author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-24 06:43:08 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-24 06:43:08 -0400 |
commit | e2fc0433de38c322ce46ad250bc0f0f03e7710c8 (patch) | |
tree | f04f079ed745f0c0350af93adf6491bbfec1cd13 /files | |
parent | 393adb9a95913e1658afe3243e4a0498dced9090 (diff) | |
download | infrastructure-e2fc0433de38c322ce46ad250bc0f0f03e7710c8.tar.gz |
add icinga
Diffstat (limited to 'files')
15 files changed, 231 insertions, 0 deletions
diff --git a/files/usr/local/etc/icinga2/api-users.conf.icinga_server b/files/usr/local/etc/icinga2/api-users.conf.icinga_server
new file mode 100644
index 0000000..6ee26c2
--- /dev/null
+++ b/files/usr/local/etc/icinga2/api-users.conf.icinga_server
@@ -0,0 +1,4 @@
+object ApiUser "${icingaweb_api_username}" {
+ password = "${icingaweb_api_password}"
+ permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
+}
diff --git a/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server b/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
new file mode 100644
index 0000000..6fda495
--- /dev/null
+++ b/files/usr/local/etc/icinga2/features-available/icingadb.conf.icinga_server
@@ -0,0 +1,3 @@
+object IcingaDB "icingadb" {
+ path = "${redis_sock}"
+}
diff --git a/files/usr/local/etc/icingadb/config.yml.icinga_server b/files/usr/local/etc/icingadb/config.yml.icinga_server
new file mode 100644
index 0000000..e30d81c
--- /dev/null
+++ b/files/usr/local/etc/icingadb/config.yml.icinga_server
@@ -0,0 +1,10 @@
+database:
+ type: pgsql
+ host: ${icinga_dbhost}
+ user: ${icinga_username}
+ password: ${icinga_password}
+ database: ${icinga_dbname}
+ tls: true
+
+redis:
+ host: ${redis_sock}
diff --git a/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server b/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
new file mode 100644
index 0000000..52ed21d
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/authentication.ini.icinga_server
@@ -0,0 +1,10 @@
+[icingaweb2]
+backend = "ldap"
+resource = "icingaweb_ldap"
+base_dn = "${users_basedn}"
+user_class = "inetOrgPerson"
+user_name_attribute = "uid"
+filter = "memberOf=cn=${icingaweb_access_role},${roles_basedn}"
+
+[autologin]
+backend = external
diff --git a/files/usr/local/etc/icingaweb2/config.ini.icinga_server b/files/usr/local/etc/icingaweb2/config.ini.icinga_server
new file mode 100644
index 0000000..8c05a5f
--- /dev/null
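Review bot: The `password: ${icinga_password}` line in `config.yml` substitutes the secret as a bare YAML scalar, so a password that contains `#`, `: ` or begins with a YAML indicator character would be truncated or parsed as something other than the intended string. Quoting the value, `password: '${icinga_password}'`, narrows this (a literal single quote in the password would still need doubling). The same applies to `user` and `database` if those can hold arbitrary text. The rendered file carries a database credential, so its owner and mode should restrict it to the icingadb service account; nothing in this hunk shows how that is set.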
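Review bot: The `filter = "memberOf=cn=${icingaweb_access_role},${roles_basedn}"` restriction in `[icingaweb2]` applies only to the LDAP backend, while `[autologin]` with `backend = external` accepts whatever user name the web server hands over, so a Kerberos-authenticated principal outside the access role is presumably still logged in and limited only by `roles.ini`. If that is intended, a comment above `[autologin]` such as `; external (GSSAPI) logins are not subject to the memberOf filter; access is decided by roles.ini` would record it. If the name arrives with a realm suffix, the external backend's `strip_username_regexp` option is the place to normalise it so that it matches the LDAP `uid`.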
+++ b/files/usr/local/etc/icingaweb2/config.ini.icinga_server
@@ -0,0 +1,10 @@
+[global]
+show_stacktraces = "0"
+show_application_state_messages = "1"
+config_resource = "icingaweb_db"
+
+[logging]
+log = "syslog"
+level = "INFO"
+application = "icingaweb2"
+facility = "user"
diff --git a/files/usr/local/etc/icingaweb2/groups.ini.icinga_server b/files/usr/local/etc/icingaweb2/groups.ini.icinga_server
new file mode 100644
index 0000000..87da799
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/groups.ini.icinga_server
@@ -0,0 +1,11 @@
+[icingaweb2]
+backend = "ldap"
+resource = "icingaweb_ldap"
+user_backend = "icingaweb2"
+user_class = "inetOrgPerson"
+user_name_attribute = "uid"
+user_base_dn = "${users_basedn}"
+base_dn = "${groups_basedn}"
+group_class = "groupOfMembers"
+group_member_attribute = "member"
+group_name_attribute = "cn"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
new file mode 100644
index 0000000..990e08a
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/commandtransports.ini.icinga_server
@@ -0,0 +1,6 @@
+[icinga2]
+skip_validation = "0"
+transport = "api"
+port = "${icinga_port}"
+username = "${icingaweb_api_username}"
+password = ${icingaweb_api_password}"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
new file mode 100644
index 0000000..7c19f9f
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/config.ini.icinga_server
@@ -0,0 +1,5 @@
+[icingadb]
+resource = "icingadb"
+
+[redis]
+tls = "0"
diff --git a/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server b/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
new file mode 100644
index 0000000..0064b7e
--- /dev/null
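Review bot: The last line of `commandtransports.ini`, `password = ${icingaweb_api_password}"`, has a closing quote with no opening one, so the rendered value is either a parse error or a password with a stray `"` appended, and commands sent from Icinga DB Web to the API would fail to authenticate. It should read `password = "${icingaweb_api_password}"`, matching the `username` line above it. The `[icinga2]` section also sets `port` but no `host`; if the API transport needs an explicit host, add it alongside.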
+++ b/files/usr/local/etc/icingaweb2/modules/icingadb/redis.ini.icinga_server
@@ -0,0 +1,3 @@
+[redis1]
+host = "localhost"
+port = "${redis_port}"
diff --git a/files/usr/local/etc/icingaweb2/resources.ini.icinga_server b/files/usr/local/etc/icingaweb2/resources.ini.icinga_server
new file mode 100644
index 0000000..0400b1e
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/resources.ini.icinga_server
@@ -0,0 +1,28 @@
+[icingaweb_db]
+type = "db"
+db = "pgsql"
+host = "${icingaweb_dbhost}"
+dbname = "${icingaweb_dbname}"
+username = "${icinga_username}"
+password = ""
+port = "5432"
+use_ssl = "0"
+
+[icingaweb_ldap]
+type = "ldap"
+hostname = "${ldap_hosts}"
+port = "389"
+encryption = "starttls"
+bind_dn = "${icinga_dn}"
+bind_pw = "${icinga_password}"
+root_dn = "${accounts_basedn}"
+
+[icingadb]
+type = "db"
+db = "pgsql"
+host = "${icinga_dbhost}"
+dbname = "${icinga_dbname}"
+username = "${icinga_username}"
+password = ""
+port = "5432"
+use_ssl = "0"
diff --git a/files/usr/local/etc/icingaweb2/roles.ini.icinga_server b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
new file mode 100644
index 0000000..6e20e8a
--- /dev/null
+++ b/files/usr/local/etc/icingaweb2/roles.ini.icinga_server
@@ -0,0 +1,12 @@
+[Administrators]
+$(if [ -n "$icingaweb_admin_groups" ]; then
+cat <<EOF
+groups = "$(join ',' $icingaweb_admin_groups)"
+EOF
+fi)
+permissions = "*"
+
+[Users]
+groups = "${icingaweb_access_role}"
+permissions = "module/icingadb"
+icingadb/denylist/variables = "*priv*,*auth*,*key*,*pass*,*token*"
diff --git a/files/usr/local/etc/nginx/vhosts.conf.icinga_server b/files/usr/local/etc/nginx/vhosts.conf.icinga_server
new file mode 100644
index 0000000..43fa82e
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.icinga_server
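Review bot: Both PostgreSQL resources in `resources.ini` (`[icingaweb_db]` and `[icingadb]`) set `use_ssl = "0"` and `password = ""`, while `icingadb/config.yml` in this same commit connects to `${icinga_dbhost}` with `tls: true` and a password, so nothing on the Icinga Web side enforces TLS for the same database host. Whether the PHP driver still negotiates TLS depends on libpq defaults, so confirm that the server requires it (for example `hostssl` entries in `pg_hba.conf`) or that the client settings do. The empty password presumably relies on another authentication method; a comment above `password = ""` saying which one would let a reader judge that it is deliberate. `bind_pw = "${icinga_password}"` in `[icingaweb_ldap]` uses the same variable that `config.yml` uses as the database password, which looks like one credential shared between two services and is worth confirming.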
@@ -0,0 +1,33 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ root ${icingaweb_webroot};
+ index index.php index.html;
+
+ ssl_certificate ${icingaweb_https_cert};
+ ssl_certificate_key ${icingaweb_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ auth_gss_keytab ${nginx_keytab};
+ auth_gss_allow_basic_fallback off;
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+
+ location ~ ^/index\.php(.*)$ {
+ fastcgi_pass unix:${icingaweb_fpm_socket};
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${icingaweb_webroot}/index.php;
+ fastcgi_param ICINGAWEB_CONFIGDIR ${icingaweb_conf_dir};
+ }
+
+ location ~ ^/(.+)? {
+ index index.php;
+ try_files \$1 \$uri \$uri/ /index.php\$is_args\$args;
+ }
+}
diff --git a/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server b/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
new file mode 100644
index 0000000..35bab5c
--- /dev/null
+++ b/files/usr/local/etc/php-fpm.d/icingaweb.conf.icinga_server
@@ -0,0 +1,20 @@
+[icingaweb]
+user = ${nginx_user}
+group = ${nginx_user}
+
+listen = ${icingaweb_fpm_socket}
+
+listen.owner = ${nginx_user}
+listen.group = ${nginx_user}
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = ${icingaweb_webroot}
+
+catch_workers_output = yes
+decorate_workers_output = no
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 7d2a7ab..2b9587d 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
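Review bot: The `location ~ ^/index\.php(.*)$` block passes only `SCRIPT_FILENAME` and `ICINGAWEB_CONFIGDIR` on top of `include fastcgi_params`, and the stock `fastcgi_params` file does not define `REMOTE_USER`, so the `[autologin]` external backend added in `authentication.ini` may never receive the GSSAPI-authenticated name. Unless the included file is customised elsewhere in the repository, add `fastcgi_param REMOTE_USER \$remote_user;` to that block, escaped like the other `\$` variables in this template. Separately, with `satisfy any` followed by the generated `deny` lines and `allow all`, Kerberos is required only for the listed CIDRs, so the decision rests on the client's source address; a comment above `satisfy any;` stating that clients outside those ranges fall through to the form login would make the intent explicit.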
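Review bot: The `[icingaweb]` pool runs as `${nginx_user}` (`user` and `group`), the same account as the nginx workers, so PHP code executing in Icinga Web can read whatever those workers can, presumably including `${nginx_keytab}` from the vhost. A dedicated pool account, with `listen.owner`/`listen.group` left at `${nginx_user}` and `listen.mode = 0660` as now, would keep the socket reachable by nginx while separating the two identities. If the shared account is deliberate, a comment above `user =` should say why.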
@@ -76,6 +76,10 @@ net-im/gajim
 net-im/prosody
 net-im/prosody-modules
 net-im/signal-desktop
+net-mgmt/icinga2
+net-mgmt/icingadb
+net-mgmt/icingaweb2
+net-mgmt/icingaweb2-module-icingadb
 net-mgmt/unifi8
 net/asterisk18
 net/freeradius3
diff --git a/files/usr/local/etc/redis.conf.icinga_server b/files/usr/local/etc/redis.conf.icinga_server
new file mode 100644
index 0000000..1197bd5
--- /dev/null
+++ b/files/usr/local/etc/redis.conf.icinga_server
@@ -0,0 +1,72 @@
+pidfile /var/run/redis/redis.pid
+proc-title-template "{title} icingadb"
+dir ${redis_data_dir}
+unixsocket ${redis_sock}
+unixsocketperm 770
+
+bind 127.0.0.1 ::1
+port ${redis_port}
+
+databases 1
+syslog-enabled yes
+loglevel notice
+logfile ""
+
+# The rest of these values are unchanged from the FreeBSD defaults:
+daemonize yes
+protected-mode yes
+tcp-backlog 511
+timeout 0
+tcp-keepalive 300
+always-show-logo no
+set-proc-title yes
+locale-collate ""
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+rdb-del-sync-files no
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+lazyfree-lazy-user-del no
+lazyfree-lazy-user-flush no
+oom-score-adj no
+oom-score-adj-values 0 200 800
+disable-thp yes
+appendonly no
+appendfilename "appendonly.aof"
+appenddirname "appendonlydir"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble yes
+aof-timestamp-enabled no
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+latency-monitor-threshold 0
+notify-keyspace-events ""
+hash-max-listpack-entries 512
+hash-max-listpack-value 64
+list-max-listpack-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+set-max-listpack-entries 128
+set-max-listpack-value 64
+zset-max-listpack-entries 128
+zset-max-listpack-value 64
+hll-sparse-max-bytes 3000
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+activerehashing yes
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+hz 10
+dynamic-hz yes
+aof-rewrite-incremental-fsync yes
+rdb-save-incremental-fsync yes
+jemalloc-bg-thread yes |
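Review bot: The `bind 127.0.0.1 ::1` / `port ${redis_port}` listener has no `requirepass` or ACL, so any local account or process on the host can read and write the Icinga DB Redis data over loopback, whereas the unix socket is limited by `unixsocketperm 770`. The TCP listener appears to exist only for Icinga DB Web (`redis.ini` sets `host = "localhost"` and the module's `config.ini` sets `tls = "0"`), since icinga2 and icingadb both use `${redis_sock}`. Setting `requirepass` here, with the matching password option in each client that supports one, would close that gap; `protected-mode yes` does not, because it still accepts loopback clients. A comment above `bind` naming the consumer of the TCP port would also help.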