Compare commits


118 commits

Author SHA1 Message Date
Jérémy Lecour 9e63ae90c8 Elastic Stack : default to version 8.x
2024-06-17 10:46:34 +02:00
William Hirigoyen 3f52318bd9 nagios-nrpe: new monitoringctl command
2024-06-14 16:27:29 +02:00
Mathieu Gauthier-Pilote e19ece1c03 ansible.builtin. prefix for modules
2024-06-14 09:14:12 -04:00
Mathieu Gauthier-Pilote 0ce1e1d701 hedgedoc_ prefix for role vars
2024-06-13 15:35:11 -04:00
mgauthier bdb6ccb02d Merge pull request 'hedgedoc' (#186) from hedgedoc into unstable
Reviewed-on: #186
2024-06-12 21:53:43 +02:00
Mathieu Gauthier-Pilote e787d62926 WIP: Deploying v1.9.9 with Node 18.x on Deb 12
2024-06-12 15:46:54 -04:00
Mathieu Gauthier-Pilote e6969d76ba Now installs a LE SSL cert via certbot by default 2024-06-12 15:46:54 -04:00
Mathieu Gauthier-Pilote fa6433c00e Update README.md/LISEZMOI.md: use node_version in example playbook 2024-06-12 15:46:54 -04:00
Mathieu Gauthier-Pilote ecd79e5a16 New role for hedgedoc 2024-06-12 15:46:54 -04:00
mgauthier 284d6fc50f Merge pull request 'etherpad' (#185) from etherpad into unstable
Reviewed-on: #185
2024-06-12 21:13:11 +02:00
Mathieu Gauthier-Pilote 33e2e54d7a WIP: support for v2.0.x
2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote a068ca6d6a Handlers; service => systemd; shell => command 2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote 598650db85 ansible.builtin. prefix for modules 2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote eae92e7d13 Prefix variables with etherpad_ 2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote 98e25060e2 Needed because of mariadb default conf change on Debian 12 2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote f9bd840ce2 etherpad upgrade : v1.8.18 => v1.9.6 2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote e6f449ed22 Now installs a LE SSL cert via certbot by default 2024-06-12 15:01:48 -04:00
Mathieu Gauthier-Pilote 1ded781c4e New role to install + upgrade Etherpad 2024-06-12 15:01:48 -04:00
mgauthier 87b6e219af Merge pull request 'peertube' (#184) from peertube into unstable
Reviewed-on: #184
2024-06-12 20:42:01 +02:00
Mathieu Gauthier-Pilote 2ac447a936 Install nodejs + yarn via external role on Deb 12 also
2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote e8e30fca3a Not needed when nodejs installed from deb.nodesource.com 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote 5fc3aeca38 npm only needed on Debian 12 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote cfd951f678 Install v6.1.0 by default 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote d72eb3371a ansible.builtin. prefix for modules 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote ce15220a75 Debian 12 or above 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote f7d0b87cba npm + corepack + yarn on Debian 12 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote ce51048ce7 Prefix variables with peertube_ 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote a3fbe25e33 v6.0.2 => v6.0.3 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote 869ae4d788 No blank space here 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote 971e1fe87b Upgrade PeerTube : v5.2.0 => v6.0.1 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote 70b8591c42 For PeerTube 5.2.0 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote 2ee49e6f70 Correct port number to go with https: true 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote 8c23e3594d For certbot 2024-06-12 14:36:08 -04:00
Mathieu Gauthier-Pilote c340c31451 New role to install + upgrade PeerTube 2024-06-12 14:36:08 -04:00
Patrick Marchand 2568c02e44 Added peertube role
Not finished, I got to webapps/peertube/tasks/postgres-user.yml
before committing what I'd done.
2024-06-12 14:36:08 -04:00
mgauthier 28d6fedbc3 Merge pull request 'privatebin' (#183) from privatebin into unstable
Reviewed-on: #183
2024-06-12 20:35:09 +02:00
Mathieu Gauthier-Pilote 73cd25538a Handlers; service => systemd; shell => command
2024-06-12 14:28:17 -04:00
Mathieu Gauthier-Pilote 7aca208909 ansible.builtin. prefix for modules 2024-06-12 14:28:17 -04:00
Mathieu Gauthier-Pilote a7ad33f4ee Prefix variables with privatebin_ 2024-06-12 14:28:17 -04:00
Mathieu Gauthier-Pilote 1122b79a06 Now installs a LE SSL cert via certbot by default 2024-06-12 14:28:17 -04:00
Mathieu Gauthier-Pilote bb377ffc52 New role to install + upgrade PrivateBin 2024-06-12 14:28:17 -04:00
mgauthier 0f76db2a6e Merge pull request 'mattermost' (#182) from mattermost into unstable
Reviewed-on: #182
2024-06-12 20:26:28 +02:00
Mathieu Gauthier-Pilote c6393508f4 ansible.builtin. prefix for modules
2024-06-12 14:20:37 -04:00
Mathieu Gauthier-Pilote 59189e0260 Prefix variables with mattermost_ 2024-06-12 14:20:37 -04:00
Mathieu Gauthier-Pilote c01c90fddc Now installs a LE SSL cert via certbot by default + configurable base path for user's home 2024-06-12 14:20:37 -04:00
Mathieu Gauthier-Pilote 2f570d06b0 New role to install + upgrade Mattermost 2024-06-12 14:20:37 -04:00
mgauthier 8051ef7170 Merge pull request 'gitea' (#181) from gitea into unstable
Reviewed-on: #181
2024-06-12 20:19:54 +02:00
Mathieu Gauthier-Pilote 1de20769a8 ansible.builtin. prefix for modules
2024-06-12 14:13:23 -04:00
Mathieu Gauthier-Pilote 40050b05d8 Prefix variables with gitea_ 2024-06-12 14:13:23 -04:00
Mathieu Gauthier-Pilote 7912185c05 Gitea upgrade : v1.18.5 => v1.21.3 2024-06-12 14:13:23 -04:00
Mathieu Gauthier-Pilote ce36697089 Now installs a LE SSL cert via certbot by default 2024-06-12 14:13:23 -04:00
Mathieu Gauthier-Pilote 80dd996ee5 New role to install + upgrade Gitea 2024-06-12 14:13:23 -04:00
mgauthier 6c52ad5213 Merge pull request 'mastodon' (#180) from mastodon into unstable
Reviewed-on: #180
2024-06-12 20:12:04 +02:00
Mathieu Gauthier-Pilote f29fa00eff ansible.builtin. prefix for modules
2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote f061bb6f64 mastodon_ prefix for role vars 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote 98d2ece11c With post-deployment the 2nd time; allow to upgrade rbenv if needed; upgrade browsers list db to remove warnings 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote a03ed08b4a use ansible_processor_count + fix db dump path 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote e2ab83dbfa Adjust permissions of files in public folder 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote d8a7a439b2 Allow nginx to read public assets 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote c09fe9605b Install LE cert. when there is none 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote 8b89be02fa README.md + LISEZMOI.md 2024-06-12 14:05:32 -04:00
Mathieu Gauthier-Pilote 0bac8bed84 p10166 Role for mastodon 2024-06-12 14:05:32 -04:00
mgauthier 10601d0fee Merge pull request 'jitsimeet' (#176) from jitsimeet into unstable
Reviewed-on: #176
2024-06-12 20:02:17 +02:00
Mathieu Gauthier-Pilote 21d1d42c0c Fix wrong indentation 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 725fa03b1d Adding handlers 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 4326690eee 1 more command instead of shell + more jitsimeet_ prefix 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote bbbf1fe04a new apt_sources.yml ; systemd + command instead of service + shell 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote fab1165215 jitsimeet_ prefix for vars + ansible.builtin. prefix for modules 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 3d28466a67 Make it a variable 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote c17e9384c0 To enable colibri stats and allow external visualisation 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 6ae4e9fd9a 3rd-party repo management for Deb 12 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 313fcf534d CORS for xmpp-websocket in multidomain setup 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote a320710590 Deploy with additional domains 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote f2bc498e67 To allow for other domains 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 27a47ce3ce Remove hardcoded value 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 9ce75f835d To preserve custom changes to welcomePageAdditionalContent.html 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote cf471284ef custom footer + proxy stream 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 9fc135af39 Simple manual upgrade with .deb packages 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 7cf4d9b0d1 More generic 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 9fdc5a126b certbot --deploy-hook 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 6ea0463e57 coturn 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote b6e0118a25 Fix bug with jvb/websocket/colibri 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 96edf6833b Enabling websockets 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 108a31a901 Not needed 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 6dc9d21e4c Replace hardcoded value with variable 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote f61d9b951c Installs a Let's Encrypt cert 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 330b678f38 Basic install; self-signed cert; no websocket in prosody; public stun server used; sctp disabled 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 82a7ab45a7 New variables for secrets and muc nickname 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 662170e225 variable domain 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote f534e79652 debconf, templates, etc 2024-06-12 20:01:37 +02:00
Mathieu Gauthier-Pilote 910c391151 WIP 2024-06-12 20:01:37 +02:00
mgauthier 59b9bd9b6d Merge pull request 'Fix wrong module params when templating apt sources on Debian 12+' (#179) from fix_nodejs_deb12 into unstable
Reviewed-on: #179
2024-06-12 20:01:06 +02:00
Mathieu Gauthier-Pilote 66a1411910 Fix wrong module params when templating apt sources on Debian 12+ 2024-06-12 20:00:12 +02:00
William Hirigoyen e93a68d27a Revert "evolinux-users, nagios-nrpe: sudoers conf for nagios splitted and moved from evolinux-users to nagios-nrpe"
This reverts commit adc79e0d8d.
2024-06-12 11:07:04 +02:00
William Hirigoyen d55da041ae Revert "minifirewall: add nagios sudo command in proper file"
This reverts commit 935f041611.
2024-06-12 11:05:04 +02:00
William Hirigoyen 9bbea554ec Revert "split is an irregular verb"
This reverts commit 992fa0543f.
2024-06-12 11:05:01 +02:00
Jérémy Lecour 992fa0543f split is an irregular verb
2024-06-12 09:58:24 +02:00
Jérémy Lecour 935f041611 minifirewall: add nagios sudo command in proper file
2024-06-12 09:57:53 +02:00
Alexis Ben Miloud--Josselin 26d495df8c evolinux-base: Customize logcheck recipient when serveur-base is installed
2024-06-10 16:46:30 +02:00
Jérémy Dubois 4b0e088090 Merge pull request 'Install ipmi plugin on dedicated hard' (#178) from munin_ipmi into unstable
Reviewed-on: #178
2024-06-10 16:11:52 +02:00
William Hirigoyen d00fbbe518 proftpd: add new munin graph (users count)
2024-06-10 13:03:37 +02:00
William Hirigoyen 4fb25d91ec Changelog for previous commit (add check_ftp_users)
2024-06-10 11:50:17 +02:00
William Hirigoyen 8d5d28091a P10920 add NRPE check ftp_users
2024-06-10 11:48:57 +02:00
Jérémy Dubois 0ad7dbad6e openvpn: Make it work on OpenBSD in check mode
2024-06-10 10:31:50 +02:00
William Hirigoyen adc79e0d8d evolinux-users, nagios-nrpe: sudoers conf for nagios splitted and moved from evolinux-users to nagios-nrpe
2024-06-07 10:37:04 +02:00
Ludovic Poujol c524ffb472 bind: New variables to change IPs bind will listen on & send notify/transfer commands
2024-06-06 11:07:03 +02:00
Tom David--Broglio a7570a49a3 fail2ban: remount-usr added because it is needed for last task
2024-06-05 18:08:02 +02:00
Tom David--Broglio 0589271110 certbot: allow haproxy deploy hook to work with evoacme too
2024-06-05 17:13:50 +02:00
William Hirigoyen 1474f06927 lxc-solr: update solr9 version + fix URL in README
2024-06-05 15:42:16 +02:00
William Hirigoyen 114d857e89 lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
2024-06-03 17:37:05 +02:00
William Hirigoyen aa13676cc4 log2mail: add missing default vars (see previous commit)
2024-05-31 10:21:58 +02:00
William Hirigoyen f05a6aa25c log2mail: task log2mail.yml of evolinux-base converted to a role
2024-05-31 10:12:05 +02:00
William Hirigoyen 56fbe99164 log2mail: add missing tags
2024-05-31 09:27:08 +02:00
David Prevot 229d2f366e Use lxc_php_container_name instead of lxc_php_version
Fixes phpXY-new containers build.
2024-05-27 12:04:13 +02:00
Alexis Ben Miloud--Josselin b7e24fc3ea evolinux-base: Create custom SSH configuration file
2024-05-24 11:57:50 +02:00
William Hirigoyen de953a30db Add munin: linux_psi plugcontrib plugin
2024-05-23 11:48:08 +02:00
Jérémy Lecour aea1404a21 evolinux-base: install evobackup-client (default: true)
2024-05-21 18:26:33 +02:00
Mathieu Gauthier-Pilote 3accb0442c Install ipmi plugin on dedicated hard
2024-05-06 17:07:34 +02:00
193 changed files with 11641 additions and 511 deletions

@ -13,10 +13,26 @@ The **patch** part is incremented if multiple releases happen the same month
### Added ### Added
* bind: New variables to change IPs bind will listen on & send notify/transfer commands
* evolinux-base: Create custom SSH configuration file
* evolinux-base: install evobackup-client (default: true)
* lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
* munin: add linux_psi contrib plugin
* nagios-nrpe: add new check_ftp_users
* proftpd: add new munin graph (users count)
* nagios-nrpe: new monitoringctl command
### Changed ### Changed
* Elastic Stack : default to version 8.x
* evolinux-base: Customize logcheck recipient when serveur-base is installed
* log2mail: task log2mail.yml of evolinux-base converted to a role
* lxc-solr: update solr9 version + fix URL in README
### Fixed ### Fixed
* openvpn: Make it work on OpenBSD in check mode
### Removed ### Removed
### Security ### Security
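Review bot: in the `### Added` list, the `nagios-nrpe: new monitoringctl command` entry is appended after `proftpd` while the rest of the list is kept in role-alphabetical order; move it next to `nagios-nrpe: add new check_ftp_users`. The `Elastic Stack : default to version 8.x` entry under `### Changed` switches the default major branch for every role that reads `elastic_stack_version`; a one-line note that hosts staying on 7.x must now pin `elastic_stack_version: "7.x"` explicitly would spare operators a surprise upgrade.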
@ -29,6 +45,7 @@ The **patch** part is incremented if multiple releases happen the same month
### Changed ### Changed
* certbot: allow haproxy deploy hook to work with evoacme too (using env variables)
* evobackup-client: upstream release 24.05.1 * evobackup-client: upstream release 24.05.1
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
* evolinux-users: improve SSH configuration * evolinux-users: improve SSH configuration
@ -38,6 +55,7 @@ The **patch** part is incremented if multiple releases happen the same month
### Fixed ### Fixed
* apt: use archive.debian.org with Buster * apt: use archive.debian.org with Buster
* fail2ban: remount-usr added because it is needed for last task
## [24.04] 2024-04-30 ## [24.04] 2024-04-30

@ -1,12 +1,26 @@
--- ---
bind_recursive_server: False bind_recursive_server: false
bind_authoritative_server: True bind_authoritative_server: true
bind_chroot_set: True bind_chroot_set: true
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
#bind_chroot_path: /var/chroot-bind
bind_systemd_service_path: /etc/systemd/system/bind9.service bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log bind_query_file: /var/log/bind_queries.log
bind_query_file_enabled: False bind_query_file_enabled: false
bind_cache_dir: /var/cache/bind bind_cache_dir: /var/cache/bind
# String (bind syntax) of IPv4/ to listen on (or any by default)
# eg. "192.0.2.1; 192.0.2.3" or all interfaces : "any ;"
bind_listen_on_ipv4: "any;"
# String (bind syntax) of IPv6 to listen on (or any by default)
# eg. "2001:db8::1; 2001:db8::42" or all interfaces : "any ;" or not at all "none;"
bind_listen_on_ipv6: "any;"
# For server with multiples IP Adresses, enforce the usage of a specific IP for NOTIFY commands
bind_notify_source: ''
# For server with multiples IP Adresses, enforce the usage of a specific IP for TRANSFER commands
bind_transfer_source: ''
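Review bot: the new `bind_listen_on_ipv4` / `bind_listen_on_ipv6` strings are spliced verbatim into `listen-on { ... }` in the template, so the trailing `;` is mandatory and a value such as `"192.0.2.1"` (no semicolon) leaves named unable to start; say so in the comment (the examples currently mix `"any;"` and `"any ;"`) and consider validating the rendered config with `named-checkconf` before the reload handler runs. Keeping `"any;"` as the default preserves the previous listen-everywhere behaviour, which is fine as long as `allow-query` stays restricted. Small comment fixes: `IPv4/ to listen on` should read `IPv4 addresses to listen on`, and `multiples IP Adresses` should read `multiple IP addresses`.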

@ -10,8 +10,15 @@ options {
masterfile-format text; masterfile-format text;
statistics-file "{{ bind_statistics_file }}"; statistics-file "{{ bind_statistics_file }}";
listen-on-v6 { any; }; listen-on { {{ bind_listen_on_ipv4 }} };
listen-on { any; }; listen-on-v6 { {{ bind_listen_on_ipv6 }} };
{% if bind_notify_source is defined and bind_notify_source|length %}
notify-source {{ bind_notify_source }};
{% endif %}
{% if bind_transfer_source is defined and bind_transfer_source|length %}
transfer-source {{ bind_transfer_source }};
{% endif %}
allow-query { localhost; }; allow-query { localhost; };
allow-recursion { localhost; }; allow-recursion { localhost; };
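Review bot: the `{% if bind_notify_source is defined and bind_notify_source|length %}` guards work, but the `is defined` half is redundant once the role defaults set both variables to `''`; `bind_notify_source | length` alone reads cleaner and is what the comment in defaults describes. The hunk also swaps the order of `listen-on` and `listen-on-v6` relative to the old lines, which is harmless to named but makes the diff noisier than the change warrants.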

@ -1,4 +1,6 @@
#!/bin/sh #!/bin/sh
# /!\ MODIFIED to work with evoacme OR certbot
private_keys_dirs="/etc/ssl/private" # Only used for evoacme
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
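Review bot: `private_keys_dirs="/etc/ssl/private"` holds a single directory, so the plural name is misleading; something like `evoacme_private_keys_dir` would say both what it is and which tool it applies to. Unlike the other globals in this script (`readonly haproxy_bin=...` further down) it is also not marked `readonly`.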
@ -13,7 +15,7 @@ daemon_found_and_running() {
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}" test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
} }
found_renewed_lineage() { found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${private_key}"
} }
config_check() { config_check() {
${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1 ${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
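Review bot: `found_renewed_lineage` now tests `${private_key}`, a global that is only assigned inside `main()` after the certbot/evoacme branch; the call order is right today, but nothing in the function enforces it, so an empty variable would turn into `test -f ""` and a silent false negative. A `test -n "${private_key}"` guard at the top of the function, or passing the key path as an argument, makes the dependency explicit.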
@ -24,7 +26,7 @@ concat_files() {
chown root: "${haproxy_cert_dir}" chown root: "${haproxy_cert_dir}"
debug "Concatenating certificate files to ${haproxy_cert_file}" debug "Concatenating certificate files to ${haproxy_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" cat "${RENEWED_LINEAGE}/fullchain.pem" "${private_key}" > "${haproxy_cert_file}"
chmod 600 "${haproxy_cert_file}" chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}" chown root: "${haproxy_cert_file}"
} }
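Review bot: in `concat_files`, `cat ... > "${haproxy_cert_file}"` creates the combined PEM, which contains the private key, with the process umask and only afterwards runs `chmod 600`, so under a permissive umask there is a short window in which the key material is readable by other local users. Set `umask 077` at the start of the function (or `touch` and `chmod 600` the target before the `cat`) so the file is never created world-readable. This is pre-existing, but the hunk rewrites exactly this line.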
@ -58,10 +60,19 @@ main() {
if daemon_found_and_running; then if daemon_found_and_running; then
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
if [ -z "${EVOACME_VHOST_NAME}" ]; then
# CERTBOT
private_key=${RENEWED_LINEAGE}/privkey.pem
cert_name=$(basename "${RENEWED_LINEAGE}")
else
# EVOACME
private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key
cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))
fi
if found_renewed_lineage; then if found_renewed_lineage; then
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" haproxy_cert_file="${haproxy_cert_dir}/${cert_name}.pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" failed_cert_file="/root/${cert_name}.failed.pem"
concat_files concat_files
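Review bot: in the `# EVOACME` branch, `$(basename $(dirname ${RENEWED_LINEAGE}))` leaves `${RENEWED_LINEAGE}` and the inner substitution unquoted while the very next line quotes them (`$(basename $(dirname "${RENEWED_LINEAGE}"))`); quote both for consistency and so the script survives paths containing spaces. The branch selection keys on `EVOACME_VHOST_NAME` being empty; a one-line comment stating that evoacme sets this variable and certbot does not would make the contract explicit for the next reader.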
@ -77,7 +88,8 @@ main() {
error "HAProxy config is broken, you must fix it !" error "HAProxy config is broken, you must fix it !"
fi fi
else else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""
fi fi
else else
debug "HAProxy is not running or missing. Skip." debug "HAProxy is not running or missing. Skip."
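Review bot: the new `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""` has mismatched quoting: the second `"` closes the string, so `${private_key}` is expanded unquoted (subject to word splitting and globbing) and the trailing `""` just appends an empty string. Write it as `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${private_key}"`.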
@ -91,3 +103,4 @@ readonly QUIET=${QUIET:-"0"}
readonly haproxy_bin=$(command -v haproxy) readonly haproxy_bin=$(command -v haproxy)
main main

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "7.x" elastic_stack_version: "8.x"
elasticsearch_cluster_name: Null elasticsearch_cluster_name: Null
elasticsearch_cluster_members: Null elasticsearch_cluster_members: Null
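Review bot: `elastic_stack_version: "7.x"` to `"8.x"` is repeated independently in the elasticsearch, filebeat, kibana and logstash defaults in this compare; nothing ties the four together, so the next bump has to remember all of them. Either derive the role defaults from one shared variable or add a CHANGELOG note that they must be kept in step, and flag the change as an upgrade warning for hosts still running the 7.x branch rather than a plain default tweak.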

@ -243,3 +243,6 @@ evolinux_utils_include: True
# Autosysadmin # Autosysadmin
evolinux_autosysadmin_include: false evolinux_autosysadmin_include: false
# Evobackup client
evolinux_evobackup_client_include: True
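Review bot: `evolinux_evobackup_client_include: True` uses a capitalised boolean while the neighbouring `evolinux_autosysadmin_include: false` (and the bind defaults in this same compare) use lowercase; pick one style. Worth a second look that `True` is the intended default: it pulls `evolix/evobackup-client` into every evolinux-base run, so any host that must not ship a backup client now has to opt out explicitly.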

@ -74,11 +74,6 @@
name: postfix name: postfix
state: reloaded state: reloaded
- name: restart log2mail
ansible.builtin.service:
name: log2mail
state: restarted
- name: restart systemd-journald - name: restart systemd-journald
ansible.builtin.service: ansible.builtin.service:
name: systemd-journald.service name: systemd-journald.service
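Review bot: removing the `restart log2mail` handler from evolinux-base is right once the new role owns it, but please confirm no task left in evolinux-base still carries `notify: restart log2mail`; a dangling notify is only caught at runtime, not by ansible-lint.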

@ -116,7 +116,8 @@
when: evolinux_provider_orange_fce_include | bool when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service - name: Override Log2mail service
ansible.builtin.import_tasks: log2mail.yml ansible.builtin.include_role:
name: evolix/log2mail
when: evolinux_log2mail_include | bool when: evolinux_log2mail_include | bool
- ansible.builtin.import_tasks: motd.yml - ansible.builtin.import_tasks: motd.yml
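Review bot: the new `ansible.builtin.include_role` task for `evolix/log2mail` carries `when:` but no `tags:`; with a dynamic include, `--tags log2mail` will not select the role's tasks unless the include task itself is tagged (and `apply: { tags: [log2mail] }` is used to propagate the tag), whereas the old `import_tasks: log2mail.yml` inherited tags statically. Either tag the include or document that log2mail is no longer selectable by tag from evolinux-base.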
@ -158,6 +159,11 @@
name: 'evolix/autosysadmin-restart_nrpe' name: 'evolix/autosysadmin-restart_nrpe'
when: evolinux_autosysadmin_include | bool when: evolinux_autosysadmin_include | bool
- name: Evobackup (client)
ansible.builtin.include_role:
name: 'evolix/evobackup-client'
when: evolinux_evobackup_client_include | bool
- name: fail2ban - name: fail2ban
ansible.builtin.include_role: ansible.builtin.include_role:
name: evolix/fail2ban name: evolix/fail2ban

@ -111,7 +111,9 @@
dest: /etc/logcheck/logcheck.conf dest: /etc/logcheck/logcheck.conf
regexp: '^SENDMAILTO=".*"$' regexp: '^SENDMAILTO=".*"$'
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
when: evolinux_packages_logcheck_recipient | bool when:
- evolinux_packages_serveur_base | bool
- evolinux_packages_logcheck_recipient | bool
- name: Deleting rpcbind and nfs-common - name: Deleting rpcbind and nfs-common
ansible.builtin.apt: ansible.builtin.apt:
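Review bot: the added `- evolinux_packages_serveur_base | bool` condition on the `SENDMAILTO` edit is a behaviour change for hosts that set `evolinux_packages_logcheck_recipient` without `serveur-base`: their logcheck recipient silently stops being managed. The CHANGELOG line reads as a pure addition, so call this out there, and consider whether the condition should test that logcheck is actually installed rather than the `serveur-base` flag, since the two are only coupled by convention.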

@ -16,6 +16,14 @@
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
mode: "0644" mode: "0644"
- name: create custom SSH server configuration file
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/zzz-evolinux-custom.conf
state: touch
mode: "0644"
modification_time: preserve
access_time: preserve
# Should we allow the current user? # Should we allow the current user?
- name: Allow the current user - name: Allow the current user
block: block:
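Review bot: `zzz-evolinux-custom.conf` sorts after `z-evolinux-defaults.conf` in `sshd_config.d`, and sshd keeps the first value it obtains for most keywords, so a setting placed in the custom file cannot override a keyword the defaults file already sets; if `custom` is meant to win, name it so it sorts before the defaults, otherwise document that it is only for keywords the defaults leave unset. The `state: touch` combined with `modification_time: preserve` / `access_time: preserve` is the right way to keep the task idempotent.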

@ -112,6 +112,9 @@
tags: tags:
- fail2ban - fail2ban
- include_role:
name: evolix/remount-usr
- name: Script unban_ip is installed - name: Script unban_ip is installed
ansible.builtin.copy: ansible.builtin.copy:
src: unban_ip.sh src: unban_ip.sh
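Review bot: the new `- include_role:` task in fail2ban uses the short module name and has no `name:`, while this compare is otherwise converting everything to the `ansible.builtin.` prefix; write it as a named `ansible.builtin.include_role` task for consistency. It is also inserted without the `tags: - fail2ban` that the surrounding tasks carry, so a run limited to that tag skips the remount and the task it was added to support can still fail.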

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "7.x" elastic_stack_version: "8.x"
filebeat_logstash_plugin: False filebeat_logstash_plugin: False

@ -75,7 +75,7 @@
- name: NRPE check is configured - name: NRPE check is configured
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/nagios/nrpe.d/evolix.cfg path: /etc/nagios/nrpe.d/evolix.cfg
line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}' line: 'command[check_fluentd]=/usr/local/lib/monitoringctl/alerts_wrapper --name fluentd /usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
notify: "restart nagios-nrpe-server" notify: "restart nagios-nrpe-server"
tags: tags:
- fluentd - fluentd
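Review bot: wrapping `check_fluentd` in `/usr/local/lib/monitoringctl/alerts_wrapper --name fluentd` adds a hard dependency on the nagios-nrpe role having installed `monitoringctl`; on a host where fluentd is applied against an older nagios-nrpe, the NRPE command now points at a missing binary and the check fails. State the dependency in the role's README or meta, or guard the line on the wrapper being present (`ansible.builtin.stat` on the path).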

@ -36,7 +36,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/nagios/nrpe.d/evolix.cfg dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: 'command\[check_keepalived\]' regexp: 'command\[check_keepalived\]'
replace: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived' replace: 'command[check_keepalived]=/usr/local/lib/monitoringctl/alerts_wrapper --name keepalived /usr/local/lib/nagios/plugins/check_keepalived'
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
tags: tags:
- keepalived - keepalived
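Review bot: this task is `ansible.builtin.lineinfile` with a `replace:` key, but `lineinfile` has no `replace` parameter (that belongs to `ansible.builtin.replace`), so the module should reject the task with an unsupported-parameter error; either switch the module to `ansible.builtin.replace` or rename the key to `line:`. Pre-existing, but the hunk edits exactly this value. The `alerts_wrapper` path also introduces a dependency on the nagios-nrpe role shipping `monitoringctl`, which the keepalived role does not declare.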

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "7.x" elastic_stack_version: "8.x"
kibana_server_host: "127.0.0.1" kibana_server_host: "127.0.0.1"
kibana_server_basepath: "" kibana_server_basepath: ""

@ -0,0 +1,3 @@
---
log2mail_alert_email: Null
general_alert_email: "root@localhost"
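Review bot: `general_alert_email: "root@localhost"` in the log2mail role defaults gives the shared variable a fallback that evolinux-base deliberately withholds (its logcheck task uses `general_alert_email | mandatory`), so a host that never set it now delivers log2mail alerts to `root@localhost` silently instead of failing fast. Drop the fallback and use `| mandatory` in the template, or document why log2mail diverges.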

@ -0,0 +1,5 @@
---
- name: restart log2mail
ansible.builtin.service:
name: log2mail
state: restarted

@ -23,18 +23,14 @@
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
state: absent state: absent
notify: restart log2mail notify: restart log2mail
tags:
- log2mail
- name: log2mail evolinux-defaults config is present - name: log2mail evolinux-defaults config is present
ansible.builtin.template: ansible.builtin.template:
src: log2mail/evolinux-defaults.j2 src: evolinux-defaults.j2
dest: /etc/log2mail/config/evolinux-defaults dest: /etc/log2mail/config/evolinux-defaults
owner: log2mail owner: log2mail
group: adm group: adm
mode: "0640" mode: "0640"
force: yes force: yes
notify: restart log2mail notify: restart log2mail
tags:
- log2mail
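Review bot: dropping the per-task `tags: - log2mail` means these tasks can no longer be selected or skipped with `--tags log2mail` / `--skip-tags log2mail` once the role is applied; if the intent is that the whole role is now tagged at the include site, say so in the role's README, otherwise keep the task tags as the other roles in this repository do (see the fluentd and keepalived hunks, which keep theirs).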

View file

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "7.x" elastic_stack_version: "8.x"
logstash_jvm_xms: 256m logstash_jvm_xms: 256m
logstash_jvm_xmx: 512g logstash_jvm_xmx: 512g
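Review bot: the unchanged context line `logstash_jvm_xmx: 512g` requests a 512 GB JVM heap next to `logstash_jvm_xms: 256m`; this is almost certainly a typo for `512m`, and the JVM will refuse to start, or the kernel will overcommit badly, on any host that cannot back that reservation. Worth fixing in the same change that touches this defaults file.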

View file

@ -1,11 +1,11 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"
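Review bot: the `container_command` keeps `apt install --yes --force-yes`; `--force-yes` switches off APT's package authentication (and allows downgrades and held-package changes), so any content in the container's configured mirrors is accepted unsigned. For this archived php5 release that may be unavoidable, but prefer the narrower `--allow-unauthenticated` only if signatures genuinely cannot be verified, and note the trade-off in a comment next to the task.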

View file

@ -1,11 +1,11 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -1,17 +1,17 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"
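Review bot: the package list in `container_command` contains `php-zip` twice (`... php-curl php-zip php-mbstring php-xml php-zip ...`); APT tolerates the duplicate, but it hides the fact that the list was hand-edited and makes future diffs noisier. Since the rename already rewrites these lines, drop the second `php-zip` here and in the other PHP task files that carry the same list.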

View file

@ -5,18 +5,18 @@
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
line: "{{ item }}" line: "{{ item }}"
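Review bot: `lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d` makes the Sury signing key trusted for every APT source in the container, not just the `sury.list` entry added below; a compromised or substituted Debian mirror could then serve packages signed with that key. Store the key outside `trusted.gpg.d` (for example `/usr/share/keyrings/`) and reference it from the source line with `[signed-by=...]`, as the bookworm task files already can with their deb822 `.sources` templates.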
@ -51,17 +51,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -4,18 +4,18 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
line: "{{ item }}" line: "{{ item }}"
@ -50,17 +50,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -4,24 +4,24 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" - name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs }}/etc/apt/sources.list" path: "{{ lxc_rootfs }}/etc/apt/sources.list"
state: absent state: absent
- name: "{{ lxc_php_version }} - system bookworm repository" - name: "{{ lxc_php_container_name }} - system bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_basics.sources.j2 src: bookworm_basics.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository" - name: "{{ lxc_php_container_name }} - security bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_security.sources.j2 src: bookworm_security.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
@ -44,17 +44,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -4,38 +4,38 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" - name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs }}/etc/apt/sources.list" path: "{{ lxc_rootfs }}/etc/apt/sources.list"
state: absent state: absent
- name: "{{ lxc_php_version }} - system bookworm repository" - name: "{{ lxc_php_container_name }} - system bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_basics.sources.j2 src: bookworm_basics.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository" - name: "{{ lxc_php_container_name }} - security bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_security.sources.j2 src: bookworm_security.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.template: ansible.builtin.template:
src: sury.sources.j2 src: sury.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - Add sury failsafe repo" - name: "{{ lxc_php_container_name }} - Add sury failsafe repo"
ansible.builtin.template: ansible.builtin.template:
src: evolix_sury.sources.j2 src: evolix_sury.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
@ -66,17 +66,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -15,7 +15,7 @@ Since this role depend on the lxc role, please refer to it for a full variable l
* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty). * `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
* `name`: name of the LXC container to create. * `name`: name of the LXC container to create.
* `release`: Debian version to install * `release`: Debian version to install
* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)* * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/solr/solr/ for a full version list)*
* `solr_port`: port for Solr to listen on * `solr_port`: port for Solr to listen on
Eg.: Eg.:
``` ```

View file

@ -16,7 +16,7 @@
# solr_port: 8985 # solr_port: 8985
# - name: solr9 # - name: solr9
# release: bullseye # release: bullseye
# solr_version: 9.0.0 # solr_version: 9.6.1
# solr_port: 8985 # solr_port: 8985
lxc_containers: [] lxc_containers: []

View file

@ -8,6 +8,10 @@ lxc_network_type: "none"
# Partition to bind mount into containers. # Partition to bind mount into containers.
lxc_mount_part: "/home" lxc_mount_part: "/home"
# Mirror URL (optionnal).
# For old Debian, use https://archive.debian.org/debian/
lxc_template_mirror: ""
# List of LXC containers to create. # List of LXC containers to create.
# Eg.: # Eg.:
# lxc_containers: # lxc_containers:
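Review bot: typo in the new comment, "optionnal" should be "optional". It would also help to state that `lxc_template_mirror` must be a full URL including scheme and trailing slash, matching the example `https://archive.debian.org/debian/`, because the value is passed straight to the template's `--mirror` option.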

View file

@ -6,13 +6,16 @@
check_mode: no check_mode: no
register: container_exists register: container_exists
- ansible.builtin.set_fact:
lxc_template_mirror_option: "{{ '--mirror ' + lxc_template_mirror if lxc_template_mirror != '' else '' }}"
- name: "Create container {{ name }}" - name: "Create container {{ name }}"
community.general.lxc_container: community.general.lxc_container:
name: "{{ name }}" name: "{{ name }}"
container_log: true container_log: true
template: debian template: debian
state: stopped state: stopped
template_options: "--arch amd64 --release {{ release }}" template_options: "--arch amd64 --release {{ release }} {{ lxc_template_mirror_option }}"
when: container_exists.stdout_lines | length == 0 when: container_exists.stdout_lines | length == 0
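Review bot: the new `set_fact` task has no `name:`, which is inconsistent with the rest of the file and makes play output hard to read; give it one. More importantly, `lxc_template_mirror` is spliced unquoted into `template_options`, so a value containing whitespace or shell metacharacters would be split into extra template arguments; an `ansible.builtin.assert` that the value is empty or matches `^https?://[^[:space:]]+/$` before this task fails early with a clear message instead of a confusing `lxc-create` error.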
- name: "Disable network configuration inside container {{ name }}" - name: "Disable network configuration inside container {{ name }}"

View file

@ -34,7 +34,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_memcached\]=' regexp: '^command\[check_memcached\]='
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}' line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
when: memcached_instance_name | length == 0 when: memcached_instance_name | length == 0
@ -42,7 +42,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_memcached\]=' regexp: '^command\[check_memcached\]='
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances' line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached_instances'
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
when: memcached_instance_name | length > 0 when: memcached_instance_name | length > 0

View file

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "7.x" elastic_stack_version: "8.x"
metricbeat_elasticsearch_hosts: metricbeat_elasticsearch_hosts:
- "localhost:9200" - "localhost:9200"
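Review bot: with the default now "8.x", the unchanged context default `metricbeat_elasticsearch_hosts: ["localhost:9200"]` will not work against an Elasticsearch 8.x node as installed, which listens with HTTPS and requires authentication by default; either change the default to an `https://` URL and document the credential variables, or state in the README that operators must override these hosts when targeting 8.x.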

View file

@ -46,7 +46,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/nagios/nrpe.d/evolix.cfg dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: 'command\[check_minifirewall\]' regexp: 'command\[check_minifirewall\]'
line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall' line: 'command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall'
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
when: nrpe_evolix_cfg.stat.exists when: nrpe_evolix_cfg.stat.exists
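Review bot: the wrapper is placed before `sudo`, so the nagios user's sudoers entry still matches the unchanged `{{ nagios_plugins_directory }}/check_minifirewall` command, which is the right order; but it means `alerts_wrapper` itself runs as the NRPE user and must be readable and executable by it, and `/usr/local/lib/monitoringctl` must be root-owned and not group- or world-writable, otherwise a write there becomes a path to the sudo-allowed check. Worth a comment on the task or a `mode`/`owner` assertion in the nagios-nrpe role that installs it.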

View file

@ -0,0 +1,360 @@
#!/bin/bash
: << =cut
=head1 NAME
linux_psi - Plugin to monitor the pressure stall information for CPU, Memory and
IO as reported by the Linux kernel.
This plugin monitors the pressure stall information (psi) as reported by the
Linux Kernel. By default it reports all average intervals (10 seconds,
60 seconds and 300 seconds) as well as the total values as a rate of change
(DERIVE) for all resources (cpu, memory, io). The average intervals can be
configured if you only deem some of them useful. See CONFIGURATION for
explanations on that.
This is a multigraph plugin that, by default, will create six detail graphs and
one summary graph (so seven in total). The summary graph will contain the 300
seconds average percentages of all resources. The detail graphs are split in two
graphs per resource. One combining all average intervals and one for the
"totals" (rate of change) for the given resource.
There are no defaults for warnings and criticals, because this highly depends on
the system, so you need to configure them yourself (if you want any). It is
recommended that you first lookup the meaning of the different values.
For more information on psi see:
https://www.kernel.org/doc/html/latest/accounting/psi.html
=head1 CONFIGURATION
Simply create a symlink in your plugins directory like with any other plugin.
No additional configuration needed, no specific user required (typically).
If you want to configure alerts, just add "warn_" or "crit_" in front of the
internal name.
Optional configuration examples:
[linux_psi]
env.resources cpu io memory - Specify the resources to monitor. Leave one
out if you don't want this one to be
monitored.
env.intervals avg10 avg60 avg300 - Sepcify the average intervals to monitor.
Leave one out if you don't want this one to
be monitored
env.scopes some full - Specify the scopes to monitor. Leave one out
If you don't want it to be monitored.
env.summary_interval avg300 - Specify the interval to be used for the
summary-graph.
env.warn_psi_cpu_avg300_some 5 - Set a warning-level of 5 for
"psi_cpu_avg300_some"
env.crit_psi_io_total_full 2000 - Set a critical-level of 2000 for
"psi_io_total_full"
=head1 AUTHOR
2022, HaseHarald
=head1 LICENSE
LGPLv3
=head1 BUGS
=head1 TODO
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=cut
# This file contains a munin-plugin to graph the psi (pressure) for CPU, Memory
# and IO, as reported by the Linux kernel.
#
# This is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this plugin. If not, see <http://www.gnu.org/licenses/>.
resource_defaults=('cpu' 'io' 'memory')
interval_defaults=('avg10' 'avg60' 'avg300')
scope_defaults=('some' 'full')
pressure_dir=${pressure_dir:-'/proc/pressure/'}
pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )
pressure_intervals=( "${intervals[@]:-${interval_defaults[@]}}" )
pressure_scopes=( "${scopes[@]:-${scope_defaults[@]}}" )
summary_interval="${summary_interval:-avg300}"
check_autoconf() {
if [ -d "${pressure_dir}" ]; then
printf "yes\n"
else
printf "no (%s not found)\n" "${pressure_dir}"
fi
}
get_pressure_value() {
local resource
local interval
local scope
resource="$1"
interval="$2"
scope="${3:-some}"
grep "$scope" "${pressure_dir}/${resource}" | grep -o -E "${interval}=[0-9]{1,}(\.[0-9]{1,}){0,1}" | cut -d '=' -f 2
}
get_printable_name() {
local kind
local value
local printable_name
kind="$1"
value="$2"
printable_name=""
case "$kind" in
interval)
case "$interval" in
avg10)
printable_name="10sec"
;;
avg60)
printable_name="60sec"
;;
avg300)
printable_name="5min"
;;
total)
printable_name="Total"
;;
*)
printf "ERROR: Could not determine interval %s ! Must be one of 'avg10' 'avg60' 'avg300' 'total'\n" "$value" >&2
exit 2
;;
esac
;;
scope)
case "$value" in
some)
printable_name="Some"
;;
full)
printable_name="Full"
;;
*)
printf "ERROR: Could not determine scope %s ! Must be one of 'full' 'some'.\n" "$value" >&2
exit 2
;;
esac
;;
resource)
case "$value" in
cpu)
printable_name="CPU"
;;
io)
printable_name="IO"
;;
memory)
printable_name="Memory"
;;
*)
printf "ERROR: Could not determine resource-type %s ! Must be one of 'cpu' 'io' 'memory'.\n" "$value" >&2
exit 2
;;
esac
;;
*)
printf "ERROR: Could not determine kind %s ! Must be one of 'interval' 'scope' 'resource'\n" "$kind" >&2
exit 2
;;
esac
printf "%s" "$printable_name"
}
iterate_config() {
for resource in "${pressure_resources[@]}"; do
local printable_resource
printable_resource=$( get_printable_name resource "$resource" )
printf "multigraph linux_psi.%s_avg\n" "$resource"
printf "graph_title %s Pressure Stall Information - Average\n" "$printable_resource"
printf "graph_category system\n"
printf "graph_info Average PSI based latency caused by lack of %s resources.\n" "$printable_resource"
printf "graph_vlabel %%\n"
printf "graph_scale no\n"
for interval in "${pressure_intervals[@]}"; do
local printable_interval
printable_interval=$( get_printable_name interval "$interval" )
output_config "$resource" "$interval"
done
echo ""
done
for resource in "${pressure_resources[@]}"; do
local interval
local printable_resource
interval="total"
printable_resource=$( get_printable_name resource "$resource" )
printf "multigraph linux_psi.%s_total\n" "$resource"
printf "graph_title %s Pressure Stall Information - Rate\n" "$printable_resource"
printf "graph_category system\n"
printf "graph_info Total PSI based latency rate caused by lack of %s resources.\n" "$printable_resource"
printf "graph_vlabel rate\n"
output_config "$resource" "$interval"
echo ""
done
printf "multigraph linux_psi\n"
printf "graph_title Pressure Stall Information - Average\n"
printf "graph_vlabel %%\n"
printf "graph_scale no\n"
printf "graph_category system\n"
printf "graph_info Average PSI based latency caused by lack of resources.\n"
for resource in "${pressure_resources[@]}"; do
output_config "$resource" "$summary_interval"
done
echo ""
}
iterate_values() {
for resource in "${pressure_resources[@]}"; do
printf "multigraph linux_psi.%s_avg\n" "$resource"
for interval in "${pressure_intervals[@]}"; do
output_values "$resource" "$interval"
done
echo ""
done
for resource in "${pressure_resources[@]}"; do
local interval
interval="total"
printf "multigraph linux_psi.%s_total\n" "$resource"
output_values "$resource" "$interval"
echo ""
done
printf "multigraph linux_psi\n"
for resource in "${pressure_resources[@]}"; do
output_values "$resource" "$summary_interval"
done
echo ""
}
output_config() {
local resource
local interval
local printable_resource
local printable_interval
resource="$1"
interval="$2"
printable_resource=$( get_printable_name resource "$resource" )
printable_interval=$( get_printable_name interval "$interval" )
for scope in "${pressure_scopes[@]}"; do
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
continue
else
local printable_scope
local this_warn_var
local this_crit_var
printable_scope=$( get_printable_name scope "$scope" )
this_warn_var=$( echo "warn_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
this_crit_var=$( echo "crit_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
printf "psi_%s_%s_%s.min 0\n" "$resource" "$interval" "$scope"
printf "psi_%s_%s_%s.label %s %s %s\n" "$resource" "$interval" "$scope" "$printable_resource" "$printable_interval" "$printable_scope"
if [ -n "${!this_warn_var}" ]; then
printf "psi_%s_%s_%s.warning %s\n" "$resource" "$interval" "$scope" "${!this_warn_var}"
fi
if [ -n "${!this_crit_var}" ]; then
printf "psi_%s_%s_%s.critical %s\n" "$resource" "$interval" "$scope" "${!this_crit_var}"
fi
if [ "$interval" == "total" ]; then
printf "psi_%s_%s_%s.type DERIVE\n" "$resource" "$interval" "$scope"
fi
fi
done
}
output_values() {
local resource
local interval
resource="$1"
interval="$2"
for scope in "${pressure_scopes[@]}"; do
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
continue
else
printf "psi_%s_%s_%s.value %s\n" "$resource" "$interval" "$scope" "$(get_pressure_value "$resource" "$interval" "$scope")"
fi
done
}
output_usage() {
printf >&2 "%s - munin plugin to graph pressure stall information for CPU, Memory and IO as reported by the Linux kernel.\n" "${0##*/}"
printf >&2 "Usage: %s [config]\n" "${0##*/}"
printf >&2 "You may use environment settings in a plugin-config file, used by munin (for example /etc/munin/plugin-conf.d/munin-node) to further adjust settings.\n"
printf >&2 "You can use these settings to configure which resources, intervals or scopes are monitored or to configure warning and critical levels.\n"
printf >&2 "To do so use a syntax like this:\n"
printf >&2 "[linux_psi]\n"
printf >&2 "env.resources cpu io memory\n"
printf >&2 "env.intervals avg10 avg60 avg300\n"
printf >&2 "env.scopes some full\n"
printf >&2 "env.summary_interval avg300\n"
printf >&2 "env.warn_psi_cpu_avg300_some 5\n"
printf >&2 "env.crit_psi_io_total_full 2000\n"
}
case "$#" in
0)
iterate_values
;;
1)
case "$1" in
autoconf)
check_autoconf
;;
config)
iterate_config
;;
fetch)
iterate_values
;;
*)
output_usage
exit 1
;;
esac
;;
*)
output_usage
exit 1
;;
esac
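Review bot: in `get_printable_name`, the `interval)` branch switches on `"$interval"` instead of `"$value"` (compare the `scope)` and `resource)` branches, which use `$value`); it only works because every caller happens to have a global `$interval` set to the same string, and the error message in that branch then reports `$value`. Change the inner `case` to `"$value"`. Minor: "Sepcify" in the header comment should read "Specify", and `get_pressure_value` greps the scope name anywhere on the line, so anchoring it with `^${scope} ` would be more robust.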

View file

@ -46,6 +46,8 @@
dest: '/usr/share/munin/plugins/{{ item }}' dest: '/usr/share/munin/plugins/{{ item }}'
loop: loop:
- dhcp_pool - dhcp_pool
- linux-psi
- ipmi_
tags: tags:
- munin - munin
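Review bot: the plugin is installed and later linked as `linux-psi` (hyphen), but the plugin's own configuration header documents its munin-node section as `[linux_psi]` (underscore); munin-node matches `env.*` settings by the plugin's installed name, so any warning/critical thresholds written under `[linux_psi]` will silently not apply. Install it as `linux_psi` to match the plugin, or adjust the documented section name.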
@ -77,6 +79,7 @@
- postfix_mailqueue - postfix_mailqueue
- postfix_mailstats - postfix_mailstats
- postfix_mailvolume - postfix_mailvolume
- linux-psi
notify: restart munin-node notify: restart munin-node
tags: tags:
- munin - munin
@ -106,6 +109,14 @@
- temp - temp
- power - power
- volts - volts
- amp
- name: Ensure ipmitool is installed on dedicated hardware
ansible.builtin.apt:
name: ipmitool
state: present
when: ansible_virtualization_role == "host"
notify: restart munin-node
- name: adjustments for grsec kernel - name: adjustments for grsec kernel
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
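Review bot: `when: ansible_virtualization_role == "host"` only matches machines on which Ansible detected a hypervisor role (for example loaded KVM modules); a dedicated server that runs no VMs reports `NA`, so `ipmitool` would not be installed exactly where the `ipmi_` plugin needs it. Test for the hardware instead (presence of `/dev/ipmi0`, or `ansible_virtualization_role != "guest"`). The new task also lacks the `tags: - munin` that its sibling tasks carry, and notifying `restart munin-node` from a package install is unnecessary since the plugin link task already does so.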

nagios-nrpe/files/alerts_switch Normal file → Executable file
View file

@ -1,83 +1,143 @@
#!/bin/bash #!/bin/bash
# https://forge.evolix.org/projects/evolix-private/repository
# #
# You should not alter this file. # Source:
# If you need to, create and customize a copy. # https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
#
set -e
readonly PROGNAME=$(basename $0) readonly PROGNAME=$(basename $0)
readonly PROGDIR=$(readlink -m $(dirname $0)) readonly VERSION="24.06.00"
readonly ARGS="$@"
usage() { # Load common functions and vars
echo "$PROGNAME action prefix" readonly lib_dir="/usr/local/lib/monitoringctl"
} if [ -r "${lib_dir}/common" ]; then
# shellcheck source=monitoringctl_common
disable_alerts () { source "${lib_dir}/common"
disabled_file="$1_disabled" else
enabled_file="$1_enabled" >&2 echo "Error: missing ${lib_dir}/common file."
if [ -e "${enabled_file}" ]; then
mv "${enabled_file}" "${disabled_file}"
else
touch "${disabled_file}"
chmod 0644 "${disabled_file}"
fi
}
enable_alerts () {
disabled_file="$1_disabled"
enabled_file="$1_enabled"
if [ -e "${disabled_file}" ]; then
mv "${disabled_file}" "${enabled_file}"
else
touch "${enabled_file}"
chmod 0644 "${enabled_file}"
fi
}
now () {
date --iso-8601=seconds
}
log_disable () {
echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
}
log_enable () {
echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
}
main () {
local action=$1
local prefix=$2
local base_dir="/var/lib/misc"
mkdir -p "${base_dir}"
local file_path="${base_dir}/${prefix}_alerts"
local log_file="/var/log/${prefix}_alerts.log"
case "$action" in
enable)
enable_alerts ${file_path}
log_enable ${log_file}
;;
disable)
disable_alerts ${file_path}
log_disable ${log_file}
;;
help)
usage
;;
*)
>&2 echo "Unknown action '$action'"
exit 1 exit 1
;; fi
esac
if [ ! -e "${var_dir}" ]; then
>&2 echo "Warning: missing ${var_dir} directory."
fi
function show_help() {
cat <<END
$PROGNAME disables or enables NRPE alerts wrapped by the script 'alerts_wrapper' in NRPE configuration.
Usage: $PROGNAME disable [-d|--during <DURATION>] [--message '<DISABLE_MESSAGE>'] <WRAPPER_NAME|all>
$PROGNAME enable [--message '<ENABLE_MESSAGE>'] <WRAPPER_NAME|all>
$PROGNAME help
WRAPPER_NAME: The name given to '--name' option of 'alerts_wrapper'.
DURATION: Duration of alert disabling.
Can be '1d' for 1 day, '5m' for 5 minutes or more complex
expressions like '1w2d10m42s' (if no time unit is provided,
hour is assumed)
Default value: 1h
DISABLE_MESSAGE: Message that will be logged and printed by alerts_wrapper
when alert is disabled.
ENABLE_MESSAGE: Message that will be logged when alert is enabled
END
} }
main $ARGS function disable_alerts() {
# $1: wrapper name, $2: duration_sec, $3: disable message
now_secs=$(date +"%s")
disable_until_secs=$(( now_secs + ${2} ))
disable_file_path="$(get_disable_file_path "${1}")"
echo "${disable_until_secs}" > "${disable_file_path}"
echo "$(logname || echo unknown): \"${3}\"" >> "${disable_file_path}"
chmod 0644 "${disable_file_path}"
log "${1} alerts disabled by $(logname || echo unknown)"
log "Disable message: ${3}"
}
function enable_alerts() {
# $1: wrapper name, $2: enable message
disable_file_path="$(get_disable_file_path "${1}")"
if [ -e "${disable_file_path}" ]; then
rm "${disable_file_path}"
fi
log "${1} alerts enabled by $(logname || echo unknown)"
log "Enable message: ${2}"
}
function main() {
if [ "${action}" == 'enable' ]; then
if [ "${wrapper_name}" == "all" ]; then
for wrapper in $(get_wrappers_names); do
enable_alerts "${wrapper}" "${message}"
done
else
enable_alerts "${wrapper_name}" "${message}"
fi
elif [ "${action}" == 'disable' ]; then
duration_sec=$(time_to_seconds "${duration}")
if [ "${wrapper_name}" == "all" ]; then
for wrapper in $(get_wrappers_names); do
disable_alerts "${wrapper}" "${duration_sec}" "${message}"
done
else
disable_alerts "${wrapper_name}" "${duration_sec}" "${message}"
fi
elif [ "${action}" == 'help' ]; then
show_help
fi
}
while :; do
case "${1}" in
enable|disable|help)
action="${1}"
shift;;
-d|--during)
if [ "$#" -gt 1 ]; then
if filter_duration "${2}"; then
duration="${2}"
else
usage_error "Option --during: \"${2}\" is not a valid duration."
fi
else
error "Missing --during argument."
fi
shift; shift;;
-m|--message)
if [ "$#" -gt 1 ]; then
message="${2}"
else
error "Missing --message argument."
fi
shift; shift;;
*)
if [ -n "${1}" ]; then
if is_wrapper "${1}" || [ "${1}" == "all" ]; then
wrapper_name="${1}"
else
error "Unknown argument '${1}', or NAME not defined in NRPE configuration."
fi
else
if [ -z "${action}" ]; then
error "Missing action argument."
elif [ -z "${1}" ]; then
break
fi
fi
shift;;
esac
done
if [ -z "${wrapper_name}" ] && [ "${action}" != 'help' ] ; then
error "Missing WRAPPER_NAME."
fi
if [ -z "${duration}" ]; then
duration="${default_disabled_time}"
fi
readonly wrapper_name duration action
main
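Review bot: the help text still promises `(if no time unit is provided, hour is assumed)` and `Default value: 1h`, but `-d|--during` now validates with `filter_duration`, whose regex in the common library has no bare-number form, so `alerts_switch disable -d 2 load` is rejected with "is not a valid duration"; fix the help or accept the old form. `set -e` from the previous version is also gone without a replacement, so a failing `echo ... > "${disable_file_path}"` (for example when `${var_dir}` is missing, which is only warned about) is followed by a "alerts disabled" log line that is not true. Finally, the state moved from `/var/lib/misc/${prefix}_alerts_disabled` to the disable files under `${var_dir}`; nothing migrates or removes the old files, so a check silenced before the upgrade starts alerting again as soon as the new wrapper is deployed, and the stale `_disabled` files stay behind forever. A one-shot migration in the role (or at least a changelog entry) would avoid surprise pages.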

nagios-nrpe/files/alerts_wrapper Normal file → Executable file

@ -1,114 +1,101 @@
#!/bin/bash #!/bin/bash
# https://forge.evolix.org/projects/evolix-private/repository
# #
# You should not alter this file. # Source:
# If you need to, create and customize a copy. # https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
#
VERSION="21.04" readonly PROGNAME=$(basename $0)
readonly VERSION readonly VERSION="24.06.00"
# base functions # Load common functions and vars
readonly lib_dir="/usr/local/lib/monitoringctl"
if [ -r "${lib_dir}/common" ]; then
# shellcheck source=monitoringctl_common
source "${lib_dir}/common"
else
>&2 echo "Error: missing ${lib_dir}/common file."
exit 1
fi
show_version() { if [ ! -e "${var_dir}" ]; then
>&2 echo "Warning: missing ${var_dir} directory."
fi
function show_help() {
cat <<END cat <<END
alerts_wrapper version ${VERSION} alerts_wrapper wraps an NRPE command and overrides the return code.
Copyright 2018-2021 Evolix <info@evolix.fr>, Usage: alerts_wrapper --name <WRAPPER_NAME> <CHECK_COMMAND>
Jérémy Lecour <jlecour@evolix.fr> Usage: alerts_wrapper <WRAPPER_NAME> <CHECK_COMMAND> (deprecated)
and others.
alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
or alerts_wrapper --name=check_name command with optional arguments
or alerts_wrapper check_name command with optional arguments
Options Options
--limit max age of the "check file" ; --name Wrapper name, it is very recommended to use the check name (like load, disk1…).
can be "1d" for 1 day, "5m" for 5 minutes… Special name: 'all' is already hard-coded.
or more complex expressions like "1w2d10m42s" -h, --help Print this message and exit.
--name check name -V, --version Print version and exit.
-h, --help print this message and exit
-V, --version print version and exit
END END
} }
time_in_seconds() { function enable_wrapper() {
if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then # $1: wrapper name
echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
echo "${1} * 3600" | xargs expr
else
return 1
fi
}
delay_from_alerts_disabled_file() {
last_change=$(stat -c %Z "${alerts_disabled_file}")
limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}")
limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
echo $(( last_change - limit_date ))
}
enable_check() {
if [ "$(id -u)" -eq "0" ] ; then if [ "$(id -u)" -eq "0" ] ; then
/usr/local/bin/alerts_switch enable "${check_name}" /usr/local/bin/alerts_switch enable "${1}"
else else
sudo /usr/local/bin/alerts_switch enable "${check_name}" sudo /usr/local/bin/alerts_switch enable "${1}"
fi fi
} }
main() { function main() {
${check_command} > "${check_stdout}" is_disabled="$(is_disabled_wrapper "${wrapper_name}")"
if [ -e "${disable_file}" ] && [ "${is_disabled}" = "False" ]; then
enable_wrapper "${wrapper_name}"
fi
timeout_command=""
if [ "${is_disabled}" = "True" ]; then
timeout_command="timeout 8"
fi
check_stdout="$(${timeout_command} ${check_command})"
check_rc=$? check_rc=$?
readonly check_rc
delay=0 if [ "${is_disabled}" = "True" ] && [ "${check_rc}" -eq 124 ] && [ -z "${check_stdout}" ]; then
check_stdout="Check timeout (> 8 sec)"
if [ -e "${alerts_disabled_file}" ]; then
delay=$(delay_from_alerts_disabled_file)
if [ "${delay}" -le "0" ]; then
enable_check
fi
fi fi
if [ -e "${alerts_disabled_file}" ]; then if [ "${is_disabled}" = "True" ]; then
formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c') enable_time="$(get_enable_time "${wrapper_name}")"
readonly formatted_last_change enable_delay="$(enable_delay "${enable_time}")"
delay_str="$(delay_to_string "${enable_delay}")"
enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
disable_msg="$(get_disable_message "${wrapper_name}")"
if [ -n "${disable_msg}" ]; then
disable_msg="- ${disable_msg} "
fi
echo "ALERT DISABLED until ${enable_date} (${delay_str} left) ${disable_msg}- Check output: ${check_stdout}"
else
echo "${check_stdout}"
fi
echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")" if [ "${is_disabled}" = "True" ]; then
if [ ${check_rc} = 0 ]; then if [ ${check_rc} = 0 ]; then
# Nagios OK exit 0 # Nagios OK
exit 0
else else
# Nagios WARNING exit 1 # Nagios WARNING
exit 1
fi fi
else else
cat "${check_stdout}"
exit ${check_rc} exit ${check_rc}
fi fi
} }
# Default: 1 day before re-enabling the check
wrapper_limit_default="1d"
readonly wrapper_limit_default
if [[ "${1}" =~ -.* ]]; then if [[ "${1}" =~ -.* ]]; then
# parse options # parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do while :; do
case $1 in case "${1}" in
-h|-\?|--help) -h|-\?|--help)
show_help show_help
exit 0 exit 0
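Review bot: the library guard (`>&2 echo "Error: missing ${lib_dir}/common file."` then `exit 1`) runs inside a plugin that NRPE executes, and NRPE only relays stdout, so a missing library turns every wrapped check into a WARNING with an empty output line and no hint why. Print the message on stdout and exit 3 (UNKNOWN) so the cause shows up in the console. Also, `timeout 8` is only wired in while the wrapper is disabled (`if [ "${is_disabled}" = "True" ]; then timeout_command="timeout 8"`); a hung check still blocks NRPE when alerts are enabled, which is exactly when it matters, so consider applying the timeout in both branches and mapping rc 124 to UNKNOWN rather than letting the raw exit code through.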
@ -117,47 +104,25 @@ if [[ "${1}" =~ -.* ]]; then
show_version show_version
exit 0 exit 0
;; ;;
-n|--name)
--limit)
# with value separated by space # with value separated by space
if [ -n "$2" ]; then if [ -n "${2}" ]; then
wrapper_limit=$2 wrapper_name="${2}"
shift
else
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--limit=?*)
# with value speparated by =
wrapper_limit=${1#*=}
;;
--limit=)
# without value
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
exit 1
;;
--name)
# with value separated by space
if [ -n "$2" ]; then
check_name=$2
shift shift
else else
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2 printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
exit 1 exit 2
fi fi
;; ;;
--name=?*) -n|--name=?*)
# with value speparated by = # with value separated by =
check_name=${1#*=} wrapper_name="${1#*=}"
;; ;;
--name=) -n|--name=)
# without value # without value
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2 printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
exit 1 exit 2
;; ;;
--) --)
# End of all options. # End of all options.
shift shift
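Review bot: `--limit` is removed outright here (the `--limit`, `--limit=?*` and `--limit=` cases on the left have no counterpart on the right), and since unrecognised options now abort, every existing NRPE command line written for the previous version, for example `alerts_wrapper --limit=1d --name=load ...`, stops working after the upgrade instead of degrading gracefully. Accept `--limit` as a no-op with a deprecation warning for one release, or call out the mandatory `nrpe.d` rewrite in the role's changelog. Minor: `-n` appears in all three name patterns (`-n|--name)`, `-n|--name=?*)`, `-n|--name=)`) but only the first can ever match it; the other two alternatives are dead and suggest a `-n=value` form that does not exist.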
@ -165,8 +130,8 @@ if [[ "${1}" =~ -.* ]]; then
;; ;;
-?*) -?*)
# ignore unknown options # ignore unknown options
printf 'WARN: Unknown option : %s\n' "$1" >&2 printf 'ERROR: Unknown option : %s\n' "${1}" >&2
exit 1 exit 2
;; ;;
*) *)
# Default case: If no more options then break out of the loop. # Default case: If no more options then break out of the loop.
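Review bot: an unknown option now exits 2, which NRPE/Nagios reports as CRITICAL, and the diagnostic goes to stderr, which NRPE drops, so the operator sees a CRITICAL with no text and cannot tell a wrapper typo from a real service failure. Plugin usage errors are conventionally UNKNOWN (3) with the reason on stdout; something like `echo "UNKNOWN - unknown option ${1}"; exit 3` here (and for the `exit 2` paths of the `--name` errors) keeps the misconfiguration visible without masquerading as an outage.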
@ -180,38 +145,22 @@ if [[ "${1}" =~ -.* ]]; then
check_command="$*" check_command="$*"
else else
# no option is passed (backward compatibility with previous version) # no option is passed (backward compatibility with previous version)
# treat the first argument as check_name and the rest as the command # treat the first argument as wrapper_name and the rest as the command
check_name="${1}" wrapper_name="${1}"
shift shift
check_command="$*" check_command="$*"
fi fi
# Default values or errors if [ -z "${wrapper_name}" ]; then
if [ -z "${wrapper_limit}" ]; then printf 'ERROR: You must specify a wrapper name, with --names.\n' >&2
wrapper_limit="${wrapper_limit_default}" exit 2
fi
if [ -z "${check_name}" ]; then
printf 'ERROR: You must specify a check name, with --name.\n' >&2
exit 1
fi fi
if [ -z "${check_command}" ]; then if [ -z "${check_command}" ]; then
printf 'ERROR: You must specify a command to execute.\n' >&2 printf 'ERROR: You must specify a command to execute.\n' >&2
exit 1 exit 2
fi fi
readonly check_name disable_file="$(get_disable_file_path "${wrapper_name}")"
readonly check_command readonly wrapper_name check_command disable_file
readonly wrapper_limit
alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
readonly alerts_disabled_file
check_file="/var/lib/misc/${check_name}_alerts_disabled"
readonly check_file
check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
readonly check_stdout
# shellcheck disable=SC2064
trap "rm ${check_stdout}" EXIT
main main
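Review bot: typo in the new message, `printf 'ERROR: You must specify a wrapper name, with --names.\n'`; the option is `--name`. The same stderr/exit 2 remark as above applies to both `exit 2` paths in this hunk. Dropping the `mktemp` file and the `trap` is fine now that output is captured in a variable, but note that `check_command="$*"` is still expanded unquoted when executed, so an argument quoted in `nrpe.cfg` (a threshold containing spaces, a glob) is re-split and glob-expanded by the wrapper; this predates the change but is worth a comment since the variable is now `readonly` and cannot be fixed up later.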

nagios-nrpe/files/check-local Executable file → Normal file

@ -1,36 +1,9 @@
#!/usr/bin/env bash #!/usr/bin/env bash
CHECK_BIN=/usr/lib/nagios/plugins/check_nrpe readonly orange="\e[0;33m"
readonly nocolor="\e[0m"
server_address="127.0.0.1" echo -e "${orange}'check-local' is now an alias for 'monitoringctl check'. See 'monitoringctl -h' for more information.${nocolor}"
if ! test -f "${CHECK_BIN}"; then
echo "${CHECK_BIN} is missing, please install nagios-nrpe-plugin package."
exit 1
fi
for file in /etc/nagios/{nrpe.cfg,nrpe_local.cfg,nrpe.d/evolix.cfg}; do
if [ -r ${file} ]; then
command_search=$(grep "\[check_$1\]" "${file}" | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-)
fi
if [ -n "${command_search}" ]; then
command="${command_search}"
fi
if [ -r ${file} ]; then
server_address_search=$(grep "server_address" "${file}" | grep -v '^[[:blank:]]*#' | cut -d'=' -f2)
fi
if [ -n "${server_address_search}" ]; then
server_address="${server_address_search}"
fi
done
if [ -n "${command}" ]; then
echo "Found command in /etc/nagios (take care, in some cases, Nagios can play another command):"
echo " ${command}"
fi
echo "NRPE daemon output:"
"${CHECK_BIN}" -H "${server_address}" -c "check_$1"
monitoringctl check "${1}"
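Review bot: the file mode flips from `Executable file → Normal file` in this commit, so unless the role's copy task sets `mode:` explicitly, the new `check-local` is installed without the execute bit and `check-local load` simply stops working. Behaviour also changes silently: the old script only needed `check_nrpe` and ran as any user, while `monitoringctl` refuses to start unless root (`You need to be root (or use sudo)`), and with no argument `monitoringctl check ""` now runs every configured check instead of printing usage. The coloured banner is also emitted unconditionally, including when stdout is not a terminal; gate it on `[ -t 1 ]` and add `command -v monitoringctl` before delegating.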

nagios-nrpe/files/check-local_completion Normal file → Executable file

@ -1,10 +1,14 @@
#!/usr/bin/env bash #!/usr/bin/env bash
function _get_checks_names() {
grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]=" /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
}
# List of available checks
_check_local_dynamic_completion() { _check_local_dynamic_completion() {
local cur; local cur=${COMP_WORDS[COMP_CWORD]};
cur=${COMP_WORDS[COMP_CWORD]};
COMPREPLY=(); COMPREPLY=( $( compgen -W '$(_get_checks_names)' -- "${cur}" ) );
COMPREPLY=( $( compgen -W '$(grep "\[check_" -Rs /etc/nagios/ | grep -vE "^[[:blank:]]*#" | awk -F"[\\\[\\\]=]" "{print \$2}" | sed "s/check_//" | sort | uniq)' -- $cur ) );
} }
complete -F _check_local_dynamic_completion check-local complete -F _check_local_dynamic_completion check-local
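Review bot: `_get_checks_names` re-implements the `get_checks_names` lookup that `monitoringctl` sources from `/usr/local/lib/monitoringctl/common`, so the two greps will drift and `check-local <TAB>` may offer names that `monitoringctl list` does not (or vice versa). Sourcing the common file when it is readable, and registering this completion for `monitoringctl` as well since `check-local` is now only an alias for it, keeps them consistent.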

nagios-nrpe/files/check_async Normal file → Executable file

nagios-nrpe/files/monitoringctl Executable file

@ -0,0 +1,634 @@
#!/usr/bin/env bash
#set -x
readonly VERSION="24.06.00"
function show_help() {
cat <<EOF
${bold}monitoringctl${no_bold} version ${VERSION}.
${bold}monitoringctl${no_bold} gives some control over NRPE checks and alerts.
Usage: ${bold}monitoringctl${no_bold} [OPTIONS] ACTION ARGUMENTS
${bold}GENERAL OPTIONS${no_bold}
-h, --help Print this message and exit.
-V, --version Print version number and exit.
${bold}ACTIONS${no_bold}
${bold}list${no_bold}
List the checks defined in NRPE configuration.
${bold}status [CHECK_NAME|all]${no_bold}
Print whether alerts are enabled or not (silenced).
If alerts are disabled (silenced), show disable message and time left before automatic re-enabling.
${bold}check [-b|--bypass-nrpe] CHECK_NAME|all${no_bold}
Ask CHECK_NAME status to NRPE as an HTTP request.
Indicates which command NRPE has supposedly run (from its configuration).
-b, --bypass-nrpe Execute directly command from NRPE configuration,
as user nagios, without passing the request to NRPE.
${bold}disable CHECK_NAME|all [-d|--during DURATION] [-m|--message 'DISABLE MESSAGE']${no_bold}
Disable (silence) CHECK_NAME or all alerts for DURATION and write DISABLE MESSAGE into the log.
Checks output is still printed, so alerts history won't be lost.
-d, --during DURATION See section DURATION.
-m, --message 'DISABLE MESSAGE' See section MESSAGE.
${bold}enable CHECK_NAME|all [-m|--message 'ENABLE MESSAGE']${no_bold}
Re-enable CHECK_NAME or all alerts
-m, --message 'ENABLE MESSAGE' See section MESSAGE.
${bold}show CHECK_NAME${no_bold}
Show NPRE command(s) configured for CHECK_NAME
${bold}MESSAGE${no_bold}
Message that will be written in log and in check output when disabled.
It is mandatory, but in interactive shells it can be omitted. In tgis case it is asked interactively.
Warning: In non-interactive shells (scripts, crons…), this option is mandatory.
${bold}DURATION${no_bold}
Time (string) during which alerts will be disabled (optional, default: "1h").
${bold}Format${no_bold}
You can use 'd' (day), 'h' (hour) and 'm' (minute) , or a combination of them, to specify a duration.
Examples: '2d', '1h', '10m', '1h10' ('m' is guessed).
${bold}OTHER NOTES${no_bold}
For actions disable, enable and status, CHECK_NAME is actually the --name option passed to alerts_wrapper, and not the NRPE check name. Both check name and alerts_wrapper --name option should be equal in NRPE configuration to avoid confusion.
Log path: ${log_file}
EOF
}
function list_checks() {
checks="$(get_checks_names)"
for check in $checks; do
echo "${check}"
done
}
function check() {
# $1: check name, "all" or empty
readonly check_nrpe_bin="/usr/lib/nagios/plugins/check_nrpe"
if [ ! -f "${check_nrpe_bin}" ]; then
>&2 echo "${check_nrpe_bin} is missing, please install nagios-nrpe-plugin package."
exit 1
fi
conf_lines="$(get_nrpe_conf "${nrpe_conf_path}")"
server_address=$(echo "$conf_lines" | grep "server_address" | tail -n1 | cut -d'=' -f2)
if [ -z "${server_address}" ]; then server_address="127.0.0.1"; fi
server_port=$(echo "$conf_lines" | grep "server_port" | tail -n1 | cut -d'=' -f2)
if [ -z "${server_port}" ]; then server_port="5666"; fi
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
# Array header for multi-checks
checks="$(get_checks_names)"
header="Check\tStatus\tOutput (truncated)"
underline="-----\t------\t------------------"
str_out="\n${header}\n${underline}\n"
else
checks="${1}"
fi
for check in $checks; do
printf "\033[KChecking %s…\r" "${check}"
err_msg=""
if [ "${bypass_nrpe}" = "False" ]; then
request_command="${check_nrpe_bin} -H ${server_address} -p ${server_port} -c check_${check} 2&>1"
else
check_commands="$(get_check_commands "${check}")"
if [ -n "${check_commands}" ]; then
check_command="$(echo "${check_commands}" | tail -n1)"
request_command="sudo -u nagios -- ${check_command}"
else
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
err_msg="Check command not found in NRPE configuration."
else
err_msg="Error: no command found in NRPE configuration for check '${check}'. Aborted."
fi
fi
fi
if [ -z "${err_msg}" ]; then
check_output="$(${request_command})"
rc="$?"
check_output="$(echo "${check_output}" | tr '\n' ' ')"
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
if [ "${#check_output}" -gt 60 ]; then
check_output="$(echo "${check_output}" | cut -c-80) [...]"
fi
fi
else
check_output="${err_msg}"
rc="3"
fi
case "${rc}" in
0)
rc_str="OK"
color="${green}"
;;
1)
rc_str="Warning"
color="${orange}"
;;
2)
rc_str="Critical"
color="${red}"
;;
3)
rc_str="Unknown"
color="${purple}"
;;
*)
rc_str="Unknown"
color="${purple}"
esac
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
str_out="${str_out}${color}${check}\t${rc_str}${nocolor}\t${check_output}\n"
fi
done
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
echo -e "${str_out}" | column -t -s $'\t'
else
printf "\033[K\n" # erase tmp line « Checking check_toto…»
if [ "${bypass_nrpe}" = "False" ]; then
echo -e "NRPE service output (on ${server_address}:${server_port}):\n"
else
echo -e "Direct check output (bypassing NRPE):\n"
fi
echo -e "${color}${check_output}${nocolor}\n" | sed 's/|/\n/g'
exit "${rc}"
fi
}
# Print error message and exit if not installed
function alerts_switch_is_installed() {
if ! command -v alerts_switch &> /dev/null; then
error "Error: script 'alerts_switch' is not installed. Aborted."
fi
}
function disable_alerts() {
# $1: check name | all
# $2: disable message
alerts_switch_is_installed
if [ "${1}" = "all" ]; then
checks="$(get_checks_names)"
else
checks="${1}"
fi
warn_not_wrapped "${checks}"
warn_wrapper_names "${checks}"
if [ -z "${2}" ]; then
if [ "${is_interactive}" = "False" ]; then
error "Error: disable message option is mandatory in non-interactive shell."
fi
echo -n "> Please provide a disable message (for logging and check output): "
read -r message
echo ''
if [ -z "${message}" ]; then
error "${red}Error:${nocolor} disable message is mandatory."
fi
else
message="${2}"
fi
default_msg=""
if [ "${default_duration}" = "True" ]; then
default_msg=" (use --during to change default time)"
fi
if [ "${1}" = "all" ]; then
check_txt="All checks"
else
check_txt="Check ${1}"
fi
echo_box "${check_txt} will be disabled for ${duration}${default_msg}."
cat <<EOF
Additional information:
* Alerts history is kept in our monitoring system.
* To see when the will be re-enabled, execute 'monitoringctl status ${1}'.
* To re-enable alert(s) before ${duration}, execute as root or with sudo: 'monitoringctl enable ${1}'.
EOF
if [ "${1}" != "all" ]; then
if is_check "${1}"; then
wrapper="$(get_check_wrapper_name "${1}")"
else
wrapper="${1}"
fi
checks="$(get_wrapper_checks "${wrapper}")"
n_checks="$(echo "${checks}" | wc -w)"
if [ "${n_checks}" -gt 1 ]; then
>&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, disabling ${1} will disable: ${checks}.\n"
log "Warning: disabling ${1} will disable ${checks} (which have the same wrapper name)."
fi
else
wrapper="all"
fi
if [ "${is_interactive}" = "True" ]; then
echo -n "> Confirm (y/N)? "
read -r answer
if [ "${answer}" != "Y" ] && [ "${answer}" != "y" ]; then
echo -e "${orange}Canceled.${nocolor}" && exit 0
fi
fi
log "Action disable ${1} requested for ${duration} by user $(logname || echo unknown)."
alerts_switch disable "${wrapper}" --during "${duration}" --message "${message}"
if [ "${1}" != "all" ]; then
if [ "${n_checks}" -eq 1 ]; then
echo -e "${orange}Check ${1} alerts are now disabled for ${duration}.${nocolor}"
else
echo -e "${orange}Alerts are now disabled for ${duration} for checks: ${checks}.${nocolor}"
fi
else
echo -e "${orange}All alerts are now disabled for ${duration}.${nocolor}"
fi
}
function enable_alerts() {
# $1: check name, $2: enable message
alerts_switch_is_installed
if [ "${1}" != "all" ]; then
# Verify that check is not already enabled
is_disabled="$(is_disabled_check "${1}")"
if [ "${is_disabled}" = "False" ]; then
echo "${1} is already enabled, see 'monitoringctl status'"
exit 0
fi
fi
if [ -z "${2}" ]; then
if [ "${is_interactive}" = "False" ]; then
error "Error: disable message option is mandatory in non-interactive shell."
fi
echo -n "> Please provide an enable message (for logging): "
read -r message
echo ''
if [ -z "${message}" ]; then
error "${red}Error:${nocolor} disable message is mandatory."
fi
else
message="${2}"
fi
log "Action enable ${1} requested by user $(logname || echo unknown)."
if [ "${1}" != "all" ]; then
if is_check "${1}"; then
wrapper="$(get_check_wrapper_name "${1}")"
else
wrapper="${1}"
fi
checks="$(get_wrapper_checks "${wrapper}")"
n_checks="$(echo "${checks}" | wc -w)"
if [ "${n_checks}" -gt 1 ]; then
>&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, enabling ${1} will enable: ${checks}.\n"
log "Warning: check ${1} will enable ${checks} (which have the same wrapper name)."
fi
else
wrapper="all"
fi
alerts_switch enable "${wrapper}" --message "${message}"
if [ "${1}" != "all" ]; then
if [ "${n_checks}" -eq 1 ]; then
echo -e "${green}Check ${1} alerts are now enabled.${nocolor}"
else
echo -e "${green}Alerts are now enabled for checks: ${checks}.${nocolor}"
fi
else
echo -e "${green}All alerts are now enabled.${nocolor}"
fi
}
# Show NRPE command(s) configured for a check
function show_check_commands() {
# $1: check name
check_commands=$(get_check_commands "${1}")
if [ -z "${check_commands}" ]; then
usage_error "Error: no command found in NRPE configuration for check '${1}."
fi
n_commands="$(echo "${check_commands}" | wc -l)"
if [ "${n_commands}" -ne 1 ]; then
echo "Available commands (in config order, the last one overwrites the others):"
echo " $check_commands"
fi
check_command=$(echo "${check_commands}" | tail -n1)
echo "Command used by NRPE:"
echo " ${check_command}"
}
# Print a warning if some wrappers have the same name
# or if a name is different from the check.
function warn_wrapper_names() {
#$1: checks to verify
warned="False"
for check in ${1}; do
wrapper_name="$(get_check_wrapper_name "${check}")"
if [ -n "${wrapper_name}" ] && [ "${wrapper_name}" != "${check}" ]; then
>&2 echo -e "${orange}Warning:${nocolor} ${check} check has wrapper name ${wrapper_name}."
warned="True"
fi
done
if [ "${warned}" = "True" ]; then
>&2 echo -e "${orange}It is recommanded to name the wrappers the same as the checks.${nocolor}\n"
fi
}
# Print a warning if some checks are not wrapped
function warn_not_wrapped() {
#$1: checks to verify
unwrappeds="$(not_wrapped_checks)"
unwrapped_checks="$(comm -12 <(echo "${1}") <(echo "${unwrappeds}"))"
if [ -n "${unwrapped_checks}" ]; then
n_checks="$(echo "${1}" | wc -w)"
n_unwrapped="$(echo "${unwrapped_checks}" | wc -w)"
if [ "${n_unwrapped}" == "${n_checks}" ]; then
if [ "${n_unwrapped}" -eq 1 ]; then
error "${red}Error:${nocolor} ${1} check is not wrapped, it cannot be disabled."
else
error "${red}Error:${nocolor} these checks are not wrapped, they cannot be disabled: $(echo "${unwrapped_checks}" | xargs)"
fi
else
if [ "${n_unwrapped}" -eq 1 ]; then
>&2 echo -e "${orange}Warning:${nocolor} ${unwrapped_checks} check is not wrapped, it will not be disabled."
else
>&2 echo -e -n "${orange}Warning:${nocolor} some checks are not configured, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)\n\n"
fi
fi
log "Warning: some checks have no alerts_wrapper, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)"
fi
}
# Echo a message in a box
function echo_box() {
# $1: message
msg_len="${#1}"
line="$(printf '─%.0s' $(eval "echo {1.."${msg_len}"}"))"
cat <<EOF
┌${line}┐
│${1}│
└${line}┘
EOF
}
# Echo which checks are enabled or disabled and time left
function alerts_status() {
# $1: check name, "all" or empty
if [ -z "${1}" ] || [ "${1}" = "all" ]; then
checks="$(get_checks_names)"
else
checks="${1}"
fi
warn_wrapper_names "${checks}"
header="Check\tStatus\tRe-enable time\tDisable message"
underline="-----\t------\t--------------\t---------------"
str_out="${header}\n${underline}\n"
for check in $checks; do
enable_str=""
status_str="Enabled"
disable_msg=""
if ! is_wrapped "${check}"; then
status_str="Not configured"
else
is_disabled="$(is_disabled_check "${check}")"
wrapper_name="$(get_check_wrapper_name "${check}")"
if [ "${is_disabled}" = "True" ]; then
status_str="Disabled"
enable_time="$(get_enable_time "${wrapper_name}")"
enable_delay="$(enable_delay "${enable_time}")"
delay_str="$(delay_to_string "${enable_delay}")"
enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
enable_str="${enable_date} (${delay_str} left)"
disable_msg="$(get_disable_message "${wrapper_name}")"
fi
fi
case "${status_str}" in
"Enabled")
color="${green}"
;;
"Disabled")
color="${orange}"
;;
*)
color="${red}"
esac
str_out="${str_out}${color}${check}\t${status_str}${nocolor}\t${enable_str}\t${disable_msg}\n"
done
echo -e "${str_out}" | column -t -s $'\t'
}
### MAIN #########################################
red=''
green=''
orange=''
purple=''
nocolor=''
bold=''
no_bold=''
# Is interactive shell ?
if [ -t 0 ] && [ -t 1 ]; then
readonly is_interactive="True"
red="\e[0;31m"
green="\e[0;32m"
orange="\e[0;33m"
purple="\e[0;35m"
nocolor="\e[0m"
bold="$(tput bold)"
no_bold="$(tput sgr0)"
else
readonly is_interactive="False"
fi
# Load common functions and vars
readonly lib_dir="/usr/local/lib/monitoringctl"
if [ -r "${lib_dir}/common" ]; then
# shellcheck source=monitoringctl_common
source "${lib_dir}/common"
else
>&2 echo "Error: missing ${lib_dir}/common file."
exit 1
fi
if [[ ! "${PATH}" =~ /usr/local/bin ]]; then
PATH="/usr/local/bin:${PATH}"
fi
# Must be root
if [ "$(id -u)" -ne 0 ]; then
>&2 echo "You need to be root (or use sudo) to run ${0}!"
exit 1
fi
# No argument
if [ "$#" = "0" ]; then
show_help
exit 1
fi
# Default arguments and options
action=""
message=""
duration="${default_disabled_time}"
bypass_nrpe="False"
default_duration="True"
# Parse arguments and options
while :; do
case "${1}" in
-h|-\?|--help)
show_help
exit 0;;
-V|--version)
show_version
exit 0;;
-b|--bypass-nrpe)
bypass_nrpe="True"
shift;;
-d|--during)
if [ "${default_duration}" = "False" ]; then
usage_error "Option --during: defined multiple times."
fi
if [ "$#" -lt 2 ]; then
usage_error "Option --during: missing value."
fi
if filter_duration "${2}"; then
duration="${2}"
else
usage_error "Option --during: \"${2}\" is not a valid duration."
fi
default_duration="False"
shift; shift;;
-m|--message)
if [ "$#" -lt 2 ]; then
usage_error "Option --message: missing message string."
fi
message="${2}"
shift; shift;;
status|check|enable|disable|show|list)
action="${1}"
shift;;
*)
if [ -z "${1}" ]; then
break
fi
case "${action}" in
status|check)
if is_check "${1}" || [ "${1}" = "all" ]; then
check_name="${1}"
else
usage_error "Action ${action}: unknown check '${1}'."
fi
;;
show)
if is_check "${1}"; then
check_name="${1}"
else
usage_error "Action ${action}: unknown check '${1}'."
fi
;;
enable|disable)
if is_wrapper "${1}" || is_check "${1}" || [ "${1}" = "all" ]; then
check_name="${1}"
else
# We use the word "check" for the end user,
# but this is actually "unknown wrapper"
usage_error "Action ${action}: unknown check '${1}'."
fi
;;
*)
usage_error "Missing or invalid ACTION argument."
;;
esac
shift;;
esac
done
if [ "$#" -gt 0 ]; then
usage_error "Too many arguments."
fi
case "${action}" in
disable|enable|show)
if [ -z "${check_name}" ]; then
usage_error "Action ${action}: missing CHECK_NAME argument."
fi
;;
esac
if [ ! "${action}" = "disable" ]; then
if [ "${default_duration}" = "False" ]; then
usage_error "Action ${action}: there is no --during option."
fi
fi
case "${action}" in
list)
list_checks
;;
status)
alerts_status "${check_name}"
;;
check)
check "${check_name}"
;;
show)
show_check_commands "${check_name}"
;;
enable)
enable_alerts "${check_name}" "${message}"
;;
disable)
disable_alerts "${check_name}" "${message}"
;;
esac
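Review bot: `request_command="${check_nrpe_bin} -H ${server_address} -p ${server_port} -c check_${check} 2&>1"` does not redirect anything: the string is later executed by plain word splitting (`check_output="$(${request_command})"`), so `2&>1` is handed to `check_nrpe` as a literal extra argument, and even if a shell did parse it, `2&>1` means "argument `2`, then clobber a file named `1` with stdout and stderr", not `2>&1`. Drop it from the variable and put `2>&1` on the command substitution itself. Two smaller points in the same function: the truncation test is `-gt 60` but the cut is `cut -c-80`, so outputs of 61 to 80 characters get a misleading `[...]` appended to untruncated text; and with `--bypass-nrpe` the config line is executed as `sudo -u nagios -- ${check_command}` unquoted, so quoted arguments in `nrpe.cfg` are split differently from how NRPE runs them, which can make "works with -b, fails via NRPE" (or the reverse) hard to explain. The root check also sits before argument parsing, so even `--help` and `list` need sudo. Typos in the help and messages: `NPRE`, `tgis`, `recommanded`, "To see when the will be re-enabled".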


@ -0,0 +1,292 @@
#!/usr/bin/env bash
# Location of disable files
readonly var_dir="/var/lib/monitoringctl"
readonly log_file="/var/log/monitoringctl.log"
readonly nrpe_conf_path="/etc/nagios/nrpe.cfg"
debian_major_version="$(cut -d "." -f 1 < /etc/debian_version)"
readonly debian_major_version
# If no time limit is provided in CLI or found in file, this value is used
readonly default_disabled_time="1h"
_nrpe_conf_lines='' # populated at the end of the file
function error() {
# $1: error message
>&2 echo -e "${1}"
exit 1
}
function usage_error() {
# $1: error message
>&2 echo "${1}"
>&2 echo "Execute \"${PROGNAME} --help\" for information on usage."
exit 1
}
function log() {
# $1: message
echo "$(now_iso) - ${PROGNAME}: ${1}" >> "${log_file}"
}
function show_version() {
cat <<END
${PROGNAME} version ${VERSION}.
Copyright 2018-2024 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
# Fail if argument does not respect format: XwXdXhXmXs, XhX, XmX
function filter_duration() {
# $1: duration in format specified above
_time_regex="^([0-9]+d)?(([0-9]+h(([0-9]+m?)|([0-9]+m([0-9]+s?)?))?)|(([0-9]+m([0-9]+s?)?)?))?$"
if [[ "${1}" =~ ${_time_regex} ]]; then
return 0
fi
return 1
}
# Convert human writable duration into seconds
function time_to_seconds() {
# $1: formated time string
if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
elif echo "${1}" | grep -E -q '^([0-9]+h[0-9]+$)'; then
echo "${1}" | sed 's/h/ * 3600 + /g; s/$/ * 60/' | xargs expr
elif echo "${1}" | grep -E -q '^([0-9]+m[0-9]+$)'; then
echo "${1}" | sed 's/m/ * 60 + /g' | xargs expr
else
error "Invalid duration: '${1}'."
fi
}
# Print re-enable time in secs
function get_enable_time() {
# $1: wrapper name
_disable_file_path="$(get_disable_file_path "${1}")"
if [ ! -e "${_disable_file_path}" ]; then
return
fi
_enable_secs="$(grep -v -E "^\s*#" "${_disable_file_path}" | sed '/^$/d' | head -n1 | awk '/^[0-9]+$/ {print $1}')"
# If file is empty, use file last change date plus default disabled time
if [ -z "${_enable_secs}" ]; then
_file_last_change_secs="$(stat -c %Z "${_disable_file_path}")"
_default_disabled_time_secs="$(time_to_seconds "${default_disabled_time}")"
_enable_secs="$(( _file_last_change_secs + _default_disabled_time_secs ))"
fi
echo "${_enable_secs}"
}
# Print disable message
function get_disable_message() {
# $1: wrapper name
_disable_file_path="$(get_disable_file_path "${1}")"
if [ ! -e "${_disable_file_path}" ]; then
return
fi
_disable_msg="$(sed '/^$/d' "${_disable_file_path}" | tail -n+2 | tr '\n' ' ' | awk '{$1=$1;print}')"
echo "${_disable_msg}"
}
function now_secs() {
date +"%s"
}
function now_iso() {
date --iso-8601=seconds
}
# Print delay before re-enable in secs
function enable_delay() {
# $1: re-enable time in secs
echo $(( ${1} - $(now_secs) ))
}
# Converts delay (in seconds) into human readable duration
function delay_to_string() {
# $1: delay in secs
_delay_days="$(( ${1} /86400 ))"
if [ "${_delay_days}" -eq 0 ]; then _delay_days=""
else _delay_days="${_delay_days}d"; fi
_delay_hours="$(( (${1} %86400) /3600 ))"
if [ "${_delay_hours}" -eq 0 ]; then _delay_hours=""
else _delay_hours="${_delay_hours}h"; fi
_delay_minutes="$(( ((${1} %86400) %3600) /60 ))"
if [ "${_delay_minutes}" -eq 0 ]; then _delay_minutes=""
else _delay_minutes="${_delay_minutes}m"; fi
_delay_seconds="$(( ((${1} %86400) %3600) %60 ))"
if [ "${_delay_seconds}" -eq 0 ]; then _delay_seconds=""
else _delay_seconds="${_delay_seconds}s"; fi
echo "${_delay_days}${_delay_hours}${_delay_minutes}${_delay_seconds}"
}
function is_disabled_check() {
# $1: check name
_wrapper="$(get_check_wrapper_name "${1}")"
is_disabled_wrapper "${_wrapper}"
}
function is_disabled_wrapper() {
# $1: wrapper name
_wrapper="${1}"
_disable_file_path="$(get_disable_file_path "${_wrapper}")"
if [ -e "${_disable_file_path}" ]; then
_enable_time="$(get_enable_time "${_wrapper}")"
_enable_delay="$(enable_delay "${_enable_time}")"
if [ "${_enable_delay}" -le "0" ]; then
echo "False"
else
echo "True"
fi
else
echo False
fi
}
function get_disable_file_path() {
# $1: wrapper name
echo "${var_dir}/${1}_alerts_disabled"
}
### Nagios configuration functions ####################
# Print NRPE configuration, with includes, without comments
# and in the same order than NRPE does (taking account that
# order changes from Deb10)
function get_nrpe_conf() {
echo "${_nrpe_conf_lines}"
}
# Private function to recursively get NRPE conf from file
function _get_conf_from_file() {
# $1: NRPE conf file (.cfg)
if [ ! -f "${1}" ]; then return; fi
_conf_lines=$(grep -E -R -v --no-filename "^\s*(#.*|)$" "${1}")
while read -r _line; do
if [[ "${_line}" =~ .*'include='.* ]]; then
_conf_file=$(echo "${_line}" | cut -d= -f2)
_get_conf_from_file "${_conf_file}"
elif [[ "${_line}" =~ .*'include_dir='.* ]]; then
_conf_dir=$(echo "${_line}" | cut -d= -f2)
_get_conf_from_dir "${_conf_dir}"
else
echo "${_line}"
fi
done <<< "${_conf_lines}"
}
# Private function to recursively get NRPE conf from directory
function _get_conf_from_dir() {
# $1: NRPE conf dir
if [ ! -d "${1}" ]; then return; fi
if [ "${debian_major_version}" -ge 10 ]; then
# From Deb10, NRPE use scandir() with alphasort() function
_sort_command="sort"
else
# Before Deb10, NRPE use loaddir(), like find utility
_sort_command="cat -"
fi
# Add conf files in dir to be processed recursively
for _file in $(find "${1}" -maxdepth 1 -name "*.cfg" 2> /dev/null | ${_sort_command}); do
if [ -f "${_file}" ]; then
_get_conf_from_file "${_file}"
elif [ -d "${_file}" ]; then
_get_conf_from_dir "${_file}"
fi
done
}
# Print the checks that are configured in NRPE
function get_checks_names() {
echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
}
# Print the commands defined for check $1 in NRPE configuration
function get_check_commands() {
# $1: check name
echo "${_nrpe_conf_lines}" | grep -E "command\[check_${1}\]" | cut -d'=' -f2-
}
# Print the checks that have no alerts_wrapper in NRPE configuration
function not_wrapped_checks() {
for _check in $(get_checks_names); do
if ! is_wrapped "${_check}"; then
echo "${_check}"
fi
done
}
# Fail if check is not wrapped
function is_wrapped() {
# $1: check name
_cmd=$(get_check_commands "${1}" | tail -n1)
if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
return 0
fi
return 1
}
# Print the names that are defined in the wrappers of the checks
function get_wrappers_names() {
echo "${_nrpe_conf_lines}" | grep -s "alerts_wrapper" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
}
# Print the wrapper name of the check
function get_check_wrapper_name() {
# $1: check name
_cmd=$(get_check_commands "${1}" | tail -n1)
if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
echo "${_cmd}" | awk '/--name/ {match($0, /--name\s*([a-zA-Z0-9_\-]*)\s*/, m); print m[1]}'
fi
}
function is_check() {
# $1: check name
_checks="$(get_checks_names)"
if echo "${_checks}" | grep --quiet -E "^${1}$"; then
return 0
fi
return 1
}
function is_wrapper() {
# $1: wrapper name
_wrappers="$(get_wrappers_names)"
if echo "${_wrappers}" | grep --quiet -E "^${1}$"; then
return 0
fi
return 1
}
# Print the checks that name this wrapper
function get_wrapper_checks() {
# $1: wrapper name
echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | grep -E "\-\-name\s*${1}" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq | xargs
}
# Load NRPE configuration
_nrpe_conf_lines="$(_get_conf_from_file "${nrpe_conf_path}")"
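Review bot: `get_check_wrapper_name` extracts the `--name` value with the three-argument `match($0, /…/, m)`, which is a gawk extension; on a Debian host where `awk` is mawk (the default, and nothing in the accompanying tasks installs gawk) the program fails to parse, the function prints nothing, and `is_disabled_check` goes on to test a disable file for an empty wrapper name. `get_wrappers_names` already parses `-n|--name` with a portable field loop; reuse that form here. Separately, names taken from the command line are interpolated unescaped into `grep -E` patterns in `get_check_commands` (`command\[check_${1}\]`), `is_check` and `is_wrapper` (`^${1}$`) and `get_wrapper_checks` (`\-\-name\s*${1}`, which also has no trailing anchor, so `--name disk` matches `disk1`); use `grep -Fx -- "${1}"` for the exact-name tests and terminate the wrapper pattern with `(\s|$)`. Finally, the comment above `filter_duration` promises `XwXdXhXmXs`, but the regex accepts neither a `w` component nor a bare `Ns`, while `time_to_seconds` does accept weeks; align the two or fix the comment.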


@ -0,0 +1,88 @@
#!/usr/bin/bash
#
function _get_wrappers_names() {
grep "alerts_wrapper" --no-filename --no-messages -R /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
}
function _get_checks_names() {
grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]=" /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
}
function _monitoringctl_completion() {
local cur=${COMP_WORDS[COMP_CWORD]};
local prev=${COMP_WORDS[COMP_CWORD-1]};
local action=""
for w in "${COMP_WORDS[@]}"; do
case "$w" in
status|check|enable|disable|show|list)
action="${w}"
;;
esac
done
local words="--help"
case "${action}" in
check|show)
checks="$(_get_checks_names)"
check=""
for w in "${COMP_WORDS[@]}"; do
for c in ${checks}; do
if [ "${c}" == "${w}" ]; then
check="${w}"
break
fi
done
done
if [ -z "${check}" ]; then
words="${checks} ${words}"
fi
if [ "${action}" == "check" ]; then
words="all --bypass-nrpe ${words}"
fi
;;
status)
if [ "${prev}" == "status" ]; then
words="all $(_get_checks_names)"
fi
;;
enable)
if [ "${prev}" == "enable" ]; then
words="all $(_get_wrappers_names)"
else
words="--message ${words}"
fi
;;
disable)
if [ "${prev}" == "disable" ]; then
words="all $(_get_wrappers_names)"
elif [ "${prev}" == "-d" ] || [ "${prev}" == "--during" ]; then
words="1d 1d12h 1h 1h30m 1m 1m30s 30s"
else
words="--during --message ${words}"
fi
;;
*)
words="status check enable disable show list ${words}"
;;
esac
# Avoid double
opts=();
for i in ${words}; do
for j in "${COMP_WORDS[@]}"; do
if [[ "$i" == "$j" ]]; then
continue 2
fi
done
opts+=("$i")
done
COMPREPLY=($(compgen -W "${opts[*]}" -- "${cur}"))
return 0
}
complete -F _monitoringctl_completion monitoringctl
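Review bot: `checks`, `check` and `opts` are assigned without `local` in `_monitoringctl_completion`, so every completion leaks them into the interactive shell as globals and clobbers any variable of the same name the user had; declare them `local` like `cur`, `prev`, `action` and `words`. The duration suggestions for `--during` include `30s`, which `filter_duration` in monitoringctl_common rejects (its regex has no bare-seconds branch), so picking the suggested value fails validation. Minor: `#!/usr/bin/bash` differs from the `#!/usr/bin/env bash` used by the other scripts; the shebang is unused because bash-completion sources the file, but `/usr/bin/env bash` keeps the tree consistent.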


@ -0,0 +1,75 @@
#!/usr/bin/env bash
function help() {
echo "Check the number of proftpd user with 'ftpcount' output."
echo "Usage:"
echo " check_proftpd_user -w|warning <WARN_THRESHOLD> -c|critical <CRITICAL_THRESHOLD>"
}
warn="-1"
crit="-1"
while [ $# -gt 0 ]; do
case "${1}" in
-h|--help)
show_help
exit 0
;;
-c|--critical)
crit="${2}"
shift
shift
;;
-w|--warning)
warn="${2}"
shift
shift
;;
*)
>&2 echo "Error: unknown argument ${1}, exit."
help
exit 3
esac
done
if [ "${warn}" == "-1" ]; then
echo "Error: warning threshold no defined, exit."
help
exit 3
fi
if [ "${crit}" == "-1" ]; then
echo "Error: critical threshold no defined, exit."
help
exit 3
fi
if [[ "${warn}" =~ [^0-9] ]]; then
echo "Error: warning threshold must be an integer, exit."
help
exit 3
fi
if [[ "${crit}" =~ [^0-9] ]]; then
echo "Error: critical threshold must be an integer, exit."
help
exit 3
fi
if ! command -v ftpcount > /dev/null; then
echo "Error: missing 'ftpcount' command, cannot check users count."
exit 3
fi
n_users="$(ftpcount | awk '/users/{print $4}')"
if [ "${n_users}" -gt "${crit}" ]; then
echo "CRITICAL - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
exit 2
elif [ "${n_users}" -gt "${warn}" ]; then
echo "WARNING - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
exit 1
else
echo "OK - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
exit 0
fi
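Review bot: the `-h|--help` branch calls `show_help`, but the function defined at the top is `help`, so `-h` prints a "command not found" error and still exits 0; rename one of them. The usage line reads `-w|warning` and `-c|critical` where the parser actually accepts `-w|--warning` and `-c|--critical`. After `n_users="$(ftpcount | awk ...)"`, an empty result (no matching line, or ftpcount failing) makes both `[ "" -gt ... ]` tests error out with status 2, which falls through to the `else` branch and reports `OK -  ftp users connected` with exit 0, masking the failure; guard with `[[ "${n_users}" =~ ^[0-9]+$ ]] || { echo "UNKNOWN - cannot parse ftpcount output"; exit 3; }`. Also "no defined" should read "not defined" in the two threshold messages, and the usage text names the plugin `check_proftpd_user` while the NRPE template in this same change refers to `/usr/local/lib/nagios/plugins/check_ftp_users`; one of the two needs to match the installed file name.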


@ -1,34 +0,0 @@
---
# Install check-local utilitary
- name: Package nagios-nrpe-plugin is intalled
ansible.builtin.apt:
name: nagios-nrpe-plugin
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
- name: Utilitary check-local is installed
ansible.builtin.copy:
src: check-local
dest: /usr/local/bin/check-local
mode: "0755"
- name: Package bash-completion is installed
ansible.builtin.apt:
name: bash-completion
- name: Directory /etc/bash_completion.d exists
ansible.builtin.file:
path: '/etc/bash_completion.d'
state: directory
mode: '0644'
- name: Completion for utilitary check-local is installed
ansible.builtin.copy:
src: check-local_completion
dest: /etc/bash_completion.d/check-local
mode: "0755"


@ -91,6 +91,5 @@
tags: tags:
- nagios-nrpe - nagios-nrpe
- ansible.builtin.include_tasks: wrapper.yml - ansible.builtin.include_tasks: monitoringctl.yml
- ansible.builtin.include_tasks: check-local.yml


@ -0,0 +1,162 @@
---
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
### alerts_wrapper and alerts_switch section
- name: "dir /usr/local/lib/monitoringctl/ exists"
ansible.builtin.file:
path: /usr/local/lib/monitoringctl/
state: directory
mode: '0755'
- name: "check if old alerts_switch script is present"
ansible.builtin.stat:
path: /usr/share/scripts/alerts_switch
register: old_alerts_switch
- name: "alerts_switch is at the right place"
ansible.builtin.command:
cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
args:
creates: /usr/local/bin/alerts_switch
when: old_alerts_switch.stat.exists
- name: "copy alerts_switch"
ansible.builtin.copy:
src: alerts_switch
dest: /usr/local/bin/alerts_switch
owner: root
group: root
mode: "0750"
force: true
- name: "alerts_switch symlink for backward compatibility"
ansible.builtin.file:
src: /usr/local/bin/alerts_switch
path: /usr/share/scripts/alerts_switch
state: link
when: old_alerts_switch.stat.exists
- name: "nagios user can run alerts_switch with sudo (used by alerts_wrapper)"
ansible.builtin.lineinfile:
path: /etc/sudoers.d/monitoringctl
regexp: "nagios.*alerts_switch"
line: "nagios ALL = NOPASSWD:/usr/local/bin/alerts_switch *"
create: true
owner: root
group: root
mode: "640"
validate: "visudo -c -f %s"
- name: "check if old alerts_wrapper script is present"
ansible.builtin.stat:
path: "{{ nagios_plugins_directory }}/alerts_wrapper"
register: old_alerts_wrapper
- name: "alerts_wrapper is at the right place"
ansible.builtin.command:
cmd: "mv {{ nagios_plugins_directory }}/alerts_wrapper /usr/local/lib/monitoringctl/alerts_wrapper"
creates: /usr/local/lib/monitoringctl/alerts_wrapper
when: old_alerts_wrapper.stat.exists
- name: "copy alerts_wrapper"
ansible.builtin.copy:
src: alerts_wrapper
dest: "/usr/local/lib/monitoringctl/alerts_wrapper"
owner: root
group: staff
mode: "0755"
force: true
- name: "alerts_wrapper symlink for backward compatibility"
ansible.builtin.file:
src: /usr/local/lib/monitoringctl/alerts_wrapper
path: "{{ nagios_plugins_directory }}/alerts_wrapper"
state: link
when:
- old_alerts_wrapper.stat.exists
- not ansible_check_mode
- name: "copy monitoringctl_common lib"
ansible.builtin.copy:
src: monitoringctl_common
dest: /usr/local/lib/monitoringctl/common
owner: root
group: root
mode: "0644"
force: true
### monitoringctl section
- name: "package bash-completion is installed"
ansible.builtin.apt:
name: bash-completion
- name: "package nagios-nrpe-plugin is installed"
ansible.builtin.apt:
name: nagios-nrpe-plugin
- name: "directory /etc/bash_completion.d exists"
ansible.builtin.file:
path: '/etc/bash_completion.d'
state: directory
mode: '0755'
- name: "dir /var/lib/monitoringctl/ exists"
ansible.builtin.file:
path: /var/lib/monitoringctl/
state: directory
mode: '0755'
- name: "monitoringctl is not in /usr/local/sbin/"
ansible.builtin.file:
path: /usr/local/sbin/monitoringctl
state: absent
- name: "copy monitoringctl"
ansible.builtin.copy:
src: monitoringctl
dest: /usr/local/bin/monitoringctl
owner: root
group: root
mode: "0755"
force: true
- name: "copy monitoringctl_common lib"
ansible.builtin.copy:
src: monitoringctl_common
dest: /usr/local/lib/monitoringctl/common
owner: root
group: root
mode: "0644"
force: true
- name: "copy monitoringctl_completion script"
ansible.builtin.copy:
src: monitoringctl_completion
dest: /etc/bash_completion.d/monitoringctl
owner: root
group: root
mode: "0644"
force: true
- name: "copy check-local (it's just a wrapper calling 'monitoringctl check' for backward compatibility)"
ansible.builtin.copy:
src: check-local
dest: /usr/local/bin/check-local
owner: root
group: root
mode: "0755"
force: true
- name: "copy completion for check-local"
ansible.builtin.copy:
src: check-local_completion
dest: /etc/bash_completion.d/check-local
mode: "0755"
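Review bot: the sudoers rule `nagios ALL = NOPASSWD:/usr/local/bin/alerts_switch *` lets the nagios user run a root-owned script with any argument string (a `*` in sudoers command arguments matches across word boundaries, so it covers any number of arguments), which makes the whole argument-parsing surface of alerts_switch run as root on behalf of the monitoring user; either enumerate the invocations alerts_wrapper actually needs, or make sure alerts_switch validates every argument strictly and document that expectation next to the rule. The "copy monitoringctl_common lib" task appears twice with identical parameters (once in the alerts_wrapper section, once in the monitoringctl section); keep one. The sudoers file mode is written `"640"` while every other mode in the file carries a leading zero (`"0750"`, `"0755"`); quoted without the zero Ansible still parses it as octal, but the inconsistency invites a future unquoted edit that would be read as decimal. The check-local completion file is copied with mode `"0755"` and no owner/group, while the monitoringctl completion file gets `"0644"` root:root; sourced completion files do not need the execute bit.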


@ -1,43 +0,0 @@
---
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
- name: check if old script is present
ansible.builtin.stat:
path: /usr/share/scripts/alerts_switch
register: old_alerts_switch
- name: alerts_switch is at the right place
ansible.builtin.command:
cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
args:
creates: /usr/local/bin/alerts_switch
when: old_alerts_switch.stat.exists
- name: "copy alerts_switch"
ansible.builtin.copy:
src: alerts_switch
dest: /usr/local/bin/alerts_switch
owner: root
group: root
mode: "0750"
force: true
- name: "symlink for backward compatibility"
ansible.builtin.file:
src: /usr/local/bin/alerts_switch
dest: /usr/share/scripts/alerts_switch
state: link
when: old_alerts_switch.stat.exists
- name: "copy alerts_wrapper"
ansible.builtin.copy:
src: alerts_wrapper
dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
owner: root
group: staff
mode: "0755"
force: true


@ -6,94 +6,102 @@
# Allowed IPs # Allowed IPs
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
# System checks # Default activated checks
command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
# Generic services checks ## System checks
command[check_smtp]=/usr/lib/nagios/plugins/check_smtp -H localhost command[check_disk1]=/usr/local/lib/monitoringctl/alerts_wrapper --name disk1 /usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
command[check_dns]=/usr/lib/nagios/plugins/check_dns -H evolix.net command[check_load]=/usr/local/lib/monitoringctl/alerts_wrapper --name load /usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
command[check_ntp]=/usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }} command[check_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name mem {{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
command[check_ssh]=/usr/lib/nagios/plugins/check_ssh localhost command[check_pressure_cpu]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_cpu /usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20 command[check_pressure_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_mem /usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
command[check_pressure_io]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_io /usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
command[check_swap]=/usr/local/lib/monitoringctl/alerts_wrapper --name swap /usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
command[check_total_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name total_procs sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
command[check_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name users /usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_zombie_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name zombie_procs sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
# Specific services checks ## Generic services checks
command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}' command[check_dns]=/usr/local/lib/monitoringctl/alerts_wrapper --name dns /usr/lib/nagios/plugins/check_dns -H evolix.net
command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf command[check_mailq]=/usr/local/lib/monitoringctl/alerts_wrapper --name mailq /usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600 command[check_ntp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ntp /usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini command[check_smtp]=/usr/local/lib/monitoringctl/alerts_wrapper --name smtp /usr/lib/nagios/plugins/check_smtp -H localhost
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini command[check_ssh]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssh /usr/lib/nagios/plugins/check_ssh localhost
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
command[check_http]=/usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
command[check_https]=/usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
command[check_tse]=/usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
command[check_jboss-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
command[check_jboss-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379
command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup
command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
# "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
command[check_bkctld]=sudo /usr/sbin/bkctld check
command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor
command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
command[check_dockerd]=/usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
# Local checks (not packaged) ## Local checks (not packaged)
command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall
command[check_amavis]={{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
command[check_spamd]={{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
command[check_nfsclient]=sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient # Optionnal checks
command[check_evobackup]={{ nagios_plugins_directory }}/check_evobackup
command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }} ## Specific services checks
command[check_drbd]={{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone #command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect #command[check_mysql]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql /usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0 #command[check_mysql_slave]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql_slave /usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord #command[check_ldap]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldap /usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4 #command[check_ldaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldaps /usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain #command[check_imap]=/usr/local/lib/monitoringctl/alerts_wrapper --name imap /usr/lib/nagios/plugins/check_imap -H localhost
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall #command[check_imaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name imaps /usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances #command[check_imapproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name imapproxy /usr/lib/nagios/plugins/check_imap -H localhost -p 1143
command[check_sentinel]=sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf #command[check_pop]=/usr/local/lib/monitoringctl/alerts_wrapper --name pop /usr/lib/nagios/plugins/check_pop -H localhost
command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid #command[check_pops]=/usr/local/lib/monitoringctl/alerts_wrapper --name pops /usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
command[check_php-fpm]={{ nagios_plugins_directory }}/check_phpfpm_multi #command[check_ftp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp /usr/lib/nagios/plugins/check_ftp -H localhost
command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/ #command[check_ftp_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp_users /usr/local/lib/nagios/plugins/check_ftp_users -w 20 -c 40
command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/ #command[check_http]=/usr/local/lib/monitoringctl/alerts_wrapper --name http /usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/ #command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https /usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ #command[check_bind]=/usr/local/lib/monitoringctl/alerts_wrapper --name bind /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ #command[check_unbound]=/usr/local/lib/monitoringctl/alerts_wrapper --name unbound /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ #command[check_smb]=/usr/local/lib/monitoringctl/alerts_wrapper --name smb /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ #command[check_tse]=/usr/local/lib/monitoringctl/alerts_wrapper --name tse /usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ #command[check_jboss-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-http /usr/lib/nagios/plugins/check_tcp -p 8080
command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool #command[check_jboss-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local #command[check_tomcat-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-http /usr/lib/nagios/plugins/check_tcp -p 8080
command[check_pressure_cpu]=/usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000 #command[check_tomcat-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
command[check_pressure_mem]=/usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000 #command[check_proxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name proxy /usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
command[check_pressure_io]=/usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000 #command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis /usr/lib/nagios/plugins/check_tcp -p 6379
#command[check_clamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamd /usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
#command[check_clamav_db]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamav_db /usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
#command[check_ssl]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl /usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
#command[check_elasticsearch]=/usr/local/lib/monitoringctl/alerts_wrapper --name elasticsearch /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
#command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
#command[check_opendkim]=/usr/local/lib/monitoringctl/alerts_wrapper --name opendkim /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
#command[check_bkctld_setup]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_setup sudo /usr/sbin/bkctld check-setup
#command[check_bkctld_jails]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_jails sudo /usr/sbin/bkctld check-jails
## "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
#command[check_bkctld]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld sudo /usr/sbin/bkctld check
#command[check_postgrey]=/usr/local/lib/monitoringctl/alerts_wrapper --name postgrey /usr/lib/nagios/plugins/check_tcp -p10023
#command[check_influxdb]=/usr/local/lib/monitoringctl/alerts_wrapper --name influxdb /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
#command[check_dhcpd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcpd /usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
#command[check_ipmi_sensors]=/usr/local/lib/monitoringctl/alerts_wrapper --name ipmi_sensors sudo /usr/lib/nagios/plugins/check_ipmi_sensor
#command[check_raid_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name raid_status /usr/lib/nagios/plugins/check_raid
#command[check_dockerd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dockerd /usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
## Local checks (not packaged)
#command[check_amavis]=/usr/local/lib/monitoringctl/alerts_wrapper --name amavis {{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
#command[check_spamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name spamd {{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
#command[check_nfsclient]=/usr/local/lib/monitoringctl/alerts_wrapper --name nfsclient sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
#command[check_evobackup]=/usr/local/lib/monitoringctl/alerts_wrapper --name evobackup {{ nagios_plugins_directory }}/check_evobackup
#command[check_process]=/usr/local/lib/monitoringctl/alerts_wrapper --name process {{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
#command[check_drbd]=/usr/local/lib/monitoringctl/alerts_wrapper --name drbd {{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
#command[check_mongodb_connect]=/usr/local/lib/monitoringctl/alerts_wrapper --name mongodb_connect {{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
#command[check_glusterfs]=/usr/local/lib/monitoringctl/alerts_wrapper --name glusterfs {{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
#command[check_supervisord_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name supervisord_status {{ nagios_plugins_directory }}/check_supervisord
#command[check_varnish]=/usr/local/lib/monitoringctl/alerts_wrapper --name varnish {{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
#command[check_haproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name haproxy sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
#command[check_redis_instances]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis_instances {{ nagios_plugins_directory }}/check_redis_instances
#command[check_sentinel]=/usr/local/lib/monitoringctl/alerts_wrapper --name sentinel sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
#command[check_hpraid]=/usr/local/lib/monitoringctl/alerts_wrapper --name hpraid {{ nagios_plugins_directory }}/check_hpraid
#command[check_php-fpm]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm {{ nagios_plugins_directory }}/check_phpfpm_multi
#command[check_php-fpm56]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm56 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
#command[check_php-fpm70]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm70 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
#command[check_php-fpm73]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm73 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
#command[check_php-fpm74]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm74 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
#command[check_php-fpm80]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm80 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
#command[check_php-fpm81]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm81 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
#command[check_php-fpm82]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm82 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
#command[check_php-fpm83]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm83 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
#command[check_dhcp_pool]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcp_pool {{ nagios_plugins_directory }}/check_dhcp_pool
#command[check_ssl_local]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl_local {{ nagios_plugins_directory }}/check_ssl_local
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates). # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
# Beware! All checks must not take more than 10s! # Beware! All checks must not take more than 10s!
#command[check_https]={{ nagios_plugins_directory }}/check_http_many #command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https {{ nagios_plugins_directory }}/check_http_many
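Review bot: on the bkctld, ipmi_sensors, haproxy, sentinel and php-fpmNN lines the wrapper is inserted in front of `sudo`, so `alerts_wrapper` runs as the nagios user and must exec its remaining arguments verbatim for the existing NOPASSWD sudoers entries (matching `/usr/sbin/bkctld check-setup`, `check_haproxy_stats ...`, etc.) to keep matching; a wrapper that re-quotes or reorders arguments would turn every sudo-based check into a sudo failure. Worth a quick `sudo -l -U nagios` plus a manual run of one wrapped command after deploy. Minor consistency point: `check_postgrey` passes `-p10023` with no `-H`, unlike the other check_tcp lines; `-H 127.0.0.1 -p 10023` would match them. The wrapped `check_https` line still sits under the "must not take more than 10s" comment, so the wrapper's own startup time now counts against that budget.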

View file

@ -38,7 +38,6 @@
ansible.builtin.template: ansible.builtin.template:
src: nodesource.sources.j2 src: nodesource.sources.j2
dest: /etc/apt/sources.list.d/nodesource.sources dest: /etc/apt/sources.list.d/nodesource.sources
state: present
register: nodesource_sources register: nodesource_sources
tags: tags:
- system - system

View file

@ -37,8 +37,6 @@
ansible.builtin.template: ansible.builtin.template:
src: yarn.sources.j2 src: yarn.sources.j2
dest: /etc/apt/sources.list.d/yarn.sources dest: /etc/apt/sources.list.d/yarn.sources
state: present
update_cache: yes
register: yarn_sources register: yarn_sources
tags: tags:
- system - system
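Review bot: dropping `state: present` and `update_cache: yes` is correct (ansible.builtin.template accepts neither), but `update_cache` was presumably doing real work here: confirm that the registered `yarn_sources` result still drives an `apt` cache refresh in a later task, otherwise packages from the freshly written yarn.sources file are not installable on the first run.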

View file

@ -201,7 +201,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "/etc/nagios/nrpe.d/evolix.cfg" dest: "/etc/nagios/nrpe.d/evolix.cfg"
regexp: '^command\[check_openvpn\]=' regexp: '^command\[check_openvpn\]='
line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" line: "command[check_openvpn]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn /usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
when: nrpe_evolix_config.stat.exists when: nrpe_evolix_config.stat.exists
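Review bot: the management password `{{ management_pwd }}` stays on the command line as `-P`, and with the wrapper it now appears in the argv of two processes (`alerts_wrapper` and `check_openvpn`) instead of one, readable through `ps` or `/proc/*/cmdline` by any local user while either process lives, and captured if the wrapper logs or stores the command it executes. Passing the secret through a file or stdin on the check_openvpn side would remove it from argv; at minimum, verify that alerts_wrapper does not persist its argument list.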
@ -233,7 +233,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "/etc/nagios/nrpe.d/evolix.cfg" dest: "/etc/nagios/nrpe.d/evolix.cfg"
regexp: '^command\[check_openvpn_certificates\]=' regexp: '^command\[check_openvpn_certificates\]='
line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" line: "command[check_openvpn_certificates]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn_certificates sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
when: nrpe_evolix_config.stat.exists when: nrpe_evolix_config.stat.exists

View file

@ -9,6 +9,7 @@
ansible.builtin.command: ansible.builtin.command:
cmd: pkg_info -Iq inst:openvpn cmd: pkg_info -Iq inst:openvpn
register: is_installed register: is_installed
check_mode: false
ignore_errors: true ignore_errors: true
changed_when: false changed_when: false
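Review bot: `check_mode: false` is the right fix, since without it `is_installed` stays empty under `--check` and every later task keyed on it misbehaves. Since the result is only inspected later, `failed_when: false` would be preferable to `ignore_errors: true`: same control flow, but no red "ignored" error in the play output when openvpn is simply not installed yet.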
@ -138,6 +139,7 @@
ansible.builtin.command: ansible.builtin.command:
cmd: pkg_info -Iq inst:p5-Net-Telnet cmd: pkg_info -Iq inst:p5-Net-Telnet
register: is_installed register: is_installed
check_mode: false
ignore_errors: true ignore_errors: true
changed_when: false changed_when: false

View file

@ -43,7 +43,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_pgsql\]=' regexp: '^command\[check_pgsql\]='
line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"' line: 'command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
when: postgresql_create_nrpe_user is changed when: postgresql_create_nrpe_user is changed
when: nrpe_evolix_config.stat.exists when: nrpe_evolix_config.stat.exists
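Review bot: the task ends with two `when:` lines (`postgresql_create_nrpe_user is changed` and `nrpe_evolix_config.stat.exists`); if both sit at task level the mapping has a duplicate key and Ansible keeps only the last one, silently dropping the `is changed` condition. If the second line belongs to an enclosing block the indentation is fine, but it deserves a look. Separately, the nrpe database password `{{ postgresql_nrpe_password.stdout }}` is passed with `-p` on the command line and is now visible in the argv of both the wrapper and `check_pgsql`; a `PGPASSFILE`/`.pgpass` owned by nagios would keep it out of `ps` output.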

View file

@ -0,0 +1,18 @@
#! /bin/bash
#
if [ "$1" = 'config' ]; then
echo "graph_args --base 1000 -l 0"
echo "graph_title ProFTPd"
echo "graph_category network"
echo "graph_vlabel Stats Proftpd"
echo "users_count.label Connected users"
echo "users_count.draw AREA"
fi
n_users="$(ftpcount | awk '/users/{print $4}')"
echo "users_count.value ${n_users}"
exit 0
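Review bot: the `config` branch falls through and also prints `users_count.value`, which is only correct if munin-node has `dirtyconfig` enabled; add `exit 0` inside the `if` to follow the usual plugin contract. `n_users` is whatever `awk` prints for every `ftpcount` line containing "users", so with several virtual hosts the value line carries multiple numbers, and if `ftpcount` fails (the pipeline's status is never checked) the plugin emits an empty value. Summing with `awk '/users/{n+=$4} END{print n+0}'` and falling back to `U` (`echo "users_count.value ${n_users:-U}"`) gives munin a well-formed value in both cases.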

View file

@ -96,3 +96,15 @@
- ansible.builtin.include: accounts.yml - ansible.builtin.include: accounts.yml
when: proftpd_accounts | length > 0 when: proftpd_accounts | length > 0
- name: Munin plugin is copied
ansible.builtin.copy:
src: munin_plugin
dest: /usr/share/munin/plugins/proftpd
mode: 755
- name: Munin plugin is enabled
ansible.builtin.file:
src: /usr/share/munin/plugins/proftpd
dest: /etc/munin/plugins/proftpd
state: link
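Review bot: `mode: 755` is an unquoted YAML integer, which Ansible interprets as decimal 755 (octal 1363), not rwxr-xr-x; write `mode: '0755'` (ansible-lint's octal-values rule flags exactly this). The plugin is copied and linked but nothing notifies munin-node, so the new graph only appears after the next restart; add a `notify` to a handler that restarts munin-node on the link task.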

View file

@ -40,7 +40,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/nagios/nrpe.d/evolix.cfg dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: 'command\[check_rab_connection_count\]' regexp: 'command\[check_rab_connection_count\]'
line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}' line: 'command[check_rab_connection_count]=/usr/local/lib/monitoringctl/alerts_wrapper --name rab_connection_count sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
- name: sudo without password for nagios - name: sudo without password for nagios
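Review bot: the `regexp` for check_rab_connection_count is unanchored (`command\[check_rab_connection_count\]` with neither `^` nor the trailing `=`), so it also matches a commented-out `#command[check_rab_connection_count]=...` line; lineinfile would then rewrite that commented line in place rather than appending an active one. `'^command\[check_rab_connection_count\]='`, as used for check_openvpn and check_pgsql, is the safer form.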

View file

@ -60,7 +60,7 @@
ansible.builtin.replace: ansible.builtin.replace:
dest: /etc/nagios/nrpe.d/evolix.cfg dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_redis\]=.+' regexp: '^command\[check_redis\]=.+'
replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}' replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
when: redis_instance_name is undefined when: redis_instance_name is undefined
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
tags: tags:
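Review bot: `ansible.builtin.replace` only rewrites a line that already matches `^command\[check_redis\]=.+`; on a host whose evolix.cfg has no active check_redis line (fresh install, entry still commented out) the task changes nothing and no wrapped command is installed, whereas the openvpn/pgsql tasks use `lineinfile`, which appends. Idempotency is fine either way because the replacement string is constant, but the absent-line case needs either `lineinfile` or a preceding check.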
@ -99,7 +99,7 @@
ansible.builtin.replace: ansible.builtin.replace:
dest: /etc/nagios/nrpe.d/evolix.cfg dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_redis\]=.+' regexp: '^command\[check_redis\]=.+'
replace: 'command[check_redis]=sudo /usr/local/lib/nagios/plugins/check_redis_instances' replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo /usr/local/lib/nagios/plugins/check_redis_instances'
when: redis_instance_name is defined when: redis_instance_name is defined
notify: restart nagios-nrpe-server notify: restart nagios-nrpe-server
tags: tags:

View file

@ -0,0 +1,58 @@
etherpad
=========
Ce rôle installe le serveur d'Etherpad, une application rédaction collaborative en temps-réel.
Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle etherpad sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
Requis
------
...
Variables du rôle
-----------------
Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
Dépendances
------------
Ce rôle Ansible dépend des rôles suivants :
- nodejs
Exemple de playbook
-------------------
```
- name: "Déployer un serveur Etherpad"
hosts:
- all
vars:
# Supplanter ici les variables du rôle
service: 'mon-etherpad'
etherpad_domains: ['votre-vrai-domaine.org']
etherpad_db_host: 'localhost'
etherpad_db_user: "{{ service }}"
etherpad_db_name: "{{ service }}"
etherpad_db_password: 'zKEh-CHANGEZ-MOI-qIKc'
pre_tasks:
- name: "Installer les rôles systèmes"
roles:
- { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
roles:
- { role: webapps/etherpad , tags: "etherpad" }
```
Licence
-------
GPLv3
Infos sur l'auteur
------------------
Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
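Review bot: the example playbook is not valid play syntax: `pre_tasks` is a list of tasks, and a task cannot carry a `roles:` key, so `- name: "Installer les rôles systèmes"` with `roles:` underneath fails to parse. Either move the nodejs entry into the play-level `roles:` list ahead of `webapps/etherpad`, or make it a task with `ansible.builtin.import_role: { name: nodejs }` and `vars: { nodejs_apt_version: "{{ etherpad_node_version }}" }`.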

View file

@ -0,0 +1,58 @@
etherpad
=========
This role installs or upgrades the server for the real-time collaborative editor Etherpad.
FRENCH: Voir le fichier LISEZMOI.md pour le français.
Requirements
------------
...
Role Variables
--------------
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following other roles:
- nodejs
Example Playbook
----------------
```
- name: "Deploy an Etherpad server"
hosts:
- all
vars:
# Overwrite the role variable here
service: 'my-etherpad'
etherpad_domains: ['your-real-domain.org']
etherpad_db_host: 'localhost'
etherpad_db_user: "{{ service }}"
etherpad_db_name: "{{ service }}"
etherpad_db_password: 'zKEh-CHANGE-ME-qIKc'
pre_tasks:
- name: "Install system roles"
roles:
- { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
roles:
- { role: webapps/etherpad , tags: "etherpad" }
```
License
-------
GPLv3
Author Information
------------------
Mathieu Gauthier-Pilote, sys. admin. at Evolix.
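Review bot: same problem as the French README: a task under `pre_tasks` cannot have a `roles:` key, so `- name: "Install system roles"` followed by `roles:` is a parse error. Put `{ role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }` in the play's `roles:` list before `webapps/etherpad`, or use `ansible.builtin.import_role` as a pre_task.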

View file

@ -0,0 +1,28 @@
---
# defaults file for etherpad
service: 'example'
etherpad_system_dep: "['apt-transport-https', 'mariadb-server', 'python3-mysqldb', 'nginx', 'ssl-cert', 'git', 'wget', 'certbot', 'npm']"
etherpad_git_url: 'https://github.com/ether/etherpad-lite.git'
etherpad_git_version: '1.8.18'
etherpad_node_version: 'node_18.x'
etherpad_node_port: '9001'
etherpad_domains: ['example.domain.org']
etherpad_certbot_admin_email: 'mgauthier@evolix.ca'
etherpad_db_host: '127.0.0.1'
etherpad_db_port: '3306'
etherpad_db_user: "{{ service }}"
etherpad_db_name: "{{ service }}"
etherpad_db_password: 'CHANGE_ME'
etherpad_app_ip: '127.0.0.1'
etherpad_app_title: 'My Etherpad'
etherpad_app_db_type: 'mysql'
etherpad_app_skin_name: 'colibris'
etherpad_app_skin_variants: 'super-light-toolbar super-light-editor light-background'
etherpad_app_trust_proxy: 'true'
etherpad_app_require_authentication: 'false'
etherpad_app_require_authorization: 'true'
etherpad_app_admin_password: 'CHANGE_ME_TOO'
etherpad_app_default_pad_text: 'Bienvenue sur Etherpad !\n\nLe texte de ce bloc-notes est synchronisé sur le serveur au fur et à mesure que vous tapez, de sorte que toutes les personnes qui consultent cette page voient le même texte. Cela vous permet de collaborer de manière transparente et collaborative sur des documents !\n\nParticipez à Etherpad sur https:\/\/etherpad.org\n'
etherpad_app_file_ends: 'false'
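Review bot: `etherpad_system_dep` is a quoted string that only looks like a list; it works because Ansible's templater re-parses strings that look like Python literals, which breaks under `jinja2_native`. Declare it as a real YAML list. `etherpad_certbot_admin_email` defaults to a personal address that will receive certificate-expiry mail for every deployment that forgets to override it; an obvious placeholder is safer. `etherpad_db_password` and `etherpad_app_admin_password` default to `CHANGE_ME` / `CHANGE_ME_TOO` with nothing enforcing a change; an `ansible.builtin.assert` at the top of the install tasks rejecting those values would stop a pad going live with a published admin password.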

View file

@ -0,0 +1,11 @@
---
# handlers file for etherpad
- name: reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: restart etherpad
ansible.builtin.systemd:
name: "{{ service }}.service"
state: restarted

View file

@ -0,0 +1,52 @@
galaxy_info:
author: Mathieu Gauthier-Pilote
description: sys. admin.
company: Evolix
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license GPL-3.0-only
min_ansible_version: 2.10
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
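Review bot: `license: license GPL-3.0-only` repeats the key in the value; it should read `license: GPL-3.0-only` (the SPDX id the comment above lists). `min_ansible_version: 2.10` is parsed by YAML as the float 2.1; quote it (`'2.10'`) so Galaxy compares the version correctly.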

View file

@ -0,0 +1,142 @@
---
# tasks file for etherpad install
- name: Install main system dependencies
ansible.builtin.apt:
name: "{{ etherpad_system_dep }}"
update_cache: yes
- name: Install pnpm (via npm)
ansible.builtin.command:
cmd: npm install -g pnpm
- name: Fix permissions for pnpm
ansible.builtin.file:
path: /usr/local/lib/node_modules/
state: directory
mode: o+rx
recurse: yes
- name: Add UNIX account
ansible.builtin.user:
name: "{{ service }}"
shell: /bin/bash
- name: Add database
ansible.builtin.mysql_db:
name: "{{ etherpad_db_name }}"
- name: Add database user
ansible.builtin.mysql_user:
name: "{{ etherpad_db_user }}"
password: "{{ etherpad_db_password }}"
priv: "{{ etherpad_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
update_password: on_create
- name: Clone etherpad repo (git)
ansible.builtin.git:
repo: "{{ etherpad_git_url }}"
dest: "~/etherpad-lite/"
version: "{{ etherpad_git_version | default(omit) }}"
update: yes
force: true
umask: '0022'
become_user: "{{ service }}"
- name: Fix run.sh so it does not start etherpad at the end
ansible.builtin.lineinfile:
path: "~/etherpad-lite/bin/run.sh"
state: absent
regexp: '^exec pnpm run dev'
become_user: "{{ service }}"
- name: Run setup
ansible.builtin.shell: "bin/run.sh"
args:
chdir: "~/etherpad-lite"
become_user: "{{ service }}"
- name: Template json config file
ansible.builtin.template:
src: "settings.json.j2"
dest: "~{{ service }}/etherpad-lite/settings.json"
owner: "{{ service }}"
group: "{{ service }}"
mode: "0640"
- name: Add systemd unit
ansible.builtin.template:
src: "etherpad.service.j2"
dest: "/etc/systemd/system/{{ service }}.service"
- name: Enable systemd unit
ansible.builtin.systemd:
name: "{{ service }}.service"
enabled: yes
daemon_reload: yes
notify:
- restart etherpad
- name: Template nginx snippet for Let's Encrypt/Certbot
ansible.builtin.template:
src: "letsencrypt.conf.j2"
dest: "/etc/nginx/snippets/letsencrypt.conf"
- name: Check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
register: ssl
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ service }}.conf"
- name: Enable temporary nginx vhost for LE
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
state: link
notify:
- reload nginx
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Make sure /var/lib/letsencrypt exists and has correct permissions
ansible.builtin.file:
path: /var/lib/letsencrypt
state: directory
mode: '0755'
- name: Generate certificate with certbot
ansible.builtin.command:
cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ etherpad_certbot_admin_email }} -d {{ etherpad_domains |first }}
- name: Create the ssl dir if needed
ansible.builtin.file:
path: /etc/nginx/ssl
state: directory
mode: '0750'
- name: Template ssl bloc for nginx vhost
ansible.builtin.template:
src: "ssl.conf.j2"
dest: "/etc/nginx/ssl/{{ etherpad_domains |first }}.conf"
when: ssl.stat.exists != true
- name: (Re)check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
register: ssl
- name: (Re)template conf file for nginx vhost with SSL
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ service }}.conf"
notify:
- reload nginx
- name: Enable nginx vhost for etherpad
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
state: link
notify:
- reload nginx
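Review bot: `ansible.builtin.mysql_db` and `ansible.builtin.mysql_user` do not exist in the builtin collection; those modules live in `community.mysql` (`community.mysql.mysql_db`, `community.mysql.mysql_user`), so the play fails at "Add database" as written (the `ansible.builtin.` prefix was applied too broadly). The install flow targets one repository layout (`bin/run.sh`, removing `^exec pnpm run dev`) while upgrade.yml on this same change targets another (`src/bin/run.sh`, removing `exec node src/node/server.js`); both cannot be right for the same `etherpad_git_version`, so pin the default version to the layout these tasks expect or branch on the version. Smaller points: `npm install -g pnpm` and `bin/run.sh` run on every play (add `creates:` or a `changed_when`), and `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`. Good: settings.json is written with `mode: "0640"` and owned by the service user, which matters since it holds the DB and admin passwords.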

View file

@ -0,0 +1,52 @@
---
# tasks file for etherpad upgrade
- name: Dump database to a file with compression
ansible.builtin.mysql_db:
name: "{{ service }}"
state: dump
target: "~/{{ service }}.sql.gz"
- name: Stop service
ansible.builtin.systemd:
name: "{{ service }}.service"
state: stopped
- name: Clone etherpad repo (git)
ansible.builtin.git:
repo: "{{ etherpad_git_url }}"
dest: "~/etherpad-lite/"
version: "{{ etherpad_git_version }}"
update: yes
force: true
become_user: "{{ service }}"
- name: Fix run.sh so it does not start etherpad at the end
ansible.builtin.lineinfile:
path: "~/etherpad-lite/src/bin/run.sh"
state: absent
regexp: 'exec node src/node/server.js'
become_user: "{{ service }}"
- name: Run setup
ansible.builtin.shell: "src/bin/run.sh"
args:
chdir: "~/etherpad-lite"
become_user: "{{ service }}"
- name: Start service
ansible.builtin.systemd:
name: "{{ service }}.service"
state: started
- name: Define variable to skip next task by default
ansible.builtin.set_fact:
keep_db_dump: true
- name: Remove database dump
ansible.builtin.file:
path: "~/{{ service }}.sql.gz"
state: absent
when: keep_db_dump is undefined
tags: clean
notify: reload nginx
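Review bot: `notify: reload nginx` on "Remove database dump" fires only when a dump file is deleted and has nothing to do with nginx; drop it (the Etherpad service is already started by "Start service"). The `set_fact: keep_db_dump: true` / `when: keep_db_dump is undefined` pair only works because the set_fact task is untagged and therefore skipped under `--tags clean`; a comment saying so, or a plain `keep_db_dump | default(true)` variable, would make the intent explicit. `ansible.builtin.mysql_db` has the same namespace problem as in install.yml: the module is `community.mysql.mysql_db`. The dump lands in `~/{{ service }}.sql.gz` without `become_user`, i.e. in root's home, while the clone and setup tasks run as `{{ service }}`; that is consistent with the removal task (also root) but worth stating in the task name.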

View file

@ -0,0 +1,17 @@
[Unit]
Description=Etherpad - open source online editor for real-time collaborative editing.
Documentation=https://etherpad.org/doc/v1.8.18/
After=network.target
After=mariadb.service
[Service]
Type=simple
Environment=NODE_ENV=production
ExecStart=pnpm run prod
Restart=always
User={{service}}
Group={{service}}
WorkingDirectory=/home/{{service}}/etherpad-lite
[Install]
WantedBy=multi-user.target
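Review bot: the unit runs a network-facing Node process with no sandboxing; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are safe additions here (avoid `ProtectHome`, since `WorkingDirectory` is under /home). `Documentation=` is hard-coded to v1.8.18 while `ExecStart=pnpm run prod` is the entry point the install tasks assume; template the URL from `etherpad_git_version` so it does not silently lag when the version is bumped. `After=mariadb.service` is only an ordering hint; if the database is expected to be local, add `Wants=mariadb.service`. A bare `pnpm` in `ExecStart` relies on systemd's fixed-path lookup (systemd 239+, fine on Debian 12); an absolute path avoids surprises on older hosts.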

View file

@ -0,0 +1,5 @@
location ~ /.well-known/acme-challenge {
alias /var/lib/letsencrypt/;
try_files $uri =404;
allow all;
}
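Review bot: `location ~ /.well-known/acme-challenge` is a regex that is neither anchored nor escaped (the dot matches any character), so it also matches that substring anywhere deeper in a URI. `location ^~ /.well-known/acme-challenge/` is the usual form for an ACME webroot: a prefix match that takes precedence over the vhost's other `location ~` rules, which matters once the SSL vhost adds its own. `allow all` is intended (validation requests come from arbitrary Let's Encrypt addresses) and should stay.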

View file

@ -0,0 +1,641 @@
/*
* This file must be valid JSON. But comments are allowed
*
* Please edit settings.json, not settings.json.template
*
* Please note that starting from Etherpad 1.6.0 you can store DB credentials in
* a separate file (credentials.json).
*
*
* ENVIRONMENT VARIABLE SUBSTITUTION
* =================================
*
* All the configuration values can be read from environment variables using the
* syntax "${ENV_VAR}" or "${ENV_VAR:default_value}".
*
* This is useful, for example, when running in a Docker container.
*
* DETAILED RULES:
* - If the environment variable is set to the string "true" or "false", the
* value becomes Boolean true or false.
* - If the environment variable is set to the string "null", the value
* becomes null.
* - If the environment variable is set to the string "undefined", the setting
* is removed entirely, except when used as the member of an array in which
* case it becomes null.
* - If the environment variable is set to a string representation of a finite
* number, the string is converted to that number.
* - If the environment variable is set to any other string, including the
* empty string, the value is that string.
* - If the environment variable is unset and a default value is provided, the
* value is as if the environment variable was set to the provided default:
* - "${UNSET_VAR:}" becomes the empty string.
* - "${UNSET_VAR:foo}" becomes the string "foo".
* - "${UNSET_VAR:true}" and "${UNSET_VAR:false}" become true and false.
* - "${UNSET_VAR:null}" becomes null.
* - "${UNSET_VAR:undefined}" causes the setting to be removed (or be set
* to null, if used as a member of an array).
* - If the environment variable is unset and no default value is provided,
* the value becomes null. THIS BEHAVIOR MAY CHANGE IN A FUTURE VERSION OF
* ETHERPAD; if you want the default value to be null, you should explicitly
* specify "null" as the default value.
*
* EXAMPLE:
* "port": "${PORT:9001}"
* "minify": "${MINIFY}"
* "skinName": "${SKIN_NAME:colibris}"
*
* Would read the configuration values for those items from the environment
* variables PORT, MINIFY and SKIN_NAME.
*
* If PORT and SKIN_NAME variables were not defined, the default values 9001 and
* "colibris" would be used.
* The configuration value "minify", on the other hand, does not have a
* designated default value. Thus, if the environment variable MINIFY were
* undefined, "minify" would be null.
*
* REMARKS:
* 1) please note that variable substitution always needs to be quoted.
*
* "port": 9001, <-- Literal values. When not using
* "minify": false substitution, only strings must be
* "skinName": "colibris" quoted. Booleans and numbers must not.
*
* "port": "${PORT:9001}" <-- CORRECT: if you want to use a variable
* "minify": "${MINIFY:true}" substitution, put quotes around its name,
* "skinName": "${SKIN_NAME}" even if the required value is a number or
* a boolean.
* Etherpad will take care of rewriting it
* to the proper type if necessary.
*
* "port": ${PORT:9001} <-- ERROR: this is not valid json. Quotes
* "minify": ${MINIFY} around variable names are missing.
* "skinName": ${SKIN_NAME}
*
* 2) Beware of undefined variables and default values: nulls and empty strings
* are different!
*
* This is particularly important for user's passwords (see the relevant
* section):
*
* "password": "${PASSW}" // if PASSW is not defined would result in password === null
* "password": "${PASSW:}" // if PASSW is not defined would result in password === ''
*
* If you want to use an empty value (null) as default value for a variable,
* simply do not set it, without putting any colons: "${ABIWORD}".
*
* 3) if you want to use newlines in the default value of a string parameter,
* use "\n" as usual.
*
* "defaultPadText" : "${DEFAULT_PAD_TEXT}Line 1\nLine 2"
*/
{
/*
* Name your instance!
*/
"title": "{{ etherpad_app_title }}",
/*
* Pathname of the favicon you want to use. If null, the skin's favicon is
* used if one is provided by the skin, otherwise the default Etherpad favicon
* is used. If this is a relative path it is interpreted as relative to the
* Etherpad root directory.
*/
"favicon": null,
/*
* Skin name.
*
* Its value has to be an existing directory under src/static/skins.
* You can write your own, or use one of the included ones:
*
* - "no-skin": an empty skin (default). This yields the unmodified,
* traditional Etherpad theme.
* - "colibris": the new experimental skin (since Etherpad 1.8), candidate to
* become the default in Etherpad 2.0
*/
"skinName": "{{ etherpad_app_skin_name }}",
/*
* Skin Variants
*
* Use the UI skin variants builder at /p/test#skinvariantsbuilder
*
* For the colibris skin only, you can choose how to render the three main
* containers:
* - toolbar (top menu with icons)
* - editor (containing the text of the pad)
* - background (area outside of editor, mostly visible when using page style)
*
* For each of the 3 containers you can choose 4 color combinations:
* super-light, light, dark, super-dark.
*
* For example, to make the toolbar dark, you will include "dark-toolbar" into
* skinVariants.
*
* You can provide multiple skin variants separated by spaces. Default
* skinVariant is "super-light-toolbar super-light-editor light-background".
*
* For the editor container, you can also make it full width by adding
* "full-width-editor" variant (by default editor is rendered as a page, with
* a max-width of 900px).
*/
"skinVariants": "{{ etherpad_app_skin_variants }}",
/*
* IP and port which Etherpad should bind at.
*
* Binding to a Unix socket is also supported: just use an empty string for
* the ip, and put the full path to the socket in the port parameter.
*
* EXAMPLE USING UNIX SOCKET:
* "ip": "", // <-- has to be an empty string
* "port" : "/somepath/etherpad.socket", // <-- path to a Unix socket
*/
"ip": "{{ etherpad_app_ip }}",
"port": {{ etherpad_node_port }},
/*
* Option to hide/show the settings.json in admin page.
*
* Default option is set to true
*/
"showSettingsInAdminPage": true,
/*
* Node native SSL support
*
* This is disabled by default.
* Make sure to have the minimum and correct file access permissions set so
* that the Etherpad server can access them
*/
/*
"ssl" : {
"key" : "/path-to-your/epl-server.key",
"cert" : "/path-to-your/epl-server.crt",
"ca": ["/path-to-your/epl-intermediate-cert1.crt", "/path-to-your/epl-intermediate-cert2.crt"]
},
*/
/*
* The type of the database.
*
* You can choose between many DB drivers, for example: dirty, postgres,
* sqlite, mysql.
*
* You shouldn't use "dirty" for for anything else than testing or
* development.
*
*
* Database specific settings are dependent on dbType, and go in dbSettings.
* Remember that since Etherpad 1.6.0 you can also store this information in
* credentials.json.
*
* For a complete list of the supported drivers, please refer to:
* https://www.npmjs.com/package/ueberdb2
*/
/*
"dbType": "dirty",
"dbSettings": {
"filename": "var/dirty.db"
},
*/
/*
* An Example of MySQL Configuration (commented out).
*
* See: https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
*/
"dbType" : "mysql",
"dbSettings" : {
"user": "{{ etherpad_db_user }}",
"host": "{{ etherpad_db_host }}",
"port": "{{ etherpad_db_port }}",
"password": "{{ etherpad_db_password }}",
"database": "{{ etherpad_db_name }}",
"charset": "utf8mb4"
},
/*
* The default text of a pad
*/
"defaultPadText" : "{{ etherpad_app_default_pad_text }}",
/*
* Default Pad behavior.
*
* Change them if you want to override.
*/
"padOptions": {
"noColors": false,
"showControls": true,
"showChat": true,
"showLineNumbers": true,
"useMonospaceFont": false,
"userName": null,
"userColor": null,
"rtl": false,
"alwaysShowChat": false,
"chatAndUsers": false,
"lang": null
},
/*
* Pad Shortcut Keys
*/
"padShortcutEnabled" : {
"altF9": true, /* focus on the File Menu and/or editbar */
"altC": true, /* focus on the Chat window */
"cmdShift2": true, /* shows a gritter popup showing a line author */
"delete": true,
"return": true,
"esc": true, /* in mozilla versions 14-19 avoid reconnecting pad */
"cmdS": true, /* save a revision */
"tab": true, /* indent */
"cmdZ": true, /* undo/redo */
"cmdY": true, /* redo */
"cmdI": true, /* italic */
"cmdB": true, /* bold */
"cmdU": true, /* underline */
"cmd5": true, /* strike through */
"cmdShiftL": true, /* unordered list */
"cmdShiftN": true, /* ordered list */
"cmdShift1": true, /* ordered list */
"cmdShiftC": true, /* clear authorship */
"cmdH": true, /* backspace */
"ctrlHome": true, /* scroll to top of pad */
"pageUp": true,
"pageDown": true
},
/*
* Should we suppress errors from being visible in the default Pad Text?
*/
"suppressErrorsInPadText": false,
/*
* If this option is enabled, a user must have a session to access pads.
* This effectively allows only group pads to be accessed.
*/
"requireSession": false,
/*
* Users may edit pads but not create new ones.
*
* Pad creation is only via the API.
* This applies both to group pads and regular pads.
*/
"editOnly": false,
/*
* If true, all css & js will be minified before sending to the client.
*
* This will improve the loading performance massively, but makes it difficult
* to debug the javascript/css
*/
"minify": true,
/*
* How long may clients use served javascript code (in seconds)?
*
* Not setting this may cause problems during deployment.
* Set to 0 to disable caching.
*/
"maxAge": 21600, // 60 * 60 * 6 = 6 hours
/*
* Absolute path to the Abiword executable.
*
* Abiword is needed to get advanced import/export features of pads. Setting
* it to null disables Abiword and will only allow plain text and HTML
* import/exports.
*/
"abiword": null,
/*
* This is the absolute path to the soffice executable.
*
* LibreOffice can be used in lieu of Abiword to export pads.
* Setting it to null disables LibreOffice exporting.
*/
"soffice": null,
/*
* Allow import of file types other than the supported ones:
* txt, doc, docx, rtf, odt, html & htm
*/
"allowUnknownFileEnds": {{ etherpad_app_file_ends }},
/*
* This setting is used if you require authentication of all users.
*
* Note: "/admin" always requires authentication.
*/
"requireAuthentication": {{ etherpad_app_require_authentication }},
/*
* Require authorization by a module, or a user with is_admin set, see below.
*/
"requireAuthorization": {{ etherpad_app_require_authorization }},
/*
* When you use NGINX or another proxy/load-balancer set this to true.
*
* This is especially necessary when the reverse proxy performs SSL
* termination, otherwise the cookies will not have the "secure" flag.
*
* The other effect will be that the logs will contain the real client's IP,
* instead of the reverse proxy's IP.
*/
"trustProxy": {{ etherpad_app_trust_proxy }},
/*
* Settings controlling the session cookie issued by Etherpad.
*/
"cookie": {
/*
* How often (in milliseconds) the key used to sign the express_sid cookie
* should be rotated. Long rotation intervals reduce signature verification
* overhead (because there are fewer historical keys to check) and database
* load (fewer historical keys to store, and less frequent queries to
* get/update the keys). Short rotation intervals are slightly more secure.
*
* Multiple Etherpad processes sharing the same database (table) is
* supported as long as the clock sync error is significantly less than this
* value.
*
* Key rotation can be disabled (not recommended) by setting this to 0 or
* null, or by disabling session expiration (see sessionLifetime).
*/
"keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
/*
* Value of the SameSite cookie property. "Lax" is recommended unless
* Etherpad will be embedded in an iframe from another site, in which case
* this must be set to "None". Note: "None" will not work (the browser will
* not send the cookie to Etherpad) unless https is used to access Etherpad
* (either directly or via a reverse proxy with "trustProxy" set to true).
*
* "Strict" is not recommended because it has few security benefits but
* significant usability drawbacks vs. "Lax". See
* https://stackoverflow.com/q/41841880 for discussion.
*/
"sameSite": "Lax",
/*
* How long (in milliseconds) after navigating away from Etherpad before the
* user is required to log in again. (The express_sid cookie is set to
* expire at time now + sessionLifetime when first created, and its
* expiration time is periodically refreshed to a new now + sessionLifetime
* value.) If requireAuthentication is false then this value does not really
* matter.
*
* The "best" value depends on your users' usage patterns and the amount of
* convenience you desire. A long lifetime is more convenient (users won't
* have to log back in as often) but has some drawbacks:
* - It increases the amount of state kept in the database.
* - It might weaken security somewhat: The cookie expiration is refreshed
* indefinitely without consulting authentication or authorization
* hooks, so once a user has accessed a pad, the user can continue to
* use the pad until the user leaves for longer than sessionLifetime.
* - More historical keys (sessionLifetime / keyRotationInterval) must be
* checked when verifying signatures.
*
* Session lifetime can be set to infinity (not recommended) by setting this
* to null or 0. Note that if the session does not expire, most browsers
* will delete the cookie when the browser exits, but a session record is
* kept in the database forever.
*/
"sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
/*
* How long (in milliseconds) before the expiration time of an active user's
* session is refreshed (to now + sessionLifetime). This setting affects the
* following:
* - How often a new session expiration time will be written to the
* database.
* - How often each user's browser will ping the Etherpad server to
* refresh the expiration time of the session cookie.
*
* High values reduce the load on the database and the load from browsers,
* but can shorten the effective session lifetime if Etherpad is restarted
* or the user navigates away.
*
* Automatic session refreshes can be disabled (not recommended) by setting
* this to null.
*/
"sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
},
/*
* Privacy: disable IP logging
*/
"disableIPlogging": false,
/*
* Time (in seconds) to automatically reconnect pad when a "Force reconnect"
* message is shown to user.
*
* Set to 0 to disable automatic reconnection.
*/
"automaticReconnectionTimeout": 0,
/*
* By default, when caret is moved out of viewport, it scrolls the minimum
* height needed to make this line visible.
*/
"scrollWhenFocusLineIsOutOfViewport": {
/*
* Percentage of viewport height to be additionally scrolled.
*
* E.g.: use "percentage.editionAboveViewport": 0.5, to place caret line in
* the middle of viewport, when user edits a line above of the
* viewport
*
* Set to 0 to disable extra scrolling
*/
"percentage": {
"editionAboveViewport": 0,
"editionBelowViewport": 0
},
/*
* Time (in milliseconds) used to animate the scroll transition.
* Set to 0 to disable animation
*/
"duration": 0,
/*
* Flag to control if it should scroll when user places the caret in the
* last line of the viewport
*/
"scrollWhenCaretIsInTheLastLineOfViewport": false,
/*
* Percentage of viewport height to be additionally scrolled when user
* presses arrow up in the line of the top of the viewport.
*
* Set to 0 to let the scroll to be handled as default by Etherpad
*/
"percentageToScrollWhenUserPressesArrowUp": 0
},
/*
* User accounts. These accounts are used by:
* - default HTTP basic authentication if no plugin handles authentication
* - some but not all authentication plugins
* - some but not all authorization plugins
*
* User properties:
* - password: The user's password. Some authentication plugins will ignore
* this.
* - is_admin: true gives access to /admin. Defaults to false. If you do not
* uncomment this, /admin will not be available!
* - readOnly: If true, this user will not be able to create new pads or
* modify existing pads. Defaults to false.
* - canCreate: If this is true and readOnly is false, this user can create
* new pads. Defaults to true.
*
* Authentication and authorization plugins may define additional properties.
*
* WARNING: passwords should not be stored in plaintext in this file.
* If you want to mitigate this, please install ep_hash_auth and
* follow the section "secure your installation" in README.md
*/
"users": {
"admin": {
// 1) "password" can be replaced with "hash" if you install ep_hash_auth
// 2) please note that if password is null, the user will not be created
"password": "{{ etherpad_app_admin_password }}",
"is_admin": true
}
},
/*
* Restrict socket.io transport methods
*/
"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
"socketIo": {
/*
* Maximum permitted client message size (in bytes). All messages from
* clients that are larger than this will be rejected. Large values make it
* possible to paste large amounts of text, and plugins may require a larger
* value to work properly, but increasing the value increases susceptibility
* to denial of service attacks (malicious clients can exhaust memory).
*/
"maxHttpBufferSize": 10000
},
/*
* Allow Load Testing tools to hit the Etherpad Instance.
*
* WARNING: this will disable security on the instance.
*/
"loadTest": false,
/**
* Disable dump of objects preventing a clean exit
*/
"dumpOnUncleanExit": false,
/*
* Disable indentation on new line when previous line ends with some special
* chars (':', '[', '(', '{')
*/
/*
"indentationOnNewLine": false,
*/
/*
* From Etherpad 1.8.3 onwards, import and export of pads is always rate
* limited.
*
* The default is to allow at most 10 requests per IP in a 90 seconds window.
* After that the import/export request is rejected.
*
* See https://github.com/nfriedly/express-rate-limit for more options
*/
"importExportRateLimiting": {
// duration of the rate limit window (milliseconds)
"windowMs": 90000,
// maximum number of requests per IP to allow during the rate limit window
"max": 10
},
/*
* From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
* file is always bounded.
*
* File size is specified in bytes. Default is 50 MB.
*/
"importMaxFileSize": 52428800, // 50 * 1024 * 1024
/*
* From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
*
* The default is to allow at most 10 changes per IP in a 1 second window.
* After that the change is rejected.
*
* See https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#websocket-single-connection-prevent-flooding for more options
*/
"commitRateLimiting": {
// duration of the rate limit window (seconds)
"duration": 1,
// maximum number of changes per IP to allow during the rate limit window
"points": 10
},
/*
* Toolbar buttons configuration.
*
* Uncomment to customize.
*/
/*
"toolbar": {
"left": [
["bold", "italic", "underline", "strikethrough"],
["orderedlist", "unorderedlist", "indent", "outdent"],
["undo", "redo"],
["clearauthorship"]
],
"right": [
["importexport", "timeslider", "savedrevision"],
["settings", "embed"],
["showusers"]
],
"timeslider": [
["timeslider_export", "timeslider_returnToPad"]
]
},
*/
/*
* Expose Etherpad version in the web interface and in the Server http header.
*
* Do not enable on production machines.
*/
"exposeVersion": false,
/*
* The log level we are using.
*
* Valid values: DEBUG, INFO, WARN, ERROR
*/
"loglevel": "INFO",
/* Override any strings found in locale directories */
"customLocaleStrings": {},
/* Disable Admin UI tests */
"enableAdminUITests": false
}
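Review bot: the rendered settings.json keeps the admin credential in clear at `"password": "{{ etherpad_app_admin_password }}"`, which the template's own WARNING block just above discourages; where ep_hash_auth is installed, template a `"hash"` instead, and make sure the task that writes this file (not in this hunk) uses a restrictive mode such as 0640 root:<service>, since the same file also decides `requireAuthentication`, `requireAuthorization` and `trustProxy`. On that last key: behind the nginx vhost added in this same role, `etherpad_app_trust_proxy` has to render as true, otherwise Etherpad sees plain HTTP from 127.0.0.1 and issues the express_sid cookie without the secure flag, exactly the case the comment on `trustProxy` warns about.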
@ -0,0 +1,22 @@
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/{{ etherpad_domains | first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ etherpad_domains | first }}/privkey.pem;
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
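Review bot: `ssl_stapling_verify on;` does nothing useful here without `ssl_trusted_certificate` (nginx requires the issuer chain to be configured as trusted for verification to work) and without a `resolver` directive, which nginx needs to look up the OCSP responder host; add both or drop stapling. The cipher list also goes beyond the Mozilla intermediate v5.6 profile the header cites: the four trailing CBC suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`) are not in that profile, which also sets `ssl_prefer_server_ciphers off`; keep them only for a known legacy client. HSTS is still commented out; once the port 80 redirect in vhost.conf is active it is safe to turn on, starting with a short max-age.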
@ -0,0 +1,49 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ etherpad_domains |first }};
# For certbot
include /etc/nginx/snippets/letsencrypt.conf;
{% if ssl.stat.exists %}
location / { return 301 https://$host$request_uri; }
{% endif %}
}
{% if ssl.stat.exists %}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ etherpad_domains |first }};
access_log /var/log/nginx/{{ service }}.access.log;
error_log /var/log/nginx/{{ service }}.error.log;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/ssl/{{ etherpad_domains | first }}.conf;
location / {
proxy_pass http://127.0.0.1:{{ etherpad_node_port }};
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass these headers etc too.
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
{% endif %}
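Review bot: the `access_log`/`error_log` lines use a bare `{{ service }}` while the rest of the template uses prefixed variables (`etherpad_domains`, `etherpad_node_port`); unless a bare `service` is still defined somewhere in the role, rendering fails with an undefined-variable error, so switch to the prefixed name the role's defaults use. Functionally, nginx's default `client_max_body_size` of 1m cuts off pad imports far below the 50 MB `importMaxFileSize` set in settings.json; add `client_max_body_size 50m;` to `location /` (or keep the two values in sync from one variable). `proxy_pass_header Server;` lets Etherpad's Server header through nginx; harmless while `exposeVersion` stays false, but not needed.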
@ -0,0 +1,2 @@
localhost
@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- hedgedoc
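Review bot: this test playbook applies the `hedgedoc` role although it sits with the etherpad role's files (the preceding hunks are the etherpad templates); if this is webapps/etherpad/tests/test.yml the role should be `etherpad`, otherwise the test never exercises the role it ships with. The gitea test playbook further down has the same problem with `- privatebin`.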
@ -0,0 +1,2 @@
---
# vars file

webapps/gitea/LISEZMOI.md Normal file

@ -0,0 +1,49 @@
gitea
=====
Ce rôle installe un serveur gitea.
Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle gitea sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
Requis
------
...
Variables du rôle
-----------------
Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
Dépendances
------------
Ce rôle Ansible dépend des rôles suivants :
- nodejs
Exemple de playbook
-------------------
```
- name: "Déployer un serveur gitea"
hosts:
- all
vars:
# Supplanter ici les variables du rôle
domains: ['votre-vrai-domaine.org']
service: 'mon-gitea'
roles:
- { role: webapps/gitea , tags: "gitea" }
```
Licence
-------
GPLv3
Infos sur l'auteur
------------------
Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.

webapps/gitea/README.md Normal file

@ -0,0 +1,49 @@
gitea
=====
This role installs or upgrades the server for gitea.
FRENCH: Voir le fichier LISEZMOI.md pour le français.
Requirements
------------
...
Role Variables
--------------
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following other roles:
- nodejs
Example Playbook
----------------
```
- name: "Deploy an gitea server"
hosts:
- all
vars:
# Overwrite the role variable here
domains: ['your-real-domain.org']
service: 'my-gitea'
roles:
- { role: webapps/gitea , tags: "gitea" }
```
License
-------
GPLv3
Author Information
------------------
Mathieu Gauthier-Pilote, sys. admin. at Evolix.
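Review bot: the example playbook overrides `domains` and `service`, but the role's defaults, tasks and templates read `gitea_domains` and `gitea_service`, so both overrides are silently ignored and the role deploys for `example.domain.org`; LISEZMOI.md carries the same example. The Role Variables section says defaults must be changed but names none; list at least `gitea_service`, `gitea_domains`, `gitea_certbot_admin_email` and `gitea_db_password`, and show them with their prefix in the example. The Dependencies section lists `nodejs`, which gitea, installed here as a static binary, does not need (meta/main.yml correctly has `dependencies: []`). Typo: "Deploy an gitea server" should read "a gitea server".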
@ -0,0 +1,14 @@
---
# defaults file for vars
gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
gitea_git_version: '1.21.3'
gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
gitea_domains: ['example.domain.org']
gitea_certbot_admin_email: 'security@example.domain.org'
gitea_db_host: '127.0.0.1:3306'
gitea_db_name: "{{ gitea_service }}"
gitea_db_user: "{{ gitea_service }}"
gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
gitea_redis_maxclients: '128'
gitea_redis_maxmemory: '300M'
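Review bot: `gitea_service` is consumed by `gitea_db_name` and `gitea_db_user` here and by nearly every task and template, yet it is never defined in this file (the hedgedoc defaults do define `hedgedoc_service`), so the role fails on an undefined variable unless every caller sets it; give it a default here, e.g. `gitea_service: 'example'`, and document it. `gitea_system_dep` is a string that looks like a list; write it as a YAML list so `apt: name:` receives a real list instead of relying on Ansible re-evaluating the templated string. Pinning `gitea_checksum` for the downloaded binary is the right supply-chain control; `gitea_git_version` and `gitea_checksum` must always be bumped together. Finally, `gitea_db_password` is applied with `update_password: on_create` in tasks, so a run with the `UQ6_CHANGE_ME_Gzb` placeholder makes it the permanent database password; an `ansible.builtin.assert` that it differs from the default would fail fast.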
@ -0,0 +1,2 @@
---
# handlers file
@ -0,0 +1,52 @@
galaxy_info:
author: Mathieu Gauthier-Pilote
description: sys. admin.
company: Evolix
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license GPL-3.0-only
min_ansible_version: 2.10
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
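Review bot: `license: license GPL-3.0-only` should be `license: GPL-3.0-only`; the comment above asks for a bare SPDX identifier and the extra word is not one. `dependencies: []` is right for gitea and contradicts the README, which claims a dependency on `nodejs`.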
@ -0,0 +1,165 @@
---
# tasks file for gitea install
- name: Install main system dependencies
ansible.builtin.apt:
name: "{{ gitea_system_dep }}"
update_cache: yes
- name: Download gitea binary
ansible.builtin.get_url:
url: "{{ gitea_url }}"
dest: /usr/local/bin
checksum: "{{ gitea_checksum }}"
mode: '0755'
- name: Create symbolic link
ansible.builtin.file:
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
dest: "/usr/local/bin/gitea"
state: link
- name: Add UNIX account
ansible.builtin.user:
name: "{{ gitea_service }}"
shell: /bin/bash
- name: Add www-data (nginx) to service's group
ansible.builtin.user:
name: www-data
#group: www-data
groups: "{{ gitea_service }}"
append: true
- name: Add database
ansible.builtin.mysql_db:
name: "{{ gitea_db_name }}"
- name: Add database user
ansible.builtin.mysql_user:
name: "{{ gitea_db_user }}"
password: "{{ gitea_db_password }}"
priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
update_password: on_create
- name: Create the gitea conf dir if needed
ansible.builtin.file:
path: /etc/gitea
state: directory
mode: '0755'
- name: Template gitea ini file
ansible.builtin.template:
src: "gitea.ini.j2"
dest: "/etc/gitea/{{ gitea_service }}.ini"
owner: 'root'
group: "{{ gitea_service }}"
mode: '0660'
- name: Template gitea systemd unit
ansible.builtin.template:
src: "gitea.service.j2"
dest: "/etc/systemd/system/gitea@.service"
- name: Start gitea systemd unit
ansible.builtin.service:
name: "gitea@{{ gitea_service }}"
state: restarted
- name: Create the redis dir if needed
ansible.builtin.file:
path: /home/{{ gitea_service }}/redis
state: directory
owner: "{{ gitea_service }}"
group: "{{ gitea_service }}"
mode: '0750'
- name: Create the log dir if needed
ansible.builtin.file:
path: /home/{{ gitea_service }}/log
state: directory
owner: "{{ gitea_service }}"
group: "{{ gitea_service }}"
mode: '0750'
- name: Template redis conf
ansible.builtin.template:
src: "redis.conf.j2"
dest: "/home/{{ gitea_service }}/redis/redis.conf"
owner: "{{ gitea_service }}"
group: "{{ gitea_service }}"
mode: '0640'
- name: Template redis systemd unit
ansible.builtin.template:
src: "redis.service.j2"
dest: "/etc/systemd/system/redis@.service"
- name: Start redis systemd unit
ansible.builtin.service:
name: "redis@{{ gitea_service }}"
state: started
- name: Template nginx snippet for Let's Encrypt/Certbot
ansible.builtin.template:
src: "letsencrypt.conf.j2"
dest: "/etc/nginx/snippets/letsencrypt.conf"
- name: Check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
register: ssl
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
- name: Enable temporary nginx vhost for gitea
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
- name: Make sure /var/lib/letsencrypt exists and has correct permissions
ansible.builtin.file:
path: /var/lib/letsencrypt
state: directory
mode: '0755'
- name: Generate certificate with certbot
ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}
- name: Create the ssl dir if needed
ansible.builtin.file:
path: /etc/nginx/ssl
state: directory
mode: '0750'
- name: Template ssl bloc for nginx vhost
ansible.builtin.template:
src: "ssl.conf.j2"
dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf"
when: ssl.stat.exists != true
- name: (Re)check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
register: ssl
- name: (Re)template conf file for nginx vhost with SSL
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
- name: Enable nginx vhost for gitea
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
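Review bot: "Add www-data (nginx) to service's group" combined with "Template gitea ini file" (`group: "{{ gitea_service }}"`, `mode: '0660'`) gives nginx's worker user read and write access to the file holding the database password; since the unit runs gitea as `User=%i`, the ini needs no group access at all, so write it as `owner: "{{ gitea_service }}"`, `mode: '0600'` (or root:<service> 0640 once www-data is no longer in that group). The group membership is only there so nginx can reach the unix socket in /home/<svc>; a dedicated socket directory with its own group, or the socket under /run with `UNIX_SOCKET_PERMISSION` set for www-data, would avoid sharing the service's whole group (which also opens the redis socket, see redis.conf). Separately, both units are written with `template` and then started with `ansible.builtin.service` with no daemon-reload and no `enabled: yes`, so neither survives a reboot; use `ansible.builtin.systemd` with `daemon_reload: yes` and `enabled: yes` as the hedgedoc tasks below do. Ordering: gitea is restarted before the redis config and unit exist, so its first start fails until `Restart=always` catches up; start redis first.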
@ -0,0 +1,26 @@
---
# tasks file for gitea upgrade
- name: Download gitea binary
ansible.builtin.get_url:
url: "{{ gitea_url }}"
dest: /usr/local/bin
checksum: "{{ gitea_checksum }}"
mode: '0755'
- name: Create symbolic link
ansible.builtin.file:
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
dest: "/usr/local/bin/gitea"
state: link
- name: Start gitea systemd unit
ansible.builtin.service:
name: "gitea@{{ gitea_service }}"
state: restarted
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
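Review bot: the upgrade restarts gitea on the new binary with no restore point; Gitea runs database migrations at startup, so a `gitea dump` (or a database backup) before "Start gitea systemd unit" is worth adding, and a `gitea doctor` check afterwards. The final nginx reload changes nothing since no nginx file is touched by this task list.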
@ -0,0 +1,39 @@
APP_NAME = Gitea
RUN_USER = {{ gitea_service }}
RUN_MODE = prod
[server]
PROTOCOL = unix
DOMAIN = {{ gitea_domains | first }}
HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock
UNIX_SOCKET_PERMISSION = 660
OFFLINE_MODE = true
SSH_DOMAIN = {{ gitea_domains | first }}
ROOT_URL = https://{{ gitea_domains | first }}/
[repository]
ROOT = /home/{{ gitea_service }}/repositories
[log]
ROOT_PATH = /home/{{ gitea_service }}/log/
MODE = console
LEVEL = info
[i18n]
LANGS = fr-FR, en-US
NAMES = Français,English
[database]
DB_TYPE = mysql
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
PASSWD = {{ gitea_db_password }}
[session]
PROVIDER = redis
PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
[cache]
ADAPTER = redis
HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
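Review bot: there is no `[security]` section, so `INSTALL_LOCK` keeps its default of false and the first visitor to `ROOT_URL` after the service starts gets Gitea's web installer, which lets them finish setup and create the first administrator account on a vhost that is already public; set `INSTALL_LOCK = true`, supply `SECRET_KEY` and `INTERNAL_TOKEN` from Ansible-managed secrets rather than letting the installer write them, and for a private forge add `[service]` with `DISABLE_REGISTRATION = true`. Also, `[log] MODE = console` sends logs to the journal, so `ROOT_PATH` is unused here and the `/home/<svc>/log` directory created in tasks only serves redis.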
@ -0,0 +1,22 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysqld.service
[Service]
User=%i
Group=%i
Type=simple
RestartSec=2s
Restart=always
WorkingDirectory=/home/%i
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/%i.ini
Environment=GITEA_WORK_DIR=/home/%i/internals
[Install]
WantedBy=multi-user.target
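Review bot: the unit carries no sandboxing; Gitea's own contrib unit ships with `ProtectSystem=full`, `PrivateDevices=yes`, `PrivateTmp=yes` and `NoNewPrivileges=true`, and all of them apply here since everything writable lives under /home/%i. It also does not order itself after the redis instance that holds its sessions and cache; add `After=redis@%i.service` and `Wants=redis@%i.service`. `After=syslog.target` is obsolete on systemd-based Debian and can go.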
@ -0,0 +1,5 @@
location ~ /.well-known/acme-challenge {
alias /var/lib/letsencrypt/;
try_files $uri =404;
allow all;
}
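Review bot: `alias` inside a regular-expression location is only well defined when the regex captures the part to append (nginx documents this for `alias`), and `~ /.well-known/acme-challenge` is unanchored with an unescaped dot, so it also matches URIs such as `/foo/.well-known/acme-challengeX`. The conventional form is a prefix location with `root`: `location ^~ /.well-known/acme-challenge/ { root /var/lib/letsencrypt; default_type text/plain; }`, which maps `/.well-known/acme-challenge/<token>` to `/var/lib/letsencrypt/.well-known/acme-challenge/<token>`, the path certbot writes to with `--webroot-path /var/lib/letsencrypt`. `allow all` only matters if an enclosing context denies.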
@ -0,0 +1,22 @@
bind 127.0.0.1 ::1
protected-mode yes
port 0
unixsocket /home/{{ gitea_service }}/redis/redis.sock
unixsocketperm 770
timeout 0
tcp-keepalive 300
loglevel notice
logfile /home/{{ gitea_service }}/log/redis-server.log
databases 16
save 900 1
save 300 10
save 60 10000
dbfilename dump.rdb
dir /home/{{ gitea_service }}/redis
maxclients {{ gitea_redis_maxclients }}
maxmemory {{ gitea_redis_maxmemory }}
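Review bot: `unixsocketperm 770` lets every member of the service's group connect, and the install tasks add `www-data` to that group, so a compromised nginx worker can read and rewrite Gitea's sessions (db 0) and cache (db 1); use `unixsocketperm 660` (the execute bit means nothing on a socket) and set `requirepass`, passing the secret in Gitea's `password=` connection-string field for both `[session] PROVIDER_CONFIG` and `[cache] HOST`. `bind` and `protected-mode` are moot with `port 0` but harmless. The RDB snapshots under `dir /home/<svc>/redis` contain live session tokens, so the 0750 directory from tasks is the minimum.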
@ -0,0 +1,14 @@
[Unit]
Description=Advanced key-value store
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/redis-server /home/%i/redis/redis.conf
TimeoutStopSec=0
Restart=always
User=%i
Group=%i
[Install]
WantedBy=multi-user.target
@ -0,0 +1,22 @@
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem;
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
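Review bot: `ssl_stapling_verify on;` needs `ssl_trusted_certificate` and a `resolver` to actually staple, and the four trailing CBC suites sit outside the Mozilla intermediate v5.6 profile the header cites (which also uses `ssl_prefer_server_ciphers off`). This file is identical to the etherpad role's ssl.conf.j2 in the same change; a shared nginx snippet would keep the two from drifting.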
@ -0,0 +1,38 @@
upstream gitea_{{ gitea_service }} {
server unix:/home/{{ gitea_service }}/gitea.sock;
}
server {
listen 80;
listen [::]:80;
server_name {{ gitea_domains | first }};
# For certbot
include /etc/nginx/snippets/letsencrypt.conf;
{% if ssl.stat.exists %}
location / { return 301 https://$host$request_uri; }
{% endif %}
}
{% if ssl.stat.exists %}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ gitea_domains | first }};
access_log /var/log/nginx/{{ gitea_service }}.access.log;
error_log /var/log/nginx/{{ gitea_service }}.error.log;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/ssl/{{ gitea_domains | first }}.conf;
location / {
proxy_pass http://gitea_{{ gitea_service }};
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_read_timeout 10;
}
}
{% endif %}
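Review bot: `proxy_read_timeout 10;` in `location /` aborts any git-over-HTTPS clone or push whose response from gitea takes more than 10 s (the nginx default is 60 s), and nginx's default `client_max_body_size` of 1m rejects pushes above 1 MB with 413, so the HTTPS transport only works for tiny repositories; set `client_max_body_size 0;` (or a generous value) and drop or raise the timeout. Unlike the etherpad vhost there is no `proxy_set_header Host $host;`, which is fine as long as `ROOT_URL` is set in the ini, as it is here.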
@ -0,0 +1,2 @@
localhost
@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- privatebin
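Review bot: this test playbook applies the `privatebin` role although it sits with the gitea role's files; if it is webapps/gitea/tests/test.yml the role should be `gitea`, otherwise the test never exercises the role it ships with.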
@ -0,0 +1,2 @@
---
# vars file
@ -0,0 +1,58 @@
hedgedoc
=========
Ce rôle installe le serveur de HedgeDoc, une application rédaction collaborative en temps-réel utilisant la syntaxe Markdown.
Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle hedgedoc sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
Requis
------
...
Variables du rôle
-----------------
Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
Dépendances
------------
Ce rôle Ansible dépend des rôles suivants :
- nodejs
Exemple de playbook
-------------------
```
- name: "Déployer un serveur HedgeDoc"
hosts:
- all
vars:
# Supplanter ici les variables du rôle
domains: ['votre-vrai-domaine.org']
service: 'mon-hedgedoc'
db_host: 'localhost'
db_user: "{{ service }}"
db_name: "{{ service }}"
db_password: 'zKEh-CHANGEZ-MOI-qIKc'
pre_tasks:
- name: "Installer les rôles systèmes"
roles:
- { role: nodejs, nodejs_apt_version: "{{ node_version }}" }
roles:
- { role: webapps/hedgedoc , tags: "hedgedoc" }
```
Licence
-------
GPLv3
Infos sur l'auteur
------------------
Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
@ -0,0 +1,58 @@
hedgedoc
=========
This role installs or upgrades the server for the real-time markdown collaborative editor HedgeDoc.
FRENCH: Voir le fichier LISEZMOI.md pour le français.
Requirements
------------
...
Role Variables
--------------
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following other roles:
- nodejs
Example Playbook
----------------
```
- name: "Deploy a HedgeDoc server"
hosts:
- all
vars:
# Overwrite the role variable here
domains: ['your-real-domain.org']
service: 'my-hedgedoc'
db_host: 'localhost'
db_user: "{{ service }}"
db_name: "{{ service }}"
db_password: 'zKEh-CHANGE-ME-qIKc'
pre_tasks:
- name: "Install system roles"
roles:
- { role: nodejs, nodejs_apt_version: "{{ node_version }}" }
roles:
- { role: webapps/hedgedoc , tags: "hedgedoc" }
```
License
-------
GPLv3
Author Information
------------------
Mathieu Gauthier-Pilote, sys. admin. at Evolix.
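Review bot: the example playbook predates the `hedgedoc_` prefix now used in defaults/main.yml (`hedgedoc_domains`, `hedgedoc_service`, `hedgedoc_db_host`, `hedgedoc_db_user`, `hedgedoc_db_name`, `hedgedoc_db_password`, `hedgedoc_node_version`), so `domains`, `service`, `db_password` and `node_version` set here are ignored and the role installs with `example.domain.org` and the `CHANGE_ME` password; LISEZMOI.md has the same example. `pre_tasks` is a task list and cannot contain a `roles:` key, so the nodejs step as written is invalid; use `ansible.builtin.import_role` or `include_role` inside `pre_tasks`, or list `nodejs` before `webapps/hedgedoc` under `roles:`. Keep `db_password` out of the playbook (ansible-vault or a vars file outside the repository).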
@ -0,0 +1,15 @@
---
# defaults file for mastodon
hedgedoc_system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot']"
hedgedoc_git_url: 'https://github.com/hedgedoc/hedgedoc.git'
hedgedoc_git_version: '1.9.9'
hedgedoc_node_version: 'node_18.x'
hedgedoc_node_port: '3000'
hedgedoc_service: 'example'
hedgedoc_domains: ['example.domain.org']
hedgedoc_certbot_admin_email: 'security@example.org'
hedgedoc_db_host: 'localhost'
hedgedoc_db_user: "{{ hedgedoc_service }}"
hedgedoc_db_name: "{{ hedgedoc_service }}"
hedgedoc_db_password: 'CHANGE_ME'
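Review bot: `hedgedoc_git_version: '1.9.9'` is checked out by tag in tasks, and tags are mutable; pin a commit hash (or verify the signed tag) so the build is reproducible, the same way the gitea defaults pin `gitea_checksum` for the binary. `# defaults file for mastodon` (and the matching header in handlers/main.yml) is a copy-paste leftover. `hedgedoc_db_password: 'CHANGE_ME'` is applied with `no_password_changes: true` in tasks, so a first run with the default makes the placeholder the permanent database password; an `ansible.builtin.assert` that it has been overridden would fail fast. `hedgedoc_system_dep` should be a YAML list rather than a string that looks like one.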
@ -0,0 +1,2 @@
---
# handlers file for mastodon
@ -0,0 +1,52 @@
galaxy_info:
author: Mathieu Gauthier-Pilote
description: sys. admin.
company: Evolix
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license GPL-3.0-only
min_ansible_version: 2.10
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
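Review bot: `license: license GPL-3.0-only` should be `license: GPL-3.0-only`, a bare SPDX identifier as the comment above requests. `dependencies: []` while the README declares a dependency on `nodejs` is inconsistent; either declare it here or keep the README's pre_tasks approach and say so.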
@ -0,0 +1,151 @@
---
# tasks file for hedgedoc install
- name: Install main system dependencies
ansible.builtin.apt:
name: "{{ hedgedoc_system_dep }}"
update_cache: yes
#- name: Install node-gyp from npm
# ansible.builtin.shell: npm install --global node-gyp corepack
#- name: Enable yarn (via corepack)
# ansible.builtin.shell: "corepack enable"
#- name: Fix permissions
# ansible.builtin.file:
# path: /usr/local/lib/node_modules
# mode: g+rx,o+rx
# recurse: yes
- name: Add UNIX account
ansible.builtin.user:
name: "{{ hedgedoc_service }}"
shell: /bin/bash
- name: Add PostgreSQL user
community.postgresql.postgresql_user:
name: "{{ hedgedoc_db_user }}"
password: "{{ hedgedoc_db_password }}"
no_password_changes: true
become_user: postgres
- name: Add PostgreSQL database
community.postgresql.postgresql_db:
name: "{{ hedgedoc_db_name }}"
owner: "{{ hedgedoc_db_user }}"
become_user: postgres
- block:
- name: Clone hedgedoc repo (git)
ansible.builtin.git:
repo: "{{ hedgedoc_git_url }}"
dest: "~/hedgedoc/"
version: "{{ hedgedoc_git_version | default(omit) }}"
update: yes
umask: '0022'
# - name: Set cache dir for yarn
# ansible.builtin.shell: yarn config set cache-folder /var/tmp/cache/yarn
# args:
# chdir: "~/"
- name: Run setup
ansible.builtin.shell: "bin/setup"
args:
chdir: "~/hedgedoc"
- name: Install dependencies for frontend app
ansible.builtin.shell: "yarn install --frozen-lockfile"
args:
chdir: "~/hedgedoc"
- name: Build frontend app
ansible.builtin.shell: "yarn build"
args:
chdir: "~/hedgedoc"
become_user: "{{ hedgedoc_service }}"
- name: Template json config file
ansible.builtin.template:
src: "config.json.j2"
dest: "~{{ hedgedoc_service }}/hedgedoc/config.json"
owner: "{{ hedgedoc_service }}"
group: "{{ hedgedoc_service }}"
mode: "0640"
- name: Add systemd unit
ansible.builtin.template:
src: "hedgedoc.service.j2"
dest: "/etc/systemd/system/{{ hedgedoc_service }}.service"
- name: Enable systemd units
ansible.builtin.systemd:
name: "{{ hedgedoc_service }}.service"
enabled: yes
daemon_reload: yes
- name: Start service
ansible.builtin.service:
name: "{{ hedgedoc_service }}.service"
state: restarted
- name: Template nginx snippet for Let's Encrypt/Certbot
ansible.builtin.template:
src: "letsencrypt.conf.j2"
dest: "/etc/nginx/snippets/letsencrypt.conf"
- name: Check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
register: ssl
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
- name: Enable temporary nginx vhost for LE
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
- name: Make sure /var/lib/letsencrypt exists and has correct permissions
ansible.builtin.file:
path: /var/lib/letsencrypt
state: directory
mode: '0755'
- name: Generate certificate with certbot
ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ hedgedoc_certbot_admin_email }} -d {{ hedgedoc_domains |first }}
- name: Create the ssl dir if needed
ansible.builtin.file:
path: /etc/nginx/ssl
state: directory
mode: '0750'
- name: Template ssl bloc for nginx vhost
ansible.builtin.template:
src: "ssl.conf.j2"
dest: "/etc/nginx/ssl/{{ hedgedoc_domains |first }}.conf"
when: ssl.stat.exists != true
- name: (Re)check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
register: ssl
- name: (Re)template conf file for nginx vhost with SSL
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
- name: Enable nginx vhost for hedgedoc
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
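Review bot: the certificate is requested only for `{{ hedgedoc_domains | first }}` (both the `stat` check and the `certbot ... -d` argument) although `hedgedoc_domains` is a list, so any additional name in that list is served by nginx without a matching certificate; either pass every entry with repeated `-d` options (`{% for d in hedgedoc_domains %}-d {{ d }} {% endfor %}`) or document that the variable is expected to hold a single domain. On the same task, `hedgedoc_certbot_admin_email` and the domain are interpolated straight into a shell command line; `ansible.builtin.command` with an `argv:` list keeps those values from being interpreted by the shell. Elsewhere in the hunk, the `bin/setup`, `yarn install`, `yarn build` and `certbot` shell tasks have no `changed_when`/`creates`, and `Start service` uses `state: restarted` unconditionally, so every run of the role reports changes and restarts HedgeDoc even when nothing changed; consider `state: started` here plus a handler triggered by the template and build tasks. Minor: `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`, and the task name `successfull LE challengce` has two typos.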

View file

@ -0,0 +1,57 @@
---
# tasks file for hedgedoc upgrade
- name: Dump database to a file with compression
community.postgresql.postgresql_db:
name: "{{ hedgedoc_service }}"
state: dump
target: "~/{{ hedgedoc_service }}.sql.gz"
become_user: postgres
- name: Stop service
ansible.builtin.service:
name: "{{ hedgedoc_service }}.service"
state: stopped
- block:
- name: Clone hedgedoc repo (git)
ansible.builtin.git:
repo: "{{ hedgedoc_git_url }}"
dest: "~/hedgedoc/"
version: "{{ hedgedoc_git_version }}"
update: yes
- name: Run setup
ansible.builtin.shell: "bin/setup"
args:
chdir: "~/hedgedoc"
- name: Install dependencies for frontend app
ansible.builtin.shell: "yarn install --frozen-lockfile"
args:
chdir: "~/hedgedoc"
- name: Build frontend app
ansible.builtin.shell: "yarn build"
args:
chdir: "~/hedgedoc"
become_user: "{{ hedgedoc_service }}"
- name: Restart services
ansible.builtin.service:
name: "{{ hedgedoc_service }}.service"
state: restarted
- name: Define variable to skip next task by default
ansible.builtin.set_fact:
keep_db_dump: true
- name: Remove database dump
ansible.builtin.file:
path: "~/{{ hedgedoc_service }}.sql.gz"
state: absent
become_user: postgres
when: keep_db_dump is undefined
tags: clean
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
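Review bot: the pre-upgrade dump targets `name: "{{ hedgedoc_service }}"`, while install.yml creates the database as `{{ hedgedoc_db_name }}`; unless both variables happen to hold the same value, the backup fails (or dumps another database) before the service is stopped, so use `hedgedoc_db_name` here as well. The same hunk clones with `version: "{{ hedgedoc_git_version }}"` without the `| default(omit)` used in install.yml, so an upgrade run with that variable undefined errors out. The dump written to `~/{{ hedgedoc_service }}.sql.gz` contains user content and should have its permissions restricted to the postgres user; and since the `keep_db_dump` set_fact/`when: keep_db_dump is undefined` pair means the dump is only removed when the play is run with `--tags clean`, a short comment stating that intent would help the next reader.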

View file

@ -0,0 +1,46 @@
{
"test": {
"db": {
"dialect": "sqlite",
"storage": ":memory:"
},
"linkifyHeaderStyle": "gfm"
},
"development": {
"loglevel": "debug",
"db": {
"dialect": "sqlite",
"storage": "./db.hedgedoc.sqlite"
},
"domain": "localhost",
"urlAddPort": true
},
"production": {
"domain": "{{ hedgedoc_domains }}",
"loglevel": "info",
"protocolUseSSL": "true",
"urlAddPort": false,
"hsts": {
"enable": true,
"maxAgeSeconds": 31536000,
"includeSubdomains": true,
"preload": true
},
"csp": {
"enable": true,
"directives": {
},
"upgradeInsecureRequests": "auto",
"addDefaults": true
},
"cookiePolicy": "lax",
"db": {
"username": "{{ hedgedoc_db_user }}",
"password": "{{ hedgedoc_db_password }}",
"database": "{{ hedgedoc_db_name }}",
"host": "{{ hedgedoc_db_host }}",
"port": "5432",
"dialect": "postgres"
}
}
}
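Review bot: `"domain": "{{ hedgedoc_domains }}"` renders the whole list (e.g. `['hedgedoc.example.org']`, a constructed value) because install.yml treats `hedgedoc_domains` as a list (`hedgedoc_domains | first`); use `{{ hedgedoc_domains | first }}` so HedgeDoc receives a hostname, or switch the role to a scalar variable. `"protocolUseSSL": "true"` is a string where the neighbouring keys (`urlAddPort`, `hsts.enable`) are JSON booleans; write `true`. The database password is interpolated raw inside a JSON string, so a value containing `"` or `\` yields an invalid config.json; render it with `{{ hedgedoc_db_password | to_json }}` (dropping the surrounding quotes) so it is always escaped correctly.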

Some files were not shown because too many files have changed in this diff.