author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-26 00:07:03 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-26 00:07:03 -0400 |
commit | 6e2a5993ce470341bed0e0c6ba8e44de3712d50e (patch) | |
tree | 7a6bad35bac69e5f9264a5dde460335b1068ec9e /files | |
parent | 7bb5176a0e1d3a7d8a119b92758404d514f59be9 (diff) | |
download | infrastructure-6e2a5993ce470341bed0e0c6ba8e44de3712d50e.tar.gz |
more icinga stuff
Diffstat (limited to 'files')
22 files changed, 860 insertions, 164 deletions
diff --git a/files/etc/login.access.freebsd b/files/etc/login.access.freebsd
index e6667db..c2d6fc1 100644
--- a/files/etc/login.access.freebsd
+++ b/files/etc/login.access.freebsd
@@ -1,5 +1,6 @@
 # Always allow root logins.
 +:root:ALL
++:${icinga_local_user}:ALL
 $(if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then
 printf -- '-:ALL EXCEPT '
diff --git a/files/usr/local/etc/dovecot/conf.d/10-master.conf.imap_server b/files/usr/local/etc/dovecot/conf.d/10-master.conf.imap_server
index 1445cb6..4aeed76 100644
--- a/files/usr/local/etc/dovecot/conf.d/10-master.conf.imap_server
+++ b/files/usr/local/etc/dovecot/conf.d/10-master.conf.imap_server
@@ -13,7 +13,6 @@ service lmtp {
 user = ${dovecot_vmail_user}
 inet_listener lmtp {
 port = ${lmtp_port}
- ssl = yes
 }
 }
diff --git a/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server
index dd78f14..f8017ec 100644
--- a/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/commands.conf.icinga_server
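Review bot: `+:${icinga_local_user}:ALL` permits the Icinga check account to log in from any origin, while the only use visible in this commit is the `by_ssh`-based `mailq_by_ssh` check run from the Icinga server. login.access takes a host name or address in the origin column, so the rule can be pinned to that server — `+:${icinga_local_user}:${icinga_fqdn}` if that variable is in scope for this template (it is used in notifications.conf), otherwise a placeholder such as `<icinga-server-address>` to fill in. A short comment above the line naming the check that needs this login would also help the next reader, since the rule sits just before the generated `-:ALL EXCEPT` deny.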
@@ -1,40 +1,189 @@ object NotificationCommand "mail-host-notification" { command = [ ConfigDir + "/scripts/mail-host-notification.sh" ] - env = { - NOTIFICATIONTYPE = "$notification.type$" - HOSTDISPLAYNAME = "$host.display_name$" - HOSTNAME = "$host.name$" - HOSTADDRESS = "$address$" - HOSTSTATE = "$host.state$" - LONGDATETIME = "$icinga.long_date_time$" - HOSTOUTPUT = "$host.output$" - NOTIFICATIONAUTHORNAME = "$notification.author$" - NOTIFICATIONCOMMENT = "$notification.comment$" - HOSTDISPLAYNAME = "$host.display_name$" - USEREMAIL = "$user.email$" - HOSTNOTES = "$host.notes$" + arguments += { + "-4" = "$notification_address$" + "-6" = "$notification_address6$" + "-b" = "$notification_author$" + "-c" = "$notification_comment$" + "-d" = { + required = true + value = "$notification_date$" + } + "-f" = { + value = "$notification_from$" + description = "Set from address. Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)" + } + "-i" = "$notification_icingaweb2url$" + "-l" = { + required = true + value = "$notification_hostname$" + } + "-n" = { + required = true + value = "$notification_hostdisplayname$" + } + "-o" = { + required = true + value = "$notification_hostoutput$" + } + "-r" = { + required = true + value = "$notification_useremail$" + } + "-s" = { + required = true + value = "$notification_hoststate$" + } + "-X" = "$notification_hostnotes$" + "-t" = { + required = true + value = "$notification_type$" + } + "-v" = "$notification_logtosyslog$" + } + + vars += { + notification_address = "$address$" + notification_address6 = "$address6$" + notification_author = "$notification.author$" + notification_comment = "$notification.comment$" + notification_type = "$notification.type$" + notification_date = "$icinga.long_date_time$" + notification_hostname = "$host.name$" + notification_hostdisplayname = "$host.display_name$" + notification_hostoutput = "$host.output$" + notification_hoststate = "$host.state$" + notification_useremail = "$user.email$" + 
notification_hostnotes = "$host.notes$" } } object NotificationCommand "mail-service-notification" { command = [ ConfigDir + "/scripts/mail-service-notification.sh" ] - env = { - NOTIFICATIONTYPE = "$notification.type$" - SERVICENAME = "$service.name$" - HOSTNAME = "$host.name$" - HOSTDISPLAYNAME = "$host.display_name$" - HOSTADDRESS = "$address$" - SERVICESTATE = "$service.state$" - LONGDATETIME = "$icinga.long_date_time$" - SERVICEOUTPUT = "$service.output$" - NOTIFICATIONAUTHORNAME = "$notification.author$" - NOTIFICATIONCOMMENT = "$notification.comment$" - HOSTDISPLAYNAME = "$host.display_name$" - SERVICEDISPLAYNAME = "$service.display_name$" - USEREMAIL = "$user.email$" - HOSTNOTES = "$host.notes$" - SERVICENOTES = "$service.notes$" + arguments += { + "-4" = "$notification_address$" + "-6" = "$notification_address6$" + "-b" = "$notification_author$" + "-c" = "$notification_comment$" + "-d" = { + required = true + value = "$notification_date$" + } + "-e" = { + required = true + value = "$notification_servicename$" + } + "-f" = { + value = "$notification_from$" + description = "Set from address. 
Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)" + } + "-i" = "$notification_icingaweb2url$" + "-l" = { + required = true + value = "$notification_hostname$" + } + "-n" = { + required = true + value = "$notification_hostdisplayname$" + } + "-o" = { + required = true + value = "$notification_serviceoutput$" + } + "-r" = { + required = true + value = "$notification_useremail$" + } + "-s" = { + required = true + value = "$notification_servicestate$" + } + "-t" = { + required = true + value = "$notification_type$" + } + "-X" = "$notification_hostnotes$" + "-x" = "$notification_servicenotes$" + "-u" = { + required = true + value = "$notification_servicedisplayname$" + } + "-v" = "$notification_logtosyslog$" + } + + vars += { + notification_address = "$address$" + notification_address6 = "$address6$" + notification_author = "$notification.author$" + notification_comment = "$notification.comment$" + notification_type = "$notification.type$" + notification_date = "$icinga.long_date_time$" + notification_hostname = "$host.name$" + notification_hostdisplayname = "$host.display_name$" + notification_servicename = "$service.name$" + notification_serviceoutput = "$service.output$" + notification_servicestate = "$service.state$" + notification_useremail = "$user.email$" + notification_servicedisplayname = "$service.display_name$" + notification_hostnotes = "$host.notes$" + notification_servicenotes = "$service.notes$" + } +} + +object CheckCommand "eapol" { + command = [ PluginDir + "/check_eapol" ] + arguments = { + "-c" = { + value = "$eapol_config_file$" + required = true + description = "Path to wpa_supplicant config file" + } + "-a" = { + value = "$eapol_address$" + required = true + description = "IP address of the RADIUS server" + } + "-p" = { + value = "$eapol_port$" + required = true + description = "Port of the RADIUS server" + } + "-s" = { + value = "$eapol_secret$" + required = true + description = "Shared secret with the RADIUS server" + } + "-t" = { + 
value = "$eapol_timeout$" + description = "Timeout in seconds" + } + "-d" = { + set_if = "$eapol_debug$" + description = "Enable debugging output" + } } + + vars.eapol_timeout = 5 + vars.eapol_port = 1812 + vars.eapol_address = "$host.address$" + vars.eapol_debug = false +} + +object CheckCommand "smtp2" { + import "smtp" + arguments += { + "-L" = { + set_if = "$smtp_lmtp$" + description = "Send LHLO instead of HELO/EHLO" + } + } +} + +object CheckCommand "mailq_by_ssh" { + import "mailq" + import "by_ssh" + vars.by_ssh_command = {{ get_check_command("mailq").command }} + vars.by_ssh_arguments = {{ get_check_command("mailq").arguments }} } diff --git a/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server index e69de29..49a9912 100644 --- a/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/downtimes.conf.icinga_server @@ -0,0 +1 @@ +// No downtimes diff --git a/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server index dbc2a54..65a3d6d 100644 --- a/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/hosts.conf.icinga_server 
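Review bot: The `eapol` CheckCommand hands the RADIUS shared secret to the plugin as a command-line argument (`"-s" = { value = "$eapol_secret$" required = true ... }`), so it is visible in the process list to every local user on the monitoring host for the duration of each check. CheckCommand objects accept an `env` block — the mechanism the two removed NotificationCommand `env = { ... }` blocks used — so the secret could instead be passed as `env = { EAPOL_SECRET = "$eapol_secret$" }` with the `-s` argument dropped, provided check_eapol (added by this commit but outside this view) reads it from the environment or from a file. The `*secret*` denylist entry added to roles.ini hides the custom variable in Icinga Web but does nothing for the process list.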
@@ -1,3 +1,103 @@
-/*
- * Add custom hosts here.
- */
+// TODO: we can generate this from LDAP.
+
+object Host "icinga1" {
+ address = "icinga1.${domain}"
+ check_command = "dummy"
+ vars.os = "FreeBSD"
+}
+
+object Host "idm1" {
+ address = "idm1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "idm2" {
+ address = "idm2.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "pkg1" {
+ address = "pkg1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "smtp1" {
+ address = "smtp1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "imap1" {
+ address = "imap1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "postgres1" {
+ address = "postgres1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "turn1" {
+ address = "turn1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "xmpp1" {
+ address = "xmpp1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "www1" {
+ address = "www1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "dav1" {
+ address = "dav1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "ttrss1" {
+ address = "ttrss1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "bitwarden1" {
+ address = "bitwarden1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "znc1" {
+ address = "znc1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "cups1" {
+ address = "cups1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "invidious1" {
+ address = "invidious1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "radius1" {
+ // We must use the raw IP address because eapol_test does not resolve hostnames.
+ address = "$(host "radius1.${domain}" | awk '{print $NF}')"
+ vars.os = "FreeBSD"
+}
+
+object Host "unifi1" {
+ address = "unifi1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "nfs1" {
+ address = "nfs1.${domain}"
+ vars.os = "FreeBSD"
+}
+
+object Host "desktop1" {
+ address = "desktop1.${domain}"
+ vars.os = "FreeBSD"
+}
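Review bot: `address = "$(host "radius1.${domain}" | awk '{print $NF}')"` resolves the name once, when the template is rendered, and does not check that the lookup worked: on NXDOMAIN or a timeout `host` prints an error and `awk '{print $NF}'` turns its last word into the address, and if the name has both A and AAAA records the pipeline prints one address per line and the resulting string breaks the Icinga config. Restricting the lookup to one record type and one line, `address = "$(host -t A "radius1.${domain}" | awk 'NR == 1 && $NF ~ /^[0-9.]+$/ {print $NF}')"`, at least yields an empty string instead of garbage on failure, which should then be caught before the config is installed. Pinning the address in a variable next to `icinga_radius_cidr` (used in clients.conf) avoids the lookup entirely and fits the `// TODO` at the top of the hunk about generating this file from a source of truth.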
diff --git a/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server
index effff9e..4f581cc 100644
--- a/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/notifications.conf.icinga_server
@@ -1,23 +1,33 @@
-apply Notification "mail-icingaadmin" to Host {
- import "mail-host-notification"
- user_groups = host.vars.notification.mail.groups
- users = host.vars.notification.mail.users
+apply Notification "email" to Host {
+ command = "mail-host-notification"
- //interval = 2h
+ states = [ Up, Down ]
+ types = [ Problem, Acknowledgement, Recovery, Custom,
+ FlappingStart, FlappingEnd,
+ DowntimeStart, DowntimeEnd, DowntimeRemoved ]
- //vars.notification_logtosyslog = true
+ users = [ "sysadmins" ]
- assign where host.vars.notification.mail
+ vars += {
+ notification_icingaweb2url = "https://${icinga_fqdn}"
+ }
+
+ assign where true
 }
-apply Notification "mail-icingaadmin" to Service {
- import "mail-service-notification"
- user_groups = host.vars.notification.mail.groups
- users = host.vars.notification.mail.users
+apply Notification "email" to Service {
+ command = "mail-service-notification"
+
+ states = [ OK, Warning, Critical, Unknown ]
+ types = [ Problem, Acknowledgement, Recovery, Custom,
+ FlappingStart, FlappingEnd,
+ DowntimeStart, DowntimeEnd, DowntimeRemoved ]
- //interval = 2h
+ users = [ "sysadmins" ]
- //vars.notification_logtosyslog = true
+ vars += {
+ notification_icingaweb2url = "https://${icinga_fqdn}"
+ }
- assign where host.vars.notification.mail
+ assign where true
 }
diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
index 5b00864..8d0433f 100644
--- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server
@@ -1,165 +1,331 @@ +apply Service "icinga" { + check_command = "icinga" + assign where host.name == NodeName +} + +apply Service "icingadb" { + check_command = "icingadb" + assign where host.name == NodeName +} + apply Service "ssh" { - import "generic-service" check_command = "ssh" - assign where host.vars.os in ["FreeBSD","Linux"] + assign where host.vars.os in ["FreeBSD"," Linux"] } -apply Service "icinga" { - import "generic-service" - check_command = "icinga" +apply Service "upstream-packet-loss" { + check_command = "ping" + display_name = "upstream packet loss" + vars.ping_address = "${icinga_upstream_ping_address}" + vars.ping_wpl = ${icinga_upstream_packet_loss_warn} + vars.ping_cpl = ${icinga_upstream_packet_loss_crit} + vars.ping_wrta = ${icinga_upstream_latency_warn} + vars.ping_crta = ${icinga_upstream_latency_crit} + vars.ping_packets = ${icinga_upstream_packet_count} assign where host.name == NodeName } apply Service "dns" { - import "generic-service" check_command = "dns" - vars.dns_lookup = "$address$" - vars.dns_server = "$address$" - vars.dns_wtime = ResponseTimeWarn - vars.dns_ctime = ResponseTimeCrit + vars.dns_lookup = "\$address\$" + vars.dns_server = "\$address\$" + vars.dns_wtime = ${icinga_response_time_warn} + vars.dns_ctime = ${icinga_response_time_crit} + assign where "idm-servers" in host.groups +} + +apply Service "resolver" { + check_command = "dns" + vars.dns_lookup = "www.google.com" + vars.dns_server = "\$address\$" + vars.dns_wtime = ${icinga_response_time_warn} + vars.dns_ctime = ${icinga_response_time_crit} assign where "idm-servers" in host.groups } apply Service "ldap" { - import "generic-service" check_command = "ldap" vars.ldap_port = 389 - vars.ldap_warning = ResponseTimeWarn - vars.ldap_critical = ResponseTimeCrit + vars.ldap_warning = ${icinga_response_time_warn} + vars.ldap_critical = ${icinga_response_time_crit} vars.ldap_v2 = false vars.ldap_v3 = true vars.ldap_starttls = true - vars.ldap_bind = IcingaDN + 
vars.ldap_bind = "${icinga_dn}" vars.ldap_pass = IcingaPassword - vars.ldap_base = HostsBaseDn + vars.ldap_base = "${hosts_basedn}" vars.ldap_attr = "(cn=" + NodeName + ")" assign where "idm-servers" in host.groups } apply Service "ldaps" { - import "generic-service" check_command = "ldap" vars.ldap_port = 636 - vars.ldap_warning = ResponseTimeWarn - vars.ldap_critical = ResponseTimeCrit + vars.ldap_warning = ${icinga_response_time_warn} + vars.ldap_critical = ${icinga_response_time_crit} vars.ldap_v2 = false vars.ldap_v3 = true vars.ldap_ssl = true - vars.ldap_bind = IcingaDN + vars.ldap_bind = "${icinga_dn}" vars.ldap_pass = IcingaPassword - vars.ldap_base = HostsBaseDn + vars.ldap_base = "${hosts_basedn}" vars.ldap_attr = "(cn=" + NodeName + ")" assign where "idm-servers" in host.groups } apply Service "imap" { - import "generic-service" check_command = "imap" vars.imap_port = 993 vars.imap_ssl = true - vars.imap_certificate_age = CertDaysWarn - vars.imap_warning = ResponseTimeWarn - vars.imap_critical = ResponseTimeCrit + vars.imap_certificate_age = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + vars.imap_warning = ${icinga_response_time_warn} + vars.imap_critical = ${icinga_response_time_crit} + assign where "imap-servers" in host.groups +} + +apply Service "lmtp" { + check_command = "smtp2" + vars.smtp_port = 25 + vars.smtp_starttls = true + vars.smtp_lmtp = true + vars.smtp_mail_from = "${icinga_smtp_mail_from}" + vars.smtp_command = "RCPT TO:<" + "${icinga_lmtp_rcpt_to}" + ">" + vars.smtp_response = "250 2.1.5 OK" + assign where "imap-servers" in host.groups +} + +apply Service "lmtp-cert" { + display_name = "lmtp certificate" + check_command = "smtp2" + vars.smtp_lmtp = true + vars.smtp_port = 25 + vars.smtp_certificate_age = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + vars.smtp_starttls = true assign where "imap-servers" in host.groups } apply Service "smtp" { - import "generic-service" check_command = "smtp" vars.smtp_port = 
25 - vars.smtp_certificate_age = CertDaysWarn vars.smtp_starttls = true - vars.smtp_warning = ResponseTimeWarn - vars.smtp_critical = ResponseTimeCrit + vars.smtp_warning = ${icinga_response_time_warn} + vars.smtp_critical = ${icinga_response_time_crit} + vars.smtp_mail_from = "${icinga_smtp_mail_from}" + vars.smtp_command = "RCPT TO:<" + "${icinga_smtp_rcpt_to}" + ">" + vars.smtp_response = "250 2.1.5 Ok" + assign where "smtp-servers" in host.groups +} + +apply Service "smtp-cert" { + display_name = "smtp certificate" + check_command = "smtp" + vars.smtp_port = 25 + vars.smtp_certificate_age = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + vars.smtp_starttls = true assign where "smtp-servers" in host.groups } + apply Service "submission" { - import "generic-service" check_command = "smtp" vars.smtp_port = 587 - vars.smtp_certificate_age = CertDaysWarn + vars.smtp_certificate_age = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} vars.smtp_starttls = true - vars.smtp_warning = ResponseTimeWarn - vars.smtp_critical = ResponseTimeCrit + vars.smtp_warning = ${icinga_response_time_warn} + vars.smtp_critical = ${icinga_response_time_crit} + assign where "smtp-servers" in host.groups +} + +apply Service "mailq" { + check_command = "mailq_by_ssh" + vars.mailq_servertype = "postfix" + vars.mailq_warning = ${icinga_mailq_warn} + vars.mailq_critical = ${icinga_mailq_crit} assign where "smtp-servers" in host.groups } apply Service "postgres" { - import "generic-service" check_command = "pgsql" - vars.pgsql_warning = ResponseTimeWarn - vars.pgsql_critical = ResponseTimeCrit - vars.pgsql_username = IcingaUsername + vars.pgsql_warning = ${icinga_response_time_warn} + vars.pgsql_critical = ${icinga_response_time_crit} + vars.pgsql_username = "${icinga_username}" vars.pgsql_password = IcingaPassword + vars.pgsql_options = ["sslmode=verify-full", "sslrootcert=system"] assign where "postgresql-servers" in host.groups } +apply Service "eap-cert" { + 
check_command = "eapol" + vars.eapol_secret = IcingaRadiusSecret + vars.eapol_config_file = "${icinga_home_dir}/eap-tls.conf" + assign where "radius-servers" in host.groups +} + +apply Service "eap-ttls-pap" { + check_command = "eapol" + vars.eapol_secret = IcingaRadiusSecret + vars.eapol_config_file = "${icinga_home_dir}/eap-ttls-pap.conf" + assign where "radius-servers" in host.groups +} + +apply Service "irc" { + check_command = "tcp" + vars.tcp_port = 6697 + vars.tcp_ssl = true + vars.tcp_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + vars.tcp_wtime = ${icinga_response_time_warn} + vars.tcp_ctime = ${icinga_response_time_crit} + assign where "znc-servers" in host.groups +} + +apply Service "turn" { + check_command = "tcp" + vars.tcp_port = 3478 + vars.tcp_wtime = ${icinga_response_time_warn} + vars.tcp_ctime = ${icinga_response_time_crit} + assign where "turn-servers" in host.groups +} + +apply Service "cups" { + check_command = "http" + display_name = "cups status" + vars.http_vhost = "\$address\$" + vars.http_port = 631 + vars.http_expect = "HTTP/1.1 200 OK" + vars.http_ssl = true + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("cups-servers" in host.groups) +} + +apply Service "cups-cert" { + check_command = "http" + display_name = "cups certificate" + vars.http_vhost = "\$address\$" + vars.http_port = 631 + vars.http_ssl = true + vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + assign where ("cups-servers" in host.groups) +} + // Expect HTTP 200 apply Service "http" { - import "generic-service" check_command = "http" - vars.http_vhost = "$address$" + display_name = "http status" + vars.http_vhost = "\$address\$" vars.http_expect = "HTTP/1.1 200 OK" vars.http_ssl = false - vars.http_warn_time = ResponseTimeWarn - vars.http_critical_time = ResponseTimeCrit - assign where ("cups-servers" in host.groups - || 
"pkg-repositories" in host.groups) + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("pkg-repositories" in host.groups) } // Expect HTTP 301 apply Service "http" { - import "generic-service" check_command = "http" - vars.http_vhost = "$address$" + display_name = "http status" + vars.http_vhost = "\$address\$" vars.http_expect = "HTTP/1.1 301 Moved Permanently" vars.http_ssl = false - vars.http_warn_time = ResponseTimeWarn - vars.http_critical_time = ResponseTimeCrit + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} assign where ("dav-servers" in host.groups || "smtp-servers" in host.groups || "ttrss-servers" in host.groups || "invidious-servers" in host.groups || "nfs-servers" in host.groups - || "pkg-servers" in host.groups - || "unifi-controllers" in host.groups || "web-servers" in host.groups || "xmpp-servers" in host.groups - || "znc-servers" in host.groups) + || "znc-servers" in host.groups + || "icinga-servers" in host.groups + || "bitwarden-servers" in host.groups) +} + +// Expect HTTP 302 +apply Service "http" { + check_command = "http" + display_name = "http status" + vars.http_vhost = "\$address\$" + vars.http_expect = "HTTP/1.1 302" + vars.http_ssl = false + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("unifi-controllers" in host.groups) } // Expect HTTPS 401 apply Service "https" { - import "generic-service" check_command = "http" - vars.http_vhost = "$address$" + display_name = "https status" + vars.http_vhost = "\$address\$" vars.http_expect = "HTTP/1.1 401 Unauthorized" vars.http_ssl = true - vars.http_certificate = CertDaysWarn + "," + CertDaysCrit - vars.http_warn_time = ResponseTimeWarn - vars.http_critical_time = ResponseTimeCrit - assign where ("dav-servers" in host.groups - || "cups-servers" in host.groups - || "smtp-servers" in 
host.groups - || "ttrss-servers" in host.groups) + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("dav-servers" in host.groups + || "smtp-servers" in host.groups + || "icinga-servers" in host.groups + || "ttrss-servers" in host.groups) } // Expect HTTPS 200 apply Service "https" { - import "generic-service" check_command = "http" - vars.http_vhost = "$address$" + display_name = "https status" + vars.http_vhost = "\$address\$" vars.http_expect = "HTTP/1.1 200 OK" vars.http_ssl = true - vars.http_certificate = CertDaysWarn + "," + CertDaysCrit - vars.http_warn_time = ResponseTimeWarn - vars.http_critical_time = ResponseTimeCrit + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("pkg-repositories" in host.groups + || "web-servers" in host.groups + || "xmpp-servers" in host.groups + || "znc-servers" in host.groups + || "bitwarden-servers" in host.groups) +} + +// Expect HTTPS 404 +apply Service "https" { + check_command = "http" + display_name = "https status" + vars.http_vhost = "\$address\$" + vars.http_expect = "HTTP/1.1 404 Not Found" + vars.http_ssl = true + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("nfs-servers" in host.groups) +} + +// Expect HTTPS 302 +apply Service "https" { + check_command = "http" + display_name = "https status" + vars.http_vhost = "\$address\$" + vars.http_expect = "HTTP/1.1 302" + vars.http_ssl = true + vars.http_warn_time = ${icinga_response_time_warn} + vars.http_critical_time = ${icinga_response_time_crit} + assign where ("unifi-controllers" in host.groups + || "invidious-servers" in host.groups) +} + +// Certificate validity +apply Service "https-cert" { + check_command = "http" + display_name = "https certificate" + vars.http_vhost = "\$address\$" + vars.http_ssl = true + vars.http_certificate = 
${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} assign where ("invidious-servers" in host.groups || "nfs-servers" in host.groups - || "pkg-servers" in host.groups + || "pkg-repositories" in host.groups || "unifi-controllers" in host.groups || "web-servers" in host.groups || "xmpp-servers" in host.groups - || "znc-servers" in host.groups) + || "znc-servers" in host.groups + || "bitwarden-servers" in host.groups + || "dav-servers" in host.groups + || "smtp-servers" in host.groups + || "icinga-servers" in host.groups + || "ttrss-servers" in host.groups) } diff --git a/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server index 1aae5ac..0ebe46e 100644 --- a/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server 
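Review bot: `assign where host.vars.os in ["FreeBSD"," Linux"]` in the `ssh` service carries a leading space inside `" Linux"`, so a host with `vars.os = "Linux"` silently gets no ssh check where the previous line matched `"Linux"`; it should read `assign where host.vars.os in ["FreeBSD", "Linux"]`. Two related items in the same hunk: `vars.smtp_response = "250 2.1.5 OK"` for `lmtp` versus `"250 2.1.5 Ok"` for `smtp` may be deliberate (the two daemons capitalise differently) but deserves a comment saying so, and the `eap-cert` / `eap-ttls-pap` services point at `${icinga_home_dir}/eap-tls.conf` and `eap-ttls-pap.conf`, which presumably carry a client key and the TTLS password and so should be deployed mode 0600 for the check user. Those wpa_supplicant config files are not part of this commit, so that cannot be confirmed here.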
@@ -12,39 +12,10 @@ template Service "generic-service" default {
 }
 template User "generic-user" default {
-
-}
-
-template Notification "mail-host-notification" {
- command = "mail-host-notification"
-
- states = [ Up, Down ]
- types = [ Problem, Acknowledgement, Recovery, Custom,
- FlappingStart, FlappingEnd,
- DowntimeStart, DowntimeEnd, DowntimeRemoved ]
-
- vars += {
- // notification_icingaweb2url = "https://www.example.com/icingaweb2"
- // notification_from = "Icinga 2 Host Monitoring <icinga@example.com>"
- notification_logtosyslog = false
- }
-
- period = "24x7"
 }
-template Notification "mail-service-notification" {
- command = "mail-service-notification"
-
- states = [ OK, Warning, Critical, Unknown ]
- types = [ Problem, Acknowledgement, Recovery, Custom,
- FlappingStart, FlappingEnd,
- DowntimeStart, DowntimeEnd, DowntimeRemoved ]
-
- vars += {
- // notification_icingaweb2url = "https://www.example.com/icingaweb2"
- // notification_from = "Icinga 2 Service Monitoring <icinga@example.com>"
- notification_logtosyslog = false
- }
-
+template Notification "generic-notification" default {
+ // Don't repeat notifications.
+ interval = 0
 period = "24x7"
 }
diff --git a/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server
index 1ddaf55..5d3f19d 100644
--- a/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/conf.d/users.conf.icinga_server
@@ -1,12 +1,5 @@
-object User "icingaadmin" {
+object User "sysadmins" {
 import "generic-user"
-
- display_name = "Icinga 2 Admin"
- groups = [ "icingaadmins" ]
-
- email = "icinga@localhost"
-}
-
-object UserGroup "icingaadmins" {
- display_name = "Icinga 2 Admin Group"
+ display_name = "System Administrators"
+ email = "${icinga_notification_mail_to}"
 }
diff --git a/files/usr/local/etc/icinga2/constants.conf.icinga_server b/files/usr/local/etc/icinga2/constants.conf.icinga_server
index 592da99..dea4160 100644
--- a/files/usr/local/etc/icinga2/constants.conf.icinga_server
+++ b/files/usr/local/etc/icinga2/constants.conf.icinga_server
@@ -4,11 +4,5 @@ const PluginContribDir = "/usr/local/libexec/nagios"
 const NodeName = "${BOXCONF_HOSTNAME}"
 const ZoneName = NodeName
 const TicketSalt = "${icinga_ticket_salt}"
-const CertDaysWarn = 30
-const CertDaysCrit = 20
-const ResponseTimeWarn = 0.5
-const ResponseTimeCrit = 1
-const HostsBaseDn = "${hosts_basedn}"
-const IcingaUsername = "${icinga_username}"
 const IcingaPassword = "${icinga_password}"
-const IcingaDN = "${icinga_dn}"
+const IcingaRadiusSecret = "${icinga_radius_secret}"
diff --git a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
index 2511267..d67a664 100644
--- a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
+++ b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
@@ -5,9 +5,9 @@ groups = "$(join ',' $icingaweb_admin_groups)"
 EOF
 fi)
 permissions = "*"
-icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*"
+icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*,*secret*"
 [Users]
 groups = "${icingaweb_access_role}"
 permissions = "module/icingadb"
-icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*"
+icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*,*secret*"
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
index 802568f..1f42202 100644
--- a/files/usr/local/etc/postfix/main.cf.smtp_server
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
@@ -74,7 +74,6 @@ smtp_tls_loglevel = 1
 lmtp_tls_CApath = ${system_cacert_path}
 lmtp_tls_security_level = encrypt
-lmtp_tls_wrappermode = yes
 lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
 smtp_tls_loglevel = 1
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index 1d3a308..3a80736 100644
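Review bot: `const IcingaRadiusSecret = "${icinga_radius_secret}"` is substituted by the shell templater straight into a double-quoted Icinga string, so a secret containing `"`, `\` or `$` will either break config parsing or change the value unless the templater escapes it, and nothing in this diff shows that it does. The same applies to the pre-existing `IcingaPassword`, so the fix belongs in one place: escape at generation time, or restrict the generator of `icinga_radius_secret` to a character set that needs no escaping and record that next to the constant, e.g. `// Interpolated unescaped: the secret must not contain ", \ or $.` Constants are also readable on the host via `icinga2 variable list`, so constants.conf should stay readable only by the icinga user; the `*secret*` denylist added to roles.ini applies to custom variables in Icinga Web, which is where `eapol_secret` shows up, not to constants.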
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -81,6 +81,7 @@ security_pinentry-qt5_SET=LIBSECRET
 security_sudo_SET=LDAP
 security_sudo_UNSET=GSSAPI_MIT
 security_vaultwarden_SET=PGSQL
+security_wpa_supplicant_SET=EAPOL_TEST
 shells_bash_UNSET=PORTS_READLINE
 sysutils_htop_SET=LSOF
 sysutils_k3b_UNSET=EMOVIX VCDIMAGER
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 1f11a33..8542c20 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -114,6 +114,7 @@ security/py-omemo-dr
 security/sshpass
 security/sudo
 security/vaultwarden
+security/wpa_supplicant
 sysutils/cpu-microcode
 sysutils/htop
 sysutils/k3b
diff --git a/files/usr/local/etc/raddb/clients.conf.radius_server b/files/usr/local/etc/raddb/clients.conf.radius_server
new file mode 100644
index 0000000..033b059
--- /dev/null
+++ b/files/usr/local/etc/raddb/clients.conf.radius_server
@@ -0,0 +1,16 @@
+client icinga {
+ ipaddr = ${icinga_radius_cidr}
+ secret = ${icinga_radius_secret}
+}
+
+$(for client_name in $radius_clients; do
+ eval "client_address=\$radius_${client_name}_address"
+ eval "client_secret=\$radius_${client_name}_secret"
+ cat <<EOF
+client ${client_name} {
+ ipaddr = ${client_address}
+ secret = ${client_secret}
+}
+
+EOF
+done)
diff --git a/files/usr/local/etc/raddb/mods-available/eap.radius_server b/files/usr/local/etc/raddb/mods-available/eap.radius_server
index 5c1aafd..789bc0e 100644
--- a/files/usr/local/etc/raddb/mods-available/eap.radius_server
+++ b/files/usr/local/etc/raddb/mods-available/eap.radius_server
@@ -39,4 +39,12 @@ eap {
 tls {
 tls = tls-common
 }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+ virtual_server = "inner-tunnel"
+ }
 }
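Review bot: `secret = ${icinga_radius_secret}` and `secret = ${client_secret}` are emitted unquoted, and the FreeRADIUS config parser reads an unquoted value only up to whitespace and may treat `#` as a comment start, so a generated secret containing either character is truncated on the server side and the client's full secret then never matches. Quoting the values, `secret = "${icinga_radius_secret}"` and `secret = "${client_secret}"`, is the conventional form and costs nothing. Separately, `ipaddr = ${icinga_radius_cidr}` shares one secret with an entire prefix; if the Icinga server has a fixed address, a single-host entry there limits who can present that secret, and the per-client loop can do the same when `${client_address}` is a host rather than a range.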
diff --git a/files/usr/local/etc/raddb/mods-available/ldap.radius_server b/files/usr/local/etc/raddb/mods-available/ldap.radius_server
new file mode 100644
index 0000000..09442f0
--- /dev/null
+++ b/files/usr/local/etc/raddb/mods-available/ldap.radius_server
@@ -0,0 +1,107 @@
+ldap {
+ $(printf " server = '%s'\n" ${ldap_hosts})
+
+ base_dn = '${users_basedn}'
+
+ sasl {
+ mech = 'GSSAPI'
+ realm = '${realm}'
+ }
+
+ update {
+ control:Password-With-Header += 'userPassword'
+ control: += 'radiusControlAttribute'
+ request: += 'radiusRequestAttribute'
+ reply: += 'radiusReplyAttribute'
+ }
+
+ user_dn = "LDAP-UserDn"
+
+ user {
+ base_dn = "\${..base_dn}"
+ filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+ }
+
+ group {
+ base_dn = '${groups_basedn}'
+ filter = '(objectClass=groupOfMembers)'
+ name_attribute = cn
+ membership_filter = "(member=%{control:\${..user_dn}})"
+ membership_attribute = 'memberOf'
+ cacheable_name = 'yes'
+ cacheable_dn = 'yes'
+ allow_dangling_group_ref = 'yes'
+ }
+
+ profile { }
+
+ client {
+ base_dn = "\${..base_dn}"
+ filter = '(objectClass=radiusClient)'
+
+ template { }
+
+ attribute {
+ ipaddr = 'radiusClientIdentifier'
+ secret = 'radiusClientSecret'
+ }
+ }
+
+ read_clients = no
+
+ accounting {
+ reference = "%{tolower:type.%{Acct-Status-Type}}"
+
+ type {
+ start {
+ update {
+ description := "Online at %S"
+ }
+ }
+
+ interim-update {
+ update {
+ description := "Last seen at %S"
+ }
+ }
+
+ stop {
+ update {
+ description := "Offline at %S"
+ }
+ }
+ }
+ }
+
+ post-auth {
+ update {
+ description := "Authenticated at %S"
+ }
+ }
+
+ options {
+ chase_referrals = yes
+ rebind = yes
+ res_timeout = 10
+ srv_timelimit = 3
+ net_timeout = 1
+ idle = 60
+ probes = 3
+ interval = 3
+ ldap_debug = 0x0000
+ }
+
+ tls { }
+
+ pool {
+ start = \${thread[pool].start_servers}
+ min = \${thread[pool].min_spare_servers}
+ max = \${thread[pool].max_servers}
+
+ spare = \${thread[pool].max_spare_servers}
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+}
diff --git a/files/usr/local/etc/raddb/sites-available/inner-tunnel.radius_server b/files/usr/local/etc/raddb/sites-available/inner-tunnel.radius_server
new file mode 100644
index 0000000..81b2a41
--- /dev/null
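Review bot: `control:Password-With-Header += 'userPassword'` reads the stored password out of the directory on every lookup, yet `tls { }` is empty and `server` comes from `${ldap_hosts}` with no visible scheme, so whether that attribute crosses the network protected depends on what `ldap_hosts` expands to and on whether the GSSAPI bind negotiates a confidentiality layer — worth confirming. For the `inner-tunnel` added in this commit the line also appears unused: that server sets `control:Auth-Type := ldap` whenever the lookup succeeds, so authentication is the bind-as-user in `Auth-Type LDAP` rather than a local `pap` comparison, and dropping the line would let the service account do without read access to `userPassword` (unless the outer server, outside this commit, relies on it). Either way a comment above the `update {}` block stating which mechanism is relied on would save the next reader that analysis, e.g. `# userPassword is only needed for local PAP comparison; inner-tunnel authenticates by LDAP bind`.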
+++ b/files/usr/local/etc/raddb/sites-available/inner-tunnel.radius_server
@@ -0,0 +1,90 @@
+server inner-tunnel {
+ listen {
+ ipaddr = 127.0.0.1
+ port = 18120
+ type = auth
+ }
+
+ authorize {
+ filter_username
+ chap
+ suffix
+
+ update control {
+ &Proxy-To-Realm := LOCAL
+ }
+
+ eap {
+ ok = return
+ }
+
+ ldap
+ if (ok || updated) {
+ update {
+ control:Auth-Type := ldap
+ }
+ }
+
+ expiration
+ logintime
+ pap
+ }
+
+ authenticate {
+ Auth-Type PAP {
+ pap
+ }
+
+ Auth-Type CHAP {
+ chap
+ }
+
+ Auth-Type LDAP {
+ ldap
+ }
+
+ eap
+ }
+
+ session {
+ radutmp
+ }
+
+
+ post-auth {
+ -sql
+ update reply {
+ User-Name !* ANY
+ Message-Authenticator !* ANY
+ EAP-Message !* ANY
+ Proxy-State !* ANY
+ MS-MPPE-Encryption-Types !* ANY
+ MS-MPPE-Encryption-Policy !* ANY
+ MS-MPPE-Send-Key !* ANY
+ MS-MPPE-Recv-Key !* ANY
+ }
+
+ update {
+ &outer.session-state: += &reply:
+ }
+
+ Post-Auth-Type REJECT {
+ -sql
+ attr_filter.access_reject
+
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+
+ if (LDAP-Group != "${wifi_access_role}") {
+ reject
+ }
+ }
+
+ pre-proxy { }
+
+ post-proxy {
+ eap
+ }
+}
diff --git a/files/usr/local/libexec/nagios/check_eapol.icinga_server b/files/usr/local/libexec/nagios/check_eapol.icinga_server
new file mode 100644
index 0000000..47ecf16
--- /dev/null
+++ b/files/usr/local/libexec/nagios/check_eapol.icinga_server
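Review bot: The `listen { ipaddr = 127.0.0.1 port = 18120 type = auth }` block opens a real UDP socket for the inner virtual server, but the `clients.conf.radius_server` added in this same commit defines only the `icinga` client and the `radius_clients` loop, so unless a `client localhost` exists elsewhere nothing can talk to that port and it is only extra listening surface; the TTLS tunnel reaches `inner-tunnel` through `virtual_server` in `eap.radius_server`, not through the socket, so the block can be removed. The role gate `if (LDAP-Group != "${wifi_access_role}") { reject }` sits at the end of `post-auth`, after `&outer.session-state: += &reply:` has already copied the inner reply out to the outer request and after the credential has been checked; placing the same check in `authorize` directly after the `ldap` call rejects non-members before any bind is attempted and before the reply is populated. A one-line comment on the gate, e.g. `# Only members of the wifi access role may complete the tunnel`, would also record its purpose.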
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+PROG=check_eapol
+USAGE="USAGE: ${PROG} -c CONFIGFILE -a ADDRESS -s SECRET [-p PORT] [-t TIMEOUT] [-d]"
+
+OK=0
+WARN=1
+CRIT=2
+UNKNOWN=3
+
+usage(){
+ printf 'USAGE: %s -c CONFIGFILE -a ADDRESS -s SECRET [-p PORT] [-t TIMEOUT] [-d]' "$PROG"
+ exit "$UNKNOWN"
+}
+
+die(){
+ printf '%s: %s\n' "$PROG" "$1" 1>&2
+ exit "$UNKNOWN"
+}
+
+port=1812
+timeout=5
+debug=false
+
+while getopts :a:c:dp:s:t: opt; do
+ case $opt in
+ a) address=$OPTARG ;;
+ c) config=$OPTARG ;;
+ d) debug=true ;;
+ p) port=$OPTARG ;;
+ s) secret=$OPTARG ;;
+ t) timeout=$OPTARG ;;
+ :|?) usage ;;
+ esac
+done
+shift $((OPTIND - 1 ))
+
+[ $# -eq 0 ] || usage
+[ -r "$config" ] || die "config file not readable: ${config}"
+if [ -z "$address" ] || [ -z "$config" ] || [ -z "$secret" ]; then
+ usage
+fi
+
+if [ "$debug" = true ]; then
+ eapol_test -c "$config" -a "$address" -p "$port" -s "$secret" -t "$timeout"
+else
+ eapol_test -c "$config" -a "$address" -p "$port" -s "$secret" -t "$timeout" > /dev/null
+fi
+
+if [ $? -eq 0 ]; then
+ echo "authentication to ${address}:${port} using ${config} succeeded"
+ exit "$OK"
+else
+ echo "authentication to ${address}:${port} using ${config} failed"
+ exit "$CRIT"
+fi
diff --git a/files/var/spool/icinga2/.ssh/config.icinga_server b/files/var/spool/icinga2/.ssh/config.icinga_server
new file mode 100644
index 0000000..8d02483
--- /dev/null
+++ b/files/var/spool/icinga2/.ssh/config.icinga_server
@@ -0,0 +1,16 @@
+PubkeyAuthentication yes
+PasswordAuthentication no
+GSSAPIAuthentication no
+GSSAPIDelegateCredentials no
+KbdInteractiveAuthentication no
+PreferredAuthentications publickey
+CanonicalizeHostname no
+IdentitiesOnly yes
+IdentityFile ~/.ssh/id_ed25519
+StrictHostKeyChecking no
+UserKnownHostsFile /dev/null
+KnownHostsCommand none
+LogLevel ERROR
+ControlMaster auto
+ControlPersist 10m
+ControlPath ~/.ssh/sockets/%r@%h:%p
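Review bot: `[ -r "$config" ] || die "config file not readable: ${config}"` runs before the emptiness test that follows it, so invoking the check without `-c` reports `config file not readable: ` with an empty path instead of the usage text; moving that line below the `if [ -z "$address" ] || [ -z "$config" ] || [ -z "$secret" ]` block gives the right diagnostic. `usage()` also prints to stdout with no trailing newline and duplicates the otherwise unused `USAGE` variable; `printf '%s\n' "$USAGE" 1>&2` as its first line fixes all three. The shared secret is handed to `eapol_test` via `-s` and so is visible in the process list of the monitoring host while the probe runs; if `eapol_test` offers no file-based alternative, a comment recording that exposure (and that the `icinga` client uses a dedicated secret scoped to the probe range) is worth adding next to the two `eapol_test` lines.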
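Review bot: `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` and `KnownHostsCommand none` disables host-key verification for every SSH-based check the icinga user runs, so any host answering on the expected address is accepted without proof of identity and can supply whatever output those checks consume; with `ControlMaster auto` and `ControlPersist 10m` that unverified session is then reused for ten minutes. Since the targets are presumably the site's own managed hosts, a managed `UserKnownHostsFile` (or an `@cert-authority` entry if host certificates are issued) with `StrictHostKeyChecking yes` would keep the rest of the hardening here (`IdentitiesOnly yes`, `PreferredAuthentications publickey`) meaningful. If accepting unknown hosts is a deliberate bootstrapping choice, a comment above `StrictHostKeyChecking no` stating that and the intended replacement would document the decision.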
diff --git a/files/var/spool/icinga2/eap-tls.conf.icinga_server b/files/var/spool/icinga2/eap-tls.conf.icinga_server
new file mode 100644
index 0000000..f90ef96
--- /dev/null
+++ b/files/var/spool/icinga2/eap-tls.conf.icinga_server
@@ -0,0 +1,9 @@
+network={
+ ssid="_"
+ key_mgmt=WPA-EAP
+ eap=TLS
+ identity="${icinga_username}"
+ ca_cert="${site_cacert_path}"
+ client_cert="${icinga_tls_client_cert}"
+ private_key="${icinga_tls_client_key}"
+}
diff --git a/files/var/spool/icinga2/eap-ttls-pap.conf.icinga_server b/files/var/spool/icinga2/eap-ttls-pap.conf.icinga_server
new file mode 100644
index 0000000..2579284
--- /dev/null
+++ b/files/var/spool/icinga2/eap-ttls-pap.conf.icinga_server
@@ -0,0 +1,9 @@
+network={
+ ssid="_"
+ key_mgmt=WPA-EAP
+ eap=TTLS
+ identity="${icinga_username}"
+ password="${icinga_password}"
+ phase2="auth=PAP"
+ ca_cert="${site_cacert_path}"
+}
|
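Review bot: Both new supplicant profiles (`eap-tls.conf.icinga_server` and `eap-ttls-pap.conf.icinga_server` below it) set `ca_cert` but nothing that ties the presented server certificate to the RADIUS server, so any certificate issued under `${site_cacert_path}` is accepted as the authenticator; if that CA also issues the clients' own certificates (the `client_cert` here suggests it may), a `domain_suffix_match` for the RADIUS server's name in each `network={}` block narrows trust to the intended server. `ssid="_"` is presumably a placeholder because the probe has no SSID to match — confirm — and a comment saying so would stop the file from reading like a live wireless profile.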
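Review bot: `password="${icinga_password}"` places the monitoring account's cleartext password in a file under `/var/spool/icinga2`, and EAP-TTLS with `phase2="auth=PAP"` then sends that password inside the tunnel to whichever server passes the `ca_cert` check; git's `100644` in the header says nothing about the installed ownership and mode, so a comment naming the required protection, e.g. `# Contains the icinga account password: install 0600, owned by the icinga user`, or a check of it in the deploy step, is warranted.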