switching vps to be the icinga master

This commit is contained in:
2023-12-09 18:49:30 -05:00
parent 1333c3e4a0
commit fa41a5bfd3
8 changed files with 166 additions and 100 deletions


@@ -1,4 +1,5 @@
#!/bin/bash
{# code: lang=jinja-shell #}
{% set gitea_version = salt.pillar.get('gitea:version') %}
{% set base_path = salt.pillar.get('gitea:path') %}


@@ -1,3 +1,3 @@
# monitoring sudoers rules
nagios ALL=(ALL) NOPASSWD: \
icinga ALL=(ALL) NOPASSWD: \
{{ salt.pillar.get('icinga2:client_sudo') | join(", \\\n") | indent(2) }}


@@ -0,0 +1,25 @@
#!/bin/bash
{# code: lang=jinja-shell #}
if ! id icinga &>/dev/null; then
echo icinga user is missing
exit 1
fi
if [ -d /etc/icinga2/.git ]; then
echo already cloned
exit 1
fi
# show commands executed
set -x
# exit on errors
set -e
rm -rf /etc/icinga2
cd /etc/
git clone '{{ salt.pillar.get('icinga2:server:conf_git_url') }}' icinga2
chown -R icinga.icinga /etc/icinga2
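Review bot: `rm -rf /etc/icinga2` deletes the whole directory whenever it is not already a git checkout, which on a host that has the package-installed config tree (and any certificates generated under its `pki/` subdirectory) discards them with no copy kept; moving the tree aside first, `mv /etc/icinga2 "/etc/icinga2.pre-clone.$(date +%s)"`, keeps a recoverable copy while still leaving the path free for the clone. The `chown -R icinga.icinga /etc/icinga2` line uses the deprecated dot separator; `chown -R icinga:icinga /etc/icinga2` is the documented form. Because `set -x` is enabled before the clone, the expanded `icinga2:server:conf_git_url` pillar value is echoed into the Salt job return; that is harmless for an ssh URL with a deploy key, but if the pillar ever carries an https URL with an embedded token it would end up in the job log, so a comment noting that assumption above `set -x` would help the next maintainer.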


@@ -1,42 +0,0 @@
server {
server_name icinga.keiran.us;
rewrite ^/$ https://icinga.keiran.us/icingaweb2 permanent;
location ~ ^/icingaweb2/index\.php(.*)$ {
# fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ ^/icingaweb2(.+)? {
alias /usr/share/icingaweb2/public;
index index.php;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/icinga.keiran.us/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/icinga.keiran.us/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = icinga.keiran.us) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name icinga.keiran.us;
listen 80;
return 404; # managed by Certbot
}

7
icinga2/init.sls Normal file

@@ -0,0 +1,7 @@
include:
{% if salt.pillar.get("icinga2:ssh_client", None) is not none %}
- icinga2.ssh_client
{% endif %}
{% if salt.pillar.get("icinga2:server", None) is not none %}
- icinga2.server
{% endif %}
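Review bot: When neither `icinga2:ssh_client` nor `icinga2:server` is set in pillar, both conditionals drop out and `include:` is left with no list items, which Salt rejects at render time rather than treating as an empty include. Today this is masked because top.sls only assigns `icinga2` when one of the two keys is present, but that coupling is invisible from this file. A comment at the top such as `# Reached from top.sls only when at least one of the two pillar keys below is set; an include with no items is a render error.` records the assumption.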


@@ -1,24 +1,4 @@
include:
- nginx
icinga_packages:
pkg.installed:
- pkgs:
- vim-icinga2
- icinga2
- icingaweb2
- icinga2-ido-mysql
- certbot
- python-certbot-nginx
apache2:
service.dead:
- enable: False
- require_by:
- pkg: nginx
file.absent:
- name: /etc/apache2
{#
icingaweb2_vhost:
file.managed:
- name: /etc/nginx/sites-available/icingaweb2
@@ -30,23 +10,88 @@ icingaweb2_vhost:
- pkg: nginx
- watch_by:
- service: nginx
#}
/etc/icinga2:
git.cloned:
- name: ssh://keiran5@git.keiran.us:9022/config-mgmt/icinga2-conf.git
- user: nagios
- target: /etc/icinga2
/etc/pki/rpm-gpg/icinga.key:
file.managed:
- user: root
- group: root
- mode: 644
- source: https://packages.icinga.com/icinga.key
- source_hash: be677e07972ed57b99ffc2fd211379ac11b9c6a7c8d9460086b447b96b0a82bb
# icingacli setup config directory
# icingacli setup token create
# icingacli setup token show
# visit /icingaweb2/setup
icingacmd:
group.present: []
icingaweb2_enable:
icinga:
user.present:
- shell: /bin/bash
- home: /var/spool/icinga2
- createhome: true
- groups:
- icingacmd
- system: true
- require:
- group: icingacmd
pkgrepo.managed:
- humanname: ICINGA (stable release)
- baseurl: https://packages.icinga.com/epel/$releasever/release/
- enabled: 1
- gpgcheck: 1
- gpgkey: file:///etc/pki/rpm-gpg/icinga.key
- require:
- file: /etc/pki/rpm-gpg/icinga.key
- user: icinga
pkg.installed:
- pkgs:
- vim-icinga2
- icinga2
- nagios-plugins-by_ssh
- nagios-plugins-ping
- nagios-plugins-ssh
- nagios-plugins-http
- icinga2-ido-mysql
- require:
- pkgrepo: icinga
# You'll need to add a temporary deploy key for root, then create a permanent
# one for the icinga user
'git clone /etc/icinga2':
cmd.script:
- shell: /bin/bash
- source: 'salt://icinga2/files/git_clone_icinga2_conf.sh'
- runas: root
- template: jinja
- creates: /etc/icinga2/.git
- require:
- pkg: icinga
/var/spool/icinga2/conf:
file.symlink:
- name: /etc/nginx/sites-enabled/icingaweb2
- target: /etc/nginx/sites-available/icingaweb2
- watch_by:
- service: nginx
- target: /etc/icinga2
- require:
- user: icinga
/var/spool/icinga2/.ssh:
file.directory:
- user: icinga
- group: icinga
- mode: 700
- require:
- user: icinga
/var/spool/icinga2/.ssh/authorized_keys:
file.managed:
- user: icinga
- group: icinga
- mode: 400
- contents_pillar: icinga2:server:icinga_user_authkeys
#icingaweb2_enable:
# file.symlink:
# - name: /etc/nginx/sites-enabled/icingaweb2
# - target: /etc/nginx/sites-available/icingaweb2
# - watch_by:
# - service: nginx
# apt --no-install-recommends install nagios-nrpe-plugin
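Review bot: The `/var/spool/icinga2/.ssh/authorized_keys` state near the end of the hunk has no `require` on the `/var/spool/icinga2/.ssh` directory state or on the `icinga` user, unlike its counterpart in ssh_client.sls, so it depends on definition order alone; adding `- require:` / `- file: /var/spool/icinga2/.ssh` under it makes the ordering explicit and consistent. The comment above `'git clone /etc/icinga2'` explains that a temporary deploy key for root is needed but says nothing about removing it once the icinga user's key is in place; extending it to `# Remove root's temporary deploy key once /etc/icinga2/.git exists; only the icinga user's key should stay authorized on the git server.` closes that gap. The `mode:` values (`644`, `700`, `400`) are unquoted integers, which Salt tolerates, but quoting them as `"0644"`, `"0700"`, `"0400"` is the form Salt documents and avoids the YAML octal/int ambiguity.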


@@ -1,44 +1,73 @@
# todo: git clone to /usr/local/lib/nagios
# A deploy key must be added for this to work!
{{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }}:
/usr/local/lib/nagios:
git.cloned:
- name: {{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }}
- target: /usr/local/lib/nagios
- branch: master
- user: root
/usr/local/lib/nagios/venv:
cmd.run:
{% if 'inmotionhosting' in grains.fqdn %}
- name: imh-python3 -m venv /usr/local/lib/nagios/venv
{% else %}
- name: python3 -m venv /usr/local/lib/nagios/venv
{% endif %}
- creates: /usr/local/lib/nagios/venv
- require:
- git: /usr/local/lib/nagios
- pkg: monitoring_packages
# TODO: make all this venv stuff a cmd.script
venv-ensurepip:
cmd.run:
- name: /usr/local/lib/nagios/venv/bin/python3 -m ensurepip
- creates: /usr/local/lib/nagios/venv/bin/pip3
- require:
- cmd: /usr/local/lib/nagios/venv
venv-psutil:
cmd.run:
- name: /usr/local/lib/nagios/venv/bin/pip3 install psutil
- require:
- cmd: venv-ensurepip
monitoring_packages:
pkg.installed:
- pkgs:
# TODO: these are the Debian names. Figure out the others
- monitoring-plugins-basic
- smartmontools
{% if grains.os_family == 'Debian' %}
- python3-venv
{% endif %}
nagios:
icinga:
user.present:
- shell: /bin/bash
- home: /var/lib/nagios
- home: /var/lib/icinga
- system: true
- createhome: true
/var/lib/nagios/.ssh:
/var/lib/icinga/.ssh:
file.directory:
- user: nagios
- group: nagios
- user: icinga
- group: icinga
- mode: 700
- require:
- user: nagios
- user: icinga
/var/lib/nagios/.ssh/authorized_keys:
/var/lib/icinga/.ssh/authorized_keys:
file.managed:
- user: nagios
- group: nagios
- user: icinga
- group: icinga
- mode: 400
- contents_pillar: icinga2:nagios_rsa_pubkey
- contents_pillar: icinga2:icinga_rsa_pubkey
- require:
- file: /var/lib/nagios/.ssh
- file: /var/lib/icinga/.ssh
/etc/sudoers.d/nagios:
/etc/sudoers.d/icinga:
file.managed:
- user: root
- group: root
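Review bot: The rename from `nagios` to `icinga` (user, `.ssh` directory, `authorized_keys`, `/etc/sudoers.d/nagios`) does not remove the old artifacts, so on hosts already provisioned under the previous name `/etc/sudoers.d/nagios` and `/var/lib/nagios/.ssh/authorized_keys` keep granting the old account passwordless sudo and key login until someone deletes them by hand. Two `file.absent` states revoke that path; whether the `nagios` account itself can be removed depends on whether any installed package still needs it, which this hunk cannot show. Separately, `venv-psutil` is a `cmd.run` with no `creates`/`unless`, so pip is re-run on every highstate; `- unless: /usr/local/lib/nagios/venv/bin/pip3 show psutil` makes it idempotent. The `/etc/sudoers.d/icinga` state continues past the end of the hunk, so its source and any `check_cmd` are not visible here.
```yaml
# … unchanged: git clone, venv, monitoring_packages, icinga user and .ssh states …

# Revoke the pre-rename access path on hosts that were provisioned as `nagios`.
/etc/sudoers.d/nagios:
  file.absent: []
/var/lib/nagios/.ssh/authorized_keys:
  file.absent: []

# … unchanged: /etc/sudoers.d/icinga state …
```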

13
top.sls

@@ -1,4 +1,4 @@
{{saltenv}}:
{{ saltenv }}:
'*':
- salt
- common
@@ -7,16 +7,17 @@
or salt.pillar.get('restic:server', None) is not none %}
- restic
{% endif %}
{% if salt.pillar.get("icinga2:ssh_client", None) is not none %}
- icinga2.ssh_client
{% if salt.pillar.get("icinga2:ssh_client", None) is not none
or salt.pillar.get("icinga2:server", None) is not none %}
- icinga2
{% endif %}
{% if salt.pillar.get("gitea", None) is not none %}
- gitea
{% endif %}
'*.keiran.us':
- firewall
- resolvers
'vps47492.inmotionhosting.com':
- gitea
'kpi.keiran.us':
- icinga2.server
- nginx
- restic
- samba
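Review bot: The guard placed on the `icinga2` include (either `icinga2:ssh_client` or `icinga2:server` present) repeats the same per-key checks that icinga2/init.sls makes to decide which sub-state to include, so a future icinga2 role means editing both files in step. Checking only the parent key here, `{% if salt.pillar.get("icinga2", None) is not none %}`, would let init.sls own the role selection; whether any host carries an `icinga2` pillar with neither sub-key set is not visible from this hunk, so that change should be confirmed against the pillar tree first.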