authorCullum Smith <cullum@sacredheartsc.com>2025-03-28 22:04:58 -0400
committerCullum Smith <cullum@sacredheartsc.com>2025-03-28 22:04:58 -0400
commit0bc898160b57b69bb766c97f25a5b9545eb91ee3 (patch)
treede0c5a537f2696c09257666268cd5b02d9ce87b1
parent45f11dbe7efc2d6d4661b3a21d83fd0e0a5deb06 (diff)
downloadinfrastructure-0bc898160b57b69bb766c97f25a5b9545eb91ee3.tar.gz
mysql/icinga fixesHEADmaster
-rw-r--r--files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server5
-rw-r--r--files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server32
-rw-r--r--files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server1
-rw-r--r--files/usr/local/etc/poudriere.d/make.conf.pkg_repository2
-rw-r--r--files/usr/local/var/krb5kdc/kadm5.acl.idm_server2
-rw-r--r--scripts/hostclass/icinga_server/10-icingadb7
-rw-r--r--scripts/hostclass/mysql_server6
m---------site0
8 files changed, 48 insertions, 7 deletions
diff --git a/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server
index f6f13b8..6665a78 100644
--- a/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server
@@ -43,6 +43,11 @@ object HostGroup "postgresql-servers" {
assign where regex("^postgres[0-9]+", host.name)
}
+object HostGroup "mysql-servers" {
+ display_name = "MySQL Servers"
+ assign where regex("^mysql[0-9]+", host.name)
+}
+
object HostGroup "dav-servers" {
display_name = "DAV Servers"
assign where regex("^dav[0-9]+", host.name)
diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
index ce08657..dbff174 100644
--- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
@@ -165,6 +165,16 @@ apply Service "postgres" {
assign where "postgresql-servers" in host.groups
}
+apply Service "mysql" {
+ check_command = "mysql"
+ vars.mysql_warning = ${icinga_response_time_warn}
+ vars.mysql_critical = ${icinga_response_time_crit}
+ vars.mysql_username = "${icinga_username}"
+ vars.mysql_password = IcingaPassword
+ vars.mysql_ssl = true
+ assign where "mysql-servers" in host.groups
+}
+
apply Service "eap-cert" {
check_command = "eapol"
vars.eapol_secret = IcingaRadiusSecret
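Review bot: `vars.mysql_ssl = true` in the new mysql service turns on TLS for check_mysql but names no CA, so the session is encrypted without the server certificate being verified; as far as I can tell, the monitoring-plugins mysql check with --ssl alone does not validate the peer, so a check passing says nothing about who answered. The server side in this same commit already points `ssl_ca` at the site CA, and the ITL's mysql command has a matching parameter, so the check can pin the same anchor: `vars.mysql_cacert = "${site_cacert_path}"`. With that, a green check also means the endpoint presents a certificate chained to the site CA rather than any certificate at all. Worth confirming against the ITL definition on the icinga host before relying on it.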
@@ -233,6 +243,28 @@ apply Service for (vhost in host.vars.xmpp_vhosts) {
vars.tcp_expect = "<?xml version='1.0'"
}
+apply Service "mollysocket" {
+ check_command = "http"
+ display_name = "mollysocket status"
+ vars.http_vhost = "\$address\$"
+ vars.http_port = 8443
+ vars.http_expect = "HTTP/1.1 200 OK"
+ vars.http_ssl = true
+ vars.http_warn_time = ${icinga_response_time_warn}
+ vars.http_critical_time = ${icinga_response_time_crit}
+ assign where ("xmpp-servers" in host.groups)
+}
+
+apply Service "mollysocket-cert" {
+ check_command = "http"
+ display_name = "mollysocket certificate"
+ vars.http_port = 8443
+ vars.http_vhost = "\$address\$"
+ vars.http_ssl = true
+ vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit}
+ assign where ("xmpp-servers" in host.groups)
+}
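Review bot: Both new mollysocket services are assigned on their `assign where` lines to every host in "xmpp-servers", so an XMPP host that does not run mollysocket on 8443 will sit in CRITICAL instead of simply lacking the check; if that co-deployment is not universal, gate on a host var, e.g. `assign where "xmpp-servers" in host.groups && host.vars.mollysocket`. The two services also repeat the same port/vhost/ssl trio with nothing saying what the endpoint is, unlike the commented `// Expect HTTP 200` block that follows; a short comment above the first one would help the next reader, e.g. `// mollysocket runs on the XMPP hosts on port 8443; status and certificate are checked separately.`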
+
// Expect HTTP 200
apply Service "http" {
check_command = "http"
diff --git a/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server b/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server
index 2f514ae..4b51ccd 100644
--- a/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server
+++ b/files/usr/local/etc/mysql/conf.d/server.cnf.mysql_server
@@ -18,5 +18,4 @@ pam_use_cleartext_plugin
ssl_ca = ${site_cacert_path}
ssl_cert = ${mysql_tls_cert}
ssl_key = ${mysql_tls_key}
-require_secure_transport
max_allowed_packet = ${mysql_max_packet_size}
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index eeda66f..aa961ea 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -58,7 +58,7 @@ multimedia_qt6-multimedia_SET=PULSEAUDIO
multimedia_vlc_SET=FLAC MPEG2 X264 X265 VPX DCA FAAD AOM
multimedia_webcamd_UNSET=DVB INPUT RADIO
net-im_py-matrix-synapse_SET=PGSQL URLPREVIEW LDAP
-net-mgmt_monitoring-plugins_SET=LDAP SSH_PORTABLE PGSQL RADIUS DNS_BINDTOOLS
+net-mgmt_monitoring-plugins_SET=LDAP SSH_PORTABLE PGSQL MYSQL RADIUS DNS_BINDTOOLS
net-mgmt_monitoring-plugins_UNSET=DNS_BASE
net_asterisk18_SET=NEWG711 G729 NCURSES
net_asterisk18_UNSET=DAHDI FREETDS RADIUS NEWT
diff --git a/files/usr/local/var/krb5kdc/kadm5.acl.idm_server b/files/usr/local/var/krb5kdc/kadm5.acl.idm_server
index 9f7507e..77ab9cf 100644
--- a/files/usr/local/var/krb5kdc/kadm5.acl.idm_server
+++ b/files/usr/local/var/krb5kdc/kadm5.acl.idm_server
@@ -1,2 +1,2 @@
*/admin@${realm} * *
-${boxconf_username}@${realm} * *
+${boxconf_username}@${realm} xe *
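Review bot: The changed line grants `${boxconf_username}` the `e` (extract keys) privilege over every principal (`*` target), which is exactly the right the `x` wildcard deliberately leaves out: with it, boxconf can read the existing keys of any principal in the realm, including admin and ticket-granting principals, rather than only reset them. The apparent reason is the `ktadd -norandkey` added to the icingadb script in this commit, which only needs to extract keys of principals boxconf itself creates. As I recall kadmind uses the first matching entry, so the extraction right can be scoped by listing a narrow target before the catch-all, e.g. `${boxconf_username}@${realm} e ${icinga_username}@${realm}` followed by `${boxconf_username}@${realm} x *`. A comment on the line saying why extract-keys is needed would also help, since nothing else in the ACL grants it.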
diff --git a/scripts/hostclass/icinga_server/10-icingadb b/scripts/hostclass/icinga_server/10-icingadb
index e6084c6..1004d72 100644
--- a/scripts/hostclass/icinga_server/10-icingadb
+++ b/scripts/hostclass/icinga_server/10-icingadb
@@ -38,12 +38,11 @@ ldap_add "$icinga_dn" <<EOF
objectClass: account
objectClass: simpleSecurityObject
uid: ${icinga_username}
-userPassword: {SSHA-512}
+userPassword: {SASL}${icinga_username}@${realm}
EOF
-ldap_passwd "$icinga_dn" "$icinga_password"
-add_principal -nokey -x "dn=${icinga_dn}" "$icinga_username"
+add_principal -pw "$icinga_password" -x "dn=${icinga_dn}" "$icinga_username"
-ktadd -k "$icingaweb_client_keytab" "$icinga_username"
+ktadd -k "$icingaweb_client_keytab" -norandkey "$icinga_username"
chgrp "$nginx_user" "$icingaweb_client_keytab"
chmod 640 "$icingaweb_client_keytab"
nginx_uid=$(id -u "$nginx_user")
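Review bot: The new `add_principal -pw "$icinga_password" …` line hands the password to the helper as an argument; if `add_principal` wraps `kadmin -q`, the cleartext password is visible in the process list for the duration of the call and lands in any `set -x` trace. Neither the helper nor its kadmin backend is visible here, so verify that; if the password does reach a command line, feeding it on stdin (kadmin prompts when `-pw` is omitted) keeps it out of `ps`. The follow-on `ktadd -norandkey` means the keytab now holds the very key the password derives, so the password and the keytab are one credential; say so where the two lines sit, e.g. `# Keytab and password share a key (-norandkey): changing either invalidates the other.` The script continues past this hunk.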
diff --git a/scripts/hostclass/mysql_server b/scripts/hostclass/mysql_server
index d8edad6..33edded 100644
--- a/scripts/hostclass/mysql_server
+++ b/scripts/hostclass/mysql_server
@@ -61,7 +61,13 @@ install_template -m 0644 "${mysql_conf_dir}/conf.d/server.cnf"
sysrc -v mysql_enable=YES
service mysql-server restart
+# Create the boxconf superuser.
cat <<EOF | mysql --batch
CREATE USER IF NOT EXISTS '${boxconf_username}' IDENTIFIED VIA pam;
GRANT ALL PRIVILEGES ON *.* to '${boxconf_username}' WITH GRANT OPTION;
EOF
+
+# Create icinga user.
+cat <<EOF | mysql --batch
+CREATE USER IF NOT EXISTS '${icinga_username}' IDENTIFIED VIA pam;
+EOF
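Review bot: The new icinga user is created `IDENTIFIED VIA pam` without a `REQUIRE SSL` clause, and this same commit drops `require_secure_transport` from server.cnf while `pam_use_cleartext_plugin` stays, so any client that reaches the server without TLS sends the PAM password in the clear. The icinga check in services.conf already sets `mysql_ssl = true`, so making TLS a property of the account instead of a client flag costs nothing: `CREATE USER IF NOT EXISTS '${icinga_username}' IDENTIFIED VIA pam REQUIRE SSL;`. The boxconf superuser created just above is in the same position and could carry the same clause. The icinga user receives no GRANT, which appears sufficient for check_mysql's connect-and-stat probe, and a one-line comment saying so would stop a later drive-by grant: `# No grants on purpose: check_mysql only needs to connect.`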
diff --git a/site b/site
-Subproject 55a4440d5ab567109b00f34e87d36a2fa4c1ea9
+Subproject ce16cab20272bb2c180aebd2dd070b7f479394e