
refactor icinga playbook (not yet fully functionnal)

keep-around/441bb62798e1d13de9e6fa259e2b013ebcc09baf
François Poulain 4 years ago
parent
commit
b9de2756ce
  1. 3
      group_vars/all/infrastructure.yml
  2. 15
      host_vars/icinga-host/monitoring.yml
  3. 82
      molecule/icinga/icinga-playbook.yml
  4. 9
      molecule/icinga/molecule.yml
  5. 8
      molecule/icinga/playbook.yml
  6. 2
      molecule/icinga/roles/icinga2/templates/host.conf
  7. 2
      molecule/icinga/roles/icinga2/templates/nginx.conf
  8. 10
      molecule/icinga/test-icinga-client-playbook.yml
  9. 9
      molecule/icinga/test-icinga-playbook.yml

3
group_vars/all/infrastructure.yml

@ -0,0 +1,3 @@
domain: securedrop.club
monitoring_master: icinga-host

15
host_vars/icinga-host/monitoring.yml

@ -0,0 +1,15 @@
---
icingaadmins_email: icingaadmins@{{ domain }}
# vhost_fqdn: icinga.{{ domain }}
vhost_fqdn: _
# with_https: true
# available but un-needed options for let's encrypt
# certbot_redirect: true
# use fake LE
# molecule verify will fail with it
# certbot_test: true
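Review bot: These host_vars leave `with_https` commented out and set `vhost_fqdn: _`, and nothing in the file says what that means for the deployed host. Going by the nginx.conf and host.conf hunks in this commit, that combination skips the HTTPS redirect and `http_ssl`, so the Icinga Web 2 login at `/icingaweb2/authentication/login` would be served over plain HTTP on a catch-all `server_name`. Because this file sits under `host_vars/` rather than `molecule/`, it presumably applies to the real icinga host as well as the test scenario. I would add a comment above `vhost_fqdn` such as `# test default: catch-all vhost, no TLS; set vhost_fqdn and with_https before exposing icingaweb2`.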

82
molecule/icinga/icinga-playbook.yml

@ -1,37 +1,59 @@
---
# Note
# To add https via letsencrypt:
# 1- define 'vhost_fqdn'
# 2- un-comment 'https_redirect: true'
# 3- un-comment 'role: certbot-nginx'
- name: configure firewall
hosts: localhost
connection: local
gather_facts: False
vars:
os_security_group_tcp: [ 5665 ]
tasks:
roles:
- role: firewall
os_security_group_tcp: [ 5665 ]
- name: configure firewall
include_role:
name: firewall
- name: install icinga VM
hosts: icinga-host
vars:
domain: securedrop.club
# icingaadmins_email and vhost_fqdn used by icinga2 and certbot-nginx roles
vhost_fqdn: _
icingaadmins_email: icingaadmins@{{ domain }}
roles:
- role: icinga2
# force https redirection
# https_redirect: true
#- role: certbot-nginx
# available but un-needed options
# certbot_redirect: true
# use fake LE
# molecule verify will fail with it
# certbot_test: true
- role: icinga2_common
become: True
- name: install icinga master
hosts: all
become: true
tasks:
- name: install icinga master
include_role:
name: icinga2
when:
- 'monitoring_master == inventory_hostname'
- name: install letsencrypt
include_role:
name: certbot-nginx
when:
- 'monitoring_master == inventory_hostname'
- 'with_https is defined'
- name: install icinga clients
hosts: all
become: true
tasks:
- name: install icinga client
include_role:
name: icinga2_client
when:
- 'monitoring_master != inventory_hostname'
- 'not_monitored is undefined'
- name: install icinga monitoring capabilities
hosts: all
become: true
tasks:
- name: install icinga monitoring capabilities
include_role:
name: icinga2_common
when:
- 'not_monitored is undefined'
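Review bot: The `when` conditions `'with_https is defined'` and `'not_monitored is undefined'` test only whether the variable exists, so `with_https: false` still pulls in certbot-nginx and `not_monitored: false` still drops the host from monitoring. The second case is the riskier one, since a host can silently lose its icinga2_client and icinga2_common roles. The same `is defined` test appears in the host.conf and nginx.conf template hunks, where `with_https: false` would turn on `http_ssl` and the HTTPS redirect. I would compare values instead: `- 'with_https | default(false) | bool'` and `- 'not (not_monitored | default(false) | bool)'`, with `{% if with_https | default(false) | bool %}` in both templates. The old and new sides of this section are not distinguishable on this page, so this assumes the `when` lists are on the new side.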

9
molecule/icinga/molecule.yml

@ -14,6 +14,15 @@ provisioner:
name: ansible-lint
env:
ANSIBLE_ROLES_PATH: roles:../../../infrastructure/roles
inventory:
group_vars:
all:
monitoring_master: icinga-host
domain: securedrop.club
host_vars:
icinga-host:
icingaadmins_email: icingaadmins@{{ domain }}
vhost_fqdn: _
scenario:
name: icinga
test_sequence:
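Review bot: The `inventory` block repeats `monitoring_master`, `domain`, `icingaadmins_email` and `vhost_fqdn` with the same values this commit puts in `group_vars/all/infrastructure.yml` and `host_vars/icinga-host/monitoring.yml`, so the scenario tests a copy of the variables that can drift from the real ones. Molecule's provisioner can link to existing variable directories instead (`inventory: links: group_vars: ...` and `host_vars: ...`); the relative paths depend on the repository layout, which is not visible here. If the copy is intentional, a comment such as `# keep in sync with group_vars/all/infrastructure.yml and host_vars/icinga-host/monitoring.yml` would help. The `provisioner:` mapping starts above this hunk and `scenario:` continues below it.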

8
molecule/icinga/playbook.yml

@ -1,5 +1,9 @@
---
- import_playbook: ../sexy-debian/sexy-debian-playbook.yml
- import_playbook: icinga-playbook.yml
- import_playbook: test-icinga-playbook.yml
- import_playbook: test-icinga-client-playbook.yml
- name: deploy dummy monitoring object in molecule environment
hosts: monitoring-client-host
become: true
roles:
- role: deploy_dummy_monitoring_objects

2
molecule/icinga/roles/icinga2/templates/host.conf

@ -29,7 +29,7 @@ object Host "{{ inventory_hostname }}" {
{% endif %}
http_uri = "/icingaweb2/authentication/login"
http_expect = "HTTP/1.1 302 Found,Location: /icingaweb2/authentication/login?_checkCookie=1"
{% if https_redirect is defined %}
{% if with_https is defined %}
http_ssl = true
{% endif %}
}

2
molecule/icinga/roles/icinga2/templates/nginx.conf

@ -6,7 +6,7 @@ server {
server_name {{ vhost_fqdn }};
{% if https_redirect is defined %}
{% if with_https is defined %}
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;

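--- a/molecule/icinga/test-icinga-client-playbook.yml
+++ b/molecule/icinga/test-icinga-client-playbook.yml
@@ -1,10 +0,0 @@
----
-- name: install monitoring client
-hosts: monitoring-client-host
-vars:
-domain: 'securedrop.club'
-roles:
-- { role: icinga2_client }
-- { role: icinga2_common }
-- { role: deploy_dummy_monitoring_objects }
-become: True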

9
molecule/icinga/test-icinga-playbook.yml

@ -1,9 +0,0 @@
---
- name: configure firewall
hosts: localhost
connection: local
gather_facts: False
roles:
- role: firewall
os_security_group_tcp_external: [ 5665 ]