Puppet Icinga2 profile
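# @summary Configures an Icinga 2 agent / satellite node.
#
# Included for normal nodes, via base.pp and a boolean in Hiera.
#
# @param parent_endpoints
#   Hash of icinga2::object::endpoint resources (title => attributes) for the
#   parent zone. Its keys are also used as the parent zone's endpoint list.
# @param parent_zone
#   Name of the zone this node reports to.
# @param zone_name
#   Name of the local zone declared in the api feature.
# @param apiuser_name
#   When set to a name, an ApiUser object with that name is created.
# @param apiuser_password
#   Password of that ApiUser.
#   NOTE(review): untyped and not wrapped in Sensitive, so the value is handled
#   as a plain string in this class.
# @param manage_repo
#   Passed through to the icinga2 class.
# @param features
#   Feature list passed through to the icinga2 class.
# @param agent_ip
#   Not referenced anywhere in this class body.
class profile::icinga2::agent(
  Hash                       $parent_endpoints,
  String                     $parent_zone,
  String                     $zone_name        = 'ZoneName',
  $apiuser_name                                = false,
  $apiuser_password                            = false,
  Boolean                    $manage_repo      = $profile::icinga2::params::manage_repo,
  Array                      $features         = ['mainlog'],
  Stdlib::Compat::Ip_address $agent_ip         = $::default_ipaddress,
) inherits ::profile::icinga2::params {

  class { '::icinga2':
    manage_repo => $manage_repo,
    confd       => false,
    features    => $features,
    require     => Exec['apt_update'],
  }

  # The `Hash` data type on $parent_endpoints already rejects anything that is
  # not a hash, so the former validate_hash() call was redundant.

  # Feature: api
  # accept_config / accept_commands let the parent zone push configuration to
  # this node and run commands on it, so the node trusts whoever holds a valid
  # certificate for a parent endpoint.
  class { '::icinga2::feature::api':
    ca_host         => 'mon-01.example.com',
    pki             => 'icinga2',
    accept_config   => true,
    accept_commands => true,
    # Raised from TLSv1.1: TLS 1.0 and 1.1 are deprecated.
    ssl_protocolmin => 'TLSv1.2',
    # The previous list started from ALL and excluded only ADH, which leaves
    # anonymous ECDH suites selectable on OpenSSL builds that ship them, and it
    # named RC4 explicitly. Start from HIGH and exclude every unauthenticated
    # or legacy family instead.
    ssl_cipher_list => 'HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES',
    zones           => {
      $zone_name => {
        'endpoints' => [ 'NodeName' ],
        'parent'    => $parent_zone,
      },
    },
  }

  # Create an API user, used to submit passive check results.
  # NOTE(review): permissions '*' grants the whole API. If the user really only
  # submits passive results, `actions/process-check-result` would be enough;
  # confirm what else uses this account before narrowing it.
  # NOTE(review): the target is under conf.d while the icinga2 class above is
  # declared with `confd => false`; verify that this file is actually loaded.
  if $apiuser_name {
    ::icinga2::object::apiuser { $apiuser_name:
      ensure      => 'present',
      password    => $apiuser_password,
      permissions => ['*'],
      target      => '/etc/icinga2/conf.d/api-users.conf',
    }
  }

  # Global zones
  ::icinga2::object::zone { 'linux-commands':
    global => true,
    order  => '47',
  }

  ::icinga2::object::zone { 'global-templates':
    global => true,
    order  => '48',
  }

  ::icinga2::object::zone { 'director-global':
    global => true,
    order  => '49',
  }

  # Parent endpoints and the parent zone built from the same hash.
  create_resources('icinga2::object::endpoint', $parent_endpoints)

  ::icinga2::object::zone { $parent_zone:
    endpoints => keys($parent_endpoints),
  }

  contain ::profile::icinga2::plugins

  # NOTE(review): neither rule sets `source` / `destination`, so 5665/tcp is
  # accepted from and to any address. Restricting the rules to the parent
  # endpoints' addresses would narrow the exposure of the API port.
  firewall { '500 allow incoming Icinga2 connections':
    dport  => [5665],
    proto  => 'tcp',
    action => 'accept',
  }

  firewall { '501 allow outgoing Icinga2 connections':
    chain  => 'OUTPUT',
    dport  => [5665],
    proto  => 'tcp',
    action => 'accept',
  }
}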
# Service checks and apply rules, shipped below the global-templates zone
# directory.
class profile::icinga2::applyrules {
  $templates    = '/etc/icinga2/zones.d/global-templates'
  $master_confd = '/etc/icinga2/zones.d/master/conf.d'
  $rules_dir    = "${templates}/applyrules.d"

  # NOTE(review): `purge => true` is set without `recurse => true` on both
  # directories; as far as the file type goes, purge only acts together with
  # recurse, so unmanaged files are presumably left in place. Confirm intent.
  file { $rules_dir:
    ensure => directory,
    owner  => 'nagios',
    group  => 'nagios',
    mode   => '0750',
    purge  => true,
  }

  file { $master_confd:
    ensure => directory,
    owner  => 'nagios',
    group  => 'nagios',
    mode   => '0750',
    purge  => true,
  }
  -> file { "${rules_dir}/service_icinga_cluster_check.conf":
    ensure => file,
    owner  => 'nagios',
    group  => 'nagios',
    tag    => 'icinga2::config::file',
    source => 'puppet:///modules/icinga_checks/services/service_check_icinga2_cluster.conf',
  }

  # The remaining rule files share everything except their source.
  # No `mode` is set on any rule file, so the file mode is not managed here.
  # NOTE(review): service_check_snmp.conf carries the tag
  # 'icinga2::config::exported' where its siblings use 'icinga2::config::file';
  # verify that this difference is intended.
  file {
    default:
      ensure => file,
      owner  => 'nagios',
      group  => 'nagios',
      tag    => 'icinga2::config::file';

    "${rules_dir}/service_check_linux_base.conf":
      source => 'puppet:///modules/icinga_checks/services/service_check_linux_base.conf';

    "${rules_dir}/service_check_nwc_health.conf":
      source => 'puppet:///modules/icinga_checks/services/service_check_nwc_health.conf';

    "${rules_dir}/service_check_snmp.conf":
      tag    => 'icinga2::config::exported',
      source => 'puppet:///modules/icinga_checks/services/service_check_snmp.conf';
  }
  # ...
}
# Base class, applied to all our Puppet nodes.
#
# @param icinga2_agent
#   When true, profile::icinga2::agent is included. Defaults to false, so a
#   node only becomes an Icinga agent when Hiera sets base::icinga2_agent.
class base (
  $icinga2_agent = false,
) {
  # The `...` below stands for the parts of the class left out of this listing;
  # it is not Puppet syntax.
  ...
  # profile::icinga2::agent is pulled in with `include`, so its parameters
  # (parent_endpoints and parent_zone have no default) must come from Hiera.
  if $icinga2_agent { include profile::icinga2::agent }
}
# Custom CheckCommand definitions and overrides of ITL commands, written below
# the global-templates zone directory.
class profile::icinga2::checkcommands {
  $templates    = '/etc/icinga2/zones.d/global-templates'
  $commands     = "${templates}/commands.d"
  $master_confd = '/etc/icinga2/zones.d/master/conf.d'

  # NOTE(review): `purge => true` without `recurse => true`; verify whether
  # unmanaged files in commands.d are really meant to be removed.
  file { $commands:
    ensure => directory,
    owner  => 'nagios',
    group  => 'nagios',
    mode   => '0750',
    purge  => true,
  }

  # Static command files that extend ITL commands. All four share owner, group
  # and tag; none of them sets a mode.
  file {
    default:
      ensure => file,
      owner  => 'nagios',
      group  => 'nagios',
      tag    => 'icinga2::config::file';

    # Extend check_mysql_health ITL
    "${commands}/check-custom-mysql-health.conf":
      source => 'puppet:///modules/icinga_checks/commands/check_custom_mysql_health.conf';

    # Extend check_mongodb.py ITL
    "${commands}/check-custom-mongodb.conf":
      source => 'puppet:///modules/icinga_checks/commands/check_custom_mongodb.conf';

    # Extend check_squid ITL
    "${commands}/check-custom-squid.conf":
      source => 'puppet:///modules/icinga_checks/commands/check_custom_squid.conf';

    # Extend check_apt ITL
    "${commands}/check-custom-apt.conf":
      source => 'puppet:///modules/icinga_checks/commands/check_custom_apt.conf';
  }

  # Directory first, then the files in the order they were originally chained.
  File[$commands]
  -> File["${commands}/check-custom-mysql-health.conf"]
  -> File["${commands}/check-custom-mongodb.conf"]
  -> File["${commands}/check-custom-squid.conf"]
  -> File["${commands}/check-custom-apt.conf"]

  # Used for other disks
  icinga2::object::checkcommand { 'check-smart':
    import    => ['plugin-check-command'],
    command   => ['PluginDir + /3dparty/check_smart'],
    arguments => {
      '-d' => '$smart_device$',
      '-i' => '$smart_interface$',
      '-b' => '$smart_bad_threshold$',
    },
    vars      => {
      'smart_device'    => '/dev/sda',
      'smart_interface' => 'scsi',
    },
    target    => "${commands}/check-smart-command.conf",
  }

  # Crucial health check
  # NOTE(review): crucial_sudo defaults to true, so `-s` is passed on every
  # run; presumably the plugin then escalates through the sudoers entry that
  # profile::icinga2::plugins installs for nagios. Keep that entry limited to
  # the exact plugin paths.
  # NOTE(review): this object writes to the same target file as check-smart;
  # confirm that sharing check-smart-command.conf is intended.
  icinga2::object::checkcommand { 'check-crucial-ssd':
    import    => ['plugin-check-command'],
    command   => ['PluginDir + /3dparty/check_crucial'],
    arguments => {
      '-d' => '$smart_device$',
      '-m' => '$crucial_check$',
      '-w' => '$crucial_warning$',
      '-c' => '$crucial_critical$',
      '-s' => { 'set_if' => '$crucial_sudo$' },
    },
    vars      => {
      'smart_device'  => '/dev/sda',
      'crucial_check' => 'health',
      'crucial_sudo'  => true,
    },
    target    => "${commands}/check-smart-command.conf",
  }

  # Used for SSDs
  icinga2::object::checkcommand { 'check-smart-attributes':
    import    => ['plugin-check-command'],
    command   => ['PluginDir + /3dparty/check_smart_attributes/check_smart_attributes'],
    arguments => {
      '-d'      => '$smart_device$',
      '-dbj'    => '$smart_dbj$',
      '-ucfgj'  => '$smart_ucfgj$',
      '-nosudo' => { 'set_if' => '$smart_nosudo$' },
    },
    vars      => {
      'smart_device' => '/dev/sda',
      'smart_dbj'    => '/usr/lib/nagios/plugins/3dparty/check_smart_attributes/check_smartdb.json',
    },
    target    => "${commands}/check-smart-attributes-command.conf",
  }
  # ...
}
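# common.yaml entries, which hold encrypted values
# eyaml edit hieradata/common.eyaml
# ...
#
# The DEC(n)::GPG[...]! values in this listing are the decrypted view that
# `eyaml edit` presents. The file on disk and in version control must only
# ever contain the encrypted ENC[...] form of those values.
---
# Adding common classes
classes:
  # Written as a list item; the bare scalar under `classes:` was not valid YAML.
  - profile::icinga2::repo
# Everything which has the key monitoring:: ... is set up here
# Example:
############################ Monitoring settings ########################
# Icinga Jabber Notification
'monitoring::notification::jabber::host': "jabber.%{hiera('monitoring::domain')}"
'monitoring::notification::jabber::user': "icinga"
'monitoring::domain': 'example.com'
monitoring::ldap::password: DEC(81)::GPG[secret]!
##########################
### MySQL related settings
###########################
'monitoring::mysql::ipaddress': '192.168.1.100'
'monitoring::mysql::port': 3306
##########################
## icinga related settings
##########################
########### Icinga secret ##########
monitoring::icinga::mysql_password: DEC(93)::GPG[secret]!
# Many other values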
# That is the satellite file
# hieradata/node/dc1.example.com.eyaml
# Nesting below is restored from the key order; the listing had lost its
# indentation.
---
classes:
  - profile::base::mailrelay
  - profile::icinga2::agent
profile::icinga2::agent::apiuser_name: "icinga2-api"
# DEC(n)::GPG[...]! is the `eyaml edit` view; stored encrypted on disk.
profile::icinga2::agent::apiuser_password: DEC(3)::GPG[secret]!
profile::icinga2::agent::zone_name: "dc1"
profile::icinga2::agent::parent_zone: "master"
profile::icinga2::agent::features:
  - 'mainlog'
  - 'checker'
profile::icinga2::agent::parent_endpoints:
  'mon-01.example.com':
    ensure: 'present'
  'mon-02.example.com':
    ensure: 'present'
# Required for icinga plugins
packages::install:
  - 'bc'
  - 'libcrypt-rijndael-perl'
# For submitting passive checks
# NOTE(review): '*' grants the complete API to this account. For an account
# that only submits passive results, `actions/process-check-result` would be
# the narrower permission; confirm nothing else relies on it first.
icinga2::object::apiuser:
  'cluster':
    target: '/etc/icinga2/conf.d/api-user.conf'
    apiuser_name: 'cluster'
    password: DEC(7)::GPG["more_secrets"]!
    permissions:
      - '*'
---
# hieradata/datacenter/dc1.yaml
# Set basics for agents
# The parent zone name is assembled from the node's datacenter and rack facts,
# so those facts decide which zone an agent attaches to.
profile::icinga2::agent::parent_zone: "%{::datacenter}-%{::rack}"
profile::icinga2::agent::parent_endpoints:
  'dc1-srv-monproxy.example.com':
    ensure: 'present'
  'dc2-srv-monproxy.example.com':
    ensure: 'present'
# Installs Icinga Web 2 with the monitoring and director modules and wires
# them to the databases and the Icinga 2 API. Every value is read from Hiera.
#
# The three secrets are wrapped in Sensitive at lookup time and unwrapped
# again where they are handed to the icingaweb2 classes, so from that point on
# they travel as plain strings.
# NOTE(review): $web_db_name is declared but never used in the class body.
class profile::icinga2::icingaweb2 (
  String $web_db_name      = hiera('monitoring::icingaweb2::mysql_db'),
  String $web_db_user      = hiera('monitoring::icingaweb2::mysql_user'),
  $web_db_pass             = Sensitive(hiera('monitoring::icingaweb2::mysql_password')),
  String $web_db_host      = hiera('monitoring::mysql::ipaddress'),
  String $ido_db_name      = hiera('monitoring::icinga::mysql_db'),
  String $ido_db_user      = hiera('monitoring::icinga::mysql_user'),
  $ido_db_pass             = Sensitive(hiera('monitoring::icinga::mysql_password')),
  $icinga2_api_pass        = Sensitive(hiera('monitoring::icinga::api::director::password')),
  String $icinga2_api_user = hiera('monitoring::icingaweb2::icinga2::api_user')
) {

  package { 'php-curl':
    ensure => installed,
  }

  class { '::icingaweb2':
    import_schema => true,
    db_type       => 'mysql',
    db_host       => $web_db_host,
    db_username   => $web_db_user,
    db_password   => unwrap($web_db_pass),
  }

  # Monitoring module: IDO database plus the API command transport.
  class { 'icingaweb2::module::monitoring':
    ido_host          => $web_db_host,
    ido_db_name       => $ido_db_name,
    ido_db_username   => $ido_db_user,
    ido_db_password   => unwrap($ido_db_pass),
    commandtransports => {
      icinga2 => {
        transport => 'api',
        username  => $icinga2_api_user,
        password  => unwrap($icinga2_api_pass),
      },
    },
  }
  -> augeas { 'php.ini':
    context => '/files/etc/php.ini/PHP',
    changes => ['set date.timezone Europe/Berlin'],
  }

  # Resources, auth methods and group backends come straight from Hiera;
  # a missing key yields an empty hash and therefore no resources.
  $myresource = hiera('icingaweb2::config::resource', {})
  create_resources('icingaweb2::config::resource', $myresource)

  $myauthconfig = hiera('icingaweb2::config::authmethod', {})
  create_resources('icingaweb2::config::authmethod', $myauthconfig)

  $mygroupconfig = hiera('icingaweb2::config::groupbackend', {})
  create_resources('icingaweb2::config::groupbackend', $mygroupconfig)

  # Roles: merged across the hierarchy, skipped when nothing is defined.
  $icingaweb_roles = hiera_hash('icingaweb2::config::role', undef)
  if $icingaweb_roles {
    create_resources('icingaweb2::config::role', $icingaweb_roles)
  }

  # LiveStatus resources: same pattern as the roles.
  $icingaweb_livestatus = hiera_hash('icingaweb2::config::resource_livestatus', undef)
  if $icingaweb_livestatus {
    create_resources('icingaweb2::config::resource_livestatus', $icingaweb_livestatus)
  }

  contain ::icingaweb2::module::director

  # NOTE(review): no `source` is set, so the web UI is reachable from any
  # address, and port 80 is opened next to 443. A login form should only be
  # served over TLS; check that port 80 merely redirects.
  firewall { '100 allow http and https access':
    dport  => [80, 443],
    proto  => 'tcp',
    action => 'accept',
  }
}
---
# Example role for Hiera
# hieradata/role/mariadb.yaml
# Setting this key makes the base class include profile::icinga2::agent.
base::icinga2_agent: true
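# @summary Configures an Icinga 2 master node.
#
# All parameters default to Hiera lookups. The database password and the
# ticket salt are wrapped in Sensitive and unwrapped where they are passed on.
#
# @param icinga_db_host     Host of the IDO MySQL database.
# @param icinga_db_name     Name of the IDO database.
# @param icinga_db_user     User for the IDO database.
# @param icinga_db_password Password for the IDO database (Sensitive).
# @param ticketsalt         Value of the TicketSalt constant (Sensitive).
class profile::icinga2::master (
  $icinga_db_host     = hiera('monitoring::mysql::ipaddress'),
  $icinga_db_name     = hiera('monitoring::icinga::mysql_db'),
  $icinga_db_user     = hiera('monitoring::icinga::mysql_user'),
  $icinga_db_password = Sensitive(hiera('monitoring::icinga::mysql_password')),
  $ticketsalt         = Sensitive(hiera('monitoring::icinga::api::ticketsalt')),
){

  # The nagios user joins ssl-cert before the icinga2 class is applied.
  user { 'nagios': groups => 'ssl-cert' }
  -> class { '::icinga2':
    manage_repo    => false,
    manage_package => false,
    purge_features => false,
    confd          => true,
    constants      => {
      'ZoneName'   => 'master',
      # The salt is what agent tickets are derived from; treat it like a CA
      # secret.
      'TicketSalt' => $ticketsalt.unwrap,
    },
  }

  class { '::icinga2::feature::idomysql':
    user          => "${icinga_db_user}",
    password      => "${icinga_db_password.unwrap}",
    database      => "${icinga_db_name}",
    host          => "${icinga_db_host}",
    import_schema => true,
    # require => Mysql::Db["${icinga_db_name}"],
    cleanup       => {
      downtimehistory_age      => '48h',
      contactnotifications_age => '31d',
      acknowledgements_age     => '31d',
      logentries_age           => '31d',
      statehistory_age         => '183d',
    },
  }

  # Feature: api
  class { '::icinga2::feature::api':
    accept_commands => true,
    accept_config   => true,
    # Raised from TLSv1.1: TLS 1.0 and 1.1 are deprecated.
    ssl_protocolmin => 'TLSv1.2',
    # The previous list started from ALL and excluded only ADH, which leaves
    # anonymous ECDH suites selectable on OpenSSL builds that ship them, and it
    # named RC4 explicitly. Start from HIGH and exclude every unauthenticated
    # or legacy family instead.
    ssl_cipher_list => 'HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES',
  }

  icinga2::object::zone { ['global-templates', 'director-global']:
    global => true,
    order  => '47',
  }

  # Zone directories
  # NOTE(review): `purge => true` without `recurse => true`; verify whether
  # unmanaged files in these directories are meant to be removed.
  file { ['/etc/icinga2/zones.d/master',
          '/etc/icinga2/zones.d/global-templates']:
    ensure => directory,
    owner  => 'nagios',
    group  => 'nagios',
    mode   => '0750',
    tag    => 'icinga2::config::file',
    purge  => true,
  }

  # Collect services and notifications exported on agent nodes
  # (and not created by the Apply Rules included below).
  #
  # NOTE(review): all four collectors below have an empty query, so they
  # realise every matching resource exported by any node. Exported
  # CheckCommand and NotificationCommand objects define what the master
  # executes, which makes every exporting node part of the master's trust
  # boundary. Filtering the collectors (for example by tag) would limit that.
  file { 'icinga2_services':
    ensure  => directory,
    path    => '/etc/icinga2/conf.d/services',
    purge   => true,
    recurse => true,
  }
  Icinga2::Object::Service <<| |>> { }

  file { 'icinga2_notifications':
    ensure  => directory,
    path    => '/etc/icinga2/conf.d/notifications',
    purge   => true,
    recurse => true,
  }
  Icinga2::Object::Notification <<| |>> { }

  # Collect check and notification commands that are not created by Apply
  file { 'icinga2_commands':
    ensure  => directory,
    path    => '/etc/icinga2/conf.d/commands',
    purge   => true,
    recurse => true,
  }
  Icinga2::Object::Checkcommand <<| |>> { }
  -> Icinga2::Object::NotificationCommand <<| |>> { }

  # Purge default config
  file { [
    '/etc/icinga2/conf.d/notifications.conf',
    '/etc/icinga2/conf.d/groups.conf',
    '/etc/icinga2/conf.d/satellite.conf',
    '/etc/icinga2/conf.d/services.conf',
    '/etc/icinga2/conf.d/users.conf',
    '/etc/icinga2/conf.d/app.conf',
    '/etc/icinga2/conf.d/templates.conf',
    '/etc/icinga2/conf.d/downtimes.conf',
    '/etc/icinga2/conf.d/commands.conf',
    '/etc/icinga2/conf.d/hosts.conf',
  ]:
    ensure => absent,
  }

  # Apply rules for services
  contain profile::icinga2::applyrules

  # Create Icinga hosts from Hiera
  $myicinga2hosts = hiera('icinga2::object::host', {})
  create_resources('icinga2::object::host', $myicinga2hosts)

  # Create API users from Hiera; their permissions are whatever Hiera says.
  $myicinga2apiuser = hiera('icinga2::object::apiuser', {})
  create_resources('icinga2::object::apiuser', $myicinga2apiuser)

  # Create Icinga servicegroups from Hiera
  $myicinga2servicegroup = hiera('icinga2::object::servicegroup', {})
  create_resources('icinga2::object::servicegroup', $myicinga2servicegroup)

  contain profile::icinga2::notifications
  contain profile::icinga2::templates
  contain profile::icinga2::checkcommands
  contain profile::icinga2::plugins

  # NOTE(review): no `source` is set, so the API port accepts connections from
  # any address; restricting it to the satellite and agent networks would
  # reduce exposure.
  firewall { '201 allow Icinga2 connections':
    dport  => [5665],
    proto  => 'tcp',
    action => 'accept',
  }
}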
# This is for master01
# file hieradata/node/mon-01.example.com.eyaml
# also encrypted
# Contains hosts which we don't want or have in PuppetDB / Director
# Mostly switches / routers
# Nesting below is restored from the key order; the listing had lost its
# indentation. The second `address` key is assumed to belong to `vars`.
---
---
icinga2::object::host:
  hp-switch-stack:
    import:
      - 'generic-host'
      - 'SNMPv3 host'
    target: '/etc/icinga2/zones.d/master/hp-switch-stack.example.com.conf'
    display_name: 'hp-switch-stack.example.com'
    address: '192.168.1.200'
    notes: 'HP Office Stackswitch'
    check_command: 'hostalive'
    vars:
      os: 'None'
      domain: 'example.com'
      hostname: 'hp-switch-stack'
      address: 'hp-switch-stack.example.com'
      mem: 'snmp'
      load: 'snmp'
      uptime: 'snmp'
      interfaces:
        "1/3":
          description: "1/3"
        "1/9":
          description: "1/9"
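# hieradata/role/mon.yaml
# Hiera values for Monitoring masters
# This file contains:
# * Basics
# * Endpoints
# * Zones
# Nesting below is restored from the key order; the listing had lost its
# indentation.
---
# Basics
classes:
  - base::light
  - profile::icinga2::master
  - profile::webserver::apache2
  - profile::webserver::apache2_php
  - profile::webserver::apache2_cgi
  - profile::icinga2::icingaweb2
############# Icinga2 settings #############
icinga2::features:
  - 'notification'
  - 'checker'
  - 'mainlog'
  - 'statusdata'
  - 'command'
  - 'influxdb'
# icinga2::manage_database: true
icinga2::restart_cmd: 'service icinga2 reload'
icinga2::plugins:
  - 'nscp'
  - 'plugins'
  - 'plugins-contrib'
  - 'windows-plugins'
  - 'manubulon'
icinga2::feature::influxdb::host: "%{hiera('monitoring::influxdb::ip')}"
icinga2::feature::influxdb::username: "%{hiera('monitoring::icinga::influxdb::user')}"
icinga2::feature::influxdb::password: "%{hiera('monitoring::icinga::influxdb::password')}"
icinga2::feature::influxdb::enable_ssl: true
icinga2::feature::influxdb::enable_send_thresholds: true
icinga2::feature::influxdb::enable_send_metadata: true
icinga2::feature::api::endpoints:
  # Master1
  'mon-01.example.com':
    host: 192.168.1.13
  # Master2, disabled for the moment
  #'mon-02.inatec.com':
  # host: 192.168.1.44
  ### DC1 ###
  'dc1-srv-monproxy.example.com':
    host: 172.1.2.3
  ### DC2 ###
  'dc2-srv-monproxy.example.com':
    host: 172.2.2.3
icinga2::feature::api::zones:
  master:
    endpoints:
      - 'mon-01.example.com'
      # - 'mon-02.example.com'
  ##### DC1 #####
  dc1:
    endpoints:
      - 'dc1-srv-monproxy.example.com'
    parent: 'master'
  ##### DC2 #####
  dc2:
    endpoints:
      - 'dc2-srv-monproxy.example.com'
    parent: 'master'
# NOTE(review): with pki 'none' the certificate and key files are presumably
# managed outside the icinga2 module; confirm how they are issued and rotated
# on the master.
icinga2::feature::api::pki: 'none'
icinga2::feature::influxdb::host_tags:
  fqdn: '$host.name$'
  zone: '$host.zone$'
  hostname: '$host.vars.hostname$'
  domain: '$host.vars.domain$'
  role: '$host.vars.role$'
icinga2::feature::influxdb::service_tags:
  fqdn: "$host.name$"
  hostname: '$host.vars.hostname$'
  domain: "$host.vars.domain$"
  service: "$service.name$"
  instance: "$service.vars.instance$"
  zone: "$host.zone$"
  role: '$host.vars.role$'
############# Icinga2 API User #############
# NOTE(review): '*' gives the Director account the complete API; scope it to
# what the Director needs if the deployment allows.
icinga2::object::apiuser:
  'icingaweb2_director':
    target: '/etc/icinga2/conf.d/api-user.conf'
    apiuser_name: 'icingaweb2_director'
    password: "%{hiera('monitoring::icinga::api::director::password')}"
    permissions:
      - '*'
# Custom variables matching these patterns are masked in the web UI.
icingaweb2::module::monitoring::protected_customvars: '*pw*,*pass*,community,*key*,*priv*,*password*'
icingaweb2::module::director::db_name: "%{hiera('monitoring::icingaweb2_director::mysql_db')}"
icingaweb2::module::director::db_username: "%{hiera('monitoring::icingaweb2_director::mysql_user')}"
icingaweb2::module::director::db_password: "%{hiera('monitoring::icingaweb2_director::mysql_password')}"
icingaweb2::module::director::db_host: "%{hiera('monitoring::mysql::ipaddress')}"
icingaweb2::module::director::db_port: 3306
icingaweb2::config::resource:
  'icingaweb2_director_db':
    type: 'db'
    db_type: 'mysql'
    # db_name was listed twice with the same value; one entry is kept.
    db_name: "%{hiera('monitoring::icingaweb2_director::mysql_db')}"
    host: "%{hiera('monitoring::mysql::ipaddress')}"
    port: 3306
    db_charset: "utf8"
    db_username: "%{hiera('monitoring::icingaweb2_director::mysql_user')}"
    db_password: "%{hiera('monitoring::icingaweb2_director::mysql_password')}"
  # NOTE(review): 3268 is the Active Directory global catalog port without
  # TLS, and no encryption setting is visible for this resource, so the bind
  # password may cross the network in clear text. Check whether StartTLS or
  # the TLS variant of the port (3269) is configured.
  'exampleAD':
    type: 'ldap'
    host: "%{hiera('monitoring::ldap::server')}"
    port: 3268
    ldap_bind_dn: "%{hiera('monitoring::ldap::username')}"
    ldap_bind_pw: "%{hiera('monitoring::ldap::password')}"
    ldap_root_dn: "%{hiera('monitoring::ldap::base_dn')}"
############# Icingaweb2 settings #############
icingaweb2::db: 'mysql'
icingaweb2::db_name: "%{hiera('monitoring::icingaweb2::mysql_db')}"
icingaweb2::db_user: "%{hiera('monitoring::icingaweb2::mysql_user')}"
icingaweb2::db_password: "%{hiera('monitoring::icingaweb2::mysql_password')}"
icingaweb2::db_host: "%{hiera('monitoring::mysql::ipaddress')}"
icingaweb2::config::authmethod:
  'mysql':
    backend: 'db'
    resource: 'icingaweb2_director_db'
    order: '01'
  'inatecAD_LDAP':
    backend: 'msldap'
    # `resource` was listed twice ('inatecAD', then 'exampleAD'). Only the
    # later value takes effect and it matches the resource defined above, so
    # the earlier entry is dropped.
    ldap_filter: '!(objectClass=computer)'
    ldap_user_class: 'user'
    resource: 'exampleAD'
    ldap_user_name_attribute: "sAMAccountName"
    order: '02'
icingaweb2::config::role:
  'Administrators':
    groups: 'Gruppe_Icinga_admins'
    permissions: '*'
  # NOTE(review): 'monitoring/commands/schedule-check' uses the plural
  # 'commands', unlike every other entry, and remove-acknowledgement appears
  # twice; verify the list against the permissions the role should grant.
  'Members':
    groups: 'Gruppe_Icinga_users'
    permissions: 'module/doc, module/monitoring, dashboards, monitoring/commands/schedule-check, monitoring/command/acknowledge-problem, monitoring/command/remove-acknowledgement, monitoring/command/remove-acknowledgement, monitoring/command/downtime/*, monitoring/command/comment/*, monitoring/command/comment/add, monitoring/command/comment/delete'
  # NOTE(review): permissions '*' is not limited by the object filter below;
  # the filter only narrows which monitoring objects are visible. If this role
  # is meant to be a restricted one, list the needed permissions explicitly.
  'Windows Admins':
    permissions: '*'
    users: 'foobar'
    filters:
      'monitoring/filter/objects': '(hostgroup_name=Windows Hosts|hostgroup_name=Zypern|hostgroup_name=Office FFM Hosts|hostgroup_name=Vmware Cluster|hostgroup_name=IBM Storage|host_name=lancom|host_name=hp-switch-stack)|(host_name=mon-01.inatec.com&service_description=email)'
# ... Apache settings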
# Shared defaults for the icinga2 profiles.
#
# $manage_repo is the default for the manage_repo parameter of
# profile::icinga2::agent and profile::icinga2::repo. With false,
# profile::icinga2::repo adds our own apt source.
class profile::icinga2::params {
  $manage_repo = false
}
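# Installs the Icinga monitoring plugins, their package dependencies and the
# credential files some checks need.
#
# Linux nodes whose role is not 'mon' get the agent plugin set; the 'mon' role
# gets the master plugin set from the case statement at the end.
#
# Files holding secrets are declared with `show_diff => false` so that a
# content change does not print the secret into agent logs and reports.
class profile::icinga2::plugins (
){

  # NOTE(review): the sudoers template is not part of this listing. It should
  # grant nagios only the exact plugin paths it needs, and those paths must
  # stay owned by root and not writable by nagios.
  sudo::conf { 'nagios':
    priority => 10,
    content  => template('base/sudoers_nagios.erb'),
  }

  if ($::kernel == 'linux') and ($::role != 'mon') {
    $linuxdeps = [
      'monitoring-plugins-standard',
      'nagios-plugins-contrib',
      'libmonitoring-plugin-perl',
      'libcrypt-des-perl',
    ]

    package { $linuxdeps:
      install_options => ['--no-install-recommends'],
    }

    if 'ceph' in $::role {
      $cephdeps = [
        'nagios-plugins-ceph',
      ]

      # NOTE(review): the MongoDB and NSLAN blocks sit inside the ceph branch,
      # so they only apply when the role also contains 'ceph'. That looks
      # unintended; confirm before moving them out.

      # For MongoDB
      if 'mongodb' in $::role {
        package { 'python-pymongo':
          ensure          => installed,
          install_options => ['--no-install-recommends'],
        }
      }

      # For NSLAN -> required for quagga check
      if 'nslan' in $::role {
        package { 'libnet-telnet-perl':
          ensure          => installed,
          install_options => ['--no-install-recommends'],
        }
      }

      # Needed: ceph.conf group is www-data on Proxmox ceph mon node.
      user { 'nagios': groups => 'www-data' }

      package { $cephdeps:
        install_options => ['--no-install-recommends'],
      }

      # Key on ceph generated with: ceph auth get-or-create client.nagios mon 'allow r' > client.nagios.keyring
      $ceph_nagios_key = Sensitive(hiera('ceph_nagios_keyring'))

      # Readable by root and the nagios group only.
      file { '/etc/icinga2/secrets/client.nagios.keyring':
        ensure    => file,
        mode      => '0640',
        owner     => 'root',
        group     => 'nagios',
        show_diff => false,
        content   => "[client.nagios]\n\tkey = ${ceph_nagios_key.unwrap}\n",
        require   => File['/etc/icinga2/secrets'],
      }
    }

    file { '/etc/icinga2/secrets':
      ensure  => directory,
      mode    => '0750',
      owner   => 'root',
      group   => 'nagios',
      require => Package['icinga2'],
    }

    # Third-party plugins are distributed from the Puppet file server and
    # owned by root, so the nagios user cannot modify what it executes.
    file { '/usr/lib/nagios/plugins/3dparty':
      ensure    => directory,
      mode      => '0755',
      owner     => 'root',
      group     => 'root',
      force     => true,
      show_diff => false,
      source    => [
        'puppet:///modules/icinga_checks/plugins_agent',
      ],
      recurse   => true,
      require   => Package['monitoring-plugins-standard'],
    }

    # Workarounds for some checks that are not packaged but live in 3dparty/
    file { '/usr/lib/nagios/plugins/check_iostat':
      ensure  => link,
      target  => '/usr/lib/nagios/plugins/3dparty/check_iostat',
      require => File['/usr/lib/nagios/plugins/3dparty'],
    }

    file { '/usr/lib/nagios/plugins/check_mem.pl':
      ensure  => link,
      target  => '/usr/lib/nagios/plugins/3dparty/check_mem',
      require => File['/usr/lib/nagios/plugins/3dparty'],
    }

    file { '/usr/lib/nagios/plugins/check_iostats':
      ensure  => link,
      target  => '/usr/lib/nagios/plugins/3dparty/check_iostats',
      require => File['/usr/lib/nagios/plugins/3dparty'],
    }

    file { '/usr/lib/nagios/plugins/check_mysql_health':
      ensure  => link,
      target  => '/usr/lib/nagios/plugins/3dparty/mysql/check_mysql_health.pl',
      require => File['/usr/lib/nagios/plugins/3dparty'],
    }

    file { '/usr/lib/nagios/plugins/check_nginx_status.pl':
      ensure  => link,
      target  => '/usr/lib/nagios/plugins/3dparty/check_nginx_status.pl',
      require => File['/usr/lib/nagios/plugins/3dparty'],
    }

    # Install perl modules for the web server checks
    if ('nginx' in $::puppet_classes) or
      ('apache' in $::puppet_classes) {
      $webdeps = [
        'libwww-perl',
      ]

      package { $webdeps:
        ensure          => installed,
        install_options => ['--no-install-recommends'],
      }
    }
  }

  # Install IPMI tools for physical hosts
  unless ( $facts['is_virtual'] == true ) {
    $hwdeps = [ 'libipc-run-perl', 'freeipmi-tools', 'libconfig-json-perl' ]

    package { $hwdeps:
      ensure          => installed,
      install_options => ['--no-install-recommends'],
    }
  }

  case $::role {
    'mon': {
      $mondeps = [
        'libnet-snmp-perl',
        'libcrypt-hcesha-perl',
        'libcrypt-des-perl',
        'libdigest-hmac-perl',
        'libcrypt-rijndael-perl',
        'libxml-simple-perl',
        'libconfig-json-perl',
        'libredis-perl',
        'nagios-snmp-plugins',
        'libhttp-date-perl',
        'liburi-perl',
        'libxml-libxml-perl',
        'libtest-lwp-useragent-perl',
        'libtime-duration-perl',
        'libcrypt-ssleay-perl',
        'openjdk-8-jre-headless',
        'liblist-compare-perl',
      ]

      package { $mondeps:
        install_options => ['--no-install-recommends'],
      }

      file { '/usr/lib/nagios/plugins/3dparty':
        ensure    => directory,
        mode      => '0755',
        owner     => 'root',
        group     => 'root',
        show_diff => false,
        source    => [
          'puppet:///modules/icinga_checks/plugins',
        ],
        recurse   => true,
      }

      file { '/etc/icinga2/secrets':
        ensure => directory,
        mode   => '0750',
        owner  => 'root',
        group  => 'nagios',
      }

      $vmware_host_root_password = Sensitive(hiera('monitoring::vmware::host::root::password'))
      $vmware_dc_user_password   = Sensitive(hiera('monitoring::vmware::dc::user::password'))

      # NOTE(review): the ESX host checks authenticate as root. A dedicated
      # read-only account on the hosts would limit what this file gives away
      # if the monitoring server is compromised.
      file { '/etc/icinga2/secrets/vmware_host_auth_file':
        ensure    => file,
        mode      => '0640',
        owner     => 'root',
        group     => 'nagios',
        show_diff => false,
        content   => "username=root\npassword=${vmware_host_root_password.unwrap}",
        require   => File['/etc/icinga2/secrets'],
      }

      file { '/etc/icinga2/secrets/vmware_dc_auth_file':
        ensure    => file,
        mode      => '0640',
        owner     => 'root',
        group     => 'nagios',
        show_diff => false,
        content   => "username=netzinatec.local\\icinga\npassword=${vmware_dc_user_password.unwrap}",
        require   => File['/etc/icinga2/secrets'],
      }

      file { '/usr/local/lib/site_perl':
        ensure => directory,
        mode   => '0755',
        owner  => 'root',
        group  => 'root',
      }

      file { '/usr/lib/nagios/plugins/contrib':
        ensure => directory,
        mode   => '0755',
        owner  => 'root',
        group  => 'root',
      }

      file { '/usr/local/lib/site_perl/VMware':
        ensure  => directory,
        mode    => '0755',
        owner   => 'root',
        group   => 'root',
        recurse => true,
        require => File['/usr/local/lib/site_perl'],
        source  => [
          'puppet:///modules/icinga_checks/vmware_perl_env',
        ],
      }

      file { '/usr/lib/nagios/plugins/check_vmware_esx':
        ensure  => link,
        target  => '/usr/lib/nagios/plugins/3dparty/check_vmware/check_vmware_esx.pl',
        require => File['/usr/lib/nagios/plugins/3dparty'],
      }

      # NOTE(review): mode 4755 makes both binaries setuid root and executable
      # by every local user. If they only need raw sockets, a cap_net_raw file
      # capability or mode 4750 with group nagios would be tighter.
      file { '/usr/lib/nagios/plugins/check_icmp':
        ensure => file,
        mode   => '4755',
        owner  => 'root',
        group  => 'root',
      }

      file { '/usr/lib/nagios/plugins/check_ping':
        ensure => file,
        mode   => '4755',
        owner  => 'root',
        group  => 'root',
      }

      # Workarounds for some checks that are not packaged but live in 3dparty/
      file { '/usr/lib/nagios/plugins/check_mem.pl':
        ensure  => link,
        target  => '/usr/lib/nagios/plugins/3dparty/check_mem',
        require => File['/usr/lib/nagios/plugins/3dparty'],
      }

      file { '/usr/lib/nagios/plugins/check_iostat':
        ensure  => link,
        target  => '/usr/lib/nagios/plugins/3dparty/check_iostat',
        require => File['/usr/lib/nagios/plugins/3dparty'],
      }

      file { '/usr/lib/nagios/plugins/check_iostats':
        ensure  => link,
        target  => '/usr/lib/nagios/plugins/3dparty/check_iostats',
        require => File['/usr/lib/nagios/plugins/3dparty'],
      }
    }
    default: { }
  }
}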
# Adds our own apt source for Icinga packages when the official repository is
# not managed.
#
# @param manage_repo
#   When false (the default from profile::icinga2::params), the apt source for
#   the running Debian release is added. When true, nothing is declared here.
class profile::icinga2::repo(
  Boolean $manage_repo = $profile::icinga2::params::manage_repo,
) inherits ::profile::icinga2::params {

  # Additional sources
  unless $manage_repo {
    # Only jessie and stretch have a source; any other release gets none.
    $release = $::lsbdistcodename ? {
      'jessie'  => 'icinga-jessie',
      'stretch' => 'icinga-stretch',
      default   => undef,
    }

    if $release {
      # NOTE(review): both the repository and the key file are fetched over
      # plain http. The key is pinned by its full fingerprint in `id`, which
      # guards against a swapped key, but https for both URLs would also
      # protect the transport.
      apt::source { $release:
        location => 'http://repos.example.com/',
        release  => $release,
        repos    => 'main',
        pin      => '900',
        include  => { 'src' => false },
        key      => {
          id     => 'C60EEFE0FCAF6D1E9C5173CEF5B67639973ED6D5',
          source => 'http://repos.example.com/release.pub',
        },
      }
    }
  }
}
# Host and service templates that other objects import, shipped below the
# global-templates zone directory.
class profile::icinga2::templates {
  $global_templates = '/etc/icinga2/zones.d/global-templates'
  $templates        = "${global_templates}/templates.d"

  # NOTE(review): `purge => true` and `force => true` are set without
  # `recurse => true`; verify whether unmanaged files are meant to be removed.
  file { $templates:
    ensure => directory,
    owner  => 'nagios',
    group  => 'nagios',
    mode   => '0750',
    purge  => true,
    force  => true,
  }

  # Both template files share owner, group and tag; no mode is set on them.
  file {
    default:
      ensure => file,
      owner  => 'nagios',
      group  => 'nagios',
      tag    => 'icinga2::config::file';

    "${templates}/host-templates.conf":
      source => 'puppet:///modules/icinga_checks/templates/host-templates.conf';

    "${templates}/service-templates.conf":
      source => 'puppet:///modules/icinga_checks/templates/service-templates.conf';
  }

  # Directory first, then host templates, then service templates.
  File[$templates]
  -> File["${templates}/host-templates.conf"]
  -> File["${templates}/service-templates.conf"]
}