diff --git a/proxy_resources/etc/nginx/sites-available/nagios.domain b/proxy_resources/etc/nginx/sites-available/nagios.domain
new file mode 100644
index 0000000..2de22a0
--- /dev/null
+++ b/proxy_resources/etc/nginx/sites-available/nagios.domain
@@ -0,0 +1,49 @@
+# {{ ansible_managed }}
+
+# Nagios Instance Proxy
+server {
+
+ server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
+
+ location / {
+ proxy_pass http://10.0.0.199:4238/nagios4;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ include proxy_params;
+ }
+
+ listen [::]:443 ssl;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+
+}
+
+server {
+ if ($host = www.nagios.{{ domain_name }}) {
+ return 301 https://$host$request_uri;
+ }
+
+
+ if ($host = nagios.{{ domain_name }}) {
+ return 301 https://$host$request_uri;
+ }
+
+
+ listen 80;
+ listen [::]:80;
+
+ server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
+ return 404;
+
+
+
+
+}
+
diff --git a/services/old_icinga2/ansible.cfg b/services/old_icinga2/ansible.cfg
new file mode 100644
index 0000000..c36ea5d
--- /dev/null
+++ b/services/old_icinga2/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+inventory = hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True
diff --git a/services/old_icinga2/deploy-service.yml b/services/old_icinga2/deploy-service.yml
new file mode 100644
index 0000000..9f3ebcf
--- /dev/null
+++ b/services/old_icinga2/deploy-service.yml
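Review bot: `proxy_pass http://10.0.0.199:4238/nagios4;` under `location /` carries a URI part without a trailing slash, so nginx replaces the matched prefix `/` with `/nagios4` and a request for `/cgi-bin/status.cgi` is forwarded upstream as `/nagios4cgi-bin/status.cgi`; it should read `proxy_pass http://10.0.0.199:4238/nagios4/;`. The four hand-written `proxy_set_header` lines set the same headers that Debian's `proxy_params`, included two lines later, already provides, so one of the two can go. Unlike the second nagios.domain added under services/service_nagios in this same commit, this server block sends no `Strict-Transport-Security` header; if both files are meant to be deployed they should agree on the response headers.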
@@ -0,0 +1,32 @@
+- hosts: localhost
+ become: 'yes'
+ vars:
+ ansible_become_method: doas
+ tasks:
+
+ - name: Create necessary directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: service_icinga2
+ group: service_icinga2
+ state: directory
+ loop:
+ - "{{ services_directory }}/service_icinga2/icinga2-master-data"
+ - "{{ services_directory }}/service_icinga2/redis-data"
+ - "{{ services_directory }}/service_icinga2/postgres-data"
+ - "{{ services_directory }}/service_icinga2/postgres-data/icinga2-db"
+ - "{{ services_directory }}/service_icinga2/postgres-data/icinga2-web-db"
+ - "{{ services_directory }}/service_icinga2/icinga2-web-data"
+
+ - name: Copy docker compose config and other git files
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ services_directory }}/service_icinga2/{{ item }}"
+ owner: service_icinga2
+ group: service_icinga2
+ loop:
+ - docker-compose.yml
+
+ - name: Debug Finish message
+ debug:
+ msg: Ansible playbook has finished!
diff --git a/services/old_icinga2/docker-compose.yml b/services/old_icinga2/docker-compose.yml
new file mode 100644
index 0000000..102a2bf
--- /dev/null
+++ b/services/old_icinga2/docker-compose.yml
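Review bot: The `ansible.builtin.template` task renders docker-compose.yml — which, per the compose file added in this commit, ends up holding the WireGuard private key and every Redis, database and admin password — with no `mode:`, so the file is created with umask-derived permissions (commonly world-readable) under `{{ services_directory }}`. Add `mode: "0600"` to that task, and `mode: "0750"` to the `ansible.builtin.file` directory task, so the rendered secrets and the postgres data directories are not readable by other local users. `become: 'yes'` is a quoted string where a boolean is meant; write `become: true`. `ansible_become_method: doas` in `vars` repeats `become_method=doas` from the ansible.cfg added alongside, so one of the two is redundant.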
@@ -0,0 +1,196 @@ +services: + + # Gluetun is used to connect container to VPN + icinga2-gluetun: + image: qmcgaw/gluetun + cap_add: + - NET_ADMIN + environment: + - VPN_SERVICE_PROVIDER=custom + - VPN_TYPE=wireguard + - VPN_ENDPOINT_IP={{ proxy_server_ip }} + - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }} + - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }} + - WIREGUARD_PRIVATE_KEY={{ icinga2_backend_privkey }} + - WIREGUARD_ADDRESSES=10.0.0.198/32 + - FIREWALL_VPN_INPUT_PORTS=8080,5665 + networks: + icinga2: + ports: + # Web UI Port + - "8080:8080" + # Backend API Port + - "5665:5665" + deploy: + resources: + limits: + cpus: '0.10' + memory: 512M + + # Backend service that does the checking and hosts API + icinga2-master: + network_mode: "service:icinga2-gluetun" + image: icinga/icinga2 + container_name: icinga2-master + hostname: icinga2-master + volumes: + - ./icinga2-master-data:/data + environment: + - ICINGA_MASTER=1 + depends_on: + - icinga2-dbhandler + deploy: + resources: + limits: + cpus: '0.25' + memory: 512M + + # Service that handles everything between icinga SQL and icinga Redis databases + icinga2-dbhandler: image: icinga/icingadb + restart: always + environment: + - ICINGADB_REDIS_HOST=11.1.0.21 + - ICINGADB_REDIS_PORT=6379 + - ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2_redis_password }}" + - ICINGADB_DATABASE_TYPE=pgsql + - ICINGADB_DATABASE_HOST=11.1.0.22 + - ICINGADB_DATABASE_PORT=5432 + - ICINGADB_DATABASE_DATABASE=icinga2-db + - ICINGADB_DATABASE_USER=icinga2-db + - ICINGADB_DATABASE_PASSWORD="{{ service_icinga2_icinga2_db_postgres_password }}" + depends_on: + - icinga2-redis + - icinga2-db + networks: + icinga2: + ipv4_address:11.1.0.20 + deploy: + resources: + limits: + cpus: '0.10' + memory: 256M + + icinga2-redis: + image: "redis:alpine" + command: "redis-server --save 60 1 --loglevel warning --requirepass {{ service_icinga2_icinga2_redis_password }}" + volumes: + - ./redis-data:/data + networks: + icinga2: + ipv4_address:11.1.0.21 
+ deploy:
+ resources:
+ limits:
+ cpus: '0.10'
+ memory: 128M
+
+ icinga2-db:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ volumes:
+ - ./postgres-data/icinga2-db:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: icinga2-db
+ POSTGRES_USER: icinga2-db
+ POSTGRES_PASSWORD: "{{ service_icinga2_icinga2_db_postgres_password }}"
+ healthcheck:
+ test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+ networks:
+ icinga2:
+ ipv4_address:11.1.0.22
+ deploy:
+ resources:
+ limits:
+ cpus: '0.10'
+ memory: 128M
+
+ icinga2-web-db:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ volumes:
+ - ./postgres-data/icinga2-web-db:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: icinga2-web-db
+ POSTGRES_USER: icinga2-web-db
+ POSTGRES_PASSWORD: "{{ service_icinga2_icinga2_web_db_postgres_password }}"
+ healthcheck:
+ test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+ networks:
+ icinga2:
+ ipv4_address:11.1.0.23
+ deploy:
+ resources:
+ limits:
+ cpus: '0.10'
+ memory: 128M
+
+ # Web UI
+ icinga2-web:
+ network_mode: "service:icinga2-gluetun"
+ image: icinga/icingaweb2
+ volumes:
+ - ./icinga2-web-data:/data
+ environment:
+ # Incingaweb General Configuration
+ - icingaweb.enabledModules=icingadb
+ - icingaweb.authentication.icingaweb2.backend=db
+ - icingaweb.authentication.icingaweb2.resource=icingaweb_db
+ - icingaweb.config.global.config_backend=db
+ - icingaweb.config.global.config_resource=icingaweb_db
+ - icingaweb.config.logging.log=php
+ - icingaweb.groups.icingaweb2.backend=db
+ - icingaweb.groups.icingaweb2.resource=icingaweb_db
+
+ # IncingaDB Redis Database configuration
+ - icingaweb.modules.icingadb.config.icingadb.resource=icingadb
+ - icingaweb.modules.icingadb.redis.redis1.host=11.1.0.21
+ - icingaweb.modules.icingadb.redis.redis1.port=6379
+
+ # Connection to backend Incinga server API
+ - icingaweb.modules.icingadb.commandtransports.icinga2.transport=api
+ - 
icingaweb.modules.icingadb.commandtransports.icinga2.host=127.0.0.1
+ - icingaweb.modules.icingadb.commandtransports.icinga2.username=root
+ - icingaweb.modules.icingadb.commandtransports.icinga2.password=123456
+
+ # Incinga Web SQL Database configuration
+ - icingaweb.resources.icingaweb_db.type=db
+ - icingaweb.resources.icingaweb_db.db=pgsql
+ - icingaweb.resources.icingaweb_db.host=11.1.0.23
+ - icingaweb.resources.icingaweb_db.dbname=icinga2-web-db
+ - icingaweb.resources.icingaweb_db.username=icinga2-web-db
+ - icingaweb.resources.icingaweb_db.password="{{ service_icinga2_icinga2_web_db_postgres_password }}"
+ - icingaweb.resources.icingaweb_db.charset=utf8mb4
+
+ # IncingaDB SQL Database configuration
+ - icingaweb.resources.icingadb.type=db
+ - icingaweb.resources.icingadb.db=pgsql
+ - icingaweb.resources.icingadb.host=11.1.0.22
+ - icingaweb.resources.icingadb.dbname=icinga2-db
+ - icingaweb.resources.icingadb.username=icinga2-db
+ - icingaweb.resources.icingadb.password="{{ service_icinga2_icinga2_db_postgres_password }}"
+ - icingaweb.resources.icingadb.charset=utf8mb4
+
+ # Incinga User/Admin Configuration
+ - icingaweb.passwords.icingaweb2.icingaadmin="{{ service_icinga2_icingaadmin_password }}"
+ - icingaweb.roles.Administrators.users=icingaadmin
+ - icingaweb.roles.Administrators.permissions=*
+ - icingaweb.roles.Administrators.groups=Administrators
+ depends_on:
+ - icinga2-master
+ - icinga2-web-db
+ deploy:
+ resources:
+ limits:
+ cpus: '0.25'
+ memory: 512M
+
+networks:
+ icinga2:
+ driver: bridge
+ driver_opts:
+ com.docker.network.bridge.name: icinga2
+ # com.docker.network.driver.enable_ip_masquerade: 0
+ ipam:
+ config:
+ - subnet: 11.1.0.0/16
+ # gateway: 11.5.0.1
diff --git a/services/old_icinga2/servicesecrets.example b/services/old_icinga2/servicesecrets.example
new file mode 100644
index 0000000..95935c9
--- /dev/null
+++ b/services/old_icinga2/servicesecrets.example
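Review bot: In list-form `environment:` entries such as `- ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2_redis_password }}"` on icinga2-dbhandler and the `...password="{{ ... }}"` / `icingaadmin="{{ ... }}"` items on icinga2-web, the whole item is one plain YAML scalar, so the double quotes become part of the value the container sees, whereas redis (`--requirepass {{ ... }}`) and the two postgres services (`POSTGRES_PASSWORD: "{{ ... }}"`, map form, where YAML consumes the quotes) receive the bare secret, so those logins will not match. Drop the quotes in the list items, e.g. `- ICINGADB_REDIS_PASSWORD={{ service_icinga2_icinga2_redis_password }}`, or move those services to map-form `environment:`. `icingaweb.modules.icingadb.commandtransports.icinga2.username=root` with `password=123456` is a fixed, guessable credential for the Icinga 2 API while every other secret here is vault-templated; it should come from a vault variable like the rest. `ipv4_address:11.1.0.20` (likewise .21, .22 and .23) has no space after the colon, so YAML reads it as a single string rather than a key and compose will reject the `networks:` block, unless that is an artefact of how this diff was rendered. Separately, `11.1.0.0/16` is a publicly routed range rather than RFC 1918 space, which deserves at least a comment explaining the choice.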
@@ -0,0 +1,5 @@
+# Example service secrets for icinga2 docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_icinga2_incingaadmin_password: ***
+service_icinga2_icinga2_redis_password: ***
+service_icinga2_icinga2_web_db_postgres_password: ***
+service_icinga2_icinga2_db_postgres_password: ***
diff --git a/services/service_nagios/post-rules.txt b/services/service_nagios/post-rules.txt
new file mode 100644
index 0000000..dffda3e
--- /dev/null
+++ b/services/service_nagios/post-rules.txt
@@ -0,0 +1,3 @@
+iptables -t nat -A OUTPUT -d 10.0.0.198 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.198:11001
+iptables -t nat -A OUTPUT -p tcp --dport 11001 -j REDIRECT --to-port 8080
+iptables -t nat -A PREROUTING -t nat -p tcp --dport 11001 -j REDIRECT --to-port 8080
diff --git a/services/service_nagios/proxy_resources/etc/nginx/sites-available/nagios.domain b/services/service_nagios/proxy_resources/etc/nginx/sites-available/nagios.domain
new file mode 100644
index 0000000..f2f44a8
--- /dev/null
+++ b/services/service_nagios/proxy_resources/etc/nginx/sites-available/nagios.domain
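Review bot: The key `service_icinga2_incingaadmin_password` is misspelled ("incinga") while docker-compose.yml in this commit references `{{ service_icinga2_icingaadmin_password }}`, so a vault file built from this example leaves that variable undefined and the template task fails. Rename it to `service_icinga2_icingaadmin_password: ***`. The bare `***` values are also not valid YAML, because `*` introduces an alias, so if the example is ever loaded as-is it will not parse; quoting them as `"***"` keeps the file loadable.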
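Review bot: The third rule, `iptables -t nat -A PREROUTING -t nat -p tcp --dport 11001 -j REDIRECT --to-port 8080`, passes `-t nat` twice; it should be written once as `iptables -t nat -A PREROUTING -p tcp --dport 11001 -j REDIRECT --to-port 8080`. The file has no header explaining why OUTPUT traffic to 10.0.0.198:8080 is DNATed to port 11001 and port 11001 is then redirected back to 8080, and since `-A` appends on every run, a comment on the intended flow and on how duplicate rules are avoided would help the next reader. Where this file is consumed is not visible in the hunk, so whether it runs once or on each deploy is inferred.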
@@ -0,0 +1,66 @@
+# {{ ansible_managed }}
+
+server {
+
+ server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
+
+ client_max_body_size 0;
+ underscores_in_headers on;
+
+ location / {
+ proxy_pass http://10.0.0.198:11001;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ add_header Front-End-Https on;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
+
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 64;
+
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_max_temp_file_size 0;
+ }
+
+ listen [::]:443 ssl; # managed by Certbot
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+ # The redirects for CalDAV or CardDAV does not work if nagios is running behind a reverse proxy. The recommended solution is that your reverse proxy does the redirects.
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+}
+
+server {
+ if ($host = www.nagios.{{ domain_name }}) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ if ($host = nagios.{{ domain_name }}) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ listen [::]:80;
+
+ server_name nagios.{{ domain_name }} www.nagios.{{ domain_name }};
+ return 404; # managed by Certbot
+
+
+
+
+}
+
diff --git a/services/service_nagios/ssmtp.conf b/services/service_nagios/ssmtp.conf
new file mode 100644
index 0000000..0bd9891
--- /dev/null
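Review bot: The `location /.well-known/carddav` and `location /.well-known/caldav` blocks redirect to `$scheme://$host/remote.php/dav`, a Nextcloud path that Nagios does not serve; together with their comment they read as carried over from a Nextcloud vhost and should be removed, since the redirect only yields a 404 on the Nagios side. `add_header Front-End-Https on;` adds a response header sent to the browser, not a request header to the upstream; if the intent is to tell the backend it sits behind TLS the line should be `proxy_set_header Front-End-Https on;` (and `X-Forwarded-Proto`, already set, covers the same need), otherwise drop it. This file largely duplicates proxy_resources/etc/nginx/sites-available/nagios.domain from the same commit, differing in the upstream address and a few headers, and keeping both invites drift.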
+++ b/services/service_nagios/ssmtp.conf
@@ -0,0 +1,39 @@
+#
+# Config file for sSMTP sendmail
+#
+# Gmail configuration with help from
+# http://askubuntu.com/questions/155248/how-can-i-have-nagios-alerts-emailed-to-my-gmail
+#
+# The person who gets all mail for userids < 1000
+# Make this empty to disable rewriting.
+root=mygmailaccount@gmail.com
+
+# The place where the mail goes. The actual machine name is required no
+# MX records are consulted. Commonly mailhosts are named mail.domain.com
+# For Gmail use the following
+mailhub=smtp.gmail.com:587
+
+# Where will the mail seem to come from?
+#rewriteDomain=
+
+# The full hostname
+hostname=raspberrypi
+
+# Are users allowed to set their own From: address?
+# YES - Allow the user to specify their own From: address
+# NO - Use the system generated From: address
+#FromLineOverride=YES
+
+UseTLS=YES
+UseSTARTTLS=YES
+AuthMethod=LOGIN
+AuthUser=mygmailaccount@gmail.com
+AuthPass=passw
+
+
+# TEMPLATE FOR GMAIL
+# UseTLS=YES
+# UseSTARTTLS=YES
+# AuthMethod=LOGIN
+# AuthUser=mygmailaccount@gmail.com
+# AuthPass=passw
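Review bot: `AuthUser=mygmailaccount@gmail.com` and `AuthPass=passw` are literal placeholder credentials in a file that is otherwise deployed as-is, so a real deployment either ships the placeholder or someone edits a live secret into a tracked file. The rest of this commit already sources secrets from an Ansible vault (servicesecrets.example), so this should become a template with `AuthUser={{ service_nagios_smtp_user }}` and `AuthPass={{ service_nagios_smtp_password }}` (constructed variable names), deployed with a restrictive mode and the `# {{ ansible_managed }}` header the nginx files carry. `hostname=raspberrypi` is likewise hard-coded where `{{ ansible_hostname }}` would match the rest of the templating. The commented `# TEMPLATE FOR GMAIL` block at the end repeats the live settings above it and can be dropped.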