diff --git a/prox-server-setup.yml b/prox-server-setup.yml index b5ba658..1c42a3b 100755 --- a/prox-server-setup.yml +++ b/prox-server-setup.yml @@ -50,6 +50,16 @@ dest: "/etc/nginx/sites-enabled/cockpit.{{ domain_name }}" state: link + - name: Ensure reverse proxy nagios domain config is updated + template: + src: proxy_resources/etc/nginx/sites-available/nagios.domain + dest: "/etc/nginx/sites-available/nagios.{{ domain_name }}" + - name: Enable the reverse proxy nagios domain config + ansible.builtin.file: + src: "/etc/nginx/sites-available/nagios.{{ domain_name }}" + dest: "/etc/nginx/sites-enabled/nagios.{{ domain_name }}" + state: link + - name: Enable NGinx ansible.builtin.systemd: name: nginx diff --git a/proxy_resources/etc/nginx/sites-available/cockpit.domain b/proxy_resources/etc/nginx/sites-available/cockpit.domain index e107f3d..f08b653 100644 --- a/proxy_resources/etc/nginx/sites-available/cockpit.domain +++ b/proxy_resources/etc/nginx/sites-available/cockpit.domain @@ -6,7 +6,7 @@ server { server_name cockpit.{{ domain_name }} www.cockpit.{{ domain_name }}; location / { - proxy_pass http://10.0.0.199:9090; + proxy_pass https://10.0.0.199:9090; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/server-setup.yml b/server-setup.yml index 4415db6..a9c4ac5 100644 --- a/server-setup.yml +++ b/server-setup.yml @@ -13,17 +13,17 @@ - doas # Headless KVM Setup - - qemu-kvm - - libvirt-clients - - libvirt-daemon-system - - bridge-utils - - virtinst + - qemu-kvm + - libvirt-clients + - libvirt-daemon-system + - bridge-utils + - virtinst - libvirt-daemon - - cpu-checker - - libguestfs-tools + - cpu-checker + - libguestfs-tools - libosinfo-bin - # File Server + # File Server - zfsutils-linux - samba @@ -46,6 +46,9 @@ # Two Factor Authentication for Cockpit - libpam-oath - oathtool + + # For LSP + - ansible-lint available_servicedirs: [] tasks: 
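Review bot: The new `template:` task uses the short module name while the task directly below it uses `ansible.builtin.file`; for consistency write `ansible.builtin.template:`. Neither new task notifies nginx, so a re-run that changes the rendered vhost leaves the previously loaded config active unless the following `Enable NGinx` systemd task (only partly inside the hunk) restarts the service on every run; consider `notify: Reload nginx` on the template task with a handler that reloads rather than restarts, since an nginx reload rejects a broken vhost and keeps the running config, whereas a restart takes the whole proxy down. Line-level `validate:` is not practical for a single sites-available file, so the reload handler is the cheap safety net here.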
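Review bot: Changing `proxy_pass` to `https://10.0.0.199:9090` encrypts the hop but does not authenticate it, because nginx leaves `proxy_ssl_verify` off by default; the backend certificate is never checked, so the change only helps if the 10.0.0.x path is already trusted (it appears to be the WireGuard link). If the certificate should be verified, add inside this `location` block `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-backend-ca-or-self-signed-cert>;` and `proxy_ssl_name cockpit.{{ domain_name }};` (with `proxy_ssl_server_name on;` if the backend selects its certificate by SNI). The rest of the `location` block continues outside the hunk.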
@@ -68,7 +71,7 @@ path: "/etc/environment" state: present regexp: "^{{ item.key }}=" - line: "{{ item.key }}={{ item.value}}" + line: "{{ item.key }}={{ item.value }}" loop: - { key: "ANSIBLE_CONFIG", value: "{{ ansibleconf_directory }}/ansible.cfg" } @@ -285,7 +288,7 @@ - docker-buildx-plugin - docker-compose-plugin state: present - update_cache:true + update_cache: true # Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory - name : Find all service directories available in ansible configuration @@ -295,13 +298,13 @@ use_regex: yes patterns: ['service_'] recurse: no - register: findoutput + register: findoutput - name: Add found ansible configuration service directories to service directories variable #no_log: true set_fact: available_servicedirs: "{{ available_servicedirs + [item.path | split('/') | last]}}" - with_items: "{{ findoutput.files }}" + with_items: "{{ findoutput.files }}" - name: Automatically create service users based on found ansible conf service directories become: yes diff --git a/serversecrets.example b/serversecrets.example index 0f26cf3..29b3b02 100644 --- a/serversecrets.example +++ b/serversecrets.example @@ -25,9 +25,9 @@ usbkey_keysdir: /mnt/keys vpn_server_pubkey: *** # Other services - Private Keys -icinga2_backend_privkey: *** +nagios_backend_privkey: *** # Other services - Public Keys -icinga2_backend_pubkey: *** +nagios_backend_pubkey: *** # VPN Key to link reverse proxy and cockpit backend cockpit_backend_privkey: *** diff --git a/services/service_icinga2/deploy-service.yml b/services/service_icinga2/deploy-service.yml deleted file mode 100644 index 9f3ebcf..0000000 --- a/services/service_icinga2/deploy-service.yml +++ /dev/null 
@@ -1,32 +0,0 @@
-- hosts: localhost
- become: 'yes'
- vars:
- ansible_become_method: doas
- tasks:
-
- - name: Create necessary directories
- ansible.builtin.file:
- path: "{{ item }}"
- owner: service_icinga2
- group: service_icinga2
- state: directory
- loop:
- - "{{ services_directory }}/service_icinga2/icinga2-master-data"
- - "{{ services_directory }}/service_icinga2/redis-data"
- - "{{ services_directory }}/service_icinga2/postgres-data"
- - "{{ services_directory }}/service_icinga2/postgres-data/icinga2-db"
- - "{{ services_directory }}/service_icinga2/postgres-data/icinga2-web-db"
- - "{{ services_directory }}/service_icinga2/icinga2-web-data"
-
- - name: Copy docker compose config and other git files
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ services_directory }}/service_icinga2/{{ item }}"
- owner: service_icinga2
- group: service_icinga2
- loop:
- - docker-compose.yml
-
- - name: Debug Finish message
- debug:
- msg: Ansible playbook has finished!
diff --git a/services/service_icinga2/docker-compose.yml b/services/service_icinga2/docker-compose.yml
deleted file mode 100644
index 5c04f6e..0000000
--- a/services/service_icinga2/docker-compose.yml
+++ /dev/null
@@ -1,189 +0,0 @@ -services: - - # Gluetun is used to connect container to VPN - icinga2-gluetun: - image: qmcgaw/gluetun - cap_add: - - NET_ADMIN - environment: - - VPN_SERVICE_PROVIDER=custom - - VPN_TYPE=wireguard - - VPN_ENDPOINT_IP={{ proxy_server_ip }} - - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }} - - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }} - - WIREGUARD_PRIVATE_KEY={{ icinga2_backend_privkey }} - - WIREGUARD_ADDRESSES=10.0.0.4/32 - - FIREWALL_VPN_INPUT_PORTS=8080,5665 - networks: - icinga2: - ports: - # Web UI Port - - "8080:8080" - # Backend API Port - - "5665:5665" - deploy: - limits: - cpus: '0.10' - memory: 512M - - # Backend service that does the checking and hosts API - icinga2-master: - network_mode: "service:icinga2-gluetun" - image: icinga/icinga2 - container_name: icinga2-master - hostname: icinga2-master - volumes: - - ./icinga2-master-data:/data - environment: - - ICINGA_MASTER=1 - depends_on: - - icinga2-dbhandler - deploy: - limits: - cpus: '0.25' - memory: 512M - - # Service that handles everything between icinga SQL and icinga Redis databases - icinga2-dbhandler: image: icinga/icingadb - restart: always - environment: - - ICINGADB_REDIS_HOST=11.1.0.21 - - ICINGADB_REDIS_PORT=6379 - - ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2-redis_password }}" - - ICINGADB_DATABASE_TYPE=pgsql - - ICINGADB_DATABASE_HOST=11.1.0.22 - - ICINGADB_DATABASE_PORT=5432 - - ICINGADB_DATABASE_DATABASE=icinga2-db - - ICINGADB_DATABASE_USER=icinga2-db - - ICINGADB_DATABASE_PASSWORD="{{ service_icinga2_icinga2-db_postgres_password }}" - depends_on: - - icinga2-redis - - icinga2-db - networks: - icinga2: - ipv4_address:11.1.0.20 - deploy: - limits: - cpus: '0.10' - memory: 256M - - icinga2-redis: - image: "redis:alpine" - command: "redis-server --save 60 1 --loglevel warning --requirepass {{ service_icinga2_icinga2-redis_password }}" - volumes: - - ./redis-data:/data - networks: - icinga2: - ipv4_address:11.1.0.21 - deploy: - limits: - cpus: '0.10' - 
memory: 128M - - icinga2-db: - image: docker.io/library/postgres:16-alpine - restart: unless-stopped - volumes: - - ./postgres-data/icinga2-db:/var/lib/postgresql/data - environment: - POSTGRES_DB: icinga2-db - POSTGRES_USER: icinga2-db - POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-db_postgres_password }}" - healthcheck: - test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] - networks: - icinga2: - ipv4_address:11.1.0.22 - deploy: - limits: - cpus: '0.10' - memory: 128M - - icinga2-web-db: - image: docker.io/library/postgres:16-alpine - restart: unless-stopped - volumes: - - ./postgres-data/icinga2-web-db:/var/lib/postgresql/data - environment: - POSTGRES_DB: icinga2-web-db - POSTGRES_USER: icinga2-web-db - POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-web-db_postgres_password }}" - healthcheck: - test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] - networks: - icinga2: - ipv4_address:11.1.0.23 - deploy: - limits: - cpus: '0.10' - memory: 128M - - # # Web UI - # icinga2-web: - # network_mode: "service:icinga2-gluetun" - # image: icinga/icingaweb2 - # volumes: - # - ./icinga2-web-data:/data - # environment: - # # Incingaweb General Configuration - # - icingaweb.enabledModules=icingadb - # - icingaweb.authentication.icingaweb2.backend=db - # - icingaweb.authentication.icingaweb2.resource=icingaweb_db - # - icingaweb.config.global.config_backend=db - # - icingaweb.config.global.config_resource=icingaweb_db - # - icingaweb.config.logging.log=php - # - icingaweb.groups.icingaweb2.backend=db - # - icingaweb.groups.icingaweb2.resource=icingaweb_db - # - # # IncingaDB Redis Database configuration - # - icingaweb.modules.icingadb.config.icingadb.resource=icingadb - # - icingaweb.modules.icingadb.redis.redis1.host=11.1.0.21 - # - icingaweb.modules.icingadb.redis.redis1.port=6379 - # - # # Connection to backend Incinga server API - # - icingaweb.modules.icingadb.commandtransports.icinga2.transport=api - # - 
icingaweb.modules.icingadb.commandtransports.icinga2.host=127.0.0.1 - # - icingaweb.modules.icingadb.commandtransports.icinga2.username=root - # - icingaweb.modules.icingadb.commandtransports.icinga2.password=123456 - # - # # Incinga Web SQL Database configuration - # - icingaweb.resources.icingaweb_db.type=db - # - icingaweb.resources.icingaweb_db.db=pgsql - # - icingaweb.resources.icingaweb_db.host=11.1.0.23 - # - icingaweb.resources.icingaweb_db.dbname=icinga2-web-db - # - icingaweb.resources.icingaweb_db.username=icinga2-web-db - # - icingaweb.resources.icingaweb_db.password="{{ service_icinga2_icinga2-web-db_postgres_password }}" - # - icingaweb.resources.icingaweb_db.charset=utf8mb4 - # - # # IncingaDB SQL Database configuration - # - icingaweb.resources.icingadb.type=db - # - icingaweb.resources.icingadb.db=pgsql - # - icingaweb.resources.icingadb.host=11.1.0.22 - # - icingaweb.resources.icingadb.dbname=icinga2-db - # - icingaweb.resources.icingadb.username=icinga2-db - # - icingaweb.resources.icingadb.password="{{ service_icinga2_icinga2-db_postgres_password }}" - # - icingaweb.resources.icingadb.charset=utf8mb4 - # - # # Incinga User/Admin Configuration - # - icingaweb.passwords.icingaweb2.icingaadmin="{{ service_icinga2_icingaadmin_password }}" - # - icingaweb.roles.Administrators.users=icingaadmin - # - icingaweb.roles.Administrators.permissions=* - # - icingaweb.roles.Administrators.groups=Administrators - # depends_on: - # - icinga2-master - # - icinga2-web-db - # deploy: - # limits: - # cpus: '0.25' - # memory: 512M - -networks: - icinga2: - driver: bridge - driver_opts: - com.docker.network.bridge.name: icinga2 - # com.docker.network.driver.enable_ip_masquerade: 0 - ipam: - config: - - subnet: 11.1.0.0/16 - # gateway: 11.5.0.1 diff --git a/services/service_icinga2/servicesecrets.example b/services/service_icinga2/servicesecrets.example deleted file mode 100644 index d13683e..0000000 --- a/services/service_icinga2/servicesecrets.example +++ /dev/null 
@@ -1,5 +0,0 @@
-# Example service secrets for icinga2 docker service, to be encrypted with ansible vault and called servicesecrets.enc
-service_icinga2_incingaadmin_password: ***
-service_icinga2_icinga2-redis_password: ***
-service_icinga2_icinga2-web-db_postgres_password: ***
-service_icinga2_icinga2-db_postgres_password: ***
diff --git a/services/service_nagios/ansible.cfg b/services/service_nagios/ansible.cfg
new file mode 100644
index 0000000..b46bfad
--- /dev/null
+++ b/services/service_nagios/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True
diff --git a/services/service_nagios/deploy-service.yml b/services/service_nagios/deploy-service.yml
new file mode 100644
index 0000000..c572ea5
--- /dev/null
+++ b/services/service_nagios/deploy-service.yml
@@ -0,0 +1,32 @@
+- hosts: localhost
+ become: 'yes'
+ vars:
+ ansible_become_method: doas
+ tasks:
+
+ - name: Create necessary directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: service_nagios
+ group: service_nagios
+ state: directory
+ loop:
+ - "{{ services_directory }}/service_nagios/nagios-data"
+ - "{{ services_directory }}/service_nagios/nagios-data/etc"
+ - "{{ services_directory }}/service_nagios/nagios-data/var"
+ - "{{ services_directory }}/service_nagios/nagios-plugins"
+
+ - name: Copy docker compose config and other git files
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ services_directory }}/service_nagios/{{ item }}"
+ owner: service_nagios
+ group: service_nagios
+ loop:
+ - docker-compose.yml
+ - post-rules.txt
+ - ssmtp.conf
+
+ - name: Debug Finish message
+ debug:
+ msg: Ansible playbook has finished!
diff --git a/services/service_nagios/docker-compose.yml b/services/service_nagios/docker-compose.yml
new file mode 100644
index 0000000..7025f02
--- /dev/null
+++ b/services/service_nagios/docker-compose.yml
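Review bot: The three settings mix spacing styles (`inventory = ../../hosts` against `become_method=doas` and `become_ask_pass=True`); pick one form for the whole file. `become_method=doas` also duplicates the `ansible_become_method: doas` set in the play vars of the new deploy-service.yml in this same commit, and the play-level value takes precedence at run time, so one of the two can be dropped to keep a single source of truth.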
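Review bot: The `Copy docker compose config and other git files` task sets `owner`/`group` but no `mode`, so the rendered docker-compose.yml — which this commit's compose file fills with `service_nagios_password` and `nagios_backend_privkey` in plain text — is created with whatever the default umask yields (commonly 0644) and is readable by every local account; add `mode: "0640"` (or `"0600"`) to that task, and the same applies to ssmtp.conf if it carries mail credentials. `become: 'yes'` is a quoted string rather than a boolean; write `become: true`. `post-rules.txt` and `ssmtp.conf` are looped over as templates but do not appear anywhere in this diff; if they are not already tracked in the service directory the task fails on first run.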
@@ -0,0 +1,45 @@
+services:
+
+ nagios-gluetun:
+ image: qmcgaw/gluetun
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - VPN_SERVICE_PROVIDER=custom
+ - VPN_TYPE=wireguard
+ - VPN_ENDPOINT_IP={{ proxy_server_ip }}
+ - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
+ - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
+ - WIREGUARD_PRIVATE_KEY={{ nagios_backend_privkey }}
+ - WIREGUARD_ADDRESSES=10.0.0.198/32
+ - FIREWALL_VPN_INPUT_PORTS=11001,8080
+ ports:
+ # Web UI Port
+ - "11001:11001"
+ volumes:
+ # Custom IPTables forwarding rules to forward TCP(web) traffic from port 11001 to port 8080
+ - ./post-rules.txt:/iptables/post-rules.txt
+ deploy:
+ resources:
+ limits:
+ cpus: '0.10'
+ memory: 512M
+
+ nagios:
+ network_mode: "service:nagios-gluetun"
+ container_name: nagios
+ volumes:
+ - ./nagios-data/etc:/opt/nagios/etc/
+ - ./nagios-data/var:/opt/nagios/var/
+ - ./ssmtp.conf:/etc/ssmtp/ssmtp.conf
+ - ./nagios-plugins:/opt/Custom-Nagios-Plugins
+ environment:
+ - NAGIOSADMIN_USER={{ service_nagios_username }}
+ - NAGIOSADMIN_PASS={{ service_nagios_password }}
+ - TZ={{ service_nagios_timezone }}
+ image: manios/nagios:latest
+ deploy:
+ resources:
+ limits:
+ cpus: '0.10'
+ memory: 256M
diff --git a/services/service_nagios/servicesecrets.example b/services/service_nagios/servicesecrets.example
new file mode 100644
index 0000000..276ed99
--- /dev/null
+++ b/services/service_nagios/servicesecrets.example
@@ -0,0 +1,4 @@
+# Example service secrets for nagios docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_nagios_username: ***
+service_nagios_password: ***
+service_nagios_timezone: Europe/London
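Review bot: `image: manios/nagios:latest` (and `image: qmcgaw/gluetun` with no tag at all) pins nothing, so any `docker compose pull` can change what runs without a reviewable commit; pin a tag and preferably a digest, e.g. `image: manios/nagios:<version>@sha256:<digest>`. `ports:` with `"11001:11001"` publishes the web UI on every host interface in addition to the VPN path that `FIREWALL_VPN_INPUT_PORTS` opens; if only the reverse proxy over WireGuard is meant to reach it, drop the mapping or bind it as `"127.0.0.1:11001:11001"`. `./ssmtp.conf:/etc/ssmtp/ssmtp.conf` can be mounted with `:ro`, as the container has no reason to write it. The admin password and WireGuard private key are passed as `environment` entries and are therefore visible in `docker inspect` and to anyone who can read the rendered compose file; `env_file` or compose `secrets` keep them out of the service definition.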
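Review bot: `service_nagios_timezone: Europe/London` is not a secret, yet the header comment says this file is the one to be vault-encrypted; a non-secret in the vaulted file disappears from plain diffs for no benefit. Consider moving it to the play `vars` of deploy-service.yml and leaving only `service_nagios_username` and `service_nagios_password` here.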