From a42d0464d77e3fc93d7da81d26b2e148a1c6c8a2 Mon Sep 17 00:00:00 2001
From: Ruben De Smet
Date: Thu, 23 Mar 2017 19:56:51 +0100
Subject: [PATCH 1/3] Implement automatic zones
---
icinga2-ansible-add-zones/defaults/main.yml | 6 +
icinga2-ansible-add-zones/handlers/main.yml | 12 ++
icinga2-ansible-add-zones/meta/main.yml | 128 ++++++++++++++++++
.../tasks/icinga2_add_zones.yml | 29 ++++
icinga2-ansible-add-zones/tasks/main.yml | 11 ++
.../templates/endpoint_zones.j2 | 14 ++
icinga2-ansible-add-zones/templates/zone.j2 | 12 ++
.../templates/zones.conf | 1 +
8 files changed, 213 insertions(+)
create mode 100644 icinga2-ansible-add-zones/defaults/main.yml
create mode 100644 icinga2-ansible-add-zones/handlers/main.yml
create mode 100644 icinga2-ansible-add-zones/meta/main.yml
create mode 100644 icinga2-ansible-add-zones/tasks/icinga2_add_zones.yml
create mode 100644 icinga2-ansible-add-zones/tasks/main.yml
create mode 100644 icinga2-ansible-add-zones/templates/endpoint_zones.j2
create mode 100644 icinga2-ansible-add-zones/templates/zone.j2
create mode 100644 icinga2-ansible-add-zones/templates/zones.conf
diff --git a/icinga2-ansible-add-zones/defaults/main.yml b/icinga2-ansible-add-zones/defaults/main.yml
new file mode 100644
index 00000000..0443be13
--- /dev/null
+++ b/icinga2-ansible-add-zones/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# defaults file for icinga2-ansible-add-zones
+
+icinga2_zones_dir: "/etc/icinga2/zones.d/"
+icinga_master_zone: "master"
+icinga_merged_zones: '{{icinga_zones|combine({ icinga_master_zone : {} })}}'
diff --git a/icinga2-ansible-add-zones/handlers/main.yml b/icinga2-ansible-add-zones/handlers/main.yml
new file mode 100644
index 00000000..866546ae
--- /dev/null
+++ b/icinga2-ansible-add-zones/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# handlers file for icinga2-ansible-add-zones
+
+- name: restart icinga2
+ service: name=icinga2
+ state=restarted
+ enabled=yes
+
+- name: reload icinga2
+ service: name=icinga2
+ state=reloaded
+ enabled=yes
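Review bot: `icinga_merged_zones` is built from `icinga_zones`, but this defaults file never defines `icinga_zones`, so a play that does not set it fails with an undefined variable as soon as `Copy Zone Definitions` iterates the merged map; add `icinga_zones: {}` above it so the role works with only the master zone. The `combine` is also the wrong way round: the right-hand operand wins, so a user-supplied entry for the master zone (for example one carrying `parent`, which zone.j2 reads) is silently replaced by `{}` — use `'{{ { icinga_master_zone: {} } | combine(icinga_zones) }}'` instead. A one-line comment such as `# user zones plus an always-present master zone; keys are zone names, values may carry 'parent'` would document the shape zone.j2 depends on.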
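Review bot: Both handlers use the `key=value` argument-string form with `enabled=yes`, while the task files of the same role (`Copy Zone Definitions`, `tasks/main.yml`) use block YAML, so the role mixes styles; write them as `service:` / `name: icinga2` / `state: restarted` / `enabled: true`. Within this role no task notifies `restart icinga2` — only `reload icinga2` is referenced — so either a task should use it or it can go.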
diff --git a/icinga2-ansible-add-zones/meta/main.yml b/icinga2-ansible-add-zones/meta/main.yml
new file mode 100644
index 00000000..aee201dc
--- /dev/null
+++ b/icinga2-ansible-add-zones/meta/main.yml
@@ -0,0 +1,128 @@ +--- +galaxy_info: + author: your name + description: + company: your company (optional) + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + min_ansible_version: 1.2 + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! + # + platforms: + - name: EL + versions: + # - all + # - 5 + - 6 + - 7 + #- name: GenericUNIX + # versions: + # - all + # - any + - name: Fedora + versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + - 20 + - 21 + - 22 + - 23 + - 24 + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + #- name: GenericBSD + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + #- name: Ubuntu + # versions: + # - all + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + #- name: GenericLinux + # versions: + # - all + # - any + #- name: Debian + # versions: + # - all + # - etch + # - lenny + # - squeeze + # - wheezy + # + # Below are all categories currently available. Just as with + # the platforms above, uncomment those that apply to your role. + # + #categories: + #- cloud + #- cloud:ec2 + #- cloud:gce + #- cloud:rax + #- clustering + #- database + #- database:nosql + #- database:sql + #- development + #- monitoring + #- networking + #- packaging + #- system + #- web +dependencies: [] + # List your role dependencies here, one per line. Only + # dependencies available via galaxy should be listed here. 
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
+
diff --git a/icinga2-ansible-add-zones/tasks/icinga2_add_zones.yml b/icinga2-ansible-add-zones/tasks/icinga2_add_zones.yml
new file mode 100644
index 00000000..f79acaa2
--- /dev/null
+++ b/icinga2-ansible-add-zones/tasks/icinga2_add_zones.yml
@@ -0,0 +1,29 @@
+---
+- name: Copy Endpoint Zone Definitions
+ template: src=endpoint_zones.j2
+ dest={{ icinga2_zones_dir }}/{{ hostvars[item]['ansible_fqdn'] }}.conf
+ owner=icinga
+ group=icinga
+ mode=0640
+ with_items: "{{ groups['all'] }}"
+ notify:
+ - reload icinga2
+
+- name: Copy Zone Definitions
+ template:
+ src: zone.j2
+ dest: "{{ icinga2_zones_dir }}/{{ item }}.conf"
+ owner: icinga
+ group: icinga
+ mode: 0640
+ with_items: "{{ icinga_merged_zones }}"
+ notify:
+ - reload icinga2
+
+- name: Copy zones.conf
+ template:
+ src: zones.conf
+ dest: /etc/icinga2/zones.conf
+ owner: icinga
+ group: icinga
+ mode: 0640
diff --git a/icinga2-ansible-add-zones/tasks/main.yml b/icinga2-ansible-add-zones/tasks/main.yml
new file mode 100644
index 00000000..c60a86a9
--- /dev/null
+++ b/icinga2-ansible-add-zones/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+# tasks file for icinga2-ansible-add-zones
+
+- name: Ensure existance of {{ icinga2_zones_dir }}
+ file:
+ name: "{{ icinga2_zones_dir }}"
+ state: directory
+ owner: icinga
+ group: icinga
+
+- include: icinga2_add_zones.yml
diff --git a/icinga2-ansible-add-zones/templates/endpoint_zones.j2 b/icinga2-ansible-add-zones/templates/endpoint_zones.j2
new file mode 100644
index 00000000..11f4a08e
--- /dev/null
+++ b/icinga2-ansible-add-zones/templates/endpoint_zones.j2
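Review bot: `Copy zones.conf` replaces `/etc/icinga2/zones.conf` but has no `notify:`, so unlike the two tasks above it a change there never triggers a reload; add `notify:` / `  - reload icinga2` to it as well. `ansible_fqdn` is a fact reported by each managed node, and `Copy Endpoint Zone Definitions` interpolates it unquoted into the `dest` path and, through endpoint_zones.j2, into Icinga object names, so a node reporting a name with `/`, `..`, whitespace or `"` would write outside `zones.d` or produce unparsable config — `inventory_hostname` comes from the inventory rather than the target, or validate the fact against a hostname regex before use. The loop over `groups['all']` also fails with an undefined `ansible_fqdn` for any host whose facts were not gathered in the current play. Finally, the first task uses the `key=value` form while the other two use block YAML, and the `mode: 0640` values should be quoted so YAML does not read them as octal integers.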
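Review bot: `Ensure existance of {{ icinga2_zones_dir }}` sets owner and group but no `mode`, so the directory's permissions depend on the default umask while every file icinga2_add_zones.yml writes into it is `0640`; add `mode: "0750"` (quoted, so YAML keeps it a string) after `group: icinga`. The task name also misspells `existence`. `icinga2_zones_dir` defaults to `/etc/icinga2/zones.d/` with a trailing slash and both `dest` values in icinga2_add_zones.yml insert another `/`, which renders as `zones.d//name.conf`; drop the trailing slash from the default or the separator in `dest`.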
@@ -0,0 +1,14 @@
+object Endpoint "{{ hostvars[item]['ansible_fqdn'] }}" {
+ host = "{{ hostvars[item]['ansible_fqdn'] }}"
+}
+
+{% if 'icinga_zone' in hostvars[item] %}
+object Zone "{{ hostvars[item]['ansible_fqdn'] }}" {
+ endpoints = [ "{{ hostvars[item]['ansible_fqdn'] }}" ]
+ {% if 'icinga_zone' in hostvars[item] %}
+ parent = "{{ hostvars[item]['icinga_zone'] }}"
+ {% else %}
+ parent = "{{ icinga_master_zone }}"
+ {% endif %}
+}
+{% endif %}
diff --git a/icinga2-ansible-add-zones/templates/zone.j2 b/icinga2-ansible-add-zones/templates/zone.j2
new file mode 100644
index 00000000..ebf5aaa0
--- /dev/null
+++ b/icinga2-ansible-add-zones/templates/zone.j2
@@ -0,0 +1,12 @@
+object Zone "{{ item }}" {
+ {% if 'parent' in icinga_merged_zones[item] %}
+ parent = "{{ icinga_merged_zones[item].parent }}"
+ {% endif %}
+
+ endpoints = [
+ {% for host, params in hostvars.iteritems() %}
+ {% if item == icinga_master_zone and 'icinga_zone' not in params %}
+ "{{ host }}",
+ {% endif %}{% endfor %}
+ ]
+}
diff --git a/icinga2-ansible-add-zones/templates/zones.conf b/icinga2-ansible-add-zones/templates/zones.conf
new file mode 100644
index 00000000..e11f55b0
--- /dev/null
+++ b/icinga2-ansible-add-zones/templates/zones.conf
@@ -0,0 +1 @@
+include_recursive "zones.d"
From d0075e0dfb9431eebbc545e12ede977f2c6c9c7c Mon Sep 17 00:00:00 2001
From: Ruben De Smet
Date: Thu, 16 Mar 2017 14:21:40 +0100
Subject: [PATCH 2/3] Add option to enable icinga2 api
---
icinga2-ansible-no-ui/defaults/main.yml | 3 +++
.../tasks/icinga2_enable_api.yml | 21 +++++++++++++++++++
icinga2-ansible-no-ui/tasks/main.yml | 3 +++
3 files changed, 27 insertions(+)
create mode 100644 icinga2-ansible-no-ui/tasks/icinga2_enable_api.yml
diff --git a/icinga2-ansible-no-ui/defaults/main.yml b/icinga2-ansible-no-ui/defaults/main.yml
index fbadde39..eb8caa81 100644
--- a/icinga2-ansible-no-ui/defaults/main.yml
+++ b/icinga2-ansible-no-ui/defaults/main.yml
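Review bot: The inner `{% if 'icinga_zone' in hostvars[item] %}` repeats the outer guard, so the `{% else %}` branch that emits `parent = "{{ icinga_master_zone }}"` can never render; one of the two conditions is wrong. If hosts without `icinga_zone` are meant to sit directly in the master zone (which is what zone.j2 does by listing them as master endpoints), remove the inner if/else and keep only `parent = "{{ hostvars[item]['icinga_zone'] }}"`; if every host is meant to get its own child zone, remove the outer guard instead. The `host = ...` attribute on every Endpoint tells the local node to open the connection to that endpoint itself, so a template comment stating that the master is expected to dial out to every inventory host would document the intent — e.g. `{# the master connects outbound to each endpoint; omit 'host' for agents that must connect in #}`.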
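Review bot: `hostvars.iteritems()` exists only under Python 2; on a Python 3 controller the template fails to render, so use `hostvars.items()`, which works on both. The loop adds endpoints only when `item == icinga_master_zone`, so every non-master zone is rendered with an empty `endpoints = [ ]` and relies on endpoint_zones.j2 to define its members — worth a `{# child zones get their endpoints from endpoint_zones.j2 #}` comment, since that is not visible from this file. Because `hostvars` covers every host in the inventory, any host without an `icinga_zone` variable — including machines unrelated to Icinga — becomes a master-zone endpoint and thus a trusted cluster member; scoping the loop to a dedicated group keeps that trust explicit.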
@@ -25,3 +25,6 @@ icinga2_yum:
 icinga2_main_conf: "/etc/icinga2/icinga2.conf"
 icinga2_conf_d: "/etc/icinga2/conf.d"
+
+icinga2_enable_api: false
+icinga2_master_zone: localdomain
diff --git a/icinga2-ansible-no-ui/tasks/icinga2_enable_api.yml b/icinga2-ansible-no-ui/tasks/icinga2_enable_api.yml
new file mode 100644
index 00000000..991b02f4
--- /dev/null
+++ b/icinga2-ansible-no-ui/tasks/icinga2_enable_api.yml
@@ -0,0 +1,21 @@
+---
+- name: Enable Icinga2 API
+ command: >
+ icinga2 node setup
+ --master
+ --accept-config
+ args:
+ creates: "/etc/icinga2/pki/{{ icinga2_master_zone }}.crt"
+ notify:
+ restart icinga2
+ # --zone arg The name of the local zone
+ # --master_host arg The name of the master host for auto-signing the csr;
+ # syntax: host[,port]
+ # --endpoint arg Connect to remote endpoint; syntax: cn[,host,port]
+ # --listen arg Listen on host,port
+ # --ticket arg Generated ticket number for this request
+ # --trustedcert arg Trusted master certificate file
+ # --cn arg The certificate's common name
+ # --accept-config Accept config from master
+ # --accept-commands Accept commands from master
+ # --master Use setup for a master instance
diff --git a/icinga2-ansible-no-ui/tasks/main.yml b/icinga2-ansible-no-ui/tasks/main.yml
index acd9c57b..158df3c5 100644
--- a/icinga2-ansible-no-ui/tasks/main.yml
+++ b/icinga2-ansible-no-ui/tasks/main.yml
@@ -16,3 +16,6 @@
 - include: icinga2_configure.yml
 tags:
 - icinga2_configure
+
+- include: icinga2_enable_api.yml
+ when: icinga2_enable_api
From 57cb079d2648847da7a7f42b5e1f547572ca5491 Mon Sep 17 00:00:00 2001
From: Ruben De Smet
Date: Thu, 23 Mar 2017 19:58:57 +0100
Subject: [PATCH 3/3] Add possibility of satellite Icinga nodes
---
icinga2-ansible-satellite/defaults/main.yml | 2 +
icinga2-ansible-satellite/tasks/main.yml | 95 +++++++++++++++++++++
2 files changed, 97 insertions(+)
create mode 100644 icinga2-ansible-satellite/defaults/main.yml
create mode 100644 icinga2-ansible-satellite/tasks/main.yml
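Review bot: `icinga2_master_zone: localdomain` introduces a second master-zone variable beside patch 1's `icinga_master_zone: "master"` in icinga2-ansible-add-zones/defaults/main.yml; the two roles will disagree unless a user sets both, so pick one name (the `icinga2_` prefix matches the rest of this file) and one default. Its only use in this patch is the `creates:` guard in icinga2_enable_api.yml, where the file is named after the certificate's common name rather than a zone, so a comment such as `# must equal the CN that 'icinga2 node setup --master' assigns to this host` would make that coupling explicit.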
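Review bot: The `creates:` guard only matches when `icinga2_master_zone` equals the CN that `icinga2 node setup --master` uses for the certificate file (as far as I can tell the host's FQDN, since no `--cn` is passed), so with the default `localdomain` the guard is unlikely to match, `node setup` re-runs, and the `restart icinga2` handler fires on every play. Pass `--cn "{{ ansible_fqdn }}"` and use the same value in the guard, `creates: "/etc/icinga2/pki/{{ ansible_fqdn }}.crt"`, so the two cannot drift apart. `--accept-config` makes the node apply configuration pushed by a parent zone; a master has no parent, so either drop the flag or add a comment explaining why it is set. The pasted `--help` text after `notify:` adds nothing to the task file and should be removed.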
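Review bot: The new include is the only one in this file without `tags:`, while the preceding `icinga2_configure.yml` include carries `tags:` / `  - icinga2_configure`, so a run limited with `--tags` silently skips enabling the API; add `tags:` / `  - icinga2_enable_api` for consistency with its neighbours.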
diff --git a/icinga2-ansible-satellite/defaults/main.yml b/icinga2-ansible-satellite/defaults/main.yml
new file mode 100644
index 00000000..49b85f0f
--- /dev/null
+++ b/icinga2-ansible-satellite/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for icinga2-ansible-satellite
diff --git a/icinga2-ansible-satellite/tasks/main.yml b/icinga2-ansible-satellite/tasks/main.yml
new file mode 100644
index 00000000..a5184486
--- /dev/null
+++ b/icinga2-ansible-satellite/tasks/main.yml
@@ -0,0 +1,95 @@
+---
+- name: Check registration of host
+ stat:
+ path: /etc/icinga2/pki/ca.crt
+ register: st
+
+- set_fact:
+ pki_configured: true
+ when: st.stat.isfile is defined and st.stat.isfile
+
+- set_fact:
+ pki_configured: false
+ when: st.stat.isfile is not defined or not st.stat.isfile
+
+- block:
+ - name: Create pki directory
+ file:
+ dest: /etc/icinga2/pki
+ state: directory
+ owner: icinga
+ group: icinga
+ mode: 0700
+
+ - name: Create local cert
+ command: >
+ icinga2 pki new-cert
+ --cn "{{ inventory_hostname }}"
+ --key /etc/icinga2/pki/{{ inventory_hostname }}.key
+ --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt
+ args:
+ creates: /etc/icinga2/pki/{{ inventory_hostname }}.key
+
+ - name: Set trusted master certificate
+ command: >
+ icinga2 pki save-cert
+ --key /etc/icinga2/pki/{{ inventory_hostname }}.key
+ --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt
+ --trustedcert /etc/icinga2/pki/trusted-master.crt
+ --host {{ icinga2_master }}
+ args:
+ creates: /etc/icinga2/pki/trusted-master.crt
+
+ - name: Request Icinga2 ticket
+ command: >
+ icinga2 pki ticket
+ --cn "{{ inventory_hostname }}"
+ register: key
+ delegate_to: "{{ icinga2_master }}"
+
+ - name: Request PKI
+ command: >
+ icinga2 pki request
+ --host {{ icinga2_master }}
+ --port 5665
+ --ticket {{ key.stdout }}
+ --key /etc/icinga2/pki/{{ inventory_hostname }}.key
+ --cert /etc/icinga2/pki/{{ inventory_hostname }}.crt
+ --trustedcert /etc/icinga2/pki/trusted-master.crt
+ --ca /etc/icinga2/pki/ca.crt
+ args:
+ creates: /etc/icinga2/pki/ca.crt
+
+ - name: Setup Icinga as satellite node
+ command: >
+ icinga2 node setup
+ --cn {{ inventory_hostname }}
+ --ticket {{ key.stdout }}
+ --endpoint "{{ icinga2_master }}"
+ --master_host "{{ icinga2_master }}"
+ --zone "{{ inventory_hostname }}"
+ --trustedcert /etc/icinga2/pki/trusted-master.crt
+ --accept-config
+ --accept-commands
+ # --zone arg # The name of the local zone
+ # --master_host arg # The name of the master host for auto-signing the csr;
+ # # syntax: host[,port]
+ # --endpoint arg # Connect to remote endpoint; syntax: cn[,host,port]
+ # --listen arg # Listen on host,port
+ # --ticket arg # Generated ticket number for this request
+ # --trustedcert arg # Trusted master certificate file
+ # --cn arg # The certificate's common name
+ # --accept-config # Accept config from master
+ # --accept-commands # Accept commands from master
+ # --master # Use setup for a master instance
+ - name: Restart Icinga
+ service:
+ name: icinga2
+ state: reloaded
+
+ - name: Restart Icinga master
+ service:
+ name: icinga2
+ state: reloaded
+ delegate_to: "{{ icinga2_master }}"
+ when: not pki_configured
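Review bot: `Set trusted master certificate` stores whatever certificate answers on `{{ icinga2_master }}:5665` at first contact, and `creates:` then pins that file for every later run, so the satellite's trust anchor is never checked against anything the play already knows; since the play already reaches the master over the Ansible channel (`delegate_to` in `Request Icinga2 ticket`), read the master's certificate there with a delegated `slurp` and write it to `/etc/icinga2/pki/trusted-master.crt` with `copy` instead, or at least compare the saved file's fingerprint with one computed on the master before `Request PKI` runs. The value returned by `icinga2 pki ticket` authorises certificate signing for that CN and is registered and then interpolated into two command lines, so it shows up in verbose output and any callback or log sink; set `no_log: true` on `Request Icinga2 ticket`, `Request PKI` and `Setup Icinga as satellite node`. Whether the closing `when: not pki_configured` belongs to the `block` or only to `Restart Icinga master` is not recoverable from the collapsed indentation here; if it is the latter, `Request Icinga2 ticket` and `Setup Icinga as satellite node` have no `creates:` guard and re-run on every play. `icinga2_master` has no default (the role's defaults file is empty) and should be documented as required, e.g. `# icinga2_master: inventory name of the master node (required)`, and `--cn {{ inventory_hostname }}`, `--ticket {{ key.stdout }}` and `mode: 0700` should be quoted like the neighbouring values.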