From c310482ba6d3e948d963bb8c3cf7355291e1debc Mon Sep 17 00:00:00 2001
From: William Hirigoyen <whirigoyen+git@evolix.fr>
Date: Thu, 15 Sep 2022 10:25:06 +0200
Subject: [PATCH] domains: revert commits moved to dev branch domains

---
 CHANGELOG.md                                  |   2 -
 evolinux-base/files/domains.py                | 325 ------------------
 evolinux-base/tasks/domains.yml               |   8 -
 nagios-nrpe/README.md                         |   6 -
 nagios-nrpe/files/plugins/check_domains       |  14 -
 nagios-nrpe/tasks/configure_check_domains.yml |  25 --
 nagios-nrpe/tasks/main.yml                    |   1 -
 nagios-nrpe/templates/evolix.cfg.j2           |   1 -
 8 files changed, 382 deletions(-)
 delete mode 100755 evolinux-base/files/domains.py
 delete mode 100644 evolinux-base/tasks/domains.yml
 delete mode 100755 nagios-nrpe/files/plugins/check_domains
 delete mode 100644 nagios-nrpe/tasks/configure_check_domains.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 009f5625..067a2bf2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * php: install php-xml with recent PHP versions
 * vrrp: add an `ip.yml` task file to help create VRRP addresses
 * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
-* inspect-domains: Add role
 * memcached: NRPE check for multi-instance setup
 * proftpd: Add options to override configs (and add a warning if file was overriden)
 * proftpd: Allow user auth with ssh keys
@@ -28,7 +27,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * generate-ldif: Support any MariaDB version
 * minifirewall: use handlers to restart minifirewall
 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
-* nagios-nrpe: Add check_domains
 * generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) 
 * openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
 * nagios-nrpe: Upgrade check_mongo
diff --git a/evolinux-base/files/domains.py b/evolinux-base/files/domains.py
deleted file mode 100755
index 23dd28ee..00000000
--- a/evolinux-base/files/domains.py
+++ /dev/null
@@ -1,325 +0,0 @@
-#!/usr/bin/python3
-# 
-# Vérifie si les domaines listés dans les configurations de Apache,
-# Nginx et Haproxy pointent bien sur le serveur.
-# 
-# Développé par Will
-# 
-
-list_domains_path = '/usr/local/sbin/list_domains.py'
-excludes_path = '/etc/nagios/domains_exclude.list'
-includes_path = '/etc/nagios/domains_include.list'
-
-import os
-import sys
-import re
-import subprocess
-import threading
-import time
-import argparse
-import json
-
-#import importlib.machinery
-#list_domains = importlib.machinery.SourceFileLoader('list_domains.py', list_domains_path).load_module()
-
-
-def execute(cmd):
-    """Execute Bash command cmd.
-    Return stdout and stderr as arrays of UTF-8 strings."""
-
-    proc = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-    stdout, stderr = proc.communicate()
-
-    stdout_lines = stdout.decode('utf-8').splitlines()
-    stderr_lines = stderr.decode('utf-8').splitlines()
-
-    return stdout_lines, stderr_lines
-
-
-def get_my_ips():
-    """Return localhost IPs."""
-    stdout, stderr = execute('hostname -I')
-    if not stdout:
-        return []
-    return stdout[0].strip(' \t').split()
-
-
-def dig(domain):
-    """Return dig +short result on domain as a list."""
-    stdout, stderr = execute('dig +short {}'.format(domain))
-    return stdout
-
-
-def strip_comments(string):
-    """Return string with any # comment removed.""" 
-    return string.split('#')[0]
-
-
-def list_apache_domains():
-    """Return a dict containing :
-    - key: Apache domain (from command "apache2ctl -D DUMP_VHOSTS").
-    - value: a list of strings "apache:<VHOST_PATH>:<LINE_IN_BLOCK>"
-    """
-    domains = {}
-
-    try:
-        stdout, stderr = execute('apache2ctl -D DUMP_VHOSTS')
-    except:
-        # Apache is not present on the server
-        return domains
-
-    vhost_infos = ''
-    for line in stdout:
-        dom = ''
-        words = line.strip(' \t').split()
-
-        if 'namevhost' in line and len(words) >= 5:
-            # line format: port <PORT> namevhost <DOMAIN> (<VHOST_PATH>:<LINE_IN_BLOCK>)
-            dom = words[3].strip()
-            vhost_infos = 'apache:' + words[4].strip('()')
-
-        elif 'alias' in line and len(words) >= 2:
-            # line format: alias <DOMAIN>
-            dom = words[1].strip()  # vhost_infos defined in previous lines
-
-        if dom:
-            if dom not in domains:
-                domains[dom] = []
-            if vhost_infos not in domains[dom]:
-                domains[dom].append(vhost_infos)
-
-    return domains
-
-
-def list_nginx_domains():
-    """Return a dict containing :
-    - key: Nginx domain (from command "nginx -T").
-    - value: a list of strings "nginx:<VHOST_PATH>:<LINE_IN_BLOCK>"
-    """
-    domains = {}
-
-    try:
-        stdout, stderr = execute('nginx -T')
-    except:
-        # Nginx is not present on the server
-        return domains
-
-    line_number = 1
-    config_file_path = ''
-
-    for line in stdout:
-        if '# configuration file' in line:
-            # line format : # configuration file <PATH>:
-            words = line.strip(' \t;').split()
-            config_file_path = words[3].strip(' :')
-            continue
-         
-        if 'server_name ' in line:
-            # TODO: améliorer le if (cas tabulation)
-            # line format : server_name <DOMAIN1> [<DOMAINS2 ...];
-            line = strip_comments(line)
-            words = line.strip(' \t;').split()
-
-            for d in words[1:]:
-                dom = d.strip()
-                vhost_infos = 'nginx:{}:{}'.format(config_file_path, line_number)
-
-                if dom not in domains:
-                    domains[dom] = []
-                if vhost_infos not in domains[d]:
-                    domains[dom].append(vhost_infos)
-
-        line_number += 1  # increment line number for next round
-        
-        if 'server {' in line:
-            # TODO: améliorer le if (cas plusieurs espaces)
-            # line format : server {
-            line_number = 0
-
-    return domains
-
-
-class ResolutionThread(threading.Thread):
-    
-    def __init__(self, domain):
-        threading.Thread.__init__(self, daemon=True)
-        self.domain = domain
-        self.ips = []
-
-    def run(self):
-        """Resolve domain with dig."""
-        try:
-            dig_results = dig(self.domain)
-            
-            if not dig_results:
-                return
-
-            for line in dig_results:
-                match = re.search('^([0-9abcdef\.:]+)$', line)
-                if match:
-                    ip = match.group(1)
-                    if ip not in self.ips:
-                        self.ips.append(ip)
-
-        except Exception as e:
-            #print(e)
-            return
-
-
-def run_check_domains(domains):
-    """Check resolution of domains (list)."""
-
-    excludes = ['_']
-    timeout = 5
-
-    my_ips = get_my_ips()
-
-    domains_noexcludes = [dom for dom in domains if dom not in excludes]
-
-    jobs = []
-    for dom in domains_noexcludes:
-        #print(d)
-        t = ResolutionThread(dom)
-        t.start()
-        jobs.append(t)
-    
-    # Let <timeout> secs to DNS servers to answer in jobs threads
-    time.sleep(timeout)
-
-    timeout_domains = []
-    none_domains = []
-    outside_ips = {}
-    ok_domains = []
-
-    for j in jobs:
-        if j.is_alive():
-            timeout_domains.append(j.domain)
-            continue
-
-        if not j.ips:
-            none_domains.append(j.domain)
-            continue
-        
-        is_outside = False
-        for ip in j.ips:
-            if ip not in my_ips:
-                is_outside = True
-                break
-        if is_outside:
-            outside_ips[j.domain] = j.ips
-        else:
-            ok_domains.append(j.domain)
-
-    return timeout_domains, none_domains, outside_ips, ok_domains
-   
-
-def output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains):
-    """Output result for check mode.
-    For now, consider everyting as warnings to avoid too much alerts.
-    """
-    
-    n_ok = len(ok_domains)
-    n_warnings = len(timeout_domains) + len(none_domains) + len(outside_ips)
-
-    msg = 'WARNING' if n_warnings else 'OK'
-
-    print('{} - 0 UNK / 0 CRIT / {} WARN / {} OK \n'.format(msg, n_warnings, n_ok))
-    
-    if timeout_domains or none_domains or outside_ips:
-        for d in timeout_domains:
-            print('WARNING - timeout resolving {}'.format(d))
-        for d in none_domains:
-            print('WARNING - no resolution for {}'.format(d))
-        for d in outside_ips:
-            print('WARNING - {} pointing elsewhere ({})'.format(d, ' '.join(outside_ips[d])))
-    
-    sys.exit(1) if n_warnings else sys.exit(0)
-
-
-def output_human_mode(doms, timeout_domains, none_domains, outside_ips):
-    if timeout_domains or none_domains or outside_ips:
-        if timeout_domains: print('\nTimeouts:')
-        for d in timeout_domains:
-            print('\t{} {}'.format(d, ' '.join(doms[d])))
-        if none_domains: print('\nNo resolution:')
-        for d in none_domains:
-            print('\t{} {}'.format(d, ' '.join(doms[d])))
-        if outside_ips: print('\nPointing elsewhere:')
-        for d in outside_ips:
-            print('\t{} {} -> [{}]'.format(d, ' '.join(doms[d]), ' '.join(outside_ips[d])))
-
-        sys.exit(1)
-
-    print('Domains resolve to right IPs !')
-
-
-def main(argv):
-    parser = argparse.ArgumentParser()
-    parser.add_argument('action', metavar='ACTION', help='Values: check-dns, list')
-    parser.add_argument('-o', '--output-style', help='Values: json (default for action list), human (default for action check-dns), nrpe')
-    parser.add_argument('-a', '--all-domains', action='store_true', help='Include all domains (default).')
-    parser.add_argument('-ap', '--apache-domains', action='store_true', help='Include Apache domains.')
-    parser.add_argument('-ng', '--nginx-domains', action='store_true', help='Include Nginx domains.')
-    parser.add_argument('-ha', '--haproxy-domains', action='store_true', help='Include HaProxy domains (not supported yet).')
-    args = parser.parse_args()
-    
-    if args.action not in ['check-dns', 'list']:
-        if args.output_style == 'nrpe':
-            print('UNKNOWN - unknown {} action, use -h option for help.'.format(args.action))
-            sys.exit(3)
-        else:
-            print('Unknown {} action, use -h option for help.'.format(args.action))
-            sys.exit(1)
-   
-    if not (args.all_domains or args.apache_domains or args.nginx_domains or args.haproxy_domains):
-        print('Domains scope not specified, looking for all domains.')
-        args.all_domains = True
-
-    doms = {}
-   
-    if args.all_domains:
-        doms.update(list_apache_domains())
-    
-    else:
-        if args.apache_domains:
-            doms.update(list_apache_domains())
-        if args.nginx_domains:
-            doms.update(list_nginx_domains())
-        if args.haproxy_domains:
-            print('Option --haproxy-domains not supported yet.')
-    
-    if not doms:
-        if args.output_style == 'nrpe':
-            print('UNKNOWN - No domain found on this server.')
-            sys.exit(3)
-        else: # == 'json' or 'human'
-            print('No domain found on this server.')
-            sys.exit(1)
-    
-    if args.action == 'check-dns':
-        timeout_domains, none_domains, outside_ips, ok_domains = run_check_domains(doms.keys())
-        
-        if args.output_style == 'nrpe':
-            output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains)
-    
-        elif args.output_style == 'json':
-            print('Option --output-style json not implemented yet for action check-dns.')
-
-        else:  # args.output_style == 'human'
-            output_human_mode(doms, timeout_domains, none_domains, outside_ips)
-
-    elif args.action == 'list':
-
-        if args.output_style == 'nrpe':
-            print('Action list is not for --output-style nrpe.')
-
-        elif args.output_style == 'json':
-            print(json.dumps(doms, sort_keys=True, indent=4))
-
-        else:
-            print('Option --output-style human not implemented yet for action list, fallback to --output-style json.')
-            print(json.dumps(doms, sort_keys=True, indent=4))
-        
-
-if __name__ == '__main__':
-    main(sys.argv[1:])
diff --git a/evolinux-base/tasks/domains.yml b/evolinux-base/tasks/domains.yml
deleted file mode 100644
index f2a1ddb3..00000000
--- a/evolinux-base/tasks/domains.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Copy inspect-domains script to local sbin
-  ansible.builtin.copy:
-    src: domains.py
-    dest: /usr/local/sbin/domains
-    mode: '0700'
-
-
-
diff --git a/nagios-nrpe/README.md b/nagios-nrpe/README.md
index c52cab05..6d72920e 100644
--- a/nagios-nrpe/README.md
+++ b/nagios-nrpe/README.md
@@ -12,9 +12,3 @@ Everything is in the `tasks/main.yml` file.
 * `nagios_nrpe_force_update_allowed_hosts` : force update list of allowed hosts (default: `False`)
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
-
-## Available tags
-
-* `nagios-nrpe` : install Nagios and plugins (idempotent)
-* `nagios-plugins` : install only plugins (idempotent)
-
diff --git a/nagios-nrpe/files/plugins/check_domains b/nagios-nrpe/files/plugins/check_domains
deleted file mode 100755
index 98068a0b..00000000
--- a/nagios-nrpe/files/plugins/check_domains
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-#
-# Check domains using script domains.
-#
-# Written by Will
-#
-
-if ! command -v domains >/dev/null; then
-    echo 'UNKNOWN - Missing dependency domains.'
-    exit 3
-fi
-
-domains -o nrpe -a check-dns
-
diff --git a/nagios-nrpe/tasks/configure_check_domains.yml b/nagios-nrpe/tasks/configure_check_domains.yml
deleted file mode 100644
index 2d5dd2fd..00000000
--- a/nagios-nrpe/tasks/configure_check_domains.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-- name: Install check_domains dependency
-  include_role:
-    name: domains
-
-- name: Configure check_domains in /etc/nagios/nrpe.d/evolix.cfg
-  ansible.builtin.lineinfile:
-    path: /etc/nagios/nrpe.d/evolix.cfg
-    regexp: '^command\[check_domains\]='
-    line: command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains
-  notify: restart nagios-nrpe-server
-
-- name: Is evolinux sudoers installed?
-  ansible.builtin.stat:
-    path: /etc/sudoers.d/evolinux
-  register: sudoers_evolinux
-
-- name: Allow nagios user to execute check_domains without sudo password 
-  ansible.builtin.lineinfile:
-    path: /etc/sudoers.d/evolinux
-    regexp: 'check_domains'
-    line: 'nagios          ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_domains'
-    insertafter: '^nagios'
-    validate: "visudo -cf %s"
-  when: sudoers_evolinux.stat.exists 
-
diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml
index 28ab11a9..77770020 100644
--- a/nagios-nrpe/tasks/main.yml
+++ b/nagios-nrpe/tasks/main.yml
@@ -22,7 +22,6 @@
     - ansible_distribution == "Debian"
     - ansible_distribution_major_version is version('10', '>=')
   tags:
-    - nagios-nrpe
     - nagios-plugins
 
 - name: custom configuration is present
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 7546f2bc..ae0e0abd 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -47,7 +47,6 @@ command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_
 command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379
 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
 command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb
-command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains
 command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
 command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local
 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex