Hello munin.afpy.org.

2023-02-01 16:15:04 +01:00 · 2023-02-01 16:15:04 +01:00 · 4bf259b213
parent b3c765e67b
commit 4bf259b213
7 changed files with 259 additions and 105 deletions
--- a/3
+++ b/3
@ -4,6 +4,9 @@ gitea1.afpy.org
 [woodpeckers]
 woodpecker1.afpy.org

+[muninservers]
+deb2.afpy.org
+
 [webservers]
 deb2.afpy.org

--- a/munin.yml
+++ b/munin.yml
@ -0,0 +1,44 @@
+- hosts: muninservers
+  vars:
+    nginx_domain: "munin.afpy.org"
+    nginx_certificates: ["{{ nginx_domain }}"]
+    nginx_conf: |
+      server
+      {
+          listen 80;
+          listen [::]:80;
+          server_name {{ nginx_domain }};
+          return 301 https://$server_name$request_uri;
+      }
+
+      server
+      {
+          listen 443 ssl;
+          listen [::]:443 ssl;
+          server_name {{ nginx_domain }};
+          root /var/cache/munin/www;
+          index index.html;
+
+          include snippets/letsencrypt-{{ nginx_domain }}.conf;
+
+          location / {
+              try_files $uri $uri/ =404;
+              autoindex on;
+          }
+
+          location ^~ /munin-cgi/munin-cgi-graph/ {
+               fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+               fastcgi_param PATH_INFO $fastcgi_path_info;
+               fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
+               include fastcgi_params;
+          }
+      }
+
+  roles:
+    - munin_server
+    - nginx
+
+- hosts: all
+  roles:
+    - common  # For nftables's *_NEIGHBORS
+    - munin_client
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,6 +1,5 @@
 ---

- block:
 - name: Configure hostname
  hostname:
    name: "{{ inventory_hostname_short }}"
@ -23,6 +22,12 @@
    group: root
    mode: 0644

+- name: Gather facts from all hosts
+  setup:
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  loop: "{{ groups['all'] }}"
+
 - package: name=nftables state=present

 - name: Copy nftables rules
@ -33,6 +38,22 @@
      table inet filter
      flush table inet filter

+      define V4_NEIGHBORS = {
+      {% for host in groups["all"] %}
+      {% if hostvars[host]['ansible_facts']['default_ipv4'] %}
+        {{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }},  # {{ hostvars[host]['ansible_facts']['nodename'] }}
+      {% endif %}
+      {% endfor %}
+      }
+
+      define V6_NEIGHBORS = {
+      {% for host in groups["all"] %}
+      {% if hostvars[host]['ansible_facts']['default_ipv6'] %}
+        {{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }},  # {{ hostvars[host]['ansible_facts']['nodename'] }}
+      {% endif %}
+      {% endfor %}
+      }
+
      table inet filter {
          chain input {
              type filter hook input priority 0;
@ -40,6 +61,8 @@
              ct state established,related accept
              icmp type echo-request counter accept
              icmpv6 type echo-request counter accept
+              ip saddr $V4_NEIGHBORS accept
+              ip6 saddr $V6_NEIGHBORS accept

              # accept neighbour discovery otherwise connectivity breaks:
              icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
@ -120,5 +143,3 @@
      LogLevel VERBOSE
  notify: restart sshd
  tags: ssh
-
-  tags: common
--- a/roles/munin_client/handlers/main.yml
+++ b/roles/munin_client/handlers/main.yml
@ -0,0 +1,4 @@
+---
+
+- name: munin
+  service: name=munin-node state=restarted
--- a/roles/munin_client/tasks/main.yml
+++ b/roles/munin_client/tasks/main.yml
@ -0,0 +1,50 @@
+---
+
+- name: apt install munin-node
+  apt:
+    state: present
+    name: munin-node
+  register: install_munin
+
+- name: Configure munin node
+  shell: munin-node-configure --shell | grep -v ip_ | sh
+  when: install_munin is changed
+  notify: munin
+
+- name: Copy munin-node.conf
+  copy:
+    dest: /etc/munin/munin-node.conf
+    content: |
+      log_level 4
+      log_file /var/log/munin/munin-node.log
+      pid_file /var/run/munin/munin-node.pid
+
+      background 1
+      setsid 1
+
+      user root
+      group root
+
+      ignore_file [\#~]$
+      ignore_file DEADJOE$
+      ignore_file \.bak$
+      ignore_file %$
+      ignore_file \.dpkg-(tmp|new|old|dist)$
+      ignore_file \.rpm(save|new)$
+      ignore_file \.pod$
+
+      {% for host in groups["muninservers"] %}
+      allow ^{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}$
+      {% endfor %}
+      allow ^127.0.0.1$
+
+      host *
+      port 4949
+  notify: munin
+
+- name: Cron for munin apt_all
+  cron:
+    name: "apt update"
+    hour: "*/4"
+    minute: "28"
+    job: "/usr/bin/apt-get update > /dev/null"
--- a/roles/munin_server/tasks/main.yml
+++ b/roles/munin_server/tasks/main.yml
@ -0,0 +1,15 @@
+---
+
+- name: Install munin
+  apt:
+    state: present
+    name: munin
+
+- name: Gather facts from all hosts
+  setup:
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  loop: "{{ groups['all'] }}"
+
+- name: Configure munin
+  template: src=munin.conf.j2 dest=/etc/munin/munin.conf
--- a/roles/munin_server/templates/munin.conf.j2
+++ b/roles/munin_server/templates/munin.conf.j2
@ -0,0 +1,17 @@
+dbdir   /var/lib/munin
+htmldir /var/cache/munin/www
+logdir  /var/log/munin
+rundir  /var/run/munin
+
+contact.email.command mail -s "Munin-notification for ${var:group} :: ${var:host}" {{ admin_email }}
+
+tmpldir /etc/munin/templates
+
+graph_width 600
+graph_height 400
+max_graph_jobs 2
+
+{% for host in groups["all"] %}
+[{{ hostvars[host]['inventory_hostname'] }}]
+address [{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}]
+{% endfor %}