Compare commits
118 commits
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Lecour | 9e63ae90c8 | ||
3f52318bd9 | |||
e19ece1c03 | |||
0ce1e1d701 | |||
mgauthier | bdb6ccb02d | ||
e787d62926 | |||
e6969d76ba | |||
fa6433c00e | |||
ecd79e5a16 | |||
mgauthier | 284d6fc50f | ||
33e2e54d7a | |||
a068ca6d6a | |||
598650db85 | |||
eae92e7d13 | |||
98e25060e2 | |||
f9bd840ce2 | |||
e6f449ed22 | |||
1ded781c4e | |||
mgauthier | 87b6e219af | ||
2ac447a936 | |||
e8e30fca3a | |||
5fc3aeca38 | |||
cfd951f678 | |||
d72eb3371a | |||
ce15220a75 | |||
f7d0b87cba | |||
ce51048ce7 | |||
a3fbe25e33 | |||
869ae4d788 | |||
971e1fe87b | |||
70b8591c42 | |||
2ee49e6f70 | |||
8c23e3594d | |||
c340c31451 | |||
Patrick Marchand | 2568c02e44 | ||
mgauthier | 28d6fedbc3 | ||
73cd25538a | |||
7aca208909 | |||
a7ad33f4ee | |||
1122b79a06 | |||
bb377ffc52 | |||
mgauthier | 0f76db2a6e | ||
c6393508f4 | |||
59189e0260 | |||
c01c90fddc | |||
2f570d06b0 | |||
mgauthier | 8051ef7170 | ||
1de20769a8 | |||
40050b05d8 | |||
7912185c05 | |||
ce36697089 | |||
80dd996ee5 | |||
mgauthier | 6c52ad5213 | ||
f29fa00eff | |||
f061bb6f64 | |||
98d2ece11c | |||
a03ed08b4a | |||
e2ab83dbfa | |||
d8a7a439b2 | |||
c09fe9605b | |||
8b89be02fa | |||
0bac8bed84 | |||
mgauthier | 10601d0fee | ||
21d1d42c0c | |||
725fa03b1d | |||
4326690eee | |||
bbbf1fe04a | |||
fab1165215 | |||
3d28466a67 | |||
c17e9384c0 | |||
6ae4e9fd9a | |||
313fcf534d | |||
a320710590 | |||
f2bc498e67 | |||
27a47ce3ce | |||
9ce75f835d | |||
cf471284ef | |||
9fc135af39 | |||
7cf4d9b0d1 | |||
9fdc5a126b | |||
6ea0463e57 | |||
b6e0118a25 | |||
96edf6833b | |||
108a31a901 | |||
6dc9d21e4c | |||
f61d9b951c | |||
330b678f38 | |||
82a7ab45a7 | |||
662170e225 | |||
f534e79652 | |||
910c391151 | |||
mgauthier | 59b9bd9b6d | ||
66a1411910 | |||
e93a68d27a | |||
d55da041ae | |||
9bbea554ec | |||
Jérémy Lecour | 992fa0543f | ||
Jérémy Lecour | 935f041611 | ||
26d495df8c | |||
Jérémy Dubois | 4b0e088090 | ||
d00fbbe518 | |||
4fb25d91ec | |||
8d5d28091a | |||
Jérémy Dubois | 0ad7dbad6e | ||
adc79e0d8d | |||
Ludovic Poujol | c524ffb472 | ||
a7570a49a3 | |||
0589271110 | |||
1474f06927 | |||
114d857e89 | |||
aa13676cc4 | |||
f05a6aa25c | |||
56fbe99164 | |||
229d2f366e | |||
b7e24fc3ea | |||
de953a30db | |||
Jérémy Lecour | aea1404a21 | ||
3accb0442c |
18
CHANGELOG.md
18
CHANGELOG.md
|
@ -13,10 +13,26 @@ The **patch** part is incremented if multiple releases happen the same month
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
|
* bind: New variables to change IPs bind will listen on & send notify/transfer commands
|
||||||
|
* evolinux-base: Create custom SSH configuration file
|
||||||
|
* evolinux-base: install evobackup-client (default: true)
|
||||||
|
* lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
|
||||||
|
* munin: add linux_psi contrib plugin
|
||||||
|
* nagios-nrpe: add new check_ftp_users
|
||||||
|
* proftpd: add new munin graph (users count)
|
||||||
|
* nagios-nrpe: new monitoringctl command
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
* Elastic Stack : default to version 8.x
|
||||||
|
* evolinux-base: Customize logcheck recipient when serveur-base is installed
|
||||||
|
* log2mail: task log2mail.yml of evolinux-base converted to a role
|
||||||
|
* lxc-solr: update solr9 version + fix URL in README
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
* openvpn: Make it work on OpenBSD in check mode
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
@ -29,6 +45,7 @@ The **patch** part is incremented if multiple releases happen the same month
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
* certbot: allow haproxy deploy hook to work with evoacme too (using env variables)
|
||||||
* evobackup-client: upstream release 24.05.1
|
* evobackup-client: upstream release 24.05.1
|
||||||
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
|
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
|
||||||
* evolinux-users: improve SSH configuration
|
* evolinux-users: improve SSH configuration
|
||||||
|
@ -38,6 +55,7 @@ The **patch** part is incremented if multiple releases happen the same month
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* apt: use archive.debian.org with Buster
|
* apt: use archive.debian.org with Buster
|
||||||
|
* fail2ban: remount-usr added because it is needed for last task
|
||||||
|
|
||||||
## [24.04] 2024-04-30
|
## [24.04] 2024-04-30
|
||||||
|
|
||||||
|
|
|
@ -1,12 +1,26 @@
|
||||||
---
|
---
|
||||||
bind_recursive_server: False
|
bind_recursive_server: false
|
||||||
bind_authoritative_server: True
|
bind_authoritative_server: true
|
||||||
bind_chroot_set: True
|
bind_chroot_set: true
|
||||||
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
|
||||||
#bind_chroot_path: /var/chroot-bind
|
|
||||||
bind_systemd_service_path: /etc/systemd/system/bind9.service
|
bind_systemd_service_path: /etc/systemd/system/bind9.service
|
||||||
|
|
||||||
bind_statistics_file: /var/run/named.stats
|
bind_statistics_file: /var/run/named.stats
|
||||||
bind_log_file: /var/log/bind.log
|
bind_log_file: /var/log/bind.log
|
||||||
bind_query_file: /var/log/bind_queries.log
|
bind_query_file: /var/log/bind_queries.log
|
||||||
bind_query_file_enabled: False
|
bind_query_file_enabled: false
|
||||||
bind_cache_dir: /var/cache/bind
|
bind_cache_dir: /var/cache/bind
|
||||||
|
|
||||||
|
# String (bind syntax) of IPv4/ to listen on (or any by default)
|
||||||
|
# eg. "192.0.2.1; 192.0.2.3" or all interfaces : "any ;"
|
||||||
|
bind_listen_on_ipv4: "any;"
|
||||||
|
|
||||||
|
# String (bind syntax) of IPv6 to listen on (or any by default)
|
||||||
|
# eg. "2001:db8::1; 2001:db8::42" or all interfaces : "any ;" or not at all "none;"
|
||||||
|
bind_listen_on_ipv6: "any;"
|
||||||
|
|
||||||
|
# For server with multiples IP Adresses, enforce the usage of a specific IP for NOTIFY commands
|
||||||
|
bind_notify_source: ''
|
||||||
|
|
||||||
|
# For server with multiples IP Adresses, enforce the usage of a specific IP for TRANSFER commands
|
||||||
|
bind_transfer_source: ''
|
||||||
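Review bot: The new `bind_listen_on_ipv4` / `bind_listen_on_ipv6` values are spliced verbatim into `listen-on { ... }` by the template, so the trailing `;` in the defaults is part of the contract, yet the IPv4 comment's own example `"192.0.2.1; 192.0.2.3"` omits it — an operator copying that example gets `listen-on { 192.0.2.1; 192.0.2.3 };`, which is not valid named.conf syntax (every address_match_list element must be terminated by `;`). I would state the rule above each variable and fix the example: `# BIND address_match_list; every element ends with ';' — e.g. "192.0.2.1; 192.0.2.3;", "any;" for all interfaces, "none;" to disable`. While here, the IPv4 comment reads `IPv4/ to listen on` (stray slash) and the notify/transfer comments spell `Adresses`. Whether an empty string for the listen variables is meaningful is not decided anywhere visible; if it is not, say so in the same comment.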
|
|
|
@ -10,8 +10,15 @@ options {
|
||||||
masterfile-format text;
|
masterfile-format text;
|
||||||
statistics-file "{{ bind_statistics_file }}";
|
statistics-file "{{ bind_statistics_file }}";
|
||||||
|
|
||||||
listen-on-v6 { any; };
|
listen-on { {{ bind_listen_on_ipv4 }} };
|
||||||
listen-on { any; };
|
listen-on-v6 { {{ bind_listen_on_ipv6 }} };
|
||||||
|
|
||||||
|
{% if bind_notify_source is defined and bind_notify_source|length %}
|
||||||
|
notify-source {{ bind_notify_source }};
|
||||||
|
{% endif %}
|
||||||
|
{% if bind_transfer_source is defined and bind_transfer_source|length %}
|
||||||
|
transfer-source {{ bind_transfer_source }};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
allow-query { localhost; };
|
allow-query { localhost; };
|
||||||
allow-recursion { localhost; };
|
allow-recursion { localhost; };
|
||||||
|
|
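Review bot: `listen-on { {{ bind_listen_on_ipv4 }} };` and the v6 line rely on the operator's value ending in `;`, unlike the new `notify-source` / `transfer-source` lines where the template supplies the terminator itself, and the defaults file's example `"192.0.2.1; 192.0.2.3"` lacks it, so a copy-paste of the documented example renders an unparsable `options` block and named fails to start. Normalising in the template removes the trap for both spellings: `listen-on { {{ bind_listen_on_ipv4 | regex_replace(';\s*$', '') }}; };` (and the same for v6), which yields `any;` for `"any"` and `"any;"` alike. Since both source variables are set in defaults, `is defined and bind_notify_source|length` reduces to the `|length` test; `{% if bind_notify_source | length %}` is sufficient. The `options {` block starts above this hunk.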
|
@ -1,4 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
# /!\ MODIFIED to work with evoacme OR certbot
|
||||||
|
private_keys_dirs="/etc/ssl/private" # Only used for evoacme
|
||||||
|
|
||||||
error() {
|
error() {
|
||||||
>&2 echo "${PROGNAME}: $1"
|
>&2 echo "${PROGNAME}: $1"
|
||||||
|
@ -13,7 +15,7 @@ daemon_found_and_running() {
|
||||||
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
|
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
|
||||||
}
|
}
|
||||||
found_renewed_lineage() {
|
found_renewed_lineage() {
|
||||||
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${private_key}"
|
||||||
}
|
}
|
||||||
config_check() {
|
config_check() {
|
||||||
${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
|
${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
|
||||||
|
@ -24,7 +26,7 @@ concat_files() {
|
||||||
chown root: "${haproxy_cert_dir}"
|
chown root: "${haproxy_cert_dir}"
|
||||||
|
|
||||||
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
||||||
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
cat "${RENEWED_LINEAGE}/fullchain.pem" "${private_key}" > "${haproxy_cert_file}"
|
||||||
chmod 600 "${haproxy_cert_file}"
|
chmod 600 "${haproxy_cert_file}"
|
||||||
chown root: "${haproxy_cert_file}"
|
chown root: "${haproxy_cert_file}"
|
||||||
}
|
}
|
||||||
|
@ -58,10 +60,19 @@ main() {
|
||||||
if daemon_found_and_running; then
|
if daemon_found_and_running; then
|
||||||
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
||||||
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
||||||
|
if [ -z "${EVOACME_VHOST_NAME}" ]; then
|
||||||
|
# CERTBOT
|
||||||
|
private_key=${RENEWED_LINEAGE}/privkey.pem
|
||||||
|
cert_name=$(basename "${RENEWED_LINEAGE}")
|
||||||
|
else
|
||||||
|
# EVOACME
|
||||||
|
private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key
|
||||||
|
cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))
|
||||||
|
fi
|
||||||
|
|
||||||
if found_renewed_lineage; then
|
if found_renewed_lineage; then
|
||||||
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
haproxy_cert_file="${haproxy_cert_dir}/${cert_name}.pem"
|
||||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
failed_cert_file="/root/${cert_name}.failed.pem"
|
||||||
|
|
||||||
concat_files
|
concat_files
|
||||||
|
|
||||||
|
@ -77,7 +88,8 @@ main() {
|
||||||
error "HAProxy config is broken, you must fix it !"
|
error "HAProxy config is broken, you must fix it !"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
|
|
||||||
|
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
debug "HAProxy is not running or missing. Skip."
|
debug "HAProxy is not running or missing. Skip."
|
||||||
|
@ -91,3 +103,4 @@ readonly QUIET=${QUIET:-"0"}
|
||||||
readonly haproxy_bin=$(command -v haproxy)
|
readonly haproxy_bin=$(command -v haproxy)
|
||||||
|
|
||||||
main
|
main
|
||||||
|
|
||||||
|
|
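Review bot: In the EVOACME branch `private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key` leaves `${RENEWED_LINEAGE}` and the inner `$(dirname …)` unquoted, and `cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))` leaves the outer substitution unquoted, so a lineage path containing whitespace or glob characters is word-split before `basename` sees it and the derived key path silently points elsewhere. I would write `private_key="${private_keys_dirs}/$(basename "$(dirname "${RENEWED_LINEAGE}")").key"` and `cert_name=$(basename "$(dirname "${RENEWED_LINEAGE}")")`. The rewritten message `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""` closes and reopens the double quotes around `${private_key}`, so it is expanded unquoted and `error()` (which prints only `$1`) truncates the message at the first space; `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${private_key}"` is what was meant. The key-path derivation presumes `RENEWED_LINEAGE` sits one level under the vhost directory for evoacme — that layout is not visible here, so a comment stating the expected path shape would help. `main()` begins before this hunk and ends after it.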
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "7.x"
|
elastic_stack_version: "8.x"
|
||||||
|
|
||||||
elasticsearch_cluster_name: Null
|
elasticsearch_cluster_name: Null
|
||||||
elasticsearch_cluster_members: Null
|
elasticsearch_cluster_members: Null
|
||||||
|
|
|
@ -243,3 +243,6 @@ evolinux_utils_include: True
|
||||||
|
|
||||||
# Autosysadmin
|
# Autosysadmin
|
||||||
evolinux_autosysadmin_include: false
|
evolinux_autosysadmin_include: false
|
||||||
|
|
||||||
|
# Evobackup client
|
||||||
|
evolinux_evobackup_client_include: True
|
||||||
|
|
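Review bot: `evolinux_evobackup_client_include: True` uses the capitalised YAML 1.1 boolean while the line just above it (`evolinux_autosysadmin_include: false`) and this compare's own bind defaults normalise to lowercase; yamllint's `truthy` rule flags it, so write `evolinux_evobackup_client_include: true`. Because this turns on installation of the backup client for every host running the role, a one-line comment on the rationale and the opt-out would help the next reader: `# Installed by default; set to false on hosts that must not carry backup tooling`.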
|
@ -74,11 +74,6 @@
|
||||||
name: postfix
|
name: postfix
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: restart log2mail
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: log2mail
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: restart systemd-journald
|
- name: restart systemd-journald
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: systemd-journald.service
|
name: systemd-journald.service
|
||||||
|
|
|
@ -116,7 +116,8 @@
|
||||||
when: evolinux_provider_orange_fce_include | bool
|
when: evolinux_provider_orange_fce_include | bool
|
||||||
|
|
||||||
- name: Override Log2mail service
|
- name: Override Log2mail service
|
||||||
ansible.builtin.import_tasks: log2mail.yml
|
ansible.builtin.include_role:
|
||||||
|
name: evolix/log2mail
|
||||||
when: evolinux_log2mail_include | bool
|
when: evolinux_log2mail_include | bool
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: motd.yml
|
- ansible.builtin.import_tasks: motd.yml
|
||||||
|
@ -158,6 +159,11 @@
|
||||||
name: 'evolix/autosysadmin-restart_nrpe'
|
name: 'evolix/autosysadmin-restart_nrpe'
|
||||||
when: evolinux_autosysadmin_include | bool
|
when: evolinux_autosysadmin_include | bool
|
||||||
|
|
||||||
|
- name: Evobackup (client)
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: 'evolix/evobackup-client'
|
||||||
|
when: evolinux_evobackup_client_include | bool
|
||||||
|
|
||||||
- name: fail2ban
|
- name: fail2ban
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: evolix/fail2ban
|
name: evolix/fail2ban
|
||||||
|
|
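Review bot: Replacing `import_tasks: log2mail.yml` with `include_role: name: evolix/log2mail` changes tag behaviour: the tasks that moved into the role appear to drop their per-task `tags: [log2mail]` (see the log2mail `tasks/main.yml` hunk in this compare), and tags on a dynamic `include_role` apply only to the include statement itself, so `--tags log2mail` would now select nothing. If tag-driven runs of the log2mail tasks are still expected, the include needs both the tag on itself and `apply:` to push it into the role's tasks. Minor: `name: evolix/log2mail` is the only unquoted role reference among this file's includes (`'evolix/autosysadmin-restart_nrpe'`, `'evolix/evobackup-client'`).
```yaml
- name: Override Log2mail service
  ansible.builtin.include_role:
    name: evolix/log2mail
    apply:
      tags:
        - log2mail
  tags:
    - log2mail
  when: evolinux_log2mail_include | bool
```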
|
@ -111,7 +111,9 @@
|
||||||
dest: /etc/logcheck/logcheck.conf
|
dest: /etc/logcheck/logcheck.conf
|
||||||
regexp: '^SENDMAILTO=".*"$'
|
regexp: '^SENDMAILTO=".*"$'
|
||||||
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
|
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
|
||||||
when: evolinux_packages_logcheck_recipient | bool
|
when:
|
||||||
|
- evolinux_packages_serveur_base | bool
|
||||||
|
- evolinux_packages_logcheck_recipient | bool
|
||||||
|
|
||||||
- name: Deleting rpcbind and nfs-common
|
- name: Deleting rpcbind and nfs-common
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
|
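Review bot: With the added `evolinux_packages_serveur_base | bool` condition, a host that has logcheck installed but serveur-base disabled keeps whatever `SENDMAILTO` the package shipped (Debian's default is the local `logcheck` user), so its reports land in a local mailbox unless an alias exists — the changelog says this is intentional, but nothing in the task says so. A short comment above the task makes the contract explicit: `# Only customise the recipient when serveur-base is installed; otherwise the package default stays`. The pre-existing `logcheck_alert_email or general_alert_email | mandatory` binds the filter to `general_alert_email` only, so an undefined `logcheck_alert_email` still fails the play before `mandatory` is reached; not introduced here, but worth a follow-up.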
|
@ -16,6 +16,14 @@
|
||||||
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: create custom SSH server configuration file
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /etc/ssh/sshd_config.d/zzz-evolinux-custom.conf
|
||||||
|
state: touch
|
||||||
|
mode: "0644"
|
||||||
|
modification_time: preserve
|
||||||
|
access_time: preserve
|
||||||
|
|
||||||
# Should we allow the current user?
|
# Should we allow the current user?
|
||||||
- name: Allow the current user
|
- name: Allow the current user
|
||||||
block:
|
block:
|
||||||
|
|
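Review bot: The new `zzz-evolinux-custom.conf` sorts after `z-evolinux-defaults.conf` in the `Include /etc/ssh/sshd_config.d/*.conf` glob (`-` is 0x2D, `z` is 0x7A; glob matches are read in lexical order), and sshd keeps the first value it reads for each keyword, so any directive put in the custom file that the defaults file also sets is silently ignored — the opposite of what a "custom" file usually implies. Assuming Debian's stock `Include` at the top of `sshd_config` is in effect (the main config is not in this compare), either name the custom file so it sorts before the defaults, or document the limitation where it is created: `# NOTE: sshd uses the first value seen; this file cannot override z-evolinux-defaults.conf, use it for additional directives only`. The task sets `mode: "0644"` but no `owner`/`group`; adding `owner: root` and `group: root` makes ownership explicit for a file sshd parses at startup rather than relying on the become user.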
|
@ -112,6 +112,9 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: Script unban_ip is installed
|
- name: Script unban_ip is installed
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: unban_ip.sh
|
src: unban_ip.sh
|
||||||
|
|
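Review bot: The added `- include_role: name: evolix/remount-usr` is the only task in this hunk without a `name:` and without the `ansible.builtin.` prefix the surrounding tasks use (`ansible.builtin.copy` right below), so it appears in play output as a bare `include_role` with no hint of why `/usr` is being remounted. `- name: /usr is remounted read-write before installing the script` followed by `ansible.builtin.include_role:` keeps the file consistent and records the reason the changelog only alludes to ("needed for last task"). The enclosing task list continues outside this hunk.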
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "7.x"
|
elastic_stack_version: "8.x"
|
||||||
|
|
||||||
filebeat_logstash_plugin: False
|
filebeat_logstash_plugin: False
|
||||||
|
|
||||||
|
|
|
@ -75,7 +75,7 @@
|
||||||
- name: NRPE check is configured
|
- name: NRPE check is configured
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/nagios/nrpe.d/evolix.cfg
|
path: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
|
line: 'command[check_fluentd]=/usr/local/lib/monitoringctl/alerts_wrapper --name fluentd /usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
|
||||||
notify: "restart nagios-nrpe-server"
|
notify: "restart nagios-nrpe-server"
|
||||||
tags:
|
tags:
|
||||||
- fluentd
|
- fluentd
|
||||||
|
|
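Review bot: The NRPE command line now hard-codes `/usr/local/lib/monitoringctl/alerts_wrapper`, a binary that — going by the changelog — is shipped by the nagios-nrpe role, but this role neither declares that dependency nor checks the path; on a host where nagios-nrpe has not been re-run since the wrapper was added, NRPE executes a missing file and every fluentd check turns UNKNOWN, which reads as a monitoring gap rather than a fluentd fault. A comment above the task stating the coupling, e.g. `# alerts_wrapper is installed by the nagios-nrpe role (monitoringctl); that role must run first`, or a dependency in this role's `meta/main.yml`, would make it visible. The keepalived hunk in this compare has the same implicit dependency.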
|
@ -36,7 +36,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: 'command\[check_keepalived\]'
|
regexp: 'command\[check_keepalived\]'
|
||||||
replace: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived'
|
replace: 'command[check_keepalived]=/usr/local/lib/monitoringctl/alerts_wrapper --name keepalived /usr/local/lib/nagios/plugins/check_keepalived'
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
tags:
|
tags:
|
||||||
- keepalived
|
- keepalived
|
||||||
|
|
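Review bot: This task calls `ansible.builtin.lineinfile` with a `replace:` argument, which that module does not have (`replace` belongs to `ansible.builtin.replace`; `lineinfile` takes `line:`), so the task fails on unsupported parameters before the wrapped command is ever written; the change keeps that shape from the context and only edits the value. Switching to the regexp/line pair fixes both the call and the anchoring: `regexp: '^command\[check_keepalived\]'` and `line: 'command[check_keepalived]=/usr/local/lib/monitoringctl/alerts_wrapper --name keepalived /usr/local/lib/nagios/plugins/check_keepalived'`. Changing the module to `ansible.builtin.replace` instead would be wrong here, because its regexp only matches the `command[check_keepalived]` prefix and would leave the old command tail appended after the new one.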
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "7.x"
|
elastic_stack_version: "8.x"
|
||||||
|
|
||||||
kibana_server_host: "127.0.0.1"
|
kibana_server_host: "127.0.0.1"
|
||||||
kibana_server_basepath: ""
|
kibana_server_basepath: ""
|
||||||
|
|
3
log2mail/defaults/main.yml
Normal file
3
log2mail/defaults/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
log2mail_alert_email: Null
|
||||||
|
general_alert_email: "root@localhost"
|
5
log2mail/handlers/main.yml
Normal file
5
log2mail/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: restart log2mail
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: log2mail
|
||||||
|
state: restarted
|
|
@ -23,18 +23,14 @@
|
||||||
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
|
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
|
||||||
state: absent
|
state: absent
|
||||||
notify: restart log2mail
|
notify: restart log2mail
|
||||||
tags:
|
|
||||||
- log2mail
|
|
||||||
|
|
||||||
- name: log2mail evolinux-defaults config is present
|
- name: log2mail evolinux-defaults config is present
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: log2mail/evolinux-defaults.j2
|
src: evolinux-defaults.j2
|
||||||
dest: /etc/log2mail/config/evolinux-defaults
|
dest: /etc/log2mail/config/evolinux-defaults
|
||||||
owner: log2mail
|
owner: log2mail
|
||||||
group: adm
|
group: adm
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: yes
|
force: yes
|
||||||
notify: restart log2mail
|
notify: restart log2mail
|
||||||
tags:
|
|
||||||
- log2mail
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "7.x"
|
elastic_stack_version: "8.x"
|
||||||
|
|
||||||
logstash_jvm_xms: 256m
|
logstash_jvm_xms: 256m
|
||||||
logstash_jvm_xmx: 512g
|
logstash_jvm_xmx: 512g
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -1,17 +1,17 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - fix bullseye repository"
|
- name: "{{ lxc_php_container_name }} - fix bullseye repository"
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
||||||
regexp: 'bullseye/updates'
|
regexp: 'bullseye/updates'
|
||||||
replace: 'bullseye-security'
|
replace: 'bullseye-security'
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -5,18 +5,18 @@
|
||||||
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
||||||
|
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install dependency packages"
|
- name: "{{ lxc_php_container_name }} - Install dependency packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - fix bullseye repository"
|
- name: "{{ lxc_php_container_name }} - fix bullseye repository"
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
||||||
regexp: 'bullseye/updates'
|
regexp: 'bullseye/updates'
|
||||||
replace: 'bullseye-security'
|
replace: 'bullseye-security'
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Add sury repo"
|
- name: "{{ lxc_php_container_name }} - Add sury repo"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
|
@ -51,17 +51,17 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Update APT cache"
|
- name: "{{ lxc_php_container_name }} - Update APT cache"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -4,18 +4,18 @@
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install dependency packages"
|
- name: "{{ lxc_php_container_name }} - Install dependency packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - fix bullseye repository"
|
- name: "{{ lxc_php_container_name }} - fix bullseye repository"
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
||||||
regexp: 'bullseye/updates'
|
regexp: 'bullseye/updates'
|
||||||
replace: 'bullseye-security'
|
replace: 'bullseye-security'
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Add sury repo"
|
- name: "{{ lxc_php_container_name }} - Add sury repo"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
|
@ -50,17 +50,17 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Update APT cache"
|
- name: "{{ lxc_php_container_name }} - Update APT cache"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -4,24 +4,24 @@
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install dependency packages"
|
- name: "{{ lxc_php_container_name }} - Install dependency packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository"
|
- name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
path: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - system bookworm repository"
|
- name: "{{ lxc_php_container_name }} - system bookworm repository"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: bookworm_basics.sources.j2
|
src: bookworm_basics.sources.j2
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
|
||||||
force: true
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - security bookworm repository"
|
- name: "{{ lxc_php_container_name }} - security bookworm repository"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: bookworm_security.sources.j2
|
src: bookworm_security.sources.j2
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
|
||||||
|
@ -44,17 +44,17 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Update APT cache"
|
- name: "{{ lxc_php_container_name }} - Update APT cache"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -4,38 +4,38 @@
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install dependency packages"
|
- name: "{{ lxc_php_container_name }} - Install dependency packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository"
|
- name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
path: "{{ lxc_rootfs }}/etc/apt/sources.list"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - system bookworm repository"
|
- name: "{{ lxc_php_container_name }} - system bookworm repository"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: bookworm_basics.sources.j2
|
src: bookworm_basics.sources.j2
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
|
||||||
force: true
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - security bookworm repository"
|
- name: "{{ lxc_php_container_name }} - security bookworm repository"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: bookworm_security.sources.j2
|
src: bookworm_security.sources.j2
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
|
||||||
force: true
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Add sury repo"
|
- name: "{{ lxc_php_container_name }} - Add sury repo"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: sury.sources.j2
|
src: sury.sources.j2
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
|
||||||
force: true
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Add sury failsafe repo"
|
- name: "{{ lxc_php_container_name }} - Add sury failsafe repo"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: evolix_sury.sources.j2
|
src: evolix_sury.sources.j2
|
||||||
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
|
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
|
||||||
|
@ -66,17 +66,17 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Update APT cache"
|
- name: "{{ lxc_php_container_name }} - Update APT cache"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt update"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Install PHP packages"
|
- name: "{{ lxc_php_container_name }} - Install PHP packages"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_container_name }}"
|
||||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
|
||||||
|
|
||||||
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
|
- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
dest: "{{ line_item }}"
|
dest: "{{ line_item }}"
|
||||||
|
|
|
@ -15,7 +15,7 @@ Since this role depend on the lxc role, please refer to it for a full variable l
|
||||||
* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
|
* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
|
||||||
* `name`: name of the LXC container to create.
|
* `name`: name of the LXC container to create.
|
||||||
* `release`: Debian version to install
|
* `release`: Debian version to install
|
||||||
* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
|
* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/solr/solr/ for a full version list)*
|
||||||
* `solr_port`: port for Solr to listen on
|
* `solr_port`: port for Solr to listen on
|
||||||
Eg.:
|
Eg.:
|
||||||
```
|
```
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
# solr_port: 8985
|
# solr_port: 8985
|
||||||
# - name: solr9
|
# - name: solr9
|
||||||
# release: bullseye
|
# release: bullseye
|
||||||
# solr_version: 9.0.0
|
# solr_version: 9.6.1
|
||||||
# solr_port: 8985
|
# solr_port: 8985
|
||||||
lxc_containers: []
|
lxc_containers: []
|
||||||
|
|
||||||
|
|
|
@ -8,6 +8,10 @@ lxc_network_type: "none"
|
||||||
# Partition to bind mount into containers.
|
# Partition to bind mount into containers.
|
||||||
lxc_mount_part: "/home"
|
lxc_mount_part: "/home"
|
||||||
|
|
||||||
|
# Mirror URL (optionnal).
|
||||||
|
# For old Debian, use https://archive.debian.org/debian/
|
||||||
|
lxc_template_mirror: ""
|
||||||
|
|
||||||
# List of LXC containers to create.
|
# List of LXC containers to create.
|
||||||
# Eg.:
|
# Eg.:
|
||||||
# lxc_containers:
|
# lxc_containers:
|
||||||
|
|
|
@ -6,13 +6,16 @@
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: container_exists
|
register: container_exists
|
||||||
|
|
||||||
|
- ansible.builtin.set_fact:
|
||||||
|
lxc_template_mirror_option: "{{ '--mirror ' + lxc_template_mirror if lxc_template_mirror != '' else '' }}"
|
||||||
|
|
||||||
- name: "Create container {{ name }}"
|
- name: "Create container {{ name }}"
|
||||||
community.general.lxc_container:
|
community.general.lxc_container:
|
||||||
name: "{{ name }}"
|
name: "{{ name }}"
|
||||||
container_log: true
|
container_log: true
|
||||||
template: debian
|
template: debian
|
||||||
state: stopped
|
state: stopped
|
||||||
template_options: "--arch amd64 --release {{ release }}"
|
template_options: "--arch amd64 --release {{ release }} {{ lxc_template_mirror_option }}"
|
||||||
when: container_exists.stdout_lines | length == 0
|
when: container_exists.stdout_lines | length == 0
|
||||||
|
|
||||||
- name: "Disable network configuration inside container {{ name }}"
|
- name: "Disable network configuration inside container {{ name }}"
|
||||||
|
|
|
@ -34,7 +34,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
name: /etc/nagios/nrpe.d/evolix.cfg
|
name: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: '^command\[check_memcached\]='
|
regexp: '^command\[check_memcached\]='
|
||||||
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
|
line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
when: memcached_instance_name | length == 0
|
when: memcached_instance_name | length == 0
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
name: /etc/nagios/nrpe.d/evolix.cfg
|
name: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: '^command\[check_memcached\]='
|
regexp: '^command\[check_memcached\]='
|
||||||
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances'
|
line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached_instances'
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
when: memcached_instance_name | length > 0
|
when: memcached_instance_name | length > 0
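Review bot: Both new `command[check_memcached]=` lines hard-code `/usr/local/lib/monitoringctl/alerts_wrapper`, but nothing in this role ensures the wrapper exists; it appears to be shipped by the nagios-nrpe role (added elsewhere in this compare), not by memcached. On a host where that role has not been applied or is older than monitoringctl, the check no longer reports memcached status at all — NRPE fails on the missing wrapper — which is a different failure mode from the one the alert is meant to catch. A `stat` on the wrapper registered before these tasks, with `when: alerts_wrapper.stat.exists` on the wrapped variant and the previous unwrapped line as the fallback (or an explicit `fail`), keeps the check meaningful either way.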
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "7.x"
|
elastic_stack_version: "8.x"
|
||||||
|
|
||||||
metricbeat_elasticsearch_hosts:
|
metricbeat_elasticsearch_hosts:
|
||||||
- "localhost:9200"
|
- "localhost:9200"
|
||||||
|
|
|
@ -46,7 +46,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: 'command\[check_minifirewall\]'
|
regexp: 'command\[check_minifirewall\]'
|
||||||
line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
|
line: 'command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall'
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
when: nrpe_evolix_cfg.stat.exists
|
when: nrpe_evolix_cfg.stat.exists
|
||||||
|
|
||||||
|
|
360
munin/files/plugins/linux-psi
Normal file
360
munin/files/plugins/linux-psi
Normal file
|
@ -0,0 +1,360 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
|
: << =cut
|
||||||
|
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
linux_psi - Plugin to monitor the pressure stall information for CPU, Memory and
|
||||||
|
IO as reported by the Linux kernel.
|
||||||
|
|
||||||
|
This plugin monitors the pressure stall information (psi) as reported by the
|
||||||
|
Linux Kernel. By default it reports all average intervals (10 seconds,
|
||||||
|
60 seconds and 300 seconds) as well as the total values as a rate of change
|
||||||
|
(DERIVE) for all resources (cpu, memory, io). The average intervals can be
|
||||||
|
configured if you only deem some of them useful. See CONFIGURATION for
|
||||||
|
explanations on that.
|
||||||
|
|
||||||
|
This is a multigraph plugin that, by default, will create six detail graphs and
|
||||||
|
one summary graph (so seven in total). The summary graph will contain the 300
|
||||||
|
seconds average percentages of all resources. The detail graphs are split in two
|
||||||
|
graphs per resource. One combining all average intervals and one for the
|
||||||
|
"totals" (rate of change) for the given resource.
|
||||||
|
|
||||||
|
There are no defaults for warnings and criticals, because this highly depends on
|
||||||
|
the system, so you need to configure them yourself (if you want any). It is
|
||||||
|
recommended that you first lookup the meaning of the different values.
|
||||||
|
|
||||||
|
For more information on psi see:
|
||||||
|
https://www.kernel.org/doc/html/latest/accounting/psi.html
|
||||||
|
|
||||||
|
=head1 CONFIGURATION
|
||||||
|
|
||||||
|
Simply create a symlink in your plugins directory like with any other plugin.
|
||||||
|
No additional configuration needed, no specific user required (typically).
|
||||||
|
|
||||||
|
If you want to configure alerts, just add "warn_" or "crit_" in front of the
|
||||||
|
internal name.
|
||||||
|
|
||||||
|
Optional configuration examples:
|
||||||
|
|
||||||
|
[linux_psi]
|
||||||
|
env.resources cpu io memory - Specify the resources to monitor. Leave one
|
||||||
|
out if you don't want this one to be
|
||||||
|
monitored.
|
||||||
|
env.intervals avg10 avg60 avg300 - Sepcify the average intervals to monitor.
|
||||||
|
Leave one out if you don't want this one to
|
||||||
|
be monitored
|
||||||
|
env.scopes some full - Specify the scopes to monitor. Leave one out
|
||||||
|
If you don't want it to be monitored.
|
||||||
|
env.summary_interval avg300 - Specify the interval to be used for the
|
||||||
|
summary-graph.
|
||||||
|
env.warn_psi_cpu_avg300_some 5 - Set a warning-level of 5 for
|
||||||
|
"psi_cpu_avg300_some"
|
||||||
|
env.crit_psi_io_total_full 2000 - Set a critical-level of 2000 for
|
||||||
|
"psi_io_total_full"
|
||||||
|
|
||||||
|
=head1 AUTHOR
|
||||||
|
|
||||||
|
2022, HaseHarald
|
||||||
|
|
||||||
|
=head1 LICENSE
|
||||||
|
|
||||||
|
LGPLv3
|
||||||
|
|
||||||
|
=head1 BUGS
|
||||||
|
|
||||||
|
=head1 TODO
|
||||||
|
|
||||||
|
=head1 MAGIC MARKERS
|
||||||
|
|
||||||
|
#%# family=auto
|
||||||
|
#%# capabilities=autoconf
|
||||||
|
|
||||||
|
=cut
|
||||||
|
|
||||||
|
|
||||||
|
# This file contains a munin-plugin to graph the psi (pressure) for CPU, Memory
|
||||||
|
# and IO, as reported by the Linux kernel.
|
||||||
|
#
|
||||||
|
# This is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU Lesser General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU Lesser General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU Lesser General Public License
|
||||||
|
# along with this plugin. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
|
||||||
|
resource_defaults=('cpu' 'io' 'memory')
|
||||||
|
interval_defaults=('avg10' 'avg60' 'avg300')
|
||||||
|
scope_defaults=('some' 'full')
|
||||||
|
pressure_dir=${pressure_dir:-'/proc/pressure/'}
|
||||||
|
pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )
|
||||||
|
pressure_intervals=( "${intervals[@]:-${interval_defaults[@]}}" )
|
||||||
|
pressure_scopes=( "${scopes[@]:-${scope_defaults[@]}}" )
|
||||||
|
summary_interval="${summary_interval:-avg300}"
|
||||||
|
|
||||||
|
check_autoconf() {
|
||||||
|
if [ -d "${pressure_dir}" ]; then
|
||||||
|
printf "yes\n"
|
||||||
|
else
|
||||||
|
printf "no (%s not found)\n" "${pressure_dir}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
get_pressure_value() {
|
||||||
|
local resource
|
||||||
|
local interval
|
||||||
|
local scope
|
||||||
|
|
||||||
|
resource="$1"
|
||||||
|
interval="$2"
|
||||||
|
scope="${3:-some}"
|
||||||
|
|
||||||
|
grep "$scope" "${pressure_dir}/${resource}" | grep -o -E "${interval}=[0-9]{1,}(\.[0-9]{1,}){0,1}" | cut -d '=' -f 2
|
||||||
|
}
|
||||||
|
|
||||||
|
get_printable_name() {
|
||||||
|
local kind
|
||||||
|
local value
|
||||||
|
local printable_name
|
||||||
|
kind="$1"
|
||||||
|
value="$2"
|
||||||
|
printable_name=""
|
||||||
|
|
||||||
|
case "$kind" in
|
||||||
|
|
||||||
|
interval)
|
||||||
|
case "$interval" in
|
||||||
|
avg10)
|
||||||
|
printable_name="10sec"
|
||||||
|
;;
|
||||||
|
avg60)
|
||||||
|
printable_name="60sec"
|
||||||
|
;;
|
||||||
|
avg300)
|
||||||
|
printable_name="5min"
|
||||||
|
;;
|
||||||
|
total)
|
||||||
|
printable_name="Total"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
printf "ERROR: Could not determine interval %s ! Must be one of 'avg10' 'avg60' 'avg300' 'total'\n" "$value" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
|
||||||
|
scope)
|
||||||
|
case "$value" in
|
||||||
|
some)
|
||||||
|
printable_name="Some"
|
||||||
|
;;
|
||||||
|
full)
|
||||||
|
printable_name="Full"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
printf "ERROR: Could not determine scope %s ! Must be one of 'full' 'some'.\n" "$value" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
|
||||||
|
resource)
|
||||||
|
case "$value" in
|
||||||
|
cpu)
|
||||||
|
printable_name="CPU"
|
||||||
|
;;
|
||||||
|
io)
|
||||||
|
printable_name="IO"
|
||||||
|
;;
|
||||||
|
memory)
|
||||||
|
printable_name="Memory"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
printf "ERROR: Could not determine resource-type %s ! Must be one of 'cpu' 'io' 'memory'.\n" "$value" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
printf "ERROR: Could not determine kind %s ! Must be one of 'interval' 'scope' 'resource'\n" "$kind" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
printf "%s" "$printable_name"
|
||||||
|
}
|
||||||
|
|
||||||
|
iterate_config() {
|
||||||
|
for resource in "${pressure_resources[@]}"; do
|
||||||
|
local printable_resource
|
||||||
|
printable_resource=$( get_printable_name resource "$resource" )
|
||||||
|
printf "multigraph linux_psi.%s_avg\n" "$resource"
|
||||||
|
printf "graph_title %s Pressure Stall Information - Average\n" "$printable_resource"
|
||||||
|
printf "graph_category system\n"
|
||||||
|
printf "graph_info Average PSI based latency caused by lack of %s resources.\n" "$printable_resource"
|
||||||
|
printf "graph_vlabel %%\n"
|
||||||
|
printf "graph_scale no\n"
|
||||||
|
for interval in "${pressure_intervals[@]}"; do
|
||||||
|
local printable_interval
|
||||||
|
printable_interval=$( get_printable_name interval "$interval" )
|
||||||
|
output_config "$resource" "$interval"
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
done
|
||||||
|
|
||||||
|
for resource in "${pressure_resources[@]}"; do
|
||||||
|
local interval
|
||||||
|
local printable_resource
|
||||||
|
interval="total"
|
||||||
|
printable_resource=$( get_printable_name resource "$resource" )
|
||||||
|
|
||||||
|
printf "multigraph linux_psi.%s_total\n" "$resource"
|
||||||
|
printf "graph_title %s Pressure Stall Information - Rate\n" "$printable_resource"
|
||||||
|
printf "graph_category system\n"
|
||||||
|
printf "graph_info Total PSI based latency rate caused by lack of %s resources.\n" "$printable_resource"
|
||||||
|
printf "graph_vlabel rate\n"
|
||||||
|
output_config "$resource" "$interval"
|
||||||
|
echo ""
|
||||||
|
done
|
||||||
|
|
||||||
|
printf "multigraph linux_psi\n"
|
||||||
|
printf "graph_title Pressure Stall Information - Average\n"
|
||||||
|
printf "graph_vlabel %%\n"
|
||||||
|
printf "graph_scale no\n"
|
||||||
|
printf "graph_category system\n"
|
||||||
|
printf "graph_info Average PSI based latency caused by lack of resources.\n"
|
||||||
|
for resource in "${pressure_resources[@]}"; do
|
||||||
|
output_config "$resource" "$summary_interval"
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
}
|
||||||
|
|
||||||
|
iterate_values() {
|
||||||
|
for resource in "${pressure_resources[@]}"; do
|
||||||
|
printf "multigraph linux_psi.%s_avg\n" "$resource"
|
||||||
|
for interval in "${pressure_intervals[@]}"; do
|
||||||
|
output_values "$resource" "$interval"
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
done
|
||||||
|
|
||||||
|
for resource in "${pressure_resources[@]}"; do
|
||||||
|
local interval
|
||||||
|
interval="total"
|
||||||
|
printf "multigraph linux_psi.%s_total\n" "$resource"
|
||||||
|
output_values "$resource" "$interval"
|
||||||
|
echo ""
|
||||||
|
done
|
||||||
|
|
||||||
|
printf "multigraph linux_psi\n"
|
||||||
|
for resource in "${pressure_resources[@]}"; do
|
||||||
|
output_values "$resource" "$summary_interval"
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
}
|
||||||
|
|
||||||
|
output_config() {
|
||||||
|
local resource
|
||||||
|
local interval
|
||||||
|
local printable_resource
|
||||||
|
local printable_interval
|
||||||
|
|
||||||
|
resource="$1"
|
||||||
|
interval="$2"
|
||||||
|
printable_resource=$( get_printable_name resource "$resource" )
|
||||||
|
printable_interval=$( get_printable_name interval "$interval" )
|
||||||
|
|
||||||
|
for scope in "${pressure_scopes[@]}"; do
|
||||||
|
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
|
||||||
|
continue
|
||||||
|
else
|
||||||
|
local printable_scope
|
||||||
|
local this_warn_var
|
||||||
|
local this_crit_var
|
||||||
|
|
||||||
|
printable_scope=$( get_printable_name scope "$scope" )
|
||||||
|
this_warn_var=$( echo "warn_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
|
||||||
|
this_crit_var=$( echo "crit_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
|
||||||
|
|
||||||
|
printf "psi_%s_%s_%s.min 0\n" "$resource" "$interval" "$scope"
|
||||||
|
printf "psi_%s_%s_%s.label %s %s %s\n" "$resource" "$interval" "$scope" "$printable_resource" "$printable_interval" "$printable_scope"
|
||||||
|
if [ -n "${!this_warn_var}" ]; then
|
||||||
|
printf "psi_%s_%s_%s.warning %s\n" "$resource" "$interval" "$scope" "${!this_warn_var}"
|
||||||
|
fi
|
||||||
|
if [ -n "${!this_crit_var}" ]; then
|
||||||
|
printf "psi_%s_%s_%s.critical %s\n" "$resource" "$interval" "$scope" "${!this_crit_var}"
|
||||||
|
fi
|
||||||
|
if [ "$interval" == "total" ]; then
|
||||||
|
printf "psi_%s_%s_%s.type DERIVE\n" "$resource" "$interval" "$scope"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
output_values() {
|
||||||
|
local resource
|
||||||
|
local interval
|
||||||
|
resource="$1"
|
||||||
|
interval="$2"
|
||||||
|
|
||||||
|
for scope in "${pressure_scopes[@]}"; do
|
||||||
|
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
|
||||||
|
continue
|
||||||
|
else
|
||||||
|
printf "psi_%s_%s_%s.value %s\n" "$resource" "$interval" "$scope" "$(get_pressure_value "$resource" "$interval" "$scope")"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
output_usage() {
|
||||||
|
printf >&2 "%s - munin plugin to graph pressure stall information for CPU, Memory and IO as reported by the Linux kernel.\n" "${0##*/}"
|
||||||
|
printf >&2 "Usage: %s [config]\n" "${0##*/}"
|
||||||
|
printf >&2 "You may use environment settings in a plugin-config file, used by munin (for example /etc/munin/plugin-conf.d/munin-node) to further adjust settings.\n"
|
||||||
|
printf >&2 "You can use these settings to configure which resources, intervals or scopes are monitored or to configure warning and critical levels.\n"
|
||||||
|
printf >&2 "To do so use a syntax like this:\n"
|
||||||
|
printf >&2 "[linux_psi]\n"
|
||||||
|
printf >&2 "env.resources cpu io memory\n"
|
||||||
|
printf >&2 "env.intervals avg10 avg60 avg300\n"
|
||||||
|
printf >&2 "env.scopes some full\n"
|
||||||
|
printf >&2 "env.summary_interval avg300\n"
|
||||||
|
printf >&2 "env.warn_psi_cpu_avg300_some 5\n"
|
||||||
|
printf >&2 "env.crit_psi_io_total_full 2000\n"
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$#" in
|
||||||
|
0)
|
||||||
|
iterate_values
|
||||||
|
;;
|
||||||
|
|
||||||
|
1)
|
||||||
|
case "$1" in
|
||||||
|
autoconf)
|
||||||
|
check_autoconf
|
||||||
|
;;
|
||||||
|
config)
|
||||||
|
iterate_config
|
||||||
|
;;
|
||||||
|
fetch)
|
||||||
|
iterate_values
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
output_usage
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
output_usage
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
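Review bot: In `get_printable_name`, the `interval)` branch switches on `"$interval"` instead of the function's own parameter (`case "$interval" in`), so it only works because every caller happens to have a variable named `interval` in scope holding the same value; the fix is `case "$value" in`, matching the `scope` and `resource` branches. The header also documents `env.resources cpu io memory`, but munin-node exports plugin-config values as plain strings, and `"${resources[@]:-…}"` on a scalar expands to the single element `cpu io memory`, which `get_printable_name` would then reject — presumably the documented configuration has not been exercised; `read -r -a pressure_resources <<< "${resources:-${resource_defaults[*]}}"` (and likewise for intervals and scopes) would make it usable, worth confirming against your munin-node. Lastly, `get_pressure_value` reads `${pressure_dir}/${resource}` with the `env.resources` value unvalidated on the fetch path (`iterate_values` never calls `get_printable_name`); the config is root-owned so this is robustness rather than a trust boundary, but validating the resource before opening the file would keep a typo from reading an unrelated path.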
|
|
@ -46,6 +46,8 @@
|
||||||
dest: '/usr/share/munin/plugins/{{ item }}'
|
dest: '/usr/share/munin/plugins/{{ item }}'
|
||||||
loop:
|
loop:
|
||||||
- dhcp_pool
|
- dhcp_pool
|
||||||
|
- linux-psi
|
||||||
|
- ipmi_
|
||||||
tags:
|
tags:
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
|
@ -77,6 +79,7 @@
|
||||||
- postfix_mailqueue
|
- postfix_mailqueue
|
||||||
- postfix_mailstats
|
- postfix_mailstats
|
||||||
- postfix_mailvolume
|
- postfix_mailvolume
|
||||||
|
- linux-psi
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
tags:
|
tags:
|
||||||
- munin
|
- munin
|
||||||
|
@ -106,6 +109,14 @@
|
||||||
- temp
|
- temp
|
||||||
- power
|
- power
|
||||||
- volts
|
- volts
|
||||||
|
- amp
|
||||||
|
|
||||||
|
- name: Ensure ipmitool is installed on dedicated hardware
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: ipmitool
|
||||||
|
state: present
|
||||||
|
when: ansible_virtualization_role == "host"
|
||||||
|
notify: restart munin-node
|
||||||
|
|
||||||
- name: adjustments for grsec kernel
|
- name: adjustments for grsec kernel
|
||||||
ansible.builtin.blockinfile:
|
ansible.builtin.blockinfile:
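Review bot: The new `Ensure ipmitool is installed on dedicated hardware` task is gated on `ansible_virtualization_role == "host"`, which Ansible sets when the machine is itself acting as a hypervisor; on plain bare metal with no virtualization detected the fact is usually `NA`, so the task would skip exactly the dedicated servers it is meant for while the IPMI plugin entries added above (including the new `amp`) would presumably then fail for lack of `ipmitool` — worth checking against real inventory facts, with `when: ansible_virtualization_role in ['host', 'NA']` if that confirms it. The task is also the only one in this file without `tags: - munin`, so a `--tags munin` run would enable the plugins without installing their dependency.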
|
||||||
|
|
210
nagios-nrpe/files/alerts_switch
Normal file → Executable file
210
nagios-nrpe/files/alerts_switch
Normal file → Executable file
|
@ -1,83 +1,143 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# https://forge.evolix.org/projects/evolix-private/repository
|
|
||||||
#
|
#
|
||||||
# You should not alter this file.
|
# Source:
|
||||||
# If you need to, create and customize a copy.
|
# https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
|
||||||
|
#
|
||||||
set -e
|
|
||||||
|
|
||||||
readonly PROGNAME=$(basename $0)
|
readonly PROGNAME=$(basename $0)
|
||||||
readonly PROGDIR=$(readlink -m $(dirname $0))
|
readonly VERSION="24.06.00"
|
||||||
readonly ARGS="$@"
|
|
||||||
|
|
||||||
usage() {
|
# Load common functions and vars
|
||||||
echo "$PROGNAME action prefix"
|
readonly lib_dir="/usr/local/lib/monitoringctl"
|
||||||
}
|
if [ -r "${lib_dir}/common" ]; then
|
||||||
|
# shellcheck source=monitoringctl_common
|
||||||
disable_alerts () {
|
source "${lib_dir}/common"
|
||||||
disabled_file="$1_disabled"
|
else
|
||||||
enabled_file="$1_enabled"
|
>&2 echo "Error: missing ${lib_dir}/common file."
|
||||||
|
|
||||||
if [ -e "${enabled_file}" ]; then
|
|
||||||
mv "${enabled_file}" "${disabled_file}"
|
|
||||||
else
|
|
||||||
touch "${disabled_file}"
|
|
||||||
chmod 0644 "${disabled_file}"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
enable_alerts () {
|
|
||||||
disabled_file="$1_disabled"
|
|
||||||
enabled_file="$1_enabled"
|
|
||||||
|
|
||||||
if [ -e "${disabled_file}" ]; then
|
|
||||||
mv "${disabled_file}" "${enabled_file}"
|
|
||||||
else
|
|
||||||
touch "${enabled_file}"
|
|
||||||
chmod 0644 "${enabled_file}"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
now () {
|
|
||||||
date --iso-8601=seconds
|
|
||||||
}
|
|
||||||
|
|
||||||
log_disable () {
|
|
||||||
echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
|
|
||||||
}
|
|
||||||
|
|
||||||
log_enable () {
|
|
||||||
echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
|
|
||||||
}
|
|
||||||
|
|
||||||
main () {
|
|
||||||
local action=$1
|
|
||||||
local prefix=$2
|
|
||||||
|
|
||||||
local base_dir="/var/lib/misc"
|
|
||||||
mkdir -p "${base_dir}"
|
|
||||||
|
|
||||||
local file_path="${base_dir}/${prefix}_alerts"
|
|
||||||
local log_file="/var/log/${prefix}_alerts.log"
|
|
||||||
|
|
||||||
case "$action" in
|
|
||||||
enable)
|
|
||||||
enable_alerts ${file_path}
|
|
||||||
log_enable ${log_file}
|
|
||||||
;;
|
|
||||||
disable)
|
|
||||||
disable_alerts ${file_path}
|
|
||||||
log_disable ${log_file}
|
|
||||||
;;
|
|
||||||
help)
|
|
||||||
usage
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
>&2 echo "Unknown action '$action'"
|
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
fi
|
||||||
esac
|
|
||||||
|
if [ ! -e "${var_dir}" ]; then
|
||||||
|
>&2 echo "Warning: missing ${var_dir} directory."
|
||||||
|
fi
|
||||||
|
|
||||||
|
function show_help() {
|
||||||
|
cat <<END
|
||||||
|
$PROGNAME disables or enables NRPE alerts wrapped by the script 'alerts_wrapper' in NRPE configuration.
|
||||||
|
|
||||||
|
Usage: $PROGNAME disable [-d|--during <DURATION>] [--message '<DISABLE_MESSAGE>'] <WRAPPER_NAME|all>
|
||||||
|
$PROGNAME enable [--message '<ENABLE_MESSAGE>'] <WRAPPER_NAME|all>
|
||||||
|
$PROGNAME help
|
||||||
|
|
||||||
|
WRAPPER_NAME: The name given to '--name' option of 'alerts_wrapper'.
|
||||||
|
DURATION: Duration of alert disabling.
|
||||||
|
Can be '1d' for 1 day, '5m' for 5 minutes or more complex
|
||||||
|
expressions like '1w2d10m42s' (if no time unit is provided,
|
||||||
|
hour is assumed)
|
||||||
|
Default value: 1h
|
||||||
|
DISABLE_MESSAGE: Message that will be logged and printed by alerts_wrapper
|
||||||
|
when alert is disabled.
|
||||||
|
ENABLE_MESSAGE: Message that will be logged when alert is enabled
|
||||||
|
END
|
||||||
}
|
}
|
||||||
|
|
||||||
main $ARGS
|
function disable_alerts() {
|
||||||
|
# $1: wrapper name, $2: duration_sec, $3: disable message
|
||||||
|
now_secs=$(date +"%s")
|
||||||
|
disable_until_secs=$(( now_secs + ${2} ))
|
||||||
|
disable_file_path="$(get_disable_file_path "${1}")"
|
||||||
|
echo "${disable_until_secs}" > "${disable_file_path}"
|
||||||
|
echo "$(logname || echo unknown): \"${3}\"" >> "${disable_file_path}"
|
||||||
|
chmod 0644 "${disable_file_path}"
|
||||||
|
log "${1} alerts disabled by $(logname || echo unknown)"
|
||||||
|
log "Disable message: ${3}"
|
||||||
|
}
|
||||||
|
|
||||||
|
function enable_alerts() {
|
||||||
|
# $1: wrapper name, $2: enable message
|
||||||
|
disable_file_path="$(get_disable_file_path "${1}")"
|
||||||
|
if [ -e "${disable_file_path}" ]; then
|
||||||
|
rm "${disable_file_path}"
|
||||||
|
fi
|
||||||
|
log "${1} alerts enabled by $(logname || echo unknown)"
|
||||||
|
log "Enable message: ${2}"
|
||||||
|
}
|
||||||
|
|
||||||
|
function main() {
|
||||||
|
if [ "${action}" == 'enable' ]; then
|
||||||
|
if [ "${wrapper_name}" == "all" ]; then
|
||||||
|
for wrapper in $(get_wrappers_names); do
|
||||||
|
enable_alerts "${wrapper}" "${message}"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
enable_alerts "${wrapper_name}" "${message}"
|
||||||
|
fi
|
||||||
|
elif [ "${action}" == 'disable' ]; then
|
||||||
|
duration_sec=$(time_to_seconds "${duration}")
|
||||||
|
if [ "${wrapper_name}" == "all" ]; then
|
||||||
|
for wrapper in $(get_wrappers_names); do
|
||||||
|
disable_alerts "${wrapper}" "${duration_sec}" "${message}"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
disable_alerts "${wrapper_name}" "${duration_sec}" "${message}"
|
||||||
|
fi
|
||||||
|
elif [ "${action}" == 'help' ]; then
|
||||||
|
show_help
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
while :; do
|
||||||
|
case "${1}" in
|
||||||
|
enable|disable|help)
|
||||||
|
action="${1}"
|
||||||
|
shift;;
|
||||||
|
-d|--during)
|
||||||
|
if [ "$#" -gt 1 ]; then
|
||||||
|
if filter_duration "${2}"; then
|
||||||
|
duration="${2}"
|
||||||
|
else
|
||||||
|
usage_error "Option --during: \"${2}\" is not a valid duration."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
error "Missing --during argument."
|
||||||
|
fi
|
||||||
|
shift; shift;;
|
||||||
|
-m|--message)
|
||||||
|
if [ "$#" -gt 1 ]; then
|
||||||
|
message="${2}"
|
||||||
|
else
|
||||||
|
error "Missing --message argument."
|
||||||
|
fi
|
||||||
|
shift; shift;;
|
||||||
|
*)
|
||||||
|
if [ -n "${1}" ]; then
|
||||||
|
if is_wrapper "${1}" || [ "${1}" == "all" ]; then
|
||||||
|
wrapper_name="${1}"
|
||||||
|
else
|
||||||
|
error "Unknown argument '${1}', or NAME not defined in NRPE configuration."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ -z "${action}" ]; then
|
||||||
|
error "Missing action argument."
|
||||||
|
elif [ -z "${1}" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
shift;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "${wrapper_name}" ] && [ "${action}" != 'help' ] ; then
|
||||||
|
error "Missing WRAPPER_NAME."
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "${duration}" ]; then
|
||||||
|
duration="${default_disabled_time}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
readonly wrapper_name duration action
|
||||||
|
|
||||||
|
main
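Review bot: `disable_alerts` reports success unconditionally: the old script ran under `set -e` (dropped at the top of this file), a missing `${var_dir}` is now only a warning, and nothing checks the result of `echo "${disable_until_secs}" > "${disable_file_path}"`, so a failed write still logs `alerts disabled by …` and exits 0 — the operator believes the check is silenced while `alerts_wrapper` keeps alerting, and the converse on a failed `rm` in `enable_alerts`. Making the write fatal is one line, `echo "${disable_until_secs}" > "${disable_file_path}" || error "Cannot write ${disable_file_path}"`, with the same `|| error` on the `rm`. Two smaller points: the free-text `--message` is appended to a file whose first line is presumably parsed as an epoch by the wrapper, so a message containing a newline would corrupt that layout — strip or reject newlines in the `-m|--message` branch; and `readonly PROGNAME=$(basename $0)` leaves `$0` unquoted.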
|
||||||
|
|
||||||
|
|
215
nagios-nrpe/files/alerts_wrapper
Normal file → Executable file
215
nagios-nrpe/files/alerts_wrapper
Normal file → Executable file
|
@ -1,114 +1,101 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# https://forge.evolix.org/projects/evolix-private/repository
|
|
||||||
#
|
#
|
||||||
# You should not alter this file.
|
# Source:
|
||||||
# If you need to, create and customize a copy.
|
# https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
|
||||||
|
#
|
||||||
|
|
||||||
VERSION="21.04"
|
readonly PROGNAME=$(basename $0)
|
||||||
readonly VERSION
|
readonly VERSION="24.06.00"
|
||||||
|
|
||||||
# base functions
|
# Load common functions and vars
|
||||||
|
readonly lib_dir="/usr/local/lib/monitoringctl"
|
||||||
|
if [ -r "${lib_dir}/common" ]; then
|
||||||
|
# shellcheck source=monitoringctl_common
|
||||||
|
source "${lib_dir}/common"
|
||||||
|
else
|
||||||
|
>&2 echo "Error: missing ${lib_dir}/common file."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
show_version() {
|
if [ ! -e "${var_dir}" ]; then
|
||||||
|
>&2 echo "Warning: missing ${var_dir} directory."
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
function show_help() {
|
||||||
cat <<END
|
cat <<END
|
||||||
alerts_wrapper version ${VERSION}
|
alerts_wrapper wraps an NRPE command and overrides the return code.
|
||||||
|
|
||||||
Copyright 2018-2021 Evolix <info@evolix.fr>,
|
Usage: alerts_wrapper --name <WRAPPER_NAME> <CHECK_COMMAND>
|
||||||
Jérémy Lecour <jlecour@evolix.fr>
|
Usage: alerts_wrapper <WRAPPER_NAME> <CHECK_COMMAND> (deprecated)
|
||||||
and others.
|
|
||||||
|
|
||||||
alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
|
|
||||||
and you are welcome to redistribute it under certain conditions.
|
|
||||||
See the GNU General Public License v3.0 for details.
|
|
||||||
END
|
|
||||||
}
|
|
||||||
show_help() {
|
|
||||||
cat <<END
|
|
||||||
alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
|
|
||||||
|
|
||||||
Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
|
|
||||||
or alerts_wrapper --name=check_name command with optional arguments
|
|
||||||
or alerts_wrapper check_name command with optional arguments
|
|
||||||
|
|
||||||
Options
|
Options
|
||||||
--limit max age of the "check file" ;
|
--name Wrapper name, it is very recommended to use the check name (like load, disk1…).
|
||||||
can be "1d" for 1 day, "5m" for 5 minutes…
|
Special name: 'all' is already hard-coded.
|
||||||
or more complex expressions like "1w2d10m42s"
|
-h, --help Print this message and exit.
|
||||||
--name check name
|
-V, --version Print version and exit.
|
||||||
-h, --help print this message and exit
|
|
||||||
-V, --version print version and exit
|
|
||||||
END
|
END
|
||||||
}
|
}
|
||||||
|
|
||||||
time_in_seconds() {
|
function enable_wrapper() {
|
||||||
if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
|
# $1: wrapper name
|
||||||
echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
|
|
||||||
elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
|
|
||||||
echo "${1} * 3600" | xargs expr
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
delay_from_alerts_disabled_file() {
|
|
||||||
last_change=$(stat -c %Z "${alerts_disabled_file}")
|
|
||||||
limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}")
|
|
||||||
limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
|
|
||||||
|
|
||||||
echo $(( last_change - limit_date ))
|
|
||||||
}
|
|
||||||
|
|
||||||
enable_check() {
|
|
||||||
if [ "$(id -u)" -eq "0" ] ; then
|
if [ "$(id -u)" -eq "0" ] ; then
|
||||||
/usr/local/bin/alerts_switch enable "${check_name}"
|
/usr/local/bin/alerts_switch enable "${1}"
|
||||||
else
|
else
|
||||||
sudo /usr/local/bin/alerts_switch enable "${check_name}"
|
sudo /usr/local/bin/alerts_switch enable "${1}"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
function main() {
|
||||||
${check_command} > "${check_stdout}"
|
is_disabled="$(is_disabled_wrapper "${wrapper_name}")"
|
||||||
|
|
||||||
|
if [ -e "${disable_file}" ] && [ "${is_disabled}" = "False" ]; then
|
||||||
|
enable_wrapper "${wrapper_name}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
timeout_command=""
|
||||||
|
if [ "${is_disabled}" = "True" ]; then
|
||||||
|
timeout_command="timeout 8"
|
||||||
|
fi
|
||||||
|
|
||||||
|
check_stdout="$(${timeout_command} ${check_command})"
|
||||||
check_rc=$?
|
check_rc=$?
|
||||||
readonly check_rc
|
|
||||||
|
|
||||||
delay=0
|
if [ "${is_disabled}" = "True" ] && [ "${check_rc}" -eq 124 ] && [ -z "${check_stdout}" ]; then
|
||||||
|
check_stdout="Check timeout (> 8 sec)"
|
||||||
if [ -e "${alerts_disabled_file}" ]; then
|
|
||||||
delay=$(delay_from_alerts_disabled_file)
|
|
||||||
|
|
||||||
if [ "${delay}" -le "0" ]; then
|
|
||||||
enable_check
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -e "${alerts_disabled_file}" ]; then
|
if [ "${is_disabled}" = "True" ]; then
|
||||||
formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
|
enable_time="$(get_enable_time "${wrapper_name}")"
|
||||||
readonly formatted_last_change
|
enable_delay="$(enable_delay "${enable_time}")"
|
||||||
|
delay_str="$(delay_to_string "${enable_delay}")"
|
||||||
|
enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
|
||||||
|
disable_msg="$(get_disable_message "${wrapper_name}")"
|
||||||
|
if [ -n "${disable_msg}" ]; then
|
||||||
|
disable_msg="- ${disable_msg} "
|
||||||
|
fi
|
||||||
|
echo "ALERT DISABLED until ${enable_date} (${delay_str} left) ${disable_msg}- Check output: ${check_stdout}"
|
||||||
|
else
|
||||||
|
echo "${check_stdout}"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
|
if [ "${is_disabled}" = "True" ]; then
|
||||||
if [ ${check_rc} = 0 ]; then
|
if [ ${check_rc} = 0 ]; then
|
||||||
# Nagios OK
|
exit 0 # Nagios OK
|
||||||
exit 0
|
|
||||||
else
|
else
|
||||||
# Nagios WARNING
|
exit 1 # Nagios WARNING
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
cat "${check_stdout}"
|
|
||||||
exit ${check_rc}
|
exit ${check_rc}
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Default: 1 day before re-enabling the check
|
|
||||||
wrapper_limit_default="1d"
|
|
||||||
readonly wrapper_limit_default
|
|
||||||
|
|
||||||
if [[ "${1}" =~ -.* ]]; then
|
if [[ "${1}" =~ -.* ]]; then
|
||||||
# parse options
|
# parse options
|
||||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||||
while :; do
|
while :; do
|
||||||
case $1 in
|
case "${1}" in
|
||||||
-h|-\?|--help)
|
-h|-\?|--help)
|
||||||
show_help
|
show_help
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -117,47 +104,25 @@ if [[ "${1}" =~ -.* ]]; then
|
||||||
show_version
|
show_version
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
-n|--name)
|
||||||
--limit)
|
|
||||||
# with value separated by space
|
# with value separated by space
|
||||||
if [ -n "$2" ]; then
|
if [ -n "${2}" ]; then
|
||||||
wrapper_limit=$2
|
wrapper_name="${2}"
|
||||||
shift
|
|
||||||
else
|
|
||||||
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
--limit=?*)
|
|
||||||
# with value speparated by =
|
|
||||||
wrapper_limit=${1#*=}
|
|
||||||
;;
|
|
||||||
--limit=)
|
|
||||||
# without value
|
|
||||||
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
|
|
||||||
--name)
|
|
||||||
# with value separated by space
|
|
||||||
if [ -n "$2" ]; then
|
|
||||||
check_name=$2
|
|
||||||
shift
|
shift
|
||||||
else
|
else
|
||||||
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
|
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
|
||||||
exit 1
|
exit 2
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
--name=?*)
|
-n|--name=?*)
|
||||||
# with value speparated by =
|
# with value separated by =
|
||||||
check_name=${1#*=}
|
wrapper_name="${1#*=}"
|
||||||
;;
|
;;
|
||||||
--name=)
|
-n|--name=)
|
||||||
# without value
|
# without value
|
||||||
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
|
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
|
||||||
exit 1
|
exit 2
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--)
|
--)
|
||||||
# End of all options.
|
# End of all options.
|
||||||
shift
|
shift
|
||||||
|
@ -165,8 +130,8 @@ if [[ "${1}" =~ -.* ]]; then
|
||||||
;;
|
;;
|
||||||
-?*)
|
-?*)
|
||||||
# ignore unknown options
|
# ignore unknown options
|
||||||
printf 'WARN: Unknown option : %s\n' "$1" >&2
|
printf 'ERROR: Unknown option : %s\n' "${1}" >&2
|
||||||
exit 1
|
exit 2
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
# Default case: If no more options then break out of the loop.
|
# Default case: If no more options then break out of the loop.
|
||||||
|
@ -180,38 +145,22 @@ if [[ "${1}" =~ -.* ]]; then
|
||||||
check_command="$*"
|
check_command="$*"
|
||||||
else
|
else
|
||||||
# no option is passed (backward compatibility with previous version)
|
# no option is passed (backward compatibility with previous version)
|
||||||
# treat the first argument as check_name and the rest as the command
|
# treat the first argument as wrapper_name and the rest as the command
|
||||||
check_name="${1}"
|
wrapper_name="${1}"
|
||||||
shift
|
shift
|
||||||
check_command="$*"
|
check_command="$*"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Default values or errors
|
if [ -z "${wrapper_name}" ]; then
|
||||||
if [ -z "${wrapper_limit}" ]; then
|
printf 'ERROR: You must specify a wrapper name, with --names.\n' >&2
|
||||||
wrapper_limit="${wrapper_limit_default}"
|
exit 2
|
||||||
fi
|
|
||||||
if [ -z "${check_name}" ]; then
|
|
||||||
printf 'ERROR: You must specify a check name, with --name.\n' >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
if [ -z "${check_command}" ]; then
|
if [ -z "${check_command}" ]; then
|
||||||
printf 'ERROR: You must specify a command to execute.\n' >&2
|
printf 'ERROR: You must specify a command to execute.\n' >&2
|
||||||
exit 1
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
readonly check_name
|
disable_file="$(get_disable_file_path "${wrapper_name}")"
|
||||||
readonly check_command
|
readonly wrapper_name check_command disable_file
|
||||||
readonly wrapper_limit
|
|
||||||
alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
|
|
||||||
readonly alerts_disabled_file
|
|
||||||
|
|
||||||
check_file="/var/lib/misc/${check_name}_alerts_disabled"
|
|
||||||
readonly check_file
|
|
||||||
|
|
||||||
check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
|
|
||||||
readonly check_stdout
|
|
||||||
|
|
||||||
# shellcheck disable=SC2064
|
|
||||||
trap "rm ${check_stdout}" EXIT
|
|
||||||
|
|
||||||
main
|
main
|
||||||
|
|
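Review bot: The usage error emitted when no wrapper name is given names a flag that does not exist — `printf 'ERROR: You must specify a wrapper name, with --names.\n' >&2` should read `--name`, matching the option the parser accepts and the help text above. In the option parser, `-n` is also listed in the `-n|--name=?*)` and `-n|--name=)` arms, but `-n` is already consumed by the earlier `-n|--name)` arm, so those two alternatives can never match; reducing them to `--name=?*)` and `--name=)` makes the three arms read as intended. Minor style point: `readonly PROGNAME=$(basename $0)` leaves `$0` unquoted while the rest of the file quotes every expansion; `readonly PROGNAME=$(basename "$0")` keeps it consistent.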
35
nagios-nrpe/files/check-local
Executable file → Normal file
35
nagios-nrpe/files/check-local
Executable file → Normal file
|
@ -1,36 +1,9 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
CHECK_BIN=/usr/lib/nagios/plugins/check_nrpe
|
readonly orange="\e[0;33m"
|
||||||
|
readonly nocolor="\e[0m"
|
||||||
|
|
||||||
server_address="127.0.0.1"
|
echo -e "${orange}'check-local' is now an alias for 'monitoringctl check'. See 'monitoringctl -h' for more information.${nocolor}"
|
||||||
|
|
||||||
if ! test -f "${CHECK_BIN}"; then
|
|
||||||
echo "${CHECK_BIN} is missing, please install nagios-nrpe-plugin package."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
for file in /etc/nagios/{nrpe.cfg,nrpe_local.cfg,nrpe.d/evolix.cfg}; do
|
|
||||||
if [ -r ${file} ]; then
|
|
||||||
command_search=$(grep "\[check_$1\]" "${file}" | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-)
|
|
||||||
fi
|
|
||||||
if [ -n "${command_search}" ]; then
|
|
||||||
command="${command_search}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -r ${file} ]; then
|
|
||||||
server_address_search=$(grep "server_address" "${file}" | grep -v '^[[:blank:]]*#' | cut -d'=' -f2)
|
|
||||||
fi
|
|
||||||
if [ -n "${server_address_search}" ]; then
|
|
||||||
server_address="${server_address_search}"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "${command}" ]; then
|
|
||||||
echo "Found command in /etc/nagios (take care, in some cases, Nagios can play another command):"
|
|
||||||
echo " ${command}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "NRPE daemon output:"
|
|
||||||
"${CHECK_BIN}" -H "${server_address}" -c "check_$1"
|
|
||||||
|
|
||||||
|
monitoringctl check "${1}"
|
||||||
|
|
||||||
|
|
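Review bot: The deprecation banner printed by `echo -e "${orange}'check-local' is now an alias for 'monitoringctl check'..."` goes to stdout, so any caller that still pipes or parses check-local output gets the coloured notice mixed into the check result; redirecting it with `>&2 echo -e "${orange}...${nocolor}"` keeps stdout limited to what `monitoringctl check "${1}"` produces. The final `monitoringctl check "${1}"` is the script's last command, so its exit status is already propagated without an explicit `exec` or `exit`.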
12
nagios-nrpe/files/check-local_completion
Normal file → Executable file
12
nagios-nrpe/files/check-local_completion
Normal file → Executable file
|
@ -1,10 +1,14 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
function _get_checks_names() {
|
||||||
|
grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]=" /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
|
||||||
|
}
|
||||||
|
|
||||||
|
# List of available checks
|
||||||
_check_local_dynamic_completion() {
|
_check_local_dynamic_completion() {
|
||||||
local cur;
|
local cur=${COMP_WORDS[COMP_CWORD]};
|
||||||
cur=${COMP_WORDS[COMP_CWORD]};
|
|
||||||
COMPREPLY=();
|
COMPREPLY=( $( compgen -W '$(_get_checks_names)' -- "${cur}" ) );
|
||||||
COMPREPLY=( $( compgen -W '$(grep "\[check_" -Rs /etc/nagios/ | grep -vE "^[[:blank:]]*#" | awk -F"[\\\[\\\]=]" "{print \$2}" | sed "s/check_//" | sort | uniq)' -- $cur ) );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
complete -F _check_local_dynamic_completion check-local
|
complete -F _check_local_dynamic_completion check-local
|
||||||
|
|
0
nagios-nrpe/files/check_async
Normal file → Executable file
0
nagios-nrpe/files/check_async
Normal file → Executable file
634
nagios-nrpe/files/monitoringctl
Executable file
634
nagios-nrpe/files/monitoringctl
Executable file
|
@ -0,0 +1,634 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
#set -x
|
||||||
|
|
||||||
|
readonly VERSION="24.06.00"
|
||||||
|
|
||||||
|
function show_help() {
|
||||||
|
cat <<EOF
|
||||||
|
${bold}monitoringctl${no_bold} version ${VERSION}.
|
||||||
|
|
||||||
|
${bold}monitoringctl${no_bold} gives some control over NRPE checks and alerts.
|
||||||
|
|
||||||
|
Usage: ${bold}monitoringctl${no_bold} [OPTIONS] ACTION ARGUMENTS
|
||||||
|
|
||||||
|
${bold}GENERAL OPTIONS${no_bold}
|
||||||
|
|
||||||
|
-h, --help Print this message and exit.
|
||||||
|
-V, --version Print version number and exit.
|
||||||
|
|
||||||
|
${bold}ACTIONS${no_bold}
|
||||||
|
|
||||||
|
${bold}list${no_bold}
|
||||||
|
|
||||||
|
List the checks defined in NRPE configuration.
|
||||||
|
|
||||||
|
${bold}status [CHECK_NAME|all]${no_bold}
|
||||||
|
|
||||||
|
Print whether alerts are enabled or not (silenced).
|
||||||
|
If alerts are disabled (silenced), show disable message and time left before automatic re-enabling.
|
||||||
|
|
||||||
|
${bold}check [-b|--bypass-nrpe] CHECK_NAME|all${no_bold}
|
||||||
|
|
||||||
|
Ask CHECK_NAME status to NRPE as an HTTP request.
|
||||||
|
Indicates which command NRPE has supposedly run (from its configuration).
|
||||||
|
|
||||||
|
-b, --bypass-nrpe Execute directly command from NRPE configuration,
|
||||||
|
as user nagios, without passing the request to NRPE.
|
||||||
|
|
||||||
|
${bold}disable CHECK_NAME|all [-d|--during DURATION] [-m|--message 'DISABLE MESSAGE']${no_bold}
|
||||||
|
|
||||||
|
Disable (silence) CHECK_NAME or all alerts for DURATION and write DISABLE MESSAGE into the log.
|
||||||
|
Checks output is still printed, so alerts history won't be lost.
|
||||||
|
|
||||||
|
-d, --during DURATION See section DURATION.
|
||||||
|
-m, --message 'DISABLE MESSAGE' See section MESSAGE.
|
||||||
|
|
||||||
|
${bold}enable CHECK_NAME|all [-m|--message 'ENABLE MESSAGE']${no_bold}
|
||||||
|
|
||||||
|
Re-enable CHECK_NAME or all alerts
|
||||||
|
|
||||||
|
-m, --message 'ENABLE MESSAGE' See section MESSAGE.
|
||||||
|
|
||||||
|
${bold}show CHECK_NAME${no_bold}
|
||||||
|
|
||||||
|
Show NPRE command(s) configured for CHECK_NAME
|
||||||
|
|
||||||
|
${bold}MESSAGE${no_bold}
|
||||||
|
|
||||||
|
Message that will be written in log and in check output when disabled.
|
||||||
|
It is mandatory, but in interactive shells it can be omitted. In tgis case it is asked interactively.
|
||||||
|
|
||||||
|
Warning: In non-interactive shells (scripts, crons…), this option is mandatory.
|
||||||
|
|
||||||
|
${bold}DURATION${no_bold}
|
||||||
|
|
||||||
|
Time (string) during which alerts will be disabled (optional, default: "1h").
|
||||||
|
|
||||||
|
${bold}Format${no_bold}
|
||||||
|
You can use 'd' (day), 'h' (hour) and 'm' (minute) , or a combination of them, to specify a duration.
|
||||||
|
Examples: '2d', '1h', '10m', '1h10' ('m' is guessed).
|
||||||
|
|
||||||
|
${bold}OTHER NOTES${no_bold}
|
||||||
|
|
||||||
|
For actions disable, enable and status, CHECK_NAME is actually the --name option passed to alerts_wrapper, and not the NRPE check name. Both check name and alerts_wrapper --name option should be equal in NRPE configuration to avoid confusion.
|
||||||
|
|
||||||
|
Log path: ${log_file}
|
||||||
|
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
function list_checks() {
|
||||||
|
checks="$(get_checks_names)"
|
||||||
|
for check in $checks; do
|
||||||
|
echo "${check}"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
function check() {
|
||||||
|
# $1: check name, "all" or empty
|
||||||
|
readonly check_nrpe_bin="/usr/lib/nagios/plugins/check_nrpe"
|
||||||
|
if [ ! -f "${check_nrpe_bin}" ]; then
|
||||||
|
>&2 echo "${check_nrpe_bin} is missing, please install nagios-nrpe-plugin package."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
conf_lines="$(get_nrpe_conf "${nrpe_conf_path}")"
|
||||||
|
|
||||||
|
server_address=$(echo "$conf_lines" | grep "server_address" | tail -n1 | cut -d'=' -f2)
|
||||||
|
if [ -z "${server_address}" ]; then server_address="127.0.0.1"; fi
|
||||||
|
|
||||||
|
server_port=$(echo "$conf_lines" | grep "server_port" | tail -n1 | cut -d'=' -f2)
|
||||||
|
if [ -z "${server_port}" ]; then server_port="5666"; fi
|
||||||
|
|
||||||
|
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
|
||||||
|
# Array header for multi-checks
|
||||||
|
checks="$(get_checks_names)"
|
||||||
|
header="Check\tStatus\tOutput (truncated)"
|
||||||
|
underline="-----\t------\t------------------"
|
||||||
|
str_out="\n${header}\n${underline}\n"
|
||||||
|
else
|
||||||
|
checks="${1}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
for check in $checks; do
|
||||||
|
printf "\033[KChecking %s…\r" "${check}"
|
||||||
|
err_msg=""
|
||||||
|
if [ "${bypass_nrpe}" = "False" ]; then
|
||||||
|
request_command="${check_nrpe_bin} -H ${server_address} -p ${server_port} -c check_${check} 2&>1"
|
||||||
|
else
|
||||||
|
check_commands="$(get_check_commands "${check}")"
|
||||||
|
if [ -n "${check_commands}" ]; then
|
||||||
|
check_command="$(echo "${check_commands}" | tail -n1)"
|
||||||
|
request_command="sudo -u nagios -- ${check_command}"
|
||||||
|
else
|
||||||
|
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
|
||||||
|
err_msg="Check command not found in NRPE configuration."
|
||||||
|
else
|
||||||
|
err_msg="Error: no command found in NRPE configuration for check '${check}'. Aborted."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -z "${err_msg}" ]; then
|
||||||
|
check_output="$(${request_command})"
|
||||||
|
rc="$?"
|
||||||
|
check_output="$(echo "${check_output}" | tr '\n' ' ')"
|
||||||
|
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
|
||||||
|
if [ "${#check_output}" -gt 60 ]; then
|
||||||
|
check_output="$(echo "${check_output}" | cut -c-80) [...]"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
check_output="${err_msg}"
|
||||||
|
rc="3"
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "${rc}" in
|
||||||
|
0)
|
||||||
|
rc_str="OK"
|
||||||
|
color="${green}"
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
rc_str="Warning"
|
||||||
|
color="${orange}"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
rc_str="Critical"
|
||||||
|
color="${red}"
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
rc_str="Unknown"
|
||||||
|
color="${purple}"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
rc_str="Unknown"
|
||||||
|
color="${purple}"
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
|
||||||
|
str_out="${str_out}${color}${check}\t${rc_str}${nocolor}\t${check_output}\n"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
|
||||||
|
echo -e "${str_out}" | column -t -s $'\t'
|
||||||
|
else
|
||||||
|
printf "\033[K\n" # erase tmp line « Checking check_toto…»
|
||||||
|
if [ "${bypass_nrpe}" = "False" ]; then
|
||||||
|
echo -e "NRPE service output (on ${server_address}:${server_port}):\n"
|
||||||
|
else
|
||||||
|
echo -e "Direct check output (bypassing NRPE):\n"
|
||||||
|
fi
|
||||||
|
echo -e "${color}${check_output}${nocolor}\n" | sed 's/|/\n/g'
|
||||||
|
exit "${rc}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Print error message and exit if not installed
|
||||||
|
function alerts_switch_is_installed() {
|
||||||
|
if ! command -v alerts_switch &> /dev/null; then
|
||||||
|
error "Error: script 'alerts_switch' is not installed. Aborted."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function disable_alerts() {
|
||||||
|
# $1: check name | all
|
||||||
|
# $2: disable message
|
||||||
|
alerts_switch_is_installed
|
||||||
|
|
||||||
|
if [ "${1}" = "all" ]; then
|
||||||
|
checks="$(get_checks_names)"
|
||||||
|
else
|
||||||
|
checks="${1}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
warn_not_wrapped "${checks}"
|
||||||
|
warn_wrapper_names "${checks}"
|
||||||
|
|
||||||
|
if [ -z "${2}" ]; then
|
||||||
|
if [ "${is_interactive}" = "False" ]; then
|
||||||
|
error "Error: disable message option is mandatory in non-interactive shell."
|
||||||
|
fi
|
||||||
|
echo -n "> Please provide a disable message (for logging and check output): "
|
||||||
|
read -r message
|
||||||
|
echo ''
|
||||||
|
if [ -z "${message}" ]; then
|
||||||
|
error "${red}Error:${nocolor} disable message is mandatory."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
message="${2}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
default_msg=""
|
||||||
|
if [ "${default_duration}" = "True" ]; then
|
||||||
|
default_msg=" (use --during to change default time)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${1}" = "all" ]; then
|
||||||
|
check_txt="All checks"
|
||||||
|
else
|
||||||
|
check_txt="Check ${1}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_box "${check_txt} will be disabled for ${duration}${default_msg}."
|
||||||
|
cat <<EOF
|
||||||
|
|
||||||
|
Additional information:
|
||||||
|
* Alerts history is kept in our monitoring system.
|
||||||
|
* To see when the will be re-enabled, execute 'monitoringctl status ${1}'.
|
||||||
|
* To re-enable alert(s) before ${duration}, execute as root or with sudo: 'monitoringctl enable ${1}'.
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "${1}" != "all" ]; then
|
||||||
|
if is_check "${1}"; then
|
||||||
|
wrapper="$(get_check_wrapper_name "${1}")"
|
||||||
|
else
|
||||||
|
wrapper="${1}"
|
||||||
|
fi
|
||||||
|
checks="$(get_wrapper_checks "${wrapper}")"
|
||||||
|
n_checks="$(echo "${checks}" | wc -w)"
|
||||||
|
if [ "${n_checks}" -gt 1 ]; then
|
||||||
|
>&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, disabling ${1} will disable: ${checks}.\n"
|
||||||
|
log "Warning: disabling ${1} will disable ${checks} (which have the same wrapper name)."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
wrapper="all"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${is_interactive}" = "True" ]; then
|
||||||
|
echo -n "> Confirm (y/N)? "
|
||||||
|
read -r answer
|
||||||
|
if [ "${answer}" != "Y" ] && [ "${answer}" != "y" ]; then
|
||||||
|
echo -e "${orange}Canceled.${nocolor}" && exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
log "Action disable ${1} requested for ${duration} by user $(logname || echo unknown)."
|
||||||
|
|
||||||
|
alerts_switch disable "${wrapper}" --during "${duration}" --message "${message}"
|
||||||
|
|
||||||
|
if [ "${1}" != "all" ]; then
|
||||||
|
if [ "${n_checks}" -eq 1 ]; then
|
||||||
|
echo -e "${orange}Check ${1} alerts are now disabled for ${duration}.${nocolor}"
|
||||||
|
else
|
||||||
|
echo -e "${orange}Alerts are now disabled for ${duration} for checks: ${checks}.${nocolor}"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo -e "${orange}All alerts are now disabled for ${duration}.${nocolor}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function enable_alerts() {
|
||||||
|
# $1: check name, $2: enable message
|
||||||
|
alerts_switch_is_installed
|
||||||
|
|
||||||
|
if [ "${1}" != "all" ]; then
|
||||||
|
# Verify that check is not already enabled
|
||||||
|
is_disabled="$(is_disabled_check "${1}")"
|
||||||
|
if [ "${is_disabled}" = "False" ]; then
|
||||||
|
echo "${1} is already enabled, see 'monitoringctl status'"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "${2}" ]; then
|
||||||
|
if [ "${is_interactive}" = "False" ]; then
|
||||||
|
error "Error: disable message option is mandatory in non-interactive shell."
|
||||||
|
fi
|
||||||
|
echo -n "> Please provide an enable message (for logging): "
|
||||||
|
read -r message
|
||||||
|
echo ''
|
||||||
|
if [ -z "${message}" ]; then
|
||||||
|
error "${red}Error:${nocolor} disable message is mandatory."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
message="${2}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
log "Action enable ${1} requested by user $(logname || echo unknown)."
|
||||||
|
|
||||||
|
if [ "${1}" != "all" ]; then
|
||||||
|
if is_check "${1}"; then
|
||||||
|
wrapper="$(get_check_wrapper_name "${1}")"
|
||||||
|
else
|
||||||
|
wrapper="${1}"
|
||||||
|
fi
|
||||||
|
checks="$(get_wrapper_checks "${wrapper}")"
|
||||||
|
n_checks="$(echo "${checks}" | wc -w)"
|
||||||
|
if [ "${n_checks}" -gt 1 ]; then
|
||||||
|
>&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, enabling ${1} will enable: ${checks}.\n"
|
||||||
|
log "Warning: check ${1} will enable ${checks} (which have the same wrapper name)."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
wrapper="all"
|
||||||
|
fi
|
||||||
|
|
||||||
|
alerts_switch enable "${wrapper}" --message "${message}"
|
||||||
|
|
||||||
|
if [ "${1}" != "all" ]; then
|
||||||
|
if [ "${n_checks}" -eq 1 ]; then
|
||||||
|
echo -e "${green}Check ${1} alerts are now enabled.${nocolor}"
|
||||||
|
else
|
||||||
|
echo -e "${green}Alerts are now enabled for checks: ${checks}.${nocolor}"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo -e "${green}All alerts are now enabled.${nocolor}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Show NRPE command(s) configured for a check
|
||||||
|
function show_check_commands() {
|
||||||
|
# $1: check name
|
||||||
|
check_commands=$(get_check_commands "${1}")
|
||||||
|
|
||||||
|
if [ -z "${check_commands}" ]; then
|
||||||
|
usage_error "Error: no command found in NRPE configuration for check '${1}."
|
||||||
|
fi
|
||||||
|
|
||||||
|
n_commands="$(echo "${check_commands}" | wc -l)"
|
||||||
|
if [ "${n_commands}" -ne 1 ]; then
|
||||||
|
echo "Available commands (in config order, the last one overwrites the others):"
|
||||||
|
echo " $check_commands"
|
||||||
|
fi
|
||||||
|
|
||||||
|
check_command=$(echo "${check_commands}" | tail -n1)
|
||||||
|
echo "Command used by NRPE:"
|
||||||
|
echo " ${check_command}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Print a warning if some wrappers have the same name
|
||||||
|
# or if a name is different from the check.
|
||||||
|
function warn_wrapper_names() {
|
||||||
|
#$1: checks to verify
|
||||||
|
warned="False"
|
||||||
|
for check in ${1}; do
|
||||||
|
wrapper_name="$(get_check_wrapper_name "${check}")"
|
||||||
|
if [ -n "${wrapper_name}" ] && [ "${wrapper_name}" != "${check}" ]; then
|
||||||
|
>&2 echo -e "${orange}Warning:${nocolor} ${check} check has wrapper name ${wrapper_name}."
|
||||||
|
warned="True"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "${warned}" = "True" ]; then
|
||||||
|
>&2 echo -e "${orange}It is recommanded to name the wrappers the same as the checks.${nocolor}\n"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Print a warning if some checks are not wrapped
|
||||||
|
function warn_not_wrapped() {
|
||||||
|
#$1: checks to verify
|
||||||
|
unwrappeds="$(not_wrapped_checks)"
|
||||||
|
unwrapped_checks="$(comm -12 <(echo "${1}") <(echo "${unwrappeds}"))"
|
||||||
|
if [ -n "${unwrapped_checks}" ]; then
|
||||||
|
n_checks="$(echo "${1}" | wc -w)"
|
||||||
|
n_unwrapped="$(echo "${unwrapped_checks}" | wc -w)"
|
||||||
|
if [ "${n_unwrapped}" == "${n_checks}" ]; then
|
||||||
|
if [ "${n_unwrapped}" -eq 1 ]; then
|
||||||
|
error "${red}Error:${nocolor} ${1} check is not wrapped, it cannot be disabled."
|
||||||
|
else
|
||||||
|
error "${red}Error:${nocolor} these checks are not wrapped, they cannot be disabled: $(echo "${unwrapped_checks}" | xargs)"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "${n_unwrapped}" -eq 1 ]; then
|
||||||
|
>&2 echo -e "${orange}Warning:${nocolor} ${unwrapped_checks} check is not wrapped, it will not be disabled."
|
||||||
|
else
|
||||||
|
>&2 echo -e -n "${orange}Warning:${nocolor} some checks are not configured, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)\n\n"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
log "Warning: some checks have no alerts_wrapper, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Echo a message in a box
|
||||||
|
function echo_box() {
|
||||||
|
# $1: message
|
||||||
|
msg_len="${#1}"
|
||||||
|
line="$(printf '─%.0s' $(eval "echo {1.."${msg_len}"}"))"
|
||||||
|
cat <<EOF
|
||||||
|
┌${line}┐
|
||||||
|
│${1}│
|
||||||
|
└${line}┘
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
# Echo which checks are enabled or disabled and time left
|
||||||
|
function alerts_status() {
|
||||||
|
# $1: check name, "all" or empty
|
||||||
|
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
|
||||||
|
checks="$(get_checks_names)"
|
||||||
|
else
|
||||||
|
checks="${1}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
warn_wrapper_names "${checks}"
|
||||||
|
|
||||||
|
header="Check\tStatus\tRe-enable time\tDisable message"
|
||||||
|
underline="-----\t------\t--------------\t---------------"
|
||||||
|
str_out="${header}\n${underline}\n"
|
||||||
|
|
||||||
|
for check in $checks; do
|
||||||
|
enable_str=""
|
||||||
|
status_str="Enabled"
|
||||||
|
disable_msg=""
|
||||||
|
if ! is_wrapped "${check}"; then
|
||||||
|
status_str="Not configured"
|
||||||
|
else
|
||||||
|
is_disabled="$(is_disabled_check "${check}")"
|
||||||
|
wrapper_name="$(get_check_wrapper_name "${check}")"
|
||||||
|
if [ "${is_disabled}" = "True" ]; then
|
||||||
|
status_str="Disabled"
|
||||||
|
enable_time="$(get_enable_time "${wrapper_name}")"
|
||||||
|
enable_delay="$(enable_delay "${enable_time}")"
|
||||||
|
delay_str="$(delay_to_string "${enable_delay}")"
|
||||||
|
enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
|
||||||
|
enable_str="${enable_date} (${delay_str} left)"
|
||||||
|
disable_msg="$(get_disable_message "${wrapper_name}")"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
case "${status_str}" in
|
||||||
|
"Enabled")
|
||||||
|
color="${green}"
|
||||||
|
;;
|
||||||
|
"Disabled")
|
||||||
|
color="${orange}"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
color="${red}"
|
||||||
|
esac
|
||||||
|
str_out="${str_out}${color}${check}\t${status_str}${nocolor}\t${enable_str}\t${disable_msg}\n"
|
||||||
|
done
|
||||||
|
|
||||||
|
echo -e "${str_out}" | column -t -s $'\t'
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
### MAIN #########################################
|
||||||
|
|
||||||
|
red=''
|
||||||
|
green=''
|
||||||
|
orange=''
|
||||||
|
purple=''
|
||||||
|
nocolor=''
|
||||||
|
bold=''
|
||||||
|
no_bold=''
|
||||||
|
|
||||||
|
# Is interactive shell ?
|
||||||
|
if [ -t 0 ] && [ -t 1 ]; then
|
||||||
|
readonly is_interactive="True"
|
||||||
|
red="\e[0;31m"
|
||||||
|
green="\e[0;32m"
|
||||||
|
orange="\e[0;33m"
|
||||||
|
purple="\e[0;35m"
|
||||||
|
nocolor="\e[0m"
|
||||||
|
bold="$(tput bold)"
|
||||||
|
no_bold="$(tput sgr0)"
|
||||||
|
else
|
||||||
|
readonly is_interactive="False"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Load common functions and vars
|
||||||
|
readonly lib_dir="/usr/local/lib/monitoringctl"
|
||||||
|
if [ -r "${lib_dir}/common" ]; then
|
||||||
|
# shellcheck source=monitoringctl_common
|
||||||
|
source "${lib_dir}/common"
|
||||||
|
else
|
||||||
|
>&2 echo "Error: missing ${lib_dir}/common file."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ ! "${PATH}" =~ /usr/local/bin ]]; then
|
||||||
|
PATH="/usr/local/bin:${PATH}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Must be root
|
||||||
|
if [ "$(id -u)" -ne 0 ]; then
|
||||||
|
>&2 echo "You need to be root (or use sudo) to run ${0}!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# No argument
|
||||||
|
if [ "$#" = "0" ]; then
|
||||||
|
show_help
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Default arguments and options
|
||||||
|
action=""
|
||||||
|
message=""
|
||||||
|
duration="${default_disabled_time}"
|
||||||
|
bypass_nrpe="False"
|
||||||
|
default_duration="True"
|
||||||
|
|
||||||
|
# Parse arguments and options
|
||||||
|
while :; do
|
||||||
|
case "${1}" in
|
||||||
|
-h|-\?|--help)
|
||||||
|
show_help
|
||||||
|
exit 0;;
|
||||||
|
-V|--version)
|
||||||
|
show_version
|
||||||
|
exit 0;;
|
||||||
|
-b|--bypass-nrpe)
|
||||||
|
bypass_nrpe="True"
|
||||||
|
shift;;
|
||||||
|
-d|--during)
|
||||||
|
if [ "${default_duration}" = "False" ]; then
|
||||||
|
usage_error "Option --during: defined multiple times."
|
||||||
|
fi
|
||||||
|
if [ "$#" -lt 2 ]; then
|
||||||
|
usage_error "Option --during: missing value."
|
||||||
|
fi
|
||||||
|
if filter_duration "${2}"; then
|
||||||
|
duration="${2}"
|
||||||
|
else
|
||||||
|
usage_error "Option --during: \"${2}\" is not a valid duration."
|
||||||
|
fi
|
||||||
|
default_duration="False"
|
||||||
|
shift; shift;;
|
||||||
|
-m|--message)
|
||||||
|
if [ "$#" -lt 2 ]; then
|
||||||
|
usage_error "Option --message: missing message string."
|
||||||
|
fi
|
||||||
|
message="${2}"
|
||||||
|
shift; shift;;
|
||||||
|
status|check|enable|disable|show|list)
|
||||||
|
action="${1}"
|
||||||
|
shift;;
|
||||||
|
*)
|
||||||
|
if [ -z "${1}" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "${action}" in
|
||||||
|
status|check)
|
||||||
|
if is_check "${1}" || [ "${1}" = "all" ]; then
|
||||||
|
check_name="${1}"
|
||||||
|
else
|
||||||
|
usage_error "Action ${action}: unknown check '${1}'."
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
show)
|
||||||
|
if is_check "${1}"; then
|
||||||
|
check_name="${1}"
|
||||||
|
else
|
||||||
|
usage_error "Action ${action}: unknown check '${1}'."
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
enable|disable)
|
||||||
|
if is_wrapper "${1}" || is_check "${1}" || [ "${1}" = "all" ]; then
|
||||||
|
check_name="${1}"
|
||||||
|
else
|
||||||
|
# We use the word "check" for the end user,
|
||||||
|
# but this is actually "unknown wrapper"
|
||||||
|
usage_error "Action ${action}: unknown check '${1}'."
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage_error "Missing or invalid ACTION argument."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
shift;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$#" -gt 0 ]; then
|
||||||
|
usage_error "Too many arguments."
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "${action}" in
|
||||||
|
disable|enable|show)
|
||||||
|
if [ -z "${check_name}" ]; then
|
||||||
|
usage_error "Action ${action}: missing CHECK_NAME argument."
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ ! "${action}" = "disable" ]; then
|
||||||
|
if [ "${default_duration}" = "False" ]; then
|
||||||
|
usage_error "Action ${action}: there is no --during option."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "${action}" in
|
||||||
|
list)
|
||||||
|
list_checks
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
alerts_status "${check_name}"
|
||||||
|
;;
|
||||||
|
check)
|
||||||
|
check "${check_name}"
|
||||||
|
;;
|
||||||
|
show)
|
||||||
|
show_check_commands "${check_name}"
|
||||||
|
;;
|
||||||
|
enable)
|
||||||
|
enable_alerts "${check_name}" "${message}"
|
||||||
|
;;
|
||||||
|
disable)
|
||||||
|
disable_alerts "${check_name}" "${message}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
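--- /dev/null
+++ b/nagios-nrpe/files/monitoringctl_common
@@ -0,0 +1,292 @@
+#!/usr/bin/env bash
+
+# Location of disable files
+readonly var_dir="/var/lib/monitoringctl"
+
+readonly log_file="/var/log/monitoringctl.log"
+
+readonly nrpe_conf_path="/etc/nagios/nrpe.cfg"
+
+debian_major_version="$(cut -d "." -f 1 < /etc/debian_version)"
+readonly debian_major_version
+
+# If no time limit is provided in CLI or found in file, this value is used
+readonly default_disabled_time="1h"
+
+_nrpe_conf_lines='' # populated at the end of the file
+
+
+function error() {
+    # $1: error message
+    >&2 echo -e "${1}"
+    exit 1
+}
+
+function usage_error() {
+    # $1: error message
+    >&2 echo "${1}"
+    >&2 echo "Execute \"${PROGNAME} --help\" for information on usage."
+    exit 1
+}
+
+function log() {
+    # $1: message
+    echo "$(now_iso) - ${PROGNAME}: ${1}" >> "${log_file}"
+}
+
+function show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}.
+
+Copyright 2018-2024 Evolix <info@evolix.fr>,
+Jérémy Lecour <jlecour@evolix.fr>
+and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+
+# Fail if argument does not respect format: XwXdXhXmXs, XhX, XmX
+function filter_duration() {
+    # $1: duration in format specified above
+    _time_regex="^([0-9]+d)?(([0-9]+h(([0-9]+m?)|([0-9]+m([0-9]+s?)?))?)|(([0-9]+m([0-9]+s?)?)?))?$"
+    if [[ "${1}" =~ ${_time_regex} ]]; then
+        return 0
+    fi
+    return 1
+}
+
+# Convert human writable duration into seconds
+function time_to_seconds() {
+    # $1: formated time string
+    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
+    elif echo "${1}" | grep -E -q '^([0-9]+h[0-9]+$)'; then
+        echo "${1}" | sed 's/h/ * 3600 + /g; s/$/ * 60/' | xargs expr
+    elif echo "${1}" | grep -E -q '^([0-9]+m[0-9]+$)'; then
+        echo "${1}" | sed 's/m/ * 60 + /g' | xargs expr
+    else
+        error "Invalid duration: '${1}'."
+    fi
+}
+
+# Print re-enable time in secs
+function get_enable_time() {
+    # $1: wrapper name
+    _disable_file_path="$(get_disable_file_path "${1}")"
+    if [ ! -e "${_disable_file_path}" ]; then
+        return
+    fi
+
+    _enable_secs="$(grep -v -E "^\s*#" "${_disable_file_path}" | sed '/^$/d' | head -n1 | awk '/^[0-9]+$/ {print $1}')"
+    # If file is empty, use file last change date plus default disabled time
+    if [ -z "${_enable_secs}" ]; then
+        _file_last_change_secs="$(stat -c %Z "${_disable_file_path}")"
+        _default_disabled_time_secs="$(time_to_seconds "${default_disabled_time}")"
+        _enable_secs="$(( _file_last_change_secs + _default_disabled_time_secs ))"
+    fi
+    echo "${_enable_secs}"
+}
+
+# Print disable message
+function get_disable_message() {
+    # $1: wrapper name
+    _disable_file_path="$(get_disable_file_path "${1}")"
+    if [ ! -e "${_disable_file_path}" ]; then
+        return
+    fi
+
+    _disable_msg="$(sed '/^$/d' "${_disable_file_path}" | tail -n+2 | tr '\n' ' ' | awk '{$1=$1;print}')"
+    echo "${_disable_msg}"
+}
+
+function now_secs() {
+    date +"%s"
+}
+
+function now_iso() {
+    date --iso-8601=seconds
+}
+
+# Print delay before re-enable in secs
+function enable_delay() {
+    # $1: re-enable time in secs
+    echo $(( ${1} - $(now_secs) ))
+}
+
+# Converts delay (in seconds) into human readable duration
+function delay_to_string() {
+    # $1: delay in secs
+    _delay_days="$(( ${1} /86400 ))"
+    if [ "${_delay_days}" -eq 0 ]; then _delay_days=""
+    else _delay_days="${_delay_days}d"; fi
+
+    _delay_hours="$(( (${1} %86400) /3600 ))"
+    if [ "${_delay_hours}" -eq 0 ]; then _delay_hours=""
+    else _delay_hours="${_delay_hours}h"; fi
+
+    _delay_minutes="$(( ((${1} %86400) %3600) /60 ))"
+    if [ "${_delay_minutes}" -eq 0 ]; then _delay_minutes=""
+    else _delay_minutes="${_delay_minutes}m"; fi
+
+    _delay_seconds="$(( ((${1} %86400) %3600) %60 ))"
+    if [ "${_delay_seconds}" -eq 0 ]; then _delay_seconds=""
+    else _delay_seconds="${_delay_seconds}s"; fi
+
+    echo "${_delay_days}${_delay_hours}${_delay_minutes}${_delay_seconds}"
+}
+
+function is_disabled_check() {
+    # $1: check name
+    _wrapper="$(get_check_wrapper_name "${1}")"
+    is_disabled_wrapper "${_wrapper}"
+}
+
+function is_disabled_wrapper() {
+    # $1: wrapper name
+    _wrapper="${1}"
+    _disable_file_path="$(get_disable_file_path "${_wrapper}")"
+    if [ -e "${_disable_file_path}" ]; then
+        _enable_time="$(get_enable_time "${_wrapper}")"
+        _enable_delay="$(enable_delay "${_enable_time}")"
+        if [ "${_enable_delay}" -le "0" ]; then
+            echo "False"
+        else
+            echo "True"
+        fi
+    else
+        echo False
+    fi
+}
+
+function get_disable_file_path() {
+    # $1: wrapper name
+    echo "${var_dir}/${1}_alerts_disabled"
+}
+
+
+
+### Nagios configuration functions ####################
+
+# Print NRPE configuration, with includes, without comments
+# and in the same order than NRPE does (taking account that
+# order changes from Deb10)
+function get_nrpe_conf() {
+    echo "${_nrpe_conf_lines}"
+}
+
+# Private function to recursively get NRPE conf from file
+function _get_conf_from_file() {
+    # $1: NRPE conf file (.cfg)
+    if [ ! -f "${1}" ]; then return; fi
+
+    _conf_lines=$(grep -E -R -v --no-filename "^\s*(#.*|)$" "${1}")
+    while read -r _line; do
+        if [[ "${_line}" =~ .*'include='.* ]]; then
+            _conf_file=$(echo "${_line}" | cut -d= -f2)
+            _get_conf_from_file "${_conf_file}"
+        elif [[ "${_line}" =~ .*'include_dir='.* ]]; then
+            _conf_dir=$(echo "${_line}" | cut -d= -f2)
+            _get_conf_from_dir "${_conf_dir}"
+        else
+            echo "${_line}"
+        fi
+    done <<< "${_conf_lines}"
+}
+
+# Private function to recursively get NRPE conf from directory
+function _get_conf_from_dir() {
+    # $1: NRPE conf dir
+    if [ ! -d "${1}" ]; then return; fi
+
+    if [ "${debian_major_version}" -ge 10 ]; then
+        # From Deb10, NRPE use scandir() with alphasort() function
+        _sort_command="sort"
+    else
+        # Before Deb10, NRPE use loaddir(), like find utility
+        _sort_command="cat -"
+    fi
+
+    # Add conf files in dir to be processed recursively
+    for _file in $(find "${1}" -maxdepth 1 -name "*.cfg" 2> /dev/null | ${_sort_command}); do
+        if [ -f "${_file}" ]; then
+            _get_conf_from_file "${_file}"
+        elif [ -d "${_file}" ]; then
+            _get_conf_from_dir "${_file}"
+        fi
+    done
+}
+
+# Print the checks that are configured in NRPE
+function get_checks_names() {
+    echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
+}
+
+# Print the commands defined for check $1 in NRPE configuration
+function get_check_commands() {
+    # $1: check name
+    echo "${_nrpe_conf_lines}" | grep -E "command\[check_${1}\]" | cut -d'=' -f2-
+}
+
+# Print the checks that have no alerts_wrapper in NRPE configuration
+function not_wrapped_checks() {
+    for _check in $(get_checks_names); do
+        if ! is_wrapped "${_check}"; then
+            echo "${_check}"
+        fi
+    done
+}
+
+# Fail if check is not wrapped
+function is_wrapped() {
+    # $1: check name
+    _cmd=$(get_check_commands "${1}" | tail -n1)
+    if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
+        return 0
+    fi
+    return 1
+}
+
+# Print the names that are defined in the wrappers of the checks
+function get_wrappers_names() {
+    echo "${_nrpe_conf_lines}" | grep -s "alerts_wrapper" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
+}
+
+# Print the wrapper name of the check
+function get_check_wrapper_name() {
+    # $1: check name
+    _cmd=$(get_check_commands "${1}" | tail -n1)
+    if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
+        echo "${_cmd}" | awk '/--name/ {match($0, /--name\s*([a-zA-Z0-9_\-]*)\s*/, m); print m[1]}'
+    fi
+}
+
+function is_check() {
+    # $1: check name
+    _checks="$(get_checks_names)"
+    if echo "${_checks}" | grep --quiet -E "^${1}$"; then
+        return 0
+    fi
+    return 1
+}
+
+function is_wrapper() {
+    # $1: wrapper name
+    _wrappers="$(get_wrappers_names)"
+    if echo "${_wrappers}" | grep --quiet -E "^${1}$"; then
+        return 0
+    fi
+    return 1
+}
+
+# Print the checks that name this wrapper
+function get_wrapper_checks() {
+    # $1: wrapper name
+    echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | grep -E "\-\-name\s*${1}" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq | xargs
+}
+
+
+# Load NRPE configuration
+_nrpe_conf_lines="$(_get_conf_from_file "${nrpe_conf_path}")"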
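Review bot: `is_check` and `is_wrapper` interpolate the caller-supplied name straight into an extended regex (`grep --quiet -E "^${1}$"`), and `get_check_commands` and `get_wrapper_checks` do the same, so a name containing regex metacharacters (`.`, `*`, `+`, `[`) is matched as a pattern rather than a literal and can match several configured checks or wrappers at once — and the name that passes this gate is the one `get_disable_file_path` later builds a path from. Compare fixed whole-line strings instead: `grep --quiet -F -x -- "${1}"` in both `is_check` and `is_wrapper`, and `grep -F "command[check_${1}]"` in `get_check_commands`. Separately, `get_check_wrapper_name` relies on the three-argument `match($0, re, m)` form, which is a gawk extension; on hosts where `awk` is mawk that call fails and an empty wrapper name is returned, so either require gawk explicitly or extract the name with `sed -n -E 's/.*--name[[:space:]]*([A-Za-z0-9_-]*).*/\1/p'`. Also, the comment above `filter_duration` promises `XwXdXhXmXs` but `_time_regex` has no week unit, while `time_to_seconds` does accept `w`; one of the two should change so the documented and accepted formats agree.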
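--- /dev/null
+++ b/nagios-nrpe/files/monitoringctl_completion
@@ -0,0 +1,88 @@
+#!/usr/bin/bash
+#
+
+function _get_wrappers_names() {
+    grep "alerts_wrapper" --no-filename --no-messages -R /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
+}
+
+function _get_checks_names() {
+    grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]=" /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
+}
+
+function _monitoringctl_completion() {
+    local cur=${COMP_WORDS[COMP_CWORD]};
+    local prev=${COMP_WORDS[COMP_CWORD-1]};
+
+    local action=""
+    for w in "${COMP_WORDS[@]}"; do
+        case "$w" in
+            status|check|enable|disable|show|list)
+                action="${w}"
+                ;;
+        esac
+    done
+
+    local words="--help"
+    case "${action}" in
+        check|show)
+            checks="$(_get_checks_names)"
+            check=""
+            for w in "${COMP_WORDS[@]}"; do
+                for c in ${checks}; do
+                    if [ "${c}" == "${w}" ]; then
+                        check="${w}"
+                        break
+                    fi
+                done
+            done
+            if [ -z "${check}" ]; then
+                words="${checks} ${words}"
+            fi
+            if [ "${action}" == "check" ]; then
+                words="all --bypass-nrpe ${words}"
+            fi
+            ;;
+        status)
+            if [ "${prev}" == "status" ]; then
+                words="all $(_get_checks_names)"
+            fi
+            ;;
+        enable)
+            if [ "${prev}" == "enable" ]; then
+                words="all $(_get_wrappers_names)"
+            else
+                words="--message ${words}"
+            fi
+            ;;
+        disable)
+            if [ "${prev}" == "disable" ]; then
+                words="all $(_get_wrappers_names)"
+            elif [ "${prev}" == "-d" ] || [ "${prev}" == "--during" ]; then
+                words="1d 1d12h 1h 1h30m 1m 1m30s 30s"
+            else
+                words="--during --message ${words}"
+            fi
+            ;;
+        *)
+            words="status check enable disable show list ${words}"
+            ;;
+    esac
+
+    # Avoid double
+    opts=();
+    for i in ${words}; do
+        for j in "${COMP_WORDS[@]}"; do
+            if [[ "$i" == "$j" ]]; then
+                continue 2
+            fi
+        done
+        opts+=("$i")
+    done
+
+    COMPREPLY=($(compgen -W "${opts[*]}" -- "${cur}"))
+    return 0
+
+}
+
+complete -F _monitoringctl_completion monitoringctl
+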
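Review bot: `checks`, `check` and `opts`, plus the loop variables `w`, `c`, `i` and `j`, are assigned inside `_monitoringctl_completion` without `local` (only `cur`, `prev`, `action` and `words` are), so every tab completion overwrites those names in the interactive shell that sourced this file. Declare them at the top of the function, e.g. `local checks check w c i j` and `local -a opts`, and leave the later `opts=()` reset as is. Note also that `_get_checks_names` and `_get_wrappers_names` grep every file under `/etc/nagios/`, whereas `monitoringctl_common` in this same change builds its list by walking the `include=`/`include_dir=` chain from `nrpe.cfg`; if some `.cfg` under `/etc/nagios/` is not reached by that chain, completion will offer names that `monitoringctl` then rejects as unknown, which is worth a comment on the two helpers (`# NOTE: broader than monitoringctl's NRPE include walk; may suggest unconfigured checks`).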
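--- /dev/null
+++ b/nagios-nrpe/files/plugins/check_ftp_users
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+function help() {
+    echo "Check the number of proftpd user with 'ftpcount' output."
+    echo "Usage:"
+    echo " check_proftpd_user -w|warning <WARN_THRESHOLD> -c|critical <CRITICAL_THRESHOLD>"
+}
+
+
+warn="-1"
+crit="-1"
+
+while [ $# -gt 0 ]; do
+    case "${1}" in
+        -h|--help)
+            show_help
+            exit 0
+            ;;
+        -c|--critical)
+            crit="${2}"
+            shift
+            shift
+            ;;
+        -w|--warning)
+            warn="${2}"
+            shift
+            shift
+            ;;
+        *)
+            >&2 echo "Error: unknown argument ${1}, exit."
+            help
+            exit 3
+    esac
+done
+
+if [ "${warn}" == "-1" ]; then
+    echo "Error: warning threshold no defined, exit."
+    help
+    exit 3
+fi
+
+if [ "${crit}" == "-1" ]; then
+    echo "Error: critical threshold no defined, exit."
+    help
+    exit 3
+fi
+if [[ "${warn}" =~ [^0-9] ]]; then
+    echo "Error: warning threshold must be an integer, exit."
+    help
+    exit 3
+fi
+if [[ "${crit}" =~ [^0-9] ]]; then
+    echo "Error: critical threshold must be an integer, exit."
+    help
+    exit 3
+fi
+
+if ! command -v ftpcount > /dev/null; then
+    echo "Error: missing 'ftpcount' command, cannot check users count."
+    exit 3
+fi
+
+n_users="$(ftpcount | awk '/users/{print $4}')"
+
+if [ "${n_users}" -gt "${crit}" ]; then
+    echo "CRITICAL - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
+    exit 2
+elif [ "${n_users}" -gt "${warn}" ]; then
+    echo "WARNING - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
+    exit 1
+else
+    echo "OK - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
+    exit 0
+fi
+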
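Review bot: the `-h|--help` branch calls `show_help`, but the only help function defined in this file is `help`, so `--help` prints a "command not found" error and still exits 0; the call should be `help`. Further down, `n_users` comes from `awk '/users/{print $4}'` with no validation, and when `ftpcount` prints nothing usable (empty output, or more than one line matching `users`) the non-integer value makes both `-gt` tests fail, so the script falls into the `else` branch and reports `OK -  ftp users connected` with exit 0 — a plugin should fail to UNKNOWN here, e.g. `if [[ ! "${n_users}" =~ ^[0-9]+$ ]]; then echo "UNKNOWN - cannot parse ftpcount output"; exit 3; fi` placed before the threshold comparison. The `-c`/`-w` cases also `shift` twice without checking that a value follows, so a trailing `-w` leaves `warn` empty, which slips past `[[ "${warn}" =~ [^0-9] ]]` (an empty string matches nothing) and only surfaces as a `-gt` error later; a `[ $# -lt 2 ]` guard in each case would catch it. The usage text names the script `check_proftpd_user` while the file is `check_ftp_users`, which will confuse whoever reads the help.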
@ -1,34 +0,0 @@
|
||||||
---
|
|
||||||
# Install check-local utilitary
|
|
||||||
|
|
||||||
- name: Package nagios-nrpe-plugin is intalled
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: nagios-nrpe-plugin
|
|
||||||
|
|
||||||
- name: "Remount /usr if needed"
|
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: remount-usr
|
|
||||||
|
|
||||||
- name: Utilitary check-local is installed
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: check-local
|
|
||||||
dest: /usr/local/bin/check-local
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: Package bash-completion is installed
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: bash-completion
|
|
||||||
|
|
||||||
- name: Directory /etc/bash_completion.d exists
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: '/etc/bash_completion.d'
|
|
||||||
state: directory
|
|
||||||
mode: '0644'
|
|
||||||
|
|
||||||
- name: Completion for utilitary check-local is installed
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: check-local_completion
|
|
||||||
dest: /etc/bash_completion.d/check-local
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
|
|
|
@ -91,6 +91,5 @@
|
||||||
tags:
|
tags:
|
||||||
- nagios-nrpe
|
- nagios-nrpe
|
||||||
|
|
||||||
- ansible.builtin.include_tasks: wrapper.yml
|
- ansible.builtin.include_tasks: monitoringctl.yml
|
||||||
|
|
||||||
- ansible.builtin.include_tasks: check-local.yml
|
|
||||||
|
|
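--- /dev/null
+++ b/nagios-nrpe/tasks/monitoringctl.yml
@@ -0,0 +1,162 @@
+---
+
+- name: "Remount /usr if needed"
+  ansible.builtin.include_role:
+    name: remount-usr
+
+### alerts_wrapper and alerts_switch section
+
+- name: "dir /usr/local/lib/monitoringctl/ exists"
+  ansible.builtin.file:
+    path: /usr/local/lib/monitoringctl/
+    state: directory
+    mode: '0755'
+
+- name: "check if old alerts_switch script is present"
+  ansible.builtin.stat:
+    path: /usr/share/scripts/alerts_switch
+  register: old_alerts_switch
+
+- name: "alerts_switch is at the right place"
+  ansible.builtin.command:
+    cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
+  args:
+    creates: /usr/local/bin/alerts_switch
+  when: old_alerts_switch.stat.exists
+
+- name: "copy alerts_switch"
+  ansible.builtin.copy:
+    src: alerts_switch
+    dest: /usr/local/bin/alerts_switch
+    owner: root
+    group: root
+    mode: "0750"
+    force: true
+
+- name: "alerts_switch symlink for backward compatibility"
+  ansible.builtin.file:
+    src: /usr/local/bin/alerts_switch
+    path: /usr/share/scripts/alerts_switch
+    state: link
+  when: old_alerts_switch.stat.exists
+
+- name: "nagios user can run alerts_switch with sudo (used by alerts_wrapper)"
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers.d/monitoringctl
+    regexp: "nagios.*alerts_switch"
+    line: "nagios ALL = NOPASSWD:/usr/local/bin/alerts_switch *"
+    create: true
+    owner: root
+    group: root
+    mode: "640"
+    validate: "visudo -c -f %s"
+
+- name: "check if old alerts_wrapper script is present"
+  ansible.builtin.stat:
+    path: "{{ nagios_plugins_directory }}/alerts_wrapper"
+  register: old_alerts_wrapper
+
+- name: "alerts_wrapper is at the right place"
+  ansible.builtin.command:
+    cmd: "mv {{ nagios_plugins_directory }}/alerts_wrapper /usr/local/lib/monitoringctl/alerts_wrapper"
+    creates: /usr/local/lib/monitoringctl/alerts_wrapper
+  when: old_alerts_wrapper.stat.exists
+
+- name: "copy alerts_wrapper"
+  ansible.builtin.copy:
+    src: alerts_wrapper
+    dest: "/usr/local/lib/monitoringctl/alerts_wrapper"
+    owner: root
+    group: staff
+    mode: "0755"
+    force: true
+
+- name: "alerts_wrapper symlink for backward compatibility"
+  ansible.builtin.file:
+    src: /usr/local/lib/monitoringctl/alerts_wrapper
+    path: "{{ nagios_plugins_directory }}/alerts_wrapper"
+    state: link
+  when:
+    - old_alerts_wrapper.stat.exists
+    - not ansible_check_mode
+
+- name: "copy monitoringctl_common lib"
+  ansible.builtin.copy:
+    src: monitoringctl_common
+    dest: /usr/local/lib/monitoringctl/common
+    owner: root
+    group: root
+    mode: "0644"
+    force: true
+
+
+### monitoringctl section
+
+- name: "package bash-completion is installed"
+  ansible.builtin.apt:
+    name: bash-completion
+
+- name: "package nagios-nrpe-plugin is installed"
+  ansible.builtin.apt:
+    name: nagios-nrpe-plugin
+
+- name: "directory /etc/bash_completion.d exists"
+  ansible.builtin.file:
+    path: '/etc/bash_completion.d'
+    state: directory
+    mode: '0755'
+
+- name: "dir /var/lib/monitoringctl/ exists"
+  ansible.builtin.file:
+    path: /var/lib/monitoringctl/
+    state: directory
+    mode: '0755'
+
+- name: "monitoringctl is not in /usr/local/sbin/"
+  ansible.builtin.file:
+    path: /usr/local/sbin/monitoringctl
+    state: absent
+
+- name: "copy monitoringctl"
+  ansible.builtin.copy:
+    src: monitoringctl
+    dest: /usr/local/bin/monitoringctl
+    owner: root
+    group: root
+    mode: "0755"
+    force: true
+
+- name: "copy monitoringctl_common lib"
+  ansible.builtin.copy:
+    src: monitoringctl_common
+    dest: /usr/local/lib/monitoringctl/common
+    owner: root
+    group: root
+    mode: "0644"
+    force: true
+
+- name: "copy monitoringctl_completion script"
+  ansible.builtin.copy:
+    src: monitoringctl_completion
+    dest: /etc/bash_completion.d/monitoringctl
+    owner: root
+    group: root
+    mode: "0644"
+    force: true
+
+- name: "copy check-local (it's just a wrapper calling 'monitoringctl check' for backward compatibility)"
+  ansible.builtin.copy:
+    src: check-local
+    dest: /usr/local/bin/check-local
+    owner: root
+    group: root
+    mode: "0755"
+    force: true
+
+- name: "copy completion for check-local"
+  ansible.builtin.copy:
+    src: check-local_completion
+    dest: /etc/bash_completion.d/check-local
+    mode: "0755"
+
+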
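Review bot: the sudoers line `nagios ALL = NOPASSWD:/usr/local/bin/alerts_switch *` lets the unprivileged `nagios` service account (the one the task name says `alerts_wrapper` runs under, i.e. the NRPE check user) execute `alerts_switch` as root with any argument string, so the entire privilege boundary sits in `alerts_switch`'s own argument handling, which this change does not show. The task deserves a comment stating that contract (`# alerts_switch runs as root with caller-controlled arguments: it must validate every argument and never shell out with them`), and if `alerts_switch` only ever receives a fixed verb plus a wrapper name from `alerts_wrapper`, the rule should spell out those forms rather than a bare `*`; `mode: "640"` also departs from the `0440` that `/etc/sudoers.d` fragments conventionally get. The task named "copy monitoringctl_common lib" appears twice with identical arguments, once in the alerts_wrapper section and again in the monitoringctl section, so one copy should be removed. The two `ansible.builtin.command` tasks pass `creates` differently (`args: creates:` for alerts_switch, a bare `creates:` inside the module for alerts_wrapper); both work, but one form should be used throughout.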
@ -1,43 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
|
|
||||||
- name: "Remount /usr if needed"
|
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: remount-usr
|
|
||||||
|
|
||||||
- name: check if old script is present
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: /usr/share/scripts/alerts_switch
|
|
||||||
register: old_alerts_switch
|
|
||||||
|
|
||||||
- name: alerts_switch is at the right place
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
|
|
||||||
args:
|
|
||||||
creates: /usr/local/bin/alerts_switch
|
|
||||||
when: old_alerts_switch.stat.exists
|
|
||||||
|
|
||||||
- name: "copy alerts_switch"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: alerts_switch
|
|
||||||
dest: /usr/local/bin/alerts_switch
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0750"
|
|
||||||
force: true
|
|
||||||
|
|
||||||
- name: "symlink for backward compatibility"
|
|
||||||
ansible.builtin.file:
|
|
||||||
src: /usr/local/bin/alerts_switch
|
|
||||||
dest: /usr/share/scripts/alerts_switch
|
|
||||||
state: link
|
|
||||||
when: old_alerts_switch.stat.exists
|
|
||||||
|
|
||||||
- name: "copy alerts_wrapper"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: alerts_wrapper
|
|
||||||
dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
|
|
||||||
owner: root
|
|
||||||
group: staff
|
|
||||||
mode: "0755"
|
|
||||||
force: true
|
|
|
@ -6,94 +6,102 @@
|
||||||
# Allowed IPs
|
# Allowed IPs
|
||||||
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
|
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
|
||||||
|
|
||||||
# System checks
|
# Default activated checks
|
||||||
command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
|
|
||||||
command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
|
|
||||||
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
|
|
||||||
command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
|
|
||||||
command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
|
|
||||||
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
|
|
||||||
|
|
||||||
# Generic services checks
|
## System checks
|
||||||
command[check_smtp]=/usr/lib/nagios/plugins/check_smtp -H localhost
|
command[check_disk1]=/usr/local/lib/monitoringctl/alerts_wrapper --name disk1 /usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
|
||||||
command[check_dns]=/usr/lib/nagios/plugins/check_dns -H evolix.net
|
command[check_load]=/usr/local/lib/monitoringctl/alerts_wrapper --name load /usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
|
||||||
command[check_ntp]=/usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
|
command[check_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name mem {{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
|
||||||
command[check_ssh]=/usr/lib/nagios/plugins/check_ssh localhost
|
command[check_pressure_cpu]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_cpu /usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
|
||||||
command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
|
command[check_pressure_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_mem /usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
|
||||||
|
command[check_pressure_io]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_io /usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
|
||||||
|
command[check_swap]=/usr/local/lib/monitoringctl/alerts_wrapper --name swap /usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
|
||||||
|
command[check_total_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name total_procs sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
|
||||||
|
command[check_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name users /usr/lib/nagios/plugins/check_users -w 5 -c 10
|
||||||
|
command[check_zombie_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name zombie_procs sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
|
||||||
|
|
||||||
# Specific services checks
|
## Generic services checks
|
||||||
command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
|
command[check_dns]=/usr/local/lib/monitoringctl/alerts_wrapper --name dns /usr/lib/nagios/plugins/check_dns -H evolix.net
|
||||||
command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
|
command[check_mailq]=/usr/local/lib/monitoringctl/alerts_wrapper --name mailq /usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
|
||||||
command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
|
command[check_ntp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ntp /usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
|
||||||
command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
|
command[check_smtp]=/usr/local/lib/monitoringctl/alerts_wrapper --name smtp /usr/lib/nagios/plugins/check_smtp -H localhost
|
||||||
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
|
command[check_ssh]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssh /usr/lib/nagios/plugins/check_ssh localhost
|
||||||
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
|
|
||||||
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
|
|
||||||
command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
|
|
||||||
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
|
|
||||||
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
|
|
||||||
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
|
|
||||||
command[check_http]=/usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
|
|
||||||
command[check_https]=/usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
|
|
||||||
command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
|
|
||||||
command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
|
|
||||||
command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
|
|
||||||
command[check_tse]=/usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
|
|
||||||
command[check_jboss-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
|
|
||||||
command[check_jboss-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
|
|
||||||
command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
|
|
||||||
command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
|
|
||||||
command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
|
|
||||||
command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379
|
|
||||||
command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
|
|
||||||
command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
|
|
||||||
command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
|
|
||||||
command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
|
|
||||||
command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
|
|
||||||
command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
|
|
||||||
command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup
|
|
||||||
command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
|
|
||||||
# "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
|
|
||||||
command[check_bkctld]=sudo /usr/sbin/bkctld check
|
|
||||||
command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
|
|
||||||
command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
|
|
||||||
command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
|
|
||||||
command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor
|
|
||||||
command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
|
|
||||||
command[check_dockerd]=/usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
|
|
||||||
|
|
||||||
# Local checks (not packaged)
|
## Local checks (not packaged)
|
||||||
command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
|
command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall
|
||||||
command[check_amavis]={{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
|
|
||||||
command[check_spamd]={{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
|
|
||||||
command[check_nfsclient]=sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
|
# Optionnal checks
|
||||||
command[check_evobackup]={{ nagios_plugins_directory }}/check_evobackup
|
|
||||||
command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
|
## Specific services checks
|
||||||
command[check_drbd]={{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
|
#command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
|
||||||
command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
|
#command[check_mysql]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql /usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
|
||||||
command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
|
#command[check_mysql_slave]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql_slave /usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
|
||||||
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
|
#command[check_ldap]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldap /usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
|
||||||
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
#command[check_ldaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldaps /usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
|
||||||
command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
|
#command[check_imap]=/usr/local/lib/monitoringctl/alerts_wrapper --name imap /usr/lib/nagios/plugins/check_imap -H localhost
|
||||||
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
|
#command[check_imaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name imaps /usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
|
||||||
command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances
|
#command[check_imapproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name imapproxy /usr/lib/nagios/plugins/check_imap -H localhost -p 1143
|
||||||
command[check_sentinel]=sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
|
#command[check_pop]=/usr/local/lib/monitoringctl/alerts_wrapper --name pop /usr/lib/nagios/plugins/check_pop -H localhost
|
||||||
command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid
|
#command[check_pops]=/usr/local/lib/monitoringctl/alerts_wrapper --name pops /usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
|
||||||
command[check_php-fpm]={{ nagios_plugins_directory }}/check_phpfpm_multi
|
#command[check_ftp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp /usr/lib/nagios/plugins/check_ftp -H localhost
|
||||||
command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
|
#command[check_ftp_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp_users /usr/local/lib/nagios/plugins/check_ftp_users -w 20 -c 40
|
||||||
command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
|
#command[check_http]=/usr/local/lib/monitoringctl/alerts_wrapper --name http /usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
|
||||||
command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
|
#command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https /usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
|
||||||
command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
|
#command[check_bind]=/usr/local/lib/monitoringctl/alerts_wrapper --name bind /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
|
||||||
command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
|
#command[check_unbound]=/usr/local/lib/monitoringctl/alerts_wrapper --name unbound /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
|
||||||
command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
|
#command[check_smb]=/usr/local/lib/monitoringctl/alerts_wrapper --name smb /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
|
||||||
command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
|
#command[check_tse]=/usr/local/lib/monitoringctl/alerts_wrapper --name tse /usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
|
||||||
command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
|
#command[check_jboss-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-http /usr/lib/nagios/plugins/check_tcp -p 8080
|
||||||
command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool
|
#command[check_jboss-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
|
||||||
command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local
|
#command[check_tomcat-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-http /usr/lib/nagios/plugins/check_tcp -p 8080
|
||||||
command[check_pressure_cpu]=/usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
|
#command[check_tomcat-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
|
||||||
command[check_pressure_mem]=/usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
|
#command[check_proxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name proxy /usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
|
||||||
command[check_pressure_io]=/usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
|
#command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis /usr/lib/nagios/plugins/check_tcp -p 6379
|
||||||
|
#command[check_clamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamd /usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
|
||||||
|
#command[check_clamav_db]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamav_db /usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
|
||||||
|
#command[check_ssl]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl /usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
|
||||||
|
#command[check_elasticsearch]=/usr/local/lib/monitoringctl/alerts_wrapper --name elasticsearch /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
|
||||||
|
#command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
|
||||||
|
#command[check_opendkim]=/usr/local/lib/monitoringctl/alerts_wrapper --name opendkim /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
|
||||||
|
#command[check_bkctld_setup]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_setup sudo /usr/sbin/bkctld check-setup
|
||||||
|
#command[check_bkctld_jails]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_jails sudo /usr/sbin/bkctld check-jails
|
||||||
|
## "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
|
||||||
|
#command[check_bkctld]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld sudo /usr/sbin/bkctld check
|
||||||
|
#command[check_postgrey]=/usr/local/lib/monitoringctl/alerts_wrapper --name postgrey /usr/lib/nagios/plugins/check_tcp -p10023
|
||||||
|
#command[check_influxdb]=/usr/local/lib/monitoringctl/alerts_wrapper --name influxdb /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
|
||||||
|
#command[check_dhcpd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcpd /usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
|
||||||
|
#command[check_ipmi_sensors]=/usr/local/lib/monitoringctl/alerts_wrapper --name ipmi_sensors sudo /usr/lib/nagios/plugins/check_ipmi_sensor
|
||||||
|
#command[check_raid_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name raid_status /usr/lib/nagios/plugins/check_raid
|
||||||
|
#command[check_dockerd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dockerd /usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
|
||||||
|
|
||||||
|
## Local checks (not packaged)
|
||||||
|
#command[check_amavis]=/usr/local/lib/monitoringctl/alerts_wrapper --name amavis {{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
|
||||||
|
#command[check_spamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name spamd {{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
|
||||||
|
#command[check_nfsclient]=/usr/local/lib/monitoringctl/alerts_wrapper --name nfsclient sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
|
||||||
|
#command[check_evobackup]=/usr/local/lib/monitoringctl/alerts_wrapper --name evobackup {{ nagios_plugins_directory }}/check_evobackup
|
||||||
|
#command[check_process]=/usr/local/lib/monitoringctl/alerts_wrapper --name process {{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
|
||||||
|
#command[check_drbd]=/usr/local/lib/monitoringctl/alerts_wrapper --name drbd {{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
|
||||||
|
#command[check_mongodb_connect]=/usr/local/lib/monitoringctl/alerts_wrapper --name mongodb_connect {{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
|
||||||
|
#command[check_glusterfs]=/usr/local/lib/monitoringctl/alerts_wrapper --name glusterfs {{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
|
||||||
|
#command[check_supervisord_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name supervisord_status {{ nagios_plugins_directory }}/check_supervisord
|
||||||
|
#command[check_varnish]=/usr/local/lib/monitoringctl/alerts_wrapper --name varnish {{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
||||||
|
#command[check_haproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name haproxy sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
|
||||||
|
#command[check_redis_instances]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis_instances {{ nagios_plugins_directory }}/check_redis_instances
|
||||||
|
#command[check_sentinel]=/usr/local/lib/monitoringctl/alerts_wrapper --name sentinel sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
|
||||||
|
#command[check_hpraid]=/usr/local/lib/monitoringctl/alerts_wrapper --name hpraid {{ nagios_plugins_directory }}/check_hpraid
|
||||||
|
#command[check_php-fpm]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm {{ nagios_plugins_directory }}/check_phpfpm_multi
|
||||||
|
#command[check_php-fpm56]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm56 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
|
||||||
|
#command[check_php-fpm70]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm70 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
|
||||||
|
#command[check_php-fpm73]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm73 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
|
||||||
|
#command[check_php-fpm74]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm74 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
|
||||||
|
#command[check_php-fpm80]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm80 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
|
||||||
|
#command[check_php-fpm81]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm81 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
|
||||||
|
#command[check_php-fpm82]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm82 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
|
||||||
|
#command[check_php-fpm83]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm83 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
|
||||||
|
#command[check_dhcp_pool]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcp_pool {{ nagios_plugins_directory }}/check_dhcp_pool
|
||||||
|
#command[check_ssl_local]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl_local {{ nagios_plugins_directory }}/check_ssl_local
|
||||||
|
|
||||||
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
||||||
# Beware! All checks must not take more than 10s!
|
# Beware! All checks must not take more than 10s!
|
||||||
#command[check_https]={{ nagios_plugins_directory }}/check_http_many
|
#command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https {{ nagios_plugins_directory }}/check_http_many
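Review bot: Several commands that were active in the old template now ship commented out (`#command[check_clamav_db]`, `#command[check_raid_status]`, `#command[check_ipmi_sensors]`, `#command[check_bkctld_jails]`, and the rest of the "Specific services" and "Local checks" groups), so a Nagios server that keeps polling them gets "command not defined" from NRPE and the RAID, IPMI and backup-jail checks silently stop on upgraded hosts unless something outside this hunk re-enables them per host; either keep the hardware checks active by default or state the new opt-in model in the role's README/changelog. The wrapper path `/usr/local/lib/monitoringctl/alerts_wrapper` is repeated on every active and commented line while the plugin directory is already templated via `{{ nagios_plugins_directory }}`; a role default (name of your choosing) holding that path would keep the install task and the template in sync if it moves again. The template continues outside the hunk on both sides.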
@ -38,7 +38,6 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: nodesource.sources.j2
|
src: nodesource.sources.j2
|
||||||
dest: /etc/apt/sources.list.d/nodesource.sources
|
dest: /etc/apt/sources.list.d/nodesource.sources
|
||||||
state: present
|
|
||||||
register: nodesource_sources
|
register: nodesource_sources
|
||||||
tags:
|
tags:
|
||||||
- system
|
- system
@ -37,8 +37,6 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: yarn.sources.j2
|
src: yarn.sources.j2
|
||||||
dest: /etc/apt/sources.list.d/yarn.sources
|
dest: /etc/apt/sources.list.d/yarn.sources
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
register: yarn_sources
|
register: yarn_sources
|
||||||
tags:
|
tags:
|
||||||
- system
|
- system
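Review bot: Dropping `update_cache: yes` from the `ansible.builtin.template` task is right (the module has no such option), but nothing in this hunk refreshes the apt cache once /etc/apt/sources.list.d/yarn.sources changes; the task registers `yarn_sources`, so presumably a later `apt` task runs `update_cache: true` under `when: yarn_sources is changed` — worth confirming, as the rest of the task file is outside the hunk. The same applies to the nodesource hunk above, which registers `nodesource_sources`.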
@ -201,7 +201,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "/etc/nagios/nrpe.d/evolix.cfg"
|
dest: "/etc/nagios/nrpe.d/evolix.cfg"
|
||||||
regexp: '^command\[check_openvpn\]='
|
regexp: '^command\[check_openvpn\]='
|
||||||
line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
|
line: "command[check_openvpn]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn /usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
when: nrpe_evolix_config.stat.exists
|
when: nrpe_evolix_config.stat.exists
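Review bot: The new `line:` calls `/usr/local/lib/monitoringctl/alerts_wrapper`, which nothing in this hunk installs and which only exists where the updated nagios-nrpe role has already been applied; the task is gated only on `nrpe_evolix_config.stat.exists`, so on a host with an older evolix.cfg it still writes a check_openvpn command that fails at the next poll. Gate the line on the wrapper being present (a `stat` on the wrapper path, or an explicit dependency on the nagios-nrpe role), or fall back to the unwrapped command when it is absent. The same applies to the check_openvpn_certificates hunk below and to the postgresql, rabbitmq and redis lineinfile/replace hunks further down. The password in `-P {{ management_pwd }}` was already on the command line before this change; note that the wrapper process now also carries it in its argv for the whole check duration.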
@ -233,7 +233,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "/etc/nagios/nrpe.d/evolix.cfg"
|
dest: "/etc/nagios/nrpe.d/evolix.cfg"
|
||||||
regexp: '^command\[check_openvpn_certificates\]='
|
regexp: '^command\[check_openvpn_certificates\]='
|
||||||
line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
|
line: "command[check_openvpn_certificates]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn_certificates sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
when: nrpe_evolix_config.stat.exists
|
when: nrpe_evolix_config.stat.exists
@ -9,6 +9,7 @@
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: pkg_info -Iq inst:openvpn
|
cmd: pkg_info -Iq inst:openvpn
|
||||||
register: is_installed
|
register: is_installed
|
||||||
|
check_mode: false
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
changed_when: false
|
changed_when: false
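Review bot: `ignore_errors: true` on the `pkg_info -Iq inst:openvpn` probe still reports the task as failed (red, counted in the recap) on every host where the package is absent, which is the normal case this probe exists for; for a command whose non-zero exit is an expected outcome, `failed_when: false` expresses the intent and keeps `is_installed.rc` usable without the noise. The added `check_mode: false` looks correct: without it the command is skipped in check mode and the registered `is_installed` would likely lack `rc`, breaking whatever `when:` consumes it outside the hunk. The same applies to the `p5-Net-Telnet` probe in the next hunk, which registers the same `is_installed` name.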
@ -138,6 +139,7 @@
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: pkg_info -Iq inst:p5-Net-Telnet
|
cmd: pkg_info -Iq inst:p5-Net-Telnet
|
||||||
register: is_installed
|
register: is_installed
|
||||||
|
check_mode: false
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
changed_when: false
|
changed_when: false
@ -43,7 +43,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
name: /etc/nagios/nrpe.d/evolix.cfg
|
name: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: '^command\[check_pgsql\]='
|
regexp: '^command\[check_pgsql\]='
|
||||||
line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
|
line: 'command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
when: postgresql_create_nrpe_user is changed
|
when: postgresql_create_nrpe_user is changed
|
||||||
when: nrpe_evolix_config.stat.exists
|
when: nrpe_evolix_config.stat.exists
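Review bot: The hunk ends with two `when:` keys, `when: postgresql_create_nrpe_user is changed` and `when: nrpe_evolix_config.stat.exists`; if both belong to the same lineinfile task, as the 7-line hunk after `notify:` suggests, the YAML loader keeps only the last one and Ansible merely warns about the duplicate key, so the `is changed` guard is silently dropped. Merge them into one condition: `when: postgresql_create_nrpe_user is changed and nrpe_evolix_config.stat.exists`. As before this change, the NRPE password ends up both in evolix.cfg and in the argv of the check (now also of the wrapper), so the file mode of evolix.cfg and local `ps` visibility remain the exposure to keep in mind.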
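--- /dev/null
+++ b/proftpd/files/munin_plugin
+#! /bin/bash
+#
+
+if [ "$1" = 'config' ]; then
+echo "graph_args --base 1000 -l 0"
+echo "graph_title ProFTPd"
+echo "graph_category network"
+echo "graph_vlabel Stats Proftpd"
+echo "users_count.label Connected users"
+echo "users_count.draw AREA"
+fi
+
+n_users="$(ftpcount | awk '/users/{print $4}')"
+
+echo "users_count.value ${n_users}"
+
+exit 0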
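Review bot: `n_users` is empty when `ftpcount` is missing, fails, or prints no matching line, so the plugin emits `users_count.value ` with no value and munin logs a parse error for the field; print munin's unknown marker instead, `echo "users_count.value ${n_users:-U}"`, and add `exit 0` at the end of the `config` branch so `ftpcount` only runs on a real poll. The second line of the file is a bare `#`; if it was meant to carry the `#%# family=auto` marker for munin-node-configure, fill it in, otherwise drop it. The file header announces 18 lines while 17 are visible here, so one line may not have survived rendering.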
@ -96,3 +96,15 @@
|
||||||
|
|
||||||
- ansible.builtin.include: accounts.yml
|
- ansible.builtin.include: accounts.yml
|
||||||
when: proftpd_accounts | length > 0
|
when: proftpd_accounts | length > 0
|
||||||
|
|
||||||
|
- name: Munin plugin is copied
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: munin_plugin
|
||||||
|
dest: /usr/share/munin/plugins/proftpd
|
||||||
|
mode: 755
|
||||||
|
|
||||||
|
- name: Munin plugin is enabled
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: /usr/share/munin/plugins/proftpd
|
||||||
|
dest: /etc/munin/plugins/proftpd
|
||||||
|
state: link
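Review bot: `mode: 755` on the `Munin plugin is copied` task is an unquoted integer, which Ansible reads as decimal 755 (octal 1363) and applies as a sticky bit plus an odd permission set rather than rwxr-xr-x, so the plugin may not be executable by munin-node; the rest of this commit writes modes as strings (`mode: "0755"`), use that form here. The task also sets no `owner`/`group`, so the copied plugin keeps whatever the remote user's defaults are; `owner: root` and `group: root` as on the other copy tasks in this commit would pin it.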
@ -40,7 +40,7 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: 'command\[check_rab_connection_count\]'
|
regexp: 'command\[check_rab_connection_count\]'
|
||||||
line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
|
line: 'command[check_rab_connection_count]=/usr/local/lib/monitoringctl/alerts_wrapper --name rab_connection_count sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
|
|
||||||
- name: sudo without password for nagios
|
- name: sudo without password for nagios
@ -60,7 +60,7 @@
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: '^command\[check_redis\]=.+'
|
regexp: '^command\[check_redis\]=.+'
|
||||||
replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
|
replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
|
||||||
when: redis_instance_name is undefined
|
when: redis_instance_name is undefined
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
tags:
|
tags:
@ -99,7 +99,7 @@
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: '^command\[check_redis\]=.+'
|
regexp: '^command\[check_redis\]=.+'
|
||||||
replace: 'command[check_redis]=sudo /usr/local/lib/nagios/plugins/check_redis_instances'
|
replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo /usr/local/lib/nagios/plugins/check_redis_instances'
|
||||||
when: redis_instance_name is defined
|
when: redis_instance_name is defined
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
tags:
|
tags:
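--- /dev/null
+++ b/webapps/etherpad/LISEZMOI.md
@@ -0,0 +1,58 @@
+etherpad
+=========
+
+Ce rôle installe le serveur d'Etherpad, une application rédaction collaborative en temps-réel.
+
+Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle etherpad sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
+
+Requis
+------
+
+...
+
+Variables du rôle
+-----------------
+
+Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
+
+Dépendances
+------------
+
+Ce rôle Ansible dépend des rôles suivants :
+
+- nodejs
+
+Exemple de playbook
+-------------------
+
+```
+- name: "Déployer un serveur Etherpad"
+hosts:
+- all
+vars:
+# Supplanter ici les variables du rôle
+service: 'mon-etherpad'
+etherpad_domains: ['votre-vrai-domaine.org']
+etherpad_db_host: 'localhost'
+etherpad_db_user: "{{ service }}"
+etherpad_db_name: "{{ service }}"
+etherpad_db_password: 'zKEh-CHANGEZ-MOI-qIKc'
+
+pre_tasks:
+- name: "Installer les rôles systèmes"
+roles:
+- { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
+
+roles:
+- { role: webapps/etherpad , tags: "etherpad" }
+```
+
+Licence
+-------
+
+GPLv3
+
+Infos sur l'auteur
+------------------
+
+Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.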
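--- /dev/null
+++ b/webapps/etherpad/README.md
@@ -0,0 +1,58 @@
+etherpad
+=========
+
+This role installs or upgrades the server for the real-time collaborative editor Etherpad.
+
+FRENCH: Voir le fichier LISEZMOI.md pour le français.
+
+Requirements
+------------
+
+...
+
+Role Variables
+--------------
+
+Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
+
+Dependencies
+------------
+
+This Ansible role depends on the following other roles:
+
+- nodejs
+
+Example Playbook
+----------------
+
+```
+- name: "Deploy an Etherpad server"
+hosts:
+- all
+vars:
+# Overwrite the role variable here
+service: 'my-etherpad'
+etherpad_domains: ['your-real-domain.org']
+etherpad_db_host: 'localhost'
+etherpad_db_user: "{{ service }}"
+etherpad_db_name: "{{ service }}"
+etherpad_db_password: 'zKEh-CHANGE-ME-qIKc'
+
+pre_tasks:
+- name: "Install system roles"
+roles:
+- { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
+
+roles:
+- { role: webapps/etherpad , tags: "etherpad" }
+```
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+Mathieu Gauthier-Pilote, sys. admin. at Evolix.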
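--- a/webapps/etherpad/defaults/main.yml
+++ b/webapps/etherpad/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+# defaults file for etherpad
+service: 'example'
+etherpad_system_dep: "['apt-transport-https', 'mariadb-server', 'python3-mysqldb', 'nginx', 'ssl-cert', 'git', 'wget', 'certbot', 'npm']"
+etherpad_git_url: 'https://github.com/ether/etherpad-lite.git'
+etherpad_git_version: '1.8.18'
+etherpad_node_version: 'node_18.x'
+etherpad_node_port: '9001'
+etherpad_domains: ['example.domain.org']
+etherpad_certbot_admin_email: 'mgauthier@evolix.ca'
+
+etherpad_db_host: '127.0.0.1'
+etherpad_db_port: '3306'
+etherpad_db_user: "{{ service }}"
+etherpad_db_name: "{{ service }}"
+etherpad_db_password: 'CHANGE_ME'
+
+etherpad_app_ip: '127.0.0.1'
+etherpad_app_title: 'My Etherpad'
+etherpad_app_db_type: 'mysql'
+etherpad_app_skin_name: 'colibris'
+etherpad_app_skin_variants: 'super-light-toolbar super-light-editor light-background'
+etherpad_app_trust_proxy: 'true'
+etherpad_app_require_authentication: 'false'
+etherpad_app_require_authorization: 'true'
+etherpad_app_admin_password: 'CHANGE_ME_TOO'
+etherpad_app_default_pad_text: 'Bienvenue sur Etherpad !\n\nLe texte de ce bloc-notes est synchronisé sur le serveur au fur et à mesure que vous tapez, de sorte que toutes les personnes qui consultent cette page voient le même texte. Cela vous permet de collaborer de manière transparente et collaborative sur des documents !\n\nParticipez à Etherpad sur https:\/\/etherpad.org\n'
+etherpad_app_file_ends: 'false'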
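Review bot: `etherpad_system_dep` is a quoted string that merely looks like a list; it only reaches `apt` as a list because Ansible re-parses templated strings into containers, which is an implicit conversion rather than a declared type — write it as a real YAML block sequence, one `- package` per line. The same file ships two placeholder secrets (`etherpad_db_password: 'CHANGE_ME'`, `etherpad_app_admin_password: 'CHANGE_ME_TOO'`) and a personal address as `etherpad_certbot_admin_email`; values that must not be deployed as-is are better left undefined (or set to `null`) so that a missing override fails loudly instead of silently creating a database user and an admin account with a known password. The boolean-valued settings (`etherpad_app_trust_proxy: 'true'` and the three that follow) are interpolated unquoted into settings.json.j2, so a comment such as `# rendered unquoted into JSON: keep the literal strings 'true'/'false', a YAML boolean would render as True` would stop the next editor from turning them into YAML booleans and breaking the JSON.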
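--- a/webapps/etherpad/handlers/main.yml
+++ b/webapps/etherpad/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# handlers file for etherpad
+- name: reload nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded
+
+- name: restart etherpad
+  ansible.builtin.systemd:
+    name: "{{ service }}.service"
+    state: restarted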
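--- a/webapps/etherpad/meta/main.yml
+++ b/webapps/etherpad/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+  author: Mathieu Gauthier-Pilote
+  description: sys. admin.
+  company: Evolix
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license GPL-3.0-only
+
+  min_ansible_version: 2.10
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.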
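Review bot: `min_ansible_version: 2.10` is a bare YAML float and is read as `2.1`; quote it, `min_ansible_version: "2.10"`. `license: license GPL-3.0-only` repeats the key name inside the value, so the field no longer holds a bare SPDX identifier; it should read `license: GPL-3.0-only`. `dependencies: []` is consistent with the README, which has the playbook pull in nodejs through `pre_tasks`, but a one-line comment such as `# nodejs is installed by the calling playbook (see README.md), not declared here` would explain why the list is empty while the README lists a dependency.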
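--- a/webapps/etherpad/tasks/main.yml
+++ b/webapps/etherpad/tasks/main.yml
@@ -0,0 +1,142 @@
+---
+# tasks file for etherpad install
+
+- name: Install main system dependencies
+  ansible.builtin.apt:
+    name: "{{ etherpad_system_dep }}"
+    update_cache: yes
+
+- name: Install pnpm (via npm)
+  ansible.builtin.command:
+    cmd: npm install -g pnpm
+
+- name: Fix permissions for pnpm
+  ansible.builtin.file:
+    path: /usr/local/lib/node_modules/
+    state: directory
+    mode: o+rx
+    recurse: yes
+
+- name: Add UNIX account
+  ansible.builtin.user:
+    name: "{{ service }}"
+    shell: /bin/bash
+
+- name: Add database
+  ansible.builtin.mysql_db:
+    name: "{{ etherpad_db_name }}"
+
+- name: Add database user
+  ansible.builtin.mysql_user:
+    name: "{{ etherpad_db_user }}"
+    password: "{{ etherpad_db_password }}"
+    priv: "{{ etherpad_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
+    update_password: on_create
+
+- name: Clone etherpad repo (git)
+  ansible.builtin.git:
+    repo: "{{ etherpad_git_url }}"
+    dest: "~/etherpad-lite/"
+    version: "{{ etherpad_git_version | default(omit) }}"
+    update: yes
+    force: true
+    umask: '0022'
+  become_user: "{{ service }}"
+
+- name: Fix run.sh so it does not start etherpad at the end
+  ansible.builtin.lineinfile:
+    path: "~/etherpad-lite/bin/run.sh"
+    state: absent
+    regexp: '^exec pnpm run dev'
+  become_user: "{{ service }}"
+
+- name: Run setup
+  ansible.builtin.shell: "bin/run.sh"
+  args:
+    chdir: "~/etherpad-lite"
+  become_user: "{{ service }}"
+
+- name: Template json config file
+  ansible.builtin.template:
+    src: "settings.json.j2"
+    dest: "~{{ service }}/etherpad-lite/settings.json"
+    owner: "{{ service }}"
+    group: "{{ service }}"
+    mode: "0640"
+
+- name: Add systemd unit
+  ansible.builtin.template:
+    src: "etherpad.service.j2"
+    dest: "/etc/systemd/system/{{ service }}.service"
+
+- name: Enable systemd unit
+  ansible.builtin.systemd:
+    name: "{{ service }}.service"
+    enabled: yes
+    daemon_reload: yes
+  notify:
+    - restart etherpad
+
+- name: Template nginx snippet for Let's Encrypt/Certbot
+  ansible.builtin.template:
+    src: "letsencrypt.conf.j2"
+    dest: "/etc/nginx/snippets/letsencrypt.conf"
+
+- name: Check if SSL certificate is present and register result
+  ansible.builtin.stat:
+    path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
+  register: ssl
+
+- name: Generate certificate only if required (first time)
+  block:
+    - name: Template vhost without SSL for successfull LE challengce
+      ansible.builtin.template:
+        src: "vhost.conf.j2"
+        dest: "/etc/nginx/sites-available/{{ service }}.conf"
+    - name: Enable temporary nginx vhost for LE
+      ansible.builtin.file:
+        src: "/etc/nginx/sites-available/{{ service }}.conf"
+        dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
+        state: link
+      notify:
+        - reload nginx
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
+    - name: Make sure /var/lib/letsencrypt exists and has correct permissions
+      ansible.builtin.file:
+        path: /var/lib/letsencrypt
+        state: directory
+        mode: '0755'
+    - name: Generate certificate with certbot
+      ansible.builtin.command:
+        cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ etherpad_certbot_admin_email }} -d {{ etherpad_domains |first }}
+    - name: Create the ssl dir if needed
+      ansible.builtin.file:
+        path: /etc/nginx/ssl
+        state: directory
+        mode: '0750'
+    - name: Template ssl bloc for nginx vhost
+      ansible.builtin.template:
+        src: "ssl.conf.j2"
+        dest: "/etc/nginx/ssl/{{ etherpad_domains |first }}.conf"
+  when: ssl.stat.exists != true
+
+- name: (Re)check if SSL certificate is present and register result
+  ansible.builtin.stat:
+    path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
+  register: ssl
+
+- name: (Re)template conf file for nginx vhost with SSL
+  ansible.builtin.template:
+    src: "vhost.conf.j2"
+    dest: "/etc/nginx/sites-available/{{ service }}.conf"
+  notify:
+    - reload nginx
+
+- name: Enable nginx vhost for etherpad
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ service }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
+    state: link
+  notify:
+    - reload nginx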
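Review bot: `ansible.builtin.mysql_db` and `ansible.builtin.mysql_user` ("Add database", "Add database user") do not exist in the builtin namespace; the MySQL modules live in the `community.mysql` collection (`community.mysql.mysql_db`, `community.mysql.mysql_user`), and the dump task in tasks/upgrade.yml has the same problem. "Template json config file" writes the database and admin passwords into settings.json, and "Add systemd unit" writes the unit, but neither carries `notify: - restart etherpad`; the only task that notifies is "Enable systemd unit", which changes on the first run only, so a rotated secret or an edited unit never reaches the running service. `cmd: npm install -g pnpm` runs on every play and installs whatever the registry currently serves; pinning it (`cmd: npm install -g pnpm@<pinned version placeholder>`) and adding `creates:` pointing at the installed binary would make the install reproducible and idempotent. Nothing stops the role when `etherpad_db_password` or `etherpad_app_admin_password` is still at its `CHANGE_ME` default; an `ansible.builtin.assert` at the top of the file checking both against their defaults would fail the play before a database user is created with a known password.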
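--- a/webapps/etherpad/tasks/upgrade.yml
+++ b/webapps/etherpad/tasks/upgrade.yml
@@ -0,0 +1,52 @@
+---
+# tasks file for etherpad upgrade
+
+- name: Dump database to a file with compression
+  ansible.builtin.mysql_db:
+    name: "{{ service }}"
+    state: dump
+    target: "~/{{ service }}.sql.gz"
+
+- name: Stop service
+  ansible.builtin.systemd:
+    name: "{{ service }}.service"
+    state: stopped
+
+- name: Clone etherpad repo (git)
+  ansible.builtin.git:
+    repo: "{{ etherpad_git_url }}"
+    dest: "~/etherpad-lite/"
+    version: "{{ etherpad_git_version }}"
+    update: yes
+    force: true
+  become_user: "{{ service }}"
+
+- name: Fix run.sh so it does not start etherpad at the end
+  ansible.builtin.lineinfile:
+    path: "~/etherpad-lite/src/bin/run.sh"
+    state: absent
+    regexp: 'exec node src/node/server.js'
+  become_user: "{{ service }}"
+
+- name: Run setup
+  ansible.builtin.shell: "src/bin/run.sh"
+  args:
+    chdir: "~/etherpad-lite"
+  become_user: "{{ service }}"
+
+- name: Start service
+  ansible.builtin.systemd:
+    name: "{{ service }}.service"
+    state: started
+
+- name: Define variable to skip next task by default
+  ansible.builtin.set_fact:
+    keep_db_dump: true
+
+- name: Remove database dump
+  ansible.builtin.file:
+    path: "~/{{ service }}.sql.gz"
+    state: absent
+  when: keep_db_dump is undefined
+  tags: clean
+  notify: reload nginx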
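Review bot: The upgrade path edits and runs `~/etherpad-lite/src/bin/run.sh` and strips `exec node src/node/server.js`, while tasks/main.yml edits `~/etherpad-lite/bin/run.sh` and strips `^exec pnpm run dev`; a single checked-out `etherpad_git_version` has only one of these layouts, so on one of the two paths the `lineinfile` removal presumably matches nothing and, as the task name warns, the setup script will then start the server in the foreground and block the play. `notify: reload nginx` on "Remove database dump" is unrelated to that task and should be dropped. The dump task has no `become_user`, so `~/{{ service }}.sql.gz` is written into the connecting user's home (presumably root's) with whatever permissions the module applies; the file holds every pad's content, so an explicit restrictive `mode` or a dump written as `{{ service }}` would keep it from being more readable than intended. `ansible.builtin.mysql_db` has the same namespace problem noted on tasks/main.yml.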
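--- a/webapps/etherpad/templates/etherpad.service.j2
+++ b/webapps/etherpad/templates/etherpad.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=Etherpad - open source online editor for real-time collaborative editing.
+Documentation=https://etherpad.org/doc/v1.8.18/
+After=network.target
+After=mariadb.service
+
+[Service]
+Type=simple
+Environment=NODE_ENV=production
+ExecStart=pnpm run prod
+Restart=always
+User={{service}}
+Group={{service}}
+WorkingDirectory=/home/{{service}}/etherpad-lite
+
+[Install]
+WantedBy=multi-user.target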
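Review bot: The unit drops to `User={{service}}` but applies no sandboxing; adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` limits what a compromised Node process can reach and costs nothing for an application that lives in its own home directory. `ExecStart=pnpm run prod` depends on systemd resolving a bare executable name; `ExecStart=<absolute path to pnpm> run prod` removes that dependency on the unit manager's search path. `Documentation=https://etherpad.org/doc/v1.8.18/` hard-codes a version while the role already has `etherpad_git_version`; `Documentation=https://etherpad.org/doc/v{{ etherpad_git_version }}/` keeps the two aligned. `{{service}}` is also written without the inner spaces the rest of the role uses (`{{ service }}`).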
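--- a/webapps/etherpad/templates/letsencrypt.conf.j2
+++ b/webapps/etherpad/templates/letsencrypt.conf.j2
@@ -0,0 +1,5 @@
+location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+}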
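Review bot: `location ~ /.well-known/acme-challenge {` is a regular-expression match with an unescaped `.` and no anchor, so it also matches that substring anywhere inside a longer URI; the conventional form is an anchored prefix match, `location ^~ /.well-known/acme-challenge/ {`. The certbot call in tasks/main.yml passes `--webroot-path /var/lib/letsencrypt`, which places tokens under `/var/lib/letsencrypt/.well-known/acme-challenge/`, whereas `alias /var/lib/letsencrypt/` maps the request onto the alias with the matched part of the URI removed, as far as I can tell; whether the two paths line up should be verified against a real challenge, and a `root /var/lib/letsencrypt;` directive would map the full URI unchanged. `allow all;` is deliberate and worth a comment, e.g. `# challenge files must stay reachable even when the vhost restricts access`, so it is not removed as a hardening "fix".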
641
webapps/etherpad/templates/settings.json.j2
Normal file
641
webapps/etherpad/templates/settings.json.j2
Normal file
|
@ -0,0 +1,641 @@
|
||||||
|
/*
|
||||||
|
* This file must be valid JSON. But comments are allowed
|
||||||
|
*
|
||||||
|
* Please edit settings.json, not settings.json.template
|
||||||
|
*
|
||||||
|
* Please note that starting from Etherpad 1.6.0 you can store DB credentials in
|
||||||
|
* a separate file (credentials.json).
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* ENVIRONMENT VARIABLE SUBSTITUTION
|
||||||
|
* =================================
|
||||||
|
*
|
||||||
|
* All the configuration values can be read from environment variables using the
|
||||||
|
* syntax "${ENV_VAR}" or "${ENV_VAR:default_value}".
|
||||||
|
*
|
||||||
|
* This is useful, for example, when running in a Docker container.
|
||||||
|
*
|
||||||
|
* DETAILED RULES:
|
||||||
|
* - If the environment variable is set to the string "true" or "false", the
|
||||||
|
* value becomes Boolean true or false.
|
||||||
|
* - If the environment variable is set to the string "null", the value
|
||||||
|
* becomes null.
|
||||||
|
* - If the environment variable is set to the string "undefined", the setting
|
||||||
|
* is removed entirely, except when used as the member of an array in which
|
||||||
|
* case it becomes null.
|
||||||
|
* - If the environment variable is set to a string representation of a finite
|
||||||
|
* number, the string is converted to that number.
|
||||||
|
* - If the environment variable is set to any other string, including the
|
||||||
|
* empty string, the value is that string.
|
||||||
|
* - If the environment variable is unset and a default value is provided, the
|
||||||
|
* value is as if the environment variable was set to the provided default:
|
||||||
|
* - "${UNSET_VAR:}" becomes the empty string.
|
||||||
|
* - "${UNSET_VAR:foo}" becomes the string "foo".
|
||||||
|
* - "${UNSET_VAR:true}" and "${UNSET_VAR:false}" become true and false.
|
||||||
|
* - "${UNSET_VAR:null}" becomes null.
|
||||||
|
* - "${UNSET_VAR:undefined}" causes the setting to be removed (or be set
|
||||||
|
* to null, if used as a member of an array).
|
||||||
|
* - If the environment variable is unset and no default value is provided,
|
||||||
|
* the value becomes null. THIS BEHAVIOR MAY CHANGE IN A FUTURE VERSION OF
|
||||||
|
* ETHERPAD; if you want the default value to be null, you should explicitly
|
||||||
|
* specify "null" as the default value.
|
||||||
|
*
|
||||||
|
* EXAMPLE:
|
||||||
|
* "port": "${PORT:9001}"
|
||||||
|
* "minify": "${MINIFY}"
|
||||||
|
* "skinName": "${SKIN_NAME:colibris}"
|
||||||
|
*
|
||||||
|
* Would read the configuration values for those items from the environment
|
||||||
|
* variables PORT, MINIFY and SKIN_NAME.
|
||||||
|
*
|
||||||
|
* If PORT and SKIN_NAME variables were not defined, the default values 9001 and
|
||||||
|
* "colibris" would be used.
|
||||||
|
* The configuration value "minify", on the other hand, does not have a
|
||||||
|
* designated default value. Thus, if the environment variable MINIFY were
|
||||||
|
* undefined, "minify" would be null.
|
||||||
|
*
|
||||||
|
* REMARKS:
|
||||||
|
* 1) please note that variable substitution always needs to be quoted.
|
||||||
|
*
|
||||||
|
* "port": 9001, <-- Literal values. When not using
|
||||||
|
* "minify": false substitution, only strings must be
|
||||||
|
* "skinName": "colibris" quoted. Booleans and numbers must not.
|
||||||
|
*
|
||||||
|
* "port": "${PORT:9001}" <-- CORRECT: if you want to use a variable
|
||||||
|
* "minify": "${MINIFY:true}" substitution, put quotes around its name,
|
||||||
|
* "skinName": "${SKIN_NAME}" even if the required value is a number or
|
||||||
|
* a boolean.
|
||||||
|
* Etherpad will take care of rewriting it
|
||||||
|
* to the proper type if necessary.
|
||||||
|
*
|
||||||
|
* "port": ${PORT:9001} <-- ERROR: this is not valid json. Quotes
|
||||||
|
* "minify": ${MINIFY} around variable names are missing.
|
||||||
|
* "skinName": ${SKIN_NAME}
|
||||||
|
*
|
||||||
|
* 2) Beware of undefined variables and default values: nulls and empty strings
|
||||||
|
* are different!
|
||||||
|
*
|
||||||
|
* This is particularly important for user's passwords (see the relevant
|
||||||
|
* section):
|
||||||
|
*
|
||||||
|
* "password": "${PASSW}" // if PASSW is not defined would result in password === null
|
||||||
|
* "password": "${PASSW:}" // if PASSW is not defined would result in password === ''
|
||||||
|
*
|
||||||
|
* If you want to use an empty value (null) as default value for a variable,
|
||||||
|
* simply do not set it, without putting any colons: "${ABIWORD}".
|
||||||
|
*
|
||||||
|
* 3) if you want to use newlines in the default value of a string parameter,
|
||||||
|
* use "\n" as usual.
|
||||||
|
*
|
||||||
|
* "defaultPadText" : "${DEFAULT_PAD_TEXT}Line 1\nLine 2"
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Name your instance!
|
||||||
|
*/
|
||||||
|
"title": "{{ etherpad_app_title }}",
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Pathname of the favicon you want to use. If null, the skin's favicon is
|
||||||
|
* used if one is provided by the skin, otherwise the default Etherpad favicon
|
||||||
|
* is used. If this is a relative path it is interpreted as relative to the
|
||||||
|
* Etherpad root directory.
|
||||||
|
*/
|
||||||
|
"favicon": null,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Skin name.
|
||||||
|
*
|
||||||
|
* Its value has to be an existing directory under src/static/skins.
|
||||||
|
* You can write your own, or use one of the included ones:
|
||||||
|
*
|
||||||
|
* - "no-skin": an empty skin (default). This yields the unmodified,
|
||||||
|
* traditional Etherpad theme.
|
||||||
|
* - "colibris": the new experimental skin (since Etherpad 1.8), candidate to
|
||||||
|
* become the default in Etherpad 2.0
|
||||||
|
*/
|
||||||
|
"skinName": "{{ etherpad_app_skin_name }}",
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Skin Variants
|
||||||
|
*
|
||||||
|
* Use the UI skin variants builder at /p/test#skinvariantsbuilder
|
||||||
|
*
|
||||||
|
* For the colibris skin only, you can choose how to render the three main
|
||||||
|
* containers:
|
||||||
|
* - toolbar (top menu with icons)
|
||||||
|
* - editor (containing the text of the pad)
|
||||||
|
* - background (area outside of editor, mostly visible when using page style)
|
||||||
|
*
|
||||||
|
* For each of the 3 containers you can choose 4 color combinations:
|
||||||
|
* super-light, light, dark, super-dark.
|
||||||
|
*
|
||||||
|
* For example, to make the toolbar dark, you will include "dark-toolbar" into
|
||||||
|
* skinVariants.
|
||||||
|
*
|
||||||
|
* You can provide multiple skin variants separated by spaces. Default
|
||||||
|
* skinVariant is "super-light-toolbar super-light-editor light-background".
|
||||||
|
*
|
||||||
|
* For the editor container, you can also make it full width by adding
|
||||||
|
* "full-width-editor" variant (by default editor is rendered as a page, with
|
||||||
|
* a max-width of 900px).
|
||||||
|
*/
|
||||||
|
"skinVariants": "{{ etherpad_app_skin_variants }}",
|
||||||
|
|
||||||
|
/*
|
||||||
|
* IP and port which Etherpad should bind at.
|
||||||
|
*
|
||||||
|
* Binding to a Unix socket is also supported: just use an empty string for
|
||||||
|
* the ip, and put the full path to the socket in the port parameter.
|
||||||
|
*
|
||||||
|
* EXAMPLE USING UNIX SOCKET:
|
||||||
|
* "ip": "", // <-- has to be an empty string
|
||||||
|
* "port" : "/somepath/etherpad.socket", // <-- path to a Unix socket
|
||||||
|
*/
|
||||||
|
"ip": "{{ etherpad_app_ip }}",
|
||||||
|
"port": {{ etherpad_node_port }},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Option to hide/show the settings.json in admin page.
|
||||||
|
*
|
||||||
|
* Default option is set to true
|
||||||
|
*/
|
||||||
|
"showSettingsInAdminPage": true,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Node native SSL support
|
||||||
|
*
|
||||||
|
* This is disabled by default.
|
||||||
|
* Make sure to have the minimum and correct file access permissions set so
|
||||||
|
* that the Etherpad server can access them
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
"ssl" : {
|
||||||
|
"key" : "/path-to-your/epl-server.key",
|
||||||
|
"cert" : "/path-to-your/epl-server.crt",
|
||||||
|
"ca": ["/path-to-your/epl-intermediate-cert1.crt", "/path-to-your/epl-intermediate-cert2.crt"]
|
||||||
|
},
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The type of the database.
|
||||||
|
*
|
||||||
|
* You can choose between many DB drivers, for example: dirty, postgres,
|
||||||
|
* sqlite, mysql.
|
||||||
|
*
|
||||||
|
* You shouldn't use "dirty" for for anything else than testing or
|
||||||
|
* development.
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* Database specific settings are dependent on dbType, and go in dbSettings.
|
||||||
|
* Remember that since Etherpad 1.6.0 you can also store this information in
|
||||||
|
* credentials.json.
|
||||||
|
*
|
||||||
|
* For a complete list of the supported drivers, please refer to:
|
||||||
|
* https://www.npmjs.com/package/ueberdb2
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
"dbType": "dirty",
|
||||||
|
"dbSettings": {
|
||||||
|
"filename": "var/dirty.db"
|
||||||
|
},
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* An Example of MySQL Configuration (commented out).
|
||||||
|
*
|
||||||
|
* See: https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
|
||||||
|
*/
|
||||||
|
"dbType" : "mysql",
|
||||||
|
"dbSettings" : {
|
||||||
|
"user": "{{ etherpad_db_user }}",
|
||||||
|
"host": "{{ etherpad_db_host }}",
|
||||||
|
"port": "{{ etherpad_db_port }}",
|
||||||
|
"password": "{{ etherpad_db_password }}",
|
||||||
|
"database": "{{ etherpad_db_name }}",
|
||||||
|
"charset": "utf8mb4"
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The default text of a pad
|
||||||
|
*/
|
||||||
|
"defaultPadText" : "{{ etherpad_app_default_pad_text }}",
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Default Pad behavior.
|
||||||
|
*
|
||||||
|
* Change them if you want to override.
|
||||||
|
*/
|
||||||
|
"padOptions": {
|
||||||
|
"noColors": false,
|
||||||
|
"showControls": true,
|
||||||
|
"showChat": true,
|
||||||
|
"showLineNumbers": true,
|
||||||
|
"useMonospaceFont": false,
|
||||||
|
"userName": null,
|
||||||
|
"userColor": null,
|
||||||
|
"rtl": false,
|
||||||
|
"alwaysShowChat": false,
|
||||||
|
"chatAndUsers": false,
|
||||||
|
"lang": null
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Pad Shortcut Keys
|
||||||
|
*/
|
||||||
|
"padShortcutEnabled" : {
|
||||||
|
"altF9": true, /* focus on the File Menu and/or editbar */
|
||||||
|
"altC": true, /* focus on the Chat window */
|
||||||
|
"cmdShift2": true, /* shows a gritter popup showing a line author */
|
||||||
|
"delete": true,
|
||||||
|
"return": true,
|
||||||
|
"esc": true, /* in mozilla versions 14-19 avoid reconnecting pad */
|
||||||
|
"cmdS": true, /* save a revision */
|
||||||
|
"tab": true, /* indent */
|
||||||
|
"cmdZ": true, /* undo/redo */
|
||||||
|
"cmdY": true, /* redo */
|
||||||
|
"cmdI": true, /* italic */
|
||||||
|
"cmdB": true, /* bold */
|
||||||
|
"cmdU": true, /* underline */
|
||||||
|
"cmd5": true, /* strike through */
|
||||||
|
"cmdShiftL": true, /* unordered list */
|
||||||
|
"cmdShiftN": true, /* ordered list */
|
||||||
|
"cmdShift1": true, /* ordered list */
|
||||||
|
"cmdShiftC": true, /* clear authorship */
|
||||||
|
"cmdH": true, /* backspace */
|
||||||
|
"ctrlHome": true, /* scroll to top of pad */
|
||||||
|
"pageUp": true,
|
||||||
|
"pageDown": true
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Should we suppress errors from being visible in the default Pad Text?
|
||||||
|
*/
|
||||||
|
"suppressErrorsInPadText": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If this option is enabled, a user must have a session to access pads.
|
||||||
|
* This effectively allows only group pads to be accessed.
|
||||||
|
*/
|
||||||
|
"requireSession": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Users may edit pads but not create new ones.
|
||||||
|
*
|
||||||
|
* Pad creation is only via the API.
|
||||||
|
* This applies both to group pads and regular pads.
|
||||||
|
*/
|
||||||
|
"editOnly": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If true, all css & js will be minified before sending to the client.
|
||||||
|
*
|
||||||
|
* This will improve the loading performance massively, but makes it difficult
|
||||||
|
* to debug the javascript/css
|
||||||
|
*/
|
||||||
|
"minify": true,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* How long may clients use served javascript code (in seconds)?
|
||||||
|
*
|
||||||
|
* Not setting this may cause problems during deployment.
|
||||||
|
* Set to 0 to disable caching.
|
||||||
|
*/
|
||||||
|
"maxAge": 21600, // 60 * 60 * 6 = 6 hours
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Absolute path to the Abiword executable.
|
||||||
|
*
|
||||||
|
* Abiword is needed to get advanced import/export features of pads. Setting
|
||||||
|
* it to null disables Abiword and will only allow plain text and HTML
|
||||||
|
* import/exports.
|
||||||
|
*/
|
||||||
|
"abiword": null,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This is the absolute path to the soffice executable.
|
||||||
|
*
|
||||||
|
* LibreOffice can be used in lieu of Abiword to export pads.
|
||||||
|
* Setting it to null disables LibreOffice exporting.
|
||||||
|
*/
|
||||||
|
"soffice": null,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Allow import of file types other than the supported ones:
|
||||||
|
* txt, doc, docx, rtf, odt, html & htm
|
||||||
|
*/
|
||||||
|
"allowUnknownFileEnds": {{ etherpad_app_file_ends }},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This setting is used if you require authentication of all users.
|
||||||
|
*
|
||||||
|
* Note: "/admin" always requires authentication.
|
||||||
|
*/
|
||||||
|
"requireAuthentication": {{ etherpad_app_require_authentication }},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Require authorization by a module, or a user with is_admin set, see below.
|
||||||
|
*/
|
||||||
|
"requireAuthorization": {{ etherpad_app_require_authorization }},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* When you use NGINX or another proxy/load-balancer set this to true.
|
||||||
|
*
|
||||||
|
* This is especially necessary when the reverse proxy performs SSL
|
||||||
|
* termination, otherwise the cookies will not have the "secure" flag.
|
||||||
|
*
|
||||||
|
* The other effect will be that the logs will contain the real client's IP,
|
||||||
|
* instead of the reverse proxy's IP.
|
||||||
|
*/
|
||||||
|
"trustProxy": {{ etherpad_app_trust_proxy }},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Settings controlling the session cookie issued by Etherpad.
|
||||||
|
*/
|
||||||
|
"cookie": {
|
||||||
|
/*
|
||||||
|
* How often (in milliseconds) the key used to sign the express_sid cookie
|
||||||
|
* should be rotated. Long rotation intervals reduce signature verification
|
||||||
|
* overhead (because there are fewer historical keys to check) and database
|
||||||
|
* load (fewer historical keys to store, and less frequent queries to
|
||||||
|
* get/update the keys). Short rotation intervals are slightly more secure.
|
||||||
|
*
|
||||||
|
* Multiple Etherpad processes sharing the same database (table) is
|
||||||
|
* supported as long as the clock sync error is significantly less than this
|
||||||
|
* value.
|
||||||
|
*
|
||||||
|
* Key rotation can be disabled (not recommended) by setting this to 0 or
|
||||||
|
* null, or by disabling session expiration (see sessionLifetime).
|
||||||
|
*/
|
||||||
|
"keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Value of the SameSite cookie property. "Lax" is recommended unless
|
||||||
|
* Etherpad will be embedded in an iframe from another site, in which case
|
||||||
|
* this must be set to "None". Note: "None" will not work (the browser will
|
||||||
|
* not send the cookie to Etherpad) unless https is used to access Etherpad
|
||||||
|
* (either directly or via a reverse proxy with "trustProxy" set to true).
|
||||||
|
*
|
||||||
|
* "Strict" is not recommended because it has few security benefits but
|
||||||
|
* significant usability drawbacks vs. "Lax". See
|
||||||
|
* https://stackoverflow.com/q/41841880 for discussion.
|
||||||
|
*/
|
||||||
|
"sameSite": "Lax",
|
||||||
|
|
||||||
|
/*
|
||||||
|
* How long (in milliseconds) after navigating away from Etherpad before the
|
||||||
|
* user is required to log in again. (The express_sid cookie is set to
|
||||||
|
* expire at time now + sessionLifetime when first created, and its
|
||||||
|
* expiration time is periodically refreshed to a new now + sessionLifetime
|
||||||
|
* value.) If requireAuthentication is false then this value does not really
|
||||||
|
* matter.
|
||||||
|
*
|
||||||
|
* The "best" value depends on your users' usage patterns and the amount of
|
||||||
|
* convenience you desire. A long lifetime is more convenient (users won't
|
||||||
|
* have to log back in as often) but has some drawbacks:
|
||||||
|
* - It increases the amount of state kept in the database.
|
||||||
|
* - It might weaken security somewhat: The cookie expiration is refreshed
|
||||||
|
* indefinitely without consulting authentication or authorization
|
||||||
|
* hooks, so once a user has accessed a pad, the user can continue to
|
||||||
|
* use the pad until the user leaves for longer than sessionLifetime.
|
||||||
|
* - More historical keys (sessionLifetime / keyRotationInterval) must be
|
||||||
|
* checked when verifying signatures.
|
||||||
|
*
|
||||||
|
* Session lifetime can be set to infinity (not recommended) by setting this
|
||||||
|
* to null or 0. Note that if the session does not expire, most browsers
|
||||||
|
* will delete the cookie when the browser exits, but a session record is
|
||||||
|
* kept in the database forever.
|
||||||
|
*/
|
||||||
|
"sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
|
||||||
|
|
||||||
|
/*
|
||||||
|
* How long (in milliseconds) before the expiration time of an active user's
|
||||||
|
* session is refreshed (to now + sessionLifetime). This setting affects the
|
||||||
|
* following:
|
||||||
|
* - How often a new session expiration time will be written to the
|
||||||
|
* database.
|
||||||
|
* - How often each user's browser will ping the Etherpad server to
|
||||||
|
* refresh the expiration time of the session cookie.
|
||||||
|
*
|
||||||
|
* High values reduce the load on the database and the load from browsers,
|
||||||
|
* but can shorten the effective session lifetime if Etherpad is restarted
|
||||||
|
* or the user navigates away.
|
||||||
|
*
|
||||||
|
* Automatic session refreshes can be disabled (not recommended) by setting
|
||||||
|
* this to null.
|
||||||
|
*/
|
||||||
|
"sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Privacy: disable IP logging
|
||||||
|
*/
|
||||||
|
"disableIPlogging": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Time (in seconds) to automatically reconnect pad when a "Force reconnect"
|
||||||
|
* message is shown to user.
|
||||||
|
*
|
||||||
|
* Set to 0 to disable automatic reconnection.
|
||||||
|
*/
|
||||||
|
"automaticReconnectionTimeout": 0,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* By default, when caret is moved out of viewport, it scrolls the minimum
|
||||||
|
* height needed to make this line visible.
|
||||||
|
*/
|
||||||
|
"scrollWhenFocusLineIsOutOfViewport": {
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Percentage of viewport height to be additionally scrolled.
|
||||||
|
*
|
||||||
|
* E.g.: use "percentage.editionAboveViewport": 0.5, to place caret line in
|
||||||
|
* the middle of viewport, when user edits a line above of the
|
||||||
|
* viewport
|
||||||
|
*
|
||||||
|
* Set to 0 to disable extra scrolling
|
||||||
|
*/
|
||||||
|
"percentage": {
|
||||||
|
"editionAboveViewport": 0,
|
||||||
|
"editionBelowViewport": 0
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Time (in milliseconds) used to animate the scroll transition.
|
||||||
|
* Set to 0 to disable animation
|
||||||
|
*/
|
||||||
|
"duration": 0,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Flag to control if it should scroll when user places the caret in the
|
||||||
|
* last line of the viewport
|
||||||
|
*/
|
||||||
|
"scrollWhenCaretIsInTheLastLineOfViewport": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Percentage of viewport height to be additionally scrolled when user
|
||||||
|
* presses arrow up in the line of the top of the viewport.
|
||||||
|
*
|
||||||
|
* Set to 0 to let the scroll to be handled as default by Etherpad
|
||||||
|
*/
|
||||||
|
"percentageToScrollWhenUserPressesArrowUp": 0
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* User accounts. These accounts are used by:
|
||||||
|
* - default HTTP basic authentication if no plugin handles authentication
|
||||||
|
* - some but not all authentication plugins
|
||||||
|
* - some but not all authorization plugins
|
||||||
|
*
|
||||||
|
* User properties:
|
||||||
|
* - password: The user's password. Some authentication plugins will ignore
|
||||||
|
* this.
|
||||||
|
* - is_admin: true gives access to /admin. Defaults to false. If you do not
|
||||||
|
* uncomment this, /admin will not be available!
|
||||||
|
* - readOnly: If true, this user will not be able to create new pads or
|
||||||
|
* modify existing pads. Defaults to false.
|
||||||
|
* - canCreate: If this is true and readOnly is false, this user can create
|
||||||
|
* new pads. Defaults to true.
|
||||||
|
*
|
||||||
|
* Authentication and authorization plugins may define additional properties.
|
||||||
|
*
|
||||||
|
* WARNING: passwords should not be stored in plaintext in this file.
|
||||||
|
* If you want to mitigate this, please install ep_hash_auth and
|
||||||
|
* follow the section "secure your installation" in README.md
|
||||||
|
*/
|
||||||
|
|
||||||
|
"users": {
|
||||||
|
"admin": {
|
||||||
|
// 1) "password" can be replaced with "hash" if you install ep_hash_auth
|
||||||
|
// 2) please note that if password is null, the user will not be created
|
||||||
|
"password": "{{ etherpad_app_admin_password }}",
|
||||||
|
"is_admin": true
|
||||||
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Restrict socket.io transport methods
|
||||||
|
*/
|
||||||
|
"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
|
||||||
|
|
||||||
|
"socketIo": {
|
||||||
|
/*
|
||||||
|
* Maximum permitted client message size (in bytes). All messages from
|
||||||
|
* clients that are larger than this will be rejected. Large values make it
|
||||||
|
* possible to paste large amounts of text, and plugins may require a larger
|
||||||
|
* value to work properly, but increasing the value increases susceptibility
|
||||||
|
* to denial of service attacks (malicious clients can exhaust memory).
|
||||||
|
*/
|
||||||
|
"maxHttpBufferSize": 10000
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Allow Load Testing tools to hit the Etherpad Instance.
|
||||||
|
*
|
||||||
|
* WARNING: this will disable security on the instance.
|
||||||
|
*/
|
||||||
|
"loadTest": false,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Disable dump of objects preventing a clean exit
|
||||||
|
*/
|
||||||
|
"dumpOnUncleanExit": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Disable indentation on new line when previous line ends with some special
|
||||||
|
* chars (':', '[', '(', '{')
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
"indentationOnNewLine": false,
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* From Etherpad 1.8.3 onwards, import and export of pads is always rate
|
||||||
|
* limited.
|
||||||
|
*
|
||||||
|
* The default is to allow at most 10 requests per IP in a 90 seconds window.
|
||||||
|
* After that the import/export request is rejected.
|
||||||
|
*
|
||||||
|
* See https://github.com/nfriedly/express-rate-limit for more options
|
||||||
|
*/
|
||||||
|
"importExportRateLimiting": {
|
||||||
|
// duration of the rate limit window (milliseconds)
|
||||||
|
"windowMs": 90000,
|
||||||
|
|
||||||
|
// maximum number of requests per IP to allow during the rate limit window
|
||||||
|
"max": 10
|
||||||
|
},
|
||||||
|
|
||||||
|
/*
|
||||||
|
* From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
|
||||||
|
* file is always bounded.
|
||||||
|
*
|
||||||
|
* File size is specified in bytes. Default is 50 MB.
|
||||||
|
*/
|
||||||
|
"importMaxFileSize": 52428800, // 50 * 1024 * 1024
|
||||||
|
|
||||||
|
/*
|
||||||
|
* From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
|
||||||
|
*
|
||||||
|
* The default is to allow at most 10 changes per IP in a 1 second window.
|
||||||
|
* After that the change is rejected.
|
||||||
|
*
|
||||||
|
* See https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#websocket-single-connection-prevent-flooding for more options
|
||||||
|
*/
|
||||||
|
"commitRateLimiting": {
|
||||||
|
// duration of the rate limit window (seconds)
|
||||||
|
"duration": 1,
|
||||||
|
|
||||||
|
// maximum number of changes per IP to allow during the rate limit window
|
||||||
|
"points": 10
|
||||||
|
},
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Toolbar buttons configuration.
|
||||||
|
*
|
||||||
|
* Uncomment to customize.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
"toolbar": {
|
||||||
|
"left": [
|
||||||
|
["bold", "italic", "underline", "strikethrough"],
|
||||||
|
["orderedlist", "unorderedlist", "indent", "outdent"],
|
||||||
|
["undo", "redo"],
|
||||||
|
["clearauthorship"]
|
||||||
|
],
|
||||||
|
"right": [
|
||||||
|
["importexport", "timeslider", "savedrevision"],
|
||||||
|
["settings", "embed"],
|
||||||
|
["showusers"]
|
||||||
|
],
|
||||||
|
"timeslider": [
|
||||||
|
["timeslider_export", "timeslider_returnToPad"]
|
||||||
|
]
|
||||||
|
},
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Expose Etherpad version in the web interface and in the Server http header.
|
||||||
|
*
|
||||||
|
* Do not enable on production machines.
|
||||||
|
*/
|
||||||
|
"exposeVersion": false,
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The log level we are using.
|
||||||
|
*
|
||||||
|
* Valid values: DEBUG, INFO, WARN, ERROR
|
||||||
|
*/
|
||||||
|
"loglevel": "INFO",
|
||||||
|
|
||||||
|
/* Override any strings found in locale directories */
|
||||||
|
"customLocaleStrings": {},
|
||||||
|
|
||||||
|
/* Disable Admin UI tests */
|
||||||
|
"enableAdminUITests": false
|
||||||
|
}
|
22
webapps/etherpad/templates/ssl.conf.j2
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
##
|
||||||
|
# Certificates
|
||||||
|
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||||
|
##
|
||||||
|
ssl_certificate /etc/letsencrypt/live/{{ etherpad_domains | first }}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/{{ etherpad_domains | first }}/privkey.pem;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Security hardening (as of Nov 15, 2020)
|
||||||
|
# based on Mozilla Guideline v5.6
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
|
||||||
|
ssl_session_timeout 1d; # defaults to 5m
|
||||||
|
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
|
||||||
|
ssl_session_tickets off;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
|
||||||
|
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
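Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` are set without a `resolver` directive, so nginx cannot look up the OCSP responder's hostname and stapling silently never happens; add a `resolver` line pointing at the resolver the host actually uses (for example `resolver 127.0.0.1 valid=300s;`, constructed here) next to them, or drop the two directives. The header comment cites Mozilla Guideline v5.6, but that guideline's intermediate profile uses `ssl_prefer_server_ciphers off;` and only AEAD suites, whereas this list keeps `on` and ends with four CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`); either trim the list to the cited profile or change the comment to say why those suites are retained. webapps/gitea/templates/ssl.conf.j2 in this compare is byte-identical and has the same two issues.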
49
webapps/etherpad/templates/vhost.conf.j2
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name {{ etherpad_domains |first }};
|
||||||
|
|
||||||
|
# For certbot
|
||||||
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
|
|
||||||
|
{% if ssl.stat.exists %}
|
||||||
|
location / { return 301 https://$host$request_uri; }
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% if ssl.stat.exists %}
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name {{ etherpad_domains |first }};
|
||||||
|
|
||||||
|
access_log /var/log/nginx/{{ service }}.access.log;
|
||||||
|
error_log /var/log/nginx/{{ service }}.error.log;
|
||||||
|
|
||||||
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
|
include /etc/nginx/ssl/{{ etherpad_domains | first }}.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:{{ etherpad_node_port }};
|
||||||
|
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass_header Server;
|
||||||
|
|
||||||
|
# Note you might want to pass these headers etc too.
|
||||||
|
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
|
||||||
|
proxy_http_version 1.1; # recommended with keepalive connections
|
||||||
|
|
||||||
|
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{% endif %}
|
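Review bot: The HTTPS `location /` block sets no `add_header Strict-Transport-Security`, and since ssl.conf.j2 carries that header only as a comment, clients are never told to stay on HTTPS; add `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` inside `location /`, and the same in webapps/gitea/templates/vhost.conf.j2, which has the same gap. `proxy_pass_header Server;` hands the upstream's Server header to clients, which is only harmless while Etherpad's `exposeVersion` stays false; a comment saying so would stop someone enabling one without noticing the other. `proxy_set_header X-Forwarded-For $remote_addr;` deliberately discards any client-supplied chain, which is the right choice when Etherpad's `trustProxy` is on, but the usual idiom is `$proxy_add_x_forwarded_for`, so a comment like `# $remote_addr on purpose: never trust a client-supplied X-Forwarded-For` would protect it from a well-meaning "fix".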
2
webapps/etherpad/tests/inventory
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
localhost
|
||||||
|
|
5
webapps/etherpad/tests/test.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
remote_user: root
|
||||||
|
roles:
|
||||||
|
- hedgedoc
|
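Review bot: `roles: - hedgedoc` points the etherpad role's test playbook at a different role, so this test never exercises etherpad; it should reference this role, e.g. `- webapps/etherpad` (the `role: webapps/...` form the READMEs in this compare use), or whatever name the role is installed under. The same copy-paste slip is in webapps/gitea/tests/test.yml, which lists `privatebin`.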
2
webapps/etherpad/vars/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
# vars file
|
49
webapps/gitea/LISEZMOI.md
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
gitea
|
||||||
|
=====
|
||||||
|
|
||||||
|
Ce rôle installe un serveur gitea.
|
||||||
|
|
||||||
|
Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle gitea sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
|
||||||
|
|
||||||
|
Requis
|
||||||
|
------
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Variables du rôle
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
|
||||||
|
|
||||||
|
Dépendances
|
||||||
|
------------
|
||||||
|
|
||||||
|
Ce rôle Ansible dépend des rôles suivants :
|
||||||
|
|
||||||
|
- nodejs
|
||||||
|
|
||||||
|
Exemple de playbook
|
||||||
|
-------------------
|
||||||
|
|
||||||
|
```
|
||||||
|
- name: "Déployer un serveur gitea"
|
||||||
|
hosts:
|
||||||
|
- all
|
||||||
|
vars:
|
||||||
|
# Supplanter ici les variables du rôle
|
||||||
|
domains: ['votre-vrai-domaine.org']
|
||||||
|
service: 'mon-gitea'
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- { role: webapps/gitea , tags: "gitea" }
|
||||||
|
```
|
||||||
|
|
||||||
|
Licence
|
||||||
|
-------
|
||||||
|
|
||||||
|
GPLv3
|
||||||
|
|
||||||
|
Infos sur l'auteur
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
|
49
webapps/gitea/README.md
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
gitea
|
||||||
|
=====
|
||||||
|
|
||||||
|
This role installs or upgrades the server for gitea.
|
||||||
|
|
||||||
|
FRENCH: Voir le fichier LISEZMOI.md pour le français.
|
||||||
|
|
||||||
|
Requirements
|
||||||
|
------------
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Role Variables
|
||||||
|
--------------
|
||||||
|
|
||||||
|
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
------------
|
||||||
|
|
||||||
|
This Ansible role depends on the following other roles:
|
||||||
|
|
||||||
|
- nodejs
|
||||||
|
|
||||||
|
Example Playbook
|
||||||
|
----------------
|
||||||
|
|
||||||
|
```
|
||||||
|
- name: "Deploy an gitea server"
|
||||||
|
hosts:
|
||||||
|
- all
|
||||||
|
vars:
|
||||||
|
# Overwrite the role variable here
|
||||||
|
domains: ['your-real-domain.org']
|
||||||
|
service: 'my-gitea'
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- { role: webapps/gitea , tags: "gitea" }
|
||||||
|
```
|
||||||
|
|
||||||
|
License
|
||||||
|
-------
|
||||||
|
|
||||||
|
GPLv3
|
||||||
|
|
||||||
|
Author Information
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Mathieu Gauthier-Pilote, sys. admin. at Evolix.
|
14
webapps/gitea/defaults/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
# defaults file for vars
|
||||||
|
gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
|
||||||
|
gitea_git_version: '1.21.3'
|
||||||
|
gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||||
|
gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
|
||||||
|
gitea_domains: ['example.domain.org']
|
||||||
|
gitea_certbot_admin_email: 'security@example.domain.org'
|
||||||
|
gitea_db_host: '127.0.0.1:3306'
|
||||||
|
gitea_db_name: "{{ gitea_service }}"
|
||||||
|
gitea_db_user: "{{ gitea_service }}"
|
||||||
|
gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
|
||||||
|
gitea_redis_maxclients: '128'
|
||||||
|
gitea_redis_maxmemory: '300M'
|
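Review bot: `gitea_service` is used as the default for `gitea_db_name` and `gitea_db_user` (and throughout tasks/main.yml and the templates) but is never defined in this file, so the role fails with an undefined-variable error unless every playbook sets it; add a default here or document it as required in the README, whose example sets `service`, not `gitea_service`. `gitea_db_password: 'UQ6_CHANGE_ME_Gzb'` is a published credential, and because the mysql_user task uses `update_password: on_create`, a first run that forgot to override it creates the database user with this password permanently; leaving it undefined so Ansible fails loudly is safer than a placeholder. `gitea_system_dep` is a string containing a Python-style list rather than a YAML list; write it as a real list (`gitea_system_dep:` followed by one `- package` entry per line) so `ansible.builtin.apt` receives a list without relying on Ansible's string-to-list coercion.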
2
webapps/gitea/handlers/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
# handlers file
|
52
webapps/gitea/meta/main.yml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
galaxy_info:
|
||||||
|
author: Mathieu Gauthier-Pilote
|
||||||
|
description: sys. admin.
|
||||||
|
company: Evolix
|
||||||
|
|
||||||
|
# If the issue tracker for your role is not on github, uncomment the
|
||||||
|
# next line and provide a value
|
||||||
|
# issue_tracker_url: http://example.com/issue/tracker
|
||||||
|
|
||||||
|
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||||
|
# - BSD-3-Clause (default)
|
||||||
|
# - MIT
|
||||||
|
# - GPL-2.0-or-later
|
||||||
|
# - GPL-3.0-only
|
||||||
|
# - Apache-2.0
|
||||||
|
# - CC-BY-4.0
|
||||||
|
license: license GPL-3.0-only
|
||||||
|
|
||||||
|
min_ansible_version: 2.10
|
||||||
|
|
||||||
|
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||||
|
# min_ansible_container_version:
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||||
|
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||||
|
# To view available platforms and versions (or releases), visit:
|
||||||
|
# https://galaxy.ansible.com/api/v1/platforms/
|
||||||
|
#
|
||||||
|
# platforms:
|
||||||
|
# - name: Fedora
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 25
|
||||||
|
# - name: SomePlatform
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 1.0
|
||||||
|
# - 7
|
||||||
|
# - 99.99
|
||||||
|
|
||||||
|
galaxy_tags: []
|
||||||
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
#
|
||||||
|
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||||
|
# Maximum 20 tags per role.
|
||||||
|
|
||||||
|
dependencies: []
|
||||||
|
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||||
|
# if you add dependencies to this list.
|
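Review bot: `license: license GPL-3.0-only` repeats the word `license` inside the value and will not match any SPDX identifier; it should read `license: GPL-3.0-only`. `min_ansible_version: 2.10` is an unquoted float and parses as `2.1`, a different Ansible release; quote it as `min_ansible_version: "2.10"`. `description: sys. admin.` looks like the author's job title pasted into the role description field; a one-line summary of what the role installs belongs there.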
165
webapps/gitea/tasks/main.yml
Normal file
|
@ -0,0 +1,165 @@
|
||||||
|
---
|
||||||
|
# tasks file for gitea install
|
||||||
|
|
||||||
|
- name: Install main system dependencies
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: "{{ gitea_system_dep }}"
|
||||||
|
update_cache: yes
|
||||||
|
|
||||||
|
- name: Download gitea binary
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: "{{ gitea_url }}"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
checksum: "{{ gitea_checksum }}"
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Create symbolic link
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||||
|
dest: "/usr/local/bin/gitea"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: Add UNIX account
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ gitea_service }}"
|
||||||
|
shell: /bin/bash
|
||||||
|
|
||||||
|
- name: Add www-data (nginx) to service's group
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: www-data
|
||||||
|
#group: www-data
|
||||||
|
groups: "{{ gitea_service }}"
|
||||||
|
append: true
|
||||||
|
|
||||||
|
- name: Add database
|
||||||
|
ansible.builtin.mysql_db:
|
||||||
|
name: "{{ gitea_db_name }}"
|
||||||
|
|
||||||
|
- name: Add database user
|
||||||
|
ansible.builtin.mysql_user:
|
||||||
|
name: "{{ gitea_db_user }}"
|
||||||
|
password: "{{ gitea_db_password }}"
|
||||||
|
priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
|
||||||
|
update_password: on_create
|
||||||
|
|
||||||
|
- name: Create the gitea conf dir if needed
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /etc/gitea
|
||||||
|
state: directory
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Template gitea ini file
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "gitea.ini.j2"
|
||||||
|
dest: "/etc/gitea/{{ gitea_service }}.ini"
|
||||||
|
owner: 'root'
|
||||||
|
group: "{{ gitea_service }}"
|
||||||
|
mode: '0660'
|
||||||
|
|
||||||
|
- name: Template gitea systemd unit
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "gitea.service.j2"
|
||||||
|
dest: "/etc/systemd/system/gitea@.service"
|
||||||
|
|
||||||
|
- name: Start gitea systemd unit
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "gitea@{{ gitea_service }}"
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: Create the redis dir if needed
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /home/{{ gitea_service }}/redis
|
||||||
|
state: directory
|
||||||
|
owner: "{{ gitea_service }}"
|
||||||
|
group: "{{ gitea_service }}"
|
||||||
|
mode: '0750'
|
||||||
|
|
||||||
|
- name: Create the log dir if needed
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /home/{{ gitea_service }}/log
|
||||||
|
state: directory
|
||||||
|
owner: "{{ gitea_service }}"
|
||||||
|
group: "{{ gitea_service }}"
|
||||||
|
mode: '0750'
|
||||||
|
|
||||||
|
- name: Template redis conf
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "redis.conf.j2"
|
||||||
|
dest: "/home/{{ gitea_service }}/redis/redis.conf"
|
||||||
|
owner: "{{ gitea_service }}"
|
||||||
|
group: "{{ gitea_service }}"
|
||||||
|
mode: '0640'
|
||||||
|
|
||||||
|
- name: Template redis systemd unit
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "redis.service.j2"
|
||||||
|
dest: "/etc/systemd/system/redis@.service"
|
||||||
|
|
||||||
|
- name: Start redis systemd unit
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "redis@{{ gitea_service }}"
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Template nginx snippet for Let's Encrypt/Certbot
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "letsencrypt.conf.j2"
|
||||||
|
dest: "/etc/nginx/snippets/letsencrypt.conf"
|
||||||
|
|
||||||
|
- name: Check if SSL certificate is present and register result
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
|
||||||
|
register: ssl
|
||||||
|
|
||||||
|
- name: Generate certificate only if required (first time)
|
||||||
|
block:
|
||||||
|
- name: Template vhost without SSL for successfull LE challengce
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "vhost.conf.j2"
|
||||||
|
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
|
- name: Enable temporary nginx vhost for gitea
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
|
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
|
||||||
|
state: link
|
||||||
|
- name: Reload nginx conf
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
- name: Make sure /var/lib/letsencrypt exists and has correct permissions
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /var/lib/letsencrypt
|
||||||
|
state: directory
|
||||||
|
mode: '0755'
|
||||||
|
- name: Generate certificate with certbot
|
||||||
|
ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}
|
||||||
|
- name: Create the ssl dir if needed
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /etc/nginx/ssl
|
||||||
|
state: directory
|
||||||
|
mode: '0750'
|
||||||
|
- name: Template ssl bloc for nginx vhost
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "ssl.conf.j2"
|
||||||
|
dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf"
|
||||||
|
when: ssl.stat.exists != true
|
||||||
|
|
||||||
|
- name: (Re)check if SSL certificate is present and register result
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
|
||||||
|
register: ssl
|
||||||
|
|
||||||
|
- name: (Re)template conf file for nginx vhost with SSL
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "vhost.conf.j2"
|
||||||
|
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
|
|
||||||
|
- name: Enable nginx vhost for gitea
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
|
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: Reload nginx conf
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
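Review bot: `Template gitea ini file` writes the database password into `/etc/gitea/{{ gitea_service }}.ini` with `group: "{{ gitea_service }}"` and `mode: '0660'`, while `Add www-data (nginx) to service's group` makes www-data a member of that same group, so the nginx worker can read and rewrite Gitea's configuration including `PASSWD`; if the group membership is only needed for the unix socket, tighten the ini to `mode: '0640'`, or use a dedicated group if Gitea itself must write generated secrets into the file. `Generate certificate with certbot` runs `ansible.builtin.shell` with unquoted `{{ gitea_certbot_admin_email }}` and `{{ gitea_domains |first }}` interpolated into the command line; `ansible.builtin.command` with the same arguments avoids shell parsing of variable contents. Neither `Start gitea systemd unit` nor `Start redis systemd unit` sets `enabled: true`, so the instances do not come back after a reboot. `update_cache: yes` should be `update_cache: true`, and `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`.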
26
webapps/gitea/tasks/upgrade.yml
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
---
|
||||||
|
# tasks file for gitea upgrade
|
||||||
|
|
||||||
|
- name: Download gitea binary
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: "{{ gitea_url }}"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
checksum: "{{ gitea_checksum }}"
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Create symbolic link
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||||
|
dest: "/usr/local/bin/gitea"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: Start gitea systemd unit
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "gitea@{{ gitea_service }}"
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: Reload nginx conf
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
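Review bot: `Start gitea systemd unit` performs `state: restarted`, so the task name understates what it does on an upgrade run; `- name: Restart gitea systemd unit` matches the behaviour. The download and symlink tasks duplicate the first two tasks of tasks/main.yml verbatim, so any change to version or checksum handling has to be made twice; moving them to a shared task file pulled in with `ansible.builtin.include_tasks` keeps the two paths in step. `Reload nginx conf` does not appear to be needed for a binary swap behind a unix socket and could be dropped.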
39
webapps/gitea/templates/gitea.ini.j2
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
APP_NAME = Gitea
|
||||||
|
RUN_USER = {{ gitea_service }}
|
||||||
|
RUN_MODE = prod
|
||||||
|
|
||||||
|
[server]
|
||||||
|
PROTOCOL = unix
|
||||||
|
DOMAIN = {{ gitea_domains | first }}
|
||||||
|
HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock
|
||||||
|
UNIX_SOCKET_PERMISSION = 660
|
||||||
|
OFFLINE_MODE = true
|
||||||
|
SSH_DOMAIN = {{ gitea_domains | first }}
|
||||||
|
ROOT_URL = https://{{ gitea_domains | first }}/
|
||||||
|
|
||||||
|
[repository]
|
||||||
|
ROOT = /home/{{ gitea_service }}/repositories
|
||||||
|
|
||||||
|
[log]
|
||||||
|
ROOT_PATH = /home/{{ gitea_service }}/log/
|
||||||
|
MODE = console
|
||||||
|
LEVEL = info
|
||||||
|
|
||||||
|
[i18n]
|
||||||
|
LANGS = fr-FR, en-US
|
||||||
|
NAMES = Français,English
|
||||||
|
|
||||||
|
[database]
|
||||||
|
DB_TYPE = mysql
|
||||||
|
HOST = {{ gitea_db_host }}
|
||||||
|
NAME = {{ gitea_db_name }}
|
||||||
|
USER = {{ gitea_db_user }}
|
||||||
|
PASSWD = {{ gitea_db_password }}
|
||||||
|
|
||||||
|
[session]
|
||||||
|
PROVIDER = redis
|
||||||
|
PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
|
||||||
|
|
||||||
|
[cache]
|
||||||
|
ADAPTER = redis
|
||||||
|
HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
|
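Review bot: There is no `[security]` section with `INSTALL_LOCK = true`, so a freshly deployed instance serves Gitea's web installer until someone completes it, and whoever reaches the URL first picks the admin account and can change every setting templated here; add `[security]` and `INSTALL_LOCK = true`, since the role already provisions the database and configuration itself. Even with the lock, Gitea as far as I know generates `SECRET_KEY` and `INTERNAL_TOKEN` at first start and writes them back into this file, which is presumably why tasks/main.yml makes the ini group-writable; setting them explicitly from vault-backed variables would let the file be read-only for the service account. `[service]` is absent too, so `DISABLE_REGISTRATION` stays at its default of open registration; on an internet-facing host that deserves an explicit line in the template rather than an implicit default.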
22
webapps/gitea/templates/gitea.service.j2
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Gitea (Git with a cup of tea)
|
||||||
|
After=syslog.target
|
||||||
|
After=network.target
|
||||||
|
After=mysqld.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
User=%i
|
||||||
|
Group=%i
|
||||||
|
|
||||||
|
Type=simple
|
||||||
|
RestartSec=2s
|
||||||
|
Restart=always
|
||||||
|
|
||||||
|
WorkingDirectory=/home/%i
|
||||||
|
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/%i.ini
|
||||||
|
Environment=GITEA_WORK_DIR=/home/%i/internals
|
||||||
|
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
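Review bot: The unit runs `/usr/local/bin/gitea` as `User=%i` with no sandboxing directives, whereas upstream's sample unit, as I recall it, lists `ProtectSystem=full`, `PrivateTmp=yes` and `NoNewPrivileges=true` (commented out) for exactly this kind of deployment; `NoNewPrivileges=true` and `PrivateTmp=true` are safe to add as-is, while `ProtectSystem=full` works only if Gitea never needs to write `/etc/gitea/%i.ini` at start-up, which should be checked first. `After=syslog.target` names a target that systemd no longer provides and can be dropped. `After=mysqld.service` relies on that unit name existing, which on Debian holds only through the alias the mariadb package installs, so `After=mariadb.service` is the more robust spelling given that defaults/main.yml installs `mariadb-server`.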
5
webapps/gitea/templates/letsencrypt.conf.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
location ~ /.well-known/acme-challenge {
|
||||||
|
alias /var/lib/letsencrypt/;
|
||||||
|
try_files $uri =404;
|
||||||
|
allow all;
|
||||||
|
}
|
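Review bot: `location ~ /.well-known/acme-challenge` is a regular expression with unescaped dots and no anchor, so it also matches any URI that merely contains that substring, for instance deeper inside a repository path; since the intent is the certbot webroot layout under `/var/lib/letsencrypt`, a prefix match with `root` expresses it directly and without the alias-in-regex caveat: `location ^~ /.well-known/acme-challenge/ { root /var/lib/letsencrypt; try_files $uri =404; }`. `allow all;` restates nginx's default and can go.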
22
webapps/gitea/templates/redis.conf.j2
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
bind 127.0.0.1 ::1
|
||||||
|
protected-mode yes
|
||||||
|
|
||||||
|
port 0
|
||||||
|
unixsocket /home/{{ gitea_service }}/redis/redis.sock
|
||||||
|
unixsocketperm 770
|
||||||
|
timeout 0
|
||||||
|
tcp-keepalive 300
|
||||||
|
|
||||||
|
loglevel notice
|
||||||
|
logfile /home/{{ gitea_service }}/log/redis-server.log
|
||||||
|
|
||||||
|
databases 16
|
||||||
|
save 900 1
|
||||||
|
save 300 10
|
||||||
|
save 60 10000
|
||||||
|
|
||||||
|
dbfilename dump.rdb
|
||||||
|
dir /home/{{ gitea_service }}/redis
|
||||||
|
|
||||||
|
maxclients {{ gitea_redis_maxclients }}
|
||||||
|
maxmemory {{ gitea_redis_maxmemory }}
|
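Review bot: `unixsocketperm 770` gives the whole `{{ gitea_service }}` group write access to the socket, and because tasks/main.yml adds www-data to that group, the nginx worker gains access to the session and cache store as a side effect; Redis and Gitea both run as the `%i` user here, so `unixsocketperm 600` is enough (or `660` with a dedicated group if an admin account needs the CLI). `maxmemory {{ gitea_redis_maxmemory }}` is set without `maxmemory-policy`, so Redis keeps the default `noeviction` and, once the cache in db 1 fills the limit, also refuses writes for the sessions in db 0; state the policy explicitly, or split sessions and cache into two instances so an eviction policy can apply to the cache alone. The `save` lines persist sessions and cache to disk; if neither needs to survive a restart, `save ""` avoids writing them out.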
14
webapps/gitea/templates/redis.service.j2
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Advanced key-value store
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
ExecStart=/usr/bin/redis-server /home/%i/redis/redis.conf
|
||||||
|
TimeoutStopSec=0
|
||||||
|
Restart=always
|
||||||
|
User=%i
|
||||||
|
Group=%i
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
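Review bot: `ExecStart=/usr/bin/redis-server /home/%i/redis/redis.conf` runs Redis with none of the sandboxing the Debian-packaged redis unit applies; at least `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are safe here because this instance only writes under `/home/%i`. Installing the `redis-server` package also leaves the distribution's default instance enabled on TCP 6379 next to this per-service one, and as far as I can see nothing in tasks/main.yml disables it; a comment here or a task there should record whether that is intended.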
22
webapps/gitea/templates/ssl.conf.j2
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
##
|
||||||
|
# Certificates
|
||||||
|
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||||
|
##
|
||||||
|
ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Security hardening (as of Nov 15, 2020)
|
||||||
|
# based on Mozilla Guideline v5.6
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
|
||||||
|
ssl_session_timeout 1d; # defaults to 5m
|
||||||
|
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
|
||||||
|
ssl_session_tickets off;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
|
||||||
|
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
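Review bot: `ssl_stapling_verify on;` has no `ssl_trusted_certificate` and no `resolver` directive, so nginx can neither verify nor reliably fetch OCSP responses and will log a warning and serve no stapled response; add `ssl_trusted_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/chain.pem;` and a `resolver` line next to the two stapling directives. The HSTS header is left commented out, so the "Security hardening" heading promises more than the file enables; if it is disabled on purpose (because of the `add_header` inheritance caveat in the comment), say so explicitly. The Mozilla v5.6 intermediate profile this claims to follow also sets `ssl_prefer_server_ciphers off;`, not `on`.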
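--- a/webapps/gitea/templates/vhost.conf.j2
+++ b/webapps/gitea/templates/vhost.conf.j2
@@ -0,0 +1,38 @@
+upstream gitea_{{ gitea_service }} {
+server unix:/home/{{ gitea_service }}/gitea.sock;
+}
+
+server {
+listen 80;
+listen [::]:80;
+server_name {{ gitea_domains | first }};
+
+# For certbot
+include /etc/nginx/snippets/letsencrypt.conf;
+
+{% if ssl.stat.exists %}
+location / { return 301 https://$host$request_uri; }
+{% endif %}
+}
+
+{% if ssl.stat.exists %}
+server {
+listen 0.0.0.0:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name {{ gitea_domains | first }};
+
+access_log /var/log/nginx/{{ gitea_service }}.access.log;
+error_log /var/log/nginx/{{ gitea_service }}.error.log;
+
+include /etc/nginx/snippets/letsencrypt.conf;
+include /etc/nginx/ssl/{{ gitea_domains | first }}.conf;
+
+location / {
+proxy_pass http://gitea_{{ gitea_service }};
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_read_timeout 10;
+}
+}
+{% endif %}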
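Review bot: The proxied `location /` never forwards the `Host` header, so Gitea sees the upstream name instead of the requested host; add `proxy_set_header Host $host;` beside the two `X-Forwarded-*` lines. `proxy_read_timeout 10;` is very short for git-over-HTTP pushes and clones, and `client_max_body_size` is left at nginx's 1m default, which rejects larger pushes and attachment uploads with 413; both should be raised in the same block.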
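--- a/webapps/gitea/tests/inventory
+++ b/webapps/gitea/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+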
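--- a/webapps/gitea/tests/test.yml
+++ b/webapps/gitea/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+remote_user: root
+roles:
+- privatebin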
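Review bot: The test playbook applies the `privatebin` role, so it does not exercise the gitea role this commit adds; the entry under `roles:` should point at this role, e.g. `- webapps/gitea`, in whatever form the repository's other test playbooks use.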
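--- a/webapps/gitea/vars/main.yml
+++ b/webapps/gitea/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file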
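--- a/webapps/hedgedoc/LISEZMOI.md
+++ b/webapps/hedgedoc/LISEZMOI.md
@@ -0,0 +1,58 @@
+hedgedoc
+=========
+
+Ce rôle installe le serveur de HedgeDoc, une application rédaction collaborative en temps-réel utilisant la syntaxe Markdown.
+
+Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle hedgedoc sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
+
+Requis
+------
+
+...
+
+Variables du rôle
+-----------------
+
+Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
+
+Dépendances
+------------
+
+Ce rôle Ansible dépend des rôles suivants :
+
+- nodejs
+
+Exemple de playbook
+-------------------
+
+```
+- name: "Déployer un serveur HedgeDoc"
+hosts:
+- all
+vars:
+# Supplanter ici les variables du rôle
+domains: ['votre-vrai-domaine.org']
+service: 'mon-hedgedoc'
+db_host: 'localhost'
+db_user: "{{ service }}"
+db_name: "{{ service }}"
+db_password: 'zKEh-CHANGEZ-MOI-qIKc'
+
+pre_tasks:
+- name: "Installer les rôles systèmes"
+roles:
+- { role: nodejs, nodejs_apt_version: "{{ node_version }}" }
+
+roles:
+- { role: webapps/hedgedoc , tags: "hedgedoc" }
+```
+
+Licence
+-------
+
+GPLv3
+
+Infos sur l'auteur
+------------------
+
+Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.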
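--- a/webapps/hedgedoc/README.md
+++ b/webapps/hedgedoc/README.md
@@ -0,0 +1,58 @@
+hedgedoc
+=========
+
+This role installs or upgrades the server for the real-time markdown collaborative editor HedgeDoc.
+
+FRENCH: Voir le fichier LISEZMOI.md pour le français.
+
+Requirements
+------------
+
+...
+
+Role Variables
+--------------
+
+Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
+
+Dependencies
+------------
+
+This Ansible role depends on the following other roles:
+
+- nodejs
+
+Example Playbook
+----------------
+
+```
+- name: "Deploy a HedgeDoc server"
+hosts:
+- all
+vars:
+# Overwrite the role variable here
+domains: ['your-real-domain.org']
+service: 'my-hedgedoc'
+db_host: 'localhost'
+db_user: "{{ service }}"
+db_name: "{{ service }}"
+db_password: 'zKEh-CHANGE-ME-qIKc'
+
+pre_tasks:
+- name: "Install system roles"
+roles:
+- { role: nodejs, nodejs_apt_version: "{{ node_version }}" }
+
+roles:
+- { role: webapps/hedgedoc , tags: "hedgedoc" }
+```
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+Mathieu Gauthier-Pilote, sys. admin. at Evolix.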
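--- a/webapps/hedgedoc/defaults/main.yml
+++ b/webapps/hedgedoc/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# defaults file for mastodon
+hedgedoc_system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot']"
+hedgedoc_git_url: 'https://github.com/hedgedoc/hedgedoc.git'
+hedgedoc_git_version: '1.9.9'
+hedgedoc_node_version: 'node_18.x'
+hedgedoc_node_port: '3000'
+hedgedoc_service: 'example'
+hedgedoc_domains: ['example.domain.org']
+hedgedoc_certbot_admin_email: 'security@example.org'
+
+hedgedoc_db_host: 'localhost'
+hedgedoc_db_user: "{{ hedgedoc_service }}"
+hedgedoc_db_name: "{{ hedgedoc_service }}"
+hedgedoc_db_password: 'CHANGE_ME'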
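Review bot: `hedgedoc_db_password: 'CHANGE_ME'` is a working default and nothing in tasks/main.yml checks that it was overridden, so a play run with the defaults creates the PostgreSQL role with a password that is published in the repository; leave the variable undefined, or add an `ansible.builtin.assert` on it in the install tasks, so the play fails fast instead. `hedgedoc_system_dep` is a quoted string holding a Python list literal rather than a YAML list; write it as a real list (`hedgedoc_system_dep: [apt-transport-https, postgresql, ...]`) so `apt: name:` receives a list without depending on template re-evaluation. The header comment still reads `# defaults file for mastodon`.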
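--- a/webapps/hedgedoc/handlers/main.yml
+++ b/webapps/hedgedoc/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for mastodon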
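--- a/webapps/hedgedoc/meta/main.yml
+++ b/webapps/hedgedoc/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+author: Mathieu Gauthier-Pilote
+description: sys. admin.
+company: Evolix
+
+# If the issue tracker for your role is not on github, uncomment the
+# next line and provide a value
+# issue_tracker_url: http://example.com/issue/tracker
+
+# Choose a valid license ID from https://spdx.org - some suggested licenses:
+# - BSD-3-Clause (default)
+# - MIT
+# - GPL-2.0-or-later
+# - GPL-3.0-only
+# - Apache-2.0
+# - CC-BY-4.0
+license: license GPL-3.0-only
+
+min_ansible_version: 2.10
+
+# If this a Container Enabled role, provide the minimum Ansible Container version.
+# min_ansible_container_version:
+
+#
+# Provide a list of supported platforms, and for each platform a list of versions.
+# If you don't wish to enumerate all versions for a particular platform, use 'all'.
+# To view available platforms and versions (or releases), visit:
+# https://galaxy.ansible.com/api/v1/platforms/
+#
+# platforms:
+# - name: Fedora
+# versions:
+# - all
+# - 25
+# - name: SomePlatform
+# versions:
+# - all
+# - 1.0
+# - 7
+# - 99.99
+
+galaxy_tags: []
+# List tags for your role here, one per line. A tag is a keyword that describes
+# and categorizes the role. Users find roles by searching for tags. Be sure to
+# remove the '[]' above, if you add tags to this list.
+#
+# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+# Maximum 20 tags per role.
+
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.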
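Review bot: `license: license GPL-3.0-only` has a stray `license` word in the value and is not a valid SPDX identifier; it should read `license: GPL-3.0-only`. `min_ansible_version: 2.10` is an unquoted float and parses as 2.1, so quote it: `min_ansible_version: "2.10"`.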
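--- a/webapps/hedgedoc/tasks/main.yml
+++ b/webapps/hedgedoc/tasks/main.yml
@@ -0,0 +1,151 @@
+---
+# tasks file for hedgedoc install
+
+- name: Install main system dependencies
+ansible.builtin.apt:
+name: "{{ hedgedoc_system_dep }}"
+update_cache: yes
+
+#- name: Install node-gyp from npm
+# ansible.builtin.shell: npm install --global node-gyp corepack
+
+#- name: Enable yarn (via corepack)
+# ansible.builtin.shell: "corepack enable"
+
+#- name: Fix permissions
+# ansible.builtin.file:
+# path: /usr/local/lib/node_modules
+# mode: g+rx,o+rx
+# recurse: yes
+
+- name: Add UNIX account
+ansible.builtin.user:
+name: "{{ hedgedoc_service }}"
+shell: /bin/bash
+
+- name: Add PostgreSQL user
+community.postgresql.postgresql_user:
+name: "{{ hedgedoc_db_user }}"
+password: "{{ hedgedoc_db_password }}"
+no_password_changes: true
+become_user: postgres
+
+- name: Add PostgreSQL database
+community.postgresql.postgresql_db:
+name: "{{ hedgedoc_db_name }}"
+owner: "{{ hedgedoc_db_user }}"
+become_user: postgres
+
+- block:
+- name: Clone hedgedoc repo (git)
+ansible.builtin.git:
+repo: "{{ hedgedoc_git_url }}"
+dest: "~/hedgedoc/"
+version: "{{ hedgedoc_git_version | default(omit) }}"
+update: yes
+umask: '0022'
+# - name: Set cache dir for yarn
+# ansible.builtin.shell: yarn config set cache-folder /var/tmp/cache/yarn
+# args:
+# chdir: "~/"
+- name: Run setup
+ansible.builtin.shell: "bin/setup"
+args:
+chdir: "~/hedgedoc"
+- name: Install dependencies for frontend app
+ansible.builtin.shell: "yarn install --frozen-lockfile"
+args:
+chdir: "~/hedgedoc"
+- name: Build frontend app
+ansible.builtin.shell: "yarn build"
+args:
+chdir: "~/hedgedoc"
+become_user: "{{ hedgedoc_service }}"
+
+- name: Template json config file
+ansible.builtin.template:
+src: "config.json.j2"
+dest: "~{{ hedgedoc_service }}/hedgedoc/config.json"
+owner: "{{ hedgedoc_service }}"
+group: "{{ hedgedoc_service }}"
+mode: "0640"
+
+- name: Add systemd unit
+ansible.builtin.template:
+src: "hedgedoc.service.j2"
+dest: "/etc/systemd/system/{{ hedgedoc_service }}.service"
+
+- name: Enable systemd units
+ansible.builtin.systemd:
+name: "{{ hedgedoc_service }}.service"
+enabled: yes
+daemon_reload: yes
+
+- name: Start service
+ansible.builtin.service:
+name: "{{ hedgedoc_service }}.service"
+state: restarted
+
+- name: Template nginx snippet for Let's Encrypt/Certbot
+ansible.builtin.template:
+src: "letsencrypt.conf.j2"
+dest: "/etc/nginx/snippets/letsencrypt.conf"
+
+- name: Check if SSL certificate is present and register result
+ansible.builtin.stat:
+path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
+register: ssl
+
+- name: Generate certificate only if required (first time)
+block:
+- name: Template vhost without SSL for successfull LE challengce
+ansible.builtin.template:
+src: "vhost.conf.j2"
+dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
+- name: Enable temporary nginx vhost for LE
+ansible.builtin.file:
+src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
+dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
+state: link
+- name: Reload nginx conf
+ansible.builtin.service:
+name: nginx
+state: reloaded
+- name: Make sure /var/lib/letsencrypt exists and has correct permissions
+ansible.builtin.file:
+path: /var/lib/letsencrypt
+state: directory
+mode: '0755'
+- name: Generate certificate with certbot
+ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ hedgedoc_certbot_admin_email }} -d {{ hedgedoc_domains |first }}
+- name: Create the ssl dir if needed
+ansible.builtin.file:
+path: /etc/nginx/ssl
+state: directory
+mode: '0750'
+- name: Template ssl bloc for nginx vhost
+ansible.builtin.template:
+src: "ssl.conf.j2"
+dest: "/etc/nginx/ssl/{{ hedgedoc_domains |first }}.conf"
+when: ssl.stat.exists != true
+
+- name: (Re)check if SSL certificate is present and register result
+ansible.builtin.stat:
+path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
+register: ssl
+
+- name: (Re)template conf file for nginx vhost with SSL
+ansible.builtin.template:
+src: "vhost.conf.j2"
+dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
+
+- name: Enable nginx vhost for hedgedoc
+ansible.builtin.file:
+src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
+dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
+state: link
+
+- name: Reload nginx conf
+ansible.builtin.service:
+name: nginx
+state: reloaded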
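Review bot: The `Generate certificate with certbot` task builds a shell command line by interpolating `hedgedoc_certbot_admin_email` and `hedgedoc_domains` into `ansible.builtin.shell`, so any shell metacharacter in those values reaches `/bin/sh`; nothing in the command needs a shell, so `ansible.builtin.command` with an `argv` list passes them as discrete arguments, and a `creates` guard on the certificate path makes the task idempotent on its own rather than only through the enclosing block's `when`. `Start service` uses `state: restarted`, so every play run restarts HedgeDoc even when no template changed; `state: started` plus a handler notified by the config and unit template tasks is the idiomatic shape. Minor: `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`, and the first task name in the block has typos (`successfull`, `challengce`).
```yaml
- name: Generate certificate with certbot
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - --webroot
      - --webroot-path
      - /var/lib/letsencrypt
      - --non-interactive
      - --agree-tos
      - --email
      - "{{ hedgedoc_certbot_admin_email }}"
      - -d
      - "{{ hedgedoc_domains | first }}"
    creates: "/etc/letsencrypt/live/{{ hedgedoc_domains | first }}/fullchain.pem"
# … unchanged: remaining tasks of the block …
```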
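--- a/webapps/hedgedoc/tasks/upgrade.yml
+++ b/webapps/hedgedoc/tasks/upgrade.yml
@@ -0,0 +1,57 @@
+---
+# tasks file for hedgedoc upgrade
+
+- name: Dump database to a file with compression
+community.postgresql.postgresql_db:
+name: "{{ hedgedoc_service }}"
+state: dump
+target: "~/{{ hedgedoc_service }}.sql.gz"
+become_user: postgres
+
+- name: Stop service
+ansible.builtin.service:
+name: "{{ hedgedoc_service }}.service"
+state: stopped
+
+- block:
+- name: Clone hedgedoc repo (git)
+ansible.builtin.git:
+repo: "{{ hedgedoc_git_url }}"
+dest: "~/hedgedoc/"
+version: "{{ hedgedoc_git_version }}"
+update: yes
+- name: Run setup
+ansible.builtin.shell: "bin/setup"
+args:
+chdir: "~/hedgedoc"
+- name: Install dependencies for frontend app
+ansible.builtin.shell: "yarn install --frozen-lockfile"
+args:
+chdir: "~/hedgedoc"
+- name: Build frontend app
+ansible.builtin.shell: "yarn build"
+args:
+chdir: "~/hedgedoc"
+become_user: "{{ hedgedoc_service }}"
+
+- name: Restart services
+ansible.builtin.service:
+name: "{{ hedgedoc_service }}.service"
+state: restarted
+
+- name: Define variable to skip next task by default
+ansible.builtin.set_fact:
+keep_db_dump: true
+
+- name: Remove database dump
+ansible.builtin.file:
+path: "~/{{ hedgedoc_service }}.sql.gz"
+state: absent
+become_user: postgres
+when: keep_db_dump is undefined
+tags: clean
+
+- name: Reload nginx conf
+ansible.builtin.service:
+name: nginx
+state: reloaded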
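Review bot: `Dump database to a file with compression` dumps `name: "{{ hedgedoc_service }}"` while tasks/main.yml creates the database as `hedgedoc_db_name`, so an overridden `hedgedoc_db_name` makes the pre-upgrade dump fail or target the wrong database; use `name: "{{ hedgedoc_db_name }}"` here. Because the preceding `set_fact` always defines `keep_db_dump`, `when: keep_db_dump is undefined` can only be true on a `--tags clean` run, which is an obscure way to say "keep by default"; a role default such as `hedgedoc_keep_db_dump: true` with `when: not hedgedoc_keep_db_dump` expresses the same thing without the tag trick. Since the dump is kept by default and holds the application data, a follow-up `ansible.builtin.file` task setting `mode: "0600"` on it would keep it readable only by the postgres account. The git task also pins `version: "{{ hedgedoc_git_version }}"` without the `| default(omit)` used in tasks/main.yml; the two should agree.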
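--- a/webapps/hedgedoc/templates/config.json.j2
+++ b/webapps/hedgedoc/templates/config.json.j2
@@ -0,0 +1,46 @@
+{
+"test": {
+"db": {
+"dialect": "sqlite",
+"storage": ":memory:"
+},
+"linkifyHeaderStyle": "gfm"
+},
+"development": {
+"loglevel": "debug",
+"db": {
+"dialect": "sqlite",
+"storage": "./db.hedgedoc.sqlite"
+},
+"domain": "localhost",
+"urlAddPort": true
+},
+"production": {
+"domain": "{{ hedgedoc_domains }}",
+"loglevel": "info",
+"protocolUseSSL": "true",
+"urlAddPort": false,
+"hsts": {
+"enable": true,
+"maxAgeSeconds": 31536000,
+"includeSubdomains": true,
+"preload": true
+},
+"csp": {
+"enable": true,
+"directives": {
+},
+"upgradeInsecureRequests": "auto",
+"addDefaults": true
+},
+"cookiePolicy": "lax",
+"db": {
+"username": "{{ hedgedoc_db_user }}",
+"password": "{{ hedgedoc_db_password }}",
+"database": "{{ hedgedoc_db_name }}",
+"host": "{{ hedgedoc_db_host }}",
+"port": "5432",
+"dialect": "postgres"
+}
+}
+}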
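Review bot: `"domain": "{{ hedgedoc_domains }}"` renders the whole list (with the defaults, `['example.domain.org']`) rather than a hostname, while every other template in this commit uses `{{ hedgedoc_domains | first }}`; apply the same filter here, `"domain": "{{ hedgedoc_domains | first }}",`. `"protocolUseSSL": "true"` and `"port": "5432"` are strings where a boolean and a number are presumably expected; in JavaScript even the string `"false"` is truthy, so write `"protocolUseSSL": true` and `"port": 5432` to avoid that trap. The `hsts` block enables the header with `preload` at the application level while the nginx side of this role leaves HSTS commented out; decide which layer owns the header so the two configs do not drift.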