Hello munin.afpy.org.
This commit is contained in:
parent
b3c765e67b
commit
4bf259b213
|
@ -4,6 +4,9 @@ gitea1.afpy.org
|
||||||
[woodpeckers]
|
[woodpeckers]
|
||||||
woodpecker1.afpy.org
|
woodpecker1.afpy.org
|
||||||
|
|
||||||
|
[muninservers]
|
||||||
|
deb2.afpy.org
|
||||||
|
|
||||||
[webservers]
|
[webservers]
|
||||||
deb2.afpy.org
|
deb2.afpy.org
|
||||||
|
|
||||||
|
|
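--- /dev/null
+++ b/munin.yml
@@ -0,0 +1,44 @@
+- hosts: muninservers
+  vars:
+    nginx_domain: "munin.afpy.org"
+    nginx_certificates: ["{{ nginx_domain }}"]
+    nginx_conf: |
+      server
+      {
+          listen 80;
+          listen [::]:80;
+          server_name {{ nginx_domain }};
+          return 301 https://$server_name$request_uri;
+      }
+
+      server
+      {
+          listen 443 ssl;
+          listen [::]:443 ssl;
+          server_name {{ nginx_domain }};
+          root /var/cache/munin/www;
+          index index.html;
+
+          include snippets/letsencrypt-{{ nginx_domain }}.conf;
+
+          location / {
+              try_files $uri $uri/ =404;
+              autoindex on;
+          }
+
+          location ^~ /munin-cgi/munin-cgi-graph/ {
+              fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+              fastcgi_param PATH_INFO $fastcgi_path_info;
+              fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
+              include fastcgi_params;
+          }
+      }
+
+  roles:
+    - munin_server
+    - nginx
+
+- hosts: all
+  roles:
+    - common # For nftables's *_NEIGHBORS
+    - munin_client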
|
@ -1,11 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- block:
|
- name: Configure hostname
|
||||||
- name: Configure hostname
|
|
||||||
hostname:
|
hostname:
|
||||||
name: "{{ inventory_hostname_short }}"
|
name: "{{ inventory_hostname_short }}"
|
||||||
|
|
||||||
- name: Configure localhots
|
- name: Configure localhots
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/hosts
|
path: /etc/hosts
|
||||||
regexp: '^127\.0\.0\.1'
|
regexp: '^127\.0\.0\.1'
|
||||||
|
@ -14,7 +13,7 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Configure FQDN
|
- name: Configure FQDN
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/hosts
|
path: /etc/hosts
|
||||||
regexp: '^127\.0\.1\.1'
|
regexp: '^127\.0\.1\.1'
|
||||||
|
@ -23,9 +22,15 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- package: name=nftables state=present
|
- name: Gather facts from all hosts
|
||||||
|
setup:
|
||||||
|
delegate_to: "{{ item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
loop: "{{ groups['all'] }}"
|
||||||
|
|
||||||
- name: Copy nftables rules
|
- package: name=nftables state=present
|
||||||
|
|
||||||
|
- name: Copy nftables rules
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
|
@ -33,6 +38,22 @@
|
||||||
table inet filter
|
table inet filter
|
||||||
flush table inet filter
|
flush table inet filter
|
||||||
|
|
||||||
|
define V4_NEIGHBORS = {
|
||||||
|
{% for host in groups["all"] %}
|
||||||
|
{% if hostvars[host]['ansible_facts']['default_ipv4'] %}
|
||||||
|
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
|
||||||
|
define V6_NEIGHBORS = {
|
||||||
|
{% for host in groups["all"] %}
|
||||||
|
{% if hostvars[host]['ansible_facts']['default_ipv6'] %}
|
||||||
|
{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
|
@ -40,6 +61,8 @@
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
icmp type echo-request counter accept
|
icmp type echo-request counter accept
|
||||||
icmpv6 type echo-request counter accept
|
icmpv6 type echo-request counter accept
|
||||||
|
ip saddr $V4_NEIGHBORS accept
|
||||||
|
ip6 saddr $V6_NEIGHBORS accept
|
||||||
|
|
||||||
# accept neighbour discovery otherwise connectivity breaks:
|
# accept neighbour discovery otherwise connectivity breaks:
|
||||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||||
|
@ -55,14 +78,14 @@
|
||||||
mode: 0755
|
mode: 0755
|
||||||
notify: reload nftables
|
notify: reload nftables
|
||||||
|
|
||||||
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
||||||
|
|
||||||
- name: Update via apt (mandatory on first run)
|
- name: Update via apt (mandatory on first run)
|
||||||
apt:
|
apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
cache_valid_time: 86400
|
cache_valid_time: 86400
|
||||||
|
|
||||||
- name: Install some usefull packages
|
- name: Install some usefull packages
|
||||||
apt:
|
apt:
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
|
@ -86,7 +109,7 @@
|
||||||
- tcpdump
|
- tcpdump
|
||||||
- vim-nox
|
- vim-nox
|
||||||
|
|
||||||
- name: Set authorized SSH keys for root user
|
- name: Set authorized SSH keys for root user
|
||||||
blockinfile:
|
blockinfile:
|
||||||
content: "{{ root_authorized_keys }}"
|
content: "{{ root_authorized_keys }}"
|
||||||
dest: /root/.ssh/authorized_keys
|
dest: /root/.ssh/authorized_keys
|
||||||
|
@ -95,13 +118,13 @@
|
||||||
group: root
|
group: root
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
||||||
|
|
||||||
- name: Ensure mlocate and locate are not installed
|
- name: Ensure mlocate and locate are not installed
|
||||||
apt:
|
apt:
|
||||||
name: ["mlocate", "locate"]
|
name: ["mlocate", "locate"]
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
# From https://infosec.mozilla.org/guidelines/openssh
|
# From https://infosec.mozilla.org/guidelines/openssh
|
||||||
- name: SSHd hardening
|
- name: SSHd hardening
|
||||||
blockinfile:
|
blockinfile:
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
|
@ -120,5 +143,3 @@
|
||||||
LogLevel VERBOSE
|
LogLevel VERBOSE
|
||||||
notify: restart sshd
|
notify: restart sshd
|
||||||
tags: ssh
|
tags: ssh
|
||||||
|
|
||||||
tags: common
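Review bot: The new `ip saddr $V4_NEIGHBORS accept` and `ip6 saddr $V6_NEIGHBORS accept` rules in the input chain open every port on every host to every other host in the inventory, not only what munin needs, so a single compromised machine gains unfiltered network access to all the others. The traffic this is meant to allow is TCP to the munin-node port (4949 per the munin_client role in this commit) and only needs to originate from the muninservers group, so tighten the rules to `ip saddr $V4_NEIGHBORS tcp dport 4949 accept` and `ip6 saddr $V6_NEIGHBORS tcp dport 4949 accept`, and consider looping over `groups["muninservers"]` rather than `groups["all"]` when building the sets. If no host has a default IPv4 or IPv6 route the rendered `define V4_NEIGHBORS = { }` (or the V6 one) is an empty set, which I believe nft rejects as a syntax error and which would then leave the firewall in its previous state, so guard each `define` with a check that at least one address was collected. The nftables `content:` block and the surrounding task list extend beyond the hunks shown here.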
|
|
||||||
|
|
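--- /dev/null
+++ b/roles/munin_client/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: munin
+  service: name=munin-node state=restarted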
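--- /dev/null
+++ b/roles/munin_client/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+
+- name: apt install munin-node
+  apt:
+    state: present
+    name: munin-node
+  register: install_munin
+
+- name: Configure munin node
+  shell: munin-node-configure --shell | grep -v ip_ | sh
+  when: install_munin is changed
+  notify: munin
+
+- name: Copy munin-node.conf
+  copy:
+    dest: /etc/munin/munin-node.conf
+    content: |
+      log_level 4
+      log_file /var/log/munin/munin-node.log
+      pid_file /var/run/munin/munin-node.pid
+
+      background 1
+      setsid 1
+
+      user root
+      group root
+
+      ignore_file [\#~]$
+      ignore_file DEADJOE$
+      ignore_file \.bak$
+      ignore_file %$
+      ignore_file \.dpkg-(tmp|new|old|dist)$
+      ignore_file \.rpm(save|new)$
+      ignore_file \.pod$
+
+      {% for host in groups["muninservers"] %}
+      allow ^{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}$
+      {% endfor %}
+      allow ^127.0.0.1$
+
+      host *
+      port 4949
+  notify: munin
+
+- name: Cron for munin apt_all
+  cron:
+    name: "apt update"
+    hour: "*/4"
+    minute: "28"
+    job: "/usr/bin/apt-get update > /dev/null"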
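--- /dev/null
+++ b/roles/munin_server/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Install munin
+  apt:
+    state: present
+    name: munin
+
+- name: Gather facts from all hosts
+  setup:
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  loop: "{{ groups['all'] }}"
+
+- name: Configure munin
+  template: src=munin.conf.j2 dest=/etc/munin/munin.conf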
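--- /dev/null
+++ b/roles/munin_server/templates/munin.conf.j2
@@ -0,0 +1,17 @@
+dbdir /var/lib/munin
+htmldir /var/cache/munin/www
+logdir /var/log/munin
+rundir /var/run/munin
+
+contact.email.command mail -s "Munin-notification for ${var:group} :: ${var:host}" {{ admin_email }}
+
+tmpldir /etc/munin/templates
+
+graph_width 600
+graph_height 400
+max_graph_jobs 2
+
+{% for host in groups["all"] %}
+[{{ hostvars[host]['inventory_hostname'] }}]
+address [{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}]
+{% endfor %}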