cspark
/
Host-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add nagios files

This commit is contained in:
Curt Spark 2024-11-06 04:30:47 +00:00
parent 7ee5e4eed1
commit 095dd6a431
8 changed files with 396 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
proxy_resources/etc/nginx/sites-available/nagios.domain Normal file
View File

@ -0,0 +1,49 @@
# {{ ansible_managed }}
# Nagios Instance Proxy
server {
server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
location / {
proxy_pass http://10.0.0.199:4238/nagios4;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
include proxy_params;
}
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = www.nagios.{{ domain_name }}) {
return 301 https://$host$request_uri;
}
if ($host = nagios.{{ domain_name }}) {
return 301 https://$host$request_uri;
}
listen 80;
listen [::]:80;
server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
return 404;
}

6
services/old_icinga2/ansible.cfg Normal file
View File

@ -0,0 +1,6 @@
[defaults]
inventory = hosts
[privilege_escalation]
become_method=doas
become_ask_pass=True

32
services/old_icinga2/deploy-service.yml Normal file
View File

@ -0,0 +1,32 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_icinga2
group: service_icinga2
state: directory
loop:
- "{{ services_directory }}/service_icinga2/icinga2-master-data"
- "{{ services_directory }}/service_icinga2/redis-data"
- "{{ services_directory }}/service_icinga2/postgres-data"
- "{{ services_directory }}/service_icinga2/postgres-data/icinga2-db"
- "{{ services_directory }}/service_icinga2/postgres-data/icinga2-web-db"
- "{{ services_directory }}/service_icinga2/icinga2-web-data"
- name: Copy docker compose config and other git files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_icinga2/{{ item }}"
owner: service_icinga2
group: service_icinga2
loop:
- docker-compose.yml
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

196
services/old_icinga2/docker-compose.yml Normal file
View File

@ -0,0 +1,196 @@
services:
# Gluetun is used to connect container to VPN
icinga2-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ icinga2_backend_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.198/32
- FIREWALL_VPN_INPUT_PORTS=8080,5665
networks:
icinga2:
ports:
# Web UI Port
- "8080:8080"
# Backend API Port
- "5665:5665"
deploy:
resources:
limits:
cpus: '0.10'
memory: 512M
# Backend service that does the checking and hosts API
icinga2-master:
network_mode: "service:icinga2-gluetun"
image: icinga/icinga2
container_name: icinga2-master
hostname: icinga2-master
volumes:
- ./icinga2-master-data:/data
environment:
- ICINGA_MASTER=1
depends_on:
- icinga2-dbhandler
deploy:
resources:
limits:
cpus: '0.25'
memory: 512M
# Service that handles everything between icinga SQL and icinga Redis databases
icinga2-dbhandler: image: icinga/icingadb
restart: always
environment:
- ICINGADB_REDIS_HOST=11.1.0.21
- ICINGADB_REDIS_PORT=6379
- ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2_redis_password }}"
- ICINGADB_DATABASE_TYPE=pgsql
- ICINGADB_DATABASE_HOST=11.1.0.22
- ICINGADB_DATABASE_PORT=5432
- ICINGADB_DATABASE_DATABASE=icinga2-db
- ICINGADB_DATABASE_USER=icinga2-db
- ICINGADB_DATABASE_PASSWORD="{{ service_icinga2_icinga2_db_postgres_password }}"
depends_on:
- icinga2-redis
- icinga2-db
networks:
icinga2:
ipv4_address:11.1.0.20
deploy:
resources:
limits:
cpus: '0.10'
memory: 256M
icinga2-redis:
image: "redis:alpine"
command: "redis-server --save 60 1 --loglevel warning --requirepass {{ service_icinga2_icinga2_redis_password }}"
volumes:
- ./redis-data:/data
networks:
icinga2:
ipv4_address:11.1.0.21
deploy:
resources:
limits:
cpus: '0.10'
memory: 128M
icinga2-db:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- ./postgres-data/icinga2-db:/var/lib/postgresql/data
environment:
POSTGRES_DB: icinga2-db
POSTGRES_USER: icinga2-db
POSTGRES_PASSWORD: "{{ service_icinga2_icinga2_db_postgres_password }}"
healthcheck:
test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
icinga2:
ipv4_address:11.1.0.22
deploy:
resources:
limits:
cpus: '0.10'
memory: 128M
icinga2-web-db:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- ./postgres-data/icinga2-web-db:/var/lib/postgresql/data
environment:
POSTGRES_DB: icinga2-web-db
POSTGRES_USER: icinga2-web-db
POSTGRES_PASSWORD: "{{ service_icinga2_icinga2_web_db_postgres_password }}"
healthcheck:
test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
icinga2:
ipv4_address:11.1.0.23
deploy:
resources:
limits:
cpus: '0.10'
memory: 128M
# Web UI
icinga2-web:
network_mode: "service:icinga2-gluetun"
image: icinga/icingaweb2
volumes:
- ./icinga2-web-data:/data
environment:
# Incingaweb General Configuration
- icingaweb.enabledModules=icingadb
- icingaweb.authentication.icingaweb2.backend=db
- icingaweb.authentication.icingaweb2.resource=icingaweb_db
- icingaweb.config.global.config_backend=db
- icingaweb.config.global.config_resource=icingaweb_db
- icingaweb.config.logging.log=php
- icingaweb.groups.icingaweb2.backend=db
- icingaweb.groups.icingaweb2.resource=icingaweb_db
# IncingaDB Redis Database configuration
- icingaweb.modules.icingadb.config.icingadb.resource=icingadb
- icingaweb.modules.icingadb.redis.redis1.host=11.1.0.21
- icingaweb.modules.icingadb.redis.redis1.port=6379
# Connection to backend Incinga server API
- icingaweb.modules.icingadb.commandtransports.icinga2.transport=api
- icingaweb.modules.icingadb.commandtransports.icinga2.host=127.0.0.1
- icingaweb.modules.icingadb.commandtransports.icinga2.username=root
- icingaweb.modules.icingadb.commandtransports.icinga2.password=123456
# Incinga Web SQL Database configuration
- icingaweb.resources.icingaweb_db.type=db
- icingaweb.resources.icingaweb_db.db=pgsql
- icingaweb.resources.icingaweb_db.host=11.1.0.23
- icingaweb.resources.icingaweb_db.dbname=icinga2-web-db
- icingaweb.resources.icingaweb_db.username=icinga2-web-db
- icingaweb.resources.icingaweb_db.password="{{ service_icinga2_icinga2_web_db_postgres_password }}"
- icingaweb.resources.icingaweb_db.charset=utf8mb4
# IncingaDB SQL Database configuration
- icingaweb.resources.icingadb.type=db
- icingaweb.resources.icingadb.db=pgsql
- icingaweb.resources.icingadb.host=11.1.0.22
- icingaweb.resources.icingadb.dbname=icinga2-db
- icingaweb.resources.icingadb.username=icinga2-db
- icingaweb.resources.icingadb.password="{{ service_icinga2_icinga2_db_postgres_password }}"
- icingaweb.resources.icingadb.charset=utf8mb4
# Incinga User/Admin Configuration
- icingaweb.passwords.icingaweb2.icingaadmin="{{ service_icinga2_icingaadmin_password }}"
- icingaweb.roles.Administrators.users=icingaadmin
- icingaweb.roles.Administrators.permissions=*
- icingaweb.roles.Administrators.groups=Administrators
depends_on:
- icinga2-master
- icinga2-web-db
deploy:
resources:
limits:
cpus: '0.25'
memory: 512M
networks:
icinga2:
driver: bridge
driver_opts:
com.docker.network.bridge.name: icinga2
# com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.1.0.0/16
# gateway: 11.5.0.1

5
services/old_icinga2/servicesecrets.example Normal file
View File

@ -0,0 +1,5 @@
# Example service secrets for icinga2 docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_icinga2_incingaadmin_password: ***
service_icinga2_icinga2_redis_password: ***
service_icinga2_icinga2_web_db_postgres_password: ***
service_icinga2_icinga2_db_postgres_password: ***

3
services/service_nagios/post-rules.txt Normal file
View File

@ -0,0 +1,3 @@
iptables -t nat -A OUTPUT -d 10.0.0.198 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.198:11001
iptables -t nat -A OUTPUT -p tcp --dport 11001 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -t nat -p tcp --dport 11001 -j REDIRECT --to-port 8080

66
services/service_nagios/proxy_resources/etc/nginx/sites-available/nagios.domain Normal file
View File

@ -0,0 +1,66 @@
# {{ ansible_managed }}
server {
server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
client_max_body_size 0;
underscores_in_headers on;
location / {
proxy_pass http://10.0.0.198:11001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
proxy_buffering off;
proxy_redirect off;
proxy_max_temp_file_size 0;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# The redirects for CalDAV or CardDAV does not work if nagios is running behind a reverse proxy. The recommended solution is that your reverse proxy does the redirects.
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
}
server {
if ($host = www.nagios.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = nagios.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
return 404; # managed by Certbot
}

39
services/service_nagios/ssmtp.conf Normal file
View File

@ -0,0 +1,39 @@
#
# Config file for sSMTP sendmail
#
# Gmail configuration with help from
# http://askubuntu.com/questions/155248/how-can-i-have-nagios-alerts-emailed-to-my-gmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=mygmailaccount@gmail.com
# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
# For Gmail use the following
mailhub=smtp.gmail.com:587
# Where will the mail seem to come from?
#rewriteDomain=
# The full hostname
hostname=raspberrypi
# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES
UseTLS=YES
UseSTARTTLS=YES
AuthMethod=LOGIN
AuthUser=mygmailaccount@gmail.com
AuthPass=passw
# TEMPLATE FOR GMAIL
# UseTLS=YES
# UseSTARTTLS=YES
# AuthMethod=LOGIN
# AuthUser=mygmailaccount@gmail.com
# AuthPass=passw