initial: no secrets

2024-02-12 17:01:18 +01:00
commit cf9efd55b5
186 changed files with 8697 additions and 0 deletions
+38
@@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
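Review bot: The file added here is an unencrypted OpenSSH private key (its body is redacted on this page), and the backup role's `Copy SSH config and backup priv key` task later installs it as ~/.ssh/backup_priv_key, so the commit ships a live credential in git history despite its title. Every clone or fork of the repository now carries the key, and deleting it in a later commit does not revoke it. Keep the key out of the tree — generate it on the target host, or store it as an ansible-vault encrypted file — and treat this one as compromised.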
+3
@@ -0,0 +1,3 @@
Host *
User sheppy
IdentityFile ~/.ssh/backup_priv_key
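Review bot: `Host *` applies `User sheppy` and the backup key to every SSH destination this account uses, including the storage box (logged into as a different user with sshpass) and the slapd host, so the key is offered on every connection rather than only where it is authorized. Scope the stanza to the hosts that accept this key, e.g. `Host 192.168.122.112` with the same two lines beneath it, and add `IdentitiesOnly yes` so only the listed identity is tried. Which hosts actually accept the key is not visible in this commit, so confirm before narrowing.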
+27
@@ -0,0 +1,27 @@
#!/bin/bash
set -e
cd
BACKUP_NAME=backup_$(date +%Y%m%d).zip
mkdir -p ~/ths_caldav_backups/
mkdir -p ~/ths_carddav_backups/
mkdir -p ~/ths_carddav_telefon_backups/
vdirsyncer -c vsyncdir.conf sync
zip -q -r ~/ths_caldav_backups/${BACKUP_NAME} ~/ths-caldav
zip -q -r ~/ths_carddav_backups/${BACKUP_NAME} ~/ths-carddav
zip -q -r ~/ths_carddav_telefon_backups/${BACKUP_NAME} ~/ths-carddav-telefon
~/backups/backup-tools/backup_manager.py ~/ths_caldav_backups/ --debug
~/backups/backup-tools/backup_manager.py ~/ths_carddav_backups/ --debug
~/backups/backup-tools/backup_manager.py ~/ths_carddav_telefon_backups/ --debug
# send to storrage box
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_caldav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_telefon_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav_telefon/
curl -H "Content-Type: application/json" \
-X POST https://async-icinga.atlantishq.de/report \
-d '{ "service" : "ths_caldav_backup", "token" : "", "status" : "OK", "info" : "" }'
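Review bot: `sshpass -p '…'` on the three rsync lines puts the storage-box password on the command line, where every local user can read it from the process list for the duration of each transfer; the value is blanked in this commit, but the mechanism stays. The cheapest fix is `sshpass -e`, which reads the password from the `SSHPASS` environment variable: one `export SSHPASS='…'` near the top of the script and `--rsh="/usr/bin/sshpass -e ssh -p23"` on all three lines. If the storage box accepts the backup_priv_key that this role deploys alongside the script, dropping sshpass in favour of `ssh -i` is better still. The Icinga `token` in the curl body is visible through `ps` in the same way while the request runs.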
+54
@@ -0,0 +1,54 @@
[general]
status_path = "~/.vdirsyncer/status/"
[pair ths_caldav]
a = "ths_remote_caldav"
b = "ths_local_caldav"
collections = ["from a"]
[storage ths_remote_caldav]
type = "caldav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/calendars/backup/ths_shared_by_ths/"
username = "backup"
password = ""
[storage ths_local_caldav]
type = "filesystem"
path = "~/ths-caldav/"
fileext = ".ics"
[pair ths_carddav]
a = "ths_remote_carddav"
b = "ths_local_carddav"
collections = ["from a"]
[storage ths_remote_carddav]
type = "carddav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths_shared_by_ths/"
username = "backup"
password = ""
[storage ths_local_carddav]
type = "filesystem"
path = "~/ths-carddav/"
fileext = ".vcf"
[pair ths_carddav_telefon]
a = "ths_remote_carddav_telefon"
b = "ths_local_carddav_telefon"
collections = ["from a"]
[storage ths_remote_carddav_telefon]
type = "carddav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths-telefon-1_shared_by_ths/"
username = "backup"
password = ""
[storage ths_local_carddav_telefon]
type = "filesystem"
path = "~/ths-carddav-telefon/"
fileext = ".vcf"
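Review bot: The three `password = ""` fields make this file a credential holder (the values are blanked in this commit), yet the task that installs it (`Copy vdirsync config` in the role's tasks) sets no `mode`, so the file lands with the default umask and may be readable by other local accounts. Either give that copy task `mode: 0600`, or keep the password out of the file with vdirsyncer's `password.fetch = ["command", "…"]` form so the secret is obtained from a helper at sync time. The `read_only = true` on every remote storage is the right setting for a backup-only account and should stay.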
+76
@@ -0,0 +1,76 @@
- name: Install tools
apt:
pkg:
- zip
- vdirsyncer
- name: Copy Backup caldav script
copy:
src: ths_cal_backup.sh
dest: /home/sheppy/ths_cal_backup.sh
owner: sheppy
group: sheppy
- name: Copy vdirsync config
copy:
src: vsyncdir.conf
dest: /home/sheppy/vsyncdir.conf
owner: sheppy
group: sheppy
- name: Create backups dir
file:
path: /home/sheppy/backups/
state: directory
owner: sheppy
group: sheppy
- name: Clone backup tools
git:
repo: https://github.com/FAUSheppy/backup-tools
dest: /home/sheppy/backups/backup-tools/
version: master
become: yes
become_user: sheppy
- name: Create SSH Dir
file:
path: /home/sheppy/.ssh/
state: directory
owner: sheppy
group: sheppy
- name: Copy SSH config and backup priv key
copy:
src: "{{ item }}"
dest: "/home/sheppy/.ssh/{{ item }}"
owner: sheppy
group: sheppy
mode: 0600
with_items:
- backup_priv_key
- config
- name: template SLAPD backup script
template:
src: slapd_backup.sh
dest: /home/sheppy/
owner: sheppy
group: sheppy
mode: 0700
- name: Add slapd script to cron
cron:
minute: "10"
hour: "1"
name: SLAPD via rsync backup
job: /home/sheppy/slapd_backup.sh
user: sheppy
- name: Add ths nextcloud backup script to cron
cron:
minute: "0"
hour: "1"
name: THS Caldav Backup
job: /home/sheppy/ths_cal_backup.sh
user: sheppy
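Review bot: `Copy Backup caldav script` installs ths_cal_backup.sh without a `mode`, but the cron entry at the end of the file runs `/home/sheppy/ths_cal_backup.sh` directly, so unless an existing file on the host already carries an executable bit the job fails at 01:00 with a permission error; the sibling `template SLAPD backup script` task already does this right with `mode: 0700`. Add `mode: 0700` to that copy, `mode: 0600` to `Copy vdirsync config` (it holds the CalDAV password), and `mode: 0700` to `Create SSH Dir` so it matches `Create sheppy .ssh dir` in the base role.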
+14
@@ -0,0 +1,14 @@
#!/bin/bash
set -e
DIR=/home/sheppy/slapd_backup
rsync -r --remove-source-files sheppy@192.168.122.112:$DIR /home/sheppy
~/backups/backup-tools/backup_manager.py --extensions ldif -- $DIR
rsync --delete --rsh="/usr/bin/sshpass -p ebHYlyVHgRnBcdkb ssh -p23" -r slapd_backup/* u244665-sub2@u244665.your-storagebox.de:./slapd_backup/
curl -H "Content-Type: application/json" \
-X POST https://async-icinga.atlantishq.de/report \
-d '{ "service" : "slapd_backup", "token" : "WX0yXFxSsb", "status" : "OK", "info" : "" }'
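Review bot: The `sshpass -p …` password and the Icinga `token` in this script are literal values, although the file is installed through the `template` module and the commit title promises no secrets; both are now in git history and should be rotated. Since the file is already rendered by Jinja, replace them with vault-backed variables, e.g. `export SSHPASS='{{ storagebox_password }}'` together with `sshpass -e`, and `"token" : "{{ slapd_backup_icinga_token }}"` (variable names are placeholders). The process-list exposure of `sshpass -p` applies here exactly as in the CalDAV backup script.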
+49
@@ -0,0 +1,49 @@
- name: Install packages
apt:
pkg:
- rsync
- zsh
- net-tools
- tcpdump
- git
- apt-file
- name: Ensure Opt dir exists and accessible
file:
name: /opt/
state: directory
mode: 0711
- name: Ensure backup info dir exists and accessible
file:
name: /opt/backup-info/
state: directory
mode: 0700
- name: Copy Backup Helper script
copy:
src: check_dir_size_for_backup.py
dest: /opt/check_dir_size_for_backup.py
mode: 0755
- name: Create sheppy .ssh dir
file:
path: /home/sheppy/.ssh/
state: directory
owner: sheppy
group: sheppy
mode: 0700
- name: Template Sheppy authorized keys
template:
src: authorized_keys_sheppy.j2
dest: /home/sheppy/.ssh/authorized_keys
owner: sheppy
group: sheppy
mode: 0600
- name: Add extra root keys
lineinfile:
path: /root/.ssh/authorized_keys
line: "{{ item }}"
loop: "{{ extra_root_keys }}"
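Review bot: `Add extra root keys` uses `lineinfile` on `/root/.ssh/authorized_keys` without `create`, so the task fails on a fresh host where the file does not exist yet, and it sets no `mode`, so a file it does not create keeps whatever permissions it has. Add `create: yes` and `mode: 0600` to the task; nothing in this file ensures `/root/.ssh` exists either, so a `file` task with `state: directory` and `mode: 0700` before it would mirror what `Create sheppy .ssh dir` already does for the user. The `name:` key on the two `file` tasks is an alias of `path:`; using `path:` throughout would match the rest of the file.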
@@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoUijFwmZaYHbueDsa3T2BV5UfMxKpztbuJwSBZ5s0WbZlg/9E9SHeGztaN/SCyQZdtOA7bR6tQMWhx4fadvrjg5BrN1bjpNUb2/rAxuWw0yU0Yp2CWwE02m+3bMj4pXeaI2Mk/Ywubfl88W2/OrUpbhHoYeedAIblyzuOwDTS9MpjD/ita89d4CM9AdhGBw3qaggtIxD8A5hULbJWe0D5KdtBFG8RFOmBaEb/tmBvdpwja3i17/AejUdjfjQv8G3BSTbKvOvMRwmnmoE5YCstwHIFqrlmqorSGQIVo5knfcSqgFxs2wDv4OOrPJTWcmr3LmN5lVjHkjtzRQ8zE9sB sheppy-master
ssh-rsa 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 hypervisor
{{ extra_sheppy_pubkeys }}
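Review bot: `{{ extra_sheppy_pubkeys }}` on the last line renders a list variable as its Python representation (`['ssh-…', …]`) rather than one key per line, which sshd will not parse; if the variable is a list, use `{{ extra_sheppy_pubkeys | join('\n') }}`, and if it is a pre-joined string the current form is fine. The variable's type is not visible in this commit, but the base role loops over a similarly named `extra_root_keys` list with `lineinfile`, so the list form seems likely.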
@@ -0,0 +1,8 @@
- name: reload async icinga settings
uri:
url: "http://localhost:5006/reload-configuration"
status_code: [ 200, 204 ]
- name: restart hub
shell:
cmd: docker restart atlantis-hub_atlantis-hub_1
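Review bot: `restart hub` runs a plain `docker restart …` through the `shell` module, which spawns a shell for no benefit; `command:` with the same `cmd:` does the same without shell interpretation and is what ansible-lint expects. The container name `atlantis-hub_atlantis-hub_1` is the docker-compose v1 naming scheme (underscores) and stops matching if the deploy task ever moves to Compose v2; `community.docker.docker_compose` with `restarted: yes` on the project, as the `restart harbor` handler in this commit does, would be more robust.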
+215
@@ -0,0 +1,215 @@
- include_vars: services.yaml
- name: Create data-dir
file:
name: /data/
state: directory
- name: Create opt-dir
file:
name: /opt/
state: directory
- name: Async Icinga mount directory
file:
name: /data/async-icinga
state: directory
- name: Async Icinga database mount directory
file:
name: /data/async-icinga
state: directory
- name: Async Icinga Service (static)
template:
src: async-config.json.j2
dest: /data/async-icinga/config.json
notify:
- reload async icinga settings
- name: Async Icinga Service (static)
template:
src: async-icinga-config.json.j2
dest: /data/async-icinga/async-icinga-config.json
notify:
- reload async icinga settings
- name: Async Icinga Service (dynamic from backup file)
copy:
src: async-icinga-config-dynamic.json
dest: /data/async-icinga/
notify:
- reload async icinga settings
- name: Create data directories
file:
name: "/data/{{ item }}/"
state: directory
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
#- reactive-resume
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: Copy AtlantisHub config
copy:
src: "atlantis-hub-content/config.yaml"
dest: "/data/atlantis-hub/config.yaml"
notify: restart hub
- name: Create AtlantisHubDirectories
file:
name: "/data/atlantis-hub/{{ item }}"
state: directory
with_items:
- static-icons
- instance
- static-cache
- name: Copy AtlantisHub static icons
copy:
src: "atlantis-hub-content/static-icons/"
dest: "/data/atlantis-hub/static-icons/"
- name: Copy AtlantisHub static icons
template:
src: "grafana.ini"
dest: "/data/grafana/grafana.ini"
- name: Create compose directories
file:
name: "/opt/{{ item }}"
state: directory
with_items:
- athq-landing
- grafana
- potaris
- sector32
- async-icinga
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
- tor
#- reactive-resume
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: Copy compose templates
template:
src: "{{ item }}.yaml"
dest: "/opt/{{ item }}/"
with_items:
- athq-landing
- grafana
- potaris
- sector32
- async-icinga
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
- tor
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: Log into private registry
docker_login:
registry: registry.atlantishq.de
username: docker
password: ""
- name: Deploy compose templates
community.docker.docker_compose:
project_src: "/opt/{{ item }}/"
pull: true
files:
- "{{ item }}.yaml"
with_items:
- athq-landing
- grafana
- potaris
- sector32
- async-icinga
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
- tor
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: OAuth2Proxy directories
file:
path: "/opt/oauth2proxy/{{ item }}/"
state: directory
recurse: yes
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
- name: include services ports
include_vars: services.yaml
- name: Deploy OAuth2Proxy compose files
template:
src: oauth-standalone-docker-compose.yaml
dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
- name: Deploy OAuth2Proxy
community.docker.docker_compose:
project_src: /opt/oauth2proxy/{{ item }}/
pull: true
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
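Review bot: `Async Icinga database mount directory` creates `/data/async-icinga` a second time, the same path as the task directly above it, while the async-icinga compose template mounts `/data/async-icinga/instance/`; the intended line is most likely `name: /data/async-icinga/instance`. Docker would otherwise create that path itself on first start, owned by root, which is harmless until the directory is expected to have a particular owner or content. Two other task names are duplicated in this file (`Async Icinga Service (static)` appears twice, and `Copy AtlantisHub static icons` is reused for the task that templates grafana.ini), and `grafana` is listed twice in each of the three service lists; duplicates do not break Ansible but make `--start-at-task` and log reading ambiguous.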
@@ -0,0 +1,7 @@
{
"ICINGA_API_USER" : "{{ icinga_api_user }}",
"ICINGA_API_PASS" : "{{ icinga_api_pass }}",
"ICINGA_API_URL" : "{{ icinga_api_url }}",
"ICINGA_WEB_URL" : "{{ icinga_web_url }}",
"ASYNC_ICINGA_DUMMY_HOST" : "ASYNC_ICINGA"
}
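Review bot: The Jinja values in this JSON template are inserted raw between quotes, so a password or URL containing `"` or `\` produces an invalid config.json that the reload handler then pushes to the service. Use the `to_json` filter, which emits the surrounding quotes and escaping itself: `"ICINGA_API_PASS" : {{ icinga_api_pass | to_json }},` and likewise for the other three values. The same applies to the `timeout`, `token` and `owner` fields of the async-icinga-config.json.j2 template in the next section.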
@@ -0,0 +1,9 @@
{
{% for service in async_icinga_static_services %}
"{{ service['name'] }}" : {
"timeout" : "{{ service['timeout'] }}",
"token" : "{{ service['token'] }}",
"owner" : "{{ service['owner'] }}"
}{% if not loop.last %},{% endif %}
{% endfor %}
}
@@ -0,0 +1,8 @@
async-icinga:
volumes:
- "/data/async-icinga/:/app/config"
- "/data/async-icinga/instance/:/app/instance/"
restart: always
ports:
- 6006:5000
image: harbor-registry.atlantishq.de/atlantishq/async-icinga
@@ -0,0 +1,5 @@
athqlanding:
ports:
- 5002:5000
image: registry.atlantishq.de/athq/landing-page
restart: always
@@ -0,0 +1,10 @@
atlantis-hub:
image: registry.atlantishq.de/atlantis-hub:latest
restart: always
ports:
- 6011:5000
volumes:
- /data/atlantis-hub/config.yaml:/app/config.yaml
- /data/atlantis-hub/static-icons/:/app/static/icons/
- /data/atlantis-hub/sqlite-instance/:/app/instance/
- /data/atlantis-hub/static-cache/:/app/static/cache/
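Review bot: The instance volume mounts `/data/atlantis-hub/sqlite-instance/`, but the `Create AtlantisHubDirectories` task in the role prepares `/data/atlantis-hub/instance`; one of the two names is wrong, and as written Docker creates `sqlite-instance` itself as root on first start while the prepared `instance` directory stays empty. Either change the mount to `- /data/atlantis-hub/instance/:/app/instance/` or add `sqlite-instance` to the task's list — which one is intended is not visible in this commit.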
@@ -0,0 +1,28 @@
atlantis-verify:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-verify:latest
restart: always
environment:
LDAP_SERVER: ldap://{{ ldap_server }}
LDAP_BIND_DN: {{ ldap_bind_dn }}
LDAP_BIND_PW: {{ ldap_password }}
LDAP_BASE_DN: {{ ldap_user_dn }}
DISPATCH_SERVER: {{ event_dispatcher_address }}
SQLALCHEMY_DATABASE_URI: "instance/database.sqlite"
KEYCLOAK_URL: https://{{ keycloak_address }}
KEYCLOAK_REALM: master
KEYCLOAK_ADMIN_USER: admin
KEYCLOAK_ADMIN_PASS: {{ keycloak_admin_password }}
MAIN_HOME: https://hub.atlantishq.de
DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
ports:
- {{ services[item].port + 1000 }}:5000
volumes:
- /data/atlantis-verify/instance/:/app/instance/
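Review bot: The secrets under `environment` are interpolated unquoted (`LDAP_BIND_PW: {{ ldap_password }}`, `KEYCLOAK_ADMIN_PASS: …`, `DISPATCH_AUTH_PASSWORD: …`), so a value containing `: ` or ` #`, or starting with a YAML indicator such as `*`, `&`, `[` or `{`, yields an invalid or silently truncated compose file; the event-dispatcher template in this commit quotes every such value and this file should too, e.g. `LDAP_BIND_PW: "{{ ldap_password }}"`. The same pattern is in the soundlib template (`AWS_SECRET_ACCESS_KEY`) and the tmnf-replay-server template (`DISPATCH_AUTH_PASSWORD`). Separately, `SQLALCHEMY_DATABASE_URI: "instance/database.sqlite"` has no `sqlite:///` scheme, unlike the tmnf-replay-server file's `SQLITE_LOCATION`; whether the application prepends it is not visible here, so confirm against the image.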
@@ -0,0 +1,39 @@
version: "3.3"
services:
master:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-master:latest
restart: always
ports:
- {{ services[item].port + 1000 }}:5000
depends_on:
- queue
volumes:
- /data/atlantis-web-check/instance/:/app/instance/
environment:
- QUEUE_HOST=queue
- QUEUE_NAME=scheduled
- DISPATCH_SERVER={{ event_dispatcher_address }}
- DISPATCH_AUTH_USER={{ event_dispatcher_user }}
- DISPATCH_AUTH_PASSWORD={{ event_dispatcher_pass }}
scheduler:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-scheduler:latest
restart: always
depends_on:
- master
environment:
- MASTER_HOST=master:5000
- SLEEP_TIME=1
queue:
image: rabbitmq
restart: always
ports:
- 5672:5672
worker:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-worker:latest
restart: always
depends_on:
- master
environment:
- MASTER_HOST=master:5000
- QUEUE_HOST=queue
- QUEUE_NAME=scheduled
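Review bot: The `queue` service publishes `5672:5672` on every host interface, but its only consumers are `master` and `worker` in the same project, which reach it as `queue` over the compose network; the published port exposes a RabbitMQ broker running with the image's default credentials to anything that can reach the host. Drop the `ports:` block under `queue`, or if a host-side client is genuinely needed, bind it to loopback with `- 127.0.0.1:5672:5672`.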
@@ -0,0 +1,9 @@
version: 3
service:
collabora:
ports:
- 9980:9980
image: collabora/code
restart: unless-stopped
environment:
- "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
@@ -0,0 +1,14 @@
event-dispatcher:
ports:
- 5007:5000
image: registry.atlantishq.de/athq/event-dispatcher
restart: always
volumes:
- "/data/event-dispatcher/instance/:/app/instance/"
environment:
SIGNAL_API_PASS: "{{ event_dispatcher_pass }}"
LDAP_SERVER : "{{ ldap_connection_url }}"
LDAP_BIND_DN : "{{ ldap_bind_dn }}"
LDAP_BIND_PW : "{{ ldap_password }}"
LDAP_BASE_DN : "{{ ldap_user_dn }}"
SIGNAL_GATEWAY_PASS: "{{ event_dispatcher_token }}"
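Review bot: Four of the six environment keys are written with a space before the colon (`LDAP_SERVER : …`) and two without; YAML drops the trailing space of a plain-scalar key, so both parse, but the mix reads like two authors and trips some linters. Write them all as `KEY: "value"`; the grafana template has the same `GF_INSTALL_PLUGINS :` spacing. Quoting every interpolated value, as this file does, is the right pattern and is worth carrying to the other compose templates in this commit.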
@@ -0,0 +1,11 @@
gotify:
image: gotify/server
restart: always
environment:
- TZ="Europe/Berlin"
- GOTIFY_DEFAULTUSER_NAME={{ gotify_user }}
- GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}
ports:
- 4001:80
volumes:
- /data/gotify/data:/app/data
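Review bot: `- TZ="Europe/Berlin"` is a plain YAML scalar, so the double quotes are part of the value and the container receives `TZ` set to `"Europe/Berlin"` including the quote characters, which tzdata will not resolve. Write it as `- TZ=Europe/Berlin`, the form the reactive-resume template uses. The two `GOTIFY_DEFAULTUSER_*` interpolations are unquoted as well; that works in list form, but a password containing ` #` would be cut off by the YAML comment rule, so `- "GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}"` is safer.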
@@ -0,0 +1,10 @@
grafana:
ports:
- 4000:3000
image: grafana/grafana-oss
restart: always
volumes:
- "/data/grafana/grafana-var/:/var/lib/grafana"
- "/data/grafana/grafana.ini:/etc/grafana/grafana.ini"
environment:
GF_INSTALL_PLUGINS : "grafana-clock-panel,grafana-simple-json-datasource"
@@ -0,0 +1,39 @@
version: '3'
services:
database:
image: postgres:13.4-alpine
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD=D7OIx5VBUa7nEzdy6f
- POSTGRES_DB=hedgedoc
volumes:
- /data/hedgedoc/pgsql:/var/lib/postgresql/data
restart: always
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.9
environment:
- CMD_DB_URL=postgres://hedgedoc:D7OIx5VBUa7nEzdy6f@database:5432/hedgedoc
- CMD_DOMAIN=hedgedoc.atlantishq.de
- CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
- CMD_EMAIL=false
- CMD_ALLOW_EMAIL_REGISTER=false
- CMD_OAUTH2_USER_PROFILE_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/userinfo
- CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
- CMD_OAUTH2_CLIENT_ID=z_hedgedoc
- CMD_OAUTH2_CLIENT_SECRET=T4kvtI0ZF1JepEbmTm9bCksCJkuDOicGd
- CMD_OAUTH2_SCOPE=openid email profile
- CMD_OAUTH2_ROLES_CLAIM=roles
- CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
volumes:
- /data/hedgedoc/uploads:/hedgedoc/public/uploads
ports:
- "5012:3000"
restart: always
depends_on:
- database
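Review bot: `POSTGRES_PASSWORD`, the password embedded in `CMD_DB_URL`, and `CMD_OAUTH2_CLIENT_SECRET` are literal values in a file that already uses `{{ keycloak_address }}`, so the commit titled "no secrets" publishes a database password and a Keycloak client secret; both should be rotated and replaced by vault variables, e.g. `- POSTGRES_PASSWORD={{ hedgedoc_db_password }}` and `- CMD_OAUTH2_CLIENT_SECRET={{ hedgedoc_oidc_client_secret }}` (placeholder names, and the same variable must be reused inside `CMD_DB_URL`). The money-balancer template (`MONEYBALANCER_JWT_SECRET`) and the reactive-resume template (MinIO, Postgres and token secrets) have the same problem. Separately, `CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']` looks like a Python list literal; HedgeDoc documents this variable as a comma-separated list, so the brackets and quotes are probably passed through verbatim — confirm against the image's documentation.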
@@ -0,0 +1,10 @@
heimdall:
image: linuxserver/heimdall:latest
restart: always
ports:
- 6011:80
volumes:
- /data/heimdall/:/config/
environment:
- PGID=1000
- PUID=1000
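Review bot: Heimdall publishes host port `6011`, which the atlantis-hub template in this commit already binds with `6011:5000`; if both are ever deployed on the same host, the second `docker-compose up` fails with a port-in-use error. Heimdall is not in the role's deploy lists, so this is latent, but picking a free port now is cheaper than debugging it when the service is enabled.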
@@ -0,0 +1,15 @@
version: "3"
services:
money-balancer:
image: ghcr.io/dorianim/money-balancer
restart: unless-stopped
ports:
- {{ services[item].port + 1000 }}:8000
volumes:
- /data/money-balancer:/data
environment:
- MONEYBALANCER_JWT_SECRET=Opta7EkHqgBWUDZULVypcP8FCxw511
- MONEYBALANCER_AUTH_LOCAL_ENABLED=false
- MONEYBALANCER_AUTH_PROXY_ENABLED=true
- MONEYBALANCER_AUTH_PROXY_HEADERS_USERNAME=x-forwarded-preferred-username
- MONEYBALANCER_AUTH_PROXY_HEADERS_NICKNAME=x-forwarded-preferred-username
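Review bot: With `MONEYBALANCER_AUTH_PROXY_ENABLED=true` the application trusts the `x-forwarded-preferred-username` header as the authenticated identity, so that trust is only sound if the published port `{{ services[item].port + 1000 }}:8000` is reachable exclusively from the oauth2-proxy that sets the header; as written it listens on all host interfaces. Bind it to loopback, `- 127.0.0.1:{{ services[item].port + 1000 }}:8000`, or attach the service to the proxy's network and drop `ports:` altogether — which of the two fits depends on how the oauth2proxy compose template (not shown here) reaches the app. The `MONEYBALANCER_JWT_SECRET` literal is covered in the hedgedoc note.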
@@ -0,0 +1,6 @@
potaris:
ports:
- 5003:5000
- 5004:5000
image: harbor-registry.atlantishq.de/atlantishq/potaris-next-gen-web
restart: always
@@ -0,0 +1,12 @@
version: '3'
services:
image-factory:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-image-factory:latest
restart: always
ports:
- "{{ services[item].port + 1000 }}:5000"
environment:
UPLOAD_ENABLED: "yes"
PICTURES_DIRECTORY: pictures
volumes:
- "/data/image-factory/pictures/:/app/pictures/"
@@ -0,0 +1,93 @@
version: "3.8"
services:
minio:
image: minio/minio
restart: unless-stopped
command: server /data
ports:
- 9000:9000
volumes:
- /data/reactive-resume/minio/:/data
networks:
- resume
environment:
MINIO_ROOT_USER: minioadmin
MINIO_ROOT_PASSWORD: WGTVrFT73kwv0CbKa0PR
db:
image: postgres:13
environment:
- POSTGRES_USER=reactiveresume
- POSTGRES_PASSWORD=pwMOJntCfXdwF9ExnjNi
- POSTGRES_DB=reactiveresume
restart: always
volumes:
- /data/reative-resume-postgres/:/var/lib/postgresql/data
networks:
- resume
redis:
image: redis:latest
environment:
- TZ=Europe/Berlin
restart: unless-stopped
networks:
- resume
chrome:
image: browserless/chrome:latest
networks:
- resume
app:
image: amruthpillai/reactive-resume:latest
restart: unless-stopped
ports:
- {{ services[item].port + 1000 }}:3000
networks:
- resume
depends_on:
- db
- minio
- redis
- chrome
environment:
# -- Environment Variables --
PORT: 3000
NODE_ENV: production
# -- URLs --
PUBLIC_URL: https://resume.atlantishq.de
STORAGE_URL: http://localhost:9000
# -- Printer (Chrome) --
CHROME_TOKEN: chrome_token
CHROME_URL: ws://chrome:3000
# -- Database (Postgres) --
DATABASE_URL: postgresql://reactiveresume:pwMOJntCfXdwF9ExnjNi@db:5432/postgres
# -- Auth --
ACCESS_TOKEN_SECRET: 2EkPnUqJIE2EkPnUqJIE
REFRESH_TOKEN_SECRET: cihib7NzMxcihib7NzMx
# -- Emails --
MAIL_FROM: noreply@atlantishq.de
SMTP_URL: smtp://{{ smtp_service_user }}@atlantishq.de:{{ smtp_service_pass }}@{{ smtp_internal_host }}:{{ smtp_internal_host_port }}
# -- Storage (Minio) --
STORAGE_ENDPOINT: minio
STORAGE_PORT: 9000
STORAGE_BUCKET: default
STORAGE_ACCESS_KEY: minioadmin
STORAGE_SECRET_KEY: WGTVrFT73kwv0CbKa0PR
# -- Cache (Redis) --
REDIS_URL: redis://default:password@redis:6379
# -- Email (Optional) --
# DISABLE_EMAIL_AUTH: true
# VITE_DISABLE_SIGNUPS: true
networks:
resume:
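Review bot: `DATABASE_URL` ends in `/postgres` while the `db` service provisions `POSTGRES_DB=reactiveresume`, so the app would connect to the maintenance database instead of its own; the tail should be `@db:5432/reactiveresume`. The `db` volume path `/data/reative-resume-postgres/` is misspelled relative to `/data/reactive-resume/minio/` above it, and `REDIS_URL` carries `default:password` although the `redis` service configures no password, which Redis 6+ rejects with an AUTH error when a password is offered for a user that has none — confirm against the image. The MinIO root password, Postgres password, `ACCESS_TOKEN_SECRET`, `REFRESH_TOKEN_SECRET` and `STORAGE_SECRET_KEY` are literals; see the hedgedoc note. The service is commented out in the role's lists, so none of this is live yet.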
@@ -0,0 +1,5 @@
sector32:
ports:
- 5001:5000
image: registry.atlantishq.de/athq/sector32
restart: always
@@ -0,0 +1,14 @@
version: '3'
services:
soundlib:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-soundlib:latest
restart: always
ports:
- "{{ services[item].port + 1000 }}:5000"
environment:
S3_BUCKET: soundlib
AWS_ACCESS_KEY_ID: {{ SOUNDLIB_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: {{ SOUNDLIB_AWS_SECRET_ACCESS_KEY }}
S3_ENDPOINT: {{ SOUNDLIB_S3_ENDPOINT }}
volumes:
- /data/soundlib/instance/:/app/instance/
@@ -0,0 +1,14 @@
tmnf-replay-server:
image: harbor-registry.atlantishq.de/atlantishq/tmnf-replay-server:latest
restart: always
ports:
- 6010:5000
volumes:
- /data/tmnf-replay-server/data/:/app/data/
- /data/tmnf-replay-server/uploads/:/app/uploads/
environment:
SQLITE_LOCATION: sqlite:////app/data/sqlite.db
DISPATCH_SERVER: {{ event_dispatcher_address }}
DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
@@ -0,0 +1,27 @@
version: "3.4"
services:
obfs4-bridge:
image: thetorproject/obfs4-bridge:latest
networks:
- obfs4_bridge_external_network
environment:
- OR_PORT=20000
- PT_PORT=20001
- EMAIL=nobody@nowhere.com
- NICKNAME=nowhere
- OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
- OBFS4V_AddressDisableIPv6=1
# - OBFS4V_PublishServerDescriptor=0
volumes:
- data:/var/lib/tor
ports:
- 20000:20000
- 20001:20001
restart: unless-stopped
volumes:
data:
name: tor-datadir-20000-20001
networks:
obfs4_bridge_external_network:
+59
@@ -0,0 +1,59 @@
- name: nsca-ng service reload
systemd:
name: nsca-ng
state: restarted
enabled: yes
daemon_reload: yes
- name: restart rsyslog
systemd:
name: rsyslog
state: restarted
- name: restart collectd
systemd:
name: collectd
state: restarted
- name: restart influxdb
systemd:
name: influxdb
state: restarted
- name: restart postfix
systemd:
name: postfix
state: restarted
- name: restart dovecot
systemd:
name: dovecot
state: restarted
- name: restart nginx
systemd:
name: nginx
state: restarted
- name: restart ldap
systemd:
name: ldap
state: restarted
- name: restart opendkim
systemd:
name: opendkim
state: restarted
- name: restart slapd
systemd:
name: slapd-custom
state: restarted
- name: daemon reload
systemd:
daemon-reload: yes
- name: apt update
apt:
update_cache: yes
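Review bot: `daemon reload` passes `daemon-reload: yes` to the `systemd` module, but the parameter is `daemon_reload` (spelled correctly in the `nsca-ng service reload` handler at the top of this file), so this handler fails with an unsupported-parameter error whenever it is notified. Change the line to `daemon_reload: yes`. Also, `restart ldap` restarts a unit named `ldap` while `restart slapd` restarts `slapd-custom`; if both are meant for the same daemon, one of them targets a unit that may not exist — not verifiable from this commit.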
@@ -0,0 +1,13 @@
{
"auth_mode": "oidc_auth",
"oidc_name": "AtlantisHQ Accounts",
"oidc_endpoint": "https://keycloak.atlantishq.de/realms/master",
"oidc_groups_claim": "groups",
"oidc_admin_group": "pki",
"oidc_client_id": "z_harbor",
"oidc_client_secret": "TODO MUST BE SET",
"oidc_scope": "openid,email,profile",
"oidc_verify_cert": "true",
"oidc_auto_onboard": "true",
"oidc_user_claim": "preferred_username"
}
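Review bot: `oidc_client_secret` is the placeholder `TODO MUST BE SET`, and the harbor task `Inject OIDC Config` reads this file with `lookup('file', …)` and writes it into `CONFIG_OVERWRITE_JSON` on every run; as I understand that mechanism Harbor reapplies the listed keys at startup, so the placeholder would clobber whatever secret an operator sets in the UI after each `restart harbor`. Keep the real value out of the repository and out of this static file: render it with `lookup('template', 'harbor-oidc.json.j2')` and `"oidc_client_secret": {{ harbor_oidc_client_secret | to_json }}` (placeholder variable name), or remove the key from the overwrite set so the UI value wins.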
+5
@@ -0,0 +1,5 @@
- name: restart harbor
docker_compose:
project_src: /opt/harbor/
state: present
restarted: yes
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+50
@@ -0,0 +1,50 @@
- name: Install Docker prerequisites
apt:
state: present
pkg:
- docker.io
- docker-compose
- name: Create /data/ dir
file:
path: /data/
state: directory
- name: Download release
get_url:
url: https://github.com/goharbor/harbor/releases/download/{{ harbor_version }}/{{ harbor_file }}
dest: /opt/{{ harbor_file }}
- name: Extract release
unarchive:
remote_src: true
src: /opt/harbor-online-installer-v2.10.0.tgz
dest: /opt/
register: release
- name: Copy harbor config
template:
src: harbor.config.yaml
dest: /opt/harbor/harbor.yml # mind the missing a
register: config
- name: run installer
shell:
cmd: ./install.sh --with-trivy
chdir: /opt/harbor/
when: config.changed or release.changed
notify: restart harbor
- name: Inject OIDC Config
lineinfile:
state: present
path: /opt/harbor/common/config/core/env
line: CONFIG_OVERWRITE_JSON={{ lookup('file','harbor-oidc.json') | from_json | to_json }}
regex: CONFIG_OVERWRITE_JSON=
notify: restart harbor
- name: Add @reboot compose job # harbor deps are meh, restart: always is not safe
cron:
name: "Harbor Up"
special_time: "reboot"
job: "/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up"
@@ -0,0 +1,306 @@
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: NOPE
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
#https:
# # https port for harbor, default is 443
# port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
# # set enabled to true means internal tls is enabled
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# # enable strong ssl ciphers (default: false)
# strong_ssl_ciphers: false
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
external_url: https://harbor-registry.atlantishq.de
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: {{ harbor_admin_password }}
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: {{ harbor_db_password }}
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 100
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 900
# The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
conn_max_lifetime: 5m
# The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
conn_max_idle_time: 0
# The default data volume
data_volume: /data/harbor/
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
# # of registry's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
# ca_bundle:
# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
# filesystem:
# maxthreads: 100
# # set disable to true when you want to disable registry redirect
# redirect:
# disable: false
# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# The offline_scan option prevents Trivy from sending API requests to identify dependencies.
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
# For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
# exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
# It would work if all the dependencies are in local.
# This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
offline_scan: false
#
# Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
security_check: vuln
#
# insecure The flag to skip verifying registry certificate
insecure: false
# github_token The GitHub access token to download Trivy DB
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
#
# github_token: xxx
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
# The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
job_loggers:
- STD_OUTPUT
- FILE
# - DB
# The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
logger_sweeper_duration: 1 #days
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 3
# HTTP client timeout for webhook job
webhook_job_http_client_timeout: 3 #seconds
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor
# Uncomment following lines to enable external syslog endpoint.
# external_endpoint:
# # protocol used to transmit log to external endpoint, options is tcp or udp
# protocol: tcp
# # The host of external endpoint
# host: localhost
# # Port of external endpoint
# port: 5140
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.10.0
# Uncomment external_database if using external database.
# external_database:
# harbor:
# host: harbor_db_host
# port: harbor_db_port
# db_name: harbor_db_name
# username: harbor_db_username
# password: harbor_db_password
# ssl_mode: disable
# max_idle_conns: 2
# max_open_conns: 0
# Uncomment redis if need to customize redis db
# redis:
# # db_index 0 is for core, it's unchangeable
# # registry_db_index: 1
# # jobservice_db_index: 2
# # trivy_db_index: 5
# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
# # harbor_db_index: 6
# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
# # cache_db_index: 7
# Uncomment redis if need to customize redis db
# redis:
# # db_index 0 is for core, it's unchangeable
# # registry_db_index: 1
# # jobservice_db_index: 2
# # trivy_db_index: 5
# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
# # harbor_db_index: 6
# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
# # cache_layer_db_index: 7
# Uncomment external_redis if using external Redis server
# external_redis:
# # support redis, redis+sentinel
# # host for redis: <host_redis>:<port_redis>
# # host for redis+sentinel:
# # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
# host: redis:6379
# password:
# # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
# # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
# # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
# # username:
# # sentinel_master_set must be set to support redis+sentinel
# #sentinel_master_set:
# # db_index 0 is for core, it's unchangeable
# registry_db_index: 1
# jobservice_db_index: 2
# trivy_db_index: 5
# idle_timeout_seconds: 30
# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
# # harbor_db_index: 6
# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
# # cache_layer_db_index: 7
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
# ca_file: /path/to/ca
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
# metric:
# enabled: false
# port: 9090
# path: /metrics
# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agetn mode uncomment agent_host and agent_port
# trace:
# enabled: true
# # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
# sample_rate: 1
# # # namespace used to differenciate different harbor services
# # namespace:
# # # attributes is a key value dict contains user defined attributes used to initialize trace provider
# # attributes:
# # application: harbor
# # # jaeger should be 1.26 or newer.
# # jaeger:
# # endpoint: http://hostname:14268/api/traces
# # username:
# # password:
# # agent_host: hostname
# # # export trace data by jaeger.thrift in compact mode
# # agent_port: 6831
# # otel:
# # endpoint: hostname:4318
# # url_path: /v1/traces
# # compression: false
# # insecure: true
# # # timeout is in seconds
# # timeout: 10
# Enable purge _upload directories
upload_purging:
enabled: true
# remove files in _upload directories which exist for a period of time, default is one week.
age: 168h
# the interval of the purge operations
interval: 24h
dryrun: false
# Cache layer configurations
# If this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which can especially help to improve the performance of high concurrent
# manifest pulling.
# NOTICE
# If you are deploying Harbor in HA mode, make sure that all the harbor
# instances have the same behaviour, all with caching enabled or disabled,
# otherwise it can lead to potential data inconsistency.
cache:
# not enabled by default
enabled: false
# keep cache for one day by default
expire_hours: 24
# Harbor core configurations
# Uncomment to enable the following harbor core related configuration items.
# core:
# # The provider for updating project quota(usage), there are 2 options, redis or db,
# # by default is implemented by db but you can switch the updation via redis which
# # can improve the performance of high concurrent pushing to the same project,
# # and reduce the database connections spike and occupies.
# # By redis will bring up some delay for quota usage updation for display, so only
# # suggest switch provider to redis if you were ran into the db connections spike aroud
# # the scenario of high concurrent pushing to same project, no improvment for other scenes.
# quota_update_provider: redis # Or db
+84
@@ -0,0 +1,84 @@
- name: Install iptables
apt:
state: present
pkg:
- iptables
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Allow Hypervisor
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.1
jump: ACCEPT
comment: "allow hypervisor"
- name: Allow ping from monitoring
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.107
protocol: icmp
jump: ACCEPT
comment: "allow monitoring to ping"
- name: Allow TLS Check from monitoring on mail
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.107
protocol: tcp
destination_port: "{{ item }}"
jump: ACCEPT
comment: "allow monitoring to check mail TLS ports"
with_items:
- 465
- 993
- name: Allow ping from zabbix
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.117
protocol: icmp
jump: ACCEPT
comment: "allow zabbix to ping"
- name: Allow zabbix-agent from zabbix
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.117
protocol: tcp
destination_port: "10050"
jump: ACCEPT
comment: "allow zabbix to connect to agent"
- name: Allow node-exporter from prometheus
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.120
protocol: tcp
destination_port: "9100"
jump: ACCEPT
comment: "allow prometheus to access node-exporter"
- name: Open Configured internal ports
ansible.builtin.iptables:
chain: INPUT
destination_port: "{{ item.port }}"
source: 192.168.122.0/24
protocol: "{{ item.protocol }}"
comment: "{{ item.comment }}"
jump: ACCEPT
loop: "{{ extra_internal_iptables_ports_allow }}"
when: extra_internal_iptables_ports_allow is defined
- name: Reject everything else in internal network
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.0/24
comment: "Block internal network"
jump: REJECT
reject_with: icmp-admin-prohibited
state: present
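Review bot: `ansible.builtin.iptables` only changes the running ruleset; nothing in this task list persists it (the apt task installs just `iptables`), so the whole INPUT policy is gone after a reboot unless something outside this hunk saves it — add `iptables-persistent`/`netfilter-persistent` with a save handler, or `community.general.iptables_state`. The module's default `action` is append, so the closing `REJECT` for `192.168.122.0/24` only works because it is the last rule written; any INPUT rule a later role appends lands behind it and never matches — `action: insert` with an explicit `rule_num` for the REJECT, or a dedicated chain, makes the ordering explicit. `state: present` is the default and appears only on the last task; drop it or set it on every task for consistency. The hypervisor rule at `source: 192.168.122.1` accepts every protocol and port from that address, which is broader than the monitoring rules; a `comment` stating why it needs that would help the next reader.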
+122
@@ -0,0 +1,122 @@
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# logs
info_log_path = /var/dovecot/logs/dovecot_info.log
log_path = /var/dovecot/logs/dovecot.log
protocols = imap pop3 lmtp
# We're using Maildir format
mail_location = maildir:~/Maildir
# If you're using POP3, you'll need this:
pop3_uidl_format = %g
# Authentication configuration:
auth_verbose = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
passdb {
driver = passwd-file
args = scheme=SHA512-CRYPT username_format=%n /var/dovecot/auth/passwd
}
userdb {
driver = passwd-file
args = username_format=%n /var/dovecot/auth/passwd
}
# Postmaster
protocol lda {
postmaster_address = postmaster@example.com
}
# Quotas mus be defined like this in passwd userdb_quota_rule=*:storage=100M
mail_plugins = $mail_plugins quota
protocol imap {
mail_plugins = $mail_plugins imap_quota
}
plugin {
quota = maildir
}
## SSL settings
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
ssl_cert = </etc/letsencrypt/live/atlantishq.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/atlantishq.de/privkey.pem
ssl_min_protocol = TLSv1.1
ssl_cipher_list = HIGH:!aNULL
ssl_prefer_server_ciphers = yes
default_login_user = dovenull
default_internal_user = dovecot
####### IMAP #######
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap {
port = 0
}
service_count = 1
process_min_avail = 1
vsz_limit = 100M
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
}
service imap {
vsz_limit = 100M
process_limit = 100
}
####### POP3 #######
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
inet_listener pop3 {
port = 0
}
}
service pop3 {
process_limit = 100
}
###### LMTP #######
service lmtp {
unix_listener /var/spool/postfix/private/dovecot_lmtp_target {
mode = 0600
group = postfix
user = postfix
}
}
###### AUTH ######
service auth {
unix_listener auth-userdb {
mode = 0600
group = postfix
user = postfix
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0600
group = postfix
user = postfix
}
user = dovecot
}
service auth-worker {
user = dovecot
}
first_valid_uid = 100
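Review bot: `postmaster_address = postmaster@example.com` in the `protocol lda` block is the sample value, so LDA bounce and reject notices will be addressed to example.com instead of a mailbox someone reads; set it to a postmaster address on one of the hosted domains. `ssl_min_protocol = TLSv1.1` still accepts the deprecated TLS 1.1; `ssl_min_protocol = TLSv1.2` matches what the Postfix `tls_policy` in this commit already requires. `disable_plaintext_auth = no` permits the `plain login` mechanisms on any non-TLS path; the exposure is limited because the cleartext `imap`/`pop3` listeners are closed with `port = 0`, but `disable_plaintext_auth = yes` is the safer default and costs nothing here. `protocols = imap pop3 lmtp` presumably needs the `dovecot-pop3d` and `dovecot-lmtpd` packages, which the mail role's apt task in this commit does not install — worth confirming on the target, since Dovecot refuses to start on an unknown protocol.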
+1
@@ -0,0 +1 @@
noreply:{SHA512-CRYPT}$6$XXXXXXXXXXXXXXXXXXXuse this: $(mkpasswd -msha512crypt)XXXXX:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
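Review bot: The password field of the `noreply` entry contains the instruction text `use this: $(mkpasswd -msha512crypt)` instead of a hash, and the role's copy task deploys this file verbatim to `/var/dovecot/auth/passwd`, so the line goes live as-is and the account can never authenticate — acceptable for a noreply mailbox, but then say so in a comment rather than leaving a template marker. The extra-fields part `userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M` has a stray space and leading `::` before the quota rule; passwd-file extra fields are space-separated `key=value` pairs, so the quota rule is probably not applied as intended — confirm with `doveadm user noreply`. Generating this file from a template with a vaulted hash would also keep credentials out of the repository.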
+1
@@ -0,0 +1 @@
sqlite postfix-sqlite.so dict_sqlite_open
+9
@@ -0,0 +1,9 @@
# Sender adress the user may use :)
sheppy@atlantishq.de sheppy@atlantishq.de
ths-nas@atlantishq.de ths-nas@atlantishq.de
joerg@darknet-fashion.de joerg@darknet-fashion.de
yannik.schmidt@potaris.de yannik.schmidt@potaris.de
noreply@atlantishq.de noreply@atlantishq.de
@darknet-fashion.de joerg
@darknet-fashion.com joerg
@atlantishq.de sheppy
+1
@@ -0,0 +1 @@
/^X-Spam-Flag: YES/ REDIRECT spamsink@atlantishq.de
+102
@@ -0,0 +1,102 @@
# let's confuse atackers
smtpd_banner = $myhostname Postfix
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
# delay_warning_time = 10h
queue_directory = /var/spool/postfix
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/atlantishq.de/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# tls paramaters
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
# breaks mailman for obvious reasons
smtpd_tls_security_level=may
smtpd_tls_auth_only = yes
# SMTP (mainly from dovecot documentation)
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_mandatory_ciphers=high
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
## restrictions
# PERMIT MY NETWORKS MUST ALWAYS BE THE FIRST ARGUMENT OR YOU CANNOT SEND TO NON-LOCAL domains from NOT-DOVECOT
#policyd-spf_time_limit = 3600
smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
# USER mappings (not reliant on unix users)
# MAILMAN #
virtual_mailbox_domains = atlantishq.de,darknet-fashion.de,darknet-fashion.com,potaris.de
virtual_alias_maps = hash:/etc/postfix/virtual
#recipient_cononical_maps = hash:/etc/postfix/canonical-recipient
virtual_transport = lmtp:unix:private/dovecot_lmtp_target
#relocated_maps = hash:/etc/postfix/mail_redirect
alias_maps = hash:/etc/aliases
virtual_minimum_uid = 100
virtual_uid_maps = static:1009
virtual_gid_maps = static:1009
#receive_override_options = no_address_mappings
# spam redirect happens here
header_checks = regexp:/etc/postfix/header_checks
# random shit
biff = no
readme_directory = no
compatibility_level = 2
myhostname = mail.atlantishq.de
#mydestination = localhost.divercitystudio.de,localhost.atlantishq.de, ,localhost
mydestination = localhost
#,localhost.esports-erlangen.de,esports-erlangen.de
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
message_size_limit = 80480000
inet_interfaces = all
inet_protocols = all
#alias_maps = hash:/etc/aliases
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = $smtpd_milters
disable_mime_output_conversion = yes
authorized_submit_users = !check,static:all
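Review bot: The `smtpd_tls_protocols`, `smtp_tls_protocols` and both `*_mandatory_protocols` lines still admit the deprecated `TLSv1.1`; on Postfix 3.6 and later `>=TLSv1.2` expresses the floor directly, and on older releases `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` does the same, which also lines up with the `protocols=TLSv1.2` the `tls_policy` file in this commit demands on the outbound side. `PSD` in the four `*_exclude_ciphers` lists is not an OpenSSL cipher-suite name and is presumably ignored by the library; `PSK` looks like what was meant. `smtp_tls_mandatory_ciphers` is set twice (`smtp_tls_mandatory_ciphers = high` and later `smtp_tls_mandatory_ciphers=high`) — same value, but postconf warns about the override, so one copy can go. `smtp_sasl_security_options =` (empty) would allow anonymous and plaintext outbound SASL mechanisms; it is inert while `smtp_sasl_auth_enable` stays at its default and the password map is commented out, but restoring the default `noplaintext, noanonymous` avoids a surprise the day relay auth is switched on.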
+58
@@ -0,0 +1,58 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o content_filter=spamassassin
8025 inet n - y - - smtpd
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
#smtp inet n - y - 1 postscreen
smtps inet n - y - - smtpd -v
-o smtpd_tls_wrappermode=yes
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
########################## OTHER #############################
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
+63
@@ -0,0 +1,63 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_certificate /etc/letsencrypt/live/atlantishq.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/atlantishq.de/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
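Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` under SSL Settings still enables TLS 1.0 and 1.1, which the POODLE comment does not cover; `ssl_protocols TLSv1.2 TLSv1.3;` is the current baseline and is what the mail-side TLS policy in this commit already expects of peers. `ssl_prefer_server_ciphers on;` without an `ssl_ciphers` line leaves the OpenSSL default list in effect, so the preference setting buys little on its own. `# server_tokens off;` is still commented out, so the nginx version is advertised in `Server:` headers and error pages — uncomment it.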
+26
@@ -0,0 +1,26 @@
server {
server_name mail.atlantishq.de autoconfig.atlantishq.de autodiscover.atlantishq.de autoconfig.potaris.de;
listen 443 ssl;
listen 80;
listen [::]:443 ssl;
location /.well-known/acme-challenge/ {
auth_basic off;
alias /var/www/.well-known/acme-challenge/;
}
location /initdb {
allow 127.0.0.1;
deny all;
}
location /{
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}
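Review bot: `proxy_set_header X-Forwarded-Proto http;` is hard-coded, so the backend on `localhost:8080` sees every request as plain HTTP even when it arrived on `listen 443 ssl;` — use `proxy_set_header X-Forwarded-Proto $scheme;`, otherwise any redirect, `Secure` cookie flag or HSTS decision the application derives from that header is wrong. The same server block serves the proxied application on `listen 80;` with no redirect, so the mail web UI stays reachable over cleartext; the usual shape is a separate port-80 server that answers only `/.well-known/acme-challenge/` and redirects everything else, sketched below. `location /initdb { allow 127.0.0.1; deny all; }` contains no `proxy_pass`, so requests that pass the allow-list are served from the default document root instead of reaching the backend's `/initdb` — if the intent is "reachable from localhost only", the `proxy_pass` and headers belong inside that location as well. There is also no `listen [::]:80;`, so IPv6 clients get only the TLS listener.
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name mail.atlantishq.de autoconfig.atlantishq.de autodiscover.atlantishq.de autoconfig.potaris.de;
    location /.well-known/acme-challenge/ {
        alias /var/www/.well-known/acme-challenge/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
# … unchanged: existing TLS server block, minus `listen 80;`, with `proxy_set_header X-Forwarded-Proto $scheme;` …
```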
+1
@@ -0,0 +1 @@
atlantishq atlantishq.de:default:/etc/opendkim/keys/atlantishq.de/default.private
+86
@@ -0,0 +1,86 @@
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain example.com
#KeyFile /etc/dkimkeys/dkim.key
#Selector 2007
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
# Socket smtp://localhost
#
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
Socket inet:8892@localhost
#Socket local:/var/run/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
## PidFile filename
### default (none)
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /var/run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
SigningTable refile:/etc/opendkim/signing.table
KeyTable /etc/opendkim/key.table
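Review bot: `Canonicalization` is left at the default shown in the commented line (`simple`), so any relay or list software that re-wraps or trims header whitespace invalidates the signature; `Canonicalization relaxed/simple` is the common choice for exactly that reason. `InternalHosts` and `ExternalIgnoreList` both point at `trusted.hosts`, which lists the monitoring hosts `192.168.122.107` and `192.168.122.117`; mail from them is therefore signed rather than verified, which is fine for alert mail but deserves a comment in that file so nobody widens the list casually. `Socket inet:8892@localhost` agrees with `smtpd_milters = inet:localhost:8892` in `main.cf`, so the milter wiring is consistent.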
+3
@@ -0,0 +1,3 @@
*@atlantishq.de atlantishq
*@lantia-it.de atlantishq
*@esports-erlangen.de atlantishq
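Review bot: All three patterns map to the single key `atlantishq`, which `key.table` in this commit ties to `atlantishq.de`, so mail from `lantia-it.de` and `esports-erlangen.de` is signed with `d=atlantishq.de` — a valid signature, but not DMARC-aligned for those domains, so it does nothing for their DMARC evaluation. Conversely the domains Postfix actually hosts per `virtual_mailbox_domains` (`darknet-fashion.de`, `darknet-fashion.com`, `potaris.de`) are absent here, so their outbound mail leaves unsigned. Each sending domain needs its own key and selector, e.g. `*@darknet-fashion.de darknet-fashion` here plus a matching `key.table` line that names that domain.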
+6
@@ -0,0 +1,6 @@
127.0.0.1
localhost
atlantishq.de
192.168.122.112
192.168.122.107
192.168.122.117
@@ -0,0 +1,16 @@
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 1
TestOnly = 1
#HELO_reject = Fail
#Mail_From_reject = Fail
HELO_reject = False
Mail_From_reject = False
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.122.112,192.168.122.107
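Review bot: With `TestOnly = 1` and `HELO_reject`, `Mail_From_reject` and `PermError_reject` all `False`, the policy daemon never returns a reject, so the `check_policy_service unix:private/policyd-spf` entry in `main.cf` only adds `Received-SPF` headers and provides no enforcement. That is a reasonable burn-in setting, but it should be stated as such, e.g. `# advisory only: set TestOnly = 0 and Mail_From_reject = Fail after reviewing the logs`, so the two commented `Fail` lines above are not mistaken for the active policy. The file header for this section was lost in rendering; the deploy task names it `policy-spf/policyd-spf.conf`.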
+1
@@ -0,0 +1 @@
test@atlantishq.de sheppy@atlantishq.de
+11
@@ -0,0 +1,11 @@
alyssa@catapult.gg REJECT
service-expert.net REJECT
yougetnow.com REJECT
forestanes.pics REJECT
stockcard.io REJECT
zapingers.autos REJECT
cleverep.com REJECT
.ru REJECT
allsip.ru REJECT
sina.buffy@avantgarde-experts.de OK
.avantgarde-experts.de OK
+13
@@ -0,0 +1,13 @@
[atlantishq.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[atlantishq.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[atlantishq.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:587 encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:msa encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:submission encrypt protocols=TLSv1.2 ciphers=high
.datev.de encrypt
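Review bot: `protocols=TLSv1.2` in the per-destination policy restricts the outbound handshake to exactly TLS 1.2, so these destinations never negotiate TLS 1.3 even when both ends support it; on Postfix 3.6 and later `protocols=>=TLSv1.2` keeps the floor and allows 1.3, and on older releases `protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1` does the same. The per-destination `ciphers=high` repeats what `smtp_tls_mandatory_ciphers = high` in `main.cf` already applies at the `encrypt` level, so that part is redundant and can be dropped to keep the table readable.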
+3
@@ -0,0 +1,3 @@
atlantishq.de lmtp:unix:private/dovecot_lmtp_target
darknet-fashion.de lmtp:unix:private/dovecot_lmtp_target
darknet-fashion.com lmtp:unix:private/dovecot_lmtp_target
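Review bot: `main.cf` in this commit sets no `transport_maps`, so this table is deployed but never consulted; delivery for these domains already goes through `virtual_transport = lmtp:unix:private/dovecot_lmtp_target`, which makes the file redundant rather than wrong. If it is meant to stay, add `transport_maps = hash:/etc/postfix/transport` to `main.cf` and include `potaris.de`, which `virtual_mailbox_domains` lists but this table does not.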
+38
@@ -0,0 +1,38 @@
# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
# which will give all incoming mails of test-second-account to test (sorta obvious)
# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
# user@atlantishq.de user@esports-erlangen.de
# every user will get emails from both domains
# If a user also wants to _SEND_ mails, he also have to have an
# entry in the /etc/postfix/enabled-senders
# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
# postmap FILENAME
# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
# sheppy
insurgency@atlantishq.de sheppy@atlantishq.de
yannik@atlantishq.de sheppy@atlantishq.de
tac@atlantishq.de sheppy@atlantishq.de
uplay@atlantishq.de sheppy@atlantishq.de
#yannik.schmidt@potaris.de sheppy@atlantishq.de
acc@atlantishq.de sheppy@atlantishq.de
mail@potaris.de yannik.schmidt@potaris.de
sector32@potaris.de yannik.schmidt@potaris.de
root@atlantishq.de sheppy@atlantishq.de
trackmania-2@atlantishq.de sheppy@atlantishq.de
maria@atlantishq.de mondauge@icloud.com
steam-potaris-1@atlantishq.de sheppy@atlantishq.de
steam-potaris-2@atlantishq.de sheppy@atlantishq.de
steam-potaris-3@atlantishq.de sheppy@atlantishq.de
# michy
ipatix@atlantishq.de michael.panzlaff@fau.de
# catchall
#@atlantishq.de root@atlantishq.de
#@esports-erlangen.de root@atlantishq.de
@darknet-fashion.com joerg@darknet-fashion.de
@darknet-fashion.de joerg@darknet-fashion.de
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+88
@@ -0,0 +1,88 @@
- name: Install Mail stuff
apt:
pkg:
- postfix
- dovecot-core
- dovecot-imapd
- spamassassin
- nginx
- postfix-policyd-spf-python
- opendkim
- opendkim-tools
state: present
- name: Deploy Postfix config
copy:
src: "{{ item }}"
dest: "/etc/postfix/{{ item }}"
with_items:
- dynamicmaps.cf
- enabled_senders
- main.cf
- master.cf
- relocated
- sender_blacklist
- tls_policy
- transport
- virtual
- header_checks
notify: restart postfix
- name: Deploy dmark/opendkim config (main)
copy:
src: "opendkim/opendkim.conf"
dest: "/etc/opendkim.conf"
notify: restart opendkim
- name: Deploy dmark/opendkim config (config dir)
copy:
src: "opendkim/{{ item }}"
dest: "/etc/opendkim/"
with_items:
- key.table
- signing.table
- trusted.hosts
notify: restart opendkim
- name: Deploy policy spf config
copy:
src: "policy-spf/policyd-spf.conf"
dest: "/etc/postfix-policyd-spf-python/"
notify: restart postfix
- name: Deploy dmark/opendkim config (config dir)
copy:
src: "opendkim/{{ item }}"
dest: "/etc/opendkim/"
with_items:
- key.table
- signing.table
notify: restart postfix
- name: Deploy Dovecot config
copy:
src: "{{ item }}"
dest: "/etc/dovecot/{{ item }}"
with_items:
- dovecot.conf
notify: restart dovecot
- name: Deploy nginx-config
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
notify: restart nginx
- name: Deploy nginx-config (page)
copy:
src: nginx_default.conf
dest: /etc/nginx/sites-available/default
notify: restart nginx
- name: Deploy user passwd config
copy:
src: dovecot_passwd
dest: /var/dovecot/auth/passwd
owner: dovecot
group: dovecot
notify: restart dovecot
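Review bot: The tables copied by "Deploy Postfix config" (`enabled_senders`, `sender_blacklist`, `tls_policy`, `transport`, `virtual`) are referenced from `main.cf` as `hash:` maps, but no task runs `postmap` on them, so the `.db` files are never built or refreshed and Postfix keeps serving stale or missing maps — the `virtual` file's own header says exactly this; add a `command: postmap /etc/postfix/{{ item }}` step (or a handler) that runs whenever one of those files changes. "Deploy user passwd config" copies the Dovecot credential file with `owner`/`group` but no `mode`, so it lands with the copy module's default (typically 0644) and every local account can read the hashes; add `mode: "0640"` (or `"0600"`). The task "Deploy dmark/opendkim config (config dir)" appears twice, and the second copy (the one with `notify: restart postfix`) is a strict subset of the first, so it can be deleted. The opendkim tasks also write into `/etc/opendkim/` without creating the directory; the package presumably provides it, but a `file: state: directory` task would make that explicit.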
+2
@@ -0,0 +1,2 @@
kathi:$y$j9T$llGL4Qoz3NYzphDi4UcK41$O2DR8i5YMS6iiKohETw58Wt5m55F/H/MIHgH3qxAdz9
sheppy:$y$j9T$nh0aLCxl0aZ9hczSkAUxP1$zEA6PI7Kwv.lfcfJJn91hQ4A4wCjQrGyZ0w47IeyYg8
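Review bot: These two lines are the password hashes for the nginx basic-auth realm, committed in a change described as containing no secrets; hashes are still credentials (they can be attacked offline and they name the accounts), so they belong in Ansible Vault or a templated file kept outside the repository, and rotating both passwords is prudent if this repository is ever shared. The companion copy task deploys the file to `/etc/nginx/` without `mode` or `owner`, so on the host it is readable by every local user unless the default umask says otherwise; `mode: "0640"` with `group: www-data` limits that.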
+28
@@ -0,0 +1,28 @@
map $http_x_nginx_cert_auth $basic_auth_val {
default "private";
true off;
}
server {
autoindex on;
autoindex_localtime on;
listen 8000;
root /var/www/media;
add_header Vary Accept-Encoding;
add_header Access-Control-Allow-Origin $http_origin;
location /videos/{
default_type video/mp4;
limit_rate 2m;
autoindex on;
}
location /auth/{
auth_basic $basic_auth_val;
auth_basic_user_file /etc/nginx/htpasswd;
}
}
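Review bot: `auth_basic $basic_auth_val;` on `/auth/` is turned off by the `map` at the top whenever the request carries `X-Nginx-Cert-Auth: true`, and that header is supplied by the client, so unless a front proxy in front of port 8000 strips it, any client can switch basic auth off for itself. If the intent is to skip the password prompt for clients that presented a client certificate, key the map on a value nginx itself sets rather than on a request header, e.g. `map $ssl_client_verify $basic_auth_val { default "private"; SUCCESS off; }` together with `ssl_verify_client optional;` on a TLS listener; if the header really comes from a trusted upstream, document that and make sure the port is not reachable from anywhere else. `add_header Access-Control-Allow-Origin $http_origin;` reflects any `Origin` verbatim, which is a wildcard in effect; enumerate the allowed origins with a `map` on `$http_origin` instead. `autoindex on;` at server level also exposes directory listings for everything under `/var/www/media`, including `/auth/` once authenticated — probably intended for a media share, but worth stating in a comment.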
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+17
@@ -0,0 +1,17 @@
- name: Install Nginx
apt:
pkg:
- nginx
state: present
- name: Deploy nginx-config (page)
copy:
src: nginx_media.conf
dest: /etc/nginx/sites-available/media.conf
notify: restart nginx
- name: Deploy nginx basic auth file
copy:
src: htpasswd
dest: /etc/nginx/
notify: restart nginx
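Review bot: "Deploy nginx-config (page)" writes `/etc/nginx/sites-available/media.conf`, but nothing links it into `sites-enabled`, which is the directory the Debian default `nginx.conf` (and the one the mail role deploys in this commit) includes, so the media site presumably never loads unless the symlink exists from elsewhere — add an `ansible.builtin.file` task with `state: link`, `src: /etc/nginx/sites-available/media.conf`, `dest: /etc/nginx/sites-enabled/media.conf`, notifying the same handler. "Deploy nginx basic auth file" copies `htpasswd` into `/etc/nginx/` with no `owner` or `mode`; `owner: root`, `group: www-data`, `mode: "0640"` keeps the hashes readable by the worker only. The `dest: /etc/nginx/` form also depends on the trailing slash to keep the basename; `dest: /etc/nginx/htpasswd` is less fragile and matches the `auth_basic_user_file` path in the site config.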
+687
@@ -0,0 +1,687 @@
#!/usr/bin/perl -w
# check_mailq - check to see how many messages are in the smtp queue awating
# transmittal.
#
# Initial version support sendmail's mailq command
# Support for mutiple sendmail queues (Carlos Canau)
# Support for qmail (Benjamin Schmid)
# License Information:
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
# USA
#
############################################################################
use POSIX;
use strict;
use Getopt::Long;
use vars qw($opt_V $opt_h $opt_v $verbose $PROGNAME $opt_w $opt_c $opt_t $opt_s
$opt_M $mailq $status $state $msg $msg_q $msg_p $opt_W $opt_C $mailq @lines
%srcdomains %dstdomains);
use FindBin;
use lib "$FindBin::Bin";
use utils qw(%ERRORS &print_revision &support &usage );
my ($sudo);
sub print_help ();
sub print_usage ();
sub process_arguments ();
$ENV{'PATH'}='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin';
$ENV{'BASH_ENV'}='';
$ENV{'ENV'}='';
$PROGNAME = "check_mailq";
$mailq = 'sendmail'; # default
$msg_q = 0 ;
$msg_p = 0 ;
$state = $ERRORS{'UNKNOWN'};
Getopt::Long::Configure('bundling');
$status = process_arguments();
if ($status){
print "ERROR: processing arguments\n";
exit $ERRORS{"UNKNOWN"};
}
if ($opt_s) {
if (defined $utils::PATH_TO_SUDO && -x $utils::PATH_TO_SUDO) {
$sudo = $utils::PATH_TO_SUDO;
} else {
print "ERROR: Cannot execute sudo\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
$sudo = "";
}
$SIG{'ALRM'} = sub {
print ("ERROR: timed out waiting for $utils::PATH_TO_MAILQ \n");
exit $ERRORS{"WARNING"};
};
alarm($opt_t);
# switch based on MTA
if ($mailq eq "sendmail") {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
# single queue empty
##/var/spool/mqueue is empty
# single queue: 1
## /var/spool/mqueue (1 request)
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
##h32E30p01763 2782 Wed Apr 2 15:03 <silvaATkpnqwest.pt>
## 8BITMIME
## <silvaATeunet.pt>
# multi queue empty
##/var/spool/mqueue/q0/df is empty
##/var/spool/mqueue/q1/df is empty
##/var/spool/mqueue/q2/df is empty
##/var/spool/mqueue/q3/df is empty
##/var/spool/mqueue/q4/df is empty
##/var/spool/mqueue/q5/df is empty
##/var/spool/mqueue/q6/df is empty
##/var/spool/mqueue/q7/df is empty
##/var/spool/mqueue/q8/df is empty
##/var/spool/mqueue/q9/df is empty
##/var/spool/mqueue/qA/df is empty
##/var/spool/mqueue/qB/df is empty
##/var/spool/mqueue/qC/df is empty
##/var/spool/mqueue/qD/df is empty
##/var/spool/mqueue/qE/df is empty
##/var/spool/mqueue/qF/df is empty
## Total Requests: 0
# multi queue: 1
##/var/spool/mqueue/q0/df is empty
##/var/spool/mqueue/q1/df is empty
##/var/spool/mqueue/q2/df is empty
## /var/spool/mqueue/q3/df (1 request)
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
##h32De2f23534* 48 Wed Apr 2 14:40 nocol
## nouserATEUnet.pt
## canau
##/var/spool/mqueue/q4/df is empty
##/var/spool/mqueue/q5/df is empty
##/var/spool/mqueue/q6/df is empty
##/var/spool/mqueue/q7/df is empty
##/var/spool/mqueue/q8/df is empty
##/var/spool/mqueue/q9/df is empty
##/var/spool/mqueue/qA/df is empty
##/var/spool/mqueue/qB/df is empty
##/var/spool/mqueue/qC/df is empty
##/var/spool/mqueue/qD/df is empty
##/var/spool/mqueue/qE/df is empty
##/var/spool/mqueue/qF/df is empty
## Total Requests: 1
while (<MAILQ>) {
# match email addr on queue listing
if ( (/<.*@.*\.(\w+\.\w+)>/) || (/<.*@(\w+\.\w+)>/) ) {
my $domain = $1;
if (/^\w+/) {
print "$utils::PATH_TO_MAILQ = srcdomain = $domain \n" if $verbose ;
$srcdomains{$domain} ++;
}
next;
}
#
# ...
# sendmail considers a message with more than one destiny, say N, to the same MX
# to have N messages in queue.
# we will only consider one in this code
if (( /\s\(reply:\sread\serror\sfrom\s.*\.(\w+\.\w+)\.$/ ) || ( /\s\(reply:\sread\serror\sfrom\s(\w+\.\w+)\.$/ ) ||
( /\s\(timeout\swriting\smessage\sto\s.*\.(\w+\.\w+)\.:/ ) || ( /\s\(timeout\swriting\smessage\sto\s(\w+\.\w+)\.:/ ) ||
( /\s\(host\smap:\slookup\s\(.*\.(\w+\.\w+)\):/ ) || ( /\s\(host\smap:\slookup\s\((\w+\.\w+)\):/ ) ||
( /\s\(Deferred:\s.*\s.*\.(\w+\.\w+)\.\)/ ) || ( /\s\(Deferred:\s.*\s(\w+\.\w+)\.\)/ ) ) {
print "$utils::PATH_TO_MAILQ = dstdomain = $1 \n" if $verbose ;
$dstdomains{$1} ++;
}
if (/\s+\(I\/O\serror\)/) {
print "$utils::PATH_TO_MAILQ = dstdomain = UNKNOWN \n" if $verbose ;
$dstdomains{'UNKNOWN'} ++;
}
# Finally look at the overall queue length
#
if (/mqueue/) {
print "$utils::PATH_TO_MAILQ = $_ "if $verbose ;
if (/ \((\d+) request/) {
#
# single queue: first line
# multi queue: one for each queue. overwrite on multi queue below
$msg_q = $1 ;
}
} elsif (/^\s+Total\sRequests:\s(\d+)$/i) {
print "$utils::PATH_TO_MAILQ = $_ \n" if $verbose ;
#
# multi queue: last line
$msg_q = $1 ;
}
}
## close mailq
close (MAILQ);
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
## now check the queue length(s)
if ($msg_q == 0) {
$msg = "OK: $mailq mailq is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check for domain specific queue lengths if requested
if (defined $opt_W) {
# Apply threshold to queue lengths FROM domain
my @srckeys = sort { $srcdomains{$b} <=> $srcdomains{$a} } keys %srcdomains;
my $srcmaxkey = $srckeys[0];
print "src max is $srcmaxkey with $srcdomains{$srcmaxkey} messages\n" if $verbose;
if ($srcdomains{$srcmaxkey} >= $opt_W && $srcdomains{$srcmaxkey} < $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
} else {
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
}
} elsif ($srcdomains{$srcmaxkey} >= $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C)";
$state = $ERRORS{'CRITICAL'};
} elsif ($state == $ERRORS{'WARNING'}) {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C) -and- " . $msg;
$msg =~ s/WARNING: //;
} elsif ($state == $ERRORS{'CRITICAL'}) {
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
} else {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'CRITICAL'};
}
} else {
if ($srcdomains{$srcmaxkey} > 0) {
$msg .= " $srcdomains{$srcmaxkey} msgs. FROM $srcmaxkey is below threshold ($opt_W/$opt_C)";
}
}
# Apply threshold to queue lengths TO domain
my @dstkeys = sort { $dstdomains{$b} <=> $dstdomains{$a} } keys %dstdomains;
my $dstmaxkey = $dstkeys[0];
print "dst max is $dstmaxkey with $dstdomains{$dstmaxkey} messages\n" if $verbose;
if ($dstdomains{$dstmaxkey} >= $opt_W && $dstdomains{$dstmaxkey} < $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
} else {
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
}
} elsif ($dstdomains{$dstmaxkey} >= $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C)";
$state = $ERRORS{'CRITICAL'};
} elsif ($state == $ERRORS{'WARNING'}) {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C) -and- " . $msg;
$msg =~ s/WARNING: //;
} elsif ($state == $ERRORS{'CRITICAL'}) {
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
} else {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'CRITICAL'};
}
} else {
if ($dstdomains{$dstmaxkey} > 0) {
$msg .= " $dstdomains{$dstmaxkey} msgs. TO $dstmaxkey is below threshold ($opt_W/$opt_C)";
}
}
} # End of queue length thresholds
}
} # end of ($mailq eq "sendmail")
elsif ( $mailq eq "postfix" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
@lines = reverse <MAILQ>;
# close qmail-qstat
close MAILQ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
# check queue length
if ($lines[0]=~/Kbytes in (\d+)/) {
$msg_q = $1 ;
}elsif ($lines[0]=~/Mail queue is empty/) {
$msg_q = 0;
}else{
print "Couldn't match $utils::PATH_TO_MAILQ output\n";
exit $ERRORS{'UNKNOWN'};
}
# check messages not processed
#if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
# my $msg_p = $1;
#}else{
# print "Couldn't match $utils::PATH_TO_MAILQ output\n";
# exit $ERRORS{'UNKNOWN'};
#}
# check queue length(s)
if ($msg_q == 0){
$msg = "OK: $mailq mailq reports queue is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
# are defined)
#if (defined $opt_W) {
# $msg .= "[Preprocessed = $msg_p]";
# if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
# $state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
# }elsif ($msg_p >= $opt_C ) {
# $state = $ERRORS{"CRITICAL"} ;
# }
#}
}
} # end of ($mailq eq "postfix")
elsif ( $mailq eq "qmail" ) {
# open qmail-qstat
if ( defined $utils::PATH_TO_QMAIL_QSTAT && -x $utils::PATH_TO_QMAIL_QSTAT ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_QMAIL_QSTAT | " ) ) {
print "ERROR: could not open $utils::PATH_TO_QMAIL_QSTAT \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_QMAIL_QSTAT){
unless (-x $utils::PATH_TO_QMAIL_QSTAT) {
print "ERROR: $utils::PATH_TO_QMAIL_QSTAT is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_QMAIL_QSTAT is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
@lines = <MAILQ>;
# close qmail-qstat
close MAILQ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
# check queue length
if ($lines[0]=~/^messages in queue: (\d+)/) {
$msg_q = $1 ;
}else{
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
exit $ERRORS{'UNKNOWN'};
}
# check messages not processed
if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
my $msg_p = $1;
}else{
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
exit $ERRORS{'UNKNOWN'};
}
# check queue length(s)
if ($msg_q == 0){
$msg = "OK: qmail-qstat reports queue is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
# are defined)
if (defined $opt_W) {
$msg .= "[Preprocessed = $msg_p]";
if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
$state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
}elsif ($msg_p >= $opt_C ) {
$state = $ERRORS{"CRITICAL"} ;
}
}
}
} # end of ($mailq eq "qmail")
elsif ( $mailq eq "exim" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
#22m 1.7K 19aEEr-0007hx-Dy <> *** frozen ***
#root@exlixams.glups.fr
if (/\s[\w\d]{6}-[\w\d]{6}-[\w\d]{2}\s/) { # message id 19aEEr-0007hx-Dy
$msg_q++ ;
}
}
close(MAILQ) ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "exim")
elsif ( $mailq eq "nullmailer" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
#2006-06-22 16:00:00 282 bytes
if (/^[1-9][0-9]*-[01][0-9]-[0-3][0-9]\s[0-2][0-9]\:[0-2][0-9]\:[0-2][0-9]\s{2}[0-9]+\sbytes$/) {
$msg_q++ ;
}
}
close(MAILQ) ;
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "nullmailer")
# Perfdata support
print "$msg|unsent=$msg_q;$opt_w;$opt_c;0\n";
exit $state;
#####################################
#### subs
sub process_arguments(){
GetOptions
("V" => \$opt_V, "version" => \$opt_V,
"v" => \$opt_v, "verbose" => \$opt_v,
"h" => \$opt_h, "help" => \$opt_h,
"M:s" => \$opt_M, "mailserver:s" => \$opt_M, # mailserver (default sendmail)
"w=i" => \$opt_w, "warning=i" => \$opt_w, # warning if above this number
"c=i" => \$opt_c, "critical=i" => \$opt_c, # critical if above this number
"t=i" => \$opt_t, "timeout=i" => \$opt_t,
"s" => \$opt_s, "sudo" => \$opt_s,
"W=i" => \$opt_W, # warning if above this number
"C=i" => \$opt_C, # critical if above this number
);
if ($opt_V) {
print_revision($PROGNAME,'2.3.1');
exit $ERRORS{'UNKNOWN'};
}
if ($opt_h) {
print_help();
exit $ERRORS{'UNKNOWN'};
}
if (defined $opt_v ){
$verbose = $opt_v;
}
unless (defined $opt_t) {
$opt_t = $utils::TIMEOUT ; # default timeout
}
unless ( defined $opt_w && defined $opt_c ) {
print_usage();
exit $ERRORS{'UNKNOWN'};
}
if ( $opt_w >= $opt_c) {
print "Warning (-w) cannot be greater than Critical (-c)!\n";
exit $ERRORS{'UNKNOWN'};
}
if (defined $opt_W && ! defined !$opt_C) {
print "Need -C if using -W\n";
exit $ERRORS{'UNKNOWN'};
}elsif(defined $opt_W && defined $opt_C) {
if ($opt_W >= $opt_C) {
print "Warning (-W) cannot be greater than Critical (-C)!\n";
exit $ERRORS{'UNKNOWN'};
}
}
if (defined $opt_M) {
if ($opt_M =~ /^(sendmail|qmail|postfix|exim|nullmailer)$/) {
$mailq = $opt_M ;
}elsif( $opt_M eq ''){
$mailq = 'sendmail';
}else{
print "-M: $opt_M is not supported\n";
exit $ERRORS{'UNKNOWN'};
}
}else{
if (defined $utils::PATH_TO_QMAIL_QSTAT
&& -x $utils::PATH_TO_QMAIL_QSTAT)
{
$mailq = 'qmail';
}
elsif (-d '/var/lib/postfix' || -d '/var/local/lib/postfix'
|| -e '/usr/sbin/postfix' || -e '/usr/local/sbin/postfix')
{
$mailq = 'postfix';
}
elsif (-d '/usr/lib/exim4' || -d '/usr/local/lib/exim4'
|| -e '/usr/sbin/exim' || -e '/usr/local/sbin/exim')
{
$mailq = 'exim';
}
elsif (-d '/usr/lib/nullmailer' || -d '/usr/local/lib/nullmailer'
|| -e '/usr/sbin/nullmailer-send'
|| -e '/usr/local/sbin/nullmailer-send')
{
$mailq = 'nullmailer';
}
else {
$mailq = 'sendmail';
}
}
return $ERRORS{'OK'};
}
sub print_usage () {
print "Usage: $PROGNAME -w <warn> -c <crit> [-W <warn>] [-C <crit>] [-M <MTA>] [-t <timeout>] [-s] [-v]\n";
}
sub print_help () {
print_revision($PROGNAME,'2.3.1');
print "Copyright (c) 2002 Subhendu Ghosh/Carlos Canau/Benjamin Schmid\n";
print "\n";
print_usage();
print "\n";
print " Checks the number of messages in the mail queue (supports multiple sendmail queues, qmail)\n";
print " Feedback/patches to support non-sendmail mailqueue welcome\n\n";
print "-w (--warning) = Min. number of messages in queue to generate warning\n";
print "-c (--critical) = Min. number of messages in queue to generate critical alert ( w < c )\n";
print "-W = Min. number of messages for same domain in queue to generate warning\n";
print "-C = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
print "-t (--timeout) = Plugin timeout in seconds (default = $utils::TIMEOUT)\n";
print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer ] (default = autodetect)\n";
print "-s (--sudo) = Use sudo to call the mailq command\n";
print "-h (--help)\n";
print "-V (--version)\n";
print "-v (--verbose) = debugging output\n";
print "\n\n";
print "Note: -w and -c are required arguments. -W and -C are optional.\n";
print " -W and -C are applied to domains listed on the queues - both FROM and TO. (sendmail)\n";
print " -W and -C are applied message not yet preproccessed. (qmail)\n";
print " This plugin tries to autodetect which mailserver you are running,\n";
print " you can override the autodetection with -M.\n";
print " This plugin uses the system mailq command (sendmail) or qmail-stat (qmail)\n";
print " to look at the queues. Mailq can usually only be accessed by root or \n";
print " a TrustedUser. You will have to set appropriate permissions for the plugin to work.\n";
print "";
print "\n\n";
support();
}
+81
@@ -0,0 +1,81 @@
- name: Update apt-get repo and cache
apt:
update_cache: yes
force_apt_get: yes
cache_valid_time: 3600
changed_when: False
- name: Install Dependencies
apt:
name:
- python3-nagiosplugin
- nagios-plugins-contrib
- git
state: present
- name: Clone Passive Monitoring
git:
repo: https://github.com/FAUSheppy/icinga-passive-checks-monitoring
dest: "/etc/monitoring/"
version: master
- name: Clone Monitoring Tools
git:
repo: https://github.com/FAUSheppy/monitoring-tools
dest: "/etc/monitoring-tools/"
version: master
- name: Copy send_nsca to /bin/
copy:
src: send_nsca
dest: /bin/send_nsca
mode: 0755
- name: Copy send nsca config
template:
src: send_nsca.cfg.j2
dest: /etc/send_nsca.cfg
mode: 0744
- name: Copy check_mailq
copy:
src: check_mailq
dest: /usr/lib/nagios/plugins/check_mailq
mode: 0755
- name: Copy systemd monitoring
copy:
src: pynagsystemd.py
dest: /bin/pynagsystemd.py
mode: 0755
- name: Check if PostgreSQL is installed
command: dpkg -s postgresql
register: postgresql_installed
ignore_errors: true
changed_when: false
failed_when: false
check_mode: no
- name: Set has_postgres variable
set_fact:
has_postgres: "{{ postgresql_installed.rc == 0 }}"
- name: Template Remote Monitoring Config
template:
src: monitoring.conf.j2
dest: /etc/monitoring.conf
owner: root
mode: 0644
- name: Add monitoring report cronjob
cron:
name: "monitoring"
job: "/etc/monitoring/monitoring-report.py -c /etc/monitoring.conf --nsca-bin /bin/send_nsca --nsca-config /etc/send_nsca.cfg"
- name: Install Prometheus Node Exporter
become: yes
import_role:
name: prometheus.prometheus.node_exporter
vars:
node_exporter_web_telemetry_path: "/node-exporter"
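Review bot: `Copy send nsca config` renders a file that carries `{{ nsca_password }}` with `mode: 0744`, which leaves the NSCA pre-shared key world-readable (the execute bit on a config file serves no purpose either); `mode: 0600` with `owner: root` matches the root cron job added further down that reads `/etc/send_nsca.cfg`, or `0640` plus the nagios group if a plugin user needs it. Both `git` tasks check out `version: master` on every run, so the scripts executed from cron change whenever upstream pushes; pin a tag or commit. Separately, the `monitoring.conf.j2` hunk later in this commit runs `/etc/monitoring-tools/pynagsystemd.py` from the clone while this play copies `pynagsystemd.py` to `/bin/`, so one of the two paths appears to be unused.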
@@ -0,0 +1,10 @@
nobody disk-remote /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /
nobody load-remote /usr/lib/nagios/plugins/check_load -w 5,3,2 -c 10,6,4
nobody procs-remote /usr/lib/nagios/plugins/check_procs
nobody systemd /etc/monitoring-tools/pynagsystemd.py
{% if checks %}
{% for entry in checks %}
{{ entry["user"] }} {{ entry["name"] }} {{ entry["cmd"] }}
{% endfor %}
{% endif %}
@@ -0,0 +1,5 @@
identity = {{ group_names[0] }}
password = {{ nsca_password }}
server = {{ nsca_server }}
port = 5668
tls_ciphers = "PSK-AES256-CBC-SHA"
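Review bot: `identity`, `password` and `server` are rendered unquoted here, while `tls_ciphers` on the last line and every value in the other send_nsca.cfg in this commit (`identity = "atlantishq.de"`) are quoted; if nsca-ng's parser requires quoted strings this template produces a file that fails to parse, and an `nsca_password` containing whitespace or `#` would break it regardless. Render them as `identity = "{{ group_names[0] }}"`, `password = "{{ nsca_password }}"`, `server = "{{ nsca_server }}"`. A separate `port = 5668` key also differs from the other file, which carries no port; confirm that send_nsca.cfg accepts a `port` directive rather than expecting `host:port` inside `server`.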
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+45
@@ -0,0 +1,45 @@
- name: Copy influx apt keyring
copy:
src: influx-repo.gpg
dest: /usr/share/keyrings/
mode: 0644
when: monitoring_master
- name: Add influx apt repo
copy:
src: influxdb.list
dest: /etc/apt/sources.list.d/
mode: 0644
when: monitoring_master
- name: Install influxdb
apt:
name: influxdb
state: present
when: monitoring_master
- name: Influxdb master server config
template:
src: influxdb.conf.j2
dest: /etc/influxdb/influxdb.conf
when: monitoring_master
notify:
- restart influxdb
- name: Create Influx collectd-db
shell: 'echo "CREATE DATABASE collectd;" | influx'
changed_when: False
when: monitoring_master
- name: Install collectd
apt:
name: collectd
install_recommends: false
state: present
- name: Collectd config
template:
src: collectd.conf.j2
dest: /etc/collectd/collectd.conf
notify:
- restart collectd
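Review bot: `Create Influx collectd-db` pipes into the `influx` CLI on every run, but nothing in this hunk starts or enables the influxdb service after the install and template tasks, and the `restart influxdb` handler only fires at the end of the play; on a fresh master the first run can reach the shell task before the daemon is listening and fail. Add a `systemd: name: influxdb state: started enabled: yes` task guarded by `when: monitoring_master` before it, or give the shell task `retries`/`until`. `changed_when: False` is reasonable since `CREATE DATABASE` is idempotent, but a one-line comment saying so would save the next reader from wondering why a shell task never reports a change.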
@@ -0,0 +1,34 @@
FQDNLookup true
LoadPlugin cpu
LoadPlugin df
LoadPlugin disk
LoadPlugin entropy
LoadPlugin interface
LoadPlugin irq
LoadPlugin load
LoadPlugin memory
LoadPlugin network
LoadPlugin processes
LoadPlugin swap
LoadPlugin users
LoadPlugin rrdtool
<Plugin df>
FSType rootfs
FSType sysfs
FSType proc
FSType devtmpfs
FSType devpts
FSType tmpfs
FSType fusectl
FSType cgroup
IgnoreSelected true
</Plugin>
<Plugin network>
Server "internal.monitoring.atlantishq.de" "25826"
</Plugin>
<Plugin rrdtool>
DataDir "/var/lib/collectd/rrd"
</Plugin>
<Include "/etc/collectd/collectd.conf.d">
Filter "*.conf"
</Include>
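Review bot: The network plugin sends every host's metrics to `internal.monitoring.atlantishq.de:25826` with no `SecurityLevel`, and the matching `[[collectd]]` listener in the influxdb.conf.j2 hunk later in this commit leaves `security-level` commented out, so any host that can reach UDP 25826 on the master can submit unsigned metrics under any hostname and pollute the dashboards and alerts built on them. Set `SecurityLevel Encrypt` (or `Sign`) with `Username`/`Password` inside a `<Server "internal.monitoring.atlantishq.de" "25826">` block here, and on the influx side `security-level = "encrypt"` with `auth-file` pointing at the collectd auth file, with the credential supplied from an Ansible variable rather than hard-coded in either template. The same point applies to the influxdb.conf.j2 hunk, so it is raised only once here.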
@@ -0,0 +1,29 @@
[meta]
dir = "/var/lib/influxdb/meta"
[data]
dir = "/var/lib/influxdb/data"
wal-dir = "/var/lib/influxdb/wal"
[[collectd]]
enabled = true
bind-address = ":25826"
database = "collectd"
retention-policy = ""
# security-level = "none"
# auth-file = "/etc/collectd/auth_file"
batch-size = 5000
batch-pending = 10
batch-timeout = "10s"
read-buffer = 0
# Multi-value plugins can be handled two ways.
# "split" will parse and store the multi-value plugin data into separate measurements
# "join" will parse and store the multi-value plugin as a single multi-value measurement.
# "split" is the default behavior for backward compatability with previous versions of influxdb.
# parse-multivalue-plugin = "split"
@@ -0,0 +1,32 @@
server {
listen 80;
listen 9080;
server_name icinga.atlantishq.de;
#auth_basic "ICINGA";
#auth_basic_user_file /etc/nginx/auth/stats_auth;
access_log /var/log/nginx/access-icinga.log;
error_log /var/log/nginx/error-icinga.log;
location = / {
return 302 https://icinga.atlantishq.de/icingaweb2;
}
##### ICINGA WEB #####
location ~ ^/icingaweb2/index\.php(.*)$ {
include fastcgi.conf;
include fastcgi_params;
# fastcgi_temp_path fastcgi;
fastcgi_pass unix:/etc/alternatives/php-fpm.sock;
fastcgi_index index.php;
# fastcgi_param SCRIPT_NAME /usr/share/icingaweb2/public/index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
fastcgi_param REMOTE_USER $http_x_forwarded_preferred_username;
}
location ~ ^/icingaweb2(.+)? {
alias /usr/share/icingaweb2/public;
index index.php;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
}
}
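Review bot: `fastcgi_param REMOTE_USER $http_x_forwarded_preferred_username;` hands Icinga Web an identity taken straight from a request header, and with the `auth_basic` lines commented out nothing in this server block stops a client that reaches port 80 or 9080 directly from supplying that header itself and being treated as any configured user. Either bind the two `listen` directives to the address only the upstream proxy can reach, or guard the block with `allow <proxy-address>; deny all;` (placeholder), and make sure the proxy overwrites the header on every request instead of passing a client-supplied value through. A comment above that line naming which proxy is trusted to set it would make the assumption visible to the next maintainer.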
@@ -0,0 +1,52 @@
object Host "esports-erlangen.de" {
import "generic-host"
address = "esports-erlangen.de"
name = "esports-erlangen.de"
check_command = "hostalive4"
vars.linux = "true"
max_check_attempts = 5
retry_interval = 1m
vars.notification["mail"] = {
groups = ["ese"]
}
}
apply Service "dovecot-imap-tls-993" {
import "generic-service"
check_command = "ssl"
vars.host = host.address
vars.port = 993
assign where host.name == "esports-erlangen.de"
}
apply Service "postfix-smtp-25" {
import "generic-service"
check_command = "smtp"
vars.host = host.address
vars.protocol = "smtp"
vars.port = 25
assign where host.name == "esports-erlangen.de"
}
apply Service "postfix-smtp-starttls-25" {
import "generic-service"
check_command = "ssl"
vars.host = host.address
vars.protocol = "smtp"
vars.port = 25
assign where host.name == "esports-erlangen.de"
}
apply Service "website-http" {
import "generic-service"
check_command = "http"
vars.host = "www.esports-erlangen.de"
vars.ssl = true
assign where host.name == "esports-erlangen.de"
}
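Review bot: `vars.linux = "true"` on the host is a string while `vars.ssl = true` on the `website-http` service is a boolean; an `assign where host.vars.linux == true` rule elsewhere would not match this host even though a bare truthiness test would. Use `vars.linux = true` unless the string form is a deliberate repo-wide convention (the async hosts later in this commit use `"true"` as well, in which case the convention is worth a comment where the generic-host template is defined).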
@@ -0,0 +1,11 @@
[Unit]
Description=Monitoring Command Acceptor
[Service]
ExecStart=/usr/sbin/nsca-ng
Type=forking
User=root
Restart=on-failure
[Install]
WantedBy=multi-user.target
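Review bot: `ExecStart=/usr/sbin/nsca-ng` does not match the task later in this commit that copies the binary to `/bin/nsca-ng`, so unless a packaged `/usr/sbin/nsca-ng` is also present the unit cannot start. The same task installs this file into `/etc/systemd/user/`, which the system manager does not read; a system service enabled with the `systemd` module belongs in `/etc/systemd/system/`. The unit also runs the network-facing acceptor as `User=root` with no `After=network.target`; if nsca-ng's own config supports dropping privileges via a `user` setting, as I believe it does, a dedicated account such as the `nagios` group/user the commit already uses for file ownership would be preferable.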
@@ -0,0 +1,2 @@
nagios sheppy-icinga /usr/local/bin/icinga/check_icinga_self
nobody sheppy-mail /bin/true
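Review bot: `nobody sheppy-mail /bin/true` defines a passive check that always reports OK, so the `sheppy-mail` service can never alert; if this is a placeholder until a real mail check exists, say so on the line above (`# TODO: placeholder, always reports OK`) so it is not mistaken for coverage.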
@@ -0,0 +1,4 @@
identity = "atlantishq.de"
password = ""
server = "kraftwerk.ruderich.eu"
tls_ciphers = "PSK-AES256-CBC-SHA"
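Review bot: `password = ""` in a file that is copied verbatim means the real pre-shared key has to be edited in on the target, and the edited copy is one careless `git add` away from being committed — the very thing the commit message says this snapshot avoids. The client-side send_nsca.cfg in this commit is already a template fed from `nsca_password`; render this one the same way (`password = "{{ <vault-variable placeholder> }}"`) and keep the secret in Ansible Vault. As committed the file also cannot work, since the PSK handshake will fail until the key is filled in, so a comment stating that the value is intentionally empty would help if the static form is kept.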
@@ -0,0 +1,147 @@
object CheckCommand "gateway" {
command = [ "/etc/icinga2/icinga-webhook-gateway/icinga-gateway-command.py" ]
arguments = {
"--protocol" = "$protocol$",
"--host" = "$host$",
"--port" = "$port$",
"--service" = "$service_name$"
}
}
object Host "THS" {
import "generic-host"
address = "localhost"
name = "THS"
vars.async = "true"
vars.linux = "true"
vars.ssl_address = "async-icinga.atlantishq.de"
vars.ssl_port = "443"
check_command = "http"
max_check_attempts = 5
retry_interval = 1m
}
object Host "atlantispc" {
import "generic-host"
address = "localhost"
name = "atlantispc"
vars.async = "true"
vars.linux = "true"
vars.ssl_address = "async-icinga.atlantishq.de"
vars.ssl_port = "443"
check_command = "http"
max_check_attempts = 5
retry_interval = 1m
}
object Host "atlantislaptop" {
import "generic-host"
address = "localhost"
name = "atlantislaptop"
vars.async = "true"
vars.linux = "true"
vars.ssl_address = "async-icinga.atlantishq.de"
vars.ssl_port = "443"
check_command = "http"
max_check_attempts = 5
retry_interval = 1m
}
apply Service "apt_atlantis_laptop" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "apt_atlantis_laptop"
assign where host.name == "atlantislaptop"
}
apply Service "apt_atlantis_pc" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "apt_atlantis_pc"
assign where host.name == "atlantispc"
}
apply Service "backup_atlantis_laptop" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "backup_atlantis_laptop"
assign where host.name == "atlantispc"
}
apply Service "backup_ths_storrage_box" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "backup_ths_storrage_box"
assign where host.name == "atlantispc"
}
apply Service "backup_ths" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "backup_ths"
assign where host.name == "THS"
}
apply Service "ths_auftragsdatenbank" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "ths_auftragsdatenbank"
assign where host.name == "THS"
}
apply Service "mail_atlantishq" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "mail_atlantishq"
assign where host.name == "async_icinga"
}
apply Service "ths_caldav_backup" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "ths_caldav_backup"
assign where host.name == "async_icinga"
}
apply Service "slapd_backup" {
import "generic-service"
check_command = "gateway"
vars.protocol = "https"
vars.host = "async-icinga.atlantishq.de"
vars.service_name = "slapd_backup"
assign where host.name == "async_icinga"
}
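Review bot: `apply Service "backup_atlantis_laptop"` is assigned with `assign where host.name == "atlantispc"`, which looks like a copy-paste from the `backup_atlantis_pc` block — presumably `"atlantislaptop"` was intended, and as written the laptop backup status is reported against the PC host. Three services (`mail_atlantishq`, `ths_caldav_backup`, `slapd_backup`) are assigned to `host.name == "async_icinga"`, but no Host of that name is declared in this file; if it is not defined elsewhere those apply rules silently match nothing. The `--port` argument of the `gateway` CheckCommand is never set by any of these services, which is fine only if the gateway script defaults it.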
@@ -0,0 +1,54 @@
apply Service "systemd" {
import "remote_passive"
assign where host.vars.remote
}
apply Service "disk-remote" {
import "remote_passive"
assign where host.vars.remote
}
apply Service "load-remote" {
import "remote_passive"
assign where host.vars.remote
}
apply Service "procs-remote" {
import "remote_passive"
assign where host.vars.remote
}
apply Service "insurgency-1" {
import "remote_passive"
assign where host.name == "steam"
}
apply Service "insurgency-2" {
import "remote_passive"
assign where host.name == "steam"
}
apply Service "irc" {
import "remote_passive"
assign where host.name == "irc"
}
apply Service "wireguard-darknet-rudi" {
import "remote_passive"
assign where host.name == "vpn"
}
apply Service "wireguard-darknet-hase" {
import "remote_passive"
assign where host.name == "vpn"
}
#apply Service "darknet-reachable" {
# import "remote_passive"
# assign where host.name == "vpn"
#}
apply Service "mail_queue" {
import "remote_passive"
assign where host.name == "mail"
}
@@ -0,0 +1,15 @@
apply Service "MAIL-postfix-tls" {
import "generic-service"
check_command = "ssl"
vars.ssl_address = "192.168.122.101"
vars.ssl_port = "465"
assign where host.name == "mail"
}
apply Service "IMAP-dovecot-tls" {
import "generic-service"
check_command = "ssl"
vars.ssl_address = "192.168.122.101"
vars.ssl_port = "993"
assign where host.name == "mail"
}
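Review bot: Both services hard-code `vars.ssl_address = "192.168.122.101"` instead of deriving it from the host they are assigned to, unlike `michy-ese-server.conf` in this commit which uses `host.address`; if the mail host's address changes, this file silently keeps checking the old one. Prefer `vars.ssl_address = host.address` (or a dedicated `host.vars.mail_address`), and if the internal address is used on purpose, say so in a comment above the first service.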
@@ -0,0 +1,7 @@
apply Service for (http_vhost => config in host.vars.http_vhosts) {
import "generic-service"
check_command = "http"
vars += config
}
+25
@@ -0,0 +1,25 @@
object User "michy" {
import "generic-user"
display_name = "Michy Monitoring"
groups = ["ese"]
email = "ipatix@atlantishq.de"
}
object User "icingaadmin" {
import "generic-user"
display_name = "Icinga 2 Admin"
groups = [ "icingaadmins" ]
email = "sheppy@atlantishq.de"
}
object UserGroup "icingaadmins" {
display_name = "Icinga 2 Admin Group"
}
object UserGroup "ese" {
display_name = "ESports-Erlangen Gruppe"
}
@@ -0,0 +1,9 @@
- name: restart icinga
systemd:
name: icinga2
state: restarted
- name: restart telegraf
systemd:
name: telegraf
state: restarted
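Review bot: Tasks later in this commit notify `nsca-ng service reload`, but this handlers file only defines `restart icinga` and `restart telegraf`; unless `global-handlers` (the role's meta dependency) provides that handler, Ansible aborts the play with an undefined-handler error. Define it here, e.g. `- name: nsca-ng service reload` / `systemd:` / `name: nsca-ng` / `state: reloaded`, or rename the notifications to an existing handler.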
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+189
@@ -0,0 +1,189 @@
- name: Install Dependecies
apt:
pkg:
- git
- docker-compose
- nginx
state: present
- name: Clone Passive Monitoring
git:
repo: https://github.com/FAUSheppy/icinga-passive-checks-monitoring
dest: "/etc/monitoring/"
version: master
- name: Clone Monitoring tools
git:
repo: https://github.com/FAUSheppy/monitoring-tools
dest: "/etc/monitoring-tools/"
version: master
notify: restart icinga
- name: Set monitoring tools permissions
file:
dest: /etc/monitoring-tools/
owner: root
mode: u=rwX,g=rX,o=rX
recurse: yes
- name: Set monitoring permissions
file:
dest: /etc/monitoring/
owner: root
mode: u=rwX,g=rX,o=rX
recurse: yes
- name: Copy nsca-ng and send_nsca to /bin/
copy:
src: nsca-ng
dest: /bin/nsca-ng
mode: 0755
- name: Copy nsca-ng and send_nsca to /bin/
copy:
src: send_nsca
dest: /bin/send_nsca
mode: 0755
- name: Create nsca server directory
file:
path: /etc/nsca-ng/
mode: 0750
owner: root
group: nagios
- name: Copy nsca server config
copy:
src: nsca_server.conf
dest: /etc/nsca-ng/nsca-ng.cfg
owner: root
group: nagios
mode: 0644
notify:
- nsca-ng service reload
- name: Copy nsca systemd unit
copy:
src: nsca-ng.service
dest: /etc/systemd/user/nsca-ng.service
mode: 0644
notify:
- nsca-ng service reload
- name: Enable and start nsca-ng
systemd:
name: nsca-ng.service
state: started
enabled: yes
- name: Copy icinga configuration
copy:
src: "{{ item }}"
dest: /etc/icinga2/conf.d/
owner: root
group: nagios
mode: 0640
with_items:
- icinga_master_hosts.conf
- services_vhosts_http_checks.conf
- services_passive.conf
- services_passive_mail_extern.conf
- services_async.conf
- users.conf
- michy-ese-server.conf
- async-icinga-services-dynamic.conf
notify:
- restart icinga
- name: Template icinga configuration
template:
src: "{{ item }}"
dest: /etc/icinga2/conf.d/
owner: root
group: nagios
mode: 0640
with_items:
- mail_notifications.conf
notify:
- restart icinga
- name: Change icinga log level
lineinfile:
path: /etc/icinga2/features-enabled/mainlog.conf
line: ' severity = "warning"'
notify: restart icinga
- name: Add signal vars
lineinfile:
path: /etc/icinga2/constants.conf
line: "{{ item }}"
with_items:
# WARNING ME LAZY BITCH, YOU HAVE TO DELETE THOSE ON THE SERVER OR IT WONT WORK #
# i mean it will work because they will be added at the end and overwrite
# previous definitions but ya know write a regex its fucking 03:39 am
- 'const signal_gateway_host = "{{ event_dispatcher_host }}"'
- 'const signal_gateway_port = "{{ event_dispatcher_port }}"'
- 'const signal_gateway_proto = "{{ event_dispatcher_proto }}"'
notify: restart icinga
- name: Signal command loaded from monitoring tools
lineinfile:
path: /etc/icinga2/icinga2.conf
line: '"include /etc/monitoring-tools/commands.d/signal-notify.conf"'
notify:
- restart icinga
- name: OAuth2Proxy directories
file:
path: "/opt/oauth2proxy/{{ item }}/"
state: directory
recurse: yes
with_items:
- icinga
- name: include services ports
include_vars: services.yaml
- name: Deploy OAuth2Proxy compose files
template:
src: oauth-standalone-docker-compose.yaml
dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
with_items:
- icinga
- name: Deploy OAuth2Proxy
community.docker.docker_compose:
project_src: /opt/oauth2proxy/{{ item }}/
pull: true
with_items:
- icinga
- name: Copy icinga web nginx conf
copy:
src: icinga-nginx.conf
dest: /etc/nginx/sites-enabled/icinga.conf
mode: 0755
notify:
- restart nginx
- name: Copy icingaweb2-config
template:
src: "icingaweb2/{{ item }}"
dest: "/etc/icingaweb2/{{ item }}"
mode: 0660
owner: root
group: icingaweb2
with_items:
- resources.ini
- roles.ini
- config.ini
- authentication.ini
- groups.ini
- name: Template dispatcher gateway passfile
template:
src: dispatcher-pass-file.txt
dest: /etc/icinga2/dispatcher-pass-file.txt
mode: 0660
owner: root
group: nagios
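Review bot: The line written to icinga2.conf by the "Signal command loaded from monitoring tools" task is a quoted string, not an include directive — the Icinga DSL form is `include "<path>"`, so the task should use `line: 'include "/etc/monitoring-tools/commands.d/signal-notify.conf"'`. The "Add signal vars" task has the idempotency gap its own comment admits: without `regexp:` each run appends new `const` lines, so give each item a pattern such as `regexp: '^const signal_gateway_host '` alongside its `line`. The nsca-ng unit is copied to `/etc/systemd/user/` but enabled through the system manager, which does not read that directory; install it to `/etc/systemd/system/` and add `daemon_reload: yes` to the systemd task. Both git clones track `version: master`, and their contents are executed as Icinga commands and cron jobs, so pin them to a commit to avoid deploying unreviewed upstream changes on the next run. The nginx site file is installed with `mode: 0755`; `0644` is enough for a config file.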
@@ -0,0 +1,11 @@
- name: install postfix
apt:
pkg:
- postfix
- name: copy postfix config
template:
src: postfix_main.cf
dest: /etc/postfix/main.cf
notify:
- restart postfix
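Review bot: The `copy postfix config` task installs main.cf with the SASL password embedded (the postfix_main.cf template later in this commit uses `smtp_sasl_password_maps = static:...`), and main.cf has to stay readable by unprivileged users for the local `sendmail` client, so the relay credential ends up readable by every local account. The standard fix is to template a separate `/etc/postfix/sasl_passwd` (mode 0600) containing `{{ smtp_internal_host }} {{ smtp_service_user }}:{{ smtp_service_pass }}`, run `postmap` on it in a following task, and set `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd`. The task itself should also state `owner: root` and `mode: 0644` explicitly rather than relying on the controller's umask.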
+31
@@ -0,0 +1,31 @@
- name: Copy influx apt keyring
copy:
src: influx-repo.gpg
dest: /usr/share/keyrings/
mode: 0644
notify:
- apt update
- name: Add Influx repo
copy:
src: influxdb.list
dest: /etc/apt/sources.list.d/influxdb.list
mode: 0644
notify:
apt update
- meta: flush_handlers
- name: Install Telegraf
apt:
pkg:
- telegraf
- name: Copy telegraf config files
template:
src: "{{ item }}"
dest: /etc/telegraf/telegraf.d/
with_items:
- telegraf_influxdb.conf
- telegraf_rsyslog_input.conf
notify: restart telegraf
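Review bot: `Copy telegraf config files` templates telegraf_influxdb.conf (which carries `{{ influxdb_telegraf_password }}`, see that section later in the commit) into /etc/telegraf/telegraf.d/ without `owner`, `group` or `mode`, so the InfluxDB credential is written with whatever default the module applies, typically world-readable. Add `owner: root`, `group: telegraf` and `mode: 0640` to the task; the agent runs as the `telegraf` user and can still read it. The repo-list task should reference the copied keyring with `signed-by=` so only that key can sign the source, but influxdb.list is not shown here, so this cannot be confirmed from the hunk.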
+44
@@ -0,0 +1,44 @@
- name: Icinga
include: icinga.yaml
when: monitoring_master
tags:
- icinga
- monitoring-master
- name: Postfix/Mail for icinga
include: icinga_postfix.yaml
when: monitoring_master
tags:
- icinga
- monitoring-master
- name: logs.yaml
include: logs.yaml
when: monitoring_master
tags:
- grafana
- monitoring-master
- name: Report to Rudi nsca cfg
copy:
src: report_to_rudi_send_nsca_rudi.cfg
dest: /etc/report_to_rudi_send_nsca_rudi.cfg
mode: 0666
tags:
- monitoring-master
- name: Report to Rudi monitoring cfg
copy:
src: report_to_rudi_monitoring.conf
dest: /etc/report_to_rudi_monitoring.conf
mode: 0666
tags:
- monitoring-master
- name: Add Report to Rudi cron
cron:
name: "Monitoring at Rudi"
job: /etc/monitoring/monitoring-report.py -H atlantishq.de -c /etc/report_to_rudi_monitoring.conf --nsca-config /etc/report_to_rudi_send_nsca_rudi.cfg
minute: "*"
hour: "*"
day: "*"
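Review bot: Both `report_to_rudi_*` files are installed with `mode: 0666`, which lets any local account rewrite the NSCA client config (which normally holds the NSCA password and target) and the monitoring config that the `Add Report to Rudi cron` job — root by default, since no `user:` is set — reads every minute. `mode: 0640` with `owner: root` (and a group the reporting script's user belongs to, if it does not run as root) is sufficient. The `include:` keyword on the three sub-playbook tasks is deprecated in current Ansible; `include_tasks:` keeps the same dynamic semantics with `when:`.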
@@ -0,0 +1,2 @@
{{ event_dispatcher_user }}
{{ event_dispatcher_pass }}
@@ -0,0 +1,14 @@
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
[autologin]
backend = "external"
[ldap_users]
backend = ldap
resource = ldap_auth
group_backend = "ldap_groups"
user_class = inetOrgPerson
user_name_attribute = uid
#filter = "memberOf=cn=icinga,cn=groups,cn=accounts,dc=icinga,dc=org"
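Review bot: `[ldap_users]` has no `filter` (the only one is commented out), so every `inetOrgPerson` entry under `ldap_user_dn` can authenticate to Icinga Web, and the `users = "*"` role in roles.ini then grants monitoring access to any of them. If membership of an LDAP group is the intended gate, restore a filter such as `filter = "memberOf=<icinga group DN placeholder>"` rather than leaving it commented. Quoting is also mixed within this file (`backend = ldap` vs `backend = "db"`); quote values consistently.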
@@ -0,0 +1,10 @@
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb_db"
[logging]
log = "file"
level = "INFO"
file = "/var/log/icingaweb2.log"
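Review bot: `show_stacktraces = "1"` makes Icinga Web render full PHP stack traces (file paths, module internals) to any logged-in user when an error occurs; that is a debugging setting and should be `"0"` on a server that other groups log in to. `show_application_state_messages = "1"` is likewise a diagnostic default rather than a production one. If these are intentionally left on while the deployment is being set up, a comment above `[global]` saying so, e.g. `# debugging output; set both to "0" once the install is stable`, would make that explicit.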
@@ -0,0 +1,12 @@
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
[ldap_groups]
backend = "ldap"
resource = "ldap_groups_auth"
group_class = "groupOfNames"
group_name_attribute = "cn"
user_name_attribute = "uid"
user_backend = "ldap_users"
user_class = "inetOrgPerson"
@@ -0,0 +1,41 @@
[icingaweb_db]
type = "db"
db = "pgsql"
host = "localhost"
port = "5432"
dbname = "icinga_web"
username = "icinga_web"
password = ""
charset = ""
use_ssl = "0"
[icinga_ido]
type = "db"
db = "pgsql"
host = "localhost"
port = "5432"
dbname = "icinga2"
username = "icinga2"
password = ""
charset = ""
use_ssl = "0"
[ldap_auth]
type = "ldap"
hostname = "{{ ldap_server }}"
port = "389"
encryption = "none"
root_dn = "{{ ldap_user_dn }}"
bind_dn = "{{ ldap_bind_dn }}"
bind_pw = "{{ ldap_password }}"
timeout = "5"
[ldap_groups_auth]
type = "ldap"
hostname = "{{ ldap_server }}"
port = "389"
encryption = "none"
root_dn = "{{ ldap_group_dn }}"
bind_dn = "{{ ldap_bind_dn }}"
bind_pw = "{{ ldap_password }}"
timeout = "5"
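Review bot: Both LDAP resources use `port = "389"` with `encryption = "none"`, so `bind_pw` and every user's login password travel to `{{ ldap_server }}` in cleartext unless that host is loopback. Icinga Web supports `encryption = "starttls"` on 389 or `encryption = "ldaps"` with `port = "636"`; pick one, and make sure the directory's CA is trusted on the web host. The two DB resources carry `password = ""`, presumably relying on local peer/trust authentication for PostgreSQL — worth a comment such as `; local peer auth, no password` so nobody later switches to a TCP host without adding one.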
@@ -0,0 +1,15 @@
[Administrators]
users = "sheppy"
permissions = "*"
groups = "Administrators"
[icinga]
users = "*"
groups = "icinga"
monitoring/filter/objects = "_service_owner=$user:local_name$"
permissions = "module/monitoring,monitoring/*"
[sheppy]
users = "sheppy"
monitoring/filter/objects = "*"
permissions = "module/monitoring,monitoring/*"
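Review bot: In the `[icinga]` role, `users = "*"` already grants the role to every authenticated user, so the `groups = "icinga"` restriction on the next line has no effect; if the intent is group-based access, drop `users = "*"`. The `monitoring/filter/objects = "_service_owner=$user:local_name$"` restriction is then the only thing scoping what those users see, so it depends on every service carrying a `_service_owner` custom var — objects without it should be hidden rather than exposed, which is the safe direction but deserves a comment. The `[sheppy]` role duplicates what `[Administrators]` already gives via `permissions = "*"` and can be removed.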
@@ -0,0 +1,25 @@
apply Notification "mail-icingaadmin" to Host {
import "mail-host-notification"
user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users
interval = 7d
vars.notification_logtosyslog = true
vars.notification_from = "Icinga <{{ smtp_service_user }}@atlantishq.de>"
assign where host.vars.notification.mail
}
apply Notification "mail-icingaadmin" to Service {
import "mail-service-notification"
user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users
interval = 7d
vars.notification_logtosyslog = true
vars.notification_from = "Icinga <{{ smtp_service_user }}@atlantishq.de>"
assign where host.vars.notification.mail
}
@@ -0,0 +1,13 @@
# Set username and password
smtp_sasl_password_maps = static:{{ smtp_service_user }}:{{ smtp_service_pass }}
smtp_sasl_security_options = noanonymous
# Turn on tls encryption
# smtp_tls_security_level = encrypt
header_size_limit = 4096000
# Set external SMTP relay host here IP or hostname accepted along with a port number.
relayhost = {{ smtp_internal_host }}:25
# accept email from our web-server only (adjust to match your VPC/VLAN etc)
inet_interfaces = 127.0.0.1
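Review bot: With `smtp_tls_security_level = encrypt` commented out, the SASL credentials from `smtp_sasl_password_maps` are offered to `{{ smtp_internal_host }}:25` over plain SMTP; enable TLS (`smtp_tls_security_level = encrypt` plus `smtp_tls_CAfile`) unless the relay is on a trusted link. `smtp_sasl_auth_enable = yes` is also missing from this main.cf, and since the task replaces the whole file, the password map is never used without it. The comment `# accept email from our web-server only` above `inet_interfaces = 127.0.0.1` describes a different setup; reword it to `# listen on loopback only; Icinga submits mail locally`.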
@@ -0,0 +1,3 @@
CREATE USER telegraf WITH PASSWORD {{ influxdb_telegraf_password }} WITH ALL PRIVILEGES
CREATE DATABASE telegraf
CREATE RETENTION POLICY "4Weeks" ON "telegraf" DURATION 4w REPLICATION 1 DEFAULT
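Review bot: `CREATE USER telegraf WITH PASSWORD {{ influxdb_telegraf_password }} WITH ALL PRIVILEGES` gives the metrics writer full admin rights on InfluxDB, and InfluxQL requires the password as a single-quoted string literal, so the statement as written fails to parse unless the variable already carries the quotes. Create the user with `CREATE USER telegraf WITH PASSWORD '{{ influxdb_telegraf_password }}'` and grant only what the agent needs, `GRANT WRITE ON "telegraf" TO "telegraf"`. The grant has to come after `CREATE DATABASE telegraf`, so reorder the lines accordingly.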
@@ -0,0 +1,4 @@
[[outputs.influxdb]]
database = "telegraf"
username = "telegraf"
password = "{{ influxdb_telegraf_password }}"
@@ -0,0 +1,2 @@
[[inputs.syslog]]
server = "tcp://localhost:6514"
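Review bot: `server = "tcp://localhost:6514"` binds the syslog input on the port reserved for syslog-over-TLS but without TLS; that is only fine if the sole sender is a local rsyslog forwarding over loopback. If remote hosts are meant to ship logs here, switch to `server = "tls://:6514"` and set `tls_cert`, `tls_key` and `tls_allowed_cacerts` on the input; otherwise a trailing comment `# loopback only; local rsyslog forwards here` would make the choice explicit.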
+7
@@ -0,0 +1,7 @@
- name: Add slapd script to cron
cron:
minute: "0"
hour: "0"
name: Nextcloud cron-cleanup
job: /usr/bin/php -f /var/www/nextcloud/cron.php
user: www-data
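Review bot: The task is named `Add slapd script to cron` but installs the Nextcloud `cron.php` job; rename it to `Add Nextcloud cron job` so `--list-tasks` and play output are not misleading. Nextcloud documents its background job as a 5-minute cron (`*/5 * * * *`), whereas `minute: "0"` / `hour: "0"` runs it once a day, which delays cleanup and other background jobs; if daily is intentional, say so in a comment above the task.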
