munin (#116)

motd unit house plugins vereinheitlicht aufräumen user vereinheitlicht samba users aufgeräumt aussortiert apc pwr systemd plugin kvm plugins lvm plguin acng plugin munin user chrony fur alle gruppe playbook docker vars playbook firewall munin für alle Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#116 Co-Authored-By: mg <mg@noreply.git.mgrote.net> Co-Committed-By: mg <mg@noreply.git.mgrote.net>
2021-06-16 21:57:28 +02:00 · 2021-06-16 21:57:28 +02:00 · 416c36f97c
commit 416c36f97c
parent 44022ed0a8
16 changed files with 190 additions and 55 deletions
--- a/group_vars/acng.yml
+++ b/group_vars/acng.yml
@ -6,6 +6,11 @@
      protocol: tcp
      comment: 'ssh'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
    - rule: allow
      to_port: 9999
      from_ip: 192.168.2.0/24
@ -15,3 +20,19 @@
  acng_server_exthreshold: "60" #hebt Pakete 60 Tage auf
  acng_server_auth_user: acngadmin
  acng_server_auth_pass: "{{ lookup('keepass', 'acng_webinterface', 'password') }}"
  ### geerlingguy.munin-node
  munin_node_plugins:
    - name: chrony
    - name: systemd_status
    - name: lvm_
    - name: acng
  munin_node_install_plugins: # in eigenes Repo gesichert
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/acng
  munin_node_config: {
  "acng": {
    "env.logfile /var/log/apt-cacher-ng/apt-cacher.log"
    }
  }
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -5,6 +5,45 @@
    #----------------------------------------------------------------#
    #              This file is managed with ansible!                #
    #----------------------------------------------------------------#
  ### geerlingguy.munin-node
  munin_node_bind_host: "0.0.0.0"
  munin_node_bind_port: "4949"
  munin_node_allowed_cidrs: [192.168.2.0/24]
  munin_node_remove_plugins:
    - name: meminfo # zu hohe last
    - name: hddtemp2 # ersetzt durch hddtemp_smartctl
    - name: squid_cache
    - name: squid_objectsize
    - name: squid_requests
    - name: squid_traffic
    - name: nfsd
    - name: samba
    - name: nfsd4
    - name: ntp # verursacht zu viele dns ptr request
    - name: cronjobs
    - name: hddtempd # ersetzt durch hddtemp_smartctl
    - name: ipmi_power # für pve2, leeres diagramm
    - name: fail2ban
    - name: fail2ban_
    - name: apcupsd_pct
    - name: kvm_io
    - name: kvm_cpu
    - name: docker_mem
    - name: docker_cpu
  munin_node_plugins:
    - name: chrony
    - name: systemd_status
    - name: lvm_
  munin_node_install_plugins: # in eigenes Repo gesichert
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
  munin_node_config: {
  "lvm_": {
    "user munin"
    }
  }
  ### mgrote.dotfiles
  dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
  dotfiles_repo_path: /home/mg/dotfiles
@ -76,6 +115,11 @@
      protocol: tcp
      comment: 'ssh'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
  ufw_default_incoming_policy: deny
  ufw_default_outgoing_policy: allow
  ### ryandaniels.create_users
@ -87,11 +131,20 @@
      use_sudo: yes
      use_sudo_nopass: yes
      user_state: present
-      groups: ssh, sudo
+      groups: ssh, sudo, docker
      servers:
        - production
        - test
        - laptop
    - username: munin
      password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
      update_password: always
      use_sudo: yes
      use_sudo_nopass: yes
      user_state: present
      groups: root, docker
      servers:
        - production
    - username: root
      password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
      update_password: on_create
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@ -1,15 +1,4 @@
 ---
  ### oefenweb.ufw
  ufw_rules:
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 5000
      protocol: tcp
      comment: 'rss-feed-changedetection'
  ### geerlingguy.docker
  docker_users:
    - mg
@ -30,27 +19,3 @@
        /var/lib/docker/volumes/docker-photoprism_pp_smb_bilder***/**
        # https://github.com/restic/restic/issues/1005
        # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
  ### ryandaniels.create_users
  users:
    - username: mg
      password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
      update_password: on_create
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAp7z2WWUS626wY4laQJNGVYs5uOowrSOjd9RLsoPV5GWU46lsD+Q7CblqcBflvkzFiU16bzI0QZcQ9YP5M5LcYreCqCIq2HdeA4/hgIhlBGAzgp4mK8gZsEoCd2rs5888RA8T/oGnAoP0FXBegm2XmXTmt3826ZZUektCanSipMzrT3XUDZDnf1sTY60Fu8GK4hcRIFI7spM0u9upCYXVOrygBmoBQ5GlOyGEPyXs1Am/PERcVZFUPS0mGJ0COVCgEOaVvM8kEn5dK/QpmKqE8OMBsRdQ51pj9BMLNz/0IRnF6OxHDfEyLuqNPZuuBZc+/pULaZefCgjKGL1zXIFFlw==  #generieren: ssh-keygen -o; für putty ändern https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/ggcs/Change_private_key_format_for_Putty/Change_private_key_format_for_Putty.html#section2
      use_sudo: yes
      use_sudo_nopass: yes
      user_state: present
      groups: ssh, sudo, docker
      servers:
        - production
        - test
    - username: ansible-user
      password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
      update_password: on_create
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
      use_sudo: yes
      use_sudo_nopass: yes
      user_state: present
      groups: ssh, sudo
      servers:
        - production
        - test
--- a/group_vars/dokuwiki.yml
+++ b/group_vars/dokuwiki.yml
@ -12,3 +12,8 @@
      to_port: 80
      comment: 'dokuwiki-webserver'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
--- a/group_vars/fileserver.yml
+++ b/group_vars/fileserver.yml
@ -110,3 +110,22 @@
      to_port: 139
      comment: 'smb'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
  ### geerlingguy.munin-node
  munin_node_plugins:
    - name: chrony
    - name: systemd_status
    - name: lvm_
    - name: samba_locked
    - name: samba_users
  munin_node_install_plugins: # in eigenes Repo gesichert
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/samba_locked
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/samba_users
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -18,6 +18,11 @@
      protocol: tcp
      comment: 'gitea'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
  ### tmaurice.gitea
  gitea_version: "1.13.7"
  gitea_app_name: "Gitea"
--- a/group_vars/jenkins.yml
+++ b/group_vars/jenkins.yml
@ -18,6 +18,11 @@
      to_port: 8080
      comment: 'jenkins'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
  ### mgrote.restic
  restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins
  ### geerlingguy.pip
--- a/group_vars/ntpserver.yml
+++ b/group_vars/ntpserver.yml
@ -10,6 +10,11 @@
      to_port: 123
      comment: 'ntp'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
  ### mgrote.ntp_chrony_server
  ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
  ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
--- a/group_vars/pihole.yml
+++ b/group_vars/pihole.yml
@ -10,6 +10,11 @@
      to_port: 80
      comment: 'pihole-webgui'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
    - rule: allow
      to_port: 53
      comment: 'pihole-dns'
--- a/group_vars/proxmox.yml
+++ b/group_vars/proxmox.yml
@ -12,10 +12,10 @@
  ### mgrote.apcupsd
  apcupsd_slave_polltime: 10 #in Sekunden
  ### geerlingguy.munin-node
  munin_node_bind_host: "0.0.0.0"
  munin_node_bind_port: "4949"
  munin_node_allowed_cidrs: [192.168.2.0/24]
  munin_node_plugins:
    - name: chrony
    - name: systemd_status
    - name: lvm_
    - name: apc_nis
    - name: hddtemp_smartctl
    - name: zpool_iostat
@ -23,7 +23,9 @@
    - name: zfs_arcstats
    - name: zfs_list
    - name: zpool_capacity
-    - name: fail2ban_
+    - name: kvm_mem
    - name: kvm_net
    - name: apcupsd_pwr
  munin_node_config: {
  "apc_nis": {
    "env.host": "pve2.grote.lan",
@ -31,25 +33,17 @@
    }
  }
  munin_node_install_plugins: # in eigenes Repo gesichert
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_arcstats
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfsonlinux_stats_
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_iostat
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_list
    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_capacity
-    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/fail2ban_
+    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/kvm_mem
-  munin_node_remove_plugins:
+    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/kvm_net
-    - name: meminfo # zu hohe last
+    - remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/apcupsd_pwr
    - name: hddtemp2 # ersetzt durch hddtemp_smartctl
    - name: squid_cache
    - name: squid_objectsize
    - name: squid_requests
    - name: squid_traffic
    - name: nfsd
    - name: nfsd4
    - name: ntp # verursacht zu viele dns ptr request
    - name: cronjobs
    - name: hddtempd # ersetzt durch hddtemp_smartctl
    - name: ipmi_power # für pve2, leeres diagramm
  # Ansible Variablen
  ### sudo
--- a/host_vars/docker.grote.lan.yml
+++ b/host_vars/docker.grote.lan.yml
@ -0,0 +1,19 @@
 ---
  ### oefenweb.ufw
  ufw_rules:
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 192.168.2.0/24
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.0.0/16
    - rule: allow
      to_port: 5000
      protocol: tcp
      comment: 'rss-feed-changedetection'
  ### geerlingguy.munin-node
  munin_node_allowed_cidrs: [192.168.0.0/16] # weil der munin-server aus einem anderen subnet zugreift
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx
--- a/playbooks/base/monitoring.yml
+++ b/playbooks/base/monitoring.yml
@ -1,5 +1,5 @@
 ---
-  - hosts: proxmoxprod
+  - hosts: production
    roles:
      - { role: geerlingguy.munin-node,
        become: true,
--- a/roles/mgrote.motd/handlers/main.yml
+++ b/roles/mgrote.motd/handlers/main.yml
@ -9,3 +9,7 @@
    systemd:
      name: sshd
      state: restarted
  - name: systemctl_reset_failed
    become: yes
    ansible.builtin.shell: systemctl reset-failed
--- a/roles/mgrote.motd/tasks/main.yml
+++ b/roles/mgrote.motd/tasks/main.yml
@ -99,3 +99,6 @@
      path: '/etc/update-motd.d/10-wetter-mgrote'
      state: absent
    when: not motd_wetter_aktiv
  - name: include systemctl tasks
    include_tasks: systemctl.yml
--- a/roles/mgrote.motd/tasks/systemctl.yml
+++ b/roles/mgrote.motd/tasks/systemctl.yml
@ -0,0 +1,32 @@
 ---
  - name: stop units
    become: yes
    ansible.builtin.systemd:
      name: motd-news
      masked: yes
      state: stopped
    notify: systemctl_reset_failed
    register: scsstop
    ignore_errors: true
  - name: disable units
    become: yes
    ansible.builtin.shell: systemctl disable motd-news
    when: scsstop.changed
  - name: Remove files
    become: yes
    ansible.builtin.file:
      path:
        - rm /etc/systemd/system/motd-news
        - rm /usr/lib/systemd/system/motd-news
      state: absent
  - name: force systemd to reread configs
    become: yes
    ansible.builtin.systemd:
      daemon_reload: yes
    when: scsstop.changed
 # https://superuser.com/questions/513159/how-to-remove-systemd-services