AFPy/infra
AFPy
/
infra
9
0
Fork 2
Code Issues 5 Pull Requests Projects Releases Wiki Activity

Hello munin.afpy.org.

This commit is contained in:
Julien Palard 2023-02-01 16:15:04 +01:00
parent b3c765e67b
commit 4bf259b213
Signed by: mdk
GPG Key ID: 0EFC1AC1006886F8
7 changed files with 259 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
inventory
View File

@ -4,6 +4,9 @@ gitea1.afpy.org
[woodpeckers]
woodpecker1.afpy.org
[muninservers]
deb2.afpy.org
[webservers]
deb2.afpy.org

44
munin.yml Normal file
View File

@ -0,0 +1,44 @@
- hosts: muninservers
vars:
nginx_domain: "munin.afpy.org"
nginx_certificates: ["{{ nginx_domain }}"]
nginx_conf: |
server
{
listen 80;
listen [::]:80;
server_name {{ nginx_domain }};
return 301 https://$server_name$request_uri;
}
server
{
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ nginx_domain }};
root /var/cache/munin/www;
index index.html;
include snippets/letsencrypt-{{ nginx_domain }}.conf;
location / {
try_files $uri $uri/ =404;
autoindex on;
}
location ^~ /munin-cgi/munin-cgi-graph/ {
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
include fastcgi_params;
}
}
roles:
- munin_server
- nginx
- hosts: all
roles:
- common # For nftables's *_NEIGHBORS
- munin_client

231
roles/common/tasks/main.yml
View File

@ -1,124 +1,145 @@
---
- block:
- name: Configure hostname
hostname:
name: "{{ inventory_hostname_short }}"
- name: Configure hostname
hostname:
name: "{{ inventory_hostname_short }}"
- name: Configure localhots
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.0\.1'
line: "127.0.0.1 localhost"
owner: root
group: root
mode: 0644
- name: Configure localhots
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.0\.1'
line: "127.0.0.1 localhost"
owner: root
group: root
mode: 0644
- name: Configure FQDN
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.1\.1'
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
owner: root
group: root
mode: 0644
- name: Configure FQDN
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.1\.1'
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
owner: root
group: root
mode: 0644
- package: name=nftables state=present
- name: Gather facts from all hosts
setup:
delegate_to: "{{ item }}"
delegate_facts: true
loop: "{{ groups['all'] }}"
- name: Copy nftables rules
copy:
content: |
#!/usr/sbin/nft -f
- package: name=nftables state=present
table inet filter
flush table inet filter
- name: Copy nftables rules
copy:
content: |
#!/usr/sbin/nft -f
table inet filter {
chain input {
type filter hook input priority 0;
iif lo accept
ct state established,related accept
icmp type echo-request counter accept
icmpv6 type echo-request counter accept
table inet filter
flush table inet filter
# accept neighbour discovery otherwise connectivity breaks:
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
{{ nft_extra }}
counter drop
}
}
define V4_NEIGHBORS = {
{% for host in groups["all"] %}
{% if hostvars[host]['ansible_facts']['default_ipv4'] %}
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
{% endif %}
{% endfor %}
}
dest: /etc/nftables.conf
owner: root
group: root
mode: 0755
notify: reload nftables
define V6_NEIGHBORS = {
{% for host in groups["all"] %}
{% if hostvars[host]['ansible_facts']['default_ipv6'] %}
{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
{% endif %}
{% endfor %}
}
- service: name=nftables enabled=yes state=started daemon_reload=yes
table inet filter {
chain input {
type filter hook input priority 0;
iif lo accept
ct state established,related accept
icmp type echo-request counter accept
icmpv6 type echo-request counter accept
ip saddr $V4_NEIGHBORS accept
ip6 saddr $V6_NEIGHBORS accept
- name: Update via apt (mandatory on first run)
apt:
update_cache: yes
cache_valid_time: 86400
# accept neighbour discovery otherwise connectivity breaks:
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
{{ nft_extra }}
counter drop
}
}
- name: Install some usefull packages
apt:
state: present
name:
- aptitude
- emacs-nox
- fail2ban
- git
- htop
- man
- ncdu
- needrestart
- ntp
- python3
- python3-dev
- python3-pip
- python3-setuptools
- python3-venv
- python3-wheel
- rsync
- sudo
- tcpdump
- vim-nox
dest: /etc/nftables.conf
owner: root
group: root
mode: 0755
notify: reload nftables
- name: Set authorized SSH keys for root user
blockinfile:
content: "{{ root_authorized_keys }}"
dest: /root/.ssh/authorized_keys
mode: 0600
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
- service: name=nftables enabled=yes state=started daemon_reload=yes
- name: Ensure mlocate and locate are not installed
apt:
name: ["mlocate", "locate"]
state: absent
- name: Update via apt (mandatory on first run)
apt:
update_cache: yes
cache_valid_time: 86400
# From https://infosec.mozilla.org/guidelines/openssh
- name: SSHd hardening
blockinfile:
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
path: /etc/ssh/sshd_config
state: present
create: true
block: |
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- name: Install some usefull packages
apt:
state: present
name:
- aptitude
- emacs-nox
- fail2ban
- git
- htop
- man
- ncdu
- needrestart
- ntp
- python3
- python3-dev
- python3-pip
- python3-setuptools
- python3-venv
- python3-wheel
- rsync
- sudo
- tcpdump
- vim-nox
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
- name: Set authorized SSH keys for root user
blockinfile:
content: "{{ root_authorized_keys }}"
dest: /root/.ssh/authorized_keys
mode: 0600
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
AuthenticationMethods publickey
LogLevel VERBOSE
notify: restart sshd
tags: ssh
- name: Ensure mlocate and locate are not installed
apt:
name: ["mlocate", "locate"]
state: absent
tags: common
# From https://infosec.mozilla.org/guidelines/openssh
- name: SSHd hardening
blockinfile:
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
path: /etc/ssh/sshd_config
state: present
create: true
block: |
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
AuthenticationMethods publickey
LogLevel VERBOSE
notify: restart sshd
tags: ssh

4
roles/munin_client/handlers/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: munin
service: name=munin-node state=restarted

50
roles/munin_client/tasks/main.yml Normal file
View File

@ -0,0 +1,50 @@
---
- name: apt install munin-node
apt:
state: present
name: munin-node
register: install_munin
- name: Configure munin node
shell: munin-node-configure --shell | grep -v ip_ | sh
when: install_munin is changed
notify: munin
- name: Copy munin-node.conf
copy:
dest: /etc/munin/munin-node.conf
content: |
log_level 4
log_file /var/log/munin/munin-node.log
pid_file /var/run/munin/munin-node.pid
background 1
setsid 1
user root
group root
ignore_file [\#~]$
ignore_file DEADJOE$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$
ignore_file \.pod$
{% for host in groups["muninservers"] %}
allow ^{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}$
{% endfor %}
allow ^127.0.0.1$
host *
port 4949
notify: munin
- name: Cron for munin apt_all
cron:
name: "apt update"
hour: "*/4"
minute: "28"
job: "/usr/bin/apt-get update > /dev/null"

15
roles/munin_server/tasks/main.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Install munin
apt:
state: present
name: munin
- name: Gather facts from all hosts
setup:
delegate_to: "{{ item }}"
delegate_facts: true
loop: "{{ groups['all'] }}"
- name: Configure munin
template: src=munin.conf.j2 dest=/etc/munin/munin.conf

17
roles/munin_server/templates/munin.conf.j2 Normal file
View File

@ -0,0 +1,17 @@
dbdir /var/lib/munin
htmldir /var/cache/munin/www
logdir /var/log/munin
rundir /var/run/munin
contact.email.command mail -s "Munin-notification for ${var:group} :: ${var:host}" {{ admin_email }}
tmpldir /etc/munin/templates
graph_width 600
graph_height 400
max_graph_jobs 2
{% for host in groups["all"] %}
[{{ hostvars[host]['inventory_hostname'] }}]
address [{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}]
{% endfor %}