diff --git a/server-setup.yml b/server-setup.yml
index 6df5c0c..4415db6 100644
--- a/server-setup.yml
+++ b/server-setup.yml
@@ -264,6 +264,84 @@
 group: root
 mode: '1700'
+# Docker Setup
+ - name: Add Docker GPG apt Key
+ become: yes
+ apt_key:
+ url: https://download.docker.com/linux/debian/gpg
+ state: present
+ - name: Add Docker Repository
+ become: yes
+ apt_repository:
+ repo: deb https://download.docker.com/linux/debian bullseye stable
+ state: present
+ - name: Install docker packages
+ become: yes
+ apt:
+ pkg:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-buildx-plugin
+ - docker-compose-plugin
+ state: present
+ update_cache:true
+
+ # Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
+ - name : Find all service directories available in ansible configuration
+ find:
+ paths: "{{ ansibleconf_directory }}/services"
+ file_type: directory
+ use_regex: yes
+ patterns: ['service_']
+ recurse: no
+ register: findoutput
+
+ - name: Add found ansible configuration service directories to service directories variable
+ #no_log: true
+ set_fact:
+ available_servicedirs: "{{ available_servicedirs + [item.path | split('/') | last]}}"
+ with_items: "{{ findoutput.files }}"
+
+ - name: Automatically create service users based on found ansible conf service directories
+ become: yes
+ ansible.builtin.user:
+ name: "{{ item }}"
+ state: present
+ shell: /bin/bash
+ groups: docker
+ append: yes
+ loop: "{{ available_servicedirs }}"
+
+ # Services Configuration - Permissions
+ # Services
+ - name: Ensure service directory exists
+ become: yes
+ ansible.builtin.file:
+ path: "{{ services_directory }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '1755'
+
+ - name: Automatically create all services directory based on found ansible conf service directories
+ become: yes
+ ansible.builtin.file:
+ path: "{{ services_directory }}/{{ item }}"
+ state: directory
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ mode: '1700'
+ loop: "{{ available_servicedirs }}"
+
+ - name: Ensure service users upon login start in their respective service directory
+ become: yes
+ ansible.builtin.lineinfile:
+ path: "/home/{{ item }}/.profile"
+ line: "cd {{ services_directory }}/{{ item }}"
+ loop: "{{ available_servicedirs }}"
+
+
 - name: Reset doas configuration back to default
 become: yes
 template:
diff --git a/serversecrets.example b/serversecrets.example
index f6cc8dc..0f26cf3 100644
--- a/serversecrets.example
+++ b/serversecrets.example
@@ -24,6 +24,11 @@ usbkey_keysdir: /mnt/keys
 # Frontend reverse proxy VPN key
 vpn_server_pubkey: ***
+# Other services - Private Keys
+icinga2_backend_privkey: ***
+# Other services - Public Keys
+icinga2_backend_pubkey: ***
+
 # VPN Key to link reverse proxy and cockpit backend
 cockpit_backend_privkey: ***
diff --git a/services/service_icinga2/deploy-service.yml b/services/service_icinga2/deploy-service.yml
new file mode 100644
index 0000000..9f3ebcf
--- /dev/null
+++ b/services/service_icinga2/deploy-service.yml
@@ -0,0 +1,32 @@
+- hosts: localhost
+ become: 'yes'
+ vars:
+ ansible_become_method: doas
+ tasks:
+
+ - name: Create necessary directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: service_icinga2
+ group: service_icinga2
+ state: directory
+ loop:
+ - "{{ services_directory }}/service_icinga2/icinga2-master-data"
+ - "{{ services_directory }}/service_icinga2/redis-data"
+ - "{{ services_directory }}/service_icinga2/postgres-data"
+ - "{{ services_directory }}/service_icinga2/postgres-data/icinga2-db"
+ - "{{ services_directory }}/service_icinga2/postgres-data/icinga2-web-db"
+ - "{{ services_directory }}/service_icinga2/icinga2-web-data"
+
+ - name: Copy docker compose config and other git files
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ services_directory }}/service_icinga2/{{ item }}"
+ owner: service_icinga2
+ group: service_icinga2
+ loop:
+ - docker-compose.yml
+
+ - name: Debug Finish message
+ debug:
+ msg: Ansible playbook has finished!
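Review bot: The 'Automatically create service users' task puts every generated service user in the `docker` group (`groups: docker`), which makes each of them root-equivalent on the host — anyone who can talk to the Docker socket can start a container with `-v /:/host` — so the comment above it promising that a user "can only edit the files in their folder" does not hold. If per-service containment is the goal, run the daemon rootless or put an allow-listing socket proxy in front of it, and at minimum replace that comment with one stating that docker-group membership grants host root. Separately, the 'Add Docker GPG apt Key' task installs the key without an `id:` fingerprint pin and into the global trusted keyring, so a substituted key would be trusted for every repository; pin it with `id:` set to the fingerprint from Docker's install docs, or fetch it with `get_url` into `/etc/apt/keyrings/` and reference it via `signed-by=` in the `apt_repository` line. Also, `update_cache:true` as shown has no space after the colon, which YAML reads as one plain scalar rather than a key/value pair, so the task should fail to load unless that is a rendering artifact of this page.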
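Review bot: The 'Copy docker compose config' template task sets `owner`/`group` but no `mode`, and the rendered docker-compose.yml carries the WireGuard private key and every database password inline, so it is written with the default umask (typically 0644) and is readable by any process that can traverse the service directory; add `mode: '0600'` to that task. The 'Create necessary directories' task likewise leaves `mode` unset for the directories that will hold Postgres and Redis data, so I would set `mode: '0700'` there too rather than rely solely on the parent's `1700` from server-setup.yml. `become: 'yes'` is a quoted string that Ansible coerces; `become: true` is the unambiguous form.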
diff --git a/services/service_icinga2/docker-compose.yml b/services/service_icinga2/docker-compose.yml
new file mode 100644
index 0000000..5c04f6e
--- /dev/null
+++ b/services/service_icinga2/docker-compose.yml
@@ -0,0 +1,189 @@
+services:
+
+ # Gluetun is used to connect container to VPN
+ icinga2-gluetun:
+ image: qmcgaw/gluetun
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - VPN_SERVICE_PROVIDER=custom
+ - VPN_TYPE=wireguard
+ - VPN_ENDPOINT_IP={{ proxy_server_ip }}
+ - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
+ - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
+ - WIREGUARD_PRIVATE_KEY={{ icinga2_backend_privkey }}
+ - WIREGUARD_ADDRESSES=10.0.0.4/32
+ - FIREWALL_VPN_INPUT_PORTS=8080,5665
+ networks:
+ icinga2:
+ ports:
+ # Web UI Port
+ - "8080:8080"
+ # Backend API Port
+ - "5665:5665"
+ deploy:
+ limits:
+ cpus: '0.10'
+ memory: 512M
+
+ # Backend service that does the checking and hosts API
+ icinga2-master:
+ network_mode: "service:icinga2-gluetun"
+ image: icinga/icinga2
+ container_name: icinga2-master
+ hostname: icinga2-master
+ volumes:
+ - ./icinga2-master-data:/data
+ environment:
+ - ICINGA_MASTER=1
+ depends_on:
+ - icinga2-dbhandler
+ deploy:
+ limits:
+ cpus: '0.25'
+ memory: 512M
+
+ # Service that handles everything between icinga SQL and icinga Redis databases
+ icinga2-dbhandler: image: icinga/icingadb
+ restart: always
+ environment:
+ - ICINGADB_REDIS_HOST=11.1.0.21
+ - ICINGADB_REDIS_PORT=6379
+ - ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2-redis_password }}"
+ - ICINGADB_DATABASE_TYPE=pgsql
+ - ICINGADB_DATABASE_HOST=11.1.0.22
+ - ICINGADB_DATABASE_PORT=5432
+ - ICINGADB_DATABASE_DATABASE=icinga2-db
+ - ICINGADB_DATABASE_USER=icinga2-db
+ - ICINGADB_DATABASE_PASSWORD="{{ service_icinga2_icinga2-db_postgres_password }}"
+ depends_on:
+ - icinga2-redis
+ - icinga2-db
+ networks:
+ icinga2:
+ ipv4_address:11.1.0.20
+ deploy:
+ limits:
+ cpus: '0.10'
+ memory: 256M
+
+ icinga2-redis:
+ image: "redis:alpine"
+ command: "redis-server --save 60 1 --loglevel warning --requirepass {{ service_icinga2_icinga2-redis_password }}"
+ volumes:
+ - ./redis-data:/data
+ networks:
+ icinga2:
+ ipv4_address:11.1.0.21
+ deploy:
+ limits:
+ cpus: '0.10'
+ memory: 128M
+
+ icinga2-db:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ volumes:
+ - ./postgres-data/icinga2-db:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: icinga2-db
+ POSTGRES_USER: icinga2-db
+ POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-db_postgres_password }}"
+ healthcheck:
+ test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+ networks:
+ icinga2:
+ ipv4_address:11.1.0.22
+ deploy:
+ limits:
+ cpus: '0.10'
+ memory: 128M
+
+ icinga2-web-db:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ volumes:
+ - ./postgres-data/icinga2-web-db:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: icinga2-web-db
+ POSTGRES_USER: icinga2-web-db
+ POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-web-db_postgres_password }}"
+ healthcheck:
+ test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+ networks:
+ icinga2:
+ ipv4_address:11.1.0.23
+ deploy:
+ limits:
+ cpus: '0.10'
+ memory: 128M
+
+ # # Web UI
+ # icinga2-web:
+ # network_mode: "service:icinga2-gluetun"
+ # image: icinga/icingaweb2
+ # volumes:
+ # - ./icinga2-web-data:/data
+ # environment:
+ # # Incingaweb General Configuration
+ # - icingaweb.enabledModules=icingadb
+ # - icingaweb.authentication.icingaweb2.backend=db
+ # - icingaweb.authentication.icingaweb2.resource=icingaweb_db
+ # - icingaweb.config.global.config_backend=db
+ # - icingaweb.config.global.config_resource=icingaweb_db
+ # - icingaweb.config.logging.log=php
+ # - icingaweb.groups.icingaweb2.backend=db
+ # - icingaweb.groups.icingaweb2.resource=icingaweb_db
+ #
+ # # IncingaDB Redis Database configuration
+ # - icingaweb.modules.icingadb.config.icingadb.resource=icingadb
+ # - icingaweb.modules.icingadb.redis.redis1.host=11.1.0.21
+ # - icingaweb.modules.icingadb.redis.redis1.port=6379
+ #
+ # # Connection to backend Incinga server API
+ # - icingaweb.modules.icingadb.commandtransports.icinga2.transport=api
+ # - icingaweb.modules.icingadb.commandtransports.icinga2.host=127.0.0.1
+ # - icingaweb.modules.icingadb.commandtransports.icinga2.username=root
+ # - icingaweb.modules.icingadb.commandtransports.icinga2.password=123456
+ #
+ # # Incinga Web SQL Database configuration
+ # - icingaweb.resources.icingaweb_db.type=db
+ # - icingaweb.resources.icingaweb_db.db=pgsql
+ # - icingaweb.resources.icingaweb_db.host=11.1.0.23
+ # - icingaweb.resources.icingaweb_db.dbname=icinga2-web-db
+ # - icingaweb.resources.icingaweb_db.username=icinga2-web-db
+ # - icingaweb.resources.icingaweb_db.password="{{ service_icinga2_icinga2-web-db_postgres_password }}"
+ # - icingaweb.resources.icingaweb_db.charset=utf8mb4
+ #
+ # # IncingaDB SQL Database configuration
+ # - icingaweb.resources.icingadb.type=db
+ # - icingaweb.resources.icingadb.db=pgsql
+ # - icingaweb.resources.icingadb.host=11.1.0.22
+ # - icingaweb.resources.icingadb.dbname=icinga2-db
+ # - icingaweb.resources.icingadb.username=icinga2-db
+ # - icingaweb.resources.icingadb.password="{{ service_icinga2_icinga2-db_postgres_password }}"
+ # - icingaweb.resources.icingadb.charset=utf8mb4
+ #
+ # # Incinga User/Admin Configuration
+ # - icingaweb.passwords.icingaweb2.icingaadmin="{{ service_icinga2_icingaadmin_password }}"
+ # - icingaweb.roles.Administrators.users=icingaadmin
+ # - icingaweb.roles.Administrators.permissions=*
+ # - icingaweb.roles.Administrators.groups=Administrators
+ # depends_on:
+ # - icinga2-master
+ # - icinga2-web-db
+ # deploy:
+ # limits:
+ # cpus: '0.25'
+ # memory: 512M
+
+networks:
+ icinga2:
+ driver: bridge
+ driver_opts:
+ com.docker.network.bridge.name: icinga2
+ # com.docker.network.driver.enable_ip_masquerade: 0
+ ipam:
+ config:
+ - subnet: 11.1.0.0/16
+ # gateway: 11.5.0.1
diff --git a/services/service_icinga2/servicesecrets.example b/services/service_icinga2/servicesecrets.example
new file mode 100644
index 0000000..d13683e
--- /dev/null
+++ b/services/service_icinga2/servicesecrets.example
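Review bot: `icinga2-dbhandler: image: icinga/icingadb` sits on a single line — and the hunk's 189-line count only adds up if it really does — which YAML rejects with a "mapping values are not allowed" error; the same goes for `ipv4_address:11.1.0.20` and its siblings, which have no space after the colon, and `deploy.limits` should be `deploy.resources.limits`, so the file needs a `docker compose config` pass before anything else. Once it parses, the `ports:` block on icinga2-gluetun publishes 8080 and 5665 on every host interface, so the web UI and the Icinga API are reachable from the host's own network and not only through the WireGuard tunnel that `FIREWALL_VPN_INPUT_PORTS` gates; if the reverse proxy is the only intended entry point, drop `ports:` or bind locally with `- "127.0.0.1:8080:8080"` and `- "127.0.0.1:5665:5665"`. In list-form `environment:` Compose keeps the double quotes as part of the value, so `ICINGADB_REDIS_PASSWORD="{{ … }}"` and `ICINGADB_DATABASE_PASSWORD="{{ … }}"` will carry literal quotes while `--requirepass` and `POSTGRES_PASSWORD` receive the bare password, and icingadb authentication will presumably fail; write those two entries unquoted or use mapping syntax as the postgres services do. `11.1.0.0/16` is publicly routed address space rather than RFC 1918, so any real host in that range becomes unreachable from these containers; pick something like `172.30.0.0/16`. Finally, the WireGuard private key and every password end up in container environments and `docker inspect` output, the gluetun, icinga2 and icingadb images carry no tag or digest, and the commented-out icingaweb block still holds `password=123456`, so consider Docker secrets, pinned image references, and templating that password before the block is ever enabled.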
@@ -0,0 +1,5 @@
+# Example service secrets for icinga2 docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_icinga2_incingaadmin_password: ***
+service_icinga2_icinga2-redis_password: ***
+service_icinga2_icinga2-web-db_postgres_password: ***
+service_icinga2_icinga2-db_postgres_password: ***
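Review bot: The variable names `service_icinga2_icinga2-redis_password`, `service_icinga2_icinga2-web-db_postgres_password` and `service_icinga2_icinga2-db_postgres_password` contain hyphens, which are not legal in Ansible/Jinja identifiers; in docker-compose.yml `{{ service_icinga2_icinga2-redis_password }}` is parsed as the subtraction `service_icinga2_icinga2 - redis_password` and will raise an undefined-variable error when the template is rendered. Rename them with underscores only, e.g. `service_icinga2_redis_password`, `service_icinga2_web_db_postgres_password`, `service_icinga2_db_postgres_password`, and update the references in docker-compose.yml to match. The first key, `service_icinga2_incingaadmin_password`, is also misspelled relative to `service_icinga2_icingaadmin_password` used in the currently commented-out icingaweb block, so enabling that block would fail for the same reason.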