initial: no secrets

2026-06-20 04:22:37 +02:00 · 2024-02-12 17:01:18 +01:00
commit cf9efd55b5
186 changed files with 8697 additions and 0 deletions
@@ -0,0 +1,32 @@
+server {
+    listen 80;
+    listen 9080;
+    server_name icinga.atlantishq.de;
+
+    #auth_basic "ICINGA";
+    #auth_basic_user_file /etc/nginx/auth/stats_auth;
+
+    access_log /var/log/nginx/access-icinga.log;
+    error_log /var/log/nginx/error-icinga.log; 
+    location = / {  
+       return 302 https://icinga.atlantishq.de/icingaweb2;
+    }
+        
+    ##### ICINGA WEB #####
+    location ~ ^/icingaweb2/index\.php(.*)$ {
+            include fastcgi.conf;
+            include fastcgi_params;
+            # fastcgi_temp_path fastcgi;
+            fastcgi_pass  unix:/etc/alternatives/php-fpm.sock;
+            fastcgi_index index.php;
+            # fastcgi_param SCRIPT_NAME /usr/share/icingaweb2/public/index.php;
+            fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+            fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+            fastcgi_param REMOTE_USER $http_x_forwarded_preferred_username;
+    }
+    location ~ ^/icingaweb2(.+)? {
+        alias /usr/share/icingaweb2/public;
+        index index.php;
+        try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+    }
+}
@@ -0,0 +1,52 @@
+object Host "esports-erlangen.de" {
+
+  import "generic-host"
+
+  address	= "esports-erlangen.de"
+  name      = "esports-erlangen.de"
+  check_command = "hostalive4"
+  vars.linux 	= "true"
+
+
+  max_check_attempts = 5
+  retry_interval     = 1m
+
+  vars.notification["mail"] = {
+    groups = ["ese"]
+  }
+
+}
+
+apply Service "dovecot-imap-tls-993" {
+    import "generic-service"
+    check_command = "ssl"
+    vars.host = host.address
+    vars.port = 993
+    assign where host.name == "esports-erlangen.de"
+}
+
+apply Service "postfix-smtp-25" {
+    import "generic-service"
+    check_command = "smtp"
+    vars.host = host.address
+    vars.protocol = "smtp"
+    vars.port = 25
+    assign where host.name == "esports-erlangen.de"
+}
+
+apply Service "postfix-smtp-starttls-25" {
+    import "generic-service"
+    check_command = "ssl"
+    vars.host = host.address
+    vars.protocol = "smtp"
+    vars.port = 25
+    assign where host.name == "esports-erlangen.de"
+}
+
+apply Service "website-http" {
+    import "generic-service"
+    check_command = "http"
+    vars.host = "www.esports-erlangen.de"
+    vars.ssl = true
+    assign where host.name == "esports-erlangen.de"
+}
@@ -0,0 +1,11 @@
+[Unit]
+Description=Monitoring Command Acceptor
+
+[Service]
+ExecStart=/usr/sbin/nsca-ng
+Type=forking
+User=root
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,2 @@
+nagios	sheppy-icinga	/usr/local/bin/icinga/check_icinga_self
+nobody	sheppy-mail	/bin/true
@@ -0,0 +1,4 @@
+identity = "atlantishq.de"
+password = ""
+server   = "kraftwerk.ruderich.eu"
+tls_ciphers = "PSK-AES256-CBC-SHA"
@@ -0,0 +1,147 @@
+object CheckCommand "gateway" {
+    command = [ "/etc/icinga2/icinga-webhook-gateway/icinga-gateway-command.py" ]
+    arguments = {
+	    "--protocol" = "$protocol$",
+        "--host"     = "$host$",
+	    "--port"     = "$port$",
+        "--service"  = "$service_name$"
+    }
+}
+
+object Host "THS" {
+
+  import "generic-host"
+
+  address	= "localhost"
+  name      = "THS"
+  vars.async 	= "true"
+  vars.linux 	= "true"
+
+  vars.ssl_address = "async-icinga.atlantishq.de"
+  vars.ssl_port = "443"
+
+  check_command = "http"
+
+  max_check_attempts = 5
+  retry_interval     = 1m
+
+}
+
+object Host "atlantispc" {
+
+  import "generic-host"
+
+  address	= "localhost"
+  name      = "atlantispc"
+  vars.async 	= "true"
+  vars.linux 	= "true"
+
+  vars.ssl_address = "async-icinga.atlantishq.de"
+  vars.ssl_port = "443"
+
+  check_command = "http"
+
+  max_check_attempts = 5
+  retry_interval     = 1m
+
+}
+
+object Host "atlantislaptop" {
+
+  import "generic-host"
+
+  address	= "localhost"
+  name      = "atlantislaptop"
+  vars.async 	= "true"
+  vars.linux 	= "true"
+
+  vars.ssl_address = "async-icinga.atlantishq.de"
+  vars.ssl_port = "443"
+
+  check_command = "http"
+
+  max_check_attempts = 5
+  retry_interval     = 1m
+
+}
+
+apply Service "apt_atlantis_laptop" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "apt_atlantis_laptop"
+    assign where host.name == "atlantislaptop"
+}
+
+apply Service "apt_atlantis_pc" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "apt_atlantis_pc"
+    assign where host.name == "atlantispc"
+}
+
+apply Service "backup_atlantis_laptop" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "backup_atlantis_laptop"
+    assign where host.name == "atlantispc"
+}
+
+apply Service "backup_ths_storrage_box" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "backup_ths_storrage_box"
+    assign where host.name == "atlantispc"
+}
+
+apply Service "backup_ths" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "backup_ths"
+    assign where host.name == "THS"
+}
+
+apply Service "ths_auftragsdatenbank" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "ths_auftragsdatenbank"
+    assign where host.name == "THS"
+}
+
+apply Service "mail_atlantishq" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "mail_atlantishq"
+    assign where host.name == "async_icinga"
+}
+
+apply Service "ths_caldav_backup" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "ths_caldav_backup"
+    assign where host.name == "async_icinga"
+}
+
+apply Service "slapd_backup" {
+    import "generic-service"
+    check_command = "gateway"
+    vars.protocol = "https"
+    vars.host = "async-icinga.atlantishq.de"
+    vars.service_name = "slapd_backup"
+    assign where host.name == "async_icinga"
+}
@@ -0,0 +1,54 @@
+apply Service "systemd" {
+    import "remote_passive"
+    assign where host.vars.remote
+}
+
+apply Service "disk-remote" {
+    import "remote_passive"
+    assign where host.vars.remote
+}
+
+apply Service "load-remote" {
+    import "remote_passive"
+    assign where host.vars.remote
+}
+
+apply Service "procs-remote" {
+    import "remote_passive"
+    assign where host.vars.remote
+}
+
+apply Service "insurgency-1" {
+    import "remote_passive"
+ 	assign where host.name == "steam"
+}
+
+apply Service "insurgency-2" {
+    import "remote_passive"
+ 	assign where host.name == "steam"
+}
+
+apply Service "irc" {
+    import "remote_passive"
+ 	assign where host.name == "irc"
+}
+
+apply Service "wireguard-darknet-rudi" {
+    import "remote_passive"
+ 	assign where host.name == "vpn"
+}
+
+apply Service "wireguard-darknet-hase" {
+    import "remote_passive"
+ 	assign where host.name == "vpn"
+}
+
+#apply Service "darknet-reachable" {
+#    import "remote_passive"
+# 	assign where host.name == "vpn"
+#}
+
+apply Service "mail_queue" {
+    import "remote_passive"
+    assign where host.name == "mail"
+}
@@ -0,0 +1,15 @@
+apply Service "MAIL-postfix-tls" {
+	import "generic-service"
+	check_command = "ssl"
+	vars.ssl_address = "192.168.122.101"
+	vars.ssl_port = "465"
+ 	assign where host.name == "mail"
+}
+
+apply Service "IMAP-dovecot-tls" {
+	import "generic-service"
+	check_command = "ssl"
+	vars.ssl_address = "192.168.122.101"
+	vars.ssl_port = "993"
+ 	assign where host.name == "mail"
+}
@@ -0,0 +1,7 @@
+apply Service for (http_vhost => config in host.vars.http_vhosts) {
+  import "generic-service"
+
+  check_command = "http"
+
+  vars += config
+}
@@ -0,0 +1,25 @@
+object User "michy" {
+  import "generic-user"
+
+  display_name = "Michy Monitoring"
+  groups =  ["ese"]
+
+  email = "ipatix@atlantishq.de"
+}
+
+object User "icingaadmin" {
+  import "generic-user"
+
+  display_name = "Icinga 2 Admin"
+  groups = [ "icingaadmins" ]
+
+  email = "sheppy@atlantishq.de"
+}
+
+object UserGroup "icingaadmins" {
+  display_name = "Icinga 2 Admin Group"
+}
+
+object UserGroup "ese" {
+  display_name = "ESports-Erlangen Gruppe"
+}
@@ -0,0 +1,9 @@
+- name: restart icinga
+  systemd:
+    name: icinga2
+    state: restarted
+
+- name: restart telegraf
+  systemd:
+    name: telegraf
+    state: restarted
@@ -0,0 +1,2 @@
+dependencies:
+    - global-handlers
@@ -0,0 +1,189 @@
+- name: Install Dependecies
+  apt:
+    pkg:
+        - git
+        - docker-compose
+        - nginx
+    state: present
+
+- name: Clone Passive Monitoring 
+  git:
+    repo: https://github.com/FAUSheppy/icinga-passive-checks-monitoring
+    dest: "/etc/monitoring/"
+    version: master
+
+- name: Clone Monitoring tools
+  git:
+    repo: https://github.com/FAUSheppy/monitoring-tools
+    dest: "/etc/monitoring-tools/"
+    version: master
+  notify: restart icinga
+
+- name: Set monitoring tools permissions
+  file:
+    dest: /etc/monitoring-tools/
+    owner: root
+    mode: u=rwX,g=rX,o=rX
+    recurse: yes
+
+- name: Set monitoring permissions
+  file:
+    dest: /etc/monitoring/
+    owner: root
+    mode: u=rwX,g=rX,o=rX
+    recurse: yes
+
+- name: Copy nsca-ng and send_nsca to /bin/
+  copy:
+    src: nsca-ng
+    dest: /bin/nsca-ng
+    mode: 0755
+
+- name: Copy nsca-ng and send_nsca to /bin/
+  copy:
+    src: send_nsca
+    dest: /bin/send_nsca
+    mode: 0755
+
+- name: Create nsca server directory
+  file:
+    path: /etc/nsca-ng/
+    mode: 0750
+    owner: root
+    group: nagios
+
+- name: Copy nsca server config
+  copy:
+    src: nsca_server.conf
+    dest: /etc/nsca-ng/nsca-ng.cfg
+    owner: root
+    group: nagios
+    mode: 0644
+  notify:
+    - nsca-ng service reload
+
+- name: Copy nsca systemd unit
+  copy:
+    src: nsca-ng.service
+    dest: /etc/systemd/user/nsca-ng.service
+    mode: 0644
+  notify:
+    - nsca-ng service reload
+
+- name: Enable and start nsca-ng
+  systemd:
+    name: nsca-ng.service
+    state: started
+    enabled: yes
+
+- name: Copy icinga configuration
+  copy:
+    src: "{{ item }}"
+    dest: /etc/icinga2/conf.d/
+    owner: root
+    group: nagios
+    mode: 0640
+  with_items:
+    - icinga_master_hosts.conf
+    - services_vhosts_http_checks.conf
+    - services_passive.conf
+    - services_passive_mail_extern.conf
+    - services_async.conf
+    - users.conf
+    - michy-ese-server.conf
+    - async-icinga-services-dynamic.conf
+  notify:
+    - restart icinga
+
+- name: Template icinga configuration
+  template:
+    src: "{{ item }}"
+    dest: /etc/icinga2/conf.d/
+    owner: root
+    group: nagios
+    mode: 0640
+  with_items:
+    - mail_notifications.conf
+  notify:
+    - restart icinga
+
+- name: Change icinga log level
+  lineinfile:
+    path: /etc/icinga2/features-enabled/mainlog.conf
+    line: '  severity = "warning"'
+  notify: restart icinga
+
+- name: Add signal vars
+  lineinfile:
+    path: /etc/icinga2/constants.conf
+    line: "{{ item }}"
+  with_items:
+    # WARNING ME LAZY BITCH, YOU HAVE TO DELETE THOSE ON THE SERVER OR IT WONT WORK #
+    # i mean it will work because they will be added at the end and overwrite
+    # previous definitions but ya know write a regex its fucking 03:39 am
+    - 'const signal_gateway_host = "{{ event_dispatcher_host }}"'
+    - 'const signal_gateway_port = "{{ event_dispatcher_port }}"'
+    - 'const signal_gateway_proto = "{{ event_dispatcher_proto }}"'
+  notify: restart icinga
+
+- name: Signal command loaded from monitoring tools
+  lineinfile:
+    path: /etc/icinga2/icinga2.conf
+    line: '"include /etc/monitoring-tools/commands.d/signal-notify.conf"'
+  notify:
+    - restart icinga
+
+- name: OAuth2Proxy directories
+  file:
+    path: "/opt/oauth2proxy/{{ item }}/"
+    state: directory
+    recurse: yes
+  with_items:
+   - icinga
+
+- name: include services ports
+  include_vars: services.yaml
+
+- name: Deploy OAuth2Proxy compose files
+  template:
+    src: oauth-standalone-docker-compose.yaml
+    dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
+  with_items:
+    - icinga
+
+- name: Deploy OAuth2Proxy
+  community.docker.docker_compose:
+    project_src: /opt/oauth2proxy/{{ item }}/
+    pull: true
+  with_items:
+    - icinga
+
+- name: Copy icinga web nginx conf
+  copy:
+    src: icinga-nginx.conf
+    dest: /etc/nginx/sites-enabled/icinga.conf
+    mode: 0755
+  notify:
+    - restart nginx
+
+- name: Copy icingaweb2-config
+  template:
+    src: "icingaweb2/{{ item }}"
+    dest: "/etc/icingaweb2/{{ item }}"
+    mode: 0660
+    owner: root
+    group: icingaweb2
+  with_items:
+    - resources.ini
+    - roles.ini
+    - config.ini
+    - authentication.ini
+    - groups.ini
+
+- name: Template dispatcher gateway passfile
+  template:
+    src: dispatcher-pass-file.txt
+    dest: /etc/icinga2/dispatcher-pass-file.txt
+    mode: 0660
+    owner: root
+    group: nagios
@@ -0,0 +1,11 @@
+- name: install postfix
+  apt:
+    pkg:
+        - postfix
+
+- name: copy postfix config
+  template:
+    src: postfix_main.cf
+    dest: /etc/postfix/main.cf
+  notify:
+    - restart postfix
@@ -0,0 +1,31 @@
+- name: Copy influx apt keyring
+  copy:
+    src: influx-repo.gpg
+    dest: /usr/share/keyrings/
+    mode: 0644
+  notify:
+    - apt update
+
+- name: Add Influx repo
+  copy:
+    src: influxdb.list
+    dest: /etc/apt/sources.list.d/influxdb.list
+    mode: 0644
+  notify:
+    apt update
+
+- meta: flush_handlers
+
+- name: Install Telegraf
+  apt:
+    pkg:
+      - telegraf
+
+- name: Copy telegraf config files
+  template:
+    src: "{{ item }}"
+    dest: /etc/telegraf/telegraf.d/
+  with_items:
+    - telegraf_influxdb.conf
+    - telegraf_rsyslog_input.conf
+  notify: restart telegraf
@@ -0,0 +1,44 @@
+- name: Icinga
+  include: icinga.yaml
+  when: monitoring_master
+  tags:
+    - icinga
+    - monitoring-master
+
+- name: Postfix/Mail for icinga
+  include: icinga_postfix.yaml
+  when: monitoring_master
+  tags:
+    - icinga
+    - monitoring-master
+
+- name: logs.yaml
+  include: logs.yaml
+  when: monitoring_master
+  tags:
+    - grafana
+    - monitoring-master
+
+- name: Report to Rudi nsca cfg
+  copy:
+    src: report_to_rudi_send_nsca_rudi.cfg
+    dest: /etc/report_to_rudi_send_nsca_rudi.cfg
+    mode: 0666
+  tags:
+    - monitoring-master
+
+- name: Report to Rudi monitoring cfg
+  copy:
+    src: report_to_rudi_monitoring.conf
+    dest: /etc/report_to_rudi_monitoring.conf
+    mode: 0666
+  tags:
+    - monitoring-master
+
+- name: Add Report to Rudi cron
+  cron:                                                                                             
+    name: "Monitoring at Rudi"
+    job: /etc/monitoring/monitoring-report.py -H atlantishq.de -c /etc/report_to_rudi_monitoring.conf --nsca-config /etc/report_to_rudi_send_nsca_rudi.cfg
+    minute: "*"
+    hour: "*"
+    day: "*"
@@ -0,0 +1,2 @@
+{{ event_dispatcher_user }}
+{{ event_dispatcher_pass }}
@@ -0,0 +1,14 @@
+[icingaweb2]
+backend = "db"
+resource = "icingaweb_db"
+
+[autologin]
+backend    = "external"
+
+[ldap_users]
+backend             = ldap
+resource            = ldap_auth
+group_backend       = "ldap_groups"
+user_class          = inetOrgPerson
+user_name_attribute = uid
+#filter              = "memberOf=cn=icinga,cn=groups,cn=accounts,dc=icinga,dc=org"
@@ -0,0 +1,10 @@
+[global]
+show_stacktraces = "1"
+show_application_state_messages = "1"
+config_backend = "db"
+config_resource = "icingaweb_db"
+
+[logging]
+log = "file"
+level = "INFO"
+file = "/var/log/icingaweb2.log"
@@ -0,0 +1,12 @@
+[icingaweb2]
+backend = "db"
+resource = "icingaweb_db"
+
+[ldap_groups]
+backend = "ldap"
+resource = "ldap_groups_auth"
+group_class = "groupOfNames"
+group_name_attribute = "cn"
+user_name_attribute = "uid"
+user_backend = "ldap_users"
+user_class = "inetOrgPerson"
@@ -0,0 +1,41 @@
+[icingaweb_db]
+type = "db"
+db = "pgsql"
+host = "localhost"
+port = "5432"
+dbname = "icinga_web"
+username = "icinga_web"
+password = ""
+charset = ""
+use_ssl = "0"
+
+[icinga_ido]
+type = "db"
+db = "pgsql"
+host = "localhost"
+port = "5432"
+dbname = "icinga2"
+username = "icinga2"
+password = ""
+charset = ""
+use_ssl = "0"
+
+[ldap_auth]
+type = "ldap"
+hostname = "{{ ldap_server }}"
+port = "389"
+encryption = "none"
+root_dn = "{{ ldap_user_dn }}"
+bind_dn = "{{ ldap_bind_dn }}"
+bind_pw = "{{ ldap_password }}"
+timeout = "5"
+
+[ldap_groups_auth]
+type = "ldap"
+hostname = "{{ ldap_server }}"
+port = "389"
+encryption = "none"
+root_dn = "{{ ldap_group_dn }}"
+bind_dn = "{{ ldap_bind_dn }}"
+bind_pw = "{{ ldap_password }}"
+timeout = "5"
@@ -0,0 +1,15 @@
+[Administrators]
+users = "sheppy"
+permissions = "*"
+groups = "Administrators"
+
+[icinga]
+users = "*"
+groups = "icinga"
+monitoring/filter/objects = "_service_owner=$user:local_name$"
+permissions = "module/monitoring,monitoring/*"
+
+[sheppy]
+users = "sheppy"
+monitoring/filter/objects = "*"
+permissions = "module/monitoring,monitoring/*"
@@ -0,0 +1,25 @@
+apply Notification "mail-icingaadmin" to Host {
+  import "mail-host-notification"
+
+  user_groups = host.vars.notification.mail.groups
+  users = host.vars.notification.mail.users
+
+  interval = 7d
+
+  vars.notification_logtosyslog = true
+  vars.notification_from = "Icinga <{{ smtp_service_user }}@atlantishq.de>"
+
+  assign where host.vars.notification.mail
+}
+
+apply Notification "mail-icingaadmin" to Service {
+  import "mail-service-notification"
+
+  user_groups = host.vars.notification.mail.groups
+  users = host.vars.notification.mail.users
+
+  interval = 7d
+  vars.notification_logtosyslog = true
+  vars.notification_from = "Icinga <{{ smtp_service_user }}@atlantishq.de>"
+  assign where host.vars.notification.mail
+}
@@ -0,0 +1,13 @@
+# Set username and password
+smtp_sasl_password_maps = static:{{ smtp_service_user }}:{{ smtp_service_pass }}
+smtp_sasl_security_options = noanonymous
+
+# Turn on tls encryption 
+# smtp_tls_security_level = encrypt
+header_size_limit = 4096000
+
+# Set external SMTP relay host here IP or hostname accepted along with a port number. 
+relayhost = {{ smtp_internal_host }}:25
+
+# accept email from our web-server only (adjust to match your VPC/VLAN etc)
+inet_interfaces = 127.0.0.1
@@ -0,0 +1,3 @@
+CREATE USER telegraf WITH PASSWORD {{ influxdb_telegraf_password }} WITH ALL PRIVILEGES
+CREATE DATABASE telegraf
+CREATE RETENTION POLICY "4Weeks" ON "telegraf" DURATION 4w REPLICATION 1 DEFAULT
@@ -0,0 +1,4 @@
+[[outputs.influxdb]]
+  database = "telegraf"
+  username = "telegraf"
+  password = "{{ influxdb_telegraf_password }}"
@@ -0,0 +1,2 @@
+[[inputs.syslog]]
+  server = "tcp://localhost:6514"