
icinga: do not bind icinga service to icinga-host

Also prefer to explicitly reference groups['icinga-service-group'][0]
instead of looping over groups['icinga-service-group'] because the
architecture of the playbook is not designed for multiple icinga
masters.

Fixes: main/infrastructure#219
Loïc Dachary 11 months ago
committed by Loic Dachary
parent
commit
dc4d00ff73
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. 6
      docs/services/monitoring.rst
  2. 6
      docs/user-guide.rst
  3. 2
      enough-before-playbook.yml
  4. 3
      inventory/services.yml
  5. 4
      playbooks/api/inventory/services.yml
  6. 4
      playbooks/backup/inventory/services.yml
  7. 4
      playbooks/bind/inventory/services.yml
  8. 4
      playbooks/bind/roles/monitoring-bind/handlers/main.yml
  9. 4
      playbooks/bind/roles/monitoring-bind/tasks/main.yml
  10. 4
      playbooks/chat/inventory/services.yml
  11. 4
      playbooks/cloud/inventory/services.yml
  12. 4
      playbooks/enough/inventory/services.yml
  13. 4
      playbooks/firewall/inventory/services.yml
  14. 4
      playbooks/forum/inventory/services.yml
  15. 4
      playbooks/gitlab/inventory/services.yml
  16. 4
      playbooks/icinga/inventory/services.yml
  17. 5
      playbooks/icinga/roles/deploy_dummy_monitoring_objects/tasks/main.yml
  18. 21
      playbooks/icinga/roles/icinga2_client/tasks/main.yml
  19. 6
      playbooks/icinga/roles/icinga2_client/templates/zones.conf.client
  20. 3
      playbooks/icinga/roles/icinga2_common/handlers/main.yml
  21. 3
      playbooks/icinga/roles/monitor_http_vhost/handlers/main.yml
  22. 3
      playbooks/icinga/roles/monitor_http_vhost/tasks/main.yml
  23. 3
      playbooks/icinga/roles/monitor_tor_http_vhost/handlers/main.yml
  24. 5
      playbooks/icinga/roles/monitor_tor_http_vhost/tasks/main.yml
  25. 2
      playbooks/icinga/test-icinga-playbook.yml
  26. 4
      playbooks/openvpn/inventory/services.yml
  27. 1
      playbooks/openvpn/roles/openvpn/tasks/openvpn.yml
  28. 4
      playbooks/packages/inventory/services.yml
  29. 4
      playbooks/pad/inventory/services.yml
  30. 4
      playbooks/postfix/inventory/services.yml
  31. 1
      playbooks/postfix/roles/postfix_relay_monitoring/handlers/main.yml
  32. 4
      playbooks/postfix/roles/postfix_relay_monitoring/tasks/main.yml
  33. 5
      playbooks/securedrop/inventory/service.yml
  34. 4
      playbooks/wazuh/inventory/services.yml
  35. 4
      playbooks/weblate/inventory/services.yml
  36. 4
      playbooks/website/inventory/services.yml
  37. 4
      playbooks/wekan/inventory/services.yml
  38. 2
      tests/enough/common/test_common_service.py

6
docs/services/monitoring.rst

@ -8,6 +8,12 @@ hosts (disk space, load average, security updates, etc.). In addition
services may add specific monitoring probes such as loading a web page
and verifying its content is valid.
The service is created on the host specified by the `--host` argument:
.. code::
$ enough --domain example.com service create --host icinga-host icinga
The Icinga web interface is at `icinga.example.com`. The user name
and password with administrator rights must be defined in
`~/.enough/example.com/inventory/host_vars/icinga-host/icinga-secrets.yml`
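Review bot: the secrets path in the last line still hardcodes `icinga-host` (`host_vars/icinga-host/icinga-secrets.yml`) although the new sentence just above says the service lands on whatever host `--host` names; either write the path as `host_vars/<host>/icinga-secrets.yml` for the host given to `--host`, or state that `icinga-host` is the conventional choice shown in the example.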

6
docs/user-guide.rst

@ -81,7 +81,6 @@ its public IP must be used as a `GLUE record
+---------------+--------------+--------+-----------------------+-----------+--------+
| ID | Name | Status | Networks | Image | Flavor |
+---------------+--------------+--------+-----------------------+-----------+--------+
| e4f50405-f58b | icinga-host | ACTIVE | Ext-Net=51.178.60.119 | Debian 10 | s1-2 |
| 2b9a1bda-c2c0 | bind-host | ACTIVE | Ext-Net=51.178.60.121 | Debian 10 | s1-2 |
+---------------+--------------+--------+-----------------------+-----------+--------+
@ -120,6 +119,8 @@ Create or update a service
The following services are available:
* :doc:`bind <services/bind>` for `DNS server <https://www.isc.org/bind/>`__ at ``bind.examples.com``
* :doc:`icinga <services/monitoring>` for `monitoring <https://icinga.com/>`__ at ``icinga.example.com``.
* :doc:`postfix <services/postfix>` for `SMTP server <http://www.postfix.org/>`__ at ``postfix.example.com``.
* :doc:`OpenVPN <services/VPN>`, for `VPN <https://openvpn.net/>`__ at ``openvpn.example.com``
* :doc:`wazuh <services/ids>` for `Intrusion Detection System <https://wazuh.com/>`__ at ``wazuh.example.com``.
* :doc:`chat <services/mattermost>`, for `instant messaging <https://mattermost.com/>`__ at ``chat.example.com``
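Review bot: ``bind.examples.com`` in the bind entry should read ``bind.example.com`` like every other entry in this list (the same typo appears again in the Services section below); the trailing periods are also inconsistent across the entries, so pick one style.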
@ -296,8 +297,7 @@ Services
The following services are always available:
* :doc:`icinga <services/monitoring>` for `monitoring <https://icinga.com/>`__ at ``icinga.example.com``.
* :doc:`postfix <services/postfix>` for `SMTP server <http://www.postfix.org/>`__ at ``postfix.example.com``.
* :doc:`bind <services/bind>` for `DNS server <https://www.isc.org/bind/>`__ at ``bind.examples.com``
* `security groups <https://docs.openstack.org/nova/train/admin/security-groups.html>`__ for :ref:`firewall <firewall>`.
Background tasks

2
enough-before-playbook.yml

@ -12,7 +12,9 @@
- import_playbook: "{{ '$SHARE_DIR/playbooks/authorized_keys/authorized-keys-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/backup/backup-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/icinga/icinga-playbook.yml' | expandvars }}"
when: (groups['icinga-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/icinga/monitor-external-ressources-playbook.yml' | expandvars }}"
when: (groups['icinga-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/bind/bind-monitoring-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/postfix/postfix-playbook.yml' | expandvars }}"
when: (groups['postfix-service-group'] | length) > 0
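Review bot: the `when: (groups['icinga-service-group'] | length) > 0` guards on the two icinga imports only work if the group is defined in every inventory; indexing `groups[...]` for a missing group raises an undefined-variable error instead of yielding an empty list. The inventory change keeps the group present as `hosts: {}`, so it holds today, but `groups['icinga-service-group'] | default([]) | length` would make the guard survive inventories that omit the group. Also, `bind-monitoring-playbook.yml` is imported without a guard while the icinga and postfix imports have one; the bind role guards its tasks individually, but a play-level guard here would be consistent.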

3
inventory/services.yml

@ -34,8 +34,7 @@ postfix-client-group:
all-hosts:
icinga-service-group:
hosts:
icinga-host:
hosts: {}
icinga-service-hosts:
children:
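Review bot: `hosts: {}` keeps `icinga-service-group` defined but empty, and every `(groups['icinga-service-group'] | length) > 0` guard in this change relies on that; add a short comment saying the group must stay declared even when no Icinga service is deployed, otherwise a later inventory tidy-up that drops the empty stanza breaks all of those guards.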

4
playbooks/api/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:
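Review bot: this three-line `icinga-service-group` stanza is added verbatim to about twenty per-playbook inventories; consider declaring the master once in a shared inventory file that all playbooks include, or add a test asserting they agree, since a divergent entry in one playbook would make that playbook's `groups['icinga-service-group'][0]` delegate to a different master than the others.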

4
playbooks/backup/inventory/services.yml

@ -1,4 +1,8 @@
---
icinga-service-group:
hosts:
icinga-host:
backup-service-group:
hosts:
bind-host:

4
playbooks/bind/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/bind/roles/monitoring-bind/handlers/main.yml

@ -4,6 +4,6 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
when: (groups['icinga-service-group'] | length) > 0
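Review bot: `delegate_to: "{{ groups['icinga-service-group'][0] }}"` paired with the `when:` on the next line is the pattern this change uses throughout (tasks file below, postfix relay monitoring role); please confirm on the Ansible version in use that a run with an empty group skips these tasks cleanly, because the delegation target is templated independently of the conditional and `[0]` on an empty list must not turn into a hard failure before `when` is evaluated. A test inventory with the group empty would pin that behaviour down.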

4
playbooks/bind/roles/monitoring-bind/tasks/main.yml

@ -15,8 +15,8 @@
insertafter: 'Define DNS zones and attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
marker: "/* {mark} Zone {{ bind_zone_name }} */"
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
when: (groups['icinga-service-group'] | length) > 0
notify: reload icinga2
- name: install sudo file for check named zone

4
playbooks/chat/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/cloud/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/enough/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/firewall/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/forum/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/gitlab/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/icinga/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

5
playbooks/icinga/roles/deploy_dummy_monitoring_objects/tasks/main.yml

@ -27,10 +27,9 @@
dir = "/root/icinga2"
}
insertafter: 'Define git repos and attributes'
path: /etc/icinga2/zones.d/master/icinga-host/host.conf
path: "/etc/icinga2/zones.d/master/{{ groups['icinga-service-group'][0] }}/host.conf"
marker: "/* {mark} Icinga2 Docker image git repo */"
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
- name: git clone https://github.com/jjethwa/icinga2
git:

21
playbooks/icinga/roles/icinga2_client/tasks/main.yml

@ -44,7 +44,7 @@
- name: wait for master availability
wait_for:
host: "{{ hostvars['icinga-host']['ansible_host'] }}"
host: "{{ hostvars[groups['icinga-service-group'][0]]['ansible_host'] }}"
port: 5665
state: drained
@ -54,7 +54,7 @@
--key /etc/icinga2/pki/{{ inventory_hostname }}.key \
--cert /etc/icinga2/pki/{{ inventory_hostname }}.crt \
--trustedcert /etc/icinga2/pki/trusted-master.crt \
--host {{ hostvars['icinga-host']['ansible_host'] }}
--host {{ hostvars[groups['icinga-service-group'][0]]['ansible_host'] }}
changed_when: False
register: output
until: output is success
@ -64,7 +64,7 @@
- name: generate ticket number on the master
shell: |
icinga2 pki ticket --cn {{ inventory_hostname }}
delegate_to: icinga-host
delegate_to: "{{ groups['icinga-service-group'][0] }}"
register: command_output
changed_when: False
@ -73,7 +73,7 @@
- name: wait for master availability
wait_for:
host: "{{ hostvars['icinga-host']['ansible_host'] }}"
host: "{{ hostvars[groups['icinga-service-group'][0]]['ansible_host'] }}"
port: 5665
state: drained
@ -82,9 +82,9 @@
icinga2 node setup \
--ticket {{ icinga_ticket }} \
--cn {{ inventory_hostname }} \
--endpoint icinga-host \
--endpoint {{ groups['icinga-service-group'][0] }} \
--zone {{ inventory_hostname }} \
--master_host {{ hostvars['icinga-host']['ansible_host'] }} \
--master_host {{ hostvars[groups['icinga-service-group'][0]]['ansible_host'] }} \
--trustedcert /etc/icinga2/pki/trusted-master.crt \
--accept-commands \
--accept-config
@ -115,20 +115,17 @@
file:
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}
state: directory
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
- name: install host definition on master
template:
src: templates/host.conf
dest: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
- name: install client zone definition on master
template:
src: templates/zones.conf.master
dest: /etc/icinga2/zones.d/{{ inventory_hostname }}.conf
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
notify: reload icinga2

6
playbooks/icinga/roles/icinga2_client/templates/zones.conf.client

@ -17,9 +17,9 @@ object Zone "global-templates" {
/* Master zone */
object Zone "master" {
endpoints = [ "icinga-host" ]
endpoints = [ "{{ groups['icinga-service-group'][0] }}" ]
}
object Endpoint "icinga-host" {
host = "{{ hostvars['icinga-host']['ansible_host'] }}"
object Endpoint "{{ groups['icinga-service-group'][0] }}" {
host = "{{ hostvars[groups['icinga-service-group'][0]]['ansible_host'] }}"
}
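Review bot: the `Endpoint` object name now becomes the master's inventory hostname, and Icinga 2 checks the peer certificate's CN against the configured Endpoint name when establishing cluster connections, so this template only works if the master's certificate is issued for `groups['icinga-service-group'][0]`; that is true for `icinga-host` today but is now an implicit coupling between inventory naming and the master's PKI that deserves a comment in the template. The `--endpoint {{ groups['icinga-service-group'][0] }}` argument in the `icinga2 node setup` hunk above carries the same constraint.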

3
playbooks/icinga/roles/icinga2_common/handlers/main.yml

@ -4,6 +4,5 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"

3
playbooks/icinga/roles/monitor_http_vhost/handlers/main.yml

@ -4,5 +4,4 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"

3
playbooks/icinga/roles/monitor_http_vhost/tasks/main.yml

@ -19,6 +19,5 @@
insertafter: 'Define httpd services and attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
marker: "/* {mark} {{ http_vhost_name }} http vhost */"
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
notify: reload icinga2

3
playbooks/icinga/roles/monitor_tor_http_vhost/handlers/main.yml

@ -4,6 +4,5 @@
state: reloaded
enabled: True
changed_when: False
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"

5
playbooks/icinga/roles/monitor_tor_http_vhost/tasks/main.yml

@ -2,8 +2,7 @@
apt:
name: [ tor, torsocks ]
state: present
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
- name: restart tor
service:
@ -38,6 +37,6 @@
insertafter: 'Define tor services and attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
marker: "/* {mark} {{ tor_http_vhost_name }} tor http vhost on {{ item }} */"
delegate_to: icinga-host
delegate_to: "{{ groups['icinga-service-group'][0] }}"
notify: reload icinga2
loop: "{{ ansible_play_batch }}"

2
playbooks/icinga/test-icinga-playbook.yml

@ -7,7 +7,7 @@
roles:
- role: firewall
vars:
firewall_server: icinga-host
firewall_server: "{{ groups['icinga-service-group'][0] }}"
firewall_clients: [ 0.0.0.0/0 ]
firewall_protocols: [ tcp ]
firewall_ports: [ 5665 ]

4
playbooks/openvpn/inventory/services.yml

@ -1,4 +1,8 @@
---
icinga-service-group:
hosts:
icinga-host:
openvpn-service-group:
hosts:
website-host:

1
playbooks/openvpn/roles/openvpn/tasks/openvpn.yml

@ -1,5 +1,6 @@
---
- delegate_to: icinga-host
when: (groups['icinga-service-group'] | length) > 0
block:
- name: apt-get install nmap
apt:
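Review bot: `delegate_to: icinga-host` on this block is still hardcoded while the rest of the change moves to `groups['icinga-service-group'][0]`; with only the `when:` added, deploying Icinga on a host with another name would still send the nmap install and the tasks in this block to a host called icinga-host, or fail because no such host exists. Use the group reference here as well.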

4
playbooks/packages/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/pad/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/postfix/inventory/services.yml

@ -1,4 +1,8 @@
---
icinga-service-group:
hosts:
icinga-host:
postfix-service-group:
hosts:
postfix-host:

1
playbooks/postfix/roles/postfix_relay_monitoring/handlers/main.yml

@ -4,3 +4,4 @@
state: reloaded
enabled: True
changed_when: False
when: (groups['icinga-service-group'] | length) > 0

4
playbooks/postfix/roles/postfix_relay_monitoring/tasks/main.yml

@ -5,6 +5,6 @@
line: ' vars.postfix_relay= true'
insertafter: 'Define host attributes'
path: /etc/icinga2/zones.d/master/{{ inventory_hostname }}/host.conf
delegate_to: "{{ item }}"
loop: "{{groups['icinga-service-group']}}"
delegate_to: "{{ groups['icinga-service-group'][0] }}"
when: (groups['icinga-service-group'] | length) > 0
notify: reload icinga2

5
playbooks/securedrop/inventory/service.yml

@ -1,3 +1,8 @@
---
icinga-service-group:
hosts:
icinga-host:
securedrop-service-group:
hosts:
securedrop-host:

4
playbooks/wazuh/inventory/services.yml

@ -1,4 +1,8 @@
---
icinga-service-group:
hosts:
icinga-host:
wazuh-service-group:
hosts:
wazuh-host:

4
playbooks/weblate/inventory/services.yml

@ -1,4 +1,8 @@
---
icinga-service-group:
hosts:
icinga-host:
postfix-service-group:
hosts:
postfix-host:

4
playbooks/website/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

4
playbooks/wekan/inventory/services.yml

@ -0,0 +1,4 @@
---
icinga-service-group:
hosts:
icinga-host:

2
tests/enough/common/test_common_service.py

@ -33,7 +33,7 @@ def test_openstack_create_or_update(tmpdir, openstack_name, requests_mock):
def test_service_from_host():
s = service.Service(settings.CONFIG_DIR, settings.SHARE_DIR, domain='test.com')
assert s.service_from_host('icinga-host') in ('essential', 'openvpn', 'wekan', 'wazuh')
assert s.service_from_host('icinga-host') is None
assert s.service_from_host('cloud-host') == 'cloud'
assert s.service_from_host('unknown-host') is None
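Review bot: the expectation for `icinga-host` changes from a service name to `None`, the same result as `unknown-host`, which encodes that the monitoring master is no longer treated as a service host; a one-line comment above the assertion would make that intent explicit rather than looking like the host was forgotten.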
