state established,related accept
|
||||
icmp type echo-request counter accept
|
||||
icmpv6 type echo-request counter accept
|
||||
ip saddr $V4_NEIGHBORS accept
|
||||
ip6 saddr $V6_NEIGHBORS accept
|
||||
|
||||
- name: Update via apt (mandatory on first run)
|
||||
apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 86400
|
||||
# accept neighbour discovery otherwise connectivity breaks:
|
||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
||||
{{ nft_extra }}
|
||||
counter drop
|
||||
}
|
||||
}
|
||||
|
||||
- name: Install some usefull packages
|
||||
apt:
|
||||
state: present
|
||||
name:
|
||||
- aptitude
|
||||
- emacs-nox
|
||||
- fail2ban
|
||||
- git
|
||||
- htop
|
||||
- man
|
||||
- ncdu
|
||||
- needrestart
|
||||
- ntp
|
||||
- python3
|
||||
- python3-dev
|
||||
- python3-pip
|
||||
- python3-setuptools
|
||||
- python3-venv
|
||||
- python3-wheel
|
||||
- rsync
|
||||
- sudo
|
||||
- tcpdump
|
||||
- vim-nox
|
||||
dest: /etc/nftables.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
notify: reload nftables
|
||||
|
||||
- name: Set authorized SSH keys for root user
|
||||
blockinfile:
|
||||
content: "{{ root_authorized_keys }}"
|
||||
dest: /root/.ssh/authorized_keys
|
||||
mode: 0600
|
||||
owner: root
|
||||
group: root
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
||||
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
||||
|
||||
- name: Ensure mlocate and locate are not installed
|
||||
apt:
|
||||
name: ["mlocate", "locate"]
|
||||
state: absent
|
||||
- name: Update via apt (mandatory on first run)
|
||||
apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 86400
|
||||
|
||||
# From https://infosec.mozilla.org/guidelines/openssh
|
||||
- name: SSHd hardening
|
||||
blockinfile:
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
||||
path: /etc/ssh/sshd_config
|
||||
state: present
|
||||
create: true
|
||||
block: |
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
- name: Install some usefull packages
|
||||
apt:
|
||||
state: present
|
||||
name:
|
||||
- aptitude
|
||||
- emacs-nox
|
||||
- fail2ban
|
||||
- git
|
||||
- htop
|
||||
- man
|
||||
- ncdu
|
||||
- needrestart
|
||||
- ntp
|
||||
- python3
|
||||
- python3-dev
|
||||
- python3-pip
|
||||
- python3-setuptools
|
||||
- python3-venv
|
||||
- python3-wheel
|
||||
- rsync
|
||||
- sudo
|
||||
- tcpdump
|
||||
- vim-nox
|
||||
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
- name: Set authorized SSH keys for root user
|
||||
blockinfile:
|
||||
content: "{{ root_authorized_keys }}"
|
||||
dest: /root/.ssh/authorized_keys
|
||||
mode: 0600
|
||||
owner: root
|
||||
group: root
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
||||
|
||||
AuthenticationMethods publickey
|
||||
LogLevel VERBOSE
|
||||
notify: restart sshd
|
||||
tags: ssh
|
||||
- name: Ensure mlocate and locate are not installed
|
||||
apt:
|
||||
name: ["mlocate", "locate"]
|
||||
state: absent
|
||||
|
||||
tags: common
|
||||
# From https://infosec.mozilla.org/guidelines/openssh
|
||||
- name: SSHd hardening
|
||||
blockinfile:
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
||||
path: /etc/ssh/sshd_config
|
||||
state: present
|
||||
create: true
|
||||
block: |
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
AuthenticationMethods publickey
|
||||
LogLevel VERBOSE
|
||||
notify: restart sshd
|
||||
tags: ssh
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
- name: munin
|
||||
service: name=munin-node state=restarted
|
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
|
||||
- name: apt install munin-node
|
||||
apt:
|
||||
state: present
|
||||
name: munin-node
|
||||
register: install_munin
|
||||
|
||||
- name: Configure munin node
|
||||
shell: munin-node-configure --shell | grep -v ip_ | sh
|
||||
when: install_munin is changed
|
||||
notify: munin
|
||||
|
||||
- name: Copy munin-node.conf
|
||||
copy:
|
||||
dest: /etc/munin/munin-node.conf
|
||||
content: |
|
||||
log_level 4
|
||||
log_file /var/log/munin/munin-node.log
|
||||
pid_file /var/run/munin/munin-node.pid
|
||||
|
||||
background 1
|
||||
setsid 1
|
||||
|
||||
user root
|
||||
group root
|
||||
|
||||
ignore_file [\#~]$
|
||||
ignore_file DEADJOE$
|
||||
ignore_file \.bak$
|
||||
ignore_file %$
|
||||
ignore_file \.dpkg-(tmp|new|old|dist)$
|
||||
ignore_file \.rpm(save|new)$
|
||||
ignore_file \.pod$
|
||||
|
||||
{% for host in groups["muninservers"] %}
|
||||
allow ^{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}$
|
||||
{% endfor %}
|
||||
allow ^127.0.0.1$
|
||||
|
||||
host *
|
||||
port 4949
|
||||
notify: munin
|
||||
|
||||
- name: Cron for munin apt_all
|
||||
cron:
|
||||
name: "apt update"
|
||||
hour: "*/4"
|
||||
minute: "28"
|
||||
job: "/usr/bin/apt-get update > /dev/null"
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
|
||||
- name: Install munin
|
||||
apt:
|
||||
state: present
|
||||
name: munin
|
||||
|
||||
- name: Gather facts from all hosts
|
||||
setup:
|
||||
delegate_to: "{{ item }}"
|
||||
delegate_facts: true
|
||||
loop: "{{ groups['all'] }}"
|
||||
|
||||
- name: Configure munin
|
||||
template: src=munin.conf.j2 dest=/etc/munin/munin.conf
|
|
@ -0,0 +1,17 @@
|
|||
dbdir /var/lib/munin
|
||||
htmldir /var/cache/munin/www
|
||||
logdir /var/log/munin
|
||||
rundir /var/run/munin
|
||||
|
||||
contact.email.command mail -s "Munin-notification for ${var:group} :: ${var:host}" {{ admin_email }}
|
||||
|
||||
tmpldir /etc/munin/templates
|
||||
|
||||
graph_width 600
|
||||
graph_height 400
|
||||
max_graph_jobs 2
|
||||
|
||||
{% for host in groups["all"] %}
|
||||
[{{ hostvars[host]['inventory_hostname'] }}]
|
||||
address [{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}]
|
||||
{% endfor %}
|
Loading…
Reference in New Issue