Nagios setup for backend monitoring

Curt Spark 2024-11-06 01:44:06 +00:00
parent e6e5346f25
commit 7ee5e4eed1
11 changed files with 115 additions and 241 deletions


@ -50,6 +50,16 @@
dest: "/etc/nginx/sites-enabled/cockpit.{{ domain_name }}" dest: "/etc/nginx/sites-enabled/cockpit.{{ domain_name }}"
state: link state: link
- name: Ensure reverse proxy nagios domain config is updated
template:
src: proxy_resources/etc/nginx/sites-available/nagios.domain
dest: "/etc/nginx/sites-available/nagios.{{ domain_name }}"
- name: Enable the reverse proxy nagios domain config
ansible.builtin.file:
src: "/etc/nginx/sites-available/nagios.{{ domain_name }}"
dest: "/etc/nginx/sites-enabled/nagios.{{ domain_name }}"
state: link
- name: Enable NGinx - name: Enable NGinx
ansible.builtin.systemd: ansible.builtin.systemd:
name: nginx name: nginx
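Review bot: The new `Ensure reverse proxy nagios domain config is updated` task uses the short module name `template:` while the task right after it and the surrounding cockpit tasks use fully qualified names (`ansible.builtin.file:`, `ansible.builtin.systemd:`); write it as `ansible.builtin.template:` so module resolution is unambiguous and ansible-lint, which this same commit adds to the package list, does not flag it. The rendered sites-available file also gets no `owner`/`mode`, so its permissions depend on the umask the play runs under; an explicit `mode: "0644"` (quoted so the octal stays a string) makes the intent visible. The `Enable NGinx` systemd task that follows is cut off by the hunk, so it cannot be seen whether it restarts or only ensures the service; if it does not, the new vhost and symlink need a `notify` to a reload handler before they take effect.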


@ -6,7 +6,7 @@ server {
server_name cockpit.{{ domain_name }} www.cockpit.{{ domain_name }}; server_name cockpit.{{ domain_name }} www.cockpit.{{ domain_name }};
location / { location / {
proxy_pass http://10.0.0.199:9090; proxy_pass https://10.0.0.199:9090;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
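Review bot: Switching `proxy_pass` to `https://10.0.0.199:9090` encrypts the hop to the Cockpit backend but, with nginx defaults, does not authenticate it: upstream certificate verification stays off unless `proxy_ssl_verify on;` is set together with `proxy_ssl_trusted_certificate <path-to-backend-ca>;` (and `proxy_ssl_server_name on;` when the backend certificate is issued for a hostname rather than the address). Without those, whatever answers on that VPN address is accepted as the backend, which is presumably the exposure the move to TLS was meant to close. The `location /` block continues past the hunk, so the directives may already be present further down; if not, they belong beside the `proxy_set_header` lines.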


@ -46,6 +46,9 @@
# Two Factor Authentication for Cockpit # Two Factor Authentication for Cockpit
- libpam-oath - libpam-oath
- oathtool - oathtool
# For LSP
- ansible-lint
available_servicedirs: [] available_servicedirs: []
tasks: tasks:


@ -25,9 +25,9 @@ usbkey_keysdir: /mnt/keys
vpn_server_pubkey: *** vpn_server_pubkey: ***
# Other services - Private Keys # Other services - Private Keys
icinga2_backend_privkey: *** nagios_backend_privkey: ***
# Other services - Public Keys # Other services - Public Keys
icinga2_backend_pubkey: *** nagios_backend_pubkey: ***
# VPN Key to link reverse proxy and cockpit backend # VPN Key to link reverse proxy and cockpit backend
cockpit_backend_privkey: *** cockpit_backend_privkey: ***


@ -1,32 +0,0 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_icinga2
group: service_icinga2
state: directory
loop:
- "{{ services_directory }}/service_icinga2/icinga2-master-data"
- "{{ services_directory }}/service_icinga2/redis-data"
- "{{ services_directory }}/service_icinga2/postgres-data"
- "{{ services_directory }}/service_icinga2/postgres-data/icinga2-db"
- "{{ services_directory }}/service_icinga2/postgres-data/icinga2-web-db"
- "{{ services_directory }}/service_icinga2/icinga2-web-data"
- name: Copy docker compose config and other git files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_icinga2/{{ item }}"
owner: service_icinga2
group: service_icinga2
loop:
- docker-compose.yml
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!


@ -1,189 +0,0 @@
services:
# Gluetun is used to connect container to VPN
icinga2-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ icinga2_backend_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.4/32
- FIREWALL_VPN_INPUT_PORTS=8080,5665
networks:
icinga2:
ports:
# Web UI Port
- "8080:8080"
# Backend API Port
- "5665:5665"
deploy:
limits:
cpus: '0.10'
memory: 512M
# Backend service that does the checking and hosts API
icinga2-master:
network_mode: "service:icinga2-gluetun"
image: icinga/icinga2
container_name: icinga2-master
hostname: icinga2-master
volumes:
- ./icinga2-master-data:/data
environment:
- ICINGA_MASTER=1
depends_on:
- icinga2-dbhandler
deploy:
limits:
cpus: '0.25'
memory: 512M
# Service that handles everything between icinga SQL and icinga Redis databases
icinga2-dbhandler: image: icinga/icingadb
restart: always
environment:
- ICINGADB_REDIS_HOST=11.1.0.21
- ICINGADB_REDIS_PORT=6379
- ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2-redis_password }}"
- ICINGADB_DATABASE_TYPE=pgsql
- ICINGADB_DATABASE_HOST=11.1.0.22
- ICINGADB_DATABASE_PORT=5432
- ICINGADB_DATABASE_DATABASE=icinga2-db
- ICINGADB_DATABASE_USER=icinga2-db
- ICINGADB_DATABASE_PASSWORD="{{ service_icinga2_icinga2-db_postgres_password }}"
depends_on:
- icinga2-redis
- icinga2-db
networks:
icinga2:
ipv4_address:11.1.0.20
deploy:
limits:
cpus: '0.10'
memory: 256M
icinga2-redis:
image: "redis:alpine"
command: "redis-server --save 60 1 --loglevel warning --requirepass {{ service_icinga2_icinga2-redis_password }}"
volumes:
- ./redis-data:/data
networks:
icinga2:
ipv4_address:11.1.0.21
deploy:
limits:
cpus: '0.10'
memory: 128M
icinga2-db:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- ./postgres-data/icinga2-db:/var/lib/postgresql/data
environment:
POSTGRES_DB: icinga2-db
POSTGRES_USER: icinga2-db
POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-db_postgres_password }}"
healthcheck:
test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
icinga2:
ipv4_address:11.1.0.22
deploy:
limits:
cpus: '0.10'
memory: 128M
icinga2-web-db:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- ./postgres-data/icinga2-web-db:/var/lib/postgresql/data
environment:
POSTGRES_DB: icinga2-web-db
POSTGRES_USER: icinga2-web-db
POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-web-db_postgres_password }}"
healthcheck:
test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
icinga2:
ipv4_address:11.1.0.23
deploy:
limits:
cpus: '0.10'
memory: 128M
# # Web UI
# icinga2-web:
# network_mode: "service:icinga2-gluetun"
# image: icinga/icingaweb2
# volumes:
# - ./icinga2-web-data:/data
# environment:
# # Incingaweb General Configuration
# - icingaweb.enabledModules=icingadb
# - icingaweb.authentication.icingaweb2.backend=db
# - icingaweb.authentication.icingaweb2.resource=icingaweb_db
# - icingaweb.config.global.config_backend=db
# - icingaweb.config.global.config_resource=icingaweb_db
# - icingaweb.config.logging.log=php
# - icingaweb.groups.icingaweb2.backend=db
# - icingaweb.groups.icingaweb2.resource=icingaweb_db
#
# # IncingaDB Redis Database configuration
# - icingaweb.modules.icingadb.config.icingadb.resource=icingadb
# - icingaweb.modules.icingadb.redis.redis1.host=11.1.0.21
# - icingaweb.modules.icingadb.redis.redis1.port=6379
#
# # Connection to backend Incinga server API
# - icingaweb.modules.icingadb.commandtransports.icinga2.transport=api
# - icingaweb.modules.icingadb.commandtransports.icinga2.host=127.0.0.1
# - icingaweb.modules.icingadb.commandtransports.icinga2.username=root
# - icingaweb.modules.icingadb.commandtransports.icinga2.password=123456
#
# # Incinga Web SQL Database configuration
# - icingaweb.resources.icingaweb_db.type=db
# - icingaweb.resources.icingaweb_db.db=pgsql
# - icingaweb.resources.icingaweb_db.host=11.1.0.23
# - icingaweb.resources.icingaweb_db.dbname=icinga2-web-db
# - icingaweb.resources.icingaweb_db.username=icinga2-web-db
# - icingaweb.resources.icingaweb_db.password="{{ service_icinga2_icinga2-web-db_postgres_password }}"
# - icingaweb.resources.icingaweb_db.charset=utf8mb4
#
# # IncingaDB SQL Database configuration
# - icingaweb.resources.icingadb.type=db
# - icingaweb.resources.icingadb.db=pgsql
# - icingaweb.resources.icingadb.host=11.1.0.22
# - icingaweb.resources.icingadb.dbname=icinga2-db
# - icingaweb.resources.icingadb.username=icinga2-db
# - icingaweb.resources.icingadb.password="{{ service_icinga2_icinga2-db_postgres_password }}"
# - icingaweb.resources.icingadb.charset=utf8mb4
#
# # Incinga User/Admin Configuration
# - icingaweb.passwords.icingaweb2.icingaadmin="{{ service_icinga2_icingaadmin_password }}"
# - icingaweb.roles.Administrators.users=icingaadmin
# - icingaweb.roles.Administrators.permissions=*
# - icingaweb.roles.Administrators.groups=Administrators
# depends_on:
# - icinga2-master
# - icinga2-web-db
# deploy:
# limits:
# cpus: '0.25'
# memory: 512M
networks:
icinga2:
driver: bridge
driver_opts:
com.docker.network.bridge.name: icinga2
# com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.1.0.0/16
# gateway: 11.5.0.1


@ -1,5 +0,0 @@
# Example service secrets for icinga2 docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_icinga2_incingaadmin_password: ***
service_icinga2_icinga2-redis_password: ***
service_icinga2_icinga2-web-db_postgres_password: ***
service_icinga2_icinga2-db_postgres_password: ***


@ -0,0 +1,6 @@
[defaults]
inventory = ../../hosts
[privilege_escalation]
become_method=doas
become_ask_pass=True
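Review bot: The new ansible.cfg mixes two key styles — `inventory = ../../hosts` with spaces around `=`, `become_method=doas` and `become_ask_pass=True` without — so it reads as two authors; pick one (Ansible's own sample configs use `key = value`). The playbook added in this commit also hard-codes `ansible_become_method: doas` under `vars:`, which duplicates `become_method=doas` here; keeping the setting in one place avoids the two drifting apart later. `become_ask_pass=True` is the right choice for a doas host, since it keeps the play from depending on cached or passwordless privilege escalation.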


@ -0,0 +1,32 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_nagios
group: service_nagios
state: directory
loop:
- "{{ services_directory }}/service_nagios/nagios-data"
- "{{ services_directory }}/service_nagios/nagios-data/etc"
- "{{ services_directory }}/service_nagios/nagios-data/var"
- "{{ services_directory }}/service_nagios/nagios-plugins"
- name: Copy docker compose config and other git files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_nagios/{{ item }}"
owner: service_nagios
group: service_nagios
loop:
- docker-compose.yml
- post-rules.txt
- ssmtp.conf
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!
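Review bot: The `Copy docker compose config and other git files` task renders `docker-compose.yml` and `ssmtp.conf` to disk without a `mode`, and the compose template written by this commit expands `{{ nagios_backend_privkey }}` and `{{ service_nagios_password }}` into that file, so the WireGuard private key and the Nagios admin password land on disk with whatever the default umask yields (commonly world-readable 0644). Add `mode: "0600"` to that `ansible.builtin.template:` task — quoted, so YAML does not read the octal as an integer; `ssmtp.conf` normally carries mail credentials as well, so the same mode fits there. Separately, `become: 'yes'` is a quoted string where a boolean is meant, and `become: true` is what ansible-lint expects; `debug:` could likewise be `ansible.builtin.debug:` to match the fully qualified module names used by the other tasks.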


@ -0,0 +1,45 @@
services:
nagios-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ nagios_backend_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.198/32
- FIREWALL_VPN_INPUT_PORTS=11001,8080
ports:
# Web UI Port
- "11001:11001"
volumes:
# Custom IPTables forwarding rules to forward TCP(web) traffic from port 11001 to port 8080
- ./post-rules.txt:/iptables/post-rules.txt
deploy:
resources:
limits:
cpus: '0.10'
memory: 512M
nagios:
network_mode: "service:nagios-gluetun"
container_name: nagios
volumes:
- ./nagios-data/etc:/opt/nagios/etc/
- ./nagios-data/var:/opt/nagios/var/
- ./ssmtp.conf:/etc/ssmtp/ssmtp.conf
- ./nagios-plugins:/opt/Custom-Nagios-Plugins
environment:
- NAGIOSADMIN_USER={{ service_nagios_username }}
- NAGIOSADMIN_PASS={{ service_nagios_password }}
- TZ={{ service_nagios_timezone }}
image: manios/nagios:latest
deploy:
resources:
limits:
cpus: '0.10'
memory: 256M
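Review bot: `image: manios/nagios:latest` (and `image: qmcgaw/gluetun` with no tag at all) pulls whatever the registry serves at deploy time, so a changed or compromised upstream image reaches the host with no review step; pin both, e.g. `image: manios/nagios:<pinned-tag>` and `image: qmcgaw/gluetun:<pinned-tag>` (placeholders — use the versions actually tested), ideally by `@sha256:` digest. The environment entries are plain YAML scalars, so `- NAGIOSADMIN_PASS={{ service_nagios_password }}` is silently truncated at the first ` #` or `: ` the rendered password contains; quote it as `- "NAGIOSADMIN_PASS={{ service_nagios_password }}"` and do the same for `NAGIOSADMIN_USER`. Both the VPN private key and the admin password are also passed as container environment, which `docker inspect` and every process in the container can read; gluetun documents reading the WireGuard key from a Docker secret file, and the compose `secrets:` mechanism is the usual way to keep such values out of the environment. The `nagios` service also has no `restart:` policy, unlike the services in the icinga2 compose file this commit deletes, so after a daemon restart it stays down until redeployed by hand.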


@ -0,0 +1,4 @@
# Example service secrets for nagios docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_nagios_username: ***
service_nagios_password: ***
service_nagios_timezone: Europe/London