Hello munin.afpy.org.
This commit is contained in:
parent
b3c765e67b
commit
4bf259b213
|
@ -4,6 +4,9 @@ gitea1.afpy.org
|
||||||
[woodpeckers]
|
[woodpeckers]
|
||||||
woodpecker1.afpy.org
|
woodpecker1.afpy.org
|
||||||
|
|
||||||
|
[muninservers]
|
||||||
|
deb2.afpy.org
|
||||||
|
|
||||||
[webservers]
|
[webservers]
|
||||||
deb2.afpy.org
|
deb2.afpy.org
|
||||||
|
|
||||||
|
|
44
munin.yml
Normal file
44
munin.yml
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
- hosts: muninservers
|
||||||
|
vars:
|
||||||
|
nginx_domain: "munin.afpy.org"
|
||||||
|
nginx_certificates: ["{{ nginx_domain }}"]
|
||||||
|
nginx_conf: |
|
||||||
|
server
|
||||||
|
{
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name {{ nginx_domain }};
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server
|
||||||
|
{
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
server_name {{ nginx_domain }};
|
||||||
|
root /var/cache/munin/www;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
include snippets/letsencrypt-{{ nginx_domain }}.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ^~ /munin-cgi/munin-cgi-graph/ {
|
||||||
|
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
|
||||||
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
|
fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
|
||||||
|
include fastcgi_params;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- munin_server
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- hosts: all
|
||||||
|
roles:
|
||||||
|
- common # For nftables's *_NEIGHBORS
|
||||||
|
- munin_client
|
|
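Review bot: `autoindex on;` in the `location /` block publishes a directory listing of `/var/cache/munin/www`, and nothing in either `server` block restricts who may reach the dashboard, so the per-host metrics of every inventory host become readable by anyone once this play runs. If public graphs are intended, record that decision in a comment above `nginx_conf`; otherwise drop `autoindex on;` and gate access at `server` level, e.g. `auth_basic "munin"; auth_basic_user_file <htpasswd path>;` or an `allow <admin network>; deny all;` pair. Putting the guard on the whole `server` block rather than in `location /` alone matters because the `^~ /munin-cgi/munin-cgi-graph/` location renders graphs on demand and would otherwise stay open.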
@ -1,124 +1,145 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- block:
|
- name: Configure hostname
|
||||||
- name: Configure hostname
|
hostname:
|
||||||
hostname:
|
name: "{{ inventory_hostname_short }}"
|
||||||
name: "{{ inventory_hostname_short }}"
|
|
||||||
|
|
||||||
- name: Configure localhots
|
- name: Configure localhots
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/hosts
|
path: /etc/hosts
|
||||||
regexp: '^127\.0\.0\.1'
|
regexp: '^127\.0\.0\.1'
|
||||||
line: "127.0.0.1 localhost"
|
line: "127.0.0.1 localhost"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Configure FQDN
|
- name: Configure FQDN
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/hosts
|
path: /etc/hosts
|
||||||
regexp: '^127\.0\.1\.1'
|
regexp: '^127\.0\.1\.1'
|
||||||
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
|
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- package: name=nftables state=present
|
- name: Gather facts from all hosts
|
||||||
|
setup:
|
||||||
|
delegate_to: "{{ item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
loop: "{{ groups['all'] }}"
|
||||||
|
|
||||||
- name: Copy nftables rules
|
- package: name=nftables state=present
|
||||||
copy:
|
|
||||||
content: |
|
|
||||||
#!/usr/sbin/nft -f
|
|
||||||
|
|
||||||
table inet filter
|
- name: Copy nftables rules
|
||||||
flush table inet filter
|
copy:
|
||||||
|
content: |
|
||||||
|
#!/usr/sbin/nft -f
|
||||||
|
|
||||||
table inet filter {
|
table inet filter
|
||||||
chain input {
|
flush table inet filter
|
||||||
type filter hook input priority 0;
|
|
||||||
iif lo accept
|
|
||||||
ct state established,related accept
|
|
||||||
icmp type echo-request counter accept
|
|
||||||
icmpv6 type echo-request counter accept
|
|
||||||
|
|
||||||
# accept neighbour discovery otherwise connectivity breaks:
|
define V4_NEIGHBORS = {
|
||||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
{% for host in groups["all"] %}
|
||||||
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
{% if hostvars[host]['ansible_facts']['default_ipv4'] %}
|
||||||
{{ nft_extra }}
|
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
||||||
counter drop
|
{% endif %}
|
||||||
}
|
{% endfor %}
|
||||||
}
|
}
|
||||||
|
|
||||||
dest: /etc/nftables.conf
|
define V6_NEIGHBORS = {
|
||||||
owner: root
|
{% for host in groups["all"] %}
|
||||||
group: root
|
{% if hostvars[host]['ansible_facts']['default_ipv6'] %}
|
||||||
mode: 0755
|
{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
||||||
notify: reload nftables
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
|
||||||
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
table inet filter {
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority 0;
|
||||||
|
iif lo accept
|
||||||
|
ct state established,related accept
|
||||||
|
icmp type echo-request counter accept
|
||||||
|
icmpv6 type echo-request counter accept
|
||||||
|
ip saddr $V4_NEIGHBORS accept
|
||||||
|
ip6 saddr $V6_NEIGHBORS accept
|
||||||
|
|
||||||
- name: Update via apt (mandatory on first run)
|
# accept neighbour discovery otherwise connectivity breaks:
|
||||||
apt:
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||||
update_cache: yes
|
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
||||||
cache_valid_time: 86400
|
{{ nft_extra }}
|
||||||
|
counter drop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
- name: Install some usefull packages
|
dest: /etc/nftables.conf
|
||||||
apt:
|
owner: root
|
||||||
state: present
|
group: root
|
||||||
name:
|
mode: 0755
|
||||||
- aptitude
|
notify: reload nftables
|
||||||
- emacs-nox
|
|
||||||
- fail2ban
|
|
||||||
- git
|
|
||||||
- htop
|
|
||||||
- man
|
|
||||||
- ncdu
|
|
||||||
- needrestart
|
|
||||||
- ntp
|
|
||||||
- python3
|
|
||||||
- python3-dev
|
|
||||||
- python3-pip
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-venv
|
|
||||||
- python3-wheel
|
|
||||||
- rsync
|
|
||||||
- sudo
|
|
||||||
- tcpdump
|
|
||||||
- vim-nox
|
|
||||||
|
|
||||||
- name: Set authorized SSH keys for root user
|
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
||||||
blockinfile:
|
|
||||||
content: "{{ root_authorized_keys }}"
|
|
||||||
dest: /root/.ssh/authorized_keys
|
|
||||||
mode: 0600
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
|
||||||
|
|
||||||
- name: Ensure mlocate and locate are not installed
|
- name: Update via apt (mandatory on first run)
|
||||||
apt:
|
apt:
|
||||||
name: ["mlocate", "locate"]
|
update_cache: yes
|
||||||
state: absent
|
cache_valid_time: 86400
|
||||||
|
|
||||||
# From https://infosec.mozilla.org/guidelines/openssh
|
- name: Install some usefull packages
|
||||||
- name: SSHd hardening
|
apt:
|
||||||
blockinfile:
|
state: present
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
name:
|
||||||
path: /etc/ssh/sshd_config
|
- aptitude
|
||||||
state: present
|
- emacs-nox
|
||||||
create: true
|
- fail2ban
|
||||||
block: |
|
- git
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
- htop
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
- man
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
- ncdu
|
||||||
|
- needrestart
|
||||||
|
- ntp
|
||||||
|
- python3
|
||||||
|
- python3-dev
|
||||||
|
- python3-pip
|
||||||
|
- python3-setuptools
|
||||||
|
- python3-venv
|
||||||
|
- python3-wheel
|
||||||
|
- rsync
|
||||||
|
- sudo
|
||||||
|
- tcpdump
|
||||||
|
- vim-nox
|
||||||
|
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
- name: Set authorized SSH keys for root user
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
blockinfile:
|
||||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
content: "{{ root_authorized_keys }}"
|
||||||
|
dest: /root/.ssh/authorized_keys
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
||||||
|
|
||||||
AuthenticationMethods publickey
|
- name: Ensure mlocate and locate are not installed
|
||||||
LogLevel VERBOSE
|
apt:
|
||||||
notify: restart sshd
|
name: ["mlocate", "locate"]
|
||||||
tags: ssh
|
state: absent
|
||||||
|
|
||||||
tags: common
|
# From https://infosec.mozilla.org/guidelines/openssh
|
||||||
|
- name: SSHd hardening
|
||||||
|
blockinfile:
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
||||||
|
path: /etc/ssh/sshd_config
|
||||||
|
state: present
|
||||||
|
create: true
|
||||||
|
block: |
|
||||||
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
LogLevel VERBOSE
|
||||||
|
notify: restart sshd
|
||||||
|
tags: ssh
|
||||||
|
|
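Review bot: The new `ip saddr $V4_NEIGHBORS accept` and `ip6 saddr $V6_NEIGHBORS accept` rules accept every protocol and port from the default address of every inventory host (both `{% for %}` loops iterate `groups["all"]`), so compromising any one host grants it unrestricted network access to all the others, whereas the stated need is only the munin collector reaching the nodes. Narrow the rules to `tcp dport 4949 ip saddr $V4_NEIGHBORS accept` and `tcp dport 4949 ip6 saddr $V6_NEIGHBORS accept`, and build the two sets from `groups["muninservers"]` rather than `groups["all"]`. A run in which no host has a default IPv4 or IPv6 also renders an empty `define ... = { }`, which nft is likely to reject; wrap each `define` and its rule in a `{% if %}` on whether any address was collected. The file's path is not shown on this page; judging by the `common` role reference in munin.yml and `tags: common`, this is the common role's task list.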
4
roles/munin_client/handlers/main.yml
Normal file
4
roles/munin_client/handlers/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: munin
|
||||||
|
service: name=munin-node state=restarted
|
50
roles/munin_client/tasks/main.yml
Normal file
50
roles/munin_client/tasks/main.yml
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: apt install munin-node
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name: munin-node
|
||||||
|
register: install_munin
|
||||||
|
|
||||||
|
- name: Configure munin node
|
||||||
|
shell: munin-node-configure --shell | grep -v ip_ | sh
|
||||||
|
when: install_munin is changed
|
||||||
|
notify: munin
|
||||||
|
|
||||||
|
- name: Copy munin-node.conf
|
||||||
|
copy:
|
||||||
|
dest: /etc/munin/munin-node.conf
|
||||||
|
content: |
|
||||||
|
log_level 4
|
||||||
|
log_file /var/log/munin/munin-node.log
|
||||||
|
pid_file /var/run/munin/munin-node.pid
|
||||||
|
|
||||||
|
background 1
|
||||||
|
setsid 1
|
||||||
|
|
||||||
|
user root
|
||||||
|
group root
|
||||||
|
|
||||||
|
ignore_file [\#~]$
|
||||||
|
ignore_file DEADJOE$
|
||||||
|
ignore_file \.bak$
|
||||||
|
ignore_file %$
|
||||||
|
ignore_file \.dpkg-(tmp|new|old|dist)$
|
||||||
|
ignore_file \.rpm(save|new)$
|
||||||
|
ignore_file \.pod$
|
||||||
|
|
||||||
|
{% for host in groups["muninservers"] %}
|
||||||
|
allow ^{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}$
|
||||||
|
{% endfor %}
|
||||||
|
allow ^127.0.0.1$
|
||||||
|
|
||||||
|
host *
|
||||||
|
port 4949
|
||||||
|
notify: munin
|
||||||
|
|
||||||
|
- name: Cron for munin apt_all
|
||||||
|
cron:
|
||||||
|
name: "apt update"
|
||||||
|
hour: "*/4"
|
||||||
|
minute: "28"
|
||||||
|
job: "/usr/bin/apt-get update > /dev/null"
|
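Review bot: The `allow` lines generated by `{% for host in groups["muninservers"] %}` in the munin-node.conf content use only `default_ipv6`, so a collector without an IPv6 default route makes the template fail on the missing `address` key, and a collector that ever connects over IPv4 would be refused even when the file renders. Guard the line with `{% if hostvars[host]['ansible_facts']['default_ipv6'] %}` and emit a matching `default_ipv4` entry so the node accepts whichever family the collector actually uses. Since munin-node treats `allow` values as regular expressions, the loopback entry should also escape its dots: `allow ^127\.0\.0\.1$`.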
15
roles/munin_server/tasks/main.yml
Normal file
15
roles/munin_server/tasks/main.yml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install munin
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name: munin
|
||||||
|
|
||||||
|
- name: Gather facts from all hosts
|
||||||
|
setup:
|
||||||
|
delegate_to: "{{ item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
loop: "{{ groups['all'] }}"
|
||||||
|
|
||||||
|
- name: Configure munin
|
||||||
|
template: src=munin.conf.j2 dest=/etc/munin/munin.conf
|
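Review bot: `template: src=munin.conf.j2 dest=/etc/munin/munin.conf` uses the key=value shorthand while the two tasks above it in this file write module arguments in block style; writing it as a `template:` mapping with `src`, `dest`, `owner: root`, `group: root` and `mode: "0644"` keeps the file consistent and gives the rendered config explicit ownership instead of whatever the remote umask yields. The `Gather facts from all hosts` task is identical to the one this commit adds to the common role; if both copies are meant to stay, a comment such as `# Facts for every host are needed before the common role runs (the all play in munin.yml comes later)` would tell the next reader why the duplication is deliberate.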
17
roles/munin_server/templates/munin.conf.j2
Normal file
17
roles/munin_server/templates/munin.conf.j2
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
dbdir /var/lib/munin
|
||||||
|
htmldir /var/cache/munin/www
|
||||||
|
logdir /var/log/munin
|
||||||
|
rundir /var/run/munin
|
||||||
|
|
||||||
|
contact.email.command mail -s "Munin-notification for ${var:group} :: ${var:host}" {{ admin_email }}
|
||||||
|
|
||||||
|
tmpldir /etc/munin/templates
|
||||||
|
|
||||||
|
graph_width 600
|
||||||
|
graph_height 400
|
||||||
|
max_graph_jobs 2
|
||||||
|
|
||||||
|
{% for host in groups["all"] %}
|
||||||
|
[{{ hostvars[host]['inventory_hostname'] }}]
|
||||||
|
address [{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}]
|
||||||
|
{% endfor %}
|
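Review bot: `address [{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}]` inside `{% for host in groups["all"] %}` indexes `address` unconditionally, so a single inventory host without an IPv6 default route aborts the `Configure munin` task for the whole server. Guard it with `{% if hostvars[host]['ansible_facts']['default_ipv6'] %}` and fall back to `default_ipv4` (without the brackets) when only IPv4 is available, or skip the host with a comment saying why. `{{ admin_email }}` is interpolated unquoted into `contact.email.command`, which munin appears to hand to a shell; quoting it as `"{{ admin_email }}"` keeps the command intact if the variable ever contains spaces or shell metacharacters.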