
15 commits

Author SHA1 Message Date
Jérémy Dubois a61f2423bc Remove multiple spaces 2023-12-15 16:23:31 +01:00
Jérémy Dubois 7dd930afcb nagios-nrpe: configure allowed_hosts in template and make use of the 'nagios_nrpe_additional_allowed_hosts' var in inventory for additional IP 2023-12-15 15:46:15 +01:00
Jérémy Dubois 8e18b6972a post-install: execute motd-carp-state.sh every 10 minuts 2023-12-11 17:44:41 +01:00
Jérémy Dubois 63212accdd forwarding: added tags to distinguish IPv4 from IPv6 2023-11-13 17:45:33 +01:00
Jérémy Dubois aee18bfde9 base: configure "/var/log" for servers that have a mount on it 2023-11-13 16:01:47 +01:00
Jérémy Dubois 1f0011ad2a accounts, etc-git, evocheck, nagios-nrpe: multiple changes to not fail when run in check mode 2023-11-09 17:08:13 +01:00
Jérémy Dubois 6822eaa4f0 base: added handlers for entries in fstab 2023-11-09 17:06:00 +01:00
Jérémy Dubois aed20187de use Fully Qualified Collection Name everywhere 2023-10-23 09:33:54 +02:00
Jérémy Dubois 28021670f0 yamllint, ansible-lint, and tags everywhere 2023-10-23 09:33:33 +02:00
Jérémy Dubois a217bb2e56 base: deactivate insults in sudo 2023-10-13 11:52:41 +02:00
Jérémy Dubois 832e93da0d base: ignore errors on packages installation because it fails for some packages when run in check mode 2023-10-13 11:52:40 +02:00
Jérémy Dubois ced4098192 collectd: fix rights for collectd directory 2023-10-13 11:52:22 +02:00
Jérémy Dubois 7aa588528c base: doas configuration for ipmi_sensor NRPE check 2023-10-13 11:52:22 +02:00
Jérémy Dubois afba3ad7e1 nagios-nrpe: add the ipmi_sensor check 2023-10-13 11:52:21 +02:00
Jérémy Dubois 05bdef9ab8 etc-git: add versioning for /var/unbound/etc 2023-10-13 11:52:19 +02:00
43 changed files with 1320 additions and 197 deletions


@ -29,6 +29,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* nagios-nrpe: allow older cipher suites for older Icinga version
* evobackup: execute canary script before executing backup script
* accounts: create only users who have a certain value for the `create` key (default: `always`)
* nagios-nrpe: add the ipmi_sensor check
* base: doas configuration for ipmi_sensor NRPE check
* base: deactivate insults in sudo
* base: added handlers for entries in fstab
* forwarding: added tags to distinguish IPv4 from IPv6
### Changed
@ -68,13 +73,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* nagios-nrpe: check_ipsecctl.sh is never used standalone for check_vpn, always called by check_ipsecctl_critiques.sh
* evobackup: zzz_evobackup upstream release 22.12, and call zzz_evobackup with bash
* base: install bash, now needed for zzz_evobackup script
* post-install: execute motd-carp-state.sh only once an hour
* post-install: execute motd-carp-state.sh every 10 minuts
* collectd: modified collectd scripts directory and scripts files right so that only _collectd group can execute them
* base: install ncdu and htop often used as diagnostic tools
* base: dump-server-state.sh upstream release 23.06
* evocheck: upstream release 23.06
* base: add evobsd_alias_fwupdate variable and make kshrc file a template so we can set or not a fw_update alias to servers that need it
* etc-git: add versioning for /var/unbound/etc
* base: ignore errors on packages installation because it fails for some packages when run in check mode
* evomaintenance: upstream release 23.10.1
* accounts, etc-git, evocheck, nagios-nrpe: multiple changes to not fail when run in check mode
* base: configure "/var/log" for servers that have a mount on it
* nagios-nrpe: configure allowed_hosts in template and make use of the 'nagios_nrpe_additional_allowed_hosts' var in inventory for additional IP
### Fixed
@ -87,6 +97,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* logsentry: fix variables for configuration files
* nagios-nrpe: fix allowed_hosts configuration: keep potential added IP, but we cannot use backrefs if the line does not exist yet
* accounts: configure user home, ssh keys and groups only if it already exists, so that there is no error when run in check mode and user doesn't exist yet
* collectd: fix rights for collectd directory
### Removed


@ -12,7 +12,7 @@
- name: Install ansible's prerequisite
# yamllint disable-line rule:line-length
raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-3
ansible.builtin.raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-3
changed_when: true
# vim:ft=ansible
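Review bot: The bootstrap command on the `ansible.builtin.raw` line still points `PKG_PATH` at a plain `http://` mirror, so the package download that installs Python is not protected in transit. pkg_add verifies package signatures by default, which limits the impact, but that leaves signature checking as the only control on a host that has nothing else configured yet. If the mirror serves HTTPS, prefer `PKG_PATH=https://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/`, or drop the override where /etc/installurl is already set.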


@ -1,6 +1,6 @@
---
- name: reload sshd
service:
ansible.builtin.service:
name: sshd
state: reloaded


@ -1,7 +1,7 @@
# yamllint disable rule:line-length
---
- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
group:
ansible.builtin.group:
name: "{{ item }}"
system: true
with_items:
@ -17,7 +17,7 @@
vars:
user: "{{ item.value }}"
with_dict: "{{ evolix_users }}"
when:
when:
- user.create == evobsd_users_create
- evolix_users != {}
tags:
@ -25,7 +25,7 @@
- admin
- name: "Verify AllowGroups directive"
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
ansible.builtin.command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
changed_when: false
failed_when: false
check_mode: false
@ -35,7 +35,7 @@
- admin
- name: "Verify AllowUsers directive"
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
ansible.builtin.command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: false
failed_when: false
check_mode: false
@ -45,7 +45,7 @@
- admin
- name: "Check that AllowUsers and AllowGroup do not override each other"
assert:
ansible.builtin.assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
tags:
@ -53,7 +53,7 @@
- admin
- name: "If AllowGroups is present then use it"
set_fact:
ansible.builtin.set_fact:
ssh_allowgroups:
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
tags:
@ -61,7 +61,7 @@
- admin
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evobsd_ssh_group }}"
insertafter: 'Subsystem'
@ -75,7 +75,7 @@
- admin
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
replace:
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
replace: '\1 {{ evobsd_ssh_group }}'
@ -89,7 +89,7 @@
- admin
- name: "Security directives for EvoBSD"
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/ssh/sshd_config
marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
block: |
@ -107,7 +107,7 @@
- admin
- name: "Disable root login"
replace:
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin\s+(yes|without-password|prohibit-password)'
replace: "PermitRootLogin {{ evobsd_root_login }}"
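Review bot: The "Disable root login" task uses `ansible.builtin.replace` with `^PermitRootLogin\s+(yes|without-password|prohibit-password)`, which changes nothing when the directive is commented out or absent, so the play reports ok without `evobsd_root_login` being enforced. `ansible.builtin.lineinfile` with `regexp: '^#?\s*PermitRootLogin\s'` and `line: "PermitRootLogin {{ evobsd_root_login }}"` would set the value in those cases too. None of the sshd_config edits visible in these hunks shows a `validate:` argument; if the lines outside the hunks have none either, `validate: '/usr/sbin/sshd -t -f %s'` would stop a malformed file from being installed before sshd is reloaded. This task and the ones above it continue outside the hunks shown.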


@ -1,7 +1,7 @@
# yamllint disable rule:line-length
---
- name: "Group '{{ user.name }}' is present"
group:
ansible.builtin.group:
state: present
name: "{{ user.name }}"
gid: "{{ user.uid }}"
@ -10,7 +10,7 @@
- admin
- name: "User '{{ user.name }}' is present"
user:
ansible.builtin.user:
state: present
name: '{{ user.name }}'
uid: '{{ user.uid }}'
@ -23,12 +23,15 @@
- accounts
- admin
- name: "Gather available local users"
getent:
- name: "Gather available local users for usage in check_mode"
ansible.builtin.getent:
database: passwd
tags:
- accounts
- admin
- name: "Home directory for '{{ user.name }}' is only accesible by owner"
file:
ansible.builtin.file:
name: '/home/{{ user.name }}'
mode: "0700"
owner: "{{ user.name }}"
@ -40,7 +43,7 @@
- admin
- name: "SSH public keys for '{{ user.name }}' are present"
authorized_key:
ansible.posix.authorized_key:
user: "{{ user.name }}"
key: "{{ ssk_key }}"
state: present
@ -54,8 +57,15 @@
- accounts
- admin
- name: "Gather available local groups for usage in check_mode"
ansible.builtin.getent:
database: group
tags:
- accounts
- admin
- name: "Add {{ user.name }} to {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
user:
ansible.builtin.user:
name: "{{ user.name }}"
groups: "{{ groups_item }}"
append: true
@ -65,7 +75,9 @@
- "{{ evobsd_sudo_group }}"
loop_control:
loop_var: groups_item
when: user.name in getent_passwd.keys()
when:
- user.name in getent_passwd.keys()
- groups_item in getent_group.keys()
tags:
- accounts
- admin
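Review bot: The added condition `groups_item in getent_group.keys()` also applies outside check mode, so a group that was never created, or a misspelled group variable, now makes the membership task skip silently instead of failing. The getent task names say the lookup exists for check mode; if that is the only intent, write the guard as `- not ansible_check_mode or groups_item in getent_group.keys()`. Otherwise an account missing from the SSH or sudo group would only be noticed when the user cannot log in or escalate.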


@ -1,38 +1,53 @@
---
- name: newaliases
command: smtpctl update table aliases
ansible.builtin.command: smtpctl update table aliases
- name: remount / noatime
command: mount -u -o noatime /
ansible.builtin.command: mount -u -o noatime /
args:
warn: false
- name: remount /var noatime
command: mount -u -o noatime /var
ansible.builtin.command: mount -u -o noatime /var
args:
warn: false
- name: remount /var/log noatime
ansible.builtin.command: mount -u -o noatime /var/log
args:
warn: false
- name: remount /usr noatime
command: mount -u -o noatime /usr
ansible.builtin.command: mount -u -o noatime /usr
args:
warn: false
- name: remount /usr/X11R6 noatime
ansible.builtin.command: mount -u -o noatime /usr/X11R6
args:
warn: false
- name: remount /usr/local noatime
ansible.builtin.command: mount -u -o noatime /usr/local
args:
warn: false
- name: remount /tmp noexec
command: mount -u -o noexec /tmp
ansible.builtin.command: mount -u -o noexec /tmp
args:
warn: false
- name: remount /tmp noatime
command: mount -u -o noatime /tmp
ansible.builtin.command: mount -u -o noatime /tmp
args:
warn: false
- name: remount /home noatime
command: mount -u -o noatime /home
ansible.builtin.command: mount -u -o noatime /home
args:
warn: false
- name: restart ntpd
service:
ansible.builtin.service:
name: ntpd
state: restarted
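Review bot: The three new remount handlers (/var/log, /usr/X11R6, /usr/local) copy `args:` / `warn: false` from the existing ones, but the `warn` parameter of the command module was deprecated in ansible-core 2.11 and removed in 2.14, where passing it makes the task fail. A failing handler here means the fstab option was written but never applied to the live mount. Dropping the `args:` / `warn: false` pair from every handler in this file, and from the `git log` and initial-commit tasks in the etc-git repository tasks further down, keeps them working on current controllers; a comment such as `# noqa: command-instead-of-module` covers the lint side if needed.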


@ -1,6 +1,6 @@
---
- name: "Customize PATH variable of root crontab"
cron:
ansible.builtin.cron:
name: PATH
env: true
value: "{{ cron_root_path }}"


@ -1,7 +1,7 @@
# yamllint disable rule:line-length
---
- name: "Configure doas"
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/doas.conf
owner: root
group: wheel
@ -24,5 +24,6 @@
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipmi_sensor
tags:
- doas
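Review bot: The new rule `permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipmi_sensor` has no `args` restriction, so the NRPE account may run the plugin as root with any command line. The plugin added in this same change set documents options that take file paths and pass-through FreeIPMI options (`-f`, `-O`, `-s`, `-sx`, `-xx`, `-us`), which is more than a monitoring check needs to expose. Pin the rule to the exact invocation, as the collectd rule for unbound-control does: `permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipmi_sensor args <ARGUMENTS_USED_BY_THE_NRPE_COMMAND>`. The plugin file should also be owned by root and not writable by `_nrpe`; the task that installs it is not visible here. The blockinfile task starts outside this hunk.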


@ -1,6 +1,6 @@
---
- name: "Customize root's .profile"
template:
ansible.builtin.template:
src: profile.j2
dest: /root/.profile
mode: "0644"
@ -9,7 +9,7 @@
- dotfiles
- name: "Copy vim default configuration"
copy:
ansible.builtin.copy:
src: vimrc
dest: /root/.vimrc
mode: "0644"
@ -18,7 +18,7 @@
- dotfiles
- name: "Customize .kshrc environment file"
template:
ansible.builtin.template:
src: kshrc.j2
dest: /root/.kshrc
mode: "0644"
@ -27,7 +27,7 @@
- dotfiles
- name: "Change default .profile skeleton"
template:
ansible.builtin.template:
src: profile.j2
dest: /etc/skel/.profile
mode: "0644"
@ -36,7 +36,7 @@
- dotfiles
- name: "Add evomaintenance trap .profile skeleton with doas"
lineinfile:
ansible.builtin.lineinfile:
state: present
dest: /etc/skel/.profile
mode: "0644"
@ -48,7 +48,7 @@
- dotfiles
- name: "Add vim configuration to dotfiles for new users"
copy:
ansible.builtin.copy:
src: vimrc
dest: /etc/skel/.vimrc
mode: "0644"
@ -57,7 +57,7 @@
- dotfiles
- name: "Customize .kshrc environment file for new users"
template:
ansible.builtin.template:
src: kshrc.j2
dest: /etc/skel/.kshrc
mode: "0644"


@ -1,6 +1,6 @@
---
- name: "Fetch fstab content"
command: "grep -v '^#' /etc/fstab"
ansible.builtin.command: "grep -v '^#' /etc/fstab"
check_mode: false
register: fstab_content
failed_when: false
@ -14,6 +14,7 @@
with_items:
- "/"
- "/var"
- "/var/log"
- "/usr"
- "/usr/X11R6"
- "/usr/local"


@ -1,7 +1,7 @@
# yamllint disable rule:line-length
---
- name: "{{ fstab_path }} partition is customized - softdep"
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+{{ fstab_path }}\s+ffs\s+rw)(.*)'
replace: '\1,softdep\2'
@ -13,7 +13,7 @@
- fstab
- name: "{{ fstab_path }} partition is customized - noatime"
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+{{ fstab_path }}\s+ffs\s+rw)(\S*)(\s+.*)'
replace: '\1\2,noatime\3'
@ -26,7 +26,7 @@
- fstab
- name: "{{ fstab_path }} partition is customized - noexec"
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+{{ fstab_path }}\s+ffs\s+rw(,softdep)*)(.*)'
replace: '\1,noexec\3'


@ -1,6 +1,6 @@
---
- name: "Fetch rc.local content"
command: "grep -v '^#' /etc/rc.local"
ansible.builtin.command: "grep -v '^#' /etc/rc.local"
check_mode: false
register: rclocal_content
failed_when: false
@ -9,7 +9,7 @@
- alerting
- name: "Configure rc.local"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/rc.local
line:
'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
@ -23,7 +23,7 @@
- alerting
- name: "Delete rc.local entry of boot/reboot not precising hostname"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/rc.local
regexp:
"^.* mail -s (?!.*of.*).+$"
@ -32,7 +32,7 @@
- alerting
- name: "Set root mail alias"
replace:
ansible.builtin.replace:
dest: /etc/mail/aliases
regexp: "# root:"
replace: "root: {{ general_alert_email }}"


@ -1,6 +1,6 @@
---
- name: "Customize newsyslog"
copy:
ansible.builtin.copy:
src: newsyslog.conf
dest: /etc/newsyslog.conf
mode: "0644"


@ -1,6 +1,6 @@
---
- name: "Customize ntpd conf"
template:
ansible.builtin.template:
src: ntpd.conf.j2
dest: /etc/ntpd.conf
owner: root


@ -1,7 +1,7 @@
---
- name: "Configure installurl"
copy:
ansible.builtin.copy:
content: "{{ evobsd_install_url }}\n"
dest: /etc/installurl
mode: "0644"
@ -9,7 +9,7 @@
- pkg
- name: "Install packages (vim rsync mtr etc)"
openbsd_pkg:
community.general.openbsd_pkg:
name:
- wget
- vim--no_x11
@ -20,11 +20,12 @@
- bash
- ncdu
- htop
ignore_errors: true
tags:
- pkg
- name: "Disable sndiod"
service:
ansible.builtin.service:
name: sndiod
enabled: false
state: stopped
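Review bot: `ignore_errors: true` on "Install packages" hides installation failures in normal runs as well, not only the check-mode failures the commit message cites. A host can then finish the play without bash, which the changelog says zzz_evobackup now needs, and nothing marks the run as failed. Limiting the exemption to check mode keeps the intent: `ignore_errors: "{{ ansible_check_mode }}"`.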


@ -1,6 +1,6 @@
---
- name: "Configure resolv.conf"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/resolv.conf
line: "lookup file bind"
insertbefore: BOF


@ -1,6 +1,6 @@
---
- name: "Configure sudoers umask"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/sudoers
insertafter: '# Defaults specification'
line: 'Defaults umask=0077'
@ -8,8 +8,17 @@
tags:
- sudo
- name: "Deactivate sudo insults"
ansible.builtin.lineinfile:
dest: /etc/sudoers
insertafter: 'Defaults umask=0077'
line: 'Defaults !insults'
validate: 'visudo -cf %s'
tags:
- sudo
- name: "Configure sudoers"
blockinfile:
ansible.builtin.blockinfile:
state: present
dest: /etc/sudoers
insertafter: EOF


@ -1,6 +1,6 @@
---
- name: "dump-server-state script is present"
copy:
ansible.builtin.copy:
src: "dump-server-state.sh"
dest: /usr/local/sbin/dump-server-state
force: true
@ -13,7 +13,7 @@
- utils
- name: "update-evobackup-canary script is present"
copy:
ansible.builtin.copy:
src: "update-evobackup-canary"
dest: /usr/local/bin/update-evobackup-canary
force: true


@ -1,6 +1,6 @@
---
- name: "Deploy bgp check script"
template:
ansible.builtin.template:
src: bgpd-check-peers.sh.j2
dest: /usr/share/scripts/bgpd-check-peers.sh
when: group_names | select('search','bgp') | list | count > 0
@ -8,7 +8,7 @@
- bgp
- name: "Cron job for bgp check script is installed"
cron:
ansible.builtin.cron:
name: bgp check
job: "/bin/sh /usr/share/scripts/bgpd-check-peers.sh"
when: group_names | select('search','bgp') | list | count > 0
@ -16,7 +16,7 @@
- bgp
- name: "Create bgp log directory"
file:
ansible.builtin.file:
path: /var/log/bgp
state: directory
when: group_names | select('search','bgp') | list | count > 0
@ -24,7 +24,7 @@
- bgp
- name: "Daily best routes cron job is installed"
cron:
ansible.builtin.cron:
name: bgp best routes
minute: 0
hour: 4
@ -36,7 +36,7 @@
- bgp
- name: "Weekly best routes clean up cron job is installed"
cron:
ansible.builtin.cron:
name: bgp best routes clean up
minute: 0
hour: 4


@ -1,5 +1,5 @@
---
- name: restart collectd
service:
ansible.builtin.service:
name: collectd
state: restarted


@ -1,13 +1,13 @@
# yamllint disable rule:line-length
---
- name: "Install Collectd package"
openbsd_pkg:
community.general.openbsd_pkg:
name: "collectd"
tags:
- collectd
- name: "Deploy Collectd configuration"
template:
ansible.builtin.template:
src: "collectd.conf.j2"
dest: "/etc/collectd.conf"
notify: restart collectd
@ -15,15 +15,26 @@
- collectd
- name: "Enabling Collectd"
service:
ansible.builtin.service:
name: collectd
enabled: true
when: not ansible_check_mode
tags:
- collectd
- name: "Fix rights for collectd directory"
ansible.builtin.file:
path: /usr/local/share/collectd
state: directory
owner: "root"
group: "wheel"
mode: "0755"
when: collectd_plugin_exec_ifq_drops or collectd_plugin_exec_dns_stats or collectd_plugin_exec_dhcp_pool
tags:
- collectd
- name: "Create scripts directory for exec plugins"
file:
ansible.builtin.file:
path: /usr/local/share/collectd/scripts
state: directory
owner: "root"
@ -34,7 +45,7 @@
- collectd
- name: "Copy ifq_drops.sh"
copy:
ansible.builtin.copy:
src: ifq_drops.sh
dest: /usr/local/share/collectd/scripts/ifq_drops.sh
owner: "root"
@ -46,7 +57,7 @@
- collectd
- name: "Remove ifq_drops.sh"
file:
ansible.builtin.file:
path: /usr/local/share/collectd/scripts/ifq_drops.sh
state: absent
when: not collectd_plugin_exec_ifq_drops
@ -54,7 +65,7 @@
- collectd
- name: "Copy dns_stats.sh"
copy:
ansible.builtin.copy:
src: dns_stats.sh
dest: /usr/local/share/collectd/scripts/dns_stats.sh
owner: "root"
@ -66,7 +77,7 @@
- collectd
- name: "Remove dns_stats.sh"
file:
ansible.builtin.file:
path: /usr/local/share/collectd/scripts/dns_stats.sh
state: absent
when: not collectd_plugin_exec_dns_stats
@ -74,7 +85,7 @@
- collectd
- name: "Add doas configuration for dns_stats.sh execution"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/doas.conf
line: 'permit nopass _collectd as root cmd /usr/sbin/unbound-control args stats'
when: collectd_plugin_exec_dns_stats
@ -82,7 +93,7 @@
- collectd
- name: "Copy dhcp_pool.pl"
copy:
ansible.builtin.copy:
src: dhcp_pool.pl
dest: /usr/local/share/collectd/scripts/dhcp_pool.pl
owner: "root"
@ -94,7 +105,7 @@
- collectd
- name: "Remove dhcp_pool.pl"
file:
ansible.builtin.file:
path: /usr/local/share/collectd/scripts/dhcp_pool.pl
state: absent
when: not collectd_plugin_exec_dhcp_pool
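Review bot: "Add doas configuration for dns_stats.sh execution" edits /etc/doas.conf with only `path` and `line`, so the resulting file is installed without a syntax check and without asserting its ownership. A broken doas.conf takes privilege escalation away from every account that depends on it, including the NRPE checks. Adding `validate: 'doas -C %s'` together with the `owner: root` and `group: wheel` already used by the "Configure doas" task would catch that before the file is replaced. The rule itself is already pinned with `args stats`, which is the right shape.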


@ -2,10 +2,11 @@
---
- name: "Execute ansible-commit"
command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\""
ansible.builtin.command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\""
changed_when:
- _ansible_commit.stdout
- "'CHANGED:' in _ansible_commit.stdout"
ignore_errors: true
register: _ansible_commit
tags: always
tags:
- always
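Review bot: `commit_message` is interpolated inside escaped double quotes in a free-form command string, so a message that itself contains a double quote changes how the line is split into arguments before ansible-commit receives it. Passing the arguments as a list removes that quoting layer: under `ansible.builtin.command:` use `argv: ['/usr/local/bin/ansible-commit', '--verbose', '--message', "{{ commit_message | mandatory }}"]`. Because the task also carries `ignore_errors: true`, a mis-parsed invocation would currently pass unnoticed.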


@ -1,7 +1,7 @@
---
- name: "Git is installed"
openbsd_pkg:
community.general.openbsd_pkg:
name: git
state: present
tags:


@ -12,7 +12,7 @@
- etc-git
- name: "Verify /usr/share/scripts presence"
stat:
ansible.builtin.stat:
path: /usr/share/scripts
register: _usr_share_scripts
tags:
@ -27,3 +27,10 @@
- _usr_share_scripts.stat.isdir
tags:
- etc-git
- include: repository.yml
vars:
repository_path: "/var/unbound/etc"
gitignore_items: []
tags:
- etc-git
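Review bot: Versioning /var/unbound/etc with `gitignore_items: []` commits everything in that directory; if unbound-control has been set up on a host, that would presumably include its private key files, which then stay in the history after rotation. Consider excluding them, for example `gitignore_items: ['*.key']`, adjusted to the files actually present. The repository tasks restrict `.git` to root with mode 0700, which narrows the exposure but does not remove the key material from the repository. Separately, the new entry uses bare `include:`, which the move to fully qualified names elsewhere in this series leaves out; `ansible.builtin.include_tasks: repository.yml` is the current form.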


@ -1,7 +1,7 @@
---
- name: "{{ repository_path }} is versioned with git"
command: "git init ."
ansible.builtin.command: "git init ."
args:
chdir: "{{ repository_path }}"
creates: "{{ repository_path }}/.git/"
@ -11,16 +11,17 @@
- etc-git
- name: "Git user.email is configured"
git_config:
community.general.git_config:
name: user.email
repo: "{{ repository_path }}"
scope: local
value: "root@{{ inventory_hostname }}.{{ general_technical_realm }}"
when: not ansible_check_mode
tags:
- etc-git
- name: "{{ repository_path }}/.git is restricted to root"
file:
ansible.builtin.file:
path: "{{ repository_path }}/.git"
owner: root
mode: "0700"
@ -28,34 +29,28 @@
tags:
- etc-git
- name: "{{ repository_path }}/.gitignore is present"
copy:
src: gitignore
dest: "{{ repository_path }}/.gitignore"
owner: root
mode: "0600"
force: false
tags:
- etc-git
- name: "Some entries MUST be in the {{ repository_path }}/.gitignore file"
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ repository_path }}/.gitignore"
line: "{{ item }}"
owner: root
mode: "0600"
create: true
loop: "{{ gitignore_items | default([]) }}"
tags:
- etc-git
- name: "Set vim as default editor"
git_config:
community.general.git_config:
name: core.editor
scope: global
value: vim
when: not ansible_check_mode
tags:
- etc-git
- name: "Does {{ repository_path }}/ have any commit?"
command: "git log"
ansible.builtin.command: "git log"
args:
chdir: "{{ repository_path }}"
warn: false
@ -67,7 +62,7 @@
- etc-git
- name: "Initial commit is present?"
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
ansible.builtin.shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
args:
chdir: "{{ repository_path }}"
warn: false


@ -2,7 +2,7 @@
---
- name: "evocommit script is installed"
copy:
ansible.builtin.copy:
src: evocommit
dest: /usr/local/bin/evocommit
mode: "0755"
@ -12,7 +12,7 @@
- etc-git-utils
- name: "ansible-commit script is installed"
copy:
ansible.builtin.copy:
src: ansible-commit
dest: /usr/local/bin/ansible-commit
mode: "0755"
@ -22,7 +22,7 @@
- etc-git-utils
- name: "etc-git-optimize script is installed"
copy:
ansible.builtin.copy:
src: etc-git-optimize
dest: /usr/share/scripts/etc-git-optimize
mode: "0755"
@ -32,7 +32,7 @@
- etc-git-utils
- name: "etc-git-status script is installed"
copy:
ansible.builtin.copy:
src: etc-git-status
dest: /usr/share/scripts/etc-git-status
mode: "0755"
@ -42,7 +42,7 @@
- etc-git-utils
- name: "Legacy monthly cron job for /etc/.git optimization is absent"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/monthly.local
line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet'
state: absent
@ -50,7 +50,7 @@
- etc-git
- name: "Legacy hourly cron job for /etc/.git status is absent"
cron:
ansible.builtin.cron:
name: git status
minute: "42"
job: who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short
@ -59,7 +59,7 @@
- etc-git
- name: "Legacy daily cron jobs for /etc/.git status are absent"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
line: "{{ item }}"
owner: root
@ -72,7 +72,7 @@
- etc-git
- name: "Cron job for monthly git optimization"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/monthly.local
line: "/usr/share/scripts/etc-git-optimize"
owner: root
@ -82,7 +82,7 @@
- etc-git
- name: "Cron job for monthly git optimization - next_part"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/monthly.local
line: 'next_part "Monthly optimization:"'
insertbefore: "/usr/share/scripts/etc-git-optimize"
@ -93,7 +93,7 @@
- etc-git
- name: "Cron job for hourly git status"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/hourly.local
line: "who > /dev/null || /usr/share/scripts/etc-git-status"
owner: root
@ -104,7 +104,7 @@
- etc-git
- name: "Cron job for hourly git status - next_part"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/hourly.local
line: 'next_part "Hourly warning for unclean Git repository if nobody is connected:"'
insertbefore: "who > /dev/null || /usr/share/scripts/etc-git-status"
@ -116,7 +116,7 @@
- etc-git
- name: "Cron job for daily git status"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
line: "/usr/share/scripts/etc-git-status"
owner: root
@ -127,7 +127,7 @@
- etc-git
- name: "Cron job for daily git status - next_part"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
line: 'next_part "Daily warning for unclean Git repository:"'
insertbefore: "/usr/share/scripts/etc-git-status"


@ -1,3 +1,3 @@
#!/bin/sh
update-evobackup-canary --who @daily


@ -1,8 +1,9 @@
# yamllint disable rule:line-length
---
# Info : old zzz_evobackup used sh, and since "sh" match "bash", we keep "sh" for regex commands
- name: "Copy zzz_evobackup script"
copy:
ansible.builtin.copy:
src: zzz_evobackup
dest: /usr/share/scripts/zzz_evobackup
owner: root
@ -13,7 +14,7 @@
- evobackup
- name: "Copy update-evobackup-canary script"
copy:
ansible.builtin.copy:
src: 000-update-evobackup-canary
dest: /usr/share/scripts/000-update-evobackup-canary
owner: root
@ -24,7 +25,7 @@
- evobackup
- name: "Fetch daily.local content"
command: 'grep "sh /usr/share/scripts/zzz_evobackup" /etc/daily.local'
ansible.builtin.command: 'grep "sh /usr/share/scripts/zzz_evobackup" /etc/daily.local'
check_mode: false
register: daily_local_content
failed_when: false
@ -33,7 +34,7 @@
- evobackup
- name: "Add evobackup cron (disabled)"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
line: '#bash /usr/share/scripts/zzz_evobackup'
owner: root
@ -45,7 +46,7 @@
- evobackup
- name: "Add evobackup cron - next_part"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
line: 'next_part "EvoBackup output:"'
insertbefore: 'sh /usr/share/scripts/zzz_evobackup'
@ -56,7 +57,7 @@
- evobackup
- name: "Add canary cron"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
line: 'sh /usr/share/scripts/000-update-evobackup-canary'
insertafter: 'next_part "EvoBackup output:"'
@ -67,7 +68,7 @@
- evobackup
- name: "Delete legacy evobackup root crontab"
lineinfile:
ansible.builtin.lineinfile:
path: /var/cron/tabs/root
regexp: '/usr/share/scripts/zzz_evobackup'
validate: /usr/bin/crontab %s


@ -1,11 +1,16 @@
---
- name: "Run evocheck"
command: "{{ evocheck_bin_dir }}/evocheck.sh"
ansible.builtin.command:
cmd: "{{ evocheck_bin_dir }}/evocheck.sh"
register: evocheck_run
changed_when: false
failed_when: false
check_mode: false
tags:
- evocheck-exec
- debug:
- ansible.builtin.debug:
var: evocheck_run.stdout_lines
when: evocheck_run.stdout | length != 0
when: evocheck_run.stdout | length > 0
tags:
- evocheck-exec


@ -1,7 +1,7 @@
# yamllint disable rule:line-length
---
- name: "Scripts dir is present"
file:
ansible.builtin.file:
path: "{{ evocheck_bin_dir }}"
state: directory
owner: root
@ -11,7 +11,7 @@
- evocheck
- name: "Copy evocheck.sh"
copy:
ansible.builtin.copy:
src: evocheck.sh
dest: "{{ evocheck_bin_dir }}/evocheck.sh"
mode: "0700"
@ -22,7 +22,7 @@
- evocheck-utils
- name: "Copy evocheck.cf"
copy:
ansible.builtin.copy:
src: evocheck.cf
dest: /etc/evocheck.cf
mode: "0644"
@ -31,7 +31,7 @@
- evocheck
- name: "Delete legacy evocheck cron"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
regexp: 'sh /usr/share/scripts/evocheck.sh --verbose --cron'
state: absent
@ -39,7 +39,7 @@
- evocheck
- name: "Add evocheck cron"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
insertbefore: BOF
line: 'sh /usr/share/scripts/evocheck.sh --verbose $cron_arg'
@ -50,7 +50,7 @@
- evocheck
- name: "Add evocheck cron - test for date"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
insertbefore: BOF
line: 'if [ $(date +%d) -eq "01" ]; then cron_arg=""; else cron_arg="--cron"; fi'
@ -61,7 +61,7 @@
- evocheck
- name: "Add evocheck cron - next_part"
lineinfile:
ansible.builtin.lineinfile:
path: /etc/daily.local
insertbefore: BOF
line: 'next_part "Evocheck output:"'


@ -1,6 +1,6 @@
---
- name: "Create scripts directory"
file:
ansible.builtin.file:
path: /usr/share/scripts/
state: directory
owner: root
@ -10,7 +10,7 @@
- evomaintenance
- name: "Copy evomaintenance script and template"
copy:
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: 'root'
@ -24,7 +24,7 @@
- evomaintenance-utils
- name: "Configure evomaintenance"
template:
ansible.builtin.template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root


@ -1,18 +1,20 @@
---
- name: "Enable IPv4 forwarding"
sysctl:
ansible.posix.sysctl:
name: net.inet.ip.forwarding
value: "1"
state: present
reload: true
tags:
- forwarding
- forwarding-v4
- name: "Enable IPv6 forwarding"
sysctl:
ansible.posix.sysctl:
name: net.inet6.ip6.forwarding
value: "1"
state: present
reload: true
tags:
- forwarding
- forwarding-v6


@ -1,6 +1,6 @@
---
- name: "Install logsentry"
openbsd_pkg:
community.general.openbsd_pkg:
name:
- logsentry--
state: present
@ -8,7 +8,7 @@
- logsentry
- name: "Copy logsentry script to /usr/share/scripts"
copy:
ansible.builtin.copy:
src: logsentry.sh
dest: /usr/share/scripts/logsentry.sh
owner: root
@ -18,7 +18,7 @@
- logsentry
- name: "Copy custom logsentry configuration files"
copy:
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/logsentry/{{ item }}"
owner: root
@ -32,12 +32,14 @@
- logsentry-config
- name: "Delete unused default script"
file:
ansible.builtin.file:
state: absent
path: /etc/logsentry/logsentry.sh
tags:
- logsentry
- name: "Hourly cron job for logsentry.sh is installed"
cron:
ansible.builtin.cron:
name: logsentry
minute: "11"
job: >


@ -0,0 +1,1074 @@
#!/usr/bin/perl
# check_ipmi_sensor: Nagios/Icinga plugin to check IPMI sensors
#
# Copyright (C) 2009-2019 Thomas-Krenn.AG,
# additional contributors see changelog.txt
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License along with
# this program; if not, see <http://www.gnu.org/licenses/>.
#
################################################################################
# The following guides provide helpful information if you want to extend this
# script:
# http://tldp.org/LDP/abs/html/ (Advanced Bash-Scripting Guide)
# http://www.gnu.org/software/gawk/manual/ (Gawk: Effective AWK Programming)
# http://de.wikibooks.org/wiki/Awk (awk Wikibook, in German)
# http://nagios.sourceforge.net/docs/3_0/customobjectvars.html (hints on
# custom object variables)
# http://nagiosplug.sourceforge.net/developer-guidelines.html (plug-in
# development guidelines)
# http://nagios.sourceforge.net/docs/3_0/pluginapi.html (plugin API)
################################################################################
use strict;
use warnings;
use Getopt::Long qw(:config no_ignore_case);
use IPC::Run qw( run ); #interact with processes
################################################################################
# set text variables
our $check_ipmi_sensor_version = "3.13";
sub get_version{
return <<EOT;
check_ipmi_sensor version $check_ipmi_sensor_version
Copyright (C) 2009-2019 Thomas-Krenn.AG
Current updates at https://github.com/thomas-krenn/check_ipmi_sensor_v3.git
EOT
}
sub get_usage{
return <<EOT;
Usage:
check_ipmi_sensor -H <hostname>
[-f <FreeIPMI config file> | -U <username> -P <password> -L <privilege level>]
[-O <FreeIPMI options>] [-b] [-T <sensor type(s)>] [-ST <SEL sensor type(s)>]
[-x <sensor id>] [-xT <sensor type(s)>] [-xST <SEL sensor type(s)]
[-i <sensor id>] [-o zenoss] [-D <protocol LAN version>] [-h] [-V]
[-fc <num_fans>] [--fru] [--nosel] [--selonly] [--seltail <count>]
[-sx|--selexclude <sel exclude file>] [-xx|--sexclude <exclude file>]
[-us|--unify-sensors <unify file>] [--nosudo [--nothresholds]
[--noentityabsent] [-s <ipmi-sensor output file>] [-h] [-V]
[-v|-vv|-vvv]
EOT
}
sub get_help{
return <<EOT;
[-H <hostname>]
hostname or IP of the IPMI interface.
For \"-H localhost\" or if no host is specified (local computer) the
Nagios/Icinga user must be allowed to run
ipmimonitoring/ipmi-sensors/ipmi-sel/[ipmi-fru] with root privileges
or via sudo (ipmimonitoring/ipmi-sensors/ipmi-sel/[ipmi-fru] must be
able to access the IPMI devices via the IPMI system interface).
[-f <FreeIPMI config file>]
path to the FreeIPMI configuration file.
Only neccessary for communication via network.
Not neccessary for access via IPMI system interface (\"-H localhost\").
It should contain IPMI username, IPMI password, and IPMI privilege-level,
for example:
username monitoring
password yourpassword
privilege-level user
As alternative you can use -U/-P/-L instead (see below).
[-U <username> -P <password> -L <privilege level>]
IPMI username, IPMI password and IPMI privilege level, provided as
parameters and not by a FreeIPMI configuration file. Useful for RHEL/
Centos 5.* with FreeIPMI 0.5.1 (this elder FreeIPMI version does not
support config files).
Warning: with this method the password is visible in the process list.
So whenever possible use a FreeIPMI confiugration file instead.
[-O <FreeIPMI options>]
additional options for FreeIPMI. Useful for RHEL/CentOS 5.* with
FreeIPMI 0.5.1 (this elder FreeIPMI version does not support config
files).
[-b]
backward compatibility mode for FreeIPMI 0.5.* (this omits the FreeIPMI
caching options --quiet-cache and --sdr-cache-recreate)
[-T <sensor type(s)>]
limit sensors to query based on IPMI sensor type.
Examples for IPMI sensor types are 'Fan', 'Temperature', 'Voltage', ...
See the output of the FreeIPMI command 'ipmi-sensors -L' and chapter
'42.2 Sensor Type Codes and Data' of the IPMI 2.0 spec for a full list
of possible sensor types. You can also find the full list of possible
sensor types at https://www.thomas-krenn.com/en/wiki/IPMI_Sensor_Types
The available types depend on your particular server and the available
sensors there.
Multiple sensor types can be specified as a comma-separated list.
[-ST <SEL sensor type(s)>]
limit SEL entries to specific types, run 'ipmi-sel -L' for a list of
types. All sensors are populated to the SEL and per default all sensor
types are monitored. E.g. to limit the sensor SEL types to Memory and
Processsor use -ST 'Memory,Processor'.
[-x <sensor id>]
exclude sensor matching <sensor id>. Useful for cases when unused
sensors cannot be deleted from SDR and are reported in a non-OK state.
Option can be specified multiple times. The <sensor id> is a numeric
value (sensor names are not used as some servers have multiple sensors
with the same name). Use -vvv option to query the <sensor ids>.
[-xT <sensor type(s)>]
exclude sensors based on IPMI sensor type.
Multiple sensor types can be specified as a comma-separated list.
[-xST <SEL sensor type(s)]
exclude SEL entries of specific sensor types.
Multiple sensor types can be specified as a comma-separated list.
[-i <sensor id>]
include only sensor matching <sensor id>. Useful for cases when only
specific sensors should be monitored. Be aware that only for the
specified sensor errors/warnings are generated. Use -vvv option to query
the <sensor ids>.
[-v|-vv|-vvv]
be verbose
(no -v) .. single line output
-v ..... single line output with additional details for warnings
-vv ..... multi line output, also with additional details for warnings
-vvv ..... debugging output, followed by normal multi line output
[-o]
change output format. Useful for using the plugin with other monitoring
software than Nagios or Icinga.
-o zenoss .. create ZENOSS compatible formatted output (output with
underscores instead of whitespaces and no single quotes)
[-D]
change the protocol LAN version. Normally LAN_2_0 is used as protocol
version if not overwritten with this option. Use 'default' here if you
don't want to use LAN_2_0.
[-fc <num fans>]
number of installed fans. If the number of current installed
fans reported by IPMI is not equal than <num fans> then a Warning state
is returned. Please use this option carefully as number of fans and
number of fan sensors can differ!
[--fru]
print the product serial number if it is available in the IPMI FRU data.
For this purpose the tool 'ipmi-fru' is used. E.g.:
IPMI Status: OK (9000096781)
[--nosel]
turn off system event log checking via ipmi-sel. If there are
unintentional entries in SEL, use 'ipmi-sel --clear' or the -sx or -xST
option.
[--selonly]
check only system event log checking via ipmi-sel. If there are
unintentional entries in SEL, use 'ipmi-sel --clear' or the -sx or -xST
option.
[--seltail <count>]
limit SEL output to specified count of last messages
[-sx|--selexclude <sel exclude file>]
use a sel exclude file to exclude entries from the system event log.
Specify name and type pipe delimitered in this file to exclude an entry,
for example: System Chassis Chassis Intru|Physical Security
To get valid names and types use the -vvv option and take a look at:
debug output for sel (-vvv is set). Don't use name and type from the
web interface as sensor descriptions are not complete there.
As with the '-xx' option if the first character of a line is '~' the
name is treated as a regular expression.
[-xx|--sexclude <exclude file>]
use an exclude file to exclude sensors, each line specifies an exclude.
Specify name and type pipe delimitered in this file to exclude a sensor,
for example: System Chassis Chassis Intru|Physical Security
If the first character of a line is '~' the name is treated as a regular
expression. E.g. to exclude all sensor names from CPU0 to CPU9:
~CPU[0-9] Temp|Temperature
To get valid names and types use the -vvv option.
[-us|--unify-sensors <unify file>]
use an unify file to unify sensor names. This is an easy way to rename
sensors with given patterns in the file. Once might use this option
to get the same sensor names accross different platforms, e.g. to only
have 'Mainboard Temperature' as sensor name and not 'MB1 Temperature' or 'System Temp'.
Rules in the file follow simple regex patterns e.g.:
^(MB1 Temperature|System Temp)\$/Mainboard Temperature
Temp\$/TEMP
[--nosudo]
turn off sudo usage on localhost or if ipmi host is ommited.
[--nothresholds]
turn off performance data thresholds from output-sensor-thresholds.
[--noentityabsent]
skip sensor checks for sensors that have 'noentityabsent' as event state
[-s <ipmi-sensor output file>]
simulation mode - test the plugin with an ipmi-sensor output redirected
to a file.
[-h]
show this help
[-V]
show version information
Examples:
\$ check_ipmi_sensor -H 192.0.2.1 -U monitor -P monitor -L user
IPMI Status: OK | 'System Temp'=30.00 'Peripheral Temp'=32.00
'FAN 1'=2775.00 [...]
\$ check_ipmi_sensor -H 192.0.2.1 -U monitor -P monitor -L user -x 205
IPMI Status: OK | 'System Temp'=30.00 'Peripheral Temp'=32.00
'FAN 2'=2775.00 [...]
\$ check_ipmi_sensor -H 192.0.2.1 -U monitor -P monitor -L user -i 4,71
IPMI Status: OK | 'System Temp'=30.00 'Peripheral Temp'=32.00
\$ check_ipmi_sensor -H 192.0.2.1 -U monitor -P monitor -L user -i 4 --fru
IPMI Status: OK (0000012345) | 'System Temp'=30.00
Further information about this plugin can be found at
http://www.thomas-krenn.com/en/wiki/IPMI_Sensor_Monitoring_Plugin
Use the github repo at https://github.com/thomas-krenn/check_ipmi_sensor_v3.git
to submit patches, suggest improvements or if you have questions regarding
use of this plugin.
Attention: the mailing list is no longer in use but an archive can be found at
http://lists.thomas-krenn.com/
EOT
}
sub usage{
my ($arg) = @_; #the list of inputs
my ($exitcode);
if ( defined $arg ){
if ( $arg =~ m/^\d+$/ ){
$exitcode = $arg;
}
else{
print STDOUT $arg, "\n";
$exitcode = 1;
}
}
print STDOUT get_usage();
exit($exitcode) if defined $exitcode;
}
################################################################################
# set ipmimonitoring path
our $MISSING_COMMAND_TEXT = '';
our $IPMICOMMAND ="";
if(-x "/usr/sbin/ipmimonitoring"){
$IPMICOMMAND = "/usr/sbin/ipmimonitoring";
}
elsif (-x "/usr/bin/ipmimonitoring"){
$IPMICOMMAND = "/usr/bin/ipmimonitoring";
}
elsif (-x "/usr/local/sbin/ipmimonitoring"){
$IPMICOMMAND = "/usr/local/sbin/ipmimonitoring";
}
elsif (-x "/usr/local/bin/ipmimonitoring"){
$IPMICOMMAND = "/usr/local/bin/ipmimonitoring";
}
else{
$MISSING_COMMAND_TEXT = " ipmimonitoring/ipmi-sensors command not found!\n";
}
# Identify the version of the ipmi-tool
sub get_ipmi_version{
my @ipmi_version_output = '';
my $ipmi_version = '';
@ipmi_version_output = `$IPMICOMMAND -V`;
$ipmi_version = shift(@ipmi_version_output);
$ipmi_version =~ /(\d+)\.(\d+)\.(\d+)/;
@ipmi_version_output = ();
push @ipmi_version_output,$1,$2,$3;
return @ipmi_version_output;
}
sub simulate{
my $output = '';
my $simul_file = $_[0];
if( !defined $simul_file || (-x '\"'.$simul_file.'\"')){
print "DEBUG: Using simulation file: $simul_file\n";
print "Error: Simulation file with ipmi output not found.\n";
exit(3);
}
return ($output = `cat $simul_file`);
}
sub get_fru{
my @frucmd = @{(shift)};
my $verbosity = shift;
my $fru;
if(-e '/usr/sbin/ipmi-fru'){
$fru = '/usr/sbin/ipmi-fru';
}
else{
chomp($fru = `which ipmi-fru`);
}
#if sudo is used the command is the second element
if($frucmd[0] eq 'sudo'){
$frucmd[1] = $fru;
}
else{
$frucmd[0] = $fru;
}
#skip checksum validation
push @frucmd,'-s';
my $fruoutput;
my $returncode;
run \@frucmd, '>&', \$fruoutput;
#the upper eight bits contain the error condition (exit code)
#see http://perldoc.perl.org/perlvar.html#Error-Variables
$returncode = $? >> 8;
if ( $returncode != 0 ){
print "$fruoutput\n";
print "-> Execution of $fru failed with return code $returncode.\n";
print "-> $fru was executed with the following parameters:\n";
print " ", join(' ', @frucmd), "\n";
exit(3);
}
if($verbosity == 3){
print "------------- debug output for fru (-vvv is set): ------------\n";
print " $fru was executed with the following parameters:\n";
print " ", join(' ', @frucmd), "\n";
print " output of FreeIPMI:\n";
print "$fruoutput";
}
return split('\n', $fruoutput);
}
sub get_sel{
my @selcmd = @{(shift)};
my $verbosity = shift;
my @sel_sensor_types = @{(shift)};
my @exclude_sel_sensor_types = @{(shift)};
my $sel;
if(-e '/usr/sbin/ipmi-sel'){
$sel = '/usr/sbin/ipmi-sel';
}
else{
chomp($sel = `which ipmi-sel`);
}
#if sudo is used the command is the second element
if($selcmd[0] eq 'sudo'){
$selcmd[1] = $sel;
}
else{
$selcmd[0] = $sel;
}
push @selcmd, '--output-event-state', '--interpret-oem-data', '--entity-sensor-names';
push @selcmd, '--sensor-types=' . join(',', @sel_sensor_types);
push @selcmd, '--exclude-sensor-types=' . join(',', @exclude_sel_sensor_types);
my $seloutput;
my $returncode;
run \@selcmd, '>&', \$seloutput;
$returncode = $? >> 8;
if ( $returncode != 0 ){
print "$seloutput\n";
print "-> Execution of $sel failed with return code $returncode.\n";
print "-> $sel was executed with the following parameters:\n";
print " ", join(' ', @selcmd), "\n";
exit(3);
}
if($verbosity == 3){
print "------------- debug output for sel (-vvv is set): ------------\n";
print " $sel was executed with the following parameters:\n";
print " ", join(' ', @selcmd), "\n";
print " output of FreeIPMI:\n";
print "$seloutput";
}
return split('\n', $seloutput);
}
sub parse_sel{
my $selcmd = shift;
my $verbosity = shift;
my $sel_xfile = shift;
my $sel_sensor_types = shift;
my $exclude_sel_sensor_types = shift;
my @seloutput = get_sel($selcmd, $verbosity, $sel_sensor_types, $exclude_sel_sensor_types);
@seloutput = map { [ map { s/^\s*//; s/\s*$//; $_; } split(m/\|/, $_) ] } @seloutput;
my $header = shift(@seloutput);
my @sel_rows;
foreach my $row (@seloutput){
my %curr_row;
for(my $i = 0; $i < scalar(@{$header}); $i++){
my $key = lc $header->[$i];
$curr_row{$key} = $row->[$i];
}
if(!(exclude_with_file($sel_xfile, $curr_row{'name'}, $curr_row{'type'}))){
push @sel_rows, \%curr_row;
}
}
return \@sel_rows;
}
sub get_dcmi{
my @dcmicmd = @{(shift)};
my $verbosity = shift;
my $dcmi;
if(-e '/usr/sbin/ipmi-dcmi'){
$dcmi = '/usr/sbin/ipmi-dcmi';
}
else{
chomp($dcmi = `which ipmi-dcmi`);
}
#if sudo is used the command is the second element
if($dcmicmd[0] eq 'sudo'){
$dcmicmd[1] = $dcmi;
}
else{
$dcmicmd[0] = $dcmi;
}
push @dcmicmd, '--get-system-power-statistics';
my $dcmioutput;
my $returncode;
run \@dcmicmd, '>&', \$dcmioutput;
$returncode = $? >> 8;
if ( $returncode == 0 ){
return split('\n', $dcmioutput);
}
}
sub parse_dcmi{
my $dcmicmd = shift;
my $verbosity = shift;
my @dcmioutput = get_dcmi($dcmicmd, $verbosity);
if(@dcmioutput){
@dcmioutput = map { [ map { s/^\s*//; s/\s*$//; $_; } split(m/\:/, $_) ] } @dcmioutput;
my %current_power;
my $power_available = 0;
foreach my $power (@dcmioutput){
if(defined($power) && defined($power->[0]) && $power->[0] ne ''){
if($power->[0] eq 'Current Power'){
$power->[1] =~ m/^(\d+)/;
my $watts = $1;
$current_power{'Current Power'} = $watts;
}
if($power->[0] eq 'Power Measurement'){
if($power->[1] eq 'Active'){
$power_available = 1;
}
}
}
}
if($power_available == 1){
return \%current_power;
}
}
}
# Excludes a name and type pair if it is present in the given file, pipe
# delimitered.
# @return 1 if name should be skipped, 0 if not
sub exclude_with_file{
my $file_name = shift;
my $name = shift;
my $type = shift;
my @xlist;
my $skip = 0;
if($file_name){
if(!(open (FH, "< $file_name"))){
print "-> Reading exclude file $file_name failed with: $!.\n";
exit(3);
};
@xlist = <FH>;
}
foreach my $exclude (@xlist){
my @curr_exclude = map { s/^\s*//; s/\s*$//; $_; } split(/\|/,$exclude);
if(@curr_exclude && $curr_exclude[0] ne '' && $curr_exclude[1] ne ''){
#if the first char of the name in the exclude file is a '~' treat it as regex
if(substr($curr_exclude[0], 0, 1 ) eq '~'){
my $regex_curr_exclude = substr $curr_exclude[0], 1;
if($name =~ m/$regex_curr_exclude/ && $curr_exclude[1] eq $type){
$skip = 1;
}
}
elsif($curr_exclude[0] eq $name && $curr_exclude[1] eq $type){
$skip = 1;
}
}
}
close FH;
return $skip;
}
# Reads regular expressions from a file and applies the rules to sensor names.
# This unifies sensor names across different platforms.
# @return The sensor name with specified unify rules applied
sub unify_with_file{
my $file_name = shift;
my $name = shift;# given sensor name
my @ulist;# list of rules to apply
if($file_name){
if(!(open (FH, "< $file_name"))){
print "-> Reading unify file $file_name failed with: $!.\n";
exit(3);
};
@ulist = <FH>;
}
foreach my $unify_rule (@ulist){
#split at the only / that is not masked with a \,
#this is the separator in s/x/y/g to get x and y
my @curr_rule = map { s/^\s*//; s/\s*$//; $_; } split(/(?<!\\)\//,$unify_rule);
if(@curr_rule && $curr_rule[0] ne '' && $curr_rule[1] ne ''){
$name =~ s/$curr_rule[0]/$curr_rule[1]/g;
}
}
close FH;
return $name;
}
#define entire hashes
our %hdrmap = (
'Record_ID' => 'id', # FreeIPMI ...,0.7.x
'Record ID' => 'id', # FreeIPMI 0.8.x,... with --legacy-output
'ID' => 'id', # FreeIPMI 0.8.x
'Sensor Name' => 'name',
'Name' => 'name', # FreeIPMI 0.8.x
'Sensor Group' => 'type',
'Type' => 'type', # FreeIPMI 0.8.x
'Monitoring Status' => 'state',
'State' => 'state', # FreeIPMI 0.8.x
'Sensor Units' => 'units',
'Units' => 'units', # FreeIPMI 0.8.x
'Sensor Reading' => 'reading',
'Reading' => 'reading', # FreeIPMI 0.8.x
'Event' => 'event', # FreeIPMI 0.8.x
'Lower C' => 'lowerC',
'Lower NC' => 'lowerNC',
'Upper C' => 'upperC',
'Upper NC' => 'upperNC',
'Lower NR' => 'lowerNR',
'Upper NR' => 'upperNR',
);
our $verbosity = 0;
MAIN: {
$| = 1; #force a flush after every write or print
my @ARGV_SAVE = @ARGV;#keep args for verbose output
my ($show_help, $show_version);
my ($ipmi_host, $ipmi_user, $ipmi_password, $ipmi_privilege_level, $ipmi_config_file, $ipmi_outformat);
my (@freeipmi_options, $freeipmi_compat);
my (@ipmi_sensor_types, @ipmi_exclude_sensor_types, @ipmi_xlist, @ipmi_ilist);
my (@ipmi_version);
my $ipmi_sensors = 0;#states to use ipmi-sensors instead of ipmimonitoring
my $fan_count;#number of fans that should be installed in unit
my $lanVersion;#if desired use a different protocol version
my $abort_text = '';
my $zenoss = 0;
my @sel_sensor_types;
my @exclude_sel_sensor_types;
my $sel_issues_present = 0;
my $simulate = '';
my ($use_fru, $no_sel, $sel_only, $sel_tail, $no_sudo, $use_thresholds, $no_thresholds, $sel_xfile, $s_xfile, $s_ufile, $no_entity_absent);
#read in command line arguments and init hash variables with the given values from argv
if ( !( GetOptions(
'H|host=s' => \$ipmi_host,
'f|config-file=s' => \$ipmi_config_file,
'U|user=s' => \$ipmi_user,
'P|password=s' => \$ipmi_password,
'L|privilege-level=s' => \$ipmi_privilege_level,
'O|options=s' => \@freeipmi_options,
'b|compat' => \$freeipmi_compat,
'T|sensor-types=s' => \@ipmi_sensor_types,
'xT|exclude-sensor-types=s' => \@ipmi_exclude_sensor_types,
'ST|sel-sensor-types=s' => \@sel_sensor_types,
'xST|exclude-sel-sensor-types=s' => \@exclude_sel_sensor_types,
'fru' => \$use_fru,
'nosel' => \$no_sel,
'selonly' => \$sel_only,
'seltail=s' => \$sel_tail,
'nosudo' => \$no_sudo,
'nothresholds' => \$no_thresholds,
'noentityabsent' => \$no_entity_absent,
'v|verbosity' => \$verbosity,
'vv' => sub{$verbosity=2},
'vvv' => sub{$verbosity=3},
'x|exclude=s' => \@ipmi_xlist,
'sx|selexclude=s' => \$sel_xfile,
'xx|sexclude=s' => \$s_xfile,
'us|unify-sensors=s'=> \$s_ufile,
'i|include=s' => \@ipmi_ilist,
'o|outformat=s' => \$ipmi_outformat,
'fc|fancount=i' => \$fan_count,
'D=s' => \$lanVersion,
's=s' => \$simulate,
'h|help' =>
sub{print STDOUT get_version();
print STDOUT "\n";
print STDOUT get_usage();
print STDOUT "\n";
print STDOUT get_help();
exit(0)
},
'V|version' =>
sub{
print STDOUT get_version();
exit(0);
},
'usage|?' =>
sub{print STDOUT get_usage();
exit(3);
}
) ) ){
usage(1);#call usage if GetOptions failed
}
usage(1) if @ARGV;#print usage if unknown arg list is left
################################################################################
# check for ipmimonitoring or ipmi-sensors. Since version > 0.8 ipmi-sensors is used
# if '--legacy-output' is given ipmi-sensors cannot be used
if( $MISSING_COMMAND_TEXT ne "" ){
print STDOUT "Error:$MISSING_COMMAND_TEXT";
exit(3);
}
else{
@ipmi_version = get_ipmi_version();
if( $ipmi_version[0] > 0 && (grep(/legacy\-output/,@freeipmi_options)) == 0){
$IPMICOMMAND =~ s/ipmimonitoring/ipmi-sensors/;
$ipmi_sensors = 1;
}
if( $ipmi_version[0] > 0 && (grep(/legacy\-output/,@freeipmi_options)) == 1){
print "Error: Cannot use ipmi-sensors with option \'--legacy-output\'. Remove it to work correctly.\n";
exit(3);
}
# check if output-sensor-thresholds can be used, this is supported
# since 1.2.1. Version 1.2.0 was not released, so skip the third minor
# version number
if($ipmi_version[0] > 1 || ($ipmi_version[0] == 1 && $ipmi_version[1] >= 2)){
$use_thresholds = 1;
}
else{
$use_thresholds = 0;
}
}
###############################################################################
# verify if all mandatory parameters are set and initialize various variables
#\s defines any whitespace characters
#first join the list, then split it at whitespace ' '
#also cf. http://perldoc.perl.org/Getopt/Long.html#Options-with-multiple-values
@freeipmi_options = split(/\s+/, join(' ', @freeipmi_options)); # a bit hack, shell word splitting should be implemented...
@ipmi_sensor_types = split(/,/, join(',', @ipmi_sensor_types));
@ipmi_exclude_sensor_types = split(/,/, join(',', @ipmi_exclude_sensor_types));
@sel_sensor_types = split(/,/, join(',', @sel_sensor_types));
@exclude_sel_sensor_types = split(/,/, join(',', @exclude_sel_sensor_types));
@ipmi_xlist = split(/,/, join(',', @ipmi_xlist));
@ipmi_ilist = split(/,/, join(',', @ipmi_ilist));
#check for zenoss output
if(defined $ipmi_outformat && $ipmi_outformat eq "zenoss"){
$zenoss = 1;
}
# Per default monitor all sensor types, use -ST to specify your sensor types
if(!@sel_sensor_types){
@sel_sensor_types = ('all');
}
# If -xST has not been set, set this array to empty.
if(!@exclude_sel_sensor_types){
@exclude_sel_sensor_types = ('');
}
# Define basic ipmi command
my @basecmd = $IPMICOMMAND;
# If host is omitted localhost is assumed, if not turned off sudo is used
if(!(defined $ipmi_host) || ($ipmi_host eq 'localhost')){
if(!defined($no_sudo)){
# Only add sudo if not already root
@basecmd = ($> != 0 ? 'sudo' : (), $IPMICOMMAND);
}
}
# If we are not local, we need authentication credentials
else{
# Add the ipmi desired host
push @basecmd, '-h', $ipmi_host;
if(defined $ipmi_config_file){
push @basecmd, '--config-file', $ipmi_config_file;
}
elsif(defined $ipmi_user && defined $ipmi_password && defined $ipmi_privilege_level ){
push @basecmd, '-u', $ipmi_user, '-p', $ipmi_password, '-l', $ipmi_privilege_level;
}
else{
$abort_text = $abort_text . " -f <FreeIPMI config file> or -U <username> -P <password> -L <privilege level>";
}
if( $abort_text ne ""){
print STDOUT "Error: " . $abort_text . " missing.";
print STDOUT get_usage();
exit(3);
}
}
# copy command for fru usage
my @frucmd;
if($use_fru){
@frucmd = @basecmd
}
my @selcmd = @basecmd;
my @dcmicmd = @basecmd;
if(@ipmi_sensor_types){
# , is the seperator in the new string
# -g option is older name for ipmi-sensors -t or --sensor-types and
# compatible with both older and newer version of FreeIPMI
push @basecmd, '-g', join(',', @ipmi_sensor_types);
}
# add sensor types to exclude
if(@ipmi_exclude_sensor_types){
push @basecmd, '--exclude-sensor-types', join(',', @ipmi_exclude_sensor_types);
}
if(@freeipmi_options){
push @basecmd, @freeipmi_options;
}
#keep original basecmd for later usage
my @getstatus = @basecmd;
#if -b is not defined, caching options are used
if( !(defined $freeipmi_compat) ){
push @getstatus, '--quiet-cache', '--sdr-cache-recreate';
}
#since version 0.8 it is possible to interpret OEM data
if( ($ipmi_version[0] == 0 && $ipmi_version[1] > 7) ||
$ipmi_version[0] > 0){
push @getstatus, '--interpret-oem-data';
}
#since version 0.8 it is necessary to add the legacy option
if( ($ipmi_version[0] == 0 && $ipmi_version[1] > 7) && (grep(/legacy\-output/,@freeipmi_options) == 0)){
push @getstatus, '--legacy-output';
}
#if ipmi-sensors is used show the state of sensors and ignore N/A
if($ipmi_sensors){
push @getstatus, '--output-sensor-state', '--ignore-not-available-sensors';
}
#if not stated otherwise we use protocol lan version 2 per default
if(!defined($lanVersion)){
$lanVersion = 'LAN_2_0';
}
if($lanVersion ne 'default' && defined $ipmi_host && $ipmi_host ne 'localhost'){
push @getstatus, "--driver-type=$lanVersion";
if(!$no_sel){
push @selcmd, "--driver-type=$lanVersion";
}
if($use_fru){
push @frucmd, "--driver-type=$lanVersion";
}
}
if($use_thresholds && !$no_thresholds){
push @getstatus, '--output-sensor-thresholds';
}
if(defined($sel_tail)){
push @selcmd, "--tail=$sel_tail";
}
################################################################################
#execute status command and redirect stdout and stderr to ipmioutput
my $ipmioutput;
my $returncode;
if ($sel_only){
$returncode = 0;
}
elsif(!$simulate){
run \@getstatus, '>&', \$ipmioutput;
#the upper eight bits contain the error condition (exit code)
#see http://perldoc.perl.org/perlvar.html#Error-Variables
$returncode = $? >> 8;
}
else{
$ipmioutput = simulate($simulate);
print "DEBUG: Using simulation mode\n";
$returncode = 0;
}
my @fruoutput;
if($use_fru){
@fruoutput = get_fru(\@frucmd, $verbosity);
}
my $seloutput;
if(!$no_sel){
$seloutput = parse_sel(\@selcmd, $verbosity, $sel_xfile, \@sel_sensor_types, \@exclude_sel_sensor_types);
}
my $dcmioutput;
$dcmioutput = parse_dcmi(\@dcmicmd, $verbosity);
################################################################################
# print debug output when verbosity is set to 3 (-vvv)
if ( $verbosity == 3 && !$sel_only ){
my $ipmicommandversion;
run [$IPMICOMMAND, '-V'], '2>&1', '|', ['head', '-n', 1], '&>', \$ipmicommandversion;
#remove trailing newline with chomp
chomp $ipmicommandversion;
print "------------- debug output for sensors (-vvv is set): ------------\n";
print " script was executed with the following parameters:\n";
print " $0 ", join(' ', @ARGV_SAVE), "\n";
print " check_ipmi_sensor version:\n";
print " $check_ipmi_sensor_version\n";
print " FreeIPMI version:\n";
print " $ipmicommandversion\n";
print " FreeIPMI was executed with the following parameters:\n";
print " ", join(' ', @getstatus), "\n";
print " FreeIPMI return code: $returncode\n";
print " output of FreeIPMI:\n";
print "$ipmioutput\n";
print "--------------------- end of debug output ---------------------\n";
}
################################################################################
# generate main output
if ( $returncode != 0 ){
print "$ipmioutput\n";
print "-> Execution of $IPMICOMMAND failed with return code $returncode.\n";
print "-> $IPMICOMMAND was executed with the following parameters:\n";
print " ", join(' ', @getstatus), "\n";
exit(3);
}
else{
my @outputRows;
if(defined($ipmioutput)){
@outputRows = split('\n', $ipmioutput);
}
if(!$sel_only && (!defined($ipmioutput) || scalar(@outputRows) == 1)){
print "-> Your server seems to be powered off.";
print " (Execution of FreeIPMI returned an empty output or only 1 header row!)\n";
print "-> $IPMICOMMAND was executed with the following parameters:\n";
print " ", join(' ', @getstatus), "\n";
exit(3);
}
#print desired filter types
if ( @ipmi_sensor_types ){
print "Sensor Type(s) ", join(', ', @ipmi_sensor_types), " Status: ";
}
elsif ($sel_only){
print "SEL Status: ";
}
else{
print "IPMI Status: ";
}
#start with main output
my $exit = 0;
my $w_sensors = '';#sensors with warnings
my $sel_w_sensors = '';#verbose output for sel entries with warnings
my $perf = '';#performance sensor
my $curr_fans = 0;
my @ipmioutput2;#filtered original ipmi output
#skip ipmi output, if only SEL queried
if (!$sel_only){
#split at newlines, fetch array with lines of output
my @ipmioutput = split('\n', $ipmioutput);
#remove sudo errors and warnings like they appear on dns resolving issues
@ipmioutput = map { /^sudo:/ ? () : $_ } @ipmioutput;
#remove leading and trailing whitespace characters, split at the pipe delimiter
@ipmioutput = map { [ map { s/^\s*//; s/\s*$//; $_; } split(m/\|/, $_) ] } @ipmioutput;
#shift out the header as it is the first line
my $header = shift @ipmioutput;
if(!defined($header)){
print "$ipmioutput\n";
print " FreeIPMI returned an empty header map (first line)";
if(@ipmi_sensor_types){
print " FreeIPMI could not find any sensors for the given sensor type (option '-T').\n";
}
exit(3);
}
my %header;
for(my $i = 0; $i < @$header; $i++)
{
#assigning %header with (key from hdrmap) => $i
#checking at which position in the header is which key
$header{$hdrmap{$header->[$i]}} = $i;
}
foreach my $row ( @ipmioutput ){
my %row;
#fetch keys from header and assign existent values to row
#this maps the values from row(ipmioutput) to the header values
while ( my ($key, $index) = each %header ){
#check if the option to unify sensor names is active
if($key eq 'name' && $s_ufile && $s_ufile ne ''){
$row{$key} = unify_with_file($s_ufile, $row->[$index]);
}
else{
$row{$key} = $row->[$index];
}
}
if(!(exclude_with_file($s_xfile, $row{'name'}, $row{'type'}))){
push @ipmioutput2, \%row;
}
}
#create hash with sensor name an 1
my %ipmi_xlist = map { ($_, 1) } @ipmi_xlist;
#filter out the desired sensor values
@ipmioutput2 = grep(!exists $ipmi_xlist{$_->{'id'}}, @ipmioutput2);
#check for an include list
if(@ipmi_ilist){
my %ipmi_ilist = map { ($_, 1) } @ipmi_ilist;
#only include sensors from include list
@ipmioutput2 = grep(exists $ipmi_ilist{$_->{'id'}}, @ipmioutput2);
}
foreach my $row ( @ipmioutput2 ){
if( $zenoss ){
$row->{'name'} =~ s/ /_/g;
}
my $check_sensor_state = 1;
if($no_entity_absent){
if(exists $row->{'event'} && ($row->{'event'} =~ /\'.*((Device|Entity) (Absent|Removed)).*\'/)){
$check_sensor_state = 0;
}
if(exists $row->{'reading'} && ($row->{'reading'} =~ /\'.*((Device|Entity) (Absent|Removed)).*\'/)){
$check_sensor_state = 0;
}
}
#check for warning sensors
if($check_sensor_state && ($row->{'state'} ne 'Nominal' && $row->{'state'} ne 'N/A')){
$exit = 1 if $exit < 1;
$exit = 2 if $exit < 2 && $row->{'state'} ne 'Warning';
#don't insert a , the first time
$w_sensors .= ", " unless $w_sensors eq '';
$w_sensors .= "$row->{'name'} = $row->{'state'}";
if( $verbosity ){
if( $row->{'reading'} ne 'N/A'){
$w_sensors .= " ($row->{'reading'})" ;
}
else{
$w_sensors .= " ($row->{'event'})";
}
}
}
if($check_sensor_state && ($row->{'units'} ne 'N/A')){
my $val = $row->{'reading'};
my $perf_data;
my $perf_thresholds;
if($zenoss){
$perf_data = $row->{'name'}."=".$val;
}
else{
$perf_data = "'".$row->{'name'}."'=".$val;
}
if($use_thresholds && !$no_thresholds){
if(($row->{'lowerNC'} ne 'N/A') && ($row->{'upperNC'} ne 'N/A')){
$perf_thresholds = $row->{'lowerNC'}.":".$row->{'upperNC'}.";";
}
elsif(($row->{'lowerNC'} ne 'N/A') && ($row->{'upperNC'} eq 'N/A')){
$perf_thresholds = $row->{'lowerNC'}.":;";
}
elsif(($row->{'lowerNC'} eq 'N/A') && ($row->{'upperNC'} ne 'N/A')){
$perf_thresholds = "~:".$row->{'upperNC'}.";";
}
elsif(($row->{'lowerNC'} eq 'N/A') && ($row->{'upperNC'} eq 'N/A')){
$perf_thresholds = ";";
}
if(($row->{'lowerC'} ne 'N/A') && ($row->{'upperC'} ne 'N/A')){
$perf_thresholds .= $row->{'lowerC'}.":".$row->{'upperC'};
}
elsif(($row->{'lowerC'} ne 'N/A') && ($row->{'upperC'} eq 'N/A')){
$perf_thresholds .= $row->{'lowerC'}.":";
}
elsif(($row->{'lowerC'} eq 'N/A') && ($row->{'upperC'} ne 'N/A')){
$perf_thresholds .= "~:".$row->{'upperC'};
}
# Add thresholds to performance data
if(($row->{'lowerNC'} ne 'N/A') || ($row->{'upperNC'} ne 'N/A') ||
($row->{'lowerC'} ne 'N/A') || ($row->{'upperC'} ne 'N/A')){
$perf_data .= ";".$perf_thresholds;
}
}
$perf .= $perf_data." ";
}
if( $row->{'type'} eq 'Fan' && $row->{'reading'} ne 'N/A' ){
$curr_fans++;
}
}
}
foreach my $row (@{$seloutput}){
if( $zenoss ){
$row->{'name'} =~ s/ /_/g;
}
if ($row->{'state'} ne 'Nominal'){
$sel_issues_present += 1;
$exit = 1 if $exit < 1;
$exit = 2 if $exit < 2 && $row->{'state'} ne 'Warning';
if( $verbosity ){
$sel_w_sensors .= ", " unless $sel_w_sensors eq '';
$sel_w_sensors .= "($row->{'name'} = $row->{'state'},";
$sel_w_sensors .= " $row->{'type'}," ;
$sel_w_sensors .= " $row->{'event'})" ;
}
}
}
if ( $sel_issues_present ){
$w_sensors .= ", " unless $w_sensors eq '';
if ( $sel_issues_present == 1 ){
$w_sensors .= "1 system event log (SEL) entry present";
}else{
$w_sensors .= $sel_issues_present." system event log (SEL) entries present";
}
if( $verbosity ){
$w_sensors .= " - details: ";
$w_sensors .= $sel_w_sensors;
$w_sensors .= " - fix the reported issues and clear your SEL";
$w_sensors .= " or exclude specific SEL entries using the -sx or -xST option";
}
}
#now check if num fans equals desired unit fans
if( $fan_count ){
if( $curr_fans < $fan_count ){
$exit = 1 if $exit < 1;
$w_sensors .= ", " unless $w_sensors eq '';
$w_sensors .= "Fan = Warning";
if( $verbosity ){
$w_sensors .= " ($curr_fans)" ;
}
}
}
#check for the FRU serial number
my @server_serial;
my $serial_number;
if( $use_fru ){
@server_serial = grep(/Product Serial Number/,@fruoutput);
if(@server_serial){
$server_serial[0] =~ m/(\d+)/;
$serial_number = $1;
}
}
if(defined($dcmioutput) && $dcmioutput ne ''){
my $power_perf = '';
if(exists $dcmioutput->{'Current Power'}){
my $power_key = 'Current Power';
if($s_ufile && $s_ufile ne ''){
$power_key = unify_with_file($s_ufile, $power_key);
}
if( $zenoss ){
$power_key =~ s/ /_/g;
}
$power_perf = "\'$power_key\'=" . $dcmioutput->{'Current Power'};
}
$perf = $power_perf . ' ' . $perf;
}
$perf = substr($perf, 0, -1);#cut off the last chars
if ( $exit == 0 ){
print "OK";
}
elsif ( $exit == 1 ){
print "Warning [$w_sensors]";
}
else{
print "Critical [$w_sensors]";
}
if( $use_fru && defined($serial_number)){
print " ($serial_number)";
}
print " | ", $perf if $perf ne '';
print "\n";
if ( $verbosity > 1 ){
foreach my $row (@ipmioutput2){
if( $row->{'state'} eq 'N/A'){
next;
}
elsif( $row->{'reading'} ne 'N/A'){
print "$row->{'name'} = $row->{'reading'} ";
}
elsif( $row->{'event'} ne 'N/A'){
print "$row->{'name'} = $row->{'event'} ";
}
else{
next;
}
print "(Status: $row->{'state'})\n";
}
}
exit $exit;
}
};


@ -1,5 +1,6 @@
---
- name: restart nrpe
service:
ansible.builtin.service:
name: nrpe
state: restarted
when: nrpe_exists.stat.exists


@ -1,7 +1,7 @@
# yamllint disable rule:line-length
---
- name: "Install nrpe"
openbsd_pkg:
community.general.openbsd_pkg:
name:
- nrpe--
state: present
@ -9,7 +9,7 @@
- nagios-nrpe
- name: "Install monitoring packages"
openbsd_pkg:
community.general.openbsd_pkg:
name:
- monitoring-plugins
- check_bioctl
@ -18,7 +18,7 @@
- nagios-nrpe
- name: "Create nrpe.d dir"
file:
ansible.builtin.file:
path: /etc/nrpe.d
state: directory
owner: root
@ -28,14 +28,20 @@
- nagios-nrpe
- name: "Include nrpe.d dir in nrpe.cfg"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/nrpe.cfg
line: 'include_dir=/etc/nrpe.d'
create: true
tags:
- nagios-nrpe
- name: "Check if nrpe service exists, for usage in check_mode"
stat:
path: /etc/rc.d/nrpe
register: nrpe_exists
- name: "Custom configuration is present"
blockinfile:
ansible.builtin.blockinfile:
block: "{{ lookup('template', 'evolix_bsd.cfg.j2') }}"
path: /etc/nrpe.d/evolix.cfg
marker: "## {mark} ANSIBLE MANAGED BLOCK : Custom NRPE configuration file from EvoBSD"
@ -46,46 +52,8 @@
tags:
- nagios-nrpe
- name: "Fetch nrpe config content"
command: 'grep "allowed_hosts=" /etc/nrpe.d/evolix.cfg'
check_mode: false
register: nrpe_config_content
failed_when: false
changed_when: false
tags:
- nagios-nrpe
- name: "Allow NRPE hosts - if no allowed_hosts configured"
lineinfile:
dest: /etc/nrpe.d/evolix.cfg
insertbefore: BOF
regex: "allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}"
line: 'allowed_hosts={{ nagios_nrpe_allowed_hosts | join(",") }}'
when: nrpe_config_content.rc != 0
tags:
- nagios-nrpe
- name: "Allow NRPE hosts - if allowed_hosts already configured : keep added IP"
lineinfile:
dest: /etc/nrpe.d/evolix.cfg
backrefs: true
insertbefore: BOF
regex: "allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}(.*)*"
line: 'allowed_hosts={{ nagios_nrpe_allowed_hosts | join(",") }}\1'
when: nrpe_config_content.rc == 0
tags:
- nagios-nrpe
- name: "Allow NRPE hosts - add comment"
lineinfile:
dest: /etc/nrpe.d/evolix.cfg
insertbefore: BOF
line: "# Allowed IPs"
tags:
- nagios-nrpe
- name: "Create nrpe plugins dir"
file:
ansible.builtin.file:
path: /usr/local/libexec/nagios/plugins/
state: directory
owner: root
@ -95,7 +63,7 @@
- nagios-nrpe
- name: "Nagios plugins are installed"
copy:
ansible.builtin.copy:
src: plugins_bsd/{{ item.name }}
dest: /usr/local/libexec/nagios/plugins/{{ item.name }}
owner: root
@ -116,13 +84,14 @@
- {name: 'check_mailq.pl', force: true}
- {name: 'check_dhcp_pool', force: false}
- {name: 'check_dhcpd.sh', force: false}
- {name: 'check_ipmi_sensor', force: true}
notify: restart nrpe
tags:
- nagios-nrpe
- nagios-nrpe-utils
- name: "Nagios plugins are installed - template"
template:
ansible.builtin.template:
src: plugins_bsd/{{ item.name }}.j2
dest: /usr/local/libexec/nagios/plugins/{{ item.name }}
owner: root
@ -137,9 +106,10 @@
- nagios-nrpe-utils
- name: "Starting and enabling nrpe"
service:
ansible.builtin.service:
name: nrpe
enabled: true
state: started
when: nrpe_exists.stat.exists
tags:
- nagios-nrpe
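Review bot: The new "Check if nrpe service exists, for usage in check_mode" task has no `tags:` entry, while the other tasks visible in this file are tagged `nagios-nrpe`, so a run limited with `--tags nagios-nrpe` skips it and never registers `nrpe_exists`. The `when: nrpe_exists.stat.exists` added to "Starting and enabling nrpe", and the same condition on the `restart nrpe` handler, would then fail on an undefined variable instead of guarding the service. I would give the stat task the same `tags:` entry (`- nagios-nrpe`) as its neighbours. It should also be written as `ansible.builtin.stat:`, since it is the one module in these hunks left in short form by the FQCN conversion.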


@ -1,3 +1,6 @@
# Allowed IPs
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
{% if ansible_distribution_version is version_compare("7.2",'>=') %}
# Allow older cipher suites for older Icinga version
ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
@ -45,3 +48,4 @@ command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_co
command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh
command[check_dhcpd]=/usr/local/libexec/nagios/plugins/check_dhcpd.sh
command[check_dhcp_pool]=/usr/local/libexec/nagios/plugins/check_dhcp_pool
command[check_ipmi_sensors]=doas /usr/local/libexec/nagios/plugins/check_ipmi_sensor
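Review bot: Moving `allowed_hosts=` into the templated block does not remove the `# Allowed IPs` and `allowed_hosts=` lines that the deleted lineinfile tasks wrote at the top of /etc/nrpe.d/evolix.cfg, so already-deployed hosts may end up with two `allowed_hosts` directives if those lines sit outside the managed block markers. Stale or hand-added addresses could then stay in the NRPE access list without appearing in inventory, or the old line could interact with the new one; how NRPE treats a repeated directive should be confirmed. I would add a one-off cleanup task that drops any `allowed_hosts=` line outside the ANSIBLE MANAGED BLOCK, and note in the changelog that extra addresses now belong in `nagios_nrpe_additional_allowed_hosts`. The rendered line joins only `nagios_nrpe_allowed_hosts`; presumably the additional variable is merged into it in the role defaults, which are not visible here.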


@ -1,6 +1,6 @@
---
- name: "Deploy ospf check scripts"
template:
ansible.builtin.template:
src: "{{ item }}.j2"
dest: /usr/share/scripts/{{ item }}
with_items:
@ -11,7 +11,7 @@
- ospf
- name: "Cron job for ospf check scripts is installed"
cron:
ansible.builtin.cron:
name: "{{ item }} check"
job: "/bin/sh /usr/share/scripts/{{ item }}-check-peers.sh"
with_items:


@ -1,6 +1,6 @@
---
- name: "Setup pf.conf"
template:
ansible.builtin.template:
src: pf.conf.j2
dest: /etc/pf.conf
mode: "0600"


@ -1,6 +1,6 @@
---
- name: "Copy generateldif.sh"
template:
ansible.builtin.template:
src: generateldif.sh.j2
dest: '{{ general_scripts_dir }}/generateldif.sh'
owner: root
@ -11,7 +11,7 @@
- generateldif
- name: "Run generateldif"
command: '{{ general_scripts_dir }}/generateldif.sh'
ansible.builtin.command: '{{ general_scripts_dir }}/generateldif.sh'
register: generateldif_run
changed_when: false
failed_when: false
@ -21,7 +21,7 @@
- generateldif
- generateldif-exec
- debug:
- ansible.builtin.debug:
var: generateldif_run.stdout_lines
verbosity: 1
tags:


@ -1,6 +1,6 @@
---
- name: "Deploy dynamic motd script for CARP master or backup"
copy:
ansible.builtin.copy:
src: motd-carp-state.sh
dest: /usr/share/scripts/motd-carp-state.sh
force: true
@ -13,7 +13,7 @@
- motd-utils
- name: "Fetch root crontab content"
command: >
ansible.builtin.command: >
grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root
check_mode: false
register: root_crontab_content
@ -24,10 +24,10 @@
- motd
- name: "Cron job for dynamic motd script is installed"
cron:
ansible.builtin.cron:
name: dynamic motd for CARP
job: "/bin/sh /usr/share/scripts/motd-carp-state.sh"
minute: "0"
minute: "*/10"
disabled: true
when:
- not (root_crontab_content.stdout
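Review bot: The schedule change to `minute: "*/10"` probably never reaches hosts that already have the job, because this task is guarded by a `when:` built on the grep of /var/cron/tabs/root for the same command line. The condition continues past the end of the hunk, so this is inferred rather than certain. If it holds, those hosts keep the hourly `0` entry. If the ten-minute interval is meant to apply everywhere, the guard needs to tell "entry present" apart from "entry present with the old schedule", or the changelog should say that existing crontabs have to be updated by hand.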


@ -1,6 +1,6 @@
---
- name: "Check and install updates (erratas) if available"
command: /usr/sbin/syspatch
ansible.builtin.command: /usr/sbin/syspatch
ignore_errors: true
when: ansible_distribution_version is version_compare("6.1",'>=')
tags:


@ -14,7 +14,7 @@
- vars/evolix-main.yml
pre_tasks:
- include_role:
- ansible.builtin.include_role:
name: etc-git
tasks_from: commit.yml
vars:
@ -31,7 +31,7 @@
- post-install
post_tasks:
- include_role:
- ansible.builtin.include_role:
name: etc-git
tasks_from: commit.yml
vars:
@ -39,6 +39,6 @@
when: not ansible_check_mode
tags: always
- include_role:
- ansible.builtin.include_role:
name: evocheck
tasks_from: exec.yml