Diffstat (limited to 'roles/nagios_server')
-rw-r--r--roles/nagios_server/defaults/main.yml34
-rw-r--r--roles/nagios_server/files/usr/lib64/nagios/plugins/check_asterisk_endpoints62
-rw-r--r--roles/nagios_server/handlers/main.yml9
-rw-r--r--roles/nagios_server/meta/main.yml4
-rw-r--r--roles/nagios_server/tasks/freeipa.yml42
-rw-r--r--roles/nagios_server/tasks/main.yml90
-rw-r--r--roles/nagios_server/tasks/objects.yml32
-rw-r--r--roles/nagios_server/templates/etc/nagios/cgi.cfg.j224
-rw-r--r--roles/nagios_server/templates/etc/nagios/nagios.cfg.j2105
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/commands.cfg.j2285
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/contacts.cfg.j26
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/hostgroups.cfg.j210
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/hosts.cfg.j231
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/servicedependencies.cfg.j28
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/servicegroups.cfg.j219
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/services.cfg.j2375
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/templates.cfg.j251
-rw-r--r--roles/nagios_server/templates/etc/nagios/objects/timeperiods.cfg.j239
-rw-r--r--roles/nagios_server/templates/etc/nagios/private/resource.cfg.j21
-rw-r--r--roles/nagios_server/templates/usr/share/nagios/html/config.inc.php.j211
-rw-r--r--roles/nagios_server/vars/main.yml78
21 files changed, 1316 insertions, 0 deletions
diff --git a/roles/nagios_server/defaults/main.yml b/roles/nagios_server/defaults/main.yml
new file mode 100644
index 0000000..c963b93
--- /dev/null
+++ b/roles/nagios_server/defaults/main.yml
@@ -0,0 +1,34 @@
+nagios_admin_email: root@{{ email_domain }}
+nagios_admin_pager: root@{{ email_domain }}
+
+nagios_access_group: role-nagios-access
+
+nagios_email: root@{{ email_domain }}
+
+nagios_reboot_window: 03:00-05:00
+
+nagios_ssh_control_persist: 20m
+
+nagios_snmp_max_size: 10000
+
+nagios_check_dns:
+ - name: example.com
+ qtype: A
+ server: 8.8.8.8
+ expect: 1.2.3.4
+
+nagios_connectivity_check_host: 8.8.8.8
+nagios_connectivity_check_count: 20
+nagios_connectivity_check_rtt_warn: 50.0
+nagios_connectivity_check_rtt_crit: 100.0
+nagios_connectivity_check_loss_warn: 5%
+nagios_connectivity_check_loss_crit: 20%
+
+nagios_manubulon_repo: https://github.com/SteScho/manubulon-snmp
+nagios_manubulon_version: master
+
+# key: name, value: url
+nagios_thirdparty_plugins: {}
+
+# key: name, value: url
+nagios_thirdparty_mibs: {}
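Review bot: `nagios_manubulon_version: master` makes the role track a moving branch of a third-party repository, and tasks/main.yml in this commit installs whatever that branch holds into the plugin directory as root-owned executables. Defaulting to a reviewed tag or full commit hash, e.g. `nagios_manubulon_version: <reviewed-commit-sha>`, keeps what runs on the monitoring server reproducible and makes an upgrade a deliberate change. The two `# key: name, value: url` maps have a related gap: the schema gives callers no way to pin the content of a download, only its location.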
diff --git a/roles/nagios_server/files/usr/lib64/nagios/plugins/check_asterisk_endpoints b/roles/nagios_server/files/usr/lib64/nagios/plugins/check_asterisk_endpoints
new file mode 100644
index 0000000..42fee08
--- /dev/null
+++ b/roles/nagios_server/files/usr/lib64/nagios/plugins/check_asterisk_endpoints
@@ -0,0 +1,62 @@
+#!/usr/libexec/platform-python
+
+# Nagios check for Asterisk PJSIP endpoints
+#
+# Copyright (c) 2023 stonewall@sacredheartsc.com
+# MIT License https://opensource.org/licenses/MIT
+
+import requests
+import json
+import argparse
+import sys
+from enum import Enum
+
+class Status(Enum):
+ OK = 0
+ WARN = 1
+ CRIT = 2
+ UNKNOWN = 3
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-H', '--host', help='asterisk host', type=str, required=True)
+parser.add_argument('-P', '--port', help='asterisk ARI port', type=int, default=8089)
+parser.add_argument('-u', '--username', help='asterisk ARI username', type=str, required=True)
+parser.add_argument('-p', '--password', help='asterisk ARI password', type=str, required=True)
+parser.add_argument('endpoints', nargs='+', help='endpoint name to check', metavar='ENDPOINT')
+args = parser.parse_args()
+
+try:
+ r = requests.get(f'https://{args.host}:{args.port}/ari/endpoints', auth=(args.username, args.password))
+
+ if r.status_code == 200:
+ state = {i['resource']: i['state'] for i in r.json() if i['technology'] == 'PJSIP'}
+ results = []
+
+ for endpoint in args.endpoints:
+ if endpoint in state:
+ status = Status.OK if state[endpoint] == 'online' else Status.CRIT
+ message = f'{endpoint} is {state[endpoint]}'
+ results.append((status, message))
+ else:
+ results.append((Status.UNKNOWN, f'{endpoint} not found'))
+
+ results.sort(key=lambda x:x[0].value, reverse=True)
+
+ if results[0][0] == Status.OK:
+ print('all endpoints connected')
+ elif results[0][0] == Status.UNKNOWN:
+ print('endpoint(s) not found in ARI!')
+ else:
+ print('endpoint not connected!')
+
+ for result in results:
+ print(f'{result[0].name}: {result[1]}')
+
+ sys.exit(results[0][0].value)
+ else:
+ print('failed to retrieve data from ARI!')
+ sys.exit(Status.UNKNOWN.value)
+
+except Exception as e:
+ print(str(e))
+ sys.exit(Status.UNKNOWN.value)
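Review bot: The `requests.get(...)` call has no `timeout`, so an ARI endpoint that accepts the connection and then stalls holds the check until Nagios kills it at `service_check_timeout`; adding `timeout=10` to the call lets the plugin report UNKNOWN itself. The ARI password is taken from `-p` on the command line, where it is readable in the process list for the life of the check; reading it from an environment variable or a file readable only by the nagios user avoids that. Separately, sorting on `x[0].value` with `reverse=True` ranks UNKNOWN (3) above CRIT (2), so one endpoint missing from ARI masks an offline one in the exit code; if CRIT should win, sort on an explicit severity order instead of the enum value.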
diff --git a/roles/nagios_server/handlers/main.yml b/roles/nagios_server/handlers/main.yml
new file mode 100644
index 0000000..34fdd65
--- /dev/null
+++ b/roles/nagios_server/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart nagios
+ systemd:
+ name: nagios
+ state: restarted
+
+- name: reload nagios
+ systemd:
+ name: nagios
+ state: reloaded
diff --git a/roles/nagios_server/meta/main.yml b/roles/nagios_server/meta/main.yml
new file mode 100644
index 0000000..29230f9
--- /dev/null
+++ b/roles/nagios_server/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: yum
+ yum_repositories: epel
+ tags: yum
diff --git a/roles/nagios_server/tasks/freeipa.yml b/roles/nagios_server/tasks/freeipa.yml
new file mode 100644
index 0000000..59ab7b3
--- /dev/null
+++ b/roles/nagios_server/tasks/freeipa.yml
@@ -0,0 +1,42 @@
+- name: create HBAC service
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ nagios_hbac_service }}'
+ description: nagios web interface
+ state: present
+ run_once: yes
+
+- name: create nagios servers hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ nagios_hbac_hostgroup }}'
+ description: Nagios Servers
+ host: "{{ groups[nagios_hbac_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+ state: present
+ run_once: yes
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ nagios_access_group }}'
+ description: nagios Administrators
+ nonposix: yes
+ state: present
+ run_once: yes
+
+- name: create HBAC rule
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: allow_nagios_users_on_nagios_servers
+ description: Allow nagios admins on nagios servers
+ hostgroup:
+ - '{{ nagios_hbac_hostgroup }}'
+ group:
+ - '{{ nagios_access_group }}'
+ hbacsvc:
+ - '{{ nagios_hbac_service }}'
+ run_once: yes
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml
new file mode 100644
index 0000000..db8ebf6
--- /dev/null
+++ b/roles/nagios_server/tasks/main.yml
@@ -0,0 +1,90 @@
+- name: install packages
+ dnf:
+ name: '{{ nagios_packages }}'
+ state: present
+
+- name: generate nagios configuration
+ template:
+ src: '{{ item[1:] }}.j2'
+ dest: '{{ item }}'
+ loop:
+ - /etc/nagios/cgi.cfg
+ - /etc/nagios/nagios.cfg
+ - /usr/share/nagios/html/config.inc.php
+ notify: restart nagios
+
+- name: remove default nagios config files
+ copy:
+ content: |
+ # This file intentionally empty to avoid being clobbered on package updates.
+ dest: /etc/nagios/objects/{{ item }}
+ loop:
+ - printer.cfg
+ - switch.cfg
+ - windows.cfg
+ - localhost.cfg
+ notify: reload nagios
+
+- name: clone manubulon repo
+ git:
+ repo: '{{ nagios_manubulon_repo }}'
+ dest: '{{ nagios_manubulon_install_dir }}'
+ version: '{{ nagios_manubulon_version }}'
+ force: yes
+ update: yes
+ register: nagios_manubulon_git
+
+- name: install manubulon plugins
+ shell: install -o root -g root -m755 {{ nagios_manubulon_install_dir }}/plugins/*.pl {{ nagios_plugin_dir }}/
+ when: nagios_manubulon_git.changed
+
+- import_tasks: objects.yml
+ tags: nagios_config
+
+- name: download thirdparty plugins
+ get_url:
+ url: '{{ item.url }}'
+ dest: '{{ nagios_plugin_dir }}/{{ item.name }}'
+ mode: 0555
+ loop: '{{ nagios_thirdparty_plugins | dict2items(key_name="name", value_name="url") }}'
+ tags: nagios_config
+
+- name: download thirdparty MIBs
+ get_url:
+ url: '{{ item.url }}'
+ dest: '{{ nagios_mib_dir }}/MIB-{{ item.name | upper }}.txt'
+ loop: '{{ nagios_thirdparty_mibs | dict2items(key_name="name", value_name="url") }}'
+
+- name: create nagios ssh directory
+ file:
+ path: '{{ nagios_home }}/.ssh'
+ owner: nagios
+ group: nagios
+ mode: 0700
+ state: directory
+
+- name: copy nagios ssh key
+ copy:
+ content: '{{ nagios_ssh_privkey }}'
+ dest: "{{ nagios_home }}/.ssh/id_{{ nagios_ssh_pubkey | regex_replace('^ssh-(\\w+).*', '\\1') }}"
+ owner: nagios
+ group: nagios
+ mode: 0600
+
+- import_tasks: freeipa.yml
+
+- name: create SELinux policy for php-fpm to access nagios contexts
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: php_nagios
+ selinux_policy_te: '{{ nagios_selinux_policy_te }}'
+ tags: selinux
+
+- name: enable nagios
+ systemd:
+ name: nagios
+ enabled: yes
+ state: started
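Review bot: The `download thirdparty plugins` task fetches executables by URL into `{{ nagios_plugin_dir }}` with mode 0555 and no integrity check, so the file Nagios later runs is whatever the URL serves at deploy time. `get_url` accepts `checksum:` (for example `checksum: 'sha256:<digest>'`), which would need the `nagios_thirdparty_plugins` map to carry a digest per entry alongside the URL; the MIB download has the same gap. `copy nagios ssh key` writes `nagios_ssh_privkey` through `content:` without `no_log: true`, so a run with `--diff` can print the private key into the terminal or job log. The `shell: install ...` line interpolates two variables unquoted; `{{ nagios_manubulon_install_dir | quote }}/plugins/*.pl {{ nagios_plugin_dir | quote }}/` keeps the glob working while tolerating unusual paths.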
diff --git a/roles/nagios_server/tasks/objects.yml b/roles/nagios_server/tasks/objects.yml
new file mode 100644
index 0000000..e216e71
--- /dev/null
+++ b/roles/nagios_server/tasks/objects.yml
@@ -0,0 +1,32 @@
+- name: generate nagios objects
+ template:
+ src: '{{ item.src }}'
+ dest: /etc/nagios/objects/{{ item.path | splitext | first }}
+ owner: root
+ group: nagios
+ mode: 0640
+ lstrip_blocks: yes
+ loop: "{{ lookup('filetree', '../templates/etc/nagios/objects', wantlist=True) }}"
+ when: item.state == 'file'
+ loop_control:
+ label: '{{ item.path }}'
+ notify: reload nagios
+
+- name: generate nagios resource file
+ template:
+ src: etc/nagios/private/resource.cfg.j2
+ dest: /etc/nagios/private/resource.cfg
+ owner: root
+ group: nagios
+ mode: 0640
+ notify: reload nagios
+
+- name: copy nagios plugins
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ nagios_plugin_dir }}/{{ item.path }}'
+ mode: 0555
+ loop: "{{ lookup('filetree', nagios_plugin_dir[1:], wantlist=True) }}"
+ loop_control:
+ label: '{{ item.path }}'
+ when: item.state == 'file'
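Review bot: `copy nagios plugins` sets `mode: 0555` but, unlike the two template tasks above it, no `owner`/`group`, so a file that already exists in the plugin directory under another owner keeps that owner. These files are executed by the monitoring daemon, so adding `owner: root` and `group: root` makes the result independent of prior state. `generate nagios objects` renders hosts.cfg, which in this commit carries SNMP passphrases; `diff: no` on that task would keep diff-mode output from echoing them.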
diff --git a/roles/nagios_server/templates/etc/nagios/cgi.cfg.j2 b/roles/nagios_server/templates/etc/nagios/cgi.cfg.j2
new file mode 100644
index 0000000..2910a7b
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/cgi.cfg.j2
@@ -0,0 +1,24 @@
+main_config_file=/etc/nagios/nagios.cfg
+physical_html_path=/usr/share/nagios/html
+url_html_path=/
+show_context_help=0
+use_pending_states=1
+use_authentication=1
+use_ssl_authentication=0
+authorized_for_system_information=*
+authorized_for_configuration_information=*
+authorized_for_system_commands=*
+authorized_for_all_services=*
+authorized_for_all_hosts=*
+authorized_for_all_service_commands=*
+authorized_for_all_host_commands=*
+default_statuswrl_layout=4
+ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
+refresh_rate=90
+result_limit=100
+escape_html_tags=1
+action_url_target=_blank
+notes_url_target=_blank
+lock_author_names=1
+navbar_search_for_addresses=1
+navbar_search_for_aliases=1
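Review bot: All seven `authorized_for_*` directives are set to `*`, so every authenticated user gets full read access and may also submit system, host and service commands, and nagios.cfg in this commit sets `check_external_commands=1`. If the FreeIPA HBAC rule on `nagios_access_group` is meant to be the only gate, say so in a comment above the block, e.g. `# all authenticated users are admins; access is gated by the HBAC rule in tasks/freeipa.yml`. Otherwise list the admin contacts explicitly for `authorized_for_system_commands` and the two `authorized_for_all_*_commands` directives. How the web server authenticates users is not visible in this hunk.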
diff --git a/roles/nagios_server/templates/etc/nagios/nagios.cfg.j2 b/roles/nagios_server/templates/etc/nagios/nagios.cfg.j2
new file mode 100644
index 0000000..1e48e0a
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/nagios.cfg.j2
@@ -0,0 +1,105 @@
+log_file=/var/log/nagios/nagios.log
+cfg_dir=/etc/nagios/objects
+object_cache_file=/var/spool/nagios/objects.cache
+precached_object_file=/var/spool/nagios/objects.precache
+resource_file=/etc/nagios/private/resource.cfg
+status_file={{ nagios_status_file }}
+status_update_interval=10
+nagios_user=nagios
+nagios_group=nagios
+check_external_commands=1
+command_file=/var/spool/nagios/cmd/nagios.cmd
+lock_file=/var/run/nagios/nagios.pid
+temp_file=/var/spool/nagios/nagios.tmp
+temp_path=/tmp
+event_broker_options=-1
+log_rotation_method=d
+log_archive_path=/var/log/nagios/archives
+use_syslog=1
+log_notifications=1
+log_service_retries=1
+log_host_retries=1
+log_event_handlers=1
+log_initial_states=0
+log_current_states=1
+log_external_commands=1
+log_passive_checks=1
+service_inter_check_delay_method=s
+max_service_check_spread=30
+service_interleave_factor=s
+host_inter_check_delay_method=s
+max_host_check_spread=30
+max_concurrent_checks=0
+check_result_reaper_frequency=10
+max_check_result_reaper_time=30
+check_result_path=/var/spool/nagios/checkresults
+max_check_result_file_age=3600
+cached_host_check_horizon=15
+cached_service_check_horizon=15
+enable_predictive_host_dependency_checks=1
+enable_predictive_service_dependency_checks=1
+soft_state_dependencies=0
+auto_reschedule_checks=0
+auto_rescheduling_interval=30
+auto_rescheduling_window=180
+service_check_timeout=60
+host_check_timeout=30
+event_handler_timeout=30
+notification_timeout=30
+ocsp_timeout=5
+ochp_timeout=5
+perfdata_timeout=5
+retain_state_information=1
+state_retention_file={{ nagios_state_retention_file }}
+retention_update_interval=60
+use_retained_program_state=1
+use_retained_scheduling_info=1
+retained_host_attribute_mask=0
+retained_service_attribute_mask=0
+retained_process_host_attribute_mask=0
+retained_process_service_attribute_mask=0
+retained_contact_host_attribute_mask=0
+retained_contact_service_attribute_mask=0
+interval_length=60
+check_for_updates=0
+bare_update_check=0
+use_aggressive_host_checking=0
+execute_service_checks=1
+accept_passive_service_checks=1
+execute_host_checks=1
+accept_passive_host_checks=1
+enable_notifications=1
+enable_event_handlers=1
+process_performance_data=0
+obsess_over_services=0
+obsess_over_hosts=0
+translate_passive_host_checks=0
+passive_host_checks_are_soft=0
+check_for_orphaned_services=1
+check_for_orphaned_hosts=1
+check_service_freshness=1
+service_freshness_check_interval=60
+service_check_timeout_state=c
+check_host_freshness=0
+host_freshness_check_interval=60
+additional_freshness_latency=15
+enable_flap_detection=1
+low_service_flap_threshold=5.0
+high_service_flap_threshold=20.0
+low_host_flap_threshold=5.0
+high_host_flap_threshold=20.0
+date_format=us
+illegal_object_name_chars=`~!$%^&*|'"<>?,()=
+illegal_macro_output_chars=`~$&|'"<>
+use_regexp_matching=1
+use_true_regexp_matching=0
+admin_email={{ nagios_admin_email }}
+admin_pager={{ nagios_admin_pager }}
+daemon_dumps_core=0
+use_large_installation_tweaks=0
+enable_environment_macros=0
+debug_level=0
+debug_verbosity=1
+debug_file=/var/log/nagios/nagios.debug
+max_debug_file_size=1000000
+allow_empty_hostgroup_assignment=0
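Review bot: `temp_path=/tmp` points the daemon's scratch space at a world-writable directory shared with every local user, while the other state paths in this file live under /var/spool/nagios or /var/log/nagios. A directory owned by `nagios` with mode 0700 and created by the role (for example `temp_path=/var/spool/nagios/tmp`, path constructed here for illustration) would keep the daemon's temporary files out of the shared directory. Whether the packaged service unit already runs with a private /tmp is not visible here.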
diff --git a/roles/nagios_server/templates/etc/nagios/objects/commands.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/commands.cfg.j2
new file mode 100644
index 0000000..e44d6ab
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/commands.cfg.j2
@@ -0,0 +1,285 @@
+#################
+### Notifications
+#################
+define command {
+ command_name notify-host-by-email
+ command_line /usr/bin/printf "%b" "Notification Type: $NOTIFICATIONTYPE$\n\nHost: $HOSTNAME$\nAddress: $HOSTADDRESS$\nState: $HOSTSTATE$\n\nDate/Time: $LONGDATETIME$\n\n$HOSTOUTPUT$\n\n$LONGHOSTOUTPUT$" \
+ | /usr/bin/mail -s "$NOTIFICATIONTYPE$: $HOSTNAME$ is $HOSTSTATE$" $CONTACTEMAIL$
+}
+
+define command {
+ command_name notify-service-by-email
+ command_line /usr/bin/printf "%b" "Notification Type: $NOTIFICATIONTYPE$\n\nHost: $HOSTALIAS$\nService: $SERVICEDESC$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\n$SERVICEOUTPUT$\n\n$LONGSERVICEOUTPUT$" \
+ | /usr/bin/mail -s "$NOTIFICATIONTYPE$: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$" $CONTACTEMAIL$
+}
+
+
+###############
+### Host Checks
+###############
+define command {
+ command_name check_ping
+ command_line $USER1$/check_ping \
+ --hostname='$ARG1$' \
+ --packets='$ARG2$' \
+ --warning='$ARG3$' \
+ --critical='$ARG4$'
+}
+
+define command {
+ command_name check_dummy
+ command_line $USER1$/check_dummy 0
+}
+
+
+##########################
+### Service Checks: Common
+##########################
+define command {
+ command_name check_ssh
+ command_line $USER1$/check_ssh '$HOSTADDRESS$'
+}
+
+define command {
+ command_name check_systemd_by_ssh
+ command_line $USER1$/check_by_ssh \
+ {{ nagios_check_by_ssh_args }} \
+ --command='check_systemd'
+}
+
+define command {
+ command_name check_needs_restart_by_ssh
+ command_line $USER1$/check_by_ssh \
+ {{ nagios_check_by_ssh_args }} \
+ --command='check_needs_restart'
+}
+
+define command {
+ command_name check_mem_by_ssh
+ command_line $USER1$/check_by_ssh \
+ {{ nagios_check_by_ssh_args }} \
+ --command='check_mem -u -C -z -w $ARG1$ -c $ARG2$'
+}
+
+define command {
+ command_name check_swap_by_ssh
+ command_line $USER1$/check_by_ssh \
+ {{ nagios_check_by_ssh_args }} \
+ --command='check_swap -n ok -w $ARG1$ -c $ARG2$'
+}
+
+define command {
+ command_name check_snmp_interface
+ command_line $USER1$/check_snmp_int.pl \
+ {{ nagios_manubulon_args }} \
+ --ign-admindown \
+ --use-ifname \
+ --perfdata \
+ --error \
+ --perfspeed \
+ --perfcheck \
+ --extperfcheck \
+ --64bits \
+ --label \
+ --kbits \
+ --mega \
+ --name='$ARG1$' \
+ --warning='$ARG2$' \
+ --critical='$ARG3$' \
+ --octetlength={{ nagios_snmp_max_size }} \
+ $ARG4$
+}
+
+define command {
+ command_name check_snmp_storage
+ command_line $USER1$/check_snmp_storage.pl \
+ {{ nagios_manubulon_args }} \
+ --name='$ARG1$' \
+ --warn='$ARG2$' \
+ --crit='$ARG3$' \
+ --storagetype=FixedDisk \
+ --perfdata \
+ --gigabyte \
+ --short=1,1 \
+ --octetlength={{ nagios_snmp_max_size }} \
+ $ARG4$
+}
+
+define command {
+ command_name check_snmp_storage_terse
+ command_line $USER1$/check_snmp_storage.pl \
+ {{ nagios_manubulon_args }} \
+ --name='$ARG1$' \
+ --warn='$ARG2$' \
+ --crit='$ARG3$' \
+ --storagetype=FixedDisk \
+ --gigabyte \
+ --short=0,1 \
+ --octetlength={{ nagios_snmp_max_size }} \
+ $ARG4$
+}
+
+define command {
+ command_name check_snmp_load
+ command_line $USER1$/check_snmp_load.pl \
+ {{ nagios_manubulon_args }} \
+ --perfdata \
+ --type=netsl \
+ --warn='$ARG1$' \
+ --crit='$ARG2$'
+}
+
+define command {
+ command_name check_snmp_mem
+ command_line $USER1$/check_snmp_mem.pl \
+ {{ nagios_manubulon_args }} \
+ --perfdata \
+ --warn='$ARG1$' \
+ --crit='$ARG2$'
+}
+
+
+#######################
+### Service Checks: ZFS
+#######################
+define command {
+ command_name check_zpools_by_ssh
+ command_line $USER1$/check_by_ssh \
+ {{ nagios_check_by_ssh_args }} \
+ --command='check_zpools -w $ARG1$ -c $ARG2$'
+}
+
+
+##################################
+### Service Checks: Infrastructure
+##################################
+define command {
+ command_name check_cyberpower
+ command_line $USER1$/check_cyberpower -u -H $HOSTADDRESS$ -C {{ nagios_snmp_community | quote }} -l $ARG1$ $ARG2$
+}
+
+
+##########################
+# Service Checks: Asterisk
+##########################
+define command {
+ command_name check_asterisk_endpoints
+ command_line $USER1$/check_asterisk_endpoints -H '$_HOSTFQDN$' -P '$ARG1$' -u '$ARG2$' -p '$ARG3$' $ARG4$
+}
+
+
+######################################
+# Service Checks: Certificate Validity
+######################################
+define command {
+ command_name check_ssl_validity
+ command_line $USER1$/check_ssl_validity -I '$HOSTADDRESS$' -C 3600 -p '$ARG1$' -H '$ARG2$' -w '$ARG3$' -c '$ARG4$'
+}
+
+
+######################
+# Service Checks: SMTP
+######################
+define command {
+ command_name check_smtp
+ command_line $USER1$/check_smtp -H '$HOSTADDRESS$' -p 25 -S -D '$ARG1$,$ARG2$' -w '$ARG3$' -c '$ARG4$'
+}
+
+define command {
+ command_name check_mailq
+ command_line $USER1$/check_by_ssh \
+ {{ nagios_check_by_ssh_args }} \
+ --command='check_mailq -M postfix -w $ARG1$ -c $ARG2$'
+}
+
+######################
+# Service Checks: IMAP
+######################
+define command {
+ command_name check_imap
+ command_line $USER1$/check_imap -H '$HOSTADDRESS$' -p 993 -S -D '$ARG1$,$ARG2$' -w '$ARG3$' -c '$ARG4$'
+}
+
+######################
+# Service Checks: XMPP
+######################
+define command {
+ command_name check_xmpp
+ command_line $USER1$/check_ssl_cert \
+ --host '$HOSTADDRESS$' \
+ --protocol xmpp-server \
+ --ignore-sct \
+ --timeout 60 \
+ --xmpphost '$ARG1$' \
+ --warning '$ARG2$' \
+ --critical '$ARG3$'
+}
+
+############################
+# Service Checks: PostgreSQL
+############################
+define command {
+ command_name check_postgres
+ command_line $USER1$/check_ssl_cert \
+ --host '$HOSTADDRESS$' \
+ --protocol postgres \
+ --ignore-sct \
+ --timeout 60 \
+ --warning '$ARG1$' \
+ --critical '$ARG2$'
+}
+
+############################
+# Service Checks: LDAP
+############################
+define command {
+ command_name check_ldaps
+ command_line $USER1$/check_ldaps \
+ --hostname='$_HOSTFQDN$' \
+ --ver3 \
+ --base='$ARG1$' \
+ --age='$ARG2$,$ARG3$'
+}
+
+######################################
+# Service Checks: HTTPS
+######################################
+define command {
+ command_name check_https
+ command_line $USER1$/check_http \
+ --IP-address='$HOSTADDRESS$' \
+ --hostname='$ARG1$' \
+ --port=443 \
+ --ssl=1.2 \
+ --sni \
+ --verify-host \
+ --certificate '$ARG2$,$ARG3$' \
+ --continue-after-certificate \
+ --no-body \
+ --onredirect=ok \
+ --warning='$ARG4$' \
+ --critical='$ARG5$' \
+ $ARG6$
+}
+
+######################################
+# Service Checks: DNS
+######################################
+define command {
+ command_name check_dns
+ command_line $USER1$/check_dns \
+ --accept-cname \
+ --server='$HOSTADDRESS$' \
+ --hostname='$ARG1$' \
+ --querytype='$ARG2$'
+}
+
+define command {
+ command_name check_dns_response
+ command_line $USER1$/check_dns \
+ --accept-cname \
+ --server='$ARG1$' \
+ --hostname='$ARG2$' \
+ --querytype='$ARG3$' \
+ --expected-address='$ARG4$'
+}
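Review bot: `check_cyberpower` passes `$HOSTADDRESS$` and `$ARG1$` to the shell unquoted, while every other command in this file single-quotes its macros; `-H '$HOSTADDRESS$' ... -l '$ARG1$'` would make it consistent (`$ARG2$` looks like a deliberate extra-arguments slot, as `$ARG4$` is in the SNMP commands). The `*_by_ssh` commands splice `$ARG1$`/`$ARG2$` into the `--command='...'` string, which is parsed again by the shell on the monitored host, so those thresholds should only ever come from inventory values; a comment above the first such command stating that would help the next maintainer. `check_cyberpower` and `check_asterisk_endpoints` also place the SNMP community and the ARI password on the command line, where they are visible in the process list while the check runs.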
diff --git a/roles/nagios_server/templates/etc/nagios/objects/contacts.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/contacts.cfg.j2
new file mode 100644
index 0000000..797adbc
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/contacts.cfg.j2
@@ -0,0 +1,6 @@
+define contact {
+ contact_name sysadmins
+ alias System Administrators
+ email {{ nagios_email }}
+ use generic-contact
+}
diff --git a/roles/nagios_server/templates/etc/nagios/objects/hostgroups.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/hostgroups.cfg.j2
new file mode 100644
index 0000000..2051447
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/hostgroups.cfg.j2
@@ -0,0 +1,10 @@
+{% for groupname in groups.keys() | difference(['all','ungrouped'] + nagios_excluded_groups) %}
+{% if groups[groupname] | reject('in', nagios_excluded_groups | map('extract', groups) | flatten) %}
+define hostgroup {
+ hostgroup_name {{ groupname }}
+ alias {{ groupname | replace('_', ' ') | title }}
+ members {{ groups[groupname] | reject('in', nagios_excluded_groups | map('extract', groups) | flatten) | join(',') }}
+}
+
+{% endif %}
+{% endfor %}
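Review bot: The `{% if groups[groupname] | reject(...) %}` guard is likely always true, because Jinja2's `reject` returns a generator and a generator object is truthy even when it yields nothing, so a group whose hosts are all excluded would still be emitted with an empty `members` line. Appending `| list` to the condition, `{% if groups[groupname] | reject('in', nagios_excluded_groups | map('extract', groups) | flatten) | list %}`, makes the test reflect the filtered contents. Computing the filtered list once with `{% set members = ... | list %}` and reusing it on the `members` line would also remove the duplicated expression.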
diff --git a/roles/nagios_server/templates/etc/nagios/objects/hosts.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/hosts.cfg.j2
new file mode 100644
index 0000000..3e8d72f
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/hosts.cfg.j2
@@ -0,0 +1,31 @@
+define host {
+ host_name {{ inventory_hostname }}
+ alias {{ inventory_hostname }}
+ address 127.0.0.1
+ use generic-host
+ check_command check_dummy
+ notification_period 24x7
+ _fqdn {{ ansible_fqdn }}
+ _snmp_user {{ hostvars[inventory_hostname].nagios_snmp_user }}
+ _snmp_priv_pass {{ hostvars[inventory_hostname].nagios_snmp_priv_pass }}
+ _snmp_priv_proto {{ hostvars[inventory_hostname].nagios_snmp_priv_proto }}
+ _snmp_auth_pass {{ hostvars[inventory_hostname].nagios_snmp_auth_pass }}
+ _snmp_auth_proto {{ hostvars[inventory_hostname].nagios_snmp_auth_proto }}
+}
+
+{% for host in groups['all'] | reject('equalto', inventory_hostname) | reject('in', nagios_excluded_groups | map('extract', groups) | flatten) %}
+define host {
+ host_name {{ host }}
+ alias {{ host }}
+ address {{ hostvars[host].ip }}
+ use generic-host
+ check_command check_ping!$HOSTADDRESS$!{{ hostvars[host].nagios_ping_count }}!{{ hostvars[host].nagios_ping_rtt_warn }},{{ hostvars[host].nagios_ping_loss_warn | replace('%', '') }}%!{{ hostvars[host].nagios_ping_rtt_crit }},{{ hostvars[host].nagios_ping_loss_crit | replace('%', '') }}%
+ _fqdn {{ hostvars[host].fqdn }}
+ _snmp_user {{ hostvars[host].nagios_snmp_user }}
+ _snmp_priv_pass {{ hostvars[host].nagios_snmp_priv_pass }}
+ _snmp_priv_proto {{ hostvars[host].nagios_snmp_priv_proto }}
+ _snmp_auth_pass {{ hostvars[host].nagios_snmp_auth_pass }}
+ _snmp_auth_proto {{ hostvars[host].nagios_snmp_auth_proto }}
+}
+
+{% endfor %}
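Review bot: The SNMPv3 auth and priv passphrases are written as custom host variables (`_snmp_auth_pass`, `_snmp_priv_pass`), which puts them in hosts.cfg and, as far as I know, in the object cache Nagios generates from it, rather than only in the resource file under /etc/nagios/private. If the passphrases are shared across hosts, `$USERn$` macros in resource.cfg keep them out of object data; if they must be per host, confirm the permissions of the object cache and status files and that the web UI does not display custom variables. The values are also interpolated raw, and Nagios object files treat `;` as the start of a comment, so a passphrase containing `;` would be silently truncated; an `assert` in the role or a documented character restriction would catch that at deploy time.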
diff --git a/roles/nagios_server/templates/etc/nagios/objects/servicedependencies.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/servicedependencies.cfg.j2
new file mode 100644
index 0000000..050a1cd
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/servicedependencies.cfg.j2
@@ -0,0 +1,8 @@
+# ssh-based checks depend on the ssh service being OK
+define servicedependency {
+ hostgroup nagios_check_ssh
+ service_description ssh
+ dependent_servicegroup_name ssh
+ execution_failure_criteria c,u
+ notification_failure_criteria c,u
+}
diff --git a/roles/nagios_server/templates/etc/nagios/objects/servicegroups.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/servicegroups.cfg.j2
new file mode 100644
index 0000000..c8e6a98
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/servicegroups.cfg.j2
@@ -0,0 +1,19 @@
+define servicegroup {
+ servicegroup_name ssh
+ alias SSH-based checks
+}
+
+define servicegroup {
+ servicegroup_name snmp
+ alias SNMP-based checks
+}
+
+define servicegroup {
+ servicegroup_name https
+ alias HTTPS-based checks
+}
+
+define servicegroup {
+ servicegroup_name dns
+ alias DNS-based checks
+}
diff --git a/roles/nagios_server/templates/etc/nagios/objects/services.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/services.cfg.j2
new file mode 100644
index 0000000..68b4fe4
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/services.cfg.j2
@@ -0,0 +1,375 @@
+###############
+# Local checks
+###############
+
+# Upstream packet loss
+define service {
+ service_description upstream-packet-loss
+ host_name {{ inventory_hostname }}
+ use generic-service
+ check_command check_ping!{{ nagios_connectivity_check_host }}!{{ nagios_connectivity_check_count }}!{{ nagios_connectivity_check_rtt_warn }},{{ nagios_connectivity_check_loss_warn | replace('%', '') }}%!{{ nagios_connectivity_check_rtt_crit }},{{ nagios_connectivity_check_loss_crit | replace('%', '') }}%
+}
+
+# Nagios web gui
+define service {
+ service_description https
+ host_name {{ inventory_hostname }}
+ use generic-service
+ check_command check_https!$_HOSTFQDN$!{{ nagios_certificate_warn }}!{{ nagios_certificate_crit }}!{{ nagios_http_warn }}!{{ nagios_http_crit }}!-e 'HTTP/1.1 401'
+ servicegroups https
+}
+
+###############
+# DNS checks
+###############
+
+{% for item in nagios_check_dns %}
+# {{ item.name }} - {{ item.qtype | default('A') | upper }}
+define service {
+ {% if (item.qtype | default('A') | upper) == 'A' %}
+ service_description dns-{{ item.name }}
+ {% else %}
+ service_description dns-{{ item.name }}-{{ item.qtype | lower }}
+ {% endif %}
+ host_name {{ inventory_hostname }}
+ use generic-service
+ check_command check_dns_response!{{ item.server }}!{{ item.name }}!{{ item.qtype | default('A') | upper }}!{{ item.expect }}
+ servicegroups dns
+}
+
+{% endfor %}
+
+
+###############
+# Common checks
+###############
+
+# SSH
+define service {
+ service_description ssh
+ hostgroups nagios_check_ssh
+ use generic-service
+ check_command check_ssh
+}
+
+# Systemd
+define service {
+ service_description systemd
+ hostgroups nagios_check_systemd
+ use generic-service
+ check_command check_systemd_by_ssh
+ servicegroups ssh
+}
+
+# Check if services need restart or system needs reboot
+define service {
+ service_description needs-restart
+ hostgroups nagios_el_clients
+ use generic-service
+ check_command check_needs_restart_by_ssh
+ servicegroups ssh
+ check_interval 60
+ # only alert if needs-restart doesn't resolve within 24h
+ first_notification_delay 1440
+}
+
+{% for host in groups.nagios_check_load %}
+# Load - {{ host }}
+define service {
+ service_description load
+ host_name {{ host }}
+ use generic-service
+ check_command check_snmp_load!{{ hostvars[host].nagios_load_1m_warn }},{{ hostvars[host].nagios_load_5m_warn }},{{ hostvars[host].nagios_load_15m_warn }}!{{ hostvars[host].nagios_load_1m_crit }},{{ hostvars[host].nagios_load_5m_crit }},{{ hostvars[host].nagios_load_15m_crit }}
+ servicegroups snmp
+}
+
+{% endfor %}
+
+{% for host in groups.nagios_check_mem %}
+# Memory / Swap - {{ host }}
+{% if host in groups.nagios_check_zfs %}
+define service {
+ service_description mem
+ host_name {{ host }}
+ use generic-service
+ check_command check_mem_by_ssh!{{ hostvars[host].nagios_mem_warn | replace('%', '') }}!{{ hostvars[host].nagios_mem_crit | replace('%', '') }}
+ servicegroups ssh
+}
+define service {
+ service_description swap
+ host_name {{ host }}
+ use generic-service
+ check_command check_swap_by_ssh!{{ 100 - (hostvars[host].nagios_swap_warn | replace('%', '') | int) }}%!{{ 100 - (hostvars[host].nagios_swap_crit | replace('%', '') | int) }}%
+ servicegroups ssh
+}
+{% else %}
+define service {
+ service_description mem
+ host_name {{ host }}
+ use generic-service
+ check_command check_snmp_mem!{{ hostvars[host].nagios_mem_warn | replace('%', '') }},{{ hostvars[host].nagios_swap_warn | replace('%', '') }}!{{ hostvars[host].nagios_mem_crit | replace('%', '') }},{{ hostvars[host].nagios_swap_crit | replace('%', '') }}
+ servicegroups snmp
+}
+{% endif %}
+
+{% endfor %}
+
+{% for host in groups.nagios_check_disk %}
+# Disk Usage - {{ host }}
+{% for disk in hostvars[host].nagios_disks %}
+define service {
+ service_description {% if disk is string %}{{ disk }}{% elif disk.description is defined %}{{ disk.description }}{% else %}{{ disk.path }}{% endif %}
+
+ host_name {{ host }}
+ use generic-service
+ check_command check_snmp_storage{% if disk.terse | default(false) %}_terse{% endif %}!{% if disk is string %}{{ disk }}{% elif disk.regex is defined %}{{ disk.regex | replace('!', '\\!') }}{% else %}{{ disk.path }}{% endif %}!{{ disk.warn | default(hostvars[host].nagios_disk_warn) }}!{{ disk.crit | default(hostvars[host].nagios_disk_crit) }}!{% if disk.exclude | default(false) %}--exclude{% endif %} {% if disk.regex is not defined %}--noregexp{% endif %}
+
+ servicegroups snmp
+}
+
+{% endfor %}
+{% endfor %}
+
+{% for host in groups.nagios_check_interfaces %}
+# Network Interfaces - {{ host }}
+{% for intf in hostvars[host].nagios_interfaces %}
+define service {
+ service_description {% if intf is string %}{{ intf }}{% elif intf.description is defined %}{{ intf.description }}{% else %}{{ intf.name }}{% endif %}
+
+ host_name {{ host }}
+ use generic-service
+ check_interval 5
+ retry_interval 5
+ check_command check_snmp_interface!{% if intf is string %}{{ intf }}{% elif intf.regex is defined %}{{ intf.regex | replace('!', '\\!') }}{% else %}{{ intf.name }}{% endif %}!{{ intf.bandwidth_warn | default(hostvars[host].nagios_interface_bandwidth_warn) }},{{ intf.bandwidth_warn | default(hostvars[host].nagios_interface_bandwidth_warn) }},{{ intf.error_warn | default(hostvars[host].nagios_interface_error_warn) }},{{ intf.error_warn | default(hostvars[host].nagios_interface_error_warn) }},{{ intf.discard_warn | default(hostvars[host].nagios_interface_discard_warn) }},{{ intf.discard_warn | default(hostvars[host].nagios_interface_discard_warn) }}!{{ intf.bandwidth_crit | default(hostvars[host].nagios_interface_bandwidth_crit) }},{{ intf.bandwidth_crit | default(hostvars[host].nagios_interface_bandwidth_crit) }},{{ intf.error_crit | default(hostvars[host].nagios_interface_error_crit) }},{{ intf.error_crit | default(hostvars[host].nagios_interface_error_crit) }},{{ intf.discard_crit | default(hostvars[host].nagios_interface_discard_crit) }},{{ intf.discard_crit | default(hostvars[host].nagios_interface_discard_crit) }}!{% if intf.down_ok | default(false) %}--down{% endif %} {% if intf.regex is not defined %}--noregexp{% endif %}
+ servicegroups snmp
+}
+
+{% endfor %}
+{% endfor %}
+
+
+############
+# ZFS Checks
+############
+
+{% for host in groups.nagios_check_zfs %}
+# zpools - {{ host }}
+define service {
+ service_description zpool
+ host_name {{ host }}
+ use generic-service
+ check_command check_zpools_by_ssh!{{ 100 - (hostvars[host].nagios_disk_warn|replace('%','') | int) }}!{{ 100 - (hostvars[host].nagios_disk_crit|replace('%','') | int) }}
+ servicegroups ssh
+}
+
+{% endfor %}
+
+
+#######################
+# Infrastructure Checks
+#######################
+
+# UPS
+define service {
+ service_description status
+ hostgroups ups
+ use generic-service
+ check_command check_cyberpower!status
+ servicegroups snmp
+}
+
+define service {
+ service_description health
+ hostgroups ups
+ use generic-service
+ check_command check_cyberpower!health
+ servicegroups snmp
+}
+
+define service {
+ service_description battery
+ hostgroups ups
+ use generic-service
+ check_command check_cyberpower!battery
+ servicegroups snmp
+}
+
+define service {
+ service_description transfer
+ hostgroups ups
+ use generic-service
+ check_command check_cyberpower!transfer
+ servicegroups snmp
+}
+
+{% for host in groups.ups %}
+# UPS Temp - {{ host }}
+define service {
+ service_description temp
+ host_name {{ host }}
+ use generic-service
+ check_command check_cyberpower!temp!-w {{ hostvars[host].nagios_temp_warn }} -c {{ hostvars[host].nagios_temp_crit }}
+ servicegroups snmp
+}
+
+define service {
+# UPS Load - {{ host }}
+ service_description load
+ host_name {{ host }}
+ use generic-service
+ check_command check_cyberpower!load! -w {{ hostvars[host].nagios_power_draw_warn | replace('%', '') }} -c {{ hostvars[host].nagios_power_draw_crit | replace('%', '') }}
+ servicegroups snmp
+}
+
+{% endfor %}
+
+
+#################
+# Asterisk Checks
+#################
+
+{% for host in groups.asterisk_servers %}
+# endpoints - {{ host }}
+define service {
+ service_description endpoints
+ host_name {{ host }}
+ use generic-service
+ check_command check_asterisk_endpoints!{{ hostvars[host].asterisk_https_port | default(8089) }}!nagios!{{ hostvars[host].asterisk_ari_users | selectattr('name', '==', 'nagios') | map(attribute='password') | first }}!{{ (hostvars[host].asterisk_sip_trunks + hostvars[host].asterisk_sip_extensions) | map(attribute='name') | join(' ' ) }}
+}
+{% endfor %}
+
+
+######################
+# SMTP Checks
+######################
+
+{% for host in groups.mail_servers %}
+define service {
+ service_description smtp
+ host_name {{ host }}
+ use generic-service
+ check_command check_smtp!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}!{{ hostvars[host].nagios_smtp_warn }}!{{ hostvars[host].nagios_smtp_crit }}
+}
+
+define service {
+ service_description mailq
+ host_name {{ host }}
+ use generic-service
+ check_command check_mailq!{{ hostvars[host].nagios_mailq_warn }}!{{ hostvars[host].nagios_mailq_crit }}
+}
+
+{% endfor %}
+
+
+######################
+# IMAP Checks
+######################
+
+{% for host in groups.imap_servers %}
+define service {
+ service_description imap
+ host_name {{ host }}
+ use generic-service
+ check_command check_imap!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}!{{ hostvars[host].nagios_imap_warn }}!{{ hostvars[host].nagios_imap_crit }}
+}
+
+{% endfor %}
+
+
+######################
+# XMPP Checks
+######################
+
+{% for host in groups.xmpp_servers %}
+{% for vhost in hostvars[host].prosody_vhosts %}
+define service {
+ service_description xmpp-{{ vhost }}
+ host_name {{ host }}
+ use generic-service
+ check_command check_xmpp!{{ vhost }}!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}
+}
+
+{% endfor %}
+{% for vhost in hostvars[host].prosody_conference_vhosts | default(['conference.'] | product(hostvars[host].prosody_vhosts) | map('join') | list) %}
+define service {
+ service_description xmpp-{{ vhost }}
+ host_name {{ host }}
+ use generic-service
+ check_command check_xmpp!{{ vhost }}!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}
+}
+
+{% endfor %}
+{% endfor %}
+
+
+######################
+# PostgreSQL Checks
+######################
+
+{% for host in groups.postgresql_servers %}
+define service {
+ service_description postgres
+ host_name {{ host }}
+ use generic-service
+ check_command check_postgres!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}
+}
+
+{% endfor %}
+
+
+######################
+# HTTPS Checks
+######################
+
+{% for host in groups.nagios_check_https %}
+# {{ host }}
+{% for vhost in hostvars[host].nagios_https_vhosts | default(['$_HOSTFQDN$']) %}
+define service {
+ service_description {{ 'https' if loop.length == 1 else 'https-'~(vhost if vhost is string else vhost.name) }}
+ host_name {{ host }}
+ use generic-service
+ check_command check_https!{{ vhost if vhost is string else vhost.name }}!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}!{{ hostvars[host].nagios_http_warn }}!{{ hostvars[host].nagios_http_crit }}!{{ '-e HTTP/1.1 '~vhost.status if vhost.status is defined else '-e HTTP/1.1 '~hostvars[host].nagios_http_status if hostvars[host].nagios_http_status is defined else '' }}
+ servicegroups https
+}
+{% endfor %}
+
+{% endfor %}
+
+
+######################
+# DNS Checks
+######################
+
+{% for host in groups.authoritative_nameservers %}
+{% for zone in hostvars[host].nsd_zones | map(attribute='name') %}
+define service {
+ service_description dns-{{ zone }}
+ host_name {{ host }}
+ use generic-service
+ check_command check_dns!{{ zone }}!SOA
+}
+
+{% endfor %}
+{% endfor %}
+
+
+######################
+# FreeIPA Checks
+######################
+
+define service {
+ service_description dns
+ hostgroups freeipa_servers
+ use generic-service
+ check_command check_dns!{{ domain }}!SOA
+}
+
+{% for host in groups.freeipa_servers %}
+define service {
+ service_description ldap
+ hostgroups freeipa_servers
+ use generic-service
+ check_command check_ldaps!{{ freeipa_basedn }}!{{ hostvars[host].nagios_certificate_warn }}!{{ hostvars[host].nagios_certificate_crit }}
+}
+
+{% endfor %}
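Review bot: The `check_asterisk_endpoints` service renders the ARI password of the `nagios` user straight into `check_command`, so the secret lands in the generated services.cfg and, depending on how commands.cfg (outside this hunk) forwards the argument, probably on the plugin's command line as well. The password is also not escaped the way `disk.regex` and `intf.regex` are, so a value containing `!` would be split into two arguments. I would keep the secret out of the object definition, for example by referencing a `$USERn$` macro defined in `private/resource.cfg` (`...!nagios!$USER2$!...`), or at the very least append `| replace('!', '\\!')` to the password expression. Separately, the final loop emits the `ldap` service once per FreeIPA host, but every copy uses `hostgroups freeipa_servers`, which looks like it yields duplicate definitions once the group has more than one member; `host_name {{ host }}` is presumably what was intended.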
diff --git a/roles/nagios_server/templates/etc/nagios/objects/templates.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/templates.cfg.j2
new file mode 100644
index 0000000..4f9d306
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/templates.cfg.j2
@@ -0,0 +1,51 @@
+define contact {
+ name generic-contact
+ host_notification_period 24x7
+ host_notification_options d,u,r,f,s
+ host_notification_commands notify-host-by-email
+ service_notification_period 24x7
+ service_notification_options w,u,c,r,f,s
+ service_notification_commands notify-service-by-email
+ register 0
+}
+
+define host {
+ name generic-host
+ notifications_enabled 1
+ event_handler_enabled 1
+ flap_detection_enabled 0
+ process_perf_data 1
+ retain_status_information 1
+ retain_nonstatus_information 1
+ notification_period 24x7-except-reboot-window
+ notification_interval 0
+ notification_options d,u,r,f
+ first_notification_delay 0
+ check_period 24x7
+ check_interval 5
+ retry_interval 1
+ max_check_attempts 3
+ contacts sysadmins
+ register 0
+}
+
+define service {
+ name generic-service
+ parallelize_check 1
+ check_freshness 0
+ notifications_enabled 1
+ event_handler_enabled 1
+ flap_detection_enabled 0
+ process_perf_data 1
+ retain_status_information 1
+ retain_nonstatus_information 1
+ is_volatile 0
+ max_check_attempts 3
+ check_interval 10
+ retry_interval 1
+ notification_options w,u,c,r,f
+ notification_interval 0
+ first_notification_delay 0
+ contacts sysadmins
+ register 0
+}
diff --git a/roles/nagios_server/templates/etc/nagios/objects/timeperiods.cfg.j2 b/roles/nagios_server/templates/etc/nagios/objects/timeperiods.cfg.j2
new file mode 100644
index 0000000..2a0c885
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/objects/timeperiods.cfg.j2
@@ -0,0 +1,39 @@
+define timeperiod {
+ timeperiod_name reboot-window
+ alias reboot window
+
+ sunday {{ nagios_reboot_window }}
+ monday {{ nagios_reboot_window }}
+ tuesday {{ nagios_reboot_window }}
+ wednesday {{ nagios_reboot_window }}
+ thursday {{ nagios_reboot_window }}
+ friday {{ nagios_reboot_window }}
+ saturday {{ nagios_reboot_window }}
+}
+
+define timeperiod {
+ timeperiod_name 24x7
+ alias 24x7
+
+ sunday 00:00-24:00
+ monday 00:00-24:00
+ tuesday 00:00-24:00
+ wednesday 00:00-24:00
+ thursday 00:00-24:00
+ friday 00:00-24:00
+ saturday 00:00-24:00
+}
+
+define timeperiod {
+ timeperiod_name 24x7-except-reboot-window
+ alias 24x7 (except reboot window)
+ exclude reboot-window
+
+ sunday 00:00-24:00
+ monday 00:00-24:00
+ tuesday 00:00-24:00
+ wednesday 00:00-24:00
+ thursday 00:00-24:00
+ friday 00:00-24:00
+ saturday 00:00-24:00
+}
diff --git a/roles/nagios_server/templates/etc/nagios/private/resource.cfg.j2 b/roles/nagios_server/templates/etc/nagios/private/resource.cfg.j2
new file mode 100644
index 0000000..b8c4e8c
--- /dev/null
+++ b/roles/nagios_server/templates/etc/nagios/private/resource.cfg.j2
@@ -0,0 +1 @@
+$USER1$=/usr/lib64/nagios/plugins
diff --git a/roles/nagios_server/templates/usr/share/nagios/html/config.inc.php.j2 b/roles/nagios_server/templates/usr/share/nagios/html/config.inc.php.j2
new file mode 100644
index 0000000..4723227
--- /dev/null
+++ b/roles/nagios_server/templates/usr/share/nagios/html/config.inc.php.j2
@@ -0,0 +1,11 @@
+<?php
+$cfg['cgi_config_file']='/etc/nagios/cgi.cfg';
+$cfg['cgi_base_url']='/cgi-bin';
+
+// FILE LOCATION DEFAULTS
+$cfg['main_config_file']='/etc/nagios/nagios.cfg';
+$cfg['status_file']='{{ nagios_status_file }}';
+$cfg['state_retention_file']='{{ nagios_state_retention_file }}';
+
+require_once(dirname(__FILE__).'/includes/utils.inc.php');
+?>
diff --git a/roles/nagios_server/vars/main.yml b/roles/nagios_server/vars/main.yml
new file mode 100644
index 0000000..aa8effa
--- /dev/null
+++ b/roles/nagios_server/vars/main.yml
@@ -0,0 +1,78 @@
+nagios_packages:
+ - nagios
+ - nagios-plugins-all
+ - nagios-contrib
+ - nagios-selinux
+ - perl-Net-SNMP
+ - perl-Getopt-Long
+ - perl-Crypt-Rijndael
+ - perl-Crypt-DES
+ - perl-Digest-HMAC
+ - perl-Switch
+ - perl-bignum
+ - git
+ - python3
+ - bc
+
+nagios_home: /var/spool/nagios
+nagios_html_dir: /usr/share/nagios/html
+nagios_cgi_dir: /usr/lib64/nagios/cgi-bin
+nagios_status_file: /var/log/nagios/status.dat
+nagios_state_retention_file: /var/log/nagios/retention.dat
+nagios_plugin_dir: /usr/lib64/nagios/plugins
+
+nagios_mib_dir: /usr/share/snmp/mibs
+
+nagios_manubulon_install_dir: /usr/local/share/manubulon
+
+nagios_thirdparty_plugins:
+ check_cyberpower: https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=7181&cf_id=24
+ check_ssl_cert: https://raw.githubusercontent.com/matteocorti/check_ssl_cert/master/check_ssl_cert
+
+nagios_thirdparty_mibs: {}
+
+nagios_hbac_service: nagios
+nagios_hbac_hostgroup: nagios_servers
+
+nagios_check_by_ssh_args: >-
+ --hostname='$HOSTADDRESS$'
+ --quiet
+ --ssh-option=StrictHostKeyChecking=no
+ --ssh-option=UserKnownHostsFile=/dev/null
+ --ssh-option=ControlMaster=yes
+ --ssh-option='ControlPath=/var/run/nagios/ssh-$HOSTNAME$'
+ --ssh-option=ControlPersist={{ nagios_ssh_control_persist | quote }}
+
+nagios_manubulon_args: >-
+ --hostname='$HOSTADDRESS$'
+ --login='$_HOSTSNMP_USER$'
+ --passwd='$_HOSTSNMP_AUTH_PASS$'
+ --privpass='$_HOSTSNMP_PRIV_PASS$'
+ --protocols='$_HOSTSNMP_AUTH_PROTO$,$_HOSTSNMP_PRIV_PROTO$'
+
+nagios_selinux_policy_te: |
+ require {
+ type nagios_spool_t;
+ type httpd_t;
+ class file open;
+ }
+
+ #============= httpd_t ==============
+ allow httpd_t nagios_spool_t:file open;
+
+nagios_apache_config: |
+ <Location />
+ AuthType GSSAPI
+ AuthName "FreeIPA Single Sign-On"
+ {{ apache_gssapi_session_config }}
+ AuthLDAPUrl "{{ apache_ldap_url }}?krbprincipalname"
+ {{ apache_ldap_creds }}
+ Require ldap-attribute memberof=cn={{ nagios_access_group }},{{ freeipa_group_basedn }}
+ </Location>
+
+ ScriptAlias "/cgi-bin/" "{{ nagios_cgi_dir }}/"
+
+ <Directory "{{ nagios_cgi_dir }}">
+ AllowOverride None
+ Require all granted
+ </Directory>
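Review bot: `nagios_check_by_ssh_args` turns off host key verification (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), so every ssh-based check accepts whichever machine answers at `$HOSTADDRESS$`, and its results cannot be trusted if the network path is tampered with. If the monitored hosts are enrolled in FreeIPA, as the rest of the role suggests, I would verify against managed host keys instead, e.g. `--ssh-option=StrictHostKeyChecking=yes` and `--ssh-option=UserKnownHostsFile=<managed known_hosts path>`. In the same hunk, `nagios_thirdparty_plugins` takes `check_ssl_cert` from the moving `master` branch. Unless the download task (not visible here) verifies a checksum, pinning the URL to a tag or commit and recording a hash would keep an upstream change from placing unreviewed code in the plugin directory.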