diff --git a/.ansible-lint b/.ansible-lint index 7d8facb..7313c5b 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,3 +1,5 @@ +--- + skip_list: - '405' - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern' diff --git a/.github/workflows/ansible-ci.yml b/.github/workflows/ansible-ci.yml index 6402742..18a4ff6 100644 --- a/.github/workflows/ansible-ci.yml +++ b/.github/workflows/ansible-ci.yml @@ -3,9 +3,9 @@ name: CI - Linting on: push: - branches: [ master ] + branches: [master] pull_request: - branches: [ master ] + branches: [master] jobs: # This workflow contains a single job called "build" @@ -14,8 +14,6 @@ jobs: steps: - uses: actions/checkout@v2 - with: - path: icinga2_web # Checkout Adfinis lint-rules - uses: actions/checkout@v2 @@ -24,7 +22,7 @@ jobs: path: lint-rules - name: ansible-lint - uses: ansible/ansible-lint-action@master + uses: ansible/ansible-lint@main with: targets: icinga2_web args: "-R -r lint-rules" @@ -33,6 +31,3 @@ jobs: ansible-lint~=5.0 - name: yamllint uses: karancode/yamllint-github-action@v2.0.0 - with: - yamllint_config_filepath: icinga2_web/.testenv/yamllint.yml - yamllint_file_or_dir: icinga2_web diff --git a/.testenv/yamllint.yml b/.yamllint similarity index 100% rename from .testenv/yamllint.yml rename to .yamllint diff --git a/README.md b/README.md new file mode 100644 index 0000000..2cc6078 --- /dev/null +++ b/README.md 
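Review bot: The lint step in the `@@ -24,7 +22,7 @@` hunk now runs `uses: ansible/ansible-lint@main`, a third-party action referenced by a moving branch, so whatever lands on that branch executes in this repository's CI without review. Pin it to a full commit SHA with the release noted beside it, e.g. `uses: ansible/ansible-lint@<FULL_COMMIT_SHA>  # <release tag>`; the unchanged `actions/checkout@v2` lines would benefit from the same treatment. Separately, the step keeps `targets: icinga2_web` although the checkout in the previous hunk no longer sets `path: icinga2_web`, so the lint target probably no longer exists in the workspace and should be dropped or pointed at the repository root.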
@@ -0,0 +1,185 @@ +ROLE ICINGA2_WEB +================ + +[![image](https://img.shields.io/github/license/adfinis/ansible-role-icinga2_web.svg?style=flat-square)](https://github.com/adfinis/ansible-role-icinga2_web/blob/master/LICENSE) + +[![image](https://img.shields.io/github/actions/workflow/status/adfinis/ansible-role-icinga2_web/ansible-ci.yml?branch=master&style=flat-square)](https://github.com/adfinis/ansible-role-icinga2_web/actions/workflows/ansible-ci.yml) + +[![image](https://img.shields.io/badge/galaxy-adfinis.icinga2_web-660198.svg?style=flat-square)](https://galaxy.ansible.com/ui/standalone/roles/adfinis/icinga2_web/) + +This role installs and configures icingaweb2. + +# Requirements + +What you will need to benefit from this role is a webserver installed on +the system. At Adfinis, we use the following role: + +- [adfinis-sygroup.nginx](https://galaxy.ansible.com/adfinis-sygroup/nginx) + +## Role dependencies +This role has the following dependencies: + +``` yaml +roles: +- name: 'adfinis.icinga2_agent' + +collections: + - ansible.posix + - community.general + - community.mysql + - robertdebock.roles +``` + +For all dependencies to be correcty installed, you need to create a +`requirements.yml` in your project with the content above. 
+ + +# Role Variables + +``` yaml +# The icingaweb2 web ui password +icinga2_web_admin_pass: 'passw0rd' + +# icinga2 API host +icinga2_web_api_host: 127.0.0.1 + +# icinga2 API port +icinga2_web_api_port: 5665 + +# icinga2 API user +icinga2_web_api_user: icingaweb2 + +# icinga2 API password +icinga2_web_api_pass: 'passw0rd' + + +## icingaweb2 database settings +# The icingaweb2 database name +icinga2_web_icingaweb2_database_name: icingaweb2 + +# The icingaweb2 database user +icinga2_web_icingaweb2_database_user: icingaweb2 + +# The icingaweb2 database password +icinga2_web_icingaweb2_database_pass: 'passw0rd' + +# The icingaweb2 database host +icinga2_web_icingaweb2_database_host: 127.0.0.1 + +# The icingaweb2 database port +icinga2_web_icingaweb2_database_port: 3306 + + +## Icinga2 database settings +# icinga2 database name +icinga2_web_icinga2_database_name: icinga2 +# +# icinga2 database host +icinga2_web_icinga2_database_host: 127.0.0.1 + +# icinga2 database port +icinga2_web_icinga2_database_port: 3306 + +# icinga2 database user +icinga2_web_icinga2_database_user: icinga2 + +# icinga2 database password +icinga2_web_icinga2_database_pass: 'passw0rd' +``` + +## LDAP Authentication + +To configure LDAP authentication, the following variables MUST be +configured. It is possible to enable multiple configuration backends. 
+ +``` yaml +# Icingaweb2 LDAP authentication +# For further information, consult the official icingaweb2 documentation at +# https://icinga.com/docs/icingaweb2/latest/doc/04-Resources/#ldap +#icinga2_web_ldap: +# - name: res_ldap_example_com +# host: ldap.example.com +# port: 636 +# encryption: ldaps +# root_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' +# bind_dn: 'uid=icingaweb2.auth,cn=systems,dc=ldap,dc=example,dc=com' +# bind_pw: 'ldap password' +# timeout: 5 +``` + +``` yaml +# Icingaweb2 LDAP User configuration +# For further information, consult the official icingaweb2 documentation at +# https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#ldap +# +#icinga2_web_ldap_userconf: +# - name: user_ldap_example_com # required +# resource: 'res_ldap_example_com' # required +# user_class: 'inetOrgPerson' # required +# user_name_attribute: 'uid' # required +# base_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' # optional +# filter: "(somefilter)" # optional + +icinga2_web_ldap_userconf: [] +``` + +``` yaml +# Icingaweb2 LDAP Group configuration +# For further information, consult the official icingaweb2 documentation at +# https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#ldap-groups +# +#icinga2_web_ldap_groupconf: +# - name: group_ldap_example_com # required +# resource: 'res_ldap_example_com' # required +# user_backend = "user_ldap_examle_com" # required +# user_class: 'user' # optional +# user_name_attribute: 'uid' # optional +# group_class: 'group' # optional +# group_name_attribute: 'gid' # optional +# group_member_attribute: 'memberUid' # optional +# group_filter: '(somefilter)' # optional +``` + +## Icingaweb2 permissions + +``` yaml +# Icinga2 Permissions configuration +# For further information, consult the official icingaweb2 documentation at +# https://icinga.com/docs/icingaweb2/latest/doc/06-Security/#configuration +# +#icinga2_web_permissions: +# - name: Administrators +# users: +# - admin +# groups: +# - Administrators +# 
permissions: +# '*' +# object_filter: "" +# - name: customer +# users: +# - customer1 +# permissions: +# 'monitoring/command/*,module/*' +# object_filter: 'host_name=*.customer.example.com"' +``` + +# Example Playbook + +``` yaml +- hosts: servers + roles: + - { role: adfinis.icinga2_web } +``` + +# License + +[GPL-3.0](https://github.com/adfinis/ansible-role-icinga2_web/blob/master/LICENSE) + +# Author Information + +icinga2_web role was written by: + +- Adfinis AG \| [Website](https://www.adfinis.com/) \| + [Twitter](https://twitter.com/adfinis) \| + [GitHub](https://github.com/adfinis) diff --git a/README.rst b/README.rst deleted file mode 100644 index ef588bf..0000000 --- a/README.rst +++ /dev/null 
@@ -1,195 +0,0 @@ -================ -ROLE ICINGA2_WEB -================ - -.. image:: https://img.shields.io/github/license/adfinis-sygroup/ansible-role-icinga2_web.svg?style=flat-square - :target: https://github.com/adfinis-sygroup/ansible-role-icinga2_web/blob/master/LICENSE - -.. image:: https://img.shields.io/travis/adfinis-sygroup/ansible-role-icinga2_web.svg?style=flat-square - :target: https://travis-ci.org/adfinis-sygroup/ansible-role-icinga2_web - -.. image:: https://img.shields.io/badge/galaxy-adfinis--sygroup.icinga2_web-660198.svg?style=flat-square - :target: https://galaxy.ansible.com/adfinis-sygroup/icinga2_web - -This role installs and configures icingaweb2. - - -Requirements -============= - -What you will need to benefit from this role a webserver installed on the system. -At Adfinis, we use the following role: - -* `adfinis-sygroup.nginx `_ - - - -Role Variables -=============== - -.. code-block:: yaml - - # The icingaweb2 web ui password - icinga2_web_admin_pass: 'passw0rd' - - # icinga2 API host - icinga2_web_api_host: 127.0.0.1 - - # icinga2 API port - icinga2_web_api_port: 5665 - - # icinga2 API user - icinga2_web_api_user: icingaweb2 - - # icinga2 API password - icinga2_web_api_pass: 'passw0rd' - - - ## icingaweb2 database settings - # The icingaweb2 database name - icinga2_web_icingaweb2_database_name: icingaweb2 - - # The icingaweb2 database user - icinga2_web_icingaweb2_database_user: icingaweb2 - - # The icingaweb2 database password - icinga2_web_icingaweb2_database_pass: 'passw0rd' - - # The icingaweb2 database host - icinga2_web_icingaweb2_database_host: 127.0.0.1 - - # The icingaweb2 database port - icinga2_web_icingaweb2_database_port: 3306 - - - ## Icinga2 database settings - # icinga2 database name - icinga2_web_icinga2_database_name: icinga2 - # - # icinga2 database host - icinga2_web_icinga2_database_host: 127.0.0.1 - - # icinga2 database port - icinga2_web_icinga2_database_port: 3306 - - # icinga2 database user - 
icinga2_web_icinga2_database_user: icinga2 - - # icinga2 database password - icinga2_web_icinga2_database_pass: 'passw0rd' - - -LDAP Authentication -------------------- - -To configure LDAP authentication, the following variables MUST be configured. -It is possible to enable multiple configuration backends. - -.. code-block:: yaml - - # Icingaweb2 LDAP authentication - # For further information, consult the official icingaweb2 documentation at - # https://icinga.com/docs/icingaweb2/latest/doc/04-Resources/#ldap - #icinga2_web_ldap: - # - name: res_ldap_example_com - # host: ldap.example.com - # port: 636 - # encryption: ldaps - # root_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' - # bind_dn: 'uid=icingaweb2.auth,cn=systems,dc=ldap,dc=example,dc=com' - # bind_pw: 'ldap password' - # timeout: 5 - - -.. code-block:: yaml - - # Icingaweb2 LDAP User configuration - # For further information, consult the official icingaweb2 documentation at - # https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#ldap - # - #icinga2_web_ldap_userconf: - # - name: user_ldap_example_com # required - # resource: 'res_ldap_example_com' # required - # user_class: 'inetOrgPerson' # required - # user_name_attribute: 'uid' # required - # base_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' # optional - # filter: "(somefilter)" # optional - - icinga2_web_ldap_userconf: [] - - -.. 
code-block:: yaml - - # Icingaweb2 LDAP Group configuration - # For further information, consult the official icingaweb2 documentation at - # https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#ldap-groups - # - #icinga2_web_ldap_groupconf: - # - name: group_ldap_example_com # required - # resource: 'res_ldap_example_com' # required - # user_backend = "user_ldap_examle_com" # required - # user_class: 'user' # optional - # user_name_attribute: 'uid' # optional - # group_class: 'group' # optional - # group_name_attribute: 'gid' # optional - # group_member_attribute: 'memberUid' # optional - # group_filter: '(somefilter)' # optional - - -Icingaweb2 permissions ----------------------- - -.. code-block:: yaml - - # Icinga2 Permissions configuration - # For further information, consult the official icingaweb2 documentation at - # https://icinga.com/docs/icingaweb2/latest/doc/06-Security/#configuration - # - #icinga2_web_permissions: - # - name: Administrators - # users: - # - admin - # groups: - # - Administrators - # permissions: - # '*' - # object_filter: "" - # - name: customer - # users: - # - customer1 - # permissions: - # 'monitoring/command/*,module/*' - # object_filter: 'host_name=*.customer.example.com"' - - -Dependencies -============= - -This role depends on the following roles: - -* `adfinis-sygroup.php_fpm `_ -* `adfinis-sygroup.icinga2_master `_ - - -Example Playbook -================= - -.. code-block:: yaml - - - hosts: servers - roles: - - { role: adfinis-sygroup.icinga2_web } - - -License -======== - -`GPL-3.0 `_ - - -Author Information -=================== - -icinga2_web role was written by: - -* Adfinis SyGroup AG | `Website `_ | `Twitter `_ | `GitHub `_ diff --git a/defaults/main.yml b/defaults/main.yml index 5c47b93..45753df 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -92,30 +92,38 @@ icinga2_web_managed_config_files: - groups.ini icinga2_web_modules: [] - #- name: graphite - # version: master - #- name: ipl - # version: v0.5.0 - #- name: incubator - # version: v0.5.0 - #- name: reactbundle - # version: v0.7.0 - #- name: director - # version: v1.7.2 +# - name: graphite +# url: 'https://github.com/icinga/icingaweb2-module-graphite.git' +# version: master +# - name: ipl +# url: 'https://github.com/icinga/icingaweb2-module-ipl.git' +# version: v0.5.0 +# - name: incubator +# url: 'https://github.com/icinga/icingaweb2-module-incubator.git' +# version: v0.5.0 +# - name: reactbundle +# url: 'https://github.com/icinga/icingaweb2-module-reactbundle.git' +# version: v0.7.0 +# - name: director +# url: 'https://github.com/icinga/icingaweb2-module-director.git' +# version: v1.7.2 +# - name: audit +# url: 'https://github.com/adfinis/icingaweb2-module-audit.git' +# version: master # Icingaweb2 LDAP authentication # For further information, consult the official icingaweb2 documentation at # https://icinga.com/docs/icingaweb2/latest/doc/04-Resources/#ldap # -#icinga2_web_ldap: -# - name: res_ldap_example_com -# host: ldap.example.com -# port: 636 -# encryption: ldaps -# root_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' -# bind_dn: 'uid=icingaweb2.auth,cn=systems,dc=ldap,dc=example,dc=com' -# bind_pw: 'ldap password' -# timeout: 5 +# icinga2_web_ldap: +# - name: res_ldap_example_com +# host: ldap.example.com +# port: 636 +# encryption: ldaps +# root_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' +# bind_dn: 'uid=icingaweb2.auth,cn=systems,dc=ldap,dc=example,dc=com' +# bind_pw: 'ldap password' +# timeout: 5 icinga2_web_ldap: [] 
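Review bot: Two of the commented `icinga2_web_modules` examples (`graphite` and the new `audit` entry) use `version: master`, so anyone copying them deploys whatever is on that branch at run time; the install task elsewhere in this diff clones `item.url` at `item.version` into the icingaweb2 modules directory. The examples also do not say that `url` is now a required key. I would add a comment above the list such as `# url is required; set version to a release tag or commit hash, not a branch` and change the two `master` examples to a placeholder tag.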
@@ -123,13 +131,13 @@ icinga2_web_ldap: [] # For further information, consult the official icingaweb2 documentation at # https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#ldap # -#icinga2_web_ldap_userconf: -# - name: user_ldap_example_com # required -# resource: 'res_ldap_example_com' # required -# user_class: 'inetOrgPerson' # required -# user_name_attribute: 'uid' # required -# base_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' # optional -# filter: "(somefilter)" # optional +# icinga2_web_ldap_userconf: +# - name: user_ldap_example_com # required +# resource: 'res_ldap_example_com' # required +# user_class: 'inetOrgPerson' # required +# user_name_attribute: 'uid' # required +# base_dn: 'cn=accounts,dc=ldap,dc=example,dc=com' # optional +# filter: "(somefilter)" # optional icinga2_web_ldap_userconf: [] @@ -137,16 +145,16 @@ icinga2_web_ldap_userconf: [] # For further information, consult the official icingaweb2 documentation at # https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#ldap-groups # -#icinga2_web_ldap_groupconf: -# - name: group_ldap_example_com # required -# resource: 'res_ldap_example_com' # required -# user_backend: 'user_ldap_examle_com' # required -# user_class: 'user' # optional -# user_name_attribute: 'uid' # optional -# group_class: 'group' # optional -# group_name_attribute: 'gid' # optional -# group_member_attribute: 'memberUid' # optional -# group_filter: '(somefilter)' # optional +# icinga2_web_ldap_groupconf: +# - name: group_ldap_example_com # required +# resource: 'res_ldap_example_com' # required +# user_backend: 'user_ldap_examle_com' # required +# user_class: 'user' # optional +# user_name_attribute: 'uid' # optional +# group_class: 'group' # optional +# group_name_attribute: 'gid' # optional +# group_member_attribute: 'memberUid' # optional +# group_filter: '(somefilter)' # optional icinga2_web_ldap_groupconf: [] 
@@ -154,32 +162,32 @@ icinga2_web_ldap_groupconf: [] # For further information, consult the official icingaweb2 documentation at # https://icinga.com/docs/icinga-web-2/latest/doc/05-Authentication/#database-groups # -#icinga2_web_database_groupconf: -# - name: icingaweb2 -# backend: db -# resource: icingaweb_db -# +# icinga2_web_database_groupconf: +# - name: icingaweb2 +# backend: db +# resource: icingaweb_db + icinga2_web_database_groupconf: [] # Icinga2 Permissions configuration # For further information, consult the official icingaweb2 documentation at # https://icinga.com/docs/icingaweb2/latest/doc/06-Security/#configuration # -#icinga2_web_permissions: -# - name: Administrators -# users: -# - admin -# groups: -# - Administrators -# permissions: -# '*' -# object_filter: "" -# - name: customer -# users: -# - customer1 -# permissions: -# 'monitoring/command/*,module/*' -# object_filter: 'host_name=*.customer.example.com"' +# icinga2_web_permissions: +# - name: Administrators +# users: +# - admin +# groups: +# - Administrators +# permissions: +# '*' +# object_filter: "" +# - name: customer +# users: +# - customer1 +# permissions: +# 'monitoring/command/*,module/*' +# object_filter: 'host_name=*.customer.example.com"' icinga2_web_permissions: - name: Administrators 
@@ -194,51 +202,51 @@ icinga2_web_permissions: # For further information, consult the official icingaweb2 documentation at # https://icinga.com/docs/director/latest/doc/03-Automation/ -#icinga2_web_director: -# - name: 'director_db' -# db: 'mysql' -# host: 'db.example.com' -# port: '3306' -# dbname: 'director' -# username: 'director@example.com' -# password: '3xample' -# charset: 'utf-8' -# use_ssl: '1' -# ssl_ca: '/etc/pki/tls/certs/ca-bundle.crt' +# icinga2_web_director: +# - name: 'director_db' +# db: 'mysql' +# host: 'db.example.com' +# port: '3306' +# dbname: 'director' +# username: 'director@example.com' +# password: '3xample' +# charset: 'utf-8' +# use_ssl: '1' +# ssl_ca: '/etc/pki/tls/certs/ca-bundle.crt' icinga2_web_director: [] # Reporting resources configuration -#icinga2_web_reporting: -# - name: 'reporting_db' -# db: 'mysql' -# host: 'db.example.com' -# port: '3306' -# dbname: 'reporting' -# username: 'reporting@example.com' -# password: '3xample' -# charset: 'utf8mb4' -# use_ssl: '1' -# ssl_ca: '/etc/pki/tls/certs/ca-bundle.crt' +# icinga2_web_reporting: +# - name: 'reporting_db' +# db: 'mysql' +# host: 'db.example.com' +# port: '3306' +# dbname: 'reporting' +# username: 'reporting@example.com' +# password: '3xample' +# charset: 'utf8mb4' +# use_ssl: '1' +# ssl_ca: '/etc/pki/tls/certs/ca-bundle.crt' icinga2_web_reporting: [] # Grafana configuration -icinga2_web_grafana: - enabled: false - #domain: example.com - #oidc: - #enabled: true - #config: - #name: Example SSO - #allow_sign_up: true - #client_id: example-client - #client_secret: example-secret - #scopes: openid,email,profile - #email_attribute_name: email - #email_attribute_path: email - #auth_url: https://sso.example.com/auth/realms/example/protocol/openid-connect/auth - #token_url: https://sso.example.com/auth/realms/example/protocol/openid-connect/token - #api_url: https://sso.example.com/auth/realms/example/protocol/openid-connect/userinfo - #role_attribute_path: contains(groups[*], 
'/admin') && 'Admin' +# icinga2_web_grafana: +# enabled: false +# domain: example.com +# oidc: +# enabled: true +# config: +# name: Example SSO +# allow_sign_up: true +# client_id: example-client +# client_secret: example-secret +# scopes: openid,email,profile +# email_attribute_name: email +# email_attribute_path: email +# auth_url: https://sso.example.com/auth/realms/example/protocol/openid-connect/auth +# token_url: https://sso.example.com/auth/realms/example/protocol/openid-connect/token +# api_url: https://sso.example.com/auth/realms/example/protocol/openid-connect/userinfo +# role_attribute_path: contains(groups[*], '/admin') && 'Admin' diff --git a/handlers/main.yml b/handlers/main.yml index d1ae437..ac32774 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,11 +1,11 @@ --- -- name: icinga2_web reload icinga2 - service: +- name: Icinga2_web reload icinga2 + ansible.builtin.service: name: icinga2 state: reloaded -- name: icinga2_web restart grafana-server - service: +- name: Icinga2_web restart grafana-server + ansible.builtin.service: name: grafana-server state: restarted diff --git a/meta/main.yml b/meta/main.yml index 6e869b5..c93e7ed 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,20 +1,28 @@ --- dependencies: - - name: 'adfinis-sygroup.icinga2_agent' + - name: 'adfinis.icinga2_agent' galaxy_info: role_name: 'icinga2_web' - author: 'Adfinis SyGroup AG' + namespace: adfinis + author: 'Adfinis AG' description: 'This role installs and configures icingaweb2' - company: 'Adfinis SyGroup AG' + company: 'Adfinis AG' license: 'GNU General Public License v3' min_ansible_version: '2.6.0' platforms: - name: EL versions: - - 7 + - "7" galaxy_tags: - 'icinga2' - 'monitoring' - 'icingaweb2' + github_branch: master + +collections: + - ansible.posix + - community.general + - community.mysql + - robertdebock.roles diff --git a/tasks/configuration.yml b/tasks/configuration.yml index 4186b4c..a9f9b23 100644 --- a/tasks/configuration.yml 
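Review bot: The last block of the `@@ -194,51 +202,51 @@` hunk comments out `icinga2_web_grafana:` and its `enabled: false` default, not only the optional OIDC keys, so the role defaults no longer define the variable. The tasks guarded by `when: icinga2_web_grafana.enabled` in tasks/installation.yml and tasks/configuration.yml (both in this diff) will then fail on an undefined variable unless it is set elsewhere, which this diff does not show. Keep the two live lines, `icinga2_web_grafana:` and `  enabled: false`, and leave only the optional keys commented. If the `client_secret: example-secret` example stays, a comment that the real value belongs in Ansible Vault would help.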
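Review bot: `min_ansible_version: '2.6.0'` stays in the context of the meta/main.yml hunk while the commit moves every task to fully qualified collection names and adds a `collections:` list, which an Ansible 2.6 install cannot resolve; raise the value to the oldest release the role is actually tested on. The four collections are also listed without versions, and `robertdebock.roles` is a third-party collection whose fail2ban role runs with the play's privileges. The `requirements.yml` example in the README should therefore carry version constraints, e.g. `- name: robertdebock.roles` followed by `version: '<pinned version>'`.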
+++ b/tasks/configuration.yml 
@@ -1,125 +1,125 @@ --- -- name: configure icingaweb2 - template: +- name: Configure icingaweb2 + ansible.builtin.template: src: 'templates/etc/icingaweb2/{{ item }}.j2' dest: '/etc/icingaweb2/{{ item }}' owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 loop: '{{ icinga2_web_managed_config_files }}' -- name: enable the icingaweb2 monitoring module - file: +- name: Enable the icingaweb2 monitoring module + ansible.builtin.file: src: /usr/share/icingaweb2/modules/monitoring dest: /etc/icingaweb2/enabledModules/monitoring state: link - mode: 0755 + mode: "0755" -- name: ensure icingaweb2 modules directory is present - file: +- name: Ensure icingaweb2 modules directory is present + ansible.builtin.file: name: /etc/icingaweb2/modules/monitoring state: directory owner: root group: icingaweb2 - mode: 0755 + mode: "0755" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 -- name: configure icingaweb2 monitoring module - template: +- name: Configure icingaweb2 monitoring module + ansible.builtin.template: src: templates/etc/icingaweb2/modules/monitoring/config.ini.j2 dest: /etc/icingaweb2/modules/monitoring/config.ini owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 -- name: configure icingaweb2 monitoring module commandtransport - template: +- name: Configure icingaweb2 monitoring module commandtransport + ansible.builtin.template: src: templates/etc/icingaweb2/modules/monitoring/commandtransports.ini.j2 dest: /etc/icingaweb2/modules/monitoring/commandtransports.ini owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 -- name: configure icingaweb2 monitoring module backends - template: +- name: Configure icingaweb2 monitoring module backends + ansible.builtin.template: src: 
templates/etc/icingaweb2/modules/monitoring/backends.ini.j2 dest: /etc/icingaweb2/modules/monitoring/backends.ini owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 -- name: configure icingaweb2 director module - template: +- name: Configure icingaweb2 director module + ansible.builtin.template: src: templates/etc/icingaweb2/modules/director/config.ini.j2 dest: /etc/icingaweb2/modules/director/config.ini owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 when: icinga2_web_director | length != 0 -- name: configure icingaweb2 director module api - template: +- name: Configure icingaweb2 director module api + ansible.builtin.template: src: templates/etc/icingaweb2/modules/director/kickstart.ini.j2 dest: /etc/icingaweb2/modules/director/kickstart.ini owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 when: icinga2_web_director | length != 0 -- name: configure icingaweb2 director database - command: icingacli director migration run +- name: Configure icingaweb2 director database # noqa no-changed-when + ansible.builtin.command: icingacli director migration run when: icinga2_web_director | length != 0 -- name: configure icingaweb2 reporting module - template: +- name: Configure icingaweb2 reporting module + ansible.builtin.template: src: templates/etc/icingaweb2/modules/reporting/config.ini.j2 dest: /etc/icingaweb2/modules/reporting/config.ini owner: root group: icingaweb2 - mode: 0660 + mode: "0660" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 when: icinga2_web_reporting | length != 0 -- name: create icingaweb2 admin password hash - command: openssl passwd -1 '{{ icinga2_web_admin_pass }}' +- name: Create icingaweb2 admin password hash # noqa no-changed-when + ansible.builtin.command: openssl passwd -1 
'{{ icinga2_web_admin_pass }}' register: icinga2_web_register_admin_hash when: - not ansible_check_mode - icinga2_web_register_icingaweb2_imported.rc == 1 -- name: insert icingaweb2 admin password into database - command: > +- name: Insert icingaweb2 admin password into database # noqa no-changed-when + ansible.builtin.command: > mysql -h'{{ icinga2_web_icingaweb2_database_host }}' -u'{{ icinga2_web_icingaweb2_database_user }}' @@ -133,15 +133,15 @@ - icinga2_web_register_icingaweb2_imported.rc == 1 - icinga2_web_register_admin_hash -- name: configure grafana - template: +- name: Configure grafana + ansible.builtin.template: src: templates/etc/grafana/grafana.ini.j2 dest: /etc/grafana/grafana.ini owner: root group: grafana - mode: 0660 + mode: "0660" seuser: system_u serole: object_r selevel: s0 - notify: icinga2_web restart grafana-server + notify: Icinga2_web restart grafana-server when: icinga2_web_grafana.enabled diff --git a/tasks/installation.yml b/tasks/installation.yml index 2bcbd94..6bb4052 100644 --- a/tasks/installation.yml +++ b/tasks/installation.yml 
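Review bot: The `Create icingaweb2 admin password hash` task still puts `icinga2_web_admin_pass` on the `openssl` command line, and the commit only silences the linter with `# noqa no-changed-when`. The clear-text password is therefore visible in the process list on the target and in Ansible's task output and logs, and a password containing a single quote breaks the command. Feed it on standard input and set `no_log: true`, as below; `-1` is MD5-crypt, so moving to a stronger scheme that icingaweb2 accepts is worth checking separately. The following `mysql` task continues outside the hunk and may need the same treatment for its credentials.

```yaml
- name: Create icingaweb2 admin password hash  # noqa no-changed-when
  ansible.builtin.command:
    cmd: openssl passwd -1 -stdin
    stdin: '{{ icinga2_web_admin_pass }}'
  no_log: true
  # … unchanged: register and when conditions …
```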
@@ -1,26 +1,30 @@ --- -- name: install icinga2 web packages - package: +- name: Install icinga2 web packages + ansible.builtin.package: name: '{{ icinga2_web_packages }}' state: present +- name: Install fail2ban using role + ansible.builtin.include_role: + name: robertdebock.roles.fail2ban + # Allow httpd to connect to the mysql database -- name: set httpd_can_network_connect_db flag on and keep it persistent across reboots - seboolean: +- name: Set httpd_can_network_connect_db flag on and keep it persistent across reboots + ansible.posix.seboolean: name: httpd_can_network_connect_db - state: yes - persistent: yes + state: true + persistent: true # Allow httpd to connect to the network -- name: set httpd_can_network_connect flag on and keep it persistent across reboots - seboolean: +- name: Set httpd_can_network_connect flag on and keep it persistent across reboots + ansible.posix.seboolean: name: httpd_can_network_connect - state: yes - persistent: yes + state: true + persistent: true -- name: check if icingaweb2 table and user in mysql exist - shell: > +- name: Check if icingaweb2 table and user in mysql exist + ansible.builtin.shell: > set -o pipefail; mysql --user={{ icinga2_web_database_root_user }} @@ -33,8 +37,8 @@ changed_when: icinga2_web_register_icingaweb2_imported.rc == 1 failed_when: "'Access denied for' in icinga2_web_register_icingaweb2_imported.stderr" -- name: import icingaweb2 database schema using the root user - mysql_db: +- name: Import icingaweb2 database schema using the root user + community.mysql.mysql_db: name: '{{ icinga2_web_icingaweb2_database_name }}' login_host: '{{ icinga2_web_icingaweb2_database_host }}' login_port: '{{ icinga2_web_icingaweb2_database_port }}' 
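Review bot: The new `Install fail2ban using role` task runs `robertdebock.roles.fail2ban` on every host unconditionally, but no task visible in this diff copies `templates/etc/fail2ban/filter.d/icingaweb2-auth.conf` to the target or defines a jail with a log path for it. As far as this diff shows, fail2ban ends up installed with only the third-party role's defaults and the icingaweb2 login filter is never active. Add a task that templates the filter and a matching jail and restarts fail2ban on change. A role variable to switch the include off would also keep hosts that manage fail2ban elsewhere from being overridden.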
@@ -43,13 +47,13 @@ ssl_ca: '{{ icinga2_web_ca_path }}' state: import target: '{{ icinga2_web_mysql_schema_sql_path }}' - run_once: True + run_once: true when: - not ansible_check_mode - icinga2_web_register_icingaweb2_imported.rc == 1 -- name: create a user with access only to the icingaweb2 database using the root user - mysql_user: +- name: Create a user with access only to the icingaweb2 database using the root user + community.mysql.mysql_user: name: '{{ icinga2_web_icingaweb2_database_user.split("@")[0] }}' password: '{{ icinga2_web_icingaweb2_database_pass }}' priv: '{{ icinga2_web_icingaweb2_database_name }}.*:ALL' 
@@ -60,110 +64,110 @@ login_password: '{{ icinga2_web_database_root_pass }}' ssl_ca: '{{ icinga2_web_ca_path }}' state: present - run_once: True + run_once: true when: - not ansible_check_mode - icinga2_web_register_icingaweb2_imported.rc == 1 -- name: ensure icingaweb2 modules directory is present - file: +- name: Ensure icingaweb2 modules directory is present + ansible.builtin.file: name: /etc/icingaweb2/enabledModules state: directory owner: root group: icingaweb2 - mode: 0755 + mode: "0755" -- name: ensure icingaweb2 modules directory is present and set selinux - file: +- name: Ensure icingaweb2 modules directory is present and set selinux + ansible.builtin.file: name: /etc/icingaweb2/enabledModules state: directory owner: root group: icingaweb2 - mode: 0755 + mode: "0755" seuser: system_u serole: object_r setype: icingaweb2_config_t selevel: s0 - notify: icinga2_web reload icinga2 + notify: Icinga2_web reload icinga2 -- name: install modules from github - git: # noqa 401 - repo: 'https://github.com/icinga/icingaweb2-module-{{ item.name }}.git' +- name: Install modules from github + ansible.builtin.git: + repo: '{{ item.url }}' dest: '/etc/icingaweb2/modules/{{ item.name }}' version: '{{ item.version }}' loop: '{{ icinga2_web_modules }}' - notify: icinga2_web reload icinga2 + notify: Icinga2_web reload icinga2 -- name: enable modules from github - file: +- name: Enable modules from github + ansible.builtin.file: src: '/etc/icingaweb2/modules/{{ item.name }}' dest: '/etc/icingaweb2/enabledModules/{{ item.name }}' state: link - mode: 0755 + mode: "0755" loop: '{{ icinga2_web_modules }}' - notify: icinga2_web reload icinga2 + notify: Icinga2_web reload icinga2 -- name: create icingaweb2 director user for background daemon - user: +- name: Create icingaweb2 director user for background daemon + ansible.builtin.user: name: icingadirector group: icingaweb2 shell: '/bin/false' home: '/var/lib/icingadirector' - system: yes + system: true when: icinga2_web_director | 
length != 0 -- name: create home directory for icingaweb2 director daemon user - file: +- name: Create home directory for icingaweb2 director daemon user + ansible.builtin.file: name: /var/lib/icingadirector state: directory owner: icingadirector group: icingaweb2 - mode: 0750 + mode: "0750" seuser: system_u serole: object_r setype: var_lib_t selevel: s0 when: icinga2_web_director | length != 0 -- name: install systemd service for icingaweb2 director daemon - copy: +- name: Install systemd service for icingaweb2 director daemon + ansible.builtin.copy: src: /etc/icingaweb2/modules/director/contrib/systemd/icinga-director.service - remote_src: yes + remote_src: true dest: /etc/systemd/system - mode: 0644 + mode: "0644" when: icinga2_web_director | length != 0 -- name: enable and start systemd service for icingaweb2 director daemon - systemd: +- name: Enable and start systemd service for icingaweb2 director daemon + ansible.builtin.systemd_service: name: icinga-director.service state: started - daemon_reload: yes - enabled: yes + daemon_reload: true + enabled: true when: icinga2_web_director | length != 0 -- name: add grafana repository - yum_repository: +- name: Add grafana repository + ansible.builtin.yum_repository: name: grafana description: grafana baseurl: https://packages.grafana.com/oss/rpm - repo_gpgcheck: yes - enabled: yes - gpgcheck: yes + repo_gpgcheck: true + enabled: true + gpgcheck: true gpgkey: https://packages.grafana.com/gpg.key - sslverify: yes + sslverify: true sslcacert: /etc/pki/tls/certs/ca-bundle.crt when: icinga2_web_grafana.enabled -- name: install grafana - yum: +- name: Install grafana + ansible.builtin.yum: name: grafana state: present when: icinga2_web_grafana.enabled -- name: enable and start grafana service - systemd: +- name: Enable and start grafana service + ansible.builtin.systemd_service: name: grafana-server state: started - daemon_reload: yes - enabled: yes + daemon_reload: true + enabled: true when: icinga2_web_grafana.enabled 
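Review bot: `repo: '{{ item.url }}'` in `Install modules from github` makes `url` mandatory, so existing `icinga2_web_modules` entries that carry only `name` and `version` now fail on an undefined attribute. Falling back to the old location keeps them working: `repo: "{{ item.url | default('https://github.com/icinga/icingaweb2-module-' ~ item.name ~ '.git') }}"`. Because the task now clones any URL into `/etc/icingaweb2/modules`, where the web application loads it, I would also add a comment on the task that `url` must be an https source the operator trusts and `version` a tag or commit. The removed `# noqa 401` suggests the linter already flagged unpinned checkouts here.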
diff --git a/tasks/main.yml b/tasks/main.yml index 905857f..c866558 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- -- name: include os specific vars - include_vars: '{{ item }}' +- name: Include os specific vars + ansible.builtin.include_vars: '{{ item }}' with_first_found: - '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml' - '{{ ansible_os_family }}.yml' @@ -10,12 +10,14 @@ - 'role::icinga2_web:install' - 'role::icinga2_web:config' -- import_tasks: installation.yml +- name: Include installation tasks + ansible.builtin.import_tasks: installation.yml tags: - 'role::icinga2_web' - 'role::icinga2_web:install' -- import_tasks: configuration.yml +- name: Include configuration tasks + ansible.builtin.import_tasks: configuration.yml tags: - 'role::icinga2_web' - 'role::icinga2_web:config' diff --git a/templates/etc/fail2ban/filter.d/icingaweb2-auth.conf b/templates/etc/fail2ban/filter.d/icingaweb2-auth.conf new file mode 100644 index 0000000..3b8a946 --- /dev/null +++ b/templates/etc/fail2ban/filter.d/icingaweb2-auth.conf @@ -0,0 +1,7 @@ +[Definition] + +failregex = ^.*- - \S+ - login-failed - User failed to authenticate$ + +ignoreregex = + +datepattern = {^LN-BEG} diff --git a/tests/inventory.yml b/tests/inventory.yml deleted file mode 100644 index a323cdf..0000000 --- a/tests/inventory.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -all: - hosts: - localhost diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index 3be2abf..0000000 --- a/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- hosts: localhost - remote_user: root - roles: - - icinga2_web
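Review bot: `failregex` in the new `icingaweb2-auth.conf` has no `<HOST>` (or `<ADDR>`) group, so fail2ban has no address to ban and will normally refuse to load the filter. Replace the field that holds the client address with `<HOST>`; if that is the `\S+` field, the line becomes `failregex = ^.*- - <HOST> - login-failed - User failed to authenticate$`, but the log format is not shown here, so confirm it against a real log line. The leading `^.*` is also broad: anchor the part before the address to the fixed fields of the log format so that text a client controls cannot shift which field is read as the host.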