mg
/
homeserver
1
0
Fork 0
Code Issues 1 Pull Requests Activity

munin (#116) 

motd unit

house

plugins vereinheitlicht

aufräumen

user vereinheitlicht

samba users

aufgeräumt

aussortiert

apc pwr

systemd plugin

kvm plugins

lvm plguin

acng plugin

munin user

chrony fur alle

gruppe playbook

docker vars

playbook

firewall

munin für alle

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: mg/ansible#116
Co-Authored-By: mg <mg@noreply.git.mgrote.net>
Co-Committed-By: mg <mg@noreply.git.mgrote.net>
This commit is contained in:
Michael Grote 2021-06-16 21:57:28 +02:00
parent 44022ed0a8
commit 416c36f97c
16 changed files with 190 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
group_vars/acng.yml
View File

@ -6,6 +6,11 @@
protocol: tcp
comment: 'ssh'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
- rule: allow
to_port: 9999
from_ip: 192.168.2.0/24
@ -15,3 +20,19 @@
acng_server_exthreshold: "60" #hebt Pakete 60 Tage auf
acng_server_auth_user: acngadmin
acng_server_auth_pass: "{{ lookup('keepass', 'acng_webinterface', 'password') }}"
### geerlingguy.munin-node
munin_node_plugins:
- name: chrony
- name: systemd_status
- name: lvm_
- name: acng
munin_node_install_plugins: # in eigenes Repo gesichert
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/acng
munin_node_config: {
"acng": {
"env.logfile /var/log/apt-cacher-ng/apt-cacher.log"
}
}

55
group_vars/all.yml
View File

@ -5,6 +5,45 @@
#----------------------------------------------------------------#
# This file is managed with ansible! #
#----------------------------------------------------------------#
### geerlingguy.munin-node
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs: [192.168.2.0/24]
munin_node_remove_plugins:
- name: meminfo # zu hohe last
- name: hddtemp2 # ersetzt durch hddtemp_smartctl
- name: squid_cache
- name: squid_objectsize
- name: squid_requests
- name: squid_traffic
- name: nfsd
- name: samba
- name: nfsd4
- name: ntp # verursacht zu viele dns ptr request
- name: cronjobs
- name: hddtempd # ersetzt durch hddtemp_smartctl
- name: ipmi_power # für pve2, leeres diagramm
- name: fail2ban
- name: fail2ban_
- name: apcupsd_pct
- name: kvm_io
- name: kvm_cpu
- name: docker_mem
- name: docker_cpu
munin_node_plugins:
- name: chrony
- name: systemd_status
- name: lvm_
munin_node_install_plugins: # in eigenes Repo gesichert
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
munin_node_config: {
"lvm_": {
"user munin"
}
}
### mgrote.dotfiles
dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
dotfiles_repo_path: /home/mg/dotfiles
@ -76,6 +115,11 @@
protocol: tcp
comment: 'ssh'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow
### ryandaniels.create_users
@ -87,11 +131,20 @@
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: ssh, sudo
groups: ssh, sudo, docker
servers:
- production
- test
- laptop
- username: munin
password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
update_password: always
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: root, docker
servers:
- production
- username: root
password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
update_password: on_create

35
group_vars/docker.yml
View File

@ -1,15 +1,4 @@
---
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 5000
protocol: tcp
comment: 'rss-feed-changedetection'
### geerlingguy.docker
docker_users:
- mg
@ -30,27 +19,3 @@
/var/lib/docker/volumes/docker-photoprism_pp_smb_bilder***/**
# https://github.com/restic/restic/issues/1005
# https://forum.restic.net/t/exclude-syntax-confusion/1531/12
### ryandaniels.create_users
users:
- username: mg
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
update_password: on_create
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAp7z2WWUS626wY4laQJNGVYs5uOowrSOjd9RLsoPV5GWU46lsD+Q7CblqcBflvkzFiU16bzI0QZcQ9YP5M5LcYreCqCIq2HdeA4/hgIhlBGAzgp4mK8gZsEoCd2rs5888RA8T/oGnAoP0FXBegm2XmXTmt3826ZZUektCanSipMzrT3XUDZDnf1sTY60Fu8GK4hcRIFI7spM0u9upCYXVOrygBmoBQ5GlOyGEPyXs1Am/PERcVZFUPS0mGJ0COVCgEOaVvM8kEn5dK/QpmKqE8OMBsRdQ51pj9BMLNz/0IRnF6OxHDfEyLuqNPZuuBZc+/pULaZefCgjKGL1zXIFFlw== #generieren: ssh-keygen -o; für putty ändern https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/ggcs/Change_private_key_format_for_Putty/Change_private_key_format_for_Putty.html#section2
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: ssh, sudo, docker
servers:
- production
- test
- username: ansible-user
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: on_create
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: ssh, sudo
servers:
- production
- test

5
group_vars/dokuwiki.yml
View File

@ -12,3 +12,8 @@
to_port: 80
comment: 'dokuwiki-webserver'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24

19
group_vars/fileserver.yml
View File

@ -110,3 +110,22 @@
to_port: 139
comment: 'smb'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
### geerlingguy.munin-node
munin_node_plugins:
- name: chrony
- name: systemd_status
- name: lvm_
- name: samba_locked
- name: samba_users
munin_node_install_plugins: # in eigenes Repo gesichert
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/samba_locked
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/samba_users

5
group_vars/gitea.yml
View File

@ -18,6 +18,11 @@
protocol: tcp
comment: 'gitea'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
### tmaurice.gitea
gitea_version: "1.13.7"
gitea_app_name: "Gitea"

5
group_vars/jenkins.yml
View File

@ -18,6 +18,11 @@
to_port: 8080
comment: 'jenkins'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
### mgrote.restic
restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins
### geerlingguy.pip

5
group_vars/ntpserver.yml
View File

@ -10,6 +10,11 @@
to_port: 123
comment: 'ntp'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
### mgrote.ntp_chrony_server
ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile

5
group_vars/pihole.yml
View File

@ -10,6 +10,11 @@
to_port: 80
comment: 'pihole-webgui'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
- rule: allow
to_port: 53
comment: 'pihole-dns'

30
group_vars/proxmox.yml
View File

@ -12,10 +12,10 @@
### mgrote.apcupsd
apcupsd_slave_polltime: 10 #in Sekunden
### geerlingguy.munin-node
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs: [192.168.2.0/24]
munin_node_plugins:
- name: chrony
- name: systemd_status
- name: lvm_
- name: apc_nis
- name: hddtemp_smartctl
- name: zpool_iostat
@ -23,7 +23,9 @@
- name: zfs_arcstats
- name: zfs_list
- name: zpool_capacity
- name: fail2ban_
- name: kvm_mem
- name: kvm_net
- name: apcupsd_pwr
munin_node_config: {
"apc_nis": {
"env.host": "pve2.grote.lan",
@ -31,25 +33,17 @@
}
}
munin_node_install_plugins: # in eigenes Repo gesichert
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_arcstats
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfsonlinux_stats_
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_iostat
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_list
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_capacity
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/fail2ban_
munin_node_remove_plugins:
- name: meminfo # zu hohe last
- name: hddtemp2 # ersetzt durch hddtemp_smartctl
- name: squid_cache
- name: squid_objectsize
- name: squid_requests
- name: squid_traffic
- name: nfsd
- name: nfsd4
- name: ntp # verursacht zu viele dns ptr request
- name: cronjobs
- name: hddtempd # ersetzt durch hddtemp_smartctl
- name: ipmi_power # für pve2, leeres diagramm
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/kvm_mem
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/kvm_net
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/apcupsd_pwr
# Ansible Variablen
### sudo

19
host_vars/docker.grote.lan.yml Normal file
View File

@ -0,0 +1,19 @@
---
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.0.0/16
- rule: allow
to_port: 5000
protocol: tcp
comment: 'rss-feed-changedetection'
### geerlingguy.munin-node
munin_node_allowed_cidrs: [192.168.0.0/16] # weil der munin-server aus einem anderen subnet zugreift

BIN
keepass_db.kdbx
View File

Binary file not shown.

2
playbooks/base/monitoring.yml
View File

@ -1,5 +1,5 @@
---
- hosts: proxmoxprod
- hosts: production
roles:
- { role: geerlingguy.munin-node,
become: true,

4
roles/mgrote.motd/handlers/main.yml
View File

@ -9,3 +9,7 @@
systemd:
name: sshd
state: restarted
- name: systemctl_reset_failed
become: yes
ansible.builtin.shell: systemctl reset-failed

3
roles/mgrote.motd/tasks/main.yml
View File

@ -99,3 +99,6 @@
path: '/etc/update-motd.d/10-wetter-mgrote'
state: absent
when: not motd_wetter_aktiv
- name: include systemctl tasks
include_tasks: systemctl.yml

32
roles/mgrote.motd/tasks/systemctl.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: stop units
become: yes
ansible.builtin.systemd:
name: motd-news
masked: yes
state: stopped
notify: systemctl_reset_failed
register: scsstop
ignore_errors: true
- name: disable units
become: yes
ansible.builtin.shell: systemctl disable motd-news
when: scsstop.changed
- name: Remove files
become: yes
ansible.builtin.file:
path:
- rm /etc/systemd/system/motd-news
- rm /usr/lib/systemd/system/motd-news
state: absent
- name: force systemd to reread configs
become: yes
ansible.builtin.systemd:
daemon_reload: yes
when: scsstop.changed
# https://superuser.com/questions/513159/how-to-remove-systemd-services