diff --git a/group_vars/acng.yml b/group_vars/acng.yml index b29427ca..31996ea8 100644 --- a/group_vars/acng.yml +++ b/group_vars/acng.yml @@ -6,6 +6,11 @@ protocol: tcp comment: 'ssh' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 - rule: allow to_port: 9999 from_ip: 192.168.2.0/24 @@ -15,3 +20,19 @@ acng_server_exthreshold: "60" #hebt Pakete 60 Tage auf acng_server_auth_user: acngadmin acng_server_auth_pass: "{{ lookup('keepass', 'acng_webinterface', 'password') }}" + ### geerlingguy.munin-node + munin_node_plugins: + - name: chrony + - name: systemd_status + - name: lvm_ + - name: acng + munin_node_install_plugins: # in eigenes Repo gesichert + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_ + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/acng + munin_node_config: { + "acng": { + "env.logfile /var/log/apt-cacher-ng/apt-cacher.log" + } + } diff --git a/group_vars/all.yml b/group_vars/all.yml index 73daf9e8..d70e9da5 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
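Review bot: The new ufw rule's `from_ip: 192.168.2.144/24` combines a host address with a /24 mask, and ufw/iptables normalise that to the 192.168.2.0/24 network, so the rule admits every host on the subnet rather than the single munin server that the `'munin'` comment and the `.144` address suggest. Either write the network consistently, as the neighbouring `ssh` rule does with `from_ip: 192.168.2.0/24`, or scope it to the server with `from_ip: 192.168.2.144/32`, and say in the comment which is intended. The same value appears in the 4949 rules added in the all.yml, dokuwiki.yml, fileserver.yml, gitea.yml, jenkins.yml, ntpserver.yml and pihole.yml hunks, so whichever form is chosen should be applied to all of them.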
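Review bot: The `munin_node_config` entry `"env.logfile /var/log/apt-cacher-ng/apt-cacher.log"` is a lone string inside a flow mapping, so YAML reads it as a key with a null value, not as a setting name and value; the existing proxmox entry shows the intended shape, `"env.host": "pve2.grote.lan"`. Change it to `"env.logfile": "/var/log/apt-cacher-ng/apt-cacher.log"`, and the `"lvm_": { "user munin" }` entry in the all.yml hunk likewise to `"user": "munin"`. How the role's template renders a null value is not visible here, but it is unlikely to produce the `env.logfile /var/...` line the plugin expects.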
@@ -5,6 +5,45 @@ #----------------------------------------------------------------# # This file is managed with ansible! # #----------------------------------------------------------------# + ### geerlingguy.munin-node + munin_node_bind_host: "0.0.0.0" + munin_node_bind_port: "4949" + munin_node_allowed_cidrs: [192.168.2.0/24] + munin_node_remove_plugins: + - name: meminfo # zu hohe last + - name: hddtemp2 # ersetzt durch hddtemp_smartctl + - name: squid_cache + - name: squid_objectsize + - name: squid_requests + - name: squid_traffic + - name: nfsd + - name: samba + - name: nfsd4 + - name: ntp # verursacht zu viele dns ptr request + - name: cronjobs + - name: hddtempd # ersetzt durch hddtemp_smartctl + - name: ipmi_power # für pve2, leeres diagramm + - name: fail2ban + - name: fail2ban_ + - name: apcupsd_pct + - name: kvm_io + - name: kvm_cpu + - name: docker_mem + - name: docker_cpu + munin_node_plugins: + - name: chrony + - name: systemd_status + - name: lvm_ + munin_node_install_plugins: # in eigenes Repo gesichert + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_ + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status + munin_node_config: { + "lvm_": { + "user munin" + } + } + ### mgrote.dotfiles dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles dotfiles_repo_path: /home/mg/dotfiles @@ -76,6 +115,11 @@ protocol: tcp comment: 'ssh' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 ufw_default_incoming_policy: deny ufw_default_outgoing_policy: allow ### ryandaniels.create_users 
@@ -87,11 +131,20 @@ use_sudo: yes use_sudo_nopass: yes user_state: present - groups: ssh, sudo + groups: ssh, sudo, docker servers: - production - test - laptop + - username: munin + password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}" + update_password: always + use_sudo: yes + use_sudo_nopass: yes + user_state: present + groups: root, docker + servers: + - production - username: root password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}" update_password: on_create diff --git a/group_vars/docker.yml b/group_vars/docker.yml index e7967da6..78a578aa 100644 --- a/group_vars/docker.yml +++ b/group_vars/docker.yml @@ -1,15 +1,4 @@ --- - ### oefenweb.ufw - ufw_rules: - - rule: allow - to_port: 22 - protocol: tcp - comment: 'ssh' - from_ip: 192.168.2.0/24 - - rule: allow - to_port: 5000 - protocol: tcp - comment: 'rss-feed-changedetection' ### geerlingguy.docker docker_users: - mg 
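Review bot: The new `munin` account is given `groups: root, docker` together with `use_sudo: yes` and `use_sudo_nopass: yes`, which makes a monitoring service account root-equivalent without a password prompt (membership in `docker` alone is enough to obtain root through the daemon socket). The role already offers a per-plugin `user` setting in `munin_node_config`, as the `lvm_` entry earlier in this file uses, so most plugins can be run under the specific user they need without granting the account sudo or the `root`/`docker` groups. Unless a specific plugin has been shown to require these rights, I would drop `use_sudo`, `use_sudo_nopass` and the `root`/`docker` groups, and record in a comment above the entry which plugin drives each remaining privilege. The same applies to adding `docker` to the `mg` user's `groups: ssh, sudo, docker` line, which is reasonable for an interactive admin but worth a comment.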
@@ -30,27 +19,3 @@ /var/lib/docker/volumes/docker-photoprism_pp_smb_bilder***/** # https://github.com/restic/restic/issues/1005 # https://forum.restic.net/t/exclude-syntax-confusion/1531/12 - ### ryandaniels.create_users - users: - - username: mg - password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}" - update_password: on_create - ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAp7z2WWUS626wY4laQJNGVYs5uOowrSOjd9RLsoPV5GWU46lsD+Q7CblqcBflvkzFiU16bzI0QZcQ9YP5M5LcYreCqCIq2HdeA4/hgIhlBGAzgp4mK8gZsEoCd2rs5888RA8T/oGnAoP0FXBegm2XmXTmt3826ZZUektCanSipMzrT3XUDZDnf1sTY60Fu8GK4hcRIFI7spM0u9upCYXVOrygBmoBQ5GlOyGEPyXs1Am/PERcVZFUPS0mGJ0COVCgEOaVvM8kEn5dK/QpmKqE8OMBsRdQ51pj9BMLNz/0IRnF6OxHDfEyLuqNPZuuBZc+/pULaZefCgjKGL1zXIFFlw== #generieren: ssh-keygen -o; für putty ändern https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/ggcs/Change_private_key_format_for_Putty/Change_private_key_format_for_Putty.html#section2 - use_sudo: yes - use_sudo_nopass: yes - user_state: present - groups: ssh, sudo, docker - servers: - - production - - test - - username: ansible-user - password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}" - update_password: on_create - ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2 - use_sudo: yes - use_sudo_nopass: yes - user_state: present - groups: ssh, sudo - servers: - - production - - test diff --git a/group_vars/dokuwiki.yml b/group_vars/dokuwiki.yml index 732a47ab..aa131f97 100644 --- a/group_vars/dokuwiki.yml +++ b/group_vars/dokuwiki.yml 
@@ -12,3 +12,8 @@ to_port: 80 comment: 'dokuwiki-webserver' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 diff --git a/group_vars/fileserver.yml b/group_vars/fileserver.yml index 538af4fa..bfca4735 100644 --- a/group_vars/fileserver.yml +++ b/group_vars/fileserver.yml @@ -110,3 +110,22 @@ to_port: 139 comment: 'smb' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 + + ### geerlingguy.munin-node + munin_node_plugins: + - name: chrony + - name: systemd_status + - name: lvm_ + - name: samba_locked + - name: samba_users + munin_node_install_plugins: # in eigenes Repo gesichert + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_ + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/samba_locked + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/samba_users diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml index 8199bd92..0352ea1f 100644 --- a/group_vars/gitea.yml +++ b/group_vars/gitea.yml @@ -18,6 +18,11 @@ protocol: tcp comment: 'gitea' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 ### tmaurice.gitea gitea_version: "1.13.7" gitea_app_name: "Gitea" diff --git a/group_vars/jenkins.yml b/group_vars/jenkins.yml index 31c53151..c8618951 100644 --- a/group_vars/jenkins.yml +++ b/group_vars/jenkins.yml @@ -18,6 +18,11 @@ to_port: 8080 comment: 'jenkins' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 ### mgrote.restic restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins ### geerlingguy.pip 
diff --git a/group_vars/ntpserver.yml b/group_vars/ntpserver.yml index 407e2713..e734981b 100644 --- a/group_vars/ntpserver.yml +++ b/group_vars/ntpserver.yml @@ -10,6 +10,11 @@ to_port: 123 comment: 'ntp' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 ### mgrote.ntp_chrony_server ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile diff --git a/group_vars/pihole.yml b/group_vars/pihole.yml index 5e8c0abb..dea25bf1 100644 --- a/group_vars/pihole.yml +++ b/group_vars/pihole.yml @@ -10,6 +10,11 @@ to_port: 80 comment: 'pihole-webgui' from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.2.144/24 - rule: allow to_port: 53 comment: 'pihole-dns' diff --git a/group_vars/proxmox.yml b/group_vars/proxmox.yml index de45ce26..c122135e 100644 --- a/group_vars/proxmox.yml +++ b/group_vars/proxmox.yml @@ -12,10 +12,10 @@ ### mgrote.apcupsd apcupsd_slave_polltime: 10 #in Sekunden ### geerlingguy.munin-node - munin_node_bind_host: "0.0.0.0" - munin_node_bind_port: "4949" - munin_node_allowed_cidrs: [192.168.2.0/24] munin_node_plugins: + - name: chrony + - name: systemd_status + - name: lvm_ - name: apc_nis - name: hddtemp_smartctl - name: zpool_iostat @@ -23,7 +23,9 @@ - name: zfs_arcstats - name: zfs_list - name: zpool_capacity - - name: fail2ban_ + - name: kvm_mem + - name: kvm_net + - name: apcupsd_pwr munin_node_config: { "apc_nis": { "env.host": "pve2.grote.lan", 
@@ -31,25 +33,17 @@ } } munin_node_install_plugins: # in eigenes Repo gesichert + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_ + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_arcstats - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfsonlinux_stats_ - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_iostat - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_list - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_capacity - - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/fail2ban_ - munin_node_remove_plugins: - - name: meminfo # zu hohe last - - name: hddtemp2 # ersetzt durch hddtemp_smartctl - - name: squid_cache - - name: squid_objectsize - - name: squid_requests - - name: squid_traffic - - name: nfsd - - name: nfsd4 - - name: ntp # verursacht zu viele dns ptr request - - name: cronjobs - - name: hddtempd # ersetzt durch hddtemp_smartctl - - name: ipmi_power # für pve2, leeres diagramm + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/kvm_mem + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/kvm_net + - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/apcupsd_pwr # Ansible Variablen ### sudo diff --git a/host_vars/docker.grote.lan.yml b/host_vars/docker.grote.lan.yml new file mode 100644 index 00000000..394a780c --- /dev/null +++ b/host_vars/docker.grote.lan.yml 
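Review bot: The added `remote_src` entries fetch plugin scripts from `.../raw/branch/master/...` at playbook time and install them as executables on every host, so what gets deployed is whatever the `master` branch holds at that moment and cannot be verified after the fact. If the role's download task passes a `checksum` through, add one per entry; otherwise reference a tag or commit in the URL instead of `master` so the deployed content is pinned. This applies equally to the install lists added in the acng.yml, all.yml and fileserver.yml hunks.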
@@ -0,0 +1,19 @@ +--- + ### oefenweb.ufw + ufw_rules: + - rule: allow + to_port: 22 + protocol: tcp + comment: 'ssh' + from_ip: 192.168.2.0/24 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 192.168.0.0/16 + - rule: allow + to_port: 5000 + protocol: tcp + comment: 'rss-feed-changedetection' + ### geerlingguy.munin-node + munin_node_allowed_cidrs: [192.168.0.0/16] # weil der munin-server aus einem anderen subnet zugreift diff --git a/keepass_db.kdbx b/keepass_db.kdbx index 75bbd81f..38dcf2c8 100644 Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ diff --git a/playbooks/base/monitoring.yml b/playbooks/base/monitoring.yml index b321067a..c1155736 100644 --- a/playbooks/base/monitoring.yml +++ b/playbooks/base/monitoring.yml @@ -1,5 +1,5 @@ --- - - hosts: proxmoxprod + - hosts: production roles: - { role: geerlingguy.munin-node, become: true, diff --git a/roles/mgrote.motd/handlers/main.yml b/roles/mgrote.motd/handlers/main.yml index e9795db9..6cbb0aac 100644 --- a/roles/mgrote.motd/handlers/main.yml +++ b/roles/mgrote.motd/handlers/main.yml @@ -9,3 +9,7 @@ systemd: name: sshd state: restarted + + - name: systemctl_reset_failed + become: yes + ansible.builtin.shell: systemctl reset-failed diff --git a/roles/mgrote.motd/tasks/main.yml b/roles/mgrote.motd/tasks/main.yml index 67fa6870..953c2019 100644 --- a/roles/mgrote.motd/tasks/main.yml +++ b/roles/mgrote.motd/tasks/main.yml @@ -99,3 +99,6 @@ path: '/etc/update-motd.d/10-wetter-mgrote' state: absent when: not motd_wetter_aktiv + + - name: include systemctl tasks + include_tasks: systemctl.yml diff --git a/roles/mgrote.motd/tasks/systemctl.yml b/roles/mgrote.motd/tasks/systemctl.yml new file mode 100644 index 00000000..85aa0d15 --- /dev/null +++ b/roles/mgrote.motd/tasks/systemctl.yml 
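Review bot: `from_ip: 192.168.0.0/16` on the 4949 rule and `munin_node_allowed_cidrs: [192.168.0.0/16]` open the node to the whole 192.168.0.0/16 range, while the comment says the reason is a single munin server in another subnet. The narrower fix is that server's own address or its subnet, e.g. `from_ip: <munin-server-address>/32` (placeholder) in both places, with the comment naming which subnet it lives in. The `to_port: 5000` rule carried over from group_vars/docker.yml has no `from_ip`, which in this role presumably defaults to any source; since the list is now per-host, scoping it to `192.168.2.0/24` like the other rules would be consistent.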
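Review bot: The new handler uses `ansible.builtin.shell: systemctl reset-failed` for a single command that needs no shell features; `ansible.builtin.command: systemctl reset-failed` does the same without invoking a shell and is what ansible-lint's command-instead-of-shell rule expects. As written the handler will report changed on every run it is triggered, so `changed_when: false` keeps the summary accurate.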
@@ -0,0 +1,32 @@ +--- + - name: stop units + become: yes + ansible.builtin.systemd: + name: motd-news + masked: yes + state: stopped + notify: systemctl_reset_failed + register: scsstop + ignore_errors: true + + - name: disable units + become: yes + ansible.builtin.shell: systemctl disable motd-news + when: scsstop.changed + + - name: Remove files + become: yes + ansible.builtin.file: + path: + - rm /etc/systemd/system/motd-news + - rm /usr/lib/systemd/system/motd-news + state: absent + + - name: force systemd to reread configs + become: yes + ansible.builtin.systemd: + daemon_reload: yes + when: scsstop.changed + + +# https://superuser.com/questions/513159/how-to-remove-systemd-services
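Review bot: The `Remove files` task passes `path:` a list whose items are shell commands (`- rm /etc/systemd/system/motd-news`), but `ansible.builtin.file` takes a single path, so the task either errors on the type or is coerced to a nonsense path that is already absent, and the unit files are never removed; the rewrite below loops over the bare paths. Two smaller points in the same file: `ignore_errors: true` on `stop units` hides a real failure while `when: scsstop.changed` still gates the later tasks on its result, so narrowing it with a `failed_when` that only tolerates the unit-not-found case would be safer; and `ansible.builtin.shell: systemctl disable motd-news` can be `ansible.builtin.command: systemctl disable motd-news` since no shell features are used. Note that `masked: yes` creates a symlink under /etc/systemd/system, so the order of masking and then deleting the /etc path is worth a comment stating which artefact each step is meant to remove.
```yaml
# … unchanged: stop units, disable units …

- name: Remove files
  become: yes
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/systemd/system/motd-news
    - /usr/lib/systemd/system/motd-news

# … unchanged: force systemd to reread configs …
```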