switching vps to be the icinga master

2023-12-09 18:49:30 -05:00
parent 1333c3e4a0
commit fa41a5bfd3
8 changed files with 166 additions and 100 deletions


@@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
{# code: lang=jinja-shell #}
{% set gitea_version = salt.pillar.get('gitea:version') %} {% set gitea_version = salt.pillar.get('gitea:version') %}
{% set base_path = salt.pillar.get('gitea:path') %} {% set base_path = salt.pillar.get('gitea:path') %}


@@ -1,3 +1,3 @@
# monitoring sudoers rules # monitoring sudoers rules
nagios ALL=(ALL) NOPASSWD: \ icinga ALL=(ALL) NOPASSWD: \
{{ salt.pillar.get('icinga2:client_sudo') | join(", \\\n") | indent(2) }} {{ salt.pillar.get('icinga2:client_sudo') | join(", \\\n") | indent(2) }}


@@ -0,0 +1,25 @@
#!/bin/bash
{# code: lang=jinja-shell #}
if ! id icinga &>/dev/null; then
echo icinga user is missing
exit 1
fi
if [ -d /etc/icinga2/.git ]; then
echo already cloned
exit 1
fi
# show commands executed
set -x
# exit on errors
set -e
rm -rf /etc/icinga2
cd /etc/
git clone '{{ salt.pillar.get('icinga2:server:conf_git_url') }}' icinga2
chown -R icinga.icinga /etc/icinga2
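Review bot: `rm -rf /etc/icinga2` runs before the clone is known to succeed, so when `git clone` fails — the server.sls comment says a deploy key has to be in place first — `set -e` stops the script at that point and the host is left with no /etc/icinga2 at all, including whatever the icinga2 package put there. Clone into a staging directory beside it and replace the old tree only once the clone has completed, as below. The `icinga.icinga` dot separator in `chown -R` is the legacy GNU form; `icinga:icinga` is the documented one. The clone URL is pasted from pillar inside single quotes, so a value containing a `'` would break the command line — worth a note on the pillar key that feeds it.
```bash
# … unchanged: icinga user / already-cloned checks, set -x, set -e …
staging="$(mktemp -d /etc/icinga2.XXXXXX)"
git clone '{{ salt.pillar.get('icinga2:server:conf_git_url') }}' "$staging"
rm -rf /etc/icinga2
mv "$staging" /etc/icinga2
chown -R icinga:icinga /etc/icinga2
```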


@@ -1,42 +0,0 @@
server {
server_name icinga.keiran.us;
rewrite ^/$ https://icinga.keiran.us/icingaweb2 permanent;
location ~ ^/icingaweb2/index\.php(.*)$ {
# fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ ^/icingaweb2(.+)? {
alias /usr/share/icingaweb2/public;
index index.php;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/icinga.keiran.us/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/icinga.keiran.us/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = icinga.keiran.us) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name icinga.keiran.us;
listen 80;
return 404; # managed by Certbot
}

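--- /dev/null
+++ b/icinga2/init.sls
@@ -0,0 +1,7 @@
+include:
+{% if salt.pillar.get("icinga2:ssh_client", None) is not none %}
+- icinga2.ssh_client
+{% endif %}
+{% if salt.pillar.get("icinga2:server", None) is not none %}
+- icinga2.server
+{% endif %}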
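Review bot: Both files this include pulls in declare the same top-level state ID `icinga` (`icinga:` with `user.present` in server.sls and again in ssh_client.sls), so a minion whose pillar carries both `icinga2:server` and `icinga2:ssh_client` will fail the highstate with Salt's conflicting-IDs error instead of getting either user; the two definitions also disagree on the home directory (`/var/spool/icinga2` vs `/var/lib/icinga`). If one host is never meant to be both, record that here with a comment such as `# icinga2.server and icinga2.ssh_client both define the icinga user; set only one of the pillar keys per host`; otherwise rename one of the IDs and reconcile the user definition. Applied directly (`state.apply icinga2`) with neither pillar key set, this renders to a bare `include:` with no list, which Salt is likely to reject as a malformed include declaration; today only the top.sls condition prevents that.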


@@ -1,24 +1,4 @@
include: {#
- nginx
icinga_packages:
pkg.installed:
- pkgs:
- vim-icinga2
- icinga2
- icingaweb2
- icinga2-ido-mysql
- certbot
- python-certbot-nginx
apache2:
service.dead:
- enable: False
- require_by:
- pkg: nginx
file.absent:
- name: /etc/apache2
icingaweb2_vhost: icingaweb2_vhost:
file.managed: file.managed:
- name: /etc/nginx/sites-available/icingaweb2 - name: /etc/nginx/sites-available/icingaweb2
@@ -30,23 +10,88 @@ icingaweb2_vhost:
- pkg: nginx - pkg: nginx
- watch_by: - watch_by:
- service: nginx - service: nginx
#}
/etc/icinga2: /etc/pki/rpm-gpg/icinga.key:
git.cloned: file.managed:
- name: ssh://keiran5@git.keiran.us:9022/config-mgmt/icinga2-conf.git - user: root
- user: nagios - group: root
- target: /etc/icinga2 - mode: 644
- source: https://packages.icinga.com/icinga.key
- source_hash: be677e07972ed57b99ffc2fd211379ac11b9c6a7c8d9460086b447b96b0a82bb
# icingacli setup config directory icingacmd:
# icingacli setup token create group.present: []
# icingacli setup token show
# visit /icingaweb2/setup
icingaweb2_enable: icinga:
user.present:
- shell: /bin/bash
- home: /var/spool/icinga2
- createhome: true
- groups:
- icingacmd
- system: true
- require:
- group: icingacmd
pkgrepo.managed:
- humanname: ICINGA (stable release)
- baseurl: https://packages.icinga.com/epel/$releasever/release/
- enabled: 1
- gpgcheck: 1
- gpgkey: file:///etc/pki/rpm-gpg/icinga.key
- require:
- file: /etc/pki/rpm-gpg/icinga.key
- user: icinga
pkg.installed:
- pkgs:
- vim-icinga2
- icinga2
- nagios-plugins-by_ssh
- nagios-plugins-ping
- nagios-plugins-ssh
- nagios-plugins-http
- icinga2-ido-mysql
- require:
- pkgrepo: icinga
# You'll need to add a temporary deploy key for root, then create a permanent
# one for the icinga user
'git clone /etc/icinga2':
cmd.script:
- shell: /bin/bash
- source: 'salt://icinga2/files/git_clone_icinga2_conf.sh'
- runas: root
- template: jinja
- creates: /etc/icinga2/.git
- require:
- pkg: icinga
/var/spool/icinga2/conf:
file.symlink: file.symlink:
- name: /etc/nginx/sites-enabled/icingaweb2 - target: /etc/icinga2
- target: /etc/nginx/sites-available/icingaweb2 - require:
- watch_by: - user: icinga
- service: nginx
/var/spool/icinga2/.ssh:
file.directory:
- user: icinga
- group: icinga
- mode: 700
- require:
- user: icinga
/var/spool/icinga2/.ssh/authorized_keys:
file.managed:
- user: icinga
- group: icinga
- mode: 400
- contents_pillar: icinga2:server:icinga_user_authkeys
#icingaweb2_enable:
# file.symlink:
# - name: /etc/nginx/sites-enabled/icingaweb2
# - target: /etc/nginx/sites-available/icingaweb2
# - watch_by:
# - service: nginx
# apt --no-install-recommends install nagios-nrpe-plugin # apt --no-install-recommends install nagios-nrpe-plugin
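Review bot: `/var/spool/icinga2/.ssh/authorized_keys` carries no `require`, unlike its counterpart in ssh_client.sls, so it is ordered only by its position in the file and is still attempted when the `.ssh` directory or the `icinga` user has failed; add `- require:` / `  - user: icinga` / `  - file: /var/spool/icinga2/.ssh`. `'git clone /etc/icinga2'` likewise reaches the `icinga` user only transitively through `pkg: icinga` → `pkgrepo: icinga`, even though the script's first check is `id icinga`; an explicit `- user: icinga` in its require list makes that dependency visible. The nginx/icingaweb2 states now survive only as a `{# … #}` block at the top of the file and a `#`-commented `icingaweb2_enable` near the bottom; if they are not coming back, delete them rather than carrying two styles of dead configuration.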


@@ -1,44 +1,73 @@
# todo: git clone to /usr/local/lib/nagios
# A deploy key must be added for this to work! # A deploy key must be added for this to work!
{{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }}: /usr/local/lib/nagios:
git.cloned: git.cloned:
- name: {{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }}
- target: /usr/local/lib/nagios - target: /usr/local/lib/nagios
- branch: master - branch: master
- user: root - user: root
/usr/local/lib/nagios/venv:
cmd.run:
{% if 'inmotionhosting' in grains.fqdn %}
- name: imh-python3 -m venv /usr/local/lib/nagios/venv
{% else %}
- name: python3 -m venv /usr/local/lib/nagios/venv
{% endif %}
- creates: /usr/local/lib/nagios/venv
- require:
- git: /usr/local/lib/nagios
- pkg: monitoring_packages
# TODO: make all this venv stuff a cmd.script
venv-ensurepip:
cmd.run:
- name: /usr/local/lib/nagios/venv/bin/python3 -m ensurepip
- creates: /usr/local/lib/nagios/venv/bin/pip3
- require:
- cmd: /usr/local/lib/nagios/venv
venv-psutil:
cmd.run:
- name: /usr/local/lib/nagios/venv/bin/pip3 install psutil
- require:
- cmd: venv-ensurepip
monitoring_packages: monitoring_packages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
# TODO: these are the Debian names. Figure out the others
- monitoring-plugins-basic
- smartmontools - smartmontools
{% if grains.os_family == 'Debian' %}
- python3-venv
{% endif %}
nagios: icinga:
user.present: user.present:
- shell: /bin/bash - shell: /bin/bash
- home: /var/lib/nagios - home: /var/lib/icinga
- system: true - system: true
- createhome: true - createhome: true
/var/lib/nagios/.ssh: /var/lib/icinga/.ssh:
file.directory: file.directory:
- user: nagios - user: icinga
- group: nagios - group: icinga
- mode: 700 - mode: 700
- require: - require:
- user: nagios - user: icinga
/var/lib/nagios/.ssh/authorized_keys: /var/lib/icinga/.ssh/authorized_keys:
file.managed: file.managed:
- user: nagios - user: icinga
- group: nagios - group: icinga
- mode: 400 - mode: 400
- contents_pillar: icinga2:nagios_rsa_pubkey - contents_pillar: icinga2:icinga_rsa_pubkey
- require: - require:
- file: /var/lib/nagios/.ssh - file: /var/lib/icinga/.ssh
/etc/sudoers.d/nagios: /etc/sudoers.d/icinga:
file.managed: file.managed:
- user: root - user: root
- group: root - group: root
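Review bot: `venv-psutil` is a `cmd.run` with no `creates`/`unless` guard, unlike `venv-ensurepip` directly above it, so every apply re-runs `pip3 install psutil`, contacts the package index and reports a change; add `- unless: /usr/local/lib/nagios/venv/bin/python3 -c 'import psutil'`. The install is also unpinned, so the plugin environment depends on whichever psutil is current at apply time; `pip3 install 'psutil==<pinned version>'` (placeholder for the version you qualify) makes it reproducible and reviewable. The `/etc/sudoers.d/icinga` state at the end of the hunk continues outside it.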

top.sls

@@ -1,4 +1,4 @@
{{saltenv}}: {{ saltenv }}:
'*': '*':
- salt - salt
- common - common
@@ -7,16 +7,17 @@
or salt.pillar.get('restic:server', None) is not none %} or salt.pillar.get('restic:server', None) is not none %}
- restic - restic
{% endif %} {% endif %}
{% if salt.pillar.get("icinga2:ssh_client", None) is not none %} {% if salt.pillar.get("icinga2:ssh_client", None) is not none
- icinga2.ssh_client or salt.pillar.get("icinga2:server", None) is not none %}
- icinga2
{% endif %}
{% if salt.pillar.get("gitea", None) is not none %}
- gitea
{% endif %} {% endif %}
'*.keiran.us': '*.keiran.us':
- firewall - firewall
- resolvers - resolvers
'vps47492.inmotionhosting.com':
- gitea
'kpi.keiran.us': 'kpi.keiran.us':
- icinga2.server
- nginx - nginx
- restic - restic
- samba - samba