diff options
| author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-25 00:49:42 -0400 |
|---|---|---|
| committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-25 00:49:42 -0400 |
| commit | 7bb5176a0e1d3a7d8a119b92758404d514f59be9 (patch) | |
| tree | 216cc2c9b1af8ddd337d619bc8c77e44bba94b1a | |
| parent | e2fc0433de38c322ce46ad250bc0f0f03e7710c8 (diff) | |
| download | infrastructure-7bb5176a0e1d3a7d8a119b92758404d514f59be9.tar.gz | |
icinga stuff
28 files changed, 697 insertions, 73 deletions
diff --git a/files/usr/local/etc/icinga2/conf.d/app.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/app.conf.icinga_server new file mode 100644 index 0000000..3e4be0d --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/app.conf.icinga_server @@ -0,0 +1 @@ +object IcingaApplication "app" { } diff --git a/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server new file mode 100644 index 0000000..dd78f14 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server @@ -0,0 +1,40 @@ +object NotificationCommand "mail-host-notification" { + command = [ ConfigDir + "/scripts/mail-host-notification.sh" ] + + env = { + NOTIFICATIONTYPE = "$notification.type$" + HOSTDISPLAYNAME = "$host.display_name$" + HOSTNAME = "$host.name$" + HOSTADDRESS = "$address$" + HOSTSTATE = "$host.state$" + LONGDATETIME = "$icinga.long_date_time$" + HOSTOUTPUT = "$host.output$" + NOTIFICATIONAUTHORNAME = "$notification.author$" + NOTIFICATIONCOMMENT = "$notification.comment$" + HOSTDISPLAYNAME = "$host.display_name$" + USEREMAIL = "$user.email$" + HOSTNOTES = "$host.notes$" + } +} + +object NotificationCommand "mail-service-notification" { + command = [ ConfigDir + "/scripts/mail-service-notification.sh" ] + + env = { + NOTIFICATIONTYPE = "$notification.type$" + SERVICENAME = "$service.name$" + HOSTNAME = "$host.name$" + HOSTDISPLAYNAME = "$host.display_name$" + HOSTADDRESS = "$address$" + SERVICESTATE = "$service.state$" + LONGDATETIME = "$icinga.long_date_time$" + SERVICEOUTPUT = "$service.output$" + NOTIFICATIONAUTHORNAME = "$notification.author$" + NOTIFICATIONCOMMENT = "$notification.comment$" + HOSTDISPLAYNAME = "$host.display_name$" + SERVICEDISPLAYNAME = "$service.display_name$" + USEREMAIL = "$user.email$" + HOSTNOTES = "$host.notes$" + SERVICENOTES = "$service.notes$" + } +} diff --git a/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server diff --git a/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server new file mode 100644 index 0000000..f6f13b8 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/groups.conf.icinga_server @@ -0,0 +1,119 @@ +object HostGroup "hypervisors" { + display_name = "Hypervisors" + assign where regex("^alcatraz[0-9]+", host.name) +} + +object HostGroup "idm-servers" { + display_name = "IDM Servers" + assign where regex("^idm[0-9]+", host.name) +} + +object HostGroup "pkg-repositories" { + display_name = "Pkg Repositories" + assign where regex("^pkg[0-9]+", host.name) +} + +object HostGroup "smtp-servers" { + display_name = "SMTP Servers" + assign where regex("^smtp[0-9]+", host.name) +} + +object HostGroup "imap-servers" { + display_name = "IMAP Servers" + assign where regex("^imap[0-9]+", host.name) +} + +object HostGroup "radius-servers" { + display_name = "RADIUS Servers" + assign where regex("^radius[0-9]+", host.name) +} + +object HostGroup "desktops" { + display_name = "Desktops" + assign where regex("^desktop[0-9]+", host.name) +} + +object HostGroup "laptops" { + display_name = "Laptops" + assign where regex("^laptop[0-9]+", host.name) +} + +object HostGroup "postgresql-servers" { + display_name = "PostgreSQL Servers" + assign where regex("^postgres[0-9]+", host.name) +} + +object HostGroup "dav-servers" { + display_name = "DAV Servers" + assign where regex("^dav[0-9]+", host.name) +} + +object HostGroup "bitwarden-servers" { + display_name = "Bitwarden Servers" + assign where regex("^bitwarden[0-9]+", host.name) +} + +object HostGroup "ttrss-servers" { + display_name = "TT-RSS Servers" + assign where regex("^ttrss[0-9]+", host.name) +} + +object HostGroup "znc-servers" { + display_name = "ZNC Servers" + assign where regex("^znc[0-9]+", host.name) +} + +object HostGroup "cups-servers" { + display_name = "CUPS Servers" + assign where regex("^cups[0-9]+", host.name) +} + +object HostGroup "unifi-controllers" { + display_name = "UniFi Controllers" + assign where regex("^unifi[0-9]+", host.name) +} + +object HostGroup "invidious-servers" { + display_name = "Invidious Servers" + assign where regex("^invidious[0-9]+", host.name) +} + +object HostGroup "git-servers" { + display_name = "Git Servers" + assign where regex("^git[0-9]+", host.name) +} + +object HostGroup "xmpp-servers" { + display_name = "XMPP Servers" + assign where regex("^xmpp[0-9]+", host.name) +} + +object HostGroup "web-servers" { + display_name = "Web Servers" + assign where regex("^(www|web)[0-9]+", host.name) +} + +object HostGroup "nameservers" { + display_name = "Nameservers" + assign where regex("^ns[0-9]+", host.name) +} + +object HostGroup "asterisk-servers" { + display_name = "Asterisk Servers" + assign where regex("^pbx[0-9]+", host.name) +} + +object HostGroup "nfs-servers" { + display_name = "NFS Servers" + assign where regex("^nfs[0-9]+", host.name) +} + +object HostGroup "turn-servers" { + display_name = "TURN Servers" + assign where regex("^turn[0-9]+", host.name) +} + +object HostGroup "icinga-servers" { + display_name = "Icinga Servers" + assign where regex("^icinga[0-9]+", host.name) +} diff --git a/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server new file mode 100644 index 0000000..dbc2a54 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server @@ -0,0 +1,3 @@ +/* + * Add custom hosts here. + */ diff --git a/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server new file mode 100644 index 0000000..effff9e --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server @@ -0,0 +1,23 @@ +apply Notification "mail-icingaadmin" to Host { + import "mail-host-notification" + user_groups = host.vars.notification.mail.groups + users = host.vars.notification.mail.users + + //interval = 2h + + //vars.notification_logtosyslog = true + + assign where host.vars.notification.mail +} + +apply Notification "mail-icingaadmin" to Service { + import "mail-service-notification" + user_groups = host.vars.notification.mail.groups + users = host.vars.notification.mail.users + + //interval = 2h + + //vars.notification_logtosyslog = true + + assign where host.vars.notification.mail +} diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server new file mode 100644 index 0000000..5b00864 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server @@ -0,0 +1,165 @@ +apply Service "ssh" { + import "generic-service" + check_command = "ssh" + assign where host.vars.os in ["FreeBSD","Linux"] +} + +apply Service "icinga" { + import "generic-service" + check_command = "icinga" + assign where host.name == NodeName +} + +apply Service "dns" { + import "generic-service" + check_command = "dns" + vars.dns_lookup = "$address$" + vars.dns_server = "$address$" + vars.dns_wtime = ResponseTimeWarn + vars.dns_ctime = ResponseTimeCrit + assign where "idm-servers" in host.groups +} + +apply Service "ldap" { + import "generic-service" + check_command = "ldap" + vars.ldap_port = 389 + vars.ldap_warning = ResponseTimeWarn + vars.ldap_critical = ResponseTimeCrit + vars.ldap_v2 = false + vars.ldap_v3 = true + vars.ldap_starttls = true + vars.ldap_bind = IcingaDN + vars.ldap_pass = IcingaPassword + vars.ldap_base = HostsBaseDn + vars.ldap_attr = "(cn=" + NodeName + ")" + assign where "idm-servers" in host.groups +} + +apply Service "ldaps" { + import "generic-service" + check_command = "ldap" + vars.ldap_port = 636 + vars.ldap_warning = ResponseTimeWarn + vars.ldap_critical = ResponseTimeCrit + vars.ldap_v2 = false + vars.ldap_v3 = true + vars.ldap_ssl = true + vars.ldap_bind = IcingaDN + vars.ldap_pass = IcingaPassword + vars.ldap_base = HostsBaseDn + vars.ldap_attr = "(cn=" + NodeName + ")" + assign where "idm-servers" in host.groups +} + +apply Service "imap" { + import "generic-service" + check_command = "imap" + vars.imap_port = 993 + vars.imap_ssl = true + vars.imap_certificate_age = CertDaysWarn + vars.imap_warning = ResponseTimeWarn + vars.imap_critical = ResponseTimeCrit + assign where "imap-servers" in host.groups +} + +apply Service "smtp" { + import "generic-service" + check_command = "smtp" + vars.smtp_port = 25 + vars.smtp_certificate_age = CertDaysWarn + vars.smtp_starttls = true + vars.smtp_warning = ResponseTimeWarn + vars.smtp_critical = ResponseTimeCrit + assign where "smtp-servers" in host.groups +} + +apply Service "submission" { + import "generic-service" + check_command = "smtp" + vars.smtp_port = 587 + vars.smtp_certificate_age = CertDaysWarn + vars.smtp_starttls = true + vars.smtp_warning = ResponseTimeWarn + vars.smtp_critical = ResponseTimeCrit + assign where "smtp-servers" in host.groups +} + +apply Service "postgres" { + import "generic-service" + check_command = "pgsql" + vars.pgsql_warning = ResponseTimeWarn + vars.pgsql_critical = ResponseTimeCrit + vars.pgsql_username = IcingaUsername + vars.pgsql_password = IcingaPassword + assign where "postgresql-servers" in host.groups +} + +// Expect HTTP 200 +apply Service "http" { + import "generic-service" + check_command = "http" + vars.http_vhost = "$address$" + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = false + vars.http_warn_time = ResponseTimeWarn + vars.http_critical_time = ResponseTimeCrit + assign where ("cups-servers" in host.groups + || "pkg-repositories" in host.groups) +} + +// Expect HTTP 301 +apply Service "http" { + import "generic-service" + check_command = "http" + vars.http_vhost = "$address$" + vars.http_expect = "HTTP/1.1 301 Moved Permanently" + vars.http_ssl = false + vars.http_warn_time = ResponseTimeWarn + vars.http_critical_time = ResponseTimeCrit + assign where ("dav-servers" in host.groups + || "smtp-servers" in host.groups + || "ttrss-servers" in host.groups + || "invidious-servers" in host.groups + || "nfs-servers" in host.groups + || "pkg-servers" in host.groups + || "unifi-controllers" in host.groups + || "web-servers" in host.groups + || "xmpp-servers" in host.groups + || "znc-servers" in host.groups) +} + +// Expect HTTPS 401 +apply Service "https" { + import "generic-service" + check_command = "http" + vars.http_vhost = "$address$" + vars.http_expect = "HTTP/1.1 401 Unauthorized" + vars.http_ssl = true + vars.http_certificate = CertDaysWarn + "," + CertDaysCrit + vars.http_warn_time = ResponseTimeWarn + vars.http_critical_time = ResponseTimeCrit + assign where ("dav-servers" in host.groups + || "cups-servers" in host.groups + || "smtp-servers" in host.groups + || "ttrss-servers" in host.groups) +} + +// Expect HTTPS 200 +apply Service "https" { + import "generic-service" + check_command = "http" + vars.http_vhost = "$address$" + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = true + vars.http_certificate = CertDaysWarn + "," + CertDaysCrit + vars.http_warn_time = ResponseTimeWarn + vars.http_critical_time = ResponseTimeCrit + assign where ("invidious-servers" in host.groups + || "nfs-servers" in host.groups + || "pkg-servers" in host.groups + || "unifi-controllers" in host.groups + || "web-servers" in host.groups + || "xmpp-servers" in host.groups + || "znc-servers" in host.groups) +} diff --git a/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server new file mode 100644 index 0000000..1aae5ac --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server @@ -0,0 +1,50 @@ +template Host "generic-host" default { + max_check_attempts = 3 + check_interval = 1m + retry_interval = 30s + check_command = "hostalive" +} + +template Service "generic-service" default { + max_check_attempts = 5 + check_interval = 1m + retry_interval = 30s +} + +template User "generic-user" default { + +} + +template Notification "mail-host-notification" { + command = "mail-host-notification" + + states = [ Up, Down ] + types = [ Problem, Acknowledgement, Recovery, Custom, + FlappingStart, FlappingEnd, + DowntimeStart, DowntimeEnd, DowntimeRemoved ] + + vars += { + // notification_icingaweb2url = "https://www.example.com/icingaweb2" + // notification_from = "Icinga 2 Host Monitoring <icinga@example.com>" + notification_logtosyslog = false + } + + period = "24x7" +} + +template Notification "mail-service-notification" { + command = "mail-service-notification" + + states = [ OK, Warning, Critical, Unknown ] + types = [ Problem, Acknowledgement, Recovery, Custom, + FlappingStart, FlappingEnd, + DowntimeStart, DowntimeEnd, DowntimeRemoved ] + + vars += { + // notification_icingaweb2url = "https://www.example.com/icingaweb2" + // notification_from = "Icinga 2 Service Monitoring <icinga@example.com>" + notification_logtosyslog = false + } + + period = "24x7" +} diff --git a/files/usr/local/etc/icinga2/conf.d/timeperiods.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/timeperiods.conf.icinga_server new file mode 100644 index 0000000..64cd925 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/timeperiods.conf.icinga_server @@ -0,0 +1,18 @@ +object TimePeriod "24x7" { + display_name = "24x7" + ranges = { + "monday" = "00:00-24:00" + "tuesday" = "00:00-24:00" + "wednesday" = "00:00-24:00" + "thursday" = "00:00-24:00" + "friday" = "00:00-24:00" + "saturday" = "00:00-24:00" + "sunday" = "00:00-24:00" + } +} + +object TimePeriod "never" { + display_name = "Never" + ranges = { } +} + diff --git a/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server new file mode 100644 index 0000000..1ddaf55 --- /dev/null +++ b/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server @@ -0,0 +1,12 @@ +object User "icingaadmin" { + import "generic-user" + + display_name = "Icinga 2 Admin" + groups = [ "icingaadmins" ] + + email = "icinga@localhost" +} + +object UserGroup "icingaadmins" { + display_name = "Icinga 2 Admin Group" +} diff --git a/files/usr/local/etc/icinga2/constants.conf.icinga_server b/files/usr/local/etc/icinga2/constants.conf.icinga_server new file mode 100644 index 0000000..592da99 --- /dev/null +++ b/files/usr/local/etc/icinga2/constants.conf.icinga_server @@ -0,0 +1,14 @@ +const PluginDir = "/usr/local/libexec/nagios" +const ManubulonPluginDir = "/usr/local/libexec/nagios" +const PluginContribDir = "/usr/local/libexec/nagios" +const NodeName = "${BOXCONF_HOSTNAME}" +const ZoneName = NodeName +const TicketSalt = "${icinga_ticket_salt}" +const CertDaysWarn = 30 +const CertDaysCrit = 20 +const ResponseTimeWarn = 0.5 +const ResponseTimeCrit = 1 +const HostsBaseDn = "${hosts_basedn}" +const IcingaUsername = "${icinga_username}" +const IcingaPassword = "${icinga_password}" +const IcingaDN = "${icinga_dn}" diff --git a/files/usr/local/etc/icinga2/icinga2.conf.icinga_server b/files/usr/local/etc/icinga2/icinga2.conf.icinga_server new file mode 100644 index 0000000..c97f5fc --- /dev/null +++ b/files/usr/local/etc/icinga2/icinga2.conf.icinga_server @@ -0,0 +1,9 @@ +include "constants.conf" +include "api-users.conf" +include "zones.conf" +include <itl> +include <plugins> +include <plugins-contrib> +include <manubulon> +include "features-enabled/*.conf" +include_recursive "conf.d" diff --git a/files/usr/local/etc/icinga2/zones.conf.icinga_server b/files/usr/local/etc/icinga2/zones.conf.icinga_server new file mode 100644 index 0000000..59b1fdb --- /dev/null +++ b/files/usr/local/etc/icinga2/zones.conf.icinga_server @@ -0,0 +1,7 @@ +object Endpoint NodeName { + host = NodeName +} + +object Zone ZoneName { + endpoints = [ NodeName ] +} diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server index 990e08a..cf6dea7 100644 --- a/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server +++ b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server @@ -1,6 +1,7 @@ [icinga2] skip_validation = "0" transport = "api" +host = "127.0.0.1" port = "${icinga_port}" username = "${icingaweb_api_username}" -password = ${icingaweb_api_password}" +password = "${icingaweb_api_password}" diff --git a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server index 6e20e8a..2511267 100644 --- a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server +++ b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server @@ -5,6 +5,7 @@ groups = "$(join ',' $icingaweb_admin_groups)" EOF fi) permissions = "*" +icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*" [Users] groups = "${icingaweb_access_role}" diff --git a/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository index 9504faa..71400a4 100644 --- a/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository @@ -4,6 +4,7 @@ dns/powerdns dns/unbound editors/vim@console lang/python +net-mgmt/monitoring-plugins net/nss-pam-ldapd-sasl net/openldap26-client net/openldap26-server diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository index 7e78bbc..1d3a308 100644 --- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository +++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository @@ -55,6 +55,8 @@ multimedia_vlc_SET=FLAC MPEG2 X264 X265 VPX DCA FAAD AOM multimedia_webcamd_UNSET=DVB INPUT RADIO net-im_dino_UNSET=RTP net-im_py-matrix-synapse_SET=PGSQL URLPREVIEW LDAP +net-mgmt_monitoring-plugins_SET=LDAP SSH_PORTABLE PGSQL RADIUS DNS_BINDTOOLS +net-mgmt_monitoring-plugins_UNSET=DNS_BASE net_asterisk18_SET=NEWG711 G729 NCURSES net_asterisk18_UNSET=DAHDI FREETDS RADIUS NEWT net_freeradius3_SET=LDAP MITKRB_PORT diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index 2b9587d..1f11a33 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -80,6 +80,7 @@ net-mgmt/icinga2 net-mgmt/icingadb net-mgmt/icingaweb2 net-mgmt/icingaweb2-module-icingadb +net-mgmt/monitoring-plugins net-mgmt/unifi8 net/asterisk18 net/freeradius3 diff --git a/files/usr/local/etc/rc.d/myicinga2.icinga_server b/files/usr/local/etc/rc.d/myicinga2.icinga_server new file mode 100755 index 0000000..be10192 --- /dev/null +++ b/files/usr/local/etc/rc.d/myicinga2.icinga_server @@ -0,0 +1,113 @@ +#!/bin/sh + +# PROVIDE: icinga2 +# REQUIRE: LOGIN +# KEYWORD: shutdown + +# Unfortunately, we must duplicate the icinga rc script here in order +# to provide a mechanism to pass flags to the icinga2 executable. + +. /etc/rc.subr + +# Add /usr/local/bin to path, so that the notification scripts +# can work (#!/usr/bin/env bash) +export PATH=$PATH:/usr/local/bin:/usr/local/sbin + +name="icinga2" +desc="Icinga 2 monitoring (core)" +rcvar=myicinga2_enable + +load_rc_config "${name}" + +: ${myicinga2_enable:="NO"} +: ${icinga2_configfile="/usr/local/etc/${name}/${name}.conf"} +: ${icinga2_user:="icinga"} +: ${icinga2_group:="icinga"} +: ${icinga2_webgroup:="www"} +: ${icinga2_flags:=""} + + +command="/usr/local/sbin/${name}" +procname="/usr/local/lib/icinga2/sbin/icinga2" +extra_commands="reload checkconfig configtest" + +icinga2_cachedir="/var/cache/${name}" +icinga2_libdir="/var/lib/${name}" +icinga2_logdir="/var/log/icinga2" +icinga2_rundir="/var/run/${name}" +icinga2_spooldir="/var/spool/${name}" + +pidfile="${icinga2_rundir}/${name}.pid" +icinga2_logfile="${icinga2_logdir}/${name}.log" +icinga2_errorlogfile="${icinga2_logdir}/error.log" + +start_cmd="start_cmd" +start_precmd="start_precmd" +restart_precmd="icinga2_checkconfig" +reload_precmd="reload_precmd" +checkconfig_cmd="icinga2_checkconfig verbose" +configtest_cmd="${checkconfig_cmd}" +sig_reload=HUP + +required_files="${icinga2_configfile}" +command_args="daemon -d -e ${icinga2_errorlogfile} -c ${icinga2_configfile} ${icinga2_flags}" + +icinga2_checkconfig() { + echo -n "Performing sanity check of icinga2 configuration: " + + if [ "$1" != "verbose" ]; then + quietredir="2>&1 >/dev/null" + fi + + ${command} daemon -c ${icinga2_configfile} -C + + if [ $? -ne 0 ]; then + echo "FAILED" + return 1 + else + echo "OK" + fi +} + +reload_precmd() { + if ! icinga2_checkconfig; then + return 1 + fi +} + +start_precmd() { + # Create necessary directories / change ownership + # While this is also done through pkg-plist, /var might be on a ramdisk, + # so make sure all needed files and directories are created before starting + # Icinga. + for d in "${icinga2_logdir}" "${icinga2_logdir}/compat" \ + "${icinga2_logdir}/compat/archives" "${icinga2_libdir}" \ + "${icinga2_spooldir}" "${icinga2_spooldir}/tmp" \ + "${icinga2_rundir}" "${icinga2_cachedir}"; do + if [ ! -d "${d}" ]; then + install -d -o ${icinga2_user} -g ${icinga2_group} "${d}" + fi + done + + install -d -o ${icinga2_user} -g ${icinga2_webgroup} -m 2750 "${icinga2_rundir}/cmd" + + chown -R ${icinga2_user}:${icinga2_group} "${icinga2_libdir}" + chown -R ${icinga2_user}:${icinga2_group} "${icinga2_spooldir}" + chown -R ${icinga2_user}:${icinga2_group} "${icinga2_cachedir}" + chown -R ${icinga2_user}:${icinga2_webgroup} "${icinga2_rundir}/cmd" + + + if ! icinga2_checkconfig; then + return 1 + fi + + if [ ! -f "${icinga2_logfile}" ]; then + install -o "${icinga2_user}" -g "${icinga2_group}" -m 644 /dev/null "${icinga2_logfile}" + fi +} + +start_cmd() { + ${command} ${command_args} +} + +run_rc_command "$1" diff --git a/files/usr/share/skel/dot.shrc.freebsd b/files/usr/share/skel/dot.shrc.freebsd index bc8e8da..a5147c7 100644 --- a/files/usr/share/skel/dot.shrc.freebsd +++ b/files/usr/share/skel/dot.shrc.freebsd @@ -4,6 +4,12 @@ green=$'\e[0;32m' PS1="\[${green}\]\u@\h\[${reset}\]:\[${blue}\]\W\[${green}\]\$\[${reset}\] " unset reset blue green +export CLICOLOR=1 +export PAGER=less +export LESS='-iMRS -x2' +export EDITOR=vim +export LSCOLORS=DxfxgxgxcxxbxbaCacADAd + alias ls='ls -FHh' alias ll='ls -l' alias la='ls -la' diff --git a/hostclasses b/hostclasses index 92c1d38..5115b03 100644 --- a/hostclasses +++ b/hostclasses @@ -24,5 +24,4 @@ authoritative_nameserver ^ns[0-9] asterisk_server ^pbx[0-9] nfs_server ^nfs[0-9] turn_server ^turn[0-9] -syncthing_server ^syncthing[0-9] icinga_server ^icinga[0-9] diff --git a/lib/60-postgres b/lib/60-postgres index af37c27..6f418ea 100644 --- a/lib/60-postgres +++ b/lib/60-postgres @@ -17,8 +17,8 @@ EOF } postgres_create_database(){ - # $1 = postgres_host, $2 = dbname, $3 = owner + # $1 = postgres_host, $2 = dbname, $3 = owner $4 = encoding, $5 = locale cat <<EOF | postgres_run -h "${1}" -d postgres -SELECT 'CREATE DATABASE "${2}" OWNER "${3:-postgres}"' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${2}')\\gexec +SELECT 'CREATE DATABASE "${2}" ENCODING "${4:-UTF8}" LOCALE "${5:-en_US.UTF-8}" OWNER "${3:-postgres}" TEMPLATE "template0"' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${2}')\\gexec EOF } diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index ac8bdda..bddce05 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -168,66 +168,6 @@ esac # acceleration after resuming from sleep. set_sysctl kern.vt.suspendswitch="${vt_suspendswitch:-1}" -# Fix xterm-256color termcap -# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679 -cat <<'EOF' | tic -o /usr/local/share/site-terminfo - -xterm-256color|xterm with 256 colors, - am, bce, ccc, km, mc5i, mir, msgr, npc, xenl, - colors#0x100, cols#80, it#8, lines#24, pairs#0x10000, - acsc=``aaffggiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~, - bel=^G, blink=\E[5m, bold=\E[1m, cbt=\E[Z, civis=\E[?25l, - clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=\r, - csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H, - cud=\E[%p1%dB, cud1=\n, cuf=\E[%p1%dC, cuf1=\E[C, - cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A, - cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m, - dl=\E[%p1%dM, dl1=\E[M, ech=\E[%p1%dX, ed=\E[J, el=\E[K, - el1=\E[1K, flash=\E[?5h$<100/>\E[?5l, home=\E[H, - hpa=\E[%i%p1%dG, ht=^I, hts=\EH, ich=\E[%p1%d@, - il=\E[%p1%dL, il1=\E[L, ind=\n, indn=\E[%p1%dS, - initc=\E]4;%p1%d;rgb:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\, - invis=\E[8m, is2=\E[!p\E[?3;4l\E[4l\E>, kDC=\E[3;2~, - kEND=\E[1;2F, kHOM=\E[1;2H, kIC=\E[2;2~, kLFT=\E[1;2D, - kNXT=\E[6;2~, kPRV=\E[5;2~, kRIT=\E[1;2C, ka1=\EOw, - ka3=\EOy, kb2=\EOu, kbs=^?, kc1=\EOq, kc3=\EOs, kcbt=\E[Z, - kcub1=\EOD, kcud1=\EOB, kcuf1=\EOC, kcuu1=\EOA, - kdch1=\E[3~, kend=\EOF, kent=\EOM, kf1=\EOP, kf10=\E[21~, - kf11=\E[23~, kf12=\E[24~, kf13=\E[1;2P, kf14=\E[1;2Q, - kf15=\E[1;2R, kf16=\E[1;2S, kf17=\E[15;2~, kf18=\E[17;2~, - kf19=\E[18;2~, kf2=\EOQ, kf20=\E[19;2~, kf21=\E[20;2~, - kf22=\E[21;2~, kf23=\E[23;2~, kf24=\E[24;2~, - kf25=\E[1;5P, kf26=\E[1;5Q, kf27=\E[1;5R, kf28=\E[1;5S, - kf29=\E[15;5~, kf3=\EOR, kf30=\E[17;5~, kf31=\E[18;5~, - kf32=\E[19;5~, kf33=\E[20;5~, kf34=\E[21;5~, - kf35=\E[23;5~, kf36=\E[24;5~, kf37=\E[1;6P, kf38=\E[1;6Q, - kf39=\E[1;6R, kf4=\EOS, kf40=\E[1;6S, kf41=\E[15;6~, - kf42=\E[17;6~, kf43=\E[18;6~, kf44=\E[19;6~, - kf45=\E[20;6~, kf46=\E[21;6~, kf47=\E[23;6~, - kf48=\E[24;6~, kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q, - kf51=\E[1;3R, kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~, - kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~, - kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~, - kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~, - kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~, - kind=\E[1;2B, kmous=\E[<, knp=\E[6~, kpp=\E[5~, - kri=\E[1;2A, mc0=\E[i, mc4=\E[4i, mc5=\E[5i, meml=\El, - memu=\Em, mgc=\E[?69l, nel=\EE, oc=\E]104\007, - op=\E[39;49m, rc=\E8, rep=%p1%c\E[%p2%{1}%-%db, - rev=\E[7m, ri=\EM, rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B, - rmam=\E[?7l, rmcup=\E[?1049l\E[23;0;0t, rmir=\E[4l, - rmkx=\E[?1l\E>, rmm=\E[?1034l, rmso=\E[27m, rmul=\E[24m, - rs1=\Ec\E]104\007, rs2=\E[!p\E[?3;4l\E[4l\E>, sc=\E7, - setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m, - setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m, - sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p5%t;2%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m, - sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h, - smcup=\E[?1049h\E[22;0;0t, - smglr=\E[?69h\E[%i%p1%d;%p2%ds, smir=\E[4h, - smkx=\E[?1h\E=, smm=\E[?1034h, smso=\E[7m, smul=\E[4m, - tbc=\E[3g, u6=\E[%i%d;%dR, u7=\E[6n, - u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd, -EOF - # Start login manager. case $desktop_type in kde) diff --git a/scripts/hostclass/icinga_server b/scripts/hostclass/icinga_server index ccd1d46..75ef7b8 100644 --- a/scripts/hostclass/icinga_server +++ b/scripts/hostclass/icinga_server @@ -1,9 +1,10 @@ #!/bin/sh -: ${icinga_username:='s-icinga'} +: ${icinga_threads:="$nproc"} : ${icinga_dbname:='icinga'} : ${icinga_dbhost:="$postgres_host"} : ${icinga_password:='changeme'} +: ${icinga_ticket_salt:='changeme'} : ${icingaweb_api_password:='changeme'} : ${icingaweb_dbhost:="$postgres_host"} : ${icingaweb_dbname:='icingaweb'} @@ -118,10 +119,10 @@ install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" \ "$icinga_ca_dir" [ -f "${icinga_ca_dir}/ca.crt" ] \ || icinga2 pki new-ca -[ -f "${icinga_cert_dir}/${fqdn}.csr" ] \ - || icinga2 pki new-cert --cn "$fqdn" --key "${icinga_cert_dir}/${fqdn}.key" --csr "${icinga_cert_dir}/${fqdn}.csr" -[ -f "${icinga_cert_dir}/${fqdn}.crt" ] \ - || icinga2 pki sign-csr --csr "${icinga_cert_dir}/${fqdn}.csr" --cert "${icinga_cert_dir}/${fqdn}.crt" +[ -f "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" ] \ + || icinga2 pki new-cert --cn "$BOXCONF_HOSTNAME" --key "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.key" --csr "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" +[ -f "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.crt" ] \ + || icinga2 pki sign-csr --csr "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" --cert "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.crt" ln -snfv "${icinga_ca_dir}/ca.crt" "${icinga_cert_dir}/ca.crt" # Enable icinga modules. @@ -132,7 +133,21 @@ done # Generate icinga configuration. install_template -m 0640 -g "$icinga_local_user" \ "${icinga_conf_dir}/api-users.conf" \ - "${icinga_conf_dir}/features-available/icingadb.conf" + "${icinga_conf_dir}/constants.conf" \ + "${icinga_conf_dir}/icinga2.conf" \ + "${icinga_conf_dir}/zones.conf" \ + "${icinga_conf_dir}/features-available/icingadb.conf" \ + "${icinga_conf_dir}/conf.d/users.conf" \ + "${icinga_conf_dir}/conf.d/hosts.conf" +install_file -m 0640 -g "$icinga_local_user" \ + "${icinga_conf_dir}/conf.d/app.conf" \ + "${icinga_conf_dir}/conf.d/commands.conf" \ + "${icinga_conf_dir}/conf.d/downtimes.conf" \ + "${icinga_conf_dir}/conf.d/groups.conf" \ + "${icinga_conf_dir}/conf.d/notifications.conf" \ + "${icinga_conf_dir}/conf.d/services.conf" \ + "${icinga_conf_dir}/conf.d/templates.conf" \ + "${icinga_conf_dir}/conf.d/timeperiods.conf" # Create icingaweb postgres user and database. postgres_create_database "$icingaweb_dbhost" "$icingaweb_dbname" "$icinga_username" @@ -143,6 +158,7 @@ if ! icingaweb_psql -c 'SELECT 1 FROM icingaweb_schema'; then fi # Generate icingaweb configuration. +find "$icinga_conf_dir" -name '*.sample' -delete install_directory -m 2770 -g "$nginx_user" \ "$icingaweb_conf_dir" \ "${icingaweb_conf_dir}/enabledModules" \ @@ -183,18 +199,31 @@ install_template -m 0644 \ install_certificate nginx "$icingaweb_https_cert" install_certificate_key nginx "$icingaweb_https_key" +# Icinga spawns a number of threads based on the core count of the machine. On machines +# with a large number of CPU cores, this can be undesirable (especially if run from a jail +# with cpuset()). +# +# The thread count can be overriden with the -DConcurrency=N argument to icinga2. +# Unfortunately, icinga2 rc script from ports does not have a way to override the +# daemon arguments. So we have to copy over a custom one ("myicinga2"). +# +# https://icinga.com/docs/icinga-2/latest/doc/15-troubleshooting/#try-reducing-concurrency-threads +install_file -m 0555 /usr/local/etc/rc.d/myicinga2 + # Enable and start daemons. sysrc -v \ nginx_enable=YES \ php_fpm_enable=YES \ redis_enable=YES \ icingadb_enable=YES \ - icinga2_enable=YES + myicinga2_enable=YES \ + icinga2_flags="-DConfiguration.Concurrency=${icinga_threads}" service nginx restart service php_fpm restart + service redis restart -service icingadb restart > /dev/null 2>&1 < /dev/null || die 'failed to start icingadb' -service icinga2 restart +service icingadb restart > /dev/null 2>&1 +service myicinga2 restart # Create access role. ldap_add "cn=${icingaweb_access_role},${roles_basedn}" <<EOF diff --git a/scripts/hostclass/postgresql_server b/scripts/hostclass/postgresql_server index cbd9c17..b3e8804 100644 --- a/scripts/hostclass/postgresql_server +++ b/scripts/hostclass/postgresql_server @@ -104,3 +104,8 @@ END # Load citext extension (required by icingadb) postgres_psql -c 'create extension if not exists citext;' + +# Create icinga user. +postgres_psql <<EOF +SELECT 'CREATE ROLE "${icinga_username}" WITH LOGIN' WHERE NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${icinga_username}')\\gexec +EOF diff --git a/scripts/os/freebsd/20-termcap b/scripts/os/freebsd/20-termcap new file mode 100644 index 0000000..ea5a1b5 --- /dev/null +++ b/scripts/os/freebsd/20-termcap @@ -0,0 +1,61 @@ +#!/bin/sh + +# Fix xterm-256color termcap +# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679 +cat <<'EOF' | tic -o /usr/local/share/site-terminfo - +xterm-256color|xterm with 256 colors, + am, bce, ccc, km, mc5i, mir, msgr, npc, xenl, + colors#0x100, cols#80, it#8, lines#24, pairs#0x10000, + acsc=``aaffggiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~, + bel=^G, blink=\E[5m, bold=\E[1m, cbt=\E[Z, civis=\E[?25l, + clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=\r, + csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H, + cud=\E[%p1%dB, cud1=\n, cuf=\E[%p1%dC, cuf1=\E[C, + cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A, + cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m, + dl=\E[%p1%dM, dl1=\E[M, ech=\E[%p1%dX, ed=\E[J, el=\E[K, + el1=\E[1K, flash=\E[?5h$<100/>\E[?5l, home=\E[H, + hpa=\E[%i%p1%dG, ht=^I, hts=\EH, ich=\E[%p1%d@, + il=\E[%p1%dL, il1=\E[L, ind=\n, indn=\E[%p1%dS, + initc=\E]4;%p1%d;rgb:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\, + invis=\E[8m, is2=\E[!p\E[?3;4l\E[4l\E>, kDC=\E[3;2~, + kEND=\E[1;2F, kHOM=\E[1;2H, kIC=\E[2;2~, kLFT=\E[1;2D, + kNXT=\E[6;2~, kPRV=\E[5;2~, kRIT=\E[1;2C, ka1=\EOw, + ka3=\EOy, kb2=\EOu, kbs=^?, kc1=\EOq, kc3=\EOs, kcbt=\E[Z, + kcub1=\EOD, kcud1=\EOB, kcuf1=\EOC, kcuu1=\EOA, + kdch1=\E[3~, kend=\EOF, kent=\EOM, kf1=\EOP, kf10=\E[21~, + kf11=\E[23~, kf12=\E[24~, kf13=\E[1;2P, kf14=\E[1;2Q, + kf15=\E[1;2R, kf16=\E[1;2S, kf17=\E[15;2~, kf18=\E[17;2~, + kf19=\E[18;2~, kf2=\EOQ, kf20=\E[19;2~, kf21=\E[20;2~, + kf22=\E[21;2~, kf23=\E[23;2~, kf24=\E[24;2~, + kf25=\E[1;5P, kf26=\E[1;5Q, kf27=\E[1;5R, kf28=\E[1;5S, + kf29=\E[15;5~, kf3=\EOR, kf30=\E[17;5~, kf31=\E[18;5~, + kf32=\E[19;5~, kf33=\E[20;5~, kf34=\E[21;5~, + kf35=\E[23;5~, kf36=\E[24;5~, kf37=\E[1;6P, kf38=\E[1;6Q, + kf39=\E[1;6R, kf4=\EOS, kf40=\E[1;6S, kf41=\E[15;6~, + kf42=\E[17;6~, kf43=\E[18;6~, kf44=\E[19;6~, + kf45=\E[20;6~, kf46=\E[21;6~, kf47=\E[23;6~, + kf48=\E[24;6~, kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q, + kf51=\E[1;3R, kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~, + kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~, + kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~, + kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~, + kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~, + kind=\E[1;2B, kmous=\E[<, knp=\E[6~, kpp=\E[5~, + kri=\E[1;2A, mc0=\E[i, mc4=\E[4i, mc5=\E[5i, meml=\El, + memu=\Em, mgc=\E[?69l, nel=\EE, oc=\E]104\007, + op=\E[39;49m, rc=\E8, rep=%p1%c\E[%p2%{1}%-%db, + rev=\E[7m, ri=\EM, rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B, + rmam=\E[?7l, rmcup=\E[?1049l\E[23;0;0t, rmir=\E[4l, + rmkx=\E[?1l\E>, rmm=\E[?1034l, rmso=\E[27m, rmul=\E[24m, + rs1=\Ec\E]104\007, rs2=\E[!p\E[?3;4l\E[4l\E>, sc=\E7, + setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m, + setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m, + sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p5%t;2%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m, + sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h, + smcup=\E[?1049h\E[22;0;0t, + smglr=\E[?69h\E[%i%p1%d;%p2%ds, smir=\E[4h, + smkx=\E[?1h\E=, smm=\E[?1034h, smso=\E[7m, smul=\E[4m, + tbc=\E[3g, u6=\E[%i%d;%dR, u7=\E[6n, + u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd, +EOF diff --git a/scripts/os/freebsd/42-icinga b/scripts/os/freebsd/42-icinga new file mode 100644 index 0000000..872c1c6 --- /dev/null +++ b/scripts/os/freebsd/42-icinga @@ -0,0 +1,3 @@ +#!/bin/sh + +pkg install -y monitoring-plugins diff --git a/vars/common b/vars/common index 8e9fab0..0dc1a6b 100644 --- a/vars/common +++ b/vars/common @@ -45,6 +45,7 @@ host_keytab_groupname=hostkeytab host_keytab_gid=788 lmtp_port=25 quota_status_port=10993 +icinga_username='s-icinga' krb5_ticket_lifetime=24h krb5_renew_lifetime=7d nslcd_min_uid=1000 |