diff --git a/.travis.yml b/.travis.yml index 3332e8f..0ca7101 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,7 @@ --- -sudo: True +sudo: required +dist: trusty language: 'python' python: '2.7' diff --git a/README.md b/README.md index 02c9893..8041ffb 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ This role installs and manages [Check_MK](http://mathias-kettner.com/check_mk.ht ### Installation -This role requires at least Ansible `v2.1.5`. To install it, run: +This role requires at least Ansible `v2.3.0`. To install it, run: ```Shell ansible-galaxy install debops-contrib.checkmk_server diff --git a/defaults/main.yml b/defaults/main.yml index 43ed018..f87d604 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,10 +19,11 @@ checkmk_server__version: '1.2.8p21' # ]]] -# .. envvar:: checkmk_server__version_label [[[ +# .. envvar:: checkmk_server__version_suffix [[[ # -# Check_MK version label used with the :command:`omd` tool. -checkmk_server__version_label: '{{ checkmk_server__version }}.cre' +# Check_MK version suffix to :envvar:`checkmk_server__version` used with the +# :command:`omd` tool. +checkmk_server__version_suffix: '.cre' # ]]] # .. envvar:: checkmk_server__site_update [[[ 
@@ -37,67 +38,18 @@ checkmk_server__site_update: False # Custom patches to apply after installing Check_MK package checkmk_server__patches: - patch: 'check-mk-raw-1.2.8-set-https-proxy-header.patch' - file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/apache-own.conf' + file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}/skel/etc/apache/apache-own.conf' - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch' - file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/conf.d/omd.conf' - - # ]]] -# .. envvar:: checkmk_server__ferm_dependent_rules [[[ -# -# Firewall configuration using the debops.ferm_ Ansible role. -checkmk_server__ferm_dependent_rules: '{{ - checkmk_server__ferm_web_rules + - (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else []) - }}' - # ]]] - -# .. envvar:: checkmk_server__ferm_web_rules [[[ -# -# Firewall configuration for WATO Web access. -checkmk_server__ferm_web_rules: - - type: 'accept' - dport: '{{ [ "http", "https" ] if checkmk_server__pki else [ "http" ] }}' - saddr: '{{ checkmk_server__web_allow }}' - accept_any: True - weight: '40' - role: 'checkmk_server' - - # ]]] -# .. envvar:: checkmk_server__ferm_livestatus_rules [[[ -# -# Firewall configuration for Multisite Livestatus access. -checkmk_server__ferm_livestatus_rules: - - type: 'accept' - dport: [ '{{ checkmk_server__livestatus_port|string }}' ] - saddr: '{{ checkmk_server__livestatus_allow }}' - accept_any: True - weight: '40' - role: 'checkmk_server' - - # ]]] -# .. envvar:: checkmk_server__web_allow [[[ -# -# List of IP addresses or network CIDR ranges allowed to connect to the -# Check_MK Web interface. If list is empty, anyone can connect. -checkmk_server__web_allow: [] + file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}/skel/etc/apache/conf.d/omd.conf' # ]]] # .. 
envvar:: checkmk_server__livestatus_allow [[[ # # List of IP addresses or network CIDR ranges allowed to connect to the -# Check_MK Livestatus TCP socket. If list is empty, anyone can connect. +# Check_MK Livestatus TCP socket of every site running on this host. By default +# only the master of each site is allowed to connect. checkmk_server__livestatus_allow: [] - # ]]] -# .. envvar:: checkmk_server__etc_services__dependent_list [[[ -# -# Add entry for Livestatus to :file:`/etc/services` using the -# ``debops.etc_services`` role. -checkmk_server__etc_services__dependent_list: - - name: 'check-mk-livestatus' - port: '{{ checkmk_server__livestatus_port }}' - comment: 'Check_MK server Livestatus' - # ]]] # .. envvar:: checkmk_server__livestatus_port [[[ # @@ -138,22 +90,20 @@ checkmk_server__prerequisite_packages: [ 'apache2', 'python-passlib' ] checkmk_server__site: 'debops' # ]]] -# .. envvar:: checkmk_server__hostname [[[ +# .. envvar:: checkmk_server__fqdn [[[ # # Set Check_MK server DNS hostname (e. g. for agent download, API calls, ...). -# FIXME: Rename to checkmk_server__fqdn. -checkmk_server__hostname: '{{ ansible_local.core.fqdn - if (ansible_local|d() and ansible_local.core|d() and - ansible_local.core.fqdn|d()) - else ansible_fqdn }}' +checkmk_server__fqdn: '{{ ansible_local.core.fqdn + if (ansible_local|d() and ansible_local.core|d() and + ansible_local.core.fqdn|d()) + else ansible_fqdn }}' # ]]] # .. envvar:: checkmk_server__site_url [[[ # # Check_MK server site URL. checkmk_server__site_url: '{{ ("https://" if checkmk_server__pki else "http://") + - checkmk_server__hostname + "/" + - checkmk_server__site + checkmk_server__fqdn + "/" + checkmk_server__site if checkmk_server__site|d() else "" }}' # ]]] 
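Review bot: The new comment on `checkmk_server__livestatus_allow` says that by default only the master of each site may connect, but the value stays `[]`, which the previous comment documented as "anyone can connect"; the variable itself does not express a master-only default. That restriction is presumably produced elsewhere now that `checkmk_server__ferm__dependent_rules` is read back from local facts, so the comment should say where the master address comes from, e.g. `# The master of each site is added by the role when the rules are generated; list only additional hosts here.`. If the generated rules do not in fact add the master, the empty default is an open Livestatus port and must be documented as such instead.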
@@ -171,11 +121,10 @@ checkmk_server__webapi_url: '{{ checkmk_server__site_url + "/check_mk/webapi.py" # :ref:`checkmk_server__ref_omd_config` for more details. checkmk_server__omd_config: '{{ checkmk_server__omd_config_email + - checkmk_server__omd_config_core + - (checkmk_server__omd_config_livestatus if checkmk_server__multisite_livestatus|d() else []) + checkmk_server__omd_config_core }}' - # ]]] + # ]]] # .. envvar:: checkmk_server__omd_config_email [[[ # # Administrator email address set via OMD. @@ -191,16 +140,6 @@ checkmk_server__omd_config_core: - var: 'CORE' value: 'icinga' - # ]]] -# .. envvar:: checkmk_server__omd_config_livestatus [[[ -# -# Livestatus service configuration via OMD. -checkmk_server__omd_config_livestatus: - - var: 'LIVESTATUS_TCP' - value: 'on' - - var: 'LIVESTATUS_TCP_PORT' - value: '{{ checkmk_server__livestatus_port }}' - # ]]] # .. envvar:: checkmk_server__sshkeys [[[ # @@ -235,20 +174,6 @@ checkmk_server__ssh_arguments: '-o BatchMode=yes -o StrictHostKeyChecking=no -o # Multisite Web Configuration [[[ # ------------------------------- -# .. envvar:: checkmk_server__multisite_slave [[[ -# -# Indicate if this site is a distributed monitoring slave which receives the -# Check_MK configuration from another Check_MK server instance. -checkmk_server__multisite_slave: False - - # ]]] -# .. envvar:: checkmk_server__multisite_livestatus [[[ -# -# Enable multisite Livestatus service. This is required for distributed -# monitoring of this site. -checkmk_server__multisite_livestatus: '{{ True if checkmk_server__multisite_slave|d() else False }}' - - # ]]] # .. envvar:: checkmk_server__multisite_config_path [[[ # # Configuration path for Check_MK multisite configurations. Relative to the 
@@ -392,11 +317,11 @@ checkmk_server__multisite_users: '{{ checkmk_server__multisite_debops_users | checkmk_server__multisite_debops_users: ansible: alias: 'Automation User used by Ansible' - automation_secret: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/ansible/secret") }}' + automation_secret: '{{ lookup("password", secret + "/credentials/" + inventory_hostname + "/checkmk_server/" + checkmk_server__site + "/ansible/secret") }}' roles: [ 'api' ] sitesync: alias: 'Synchronization User for Multisite' - password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' + password: '{{ lookup("password", secret + "/credentials/" + inventory_hostname + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' roles: [ 'admin' ] # ]]] 
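Review bot: Switching the `lookup("password")` path from `ansible_fqdn` to `inventory_hostname` means that on an already deployed host the lookup finds no file at the new path and generates a fresh `automation_secret` and `sitesync` password, while Check_MK still holds the ones set from the old path; the `ansible` API user and the synchronization user then fail to authenticate until the operator moves the files. Worth a changelog entry and a migration hint in the docs, e.g. `Move secret/credentials/<fqdn>/checkmk_server/ to secret/credentials/<inventory_hostname>/checkmk_server/ before running the updated role` (placeholders for the two host names). The commented-out `#password:` line in `checkmk_server__distributed_sites_defaults` further down still uses `ansible_fqdn` and should be removed or updated so the two do not drift.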
@@ -450,32 +375,35 @@ checkmk_server__multisite_user_connection_defaults: # # Distributed monitoring sites configuration. For more details see # :ref:`checkmk_server__ref_distributed_sites` -checkmk_server__distributed_sites: {} +checkmk_server__distributed_sites: [] +# name: site_name +# inventory_host: slavehost +# tls + + # ]]] +# .. envvar:: checkmk_server__sites [[[ +# +# List of expanded sites configuration used for distributed sites setup. +checkmk_server__sites: '{{ lookup("template", "lookup/checkmk_server__sites.j2", convert_data=False) | from_yaml }}' # ]]] # .. envvar:: checkmk_server__distributed_sites_defaults [[[ # # Default sites properties for distributed monitoring. checkmk_server__distributed_sites_defaults: - username: 'sitesync' - password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' - disabled: False - disable_wato: True - insecure: False - multisiteurl: '' - persist: False - replicate_ec: False - replicate_mkps: True - replication: '' - status_host: None - timeout: 10 - url_prefix: '' - user_login: True - # ]]] - # ]]] -# Monitoring Rules [[[ -# -------------------- + multisite_username: 'sitesync' + #password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' + multisite_disable_wato: True + multisite_insecure: False + multisite_persist: False + multisite_replicate_ec: False + multisite_replicate_mkps: True + multisite_replication: 'slave' + multisite_status_host: None + multisite_timeout: 10 + multisite_user_login: True + # ]]] # .. envvar:: checkmk_server__site_config_path [[[ # # Configuration path for Check_MK main configurations. Relative to the site's 
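Review bot: `checkmk_server__distributed_sites` changes type from a mapping (`{}`) to a list (`[]`) with no compatibility handling, so inventories that still define it as a mapping will now be handed to `lookup/checkmk_server__sites.j2` in a shape it presumably does not expect; the referenced `checkmk_server__ref_distributed_sites` documentation should describe the new list form and the change belongs in the changelog. The commented example below it is incomplete: `# tls` has no value and the key is explained nowhere, so either complete it (`# tls: True` if it is a boolean, which I infer from the name only) or drop the stub. The `#password:` line in `checkmk_server__distributed_sites_defaults` is dead code that still references `ansible_fqdn`, which the rest of this commit replaces with `inventory_hostname`; remove it rather than carry a stale lookup path.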
@@ -632,63 +560,62 @@ checkmk_server__site_cfg_netif_description: checkmk_server__site_packages: [] # ]]] # ]]] -# PKI Configuration [[[ -# --------------------- - -# .. envvar:: checkmk_server__pki [[[ -# -# Enable or disable support for HTTPS in Check_MK server (using -# debops.pki_). -checkmk_server__pki: '{{ (True - if (ansible_local|d() and ansible_local.pki|d() and - ansible_local.pki.enabled|d() | bool) - else False) | bool }}' - - # ]]] -# .. envvar:: checkmk_server__pki_path [[[ -# -# Base path for PKI directory. -checkmk_server__pki_path: '{{ ansible_local.pki.path - if (ansible_local|d() and ansible_local.pki|d() and - ansible_local.pki.path|d()) - else "/etc/pki/realms" }}' +# Configuration for other Ansible roles [[[ +# ----------------------------------------- - # ]]] -# .. envvar:: checkmk_server__pki_realm [[[ +# .. envvar:: checkmk_server__apache__dependent_vhosts [[[ # -# Default PKI realm used by Check_MK server. -checkmk_server__pki_realm: '{{ ansible_local.pki.realm - if (ansible_local|d() and ansible_local.pki|d() and - ansible_local.pki.realm|d()) - else "domain" }}' +# Configuration for the debops.apache_ Ansible role. By default it will create +# a dedicated Apache virtual host which includes the reverse proxy +# configuration files provided by the `check-mk-raw` upstream package. +checkmk_server__apache__dependent_vhosts: + - name: '{{ checkmk_server__fqdn }}' + include: [ '/omd/apache/*.conf' ] + by_role: 'debops-contrib.checkmk_server' # ]]] -# .. envvar:: checkmk_server__pki_ca [[[ +# .. envvar:: checkmk_server__apache__dependent_snippets [[[ # -# Root CA certificate, relative to :envvar:`checkmk_server__pki_realm`. -checkmk_server__pki_ca: 'CA.crt' +# Configuration for the debops.apache_ Ansible role. By default it will disable +# The Apache configuration snippet which is installed by the `check-mk-raw` +# upstream package. +checkmk_server__apache__dependent_snippets: + 'zzz_omd': + enabled: False + type: 'dont-create' # ]]] -# .. 
envvar:: checkmk_server__pki_crt [[[ +# .. envvar:: checkmk_server__etc_services__dependent_list [[[ # -# Host certificate, relative to :envvar:`checkmk_server__pki_realm`. -checkmk_server__pki_crt: 'default.crt' +# Configuration for the debops.etc_services_ Ansible role. If this is a slave +# server this might be generated by the master site, therefore read it +# from the Ansible facts by default. +checkmk_server__etc_services__dependent_list: '{{ (ansible_local.checkmk_server.values() + | map(attribute="dependent_vars.etc_services__dependent_list") + | list) + if ansible_local.checkmk_server|d() else [] }}' # ]]] -# .. envvar:: checkmk_server__pki_key [[[ +# .. envvar:: checkmk_server__ferm__dependent_rules [[[ # -# Host private key, relative to :envvar:`checkmk_server__pki_realm`. -checkmk_server__pki_key: 'default.key' +# Configuration for the debops.ferm_ Ansible role. If this is a slave +# server this might be generated by the master site, therefore read it +# from the Ansible facts by default. +checkmk_server__ferm__dependent_rules: '{{ (ansible_local.checkmk_server.values() + | map(attribute="dependent_vars.ferm__dependent_rules") + | list) + if ansible_local.checkmk_server|d() else [] }}' # ]]] -# .. envvar:: checkmk_server__tls_options [[[ +# .. envvar:: checkmk_server__users__dependent_accounts [[[ # -# Additional Apache mod_ssl options. Valid configuration keys: -# ``SSLCipherSuite``, ``SSLHonorCipherOrder``, ``SSLProtocols``, -# ``SSLStrictSNIVHostCheck`` -checkmk_server__tls_options: - SSLHonorCipherOrder: 'On' - SSLCipherSuite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' +# Configuration for the debops.users_ Ansible role. If this is a slave +# server this might be generated by the master site, therefore read it +# from the Ansible facts by default. 
+checkmk_server__users__dependent_accounts: '{{ (ansible_local.checkmk_server.values() + | map(attribute="dependent_vars.users__dependent_accounts") + | list) + if ansible_local.checkmk_server|d() else [] }}' # ]]] # ]]] # ]]] diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml index e169df7..2a5d45a 100644 --- a/docs/playbooks/checkmk_server.yml +++ b/docs/playbooks/checkmk_server.yml @@ -6,16 +6,30 @@ roles: + - role: debops.apache/env + tags: [ 'role::apache', 'role::apache:env' ] + + - role: debops-contrib.checkmk_server/env + tags: [ 'role::checkmk_server', 'role::checkmk_server:env' ] + - role: debops.etc_services tags: [ 'role::etc_services' ] - etc_services__dependent_list: - - '{{ checkmk_server__etc_services__dependent_list }}' - when: checkmk_server__multisite_livestatus|d() + etc_services__dependent_list: '{{ checkmk_server__etc_services__dependent_list }}' - role: debops.ferm tags: [ 'role::ferm' ] ferm__dependent_rules: - - '{{ checkmk_server__ferm_dependent_rules }}' + - '{{ apache__ferm__dependent_rules }}' + - '{{ checkmk_server__ferm__dependent_rules }}' + + - role: debops.apache + tags: [ 'role::apache' ] + apache__dependent_snippets: '{{ checkmk_server__apache__dependent_snippets }}' + apache__dependent_vhosts: '{{ checkmk_server__apache__dependent_vhosts }}' + + - role: debops.users + tags: [ 'role::users' ] + users__dependent_accounts: '{{ checkmk_server__users__dependent_accounts }}' - role: debops-contrib.checkmk_server tags: [ 'role::checkmk_server' ] diff --git a/env/defaults b/env/defaults new file mode 120000 index 0000000..37aebd7 --- /dev/null +++ b/env/defaults @@ -0,0 +1 @@ +../defaults \ No newline at end of file 
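Review bot: The three fact-derived defaults in this hunk (`checkmk_server__etc_services__dependent_list`, `checkmk_server__ferm__dependent_rules`, `checkmk_server__users__dependent_accounts`) call `map(attribute="dependent_vars.…")` on every value of `ansible_local.checkmk_server`, so any entry without a `dependent_vars` key — most likely a fact file written by the previous version of this role, whose layout the old `tasks/main.yml` saved unconditionally — makes the expression fail while the variable is evaluated, before any task can rewrite the fact. Filtering first keeps an upgrade from a pre-existing fact from aborting the play, e.g. `'{{ (ansible_local.checkmk_server.values() | selectattr("dependent_vars", "defined") | map(attribute="dependent_vars.users__dependent_accounts") | list) if ansible_local.checkmk_server|d() else [] }}'`, and likewise for the other two. Note also that `.values()` yields one list per site, so the result is a list of lists that `docs/playbooks/checkmk_server.yml` passes straight to the dependent roles; if those roles expect a flat list, add `| flatten` (or document that the nested form is handled).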
diff --git a/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch b/env/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch similarity index 100% rename from files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch rename to env/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch diff --git a/files/check-mk-raw-1.2.8-set-https-proxy-header.patch b/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch similarity index 79% rename from files/check-mk-raw-1.2.8-set-https-proxy-header.patch rename to env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch index c7aaea0..3b3b78f 100644 --- a/files/check-mk-raw-1.2.8-set-https-proxy-header.patch +++ b/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch @@ -1,5 +1,5 @@ Author: Reto Gantenbein -Date: Tue Jun 21 06:51:23 2016 +0200 +Date: Tue May 8 17:57:28 2017 +0200 Set X-Forwarded headers when accessed via HTTPS @@ -14,15 +14,21 @@ Date: Tue Jun 21 06:51:23 2016 +0200 %{SERVER_PORT} in in the X-Forwarded-Port header failed because it seemed to be undefined "(null)". + v2: - Guard 'RequestHeader' statements with + to avoid errors if mod_headers + is not (yet) enabled + --- /omd/versions/default/skel/etc/apache/apache-own.conf.orig 2016-05-13 19:19:07.000000000 +0200 -+++ /omd/versions/default/skel/etc/apache/apache-own.conf 2016-06-21 06:50:03.169171120 +0200 -@@ -11,6 +11,10 @@ ++++ /omd/versions/default/skel/etc/apache/apache-own.conf 2017-05-08 17:56:25.342383031 +0200 +@@ -11,6 +11,12 @@ ProxyRequests Off ProxyPreserveHost On + # Indicate when the site was accessed via HTTPS ++ + RequestHeader set X-Forwarded-Proto https env=HTTPS + RequestHeader set X-Forwarded-Port 443 env=HTTPS ++ + # Include file created by 'omd config', which # sets the TCP port of the site local webserver 
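Review bot: The v2 guard described in the patch header stops Apache from failing when mod_headers is missing, but the failure becomes silent: without the module the `RequestHeader set X-Forwarded-Proto https` and `X-Forwarded-Port 443` lines are skipped, and the site webserver treats HTTPS requests as plain HTTP, so redirects and generated links can point to `http://`. Because this commit also drops the role's own `a2enmod headers` task from `tasks/main.yml`, the role now depends on debops.apache having the module enabled; I'd record that in the patch description, e.g. `v2: … mod_headers must be enabled by the Apache role; if it is not, the forwarding headers are silently omitted.`. The guard directive itself is not legible in this rendering, so I am going by the header text only.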
diff --git a/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch b/env/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch similarity index 100% rename from files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch rename to env/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch diff --git a/env/tasks/create_sites.yml b/env/tasks/create_sites.yml new file mode 100644 index 0000000..f81379f --- /dev/null +++ b/env/tasks/create_sites.yml @@ -0,0 +1,14 @@ +--- +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + +- name: Create Check_MK site + command: omd create '{{ site_item.name }}' + args: + creates: '{{ site_item.home }}/etc/omd/site.conf' + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/env/tasks/facts.yml b/env/tasks/facts.yml new file mode 100644 index 0000000..5c9225a --- /dev/null +++ b/env/tasks/facts.yml 
@@ -0,0 +1,34 @@ +--- +# +# Set site facts so that later tasks can depend on it +# +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + +- name: Persist site facts + block: + + - name: Make sure that local fact directory exists + file: + dest: '/etc/ansible/facts.d' + state: 'directory' + owner: 'root' + group: 'root' + mode: '0755' + + - name: Save Check_MK server local facts + template: + src: 'etc/ansible/facts.d/checkmk_server.fact.j2' + dest: '/etc/ansible/facts.d/checkmk_server.fact' + owner: 'root' + group: 'root' + mode: '0644' + register: checkmk_server__register_local_facts + + # Delegate entire block to corresponding host + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/env/tasks/main.yml b/env/tasks/main.yml new file mode 100644 index 0000000..c39abb3 --- /dev/null +++ b/env/tasks/main.yml 
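Review bot: `Save Check_MK server local facts` writes `/etc/ansible/facts.d/checkmk_server.fact` with `mode: '0644'`, and the new `checkmk_server__*__dependent_*` defaults read user accounts, firewall rules and service entries back from it, so whatever the template puts there is readable by every local user on the host. If `checkmk_server.fact.j2` carries any credential (the commented `password` lookup in the distributed-sites defaults suggests it might), use `mode: '0600'` here — facts are gathered with the privileges the play runs with — or keep secrets out of the fact and reference them by lookup instead. The `register: checkmk_server__register_local_facts` result is not consumed in this hunk; if nothing else reads it, drop it, otherwise say where it is used.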
@@ -0,0 +1,81 @@ +--- +- name: Check that involved distributed sites servers are play hosts + assert: + that: checkmk_server__sites | map(attribute="delegate_to") | list | issubset(play_hosts) + msg: 'Make sure that playbook is run on all servers included in distributed sites. Not doing so might result in wrong variable defaults.' + +- name: Install prerequisite packages + apt: + name: '{{ item }}' + state: present + with_items: '{{ checkmk_server__prerequisite_packages }}' + +- name: Check check-mk-raw package version + shell: dpkg-query -W -f='${Version}\n' check-mk-raw-{{ checkmk_server__version }} | cut -d- -f1 + register: checkmk_server__register_version + changed_when: False + failed_when: False + check_mode: no + +- name: Download Check_MK RAW package + get_url: + url: '{{ checkmk_server__raw_package }}' + dest: '/var/cache/apt/archives/{{ checkmk_server__raw_package | basename }}' + register: checkmk_server__register_download + when: (not checkmk_server__register_version.stdout) and + (checkmk_server__raw_package | match('^http')) + +- name: Install local Check_MK RAW package + apt: + deb: '{{ "/var/cache/apt/archives/" + (checkmk_server__raw_package | basename) + if (not checkmk_server__register_download | skipped) + else checkmk_server__raw_package }}' + state: present + register: checkmk_server__register_deb_install + when: (not checkmk_server__register_version.stdout) and + ((checkmk_server__raw_package | splitext)[1] == '.deb') + +- name: Install Check_MK RAW package from repository + apt: + name: '{{ checkmk_server__raw_package }}' + state: present + register: checkmk_server__register_apt_install + when: (not checkmk_server__register_version.stdout) and + (not checkmk_server__register_deb_install|d()) + +- name: Apply patches + patch: + src: '{{ item.patch }}' + dest: '{{ item.file }}' + basedir: '/' + with_items: '{{ checkmk_server__patches }}' + when: (checkmk_server__register_apt_install | changed) or + (checkmk_server__register_deb_install | 
changed) + +- name: Get Check_MK default version + stat: + path: '/omd/versions/default' + register: checkmk_server__register_default + check_mode: no + +- name: Set new default version + command: omd setversion '{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}' + when: (checkmk_server__register_default.stat.lnk_source | + basename) != (checkmk_server__version + checkmk_server__version_suffix) + +- name: Create Check_MK sites + include: create_sites.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + +- name: Set site facts + include: facts.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + tags: [ 'role::checkmk_server:facts' ] + +- name: Re-read local facts + action: setup + tags: [ 'role::checkmk_server:facts' ] diff --git a/env/templates b/env/templates new file mode 120000 index 0000000..564a409 --- /dev/null +++ b/env/templates @@ -0,0 +1 @@ +../templates \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml index fc40342..a90ca10 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -11,7 +11,7 @@ galaxy_info: author: Reto Gantenbein description: 'Setup Check_MK monitoring server' license: 'GPL-3.0' - min_ansible_version: '2.1.5' + min_ansible_version: '2.3.0' platforms: @@ -19,6 +19,13 @@ galaxy_info: versions: - wheezy - jessie + - stretch + - name: Ubuntu + versions: + - trusty + - xenial + - yakkety + - zesty galaxy_tags: - debops diff --git a/tasks/login.yml b/tasks/login.yml new file mode 100644 index 0000000..fa96686 --- /dev/null +++ b/tasks/login.yml 
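Review bot: `Download Check_MK RAW package` fetches the .deb without a `checksum:` argument, and the `match('^http')` guard also accepts plain `http://` URLs, so `Install local Check_MK RAW package` hands an unverified file to `apt: deb:`, which performs no signature check for local packages; the result is installed as root. Add get_url's `checksum` parameter fed from an inventory variable, e.g. `checksum: '{{ checkmk_server__raw_package_checksum }}'` (a new variable, name as you see fit, in the module's `sha256:<hex>` form), so a tampered mirror or transport fails the download instead of being installed. The surrounding tasks are otherwise a straight move from `tasks/main.yml`; the assert at the top of the file is a good addition, but its message would be more actionable if it listed the offending `delegate_to` hosts, e.g. by appending `{{ checkmk_server__sites | map(attribute="delegate_to") | difference(play_hosts) | join(", ") }}`.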
@@ -0,0 +1,40 @@ +--- + +- name: Login on remote site + uri: + url: '{{ item.multisite_url }}/login.py' + method: POST + body: '{{ [ "_login=1", + "_username=" + item.multisite_username, + "_password=" + item.multisite_password, + "_origtarget=automation_login.py", + "_plain_error=1" ] | join("&") }}' + force_basic_auth: yes + user: '{{ item.multisite_username }}' + password: '{{ item.multisite_password }}' + status_code: 302 + validate_certs: '{{ not item.multisite_insecure|bool }}' + register: checkmk_server__register_multisite_login + when: (not item.connection|d('remote') == 'local') + with_items: '{{ checkmk_server__sites }}' + +- name: Get Multisite distribution secrets + uri: + url: '{{ item.location }}' + HEADER_Cookie: '{{ item.set_cookie }}' + return_content: True + validate_certs: '{{ item.invocation.module_args.validate_certs }}' + register: checkmk_server__register_multisite_automation_login + no_log: True + when: not item | skipped + with_items: '{{ checkmk_server__register_multisite_login.results + if "results" in checkmk_server__register_multisite_login else [] }}' + +- name: Generate distributed sites configuration + template: + src: 'etc/check_mk/multisite.d/sites.mk.j2' + dest: '{{ item.home }}/{{ checkmk_server__multisite_config_path }}/sites.mk' + owner: '{{ item.user }}' + group: '{{ item.group }}' + when: (item.connection|d('remote') == 'local') + with_items: '{{ checkmk_server__sites }}' diff --git a/tasks/main.yml b/tasks/main.yml index 974a786..dff9a36 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
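Review bot: `Login on remote site` sends `item.multisite_password` both in the POST body and as basic-auth credentials but has no `no_log: True`, so the registered `checkmk_server__register_multisite_login` (including `invocation.module_args.body`) is printed on failure or with `-v`, and the loop label echoes each `item` with its password; only the second task is protected. Add `no_log: True` to the login task as well. The body is also assembled with `join("&")` and no URL-encoding, so a generated password containing `&`, `=`, `%` or `+` is split or decoded differently by the server and the login fails; building the fields as a mapping and passing it through Jinja2's `urlencode` filter avoids that. `HEADER_Cookie:` in the second task is the legacy spelling; the `headers:` mapping of the `uri` module is the supported form at the Ansible version this commit requires.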
@@ -1,140 +1,44 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -- name: Install prerequisite packages - apt: - name: '{{ item }}' - state: present - with_items: '{{ checkmk_server__prerequisite_packages }}' +- name: Manage SSH keys for monitoring and site synchronization + include: ssh.yml -- name: Check check-mk-raw package version - shell: dpkg-query -W -f='${Version}\n' check-mk-raw-{{ checkmk_server__version }} | cut -d- -f1 - register: checkmk_server_register_version - changed_when: False - failed_when: False - always_run: True - -- name: Download Check_MK RAW package - get_url: - url: '{{ checkmk_server__raw_package }}' - dest: '/var/cache/apt/archives/{{ checkmk_server__raw_package | basename }}' - register: checkmk_server_register_download - when: (not checkmk_server_register_version.stdout) and - (checkmk_server__raw_package | match('^http')) - -- name: Install local Check_MK RAW package - apt: - deb: '{{ ("/var/cache/apt/archives/" + (checkmk_server__raw_package | basename)) - if checkmk_server_register_download|d() - else checkmk_server__raw_package }}' - state: present - ignore_errors: '{{ ansible_check_mode }}' - register: checkmk_server_register_deb_install - when: (not checkmk_server_register_version.stdout) and - ((checkmk_server__raw_package | splitext)[1] == '.deb') - -- name: Install Check_MK RAW package from repository - apt: - name: '{{ checkmk_server__raw_package }}' - state: present - register: checkmk_server_register_apt_install - when: (not checkmk_server_register_version.stdout) and - (not checkmk_server_register_deb_install|d()) - -- name: Apply patches - patch: - src: '{{ item.patch }}' - dest: '{{ item.file }}' - basedir: '/' - ignore_errors: '{{ ansible_check_mode }}' - with_items: '{{ checkmk_server__patches }}' - when: (checkmk_server_register_apt_install | changed) or - (checkmk_server_register_deb_install | changed) - -- name: Set TLS options - template: - src: 'etc/apache2/mods-available/ssl.conf.j2' - dest: 
'/etc/apache2/mods-available/ssl.conf' - owner: 'root' - group: 'root' - mode: '0644' - when: checkmk_server__pki|d(False) - notify: [ 'Reload apache2' ] - -- name: Check apache2 mod_headers status - stat: - path: '/etc/apache2/mods-enabled/headers.load' - register: checkmk_server_register_mod_headers - changed_when: False - always_run: True - -- name: Enable apache2 mod_headers - command: 'a2enmod headers' - when: not checkmk_server_register_mod_headers.stat.exists - notify: [ 'Reload apache2' ] - -- name: Check apache2 mod_ssl status - stat: - path: '/etc/apache2/mods-enabled/ssl.load' - register: checkmk_server_register_mod_ssl - changed_when: False - always_run: True - -- name: Enable apache2 mod_ssl - command: '{{ item }}' - with_items: - - 'a2enmod ssl' - - 'a2ensite default-ssl' - when: checkmk_server__pki|d(False) and not checkmk_server_register_mod_ssl.stat.exists - notify: [ 'Reload apache2' ] - -- name: Disable apache2 mod_ssl - command: '{{ item }}' - with_items: - - 'a2dismod ssl' - - 'a2dissite default-ssl' - when: not checkmk_server__pki|d(False) and checkmk_server_register_mod_ssl.stat.exists - notify: [ 'Reload apache2' ] - -- name: Manage Check_MK site +- name: Manage Check_MK sites include: site.yml - when: checkmk_server__site|d() - -- name: Check distributed site state - stat: - path: '{{ checkmk_server__site_home }}/{{ checkmk_server__site_config_path }}/distributed_wato.mk' - register: checkmk_server__multisite_distributed_wato_mk + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item - name: Monitoring site user authentication include: users.yml - when: checkmk_server__site|d() and - ((checkmk_server__multisite_slave|d() and - not checkmk_server__multisite_distributed_wato_mk.stat.exists) or - not checkmk_server__multisite_slave|d()) + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + tags: + - 'role::checkmk_server:multisite' + - 'role::checkmk_server:users' + +- name: Trigger 
reload/restart handlers + meta: flush_handlers + +- name: Login on distributed sites + include: login.yml + when: (checkmk_server__sites | length) > 1 + tags: + - 'role::checkmk_server:login' - name: Manage WATO and monitoring rules include: wato.yml - when: not checkmk_server__multisite_slave|d() - -- name: Make sure that local fact directory exists - file: - dest: '/etc/ansible/facts.d' - state: 'directory' - owner: 'root' - group: 'root' - mode: '0755' - -- name: Save Check_MK server local facts - template: - src: 'etc/ansible/facts.d/checkmk_server.fact.j2' - dest: '/etc/ansible/facts.d/checkmk_server.fact' - owner: 'root' - group: 'root' - mode: '0644' - register: checkmk_server_register_local_facts - when: checkmk_server__sshkeys|d() - -- name: Gather facts if they were modified - action: setup - when: checkmk_server_register_local_facts|d() and - (checkmk_server_register_local_facts | changed) + when: (checkmk_server__sites | length) > 0 + +- name: Upload configuration to slave sites + include: sync.yml + when: ('multisite_replication' in site_item) and + (site_item.multisite_replication == 'slave') + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + tags: + - role::checkmk_server:rules + - role::checkmk_server:multisite diff --git a/tasks/site.yml b/tasks/site.yml index 9cbd60d..1dbeac3 100644 --- a/tasks/site.yml +++ b/tasks/site.yml 
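Review bot: `Monitoring site user authentication` now includes `users.yml` for every entry of `checkmk_server__sites` unconditionally; the removed lines skipped it on a slave whose `distributed_wato.mk` already existed, i.e. one whose configuration is pushed from the master. If `users.yml` still writes user and password files into the site, a replicated slave gets them overwritten on each run and `sync.yml` may then push the master's copy back, which at best churns and at worst locks out the `sitesync` user mid-replication. Unless the sync step is known to be authoritative, restore the guard per site, e.g. `when: not (site_item.multisite_replication|d('') == 'slave')`, or state in a comment why running it on slaves is intended. The `Login on distributed sites` condition `(checkmk_server__sites | length) > 1` assumes a single-site host never has a remote site to log into, which holds only if remote slaves always appear in this list; a short comment saying so would help the next reader.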
@@ -1,185 +1,80 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -# Check_MK site configuration [[[1 -- name: Get Check_MK default version - stat: - path: '/omd/versions/default' - register: checkmk_server_register_default - always_run: True - -- name: Set new default version - command: omd setversion '{{ checkmk_server__version_label }}' - ignore_errors: '{{ ansible_check_mode }}' - when: (checkmk_server_register_default.stat.lnk_source | - basename) != checkmk_server__version_label - -- name: Create Check_MK site - command: omd create '{{ checkmk_server__site }}' - args: - creates: '/omd/sites/{{ checkmk_server__site }}/etc/omd/site.conf' - -- name: Get Check_MK site version - command: omd version '{{ checkmk_server__site }}' - register: checkmk_server_register_site_version - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - -- name: Trigger site version update - set_fact: - checkmk_server__fact_update: True - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - when: checkmk_server__site_update|bool and - ((checkmk_server_register_site_version.stdout.split(" ")[-1] | splitext)[0] | - version_compare(checkmk_server__version, "<")) - -- name: Check cron.allow file - stat: - path: '/etc/cron.allow' - register: checkmk_server_register_cron - -- name: Grant cron permissions to Check_MK user - lineinfile: - dest: '/etc/cron.allow' - line: '{{ checkmk_server__user }}' - regexp: '^{{ checkmk_server__user }}$' - when: checkmk_server_register_cron.stat.exists - notify: [ 'Restart Check_MK' ] - -- name: Query OMD configuration - command: omd config '{{ checkmk_server__site }}' show '{{ item.var }}' - with_items: '{{ checkmk_server__omd_config }}' - register: checkmk_server__register_omd_config - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - -- name: Shutdown Check_MK site (if required) - command: omd stop '{{ checkmk_server__site }}' - when: (not (item.item.value|string) == item.stdout) 
or - checkmk_server__fact_update|d(False) - with_items: '{{ checkmk_server__register_omd_config.results - if not "failed" in checkmk_server__register_omd_config else [] }}' - register: checkmk_server__register_omd_stop - -- name: Run Check_MK site update - command: omd --force update '{{ checkmk_server__site }}' - ignore_errors: '{{ ansible_check_mode }}' - when: checkmk_server__fact_update|d(False) - -- name: Set OMD site properties - command: omd config '{{ checkmk_server__site }}' set '{{ item.item.var }}' '{{ item.item.value }}' - when: not item.stdout == (item.item.value|string) - with_items: '{{ checkmk_server__register_omd_config.results - if not "failed" in checkmk_server__register_omd_config else [] }}' - -- name: Enable Check_MK service - service: - name: 'check-mk-raw-{{ checkmk_server__version if checkmk_server__fact_update|d() else (checkmk_server_register_site_version.stdout.split(" ")[-1] | splitext)[0] }}' - enabled: yes - ignore_errors: '{{ ansible_check_mode }}' +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. 
-- name: Start Check_MK site (if required) - command: omd start '{{ checkmk_server__site }}' - when: checkmk_server__register_omd_stop | changed - -- name: Create .ssh directory - file: - path: '{{ checkmk_server__site_home }}/.ssh' - state: directory - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0700' - when: checkmk_server__sshkeys|d() - -- name: Generate SSH keypair - command: 'ssh-keygen {{ "-b " + checkmk_server__sshkeys.keysize if "keysize" in checkmk_server__sshkeys else "-b 4096" }} -f {{ checkmk_server__site_home }}/.ssh/id_rsa -N ""' - args: - creates: '{{ checkmk_server__site_home }}/.ssh/id_rsa' - when: checkmk_server__sshkeys|d() and - ("generate_keypair" in checkmk_server__sshkeys|d() and - checkmk_server__sshkeys.generate_keypair) - -- name: Fix SSH keypair ownership - file: - path: '{{ checkmk_server__site_home }}/.ssh/{{ item }}' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - ignore_errors: '{{ ansible_check_mode }}' - with_items: [ 'id_rsa', 'id_rsa.pub' ] - when: checkmk_server__sshkeys|d() and - ("generate_keypair" in checkmk_server__sshkeys|d() and - checkmk_server__sshkeys.generate_keypair) - -- name: Copy SSH private key - copy: - src: '{{ checkmk_server__sshkeys.privatekey_file }}' - dest: '{{ checkmk_server__site_home }}/.ssh/id_rsa' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0600' - when: checkmk_server__sshkeys|d() and - "privatekey_file" in checkmk_server__sshkeys|d() - -- name: Copy SSH public key - copy: - src: '{{ checkmk_server__sshkeys.publickey_file }}' - dest: '{{ checkmk_server__site_home }}/.ssh/id_rsa.pub' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0644' - when: checkmk_server__sshkeys|d() and - "publickey_file" in checkmk_server__sshkeys|d() - -- name: Read SSH public key - command: 'cat {{ checkmk_server__site_home }}/.ssh/id_rsa.pub' - changed_when: False - 
ignore_errors: '{{ ansible_check_mode }}' - register: checkmk_server__register_ssh_public_key - when: checkmk_server__sshkeys|d() - -- name: Query installed Check_MK packages - command: mkp list - become_user: '{{ checkmk_server__user }}' - become_flags: '-i' - changed_when: False - always_run: True - register: checkmk_server__register_mkp - tags: - - 'role::checkmk_server:mkp' - -- name: Download Check_MK packages - get_url: - url: '{{ item.url }}' - dest: '{{ checkmk_server__site_home }}/tmp' - checksum: '{{ item.checksum|d(omit) }}' - when: ('url' in item) and - (item.name not in checkmk_server__register_mkp.stdout_lines) - register: checkmk_server__register_mkp_download - with_items: '{{ checkmk_server__site_packages }}' - tags: - - 'role::checkmk_server:mkp' - -- name: Upload Check_MK packages - copy: - src: '{{ item.path }}' - dest: '{{ checkmk_server__site_home }}/tmp' - when: ('path' in item) and - (item.name not in checkmk_server__register_mkp.stdout_lines) - register: checkmk_server__register_mkp_upload - with_items: '{{ checkmk_server__site_packages }}' - tags: - - 'role::checkmk_server:mkp' - -- name: Install Check_MK packages - command: mkp install '{{ item.dest|d() }}' - become_user: '{{ checkmk_server__user }}' - become_flags: '-i' - when: not (item | skipped) - with_flattened: - - '{{ checkmk_server__register_mkp_download.results }}' - - '{{ checkmk_server__register_mkp_upload.results }}' - tags: - - 'role::checkmk_server:mkp' +# Check_MK site configuration [[[1 +- name: Site configuration via omd + block: + + - name: Get Check_MK site version + command: omd version '{{ site_item.name }}' + register: checkmk_server__register_site_version + changed_when: False + check_mode: no + + - name: Trigger site version update + set_fact: + checkmk_server__fact_update: '{{ site_item.update and + ((checkmk_server__register_site_version.stdout.split(" ")[-1] | splitext)[0] | + version_compare(site_item.version, "<")) }}' + check_mode: no + + - name: Check 
cron.allow file + stat: + path: '/etc/cron.allow' + register: checkmk_server__register_cron + + - name: Grant cron permissions to Check_MK user + lineinfile: + dest: '/etc/cron.allow' + line: '{{ site_item.user }}' + regexp: '^{{ site_item.user }}$' + when: checkmk_server__register_cron.stat.exists + notify: [ 'Restart Check_MK' ] + + - name: Query OMD configuration + command: omd config '{{ site_item.name }}' show '{{ item.var }}' + with_items: '{{ site_item.omd_config }}' + register: checkmk_server__register_omd_config + changed_when: False + check_mode: no + + - name: Shutdown Check_MK site (if required) + command: omd stop '{{ site_item.name }}' + when: (not (item.item.value|string) == item.stdout) or + checkmk_server__fact_update|d(False) + with_items: '{{ checkmk_server__register_omd_config.results + if not "failed" in checkmk_server__register_omd_config else [] }}' + register: checkmk_server__register_omd_stop + + - name: Run Check_MK site update + command: omd --force update '{{ site_item.name }}' + when: checkmk_server__fact_update|d(False) + + - name: Set OMD site properties + command: omd config '{{ site_item.name }}' set '{{ item.item.var }}' '{{ item.item.value }}' + when: not item.stdout == (item.item.value|string) + with_items: '{{ checkmk_server__register_omd_config.results + if not "failed" in checkmk_server__register_omd_config else [] }}' + + - name: Enable Check_MK service + service: + name: 'check-mk-raw-{{ site_item.version + if checkmk_server__fact_update|d() + else (checkmk_server__register_site_version.stdout.split(" ")[-1] | splitext)[0] }}' + enabled: yes + ignore_errors: '{{ ansible_check_mode }}' + + - name: Start Check_MK site (if required) + command: omd start '{{ site_item.name }}' + when: checkmk_server__register_omd_stop | changed + + # delegate block + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' 
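Review bot: `omd --force update` can run against a site that was never stopped: "Shutdown Check_MK site (if required)" only iterates `checkmk_server__register_omd_config.results`, so when `site_item.omd_config` is empty there is no iteration and the `checkmk_server__fact_update|d(False)` condition is never evaluated; for the same reason "Start Check_MK site (if required)" (`checkmk_server__register_omd_stop | changed`) never brings the site back up unless `omd update` does so itself. A dedicated stop task before the update, `when: checkmk_server__fact_update|d(False)`, and a start condition of `when: (checkmk_server__register_omd_stop | changed) or checkmk_server__fact_update|d(False)` would make the update path independent of the omd_config list. Worth a regression check with a site that defines `omd_config: []`.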
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
new file mode 100644
index 0000000..7b4bbcb
--- /dev/null
+++ b/tasks/ssh.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Manage SSH keys for monitoring and site synchronization
+ include: ssh_keys.yml
+ with_items: '{{ checkmk_server__sites }}'
+ loop_control:
+ loop_var: site_item
+
+- name: Update facts with SSH key
+ include: ssh_fact.yml
+ with_items: '{{ ansible_local.checkmk_server.values() }}'
+ loop_control:
+ loop_var: site_item
+ tags: [ 'role::checkmk_server:facts' ]
+
+- name: Re-read local facts
+ action: setup
+ tags: [ 'role::checkmk_server:facts' ]
+
+- name: Setup SSH public key login on slave sites
+ include: ssh_login.yml
+ with_items: '{{ checkmk_server__sites }}'
+ loop_control:
+ loop_var: site_item
diff --git a/tasks/ssh_fact.yml b/tasks/ssh_fact.yml
new file mode 100644
index 0000000..dcfb462
--- /dev/null
+++ b/tasks/ssh_fact.yml
@@ -0,0 +1,23 @@
+---
+# IMPORTANT:
+# These tasks are run for each Check_MK site defined on the local
+# server. This means they can run multiple times per server. The
+# site configuration is available through `site_item`.
+
+- name: Read SSH public key
+ command: 'cat {{ site_item.home }}/.ssh/id_rsa.pub'
+ register: checkmk_server__register_ssh_public_key
+ changed_when: False
+
+- name: Show SSH public key of site '{{ site_item.name }}'
+ debug:
+ var: checkmk_server__register_ssh_public_key.stdout
+ verbosity: 1
+
+- name: Save Check_MK server local facts
+ template:
+ src: 'etc/ansible/facts.d/checkmk_server.fact.j2'
+ dest: '/etc/ansible/facts.d/checkmk_server.fact'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
diff --git a/tasks/ssh_keys.yml b/tasks/ssh_keys.yml
new file mode 100644
index 0000000..3559e3c
--- /dev/null
+++ b/tasks/ssh_keys.yml
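Review bot: "Update facts with SSH key" iterates `ansible_local.checkmk_server.values()`, but that fact only exists after `ssh_fact.yml` has written `/etc/ansible/facts.d/checkmk_server.fact` and `setup` has re-run, and the "Re-read local facts" task comes after this loop, so on a host with no previous run the loop expression is undefined and the include fails (unless local facts are seeded elsewhere in the role, which this diff does not show). Guarding the expression keeps the first run working: `with_items: '{{ ansible_local.checkmk_server.values() if ("checkmk_server" in ansible_local|d({})) else [] }}'`. The loop over facts rather than `checkmk_server__sites` also means a newly added site gets its key exported only on the second run; a comment stating that is worth adding.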
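Review bot: "Read SSH public key" runs `cat {{ site_item.home }}/.ssh/id_rsa.pub` unconditionally and without `failed_when`, so a site that has no keypair (no `sshkeys.publickey_file` and no generated key) aborts the play, even though the facts template already treats a missing `stdout` as "no key". Adding `failed_when: False` (or a `stat` guard on the file) lets the task degrade to an empty key as the template expects. Since the facts file now holds the full merged `site_item` per site rather than a few selected fields, `mode: '0644'` deserves a second look if that mapping can carry credentials.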
@@ -0,0 +1,43 @@
+---
+# IMPORTANT:
+# These tasks are run for each Check_MK site defined
+# in `checkmk_server__sites`. This means they can run multiple
+# times per server. If the monitoring site is a remote slave,
+# they might even run on a different server. The site configuration
+# is available through `site_item`.
+
+- name: Upload and read SSH key
+ block:
+
+ - name: Create .ssh directory
+ file:
+ path: '{{ site_item.home }}/.ssh'
+ state: directory
+ owner: '{{ site_item.user }}'
+ group: '{{ site_item.group }}'
+ mode: '0700'
+ when: ('sshkeys' in site_item) and site_item.sshkeys
+
+ - name: Copy SSH private key
+ copy:
+ src: '{{ site_item.sshkeys.privatekey_file }}'
+ dest: '{{ site_item.home }}/.ssh/id_rsa'
+ owner: '{{ site_item.user }}'
+ group: '{{ site_item.group }}'
+ mode: '0600'
+ when: ('sshkeys' in site_item) and
+ site_item.sshkeys.privatekey_file|d(False)
+
+ - name: Copy SSH public key
+ copy:
+ src: '{{ site_item.sshkeys.publickey_file }}'
+ dest: '{{ site_item.home }}/.ssh/id_rsa.pub'
+ owner: '{{ site_item.user }}'
+ group: '{{ site_item.group }}'
+ mode: '0644'
+ when: ('sshkeys' in site_item) and
+ site_item.sshkeys.publickey_file|d(False)
+
+ # delegate block
+ delegate_to: '{{ site_item.delegate_to
+ if (not site_item.delegate_to == inventory_hostname) else omit }}'
diff --git a/tasks/ssh_login.yml b/tasks/ssh_login.yml
new file mode 100644
index 0000000..e6253cd
--- /dev/null
+++ b/tasks/ssh_login.yml
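Review bot: "Copy SSH private key" should carry `no_log: True`: when the play runs with `--diff` or high verbosity, the `copy` module prints the content of the text file it changes, which here is the site's private key. The directory and file modes (`0700`, `0600`) are right. Minor: the `.ssh` directory task is gated on `site_item.sshkeys` being truthy while the two copies are gated on the `*_file` keys, so an `sshkeys` mapping without key files creates an empty directory; harmless, but aligning the three `when` conditions would make the intent clearer.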
@@ -0,0 +1,19 @@
+---
+# IMPORTANT:
+# These tasks are run for each Check_MK site defined
+# in `checkmk_server__sites`. This means they can run multiple
+# times per server. If the monitoring site is a remote slave,
+# they might even run on a different server. The site configuration
+# is available through `site_item`.
+
+- block:
+
+ - name: Allow SSH login from master site
+ authorized_key:
+ user: '{{ site_item.user }}'
+ key: '{{ hostvars[site_item.master_delegate_to].ansible_local.checkmk_server[site_item.master_site].ssh_public_key }}'
+ when: ('master_delegate_to' in site_item.keys())
+
+ # delegate block
+ delegate_to: '{{ site_item.delegate_to
+ if (not site_item.delegate_to == inventory_hostname) else omit }}'
diff --git a/tasks/sync.yml b/tasks/sync.yml
new file mode 100644
index 0000000..30252cd
--- /dev/null
+++ b/tasks/sync.yml
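Review bot: `authorized_key` installs the master site's key without any `key_options`, which gives the master an unrestricted interactive login as the slave site user although sync.yml only ever needs rsync over that connection. Restricting the key limits what a compromised master can do on the slave, e.g. `key_options: 'no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,from="<MASTER_ADDRESS_PLACEHOLDER>"'` with the master host's address in `from=`. The `when` guard on `master_delegate_to` is good; if the master's local facts have not been gathered yet the `hostvars[...]` lookup fails loudly rather than silently, which is acceptable but worth a comment.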
@@ -0,0 +1,23 @@
+---
+# IMPORTANT:
+# These tasks are run for each Check_MK site defined
+# in `checkmk_server__sites`. This means they can run multiple
+# times per server. If the monitoring site is a remote slave,
+# they might even run on a different server. The site configuration
+# is available through `site_item`.
+
+- name: Synchronize multisite configuration to slave sites
+ become_user: '{{ site_item.master_site }}'
+ command: 'rsync --archive --verbose --rsh="ssh -o BatchMode=yes -o StrictHostKeyChecking=no" {{ checkmk_server__site_home }}/{{ item }}/. {{ site_item.user }}@{{ site_item.fqdn }}:{{ site_item.home }}/{{ item }}/'
+ delegate_to: '{{ site_item.master_delegate_to }}'
+ with_items:
+ - [ '{{ checkmk_server__multisite_config_path }}/wato', '{{ checkmk_server__site_config_path }}/wato' ]
+ register: checkmk_server__register_site_sync
+ changed_when: ('stdout_lines' in checkmk_server__register_site_sync) and
+ (checkmk_server__register_site_sync.stdout_lines | length > 4)
+
+- name: Reload slave site configuration
+ command: '{{ site_item.home }}/bin/cmk --reload'
+ environment:
+ OMD_ROOT: '/omd/sites/{{ site_item.name }}'
+ delegate_to: '{{ site_item.delegate_to }}'
diff --git a/tasks/users.yml b/tasks/users.yml
index 20ea697..4f5beca 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
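Review bot: The rsync transport sets `-o StrictHostKeyChecking=no`, which accepts any host key presented for `{{ site_item.fqdn }}`, so a machine on the path can impersonate the slave and receive the WATO configuration (including `users.mk`, which users.yml populates with automation secrets). Prefer provisioning the slave's host key into the master site user's `known_hosts` (the `known_hosts` module) and dropping the option, or at minimum `-o StrictHostKeyChecking=accept-new` on OpenSSH 7.6 or later so only the first contact is trusted. `changed_when: ... stdout_lines | length > 4` is a heuristic on rsync's verbose banner; `--itemize-changes` gives a signal that can be tested directly. The reload task runs `cmk --reload` without a `become_user` for the site, so it presumably runs as the connection user; worth confirming it does not leave root-owned files under `{{ site_item.home }}`.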
@@ -1,78 +1,97 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -# Read existing Check_MK configuration [[[1 -- name: Wait for the site to be started - wait_for: - path: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' - timeout: 60 +# Check if distributed site is already initialized [[[1 +- name: Check distributed site state + stat: + path: '{{ site_item.home }}/{{ checkmk_server__site_config_path }}/distributed_wato.mk' + register: checkmk_server__register_distributed_wato_mk + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' -- name: Read local multisite users definition - command: 'sed -e "1,/^multisite_users\s*=/d" {{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' - register: checkmk_server__register_users_mk - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - tags: [ 'role::checkmk_server:multisite' ] +- name: Configure local multisite users + block: -- name: Read local contacts definition - command: 'sed -e "1,/^contacts.update(/d" -e "$d" {{ checkmk_server__site_home }}/{{ checkmk_server__site_config_path }}/wato/contacts.mk' - register: checkmk_server__register_contacts_mk - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - tags: [ 'role::checkmk_server:multisite' ] + # Read existing Check_MK configuration [[[1 + - name: Wait for the site to be started + wait_for: + path: '{{ site_item.home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' + timeout: 60 -- name: Set local Check_MK configuration facts - set_fact: - checkmk_server__fact_local_users: '{{ checkmk_server__register_users_mk.stdout - if checkmk_server__register_users_mk.stdout|length > 0 - else {} }}' - checkmk_server__fact_local_contacts: '{{ checkmk_server__register_contacts_mk.stdout - if checkmk_server__register_contacts_mk.stdout|length > 0 - else {} }}' - always_run: 
True - tags: [ 'role::checkmk_server:multisite' ] + - name: Read local multisite users definition + command: 'sed -e "1,/^multisite_users\s*=/d" {{ site_item.home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' + register: checkmk_server__register_users_mk + changed_when: False + check_mode: no + - name: Read local contacts definition + command: 'sed -e "1,/^contacts.update(/d" -e "$d" {{ site_item.home }}/{{ checkmk_server__site_config_path }}/wato/contacts.mk' + register: checkmk_server__register_contacts_mk + changed_when: False + check_mode: no -# Check_MK Multisite authentication [[[1 -- name: Set local httpd user passwords - htpasswd: - path: '{{ checkmk_server__site_home }}/etc/htpasswd' - name: '{{ item }}' - password: '{{ checkmk_server__multisite_users[item]["password"] - if "password" in checkmk_server__multisite_users[item] - else checkmk_server__multisite_users[item]["automation_secret"] }}' - crypt_scheme: md5_crypt - ignore_errors: '{{ ansible_check_mode }}' - when: ("password" in checkmk_server__multisite_users[item]) or - ("automation_secret" in checkmk_server__multisite_users[item]) - with_items: '{{ checkmk_server__multisite_users|d({})|list }}' - tags: [ 'role::checkmk_server:multisite' ] + - name: Set local Check_MK configuration facts + set_fact: + checkmk_server__fact_local_users: '{{ checkmk_server__register_users_mk.stdout + if checkmk_server__register_users_mk.stdout|length > 0 + else {} }}' + checkmk_server__fact_local_contacts: '{{ checkmk_server__register_contacts_mk.stdout + if checkmk_server__register_contacts_mk.stdout|length > 0 + else {} }}' + check_mode: no -- name: Create Web directory for Multisite users - file: - path: '{{ checkmk_server__site_home }}/var/check_mk/web/{{ item }}' - state: directory - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0770' - with_items: '{{ checkmk_server__multisite_users|d({})|list }}' + # Check_MK multisite authentication [[[1 + - name: Set local 
httpd user passwords + htpasswd: + path: '{{ site_item.home }}/etc/htpasswd' + name: '{{ item }}' + password: '{{ checkmk_server__multisite_users[item]["password"] + if "password" in checkmk_server__multisite_users[item] + else checkmk_server__multisite_users[item]["automation_secret"] }}' + crypt_scheme: md5_crypt + when: ("password" in checkmk_server__multisite_users[item]) or + ("automation_secret" in checkmk_server__multisite_users[item]) + with_items: '{{ checkmk_server__multisite_users|d({})|list }}' -- name: Create automation.secret - template: - src: 'var/check_mk/web/user/automation.secret.j2' - dest: '{{ checkmk_server__site_home }}/var/check_mk/web/{{ item }}/automation.secret' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0660' - when: ("automation_secret" in checkmk_server__multisite_users[item]) - with_items: '{{ checkmk_server__multisite_users|d({})|list }}' + - name: Create Web directory for multisite users + file: + path: '{{ site_item.home }}/var/check_mk/web/{{ item }}' + state: directory + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0770' + with_items: '{{ checkmk_server__multisite_users|d({})|list }}' -- name: Generate Check_MK Multisite user definitions - template: - src: 'etc/check_mk/multisite.d/wato/users.mk.j2' - dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0660' + - name: Create automation.secret + template: + src: 'var/check_mk/web/user/automation.secret.j2' + dest: '{{ site_item.home }}/var/check_mk/web/{{ item }}/automation.secret' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0660' + when: ("automation_secret" in checkmk_server__multisite_users[item]) + with_items: '{{ checkmk_server__multisite_users|d({})|list }}' + + - name: Generate Check_MK multisite user definitions + template: + src: 
'etc/check_mk/multisite.d/wato/users.mk.j2' + dest: '{{ site_item.home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0660' + + rescue: + - name: Print current site configuration + debug: + var: site_item + + # Only run this block if the site is either a local master site or a slave + # site which hasn't been synchronized yet + when: (site_item.connection|d('remote') == 'local') or + (('multisite_replication' in site_item.keys() and + site_item.multisite_replication == 'slave') and + (not checkmk_server__register_distributed_wato_mk.stat.exists)) + + # Delegate tasks to server of current site item + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/tasks/wato.yml b/tasks/wato.yml index 2a28ea1..c4ddb11 100644 --- a/tasks/wato.yml +++ b/tasks/wato.yml 
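Review bot: The `rescue` turns a failure of the whole user-configuration block into a successful play and prints `site_item` in full; site entries are merged with `checkmk_server__distributed_sites_defaults` (the sites.mk template strips a `password` key from exactly that data), so this dumps multisite credentials into the log while hiding the error. Replace it with a message that names the site and re-fails, e.g. `- fail: msg: 'Configuring users of site {{ site_item.name }} failed'` (a `debug` of `site_item.name` alone is enough for diagnosis), or at least add `no_log: True` to the debug task. `crypt_scheme: md5_crypt` is carried over unchanged; if the Check_MK version in use accepts bcrypt or sha512 htpasswd entries, that would be the stronger default for `htpasswd`.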
@@ -1,56 +1,7 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -# Check_MK Multisite/WATO configuration [[[ -- name: Login on slave sites - uri: - url: '{{ checkmk_server__distributed_sites[item].multisiteurl }}/login.py' - method: POST - body: '{{ [ "_login=1", - "_username=" + (checkmk_server__distributed_sites[item].username - if "username" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.username), - "_password=" + (checkmk_server__distributed_sites[item].password - if "password" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.password), - "_origtarget=automation_login.py", - "_plain_error=1" ] | join("&") }}' - force_basic_auth: True - user: '{{ checkmk_server__distributed_sites[item].username - if "username" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.username }}' - password: '{{ checkmk_server__distributed_sites[item].password - if "password" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.password }}' - status_code: 302 - validate_certs: '{{ not checkmk_server__distributed_sites[item].insecure - if "insecure" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.insecure }}' - register: checkmk_server__register_multisite_login - ignore_errors: '{{ ansible_check_mode }}' - when: item != checkmk_server__site - with_items: '{{ checkmk_server__distributed_sites|d([]) }}' - -- name: Get Multisite distribution secrets - uri: - url: '{{ item.location }}' - HEADER_Cookie: '{{ item.set_cookie }}' - return_content: True - validate_certs: '{{ item.invocation.module_args.validate_certs }}' - register: checkmk_server__register_multisite_automation_login - no_log: True - when: not item | skipped - with_items: '{{ checkmk_server__register_multisite_login.results - if "results" in checkmk_server__register_multisite_login else [] }}' - -- name: Generate 
distributed monitoring configuration - template: - src: 'etc/check_mk/multisite.d/sites.mk.j2' - dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/sites.mk' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - tags: [ 'role::checkmk_server:multisite' ] - +# Check_MK multisite/WATO configuration [[[ - name: Generate Check_MK WATO Multisite definitions template: src: '{{ lookup("template_src", "etc/check_mk/multisite.d/wato/" + item | basename) }}' diff --git a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 index cf0e367..9eda84a 100644 --- a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 +++ b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 
@@ -1,10 +1,50 @@ +{# + # Create a facts file containing the sites hosted on the involved host. + # + # Distributed slaves sites are defined in the inventory of the master server, + # therefore it may happen, that the facts file is merged from multiple + # configuration sources (inventory from master host and local facts from + # slave host). + # + # Sites which are about to be deleted must not be listed in the resulting + # facts file. + #} {% set _site_facts = {} %} -{% if checkmk_server__site|d() %} -{% set _ = _site_facts.update({checkmk_server__site: {"version": checkmk_server__version_label}}) %} -{% set _ = _site_facts[checkmk_server__site].update({"site_url": checkmk_server__site_url}) %} -{% set _ = _site_facts[checkmk_server__site].update({"webapi_url": checkmk_server__webapi_url}) %} -{% if checkmk_server__register_ssh_public_key.stdout|d() %} -{% set _ = _site_facts[checkmk_server__site].update({"ssh_public_key": checkmk_server__register_ssh_public_key.stdout}) %} +{% if (site_item.delegate_to in hostvars) and + ('ansible_local' in hostvars[site_item.delegate_to]) and + ('checkmk_server' in hostvars[site_item.delegate_to].ansible_local) and + hostvars[site_item.delegate_to].ansible_local.checkmk_server %} +{# + # Site currently handled was defined before + #} +{% set _cmk_server_facts = hostvars[site_item.delegate_to].ansible_local.checkmk_server %} +{% for _local_site in _cmk_server_facts.keys() %} +{% if _local_site == site_item.name %} +{# + # Site is not meant to be removed + #} +{% if site_item.state|d('present') != 'absent' %} +{# + # Add the SSH public key if found as fact + #} +{% if checkmk_server__register_ssh_public_key|d() and + 'stdout' in checkmk_server__register_ssh_public_key and + checkmk_server__register_ssh_public_key.stdout | length > 0 %} +{% set _ = site_item.update({'ssh_public_key': checkmk_server__register_ssh_public_key.stdout}) %} +{% endif %} +{# + # Update site configuration + #} +{% set _ = _site_facts.update({_local_site: 
(_cmk_server_facts[_local_site] | combine(site_item, recursive=True))}) %} +{% endif %} +{% endif %} +{% endfor %} +{# + # No local facts found + #} +{% else %} +{% if site_item.state|d('present') != 'absent' %} +{% set _ = _site_facts.update({site_item.name: site_item}) %} {% endif %} {% endif %} {{ _site_facts | to_nice_json }} diff --git a/templates/etc/check_mk/multisite.d/sites.mk.j2 b/templates/etc/check_mk/multisite.d/sites.mk.j2 index d33da56..832f5b1 100644 --- a/templates/etc/check_mk/multisite.d/sites.mk.j2 +++ b/templates/etc/check_mk/multisite.d/sites.mk.j2 
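Review bot: The new branches store `site_item` itself in the facts file (`_site_facts.update({site_item.name: site_item})`, and the `combine(site_item, recursive=True)` above), whereas the old template wrote only `version`, `site_url`, `webapi_url` and `ssh_public_key`. `site_item` is the merged site mapping that also carries `checkmk_server__distributed_sites_defaults` (sites.mk.j2 filters a `password` key out of that data) and `dependent_vars`, so credentials can land in a root-owned but world-readable facts file and are then re-exported to every play through `ansible_local`. Whitelist the keys the role reads back, or at least drop `password` and `dependent_vars` before storing; a Jinja loop filter keeps this within the Ansible version the README requires.
```jinja
{# … unchanged: hostvars / ansible_local lookup … #}
{% set _site_export = {} %}
{% for _k, _v in site_item.items() if _k not in ['password', 'dependent_vars'] %}
{% set _ = _site_export.update({_k: _v}) %}
{% endfor %}
{# … use _site_export instead of site_item in both _site_facts.update() calls … #}
```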
@@ -2,44 +2,34 @@ # {{ ansible_managed }} # encoding: utf-8 -{% set _sites = {} %} -{% if checkmk_server__distributed_sites|d({}) %} -{% if not checkmk_server__site in checkmk_server__distributed_sites %} -{% set _ = _sites.update({checkmk_server__site: {}}) %} -{% set _ = _sites[checkmk_server__site].update({ 'alias': 'Local site ' + checkmk_server__site }) %} -{% for _prop in checkmk_server__local_site_properties|d([]) %} -{% set _ = _sites[checkmk_server__site].update({ _prop: checkmk_server__distributed_sites_defaults[_prop] }) %} -{% endfor %} +{% set _sites_mk = {} %} +{% for _site in checkmk_server__sites %} +{% set _ = _sites_mk.update({_site.name: {}}) %} +{% if _site.connection|d('remote') == 'local' %} +{% set _property_list = checkmk_server__local_site_properties %} +{% else %} +{% set _property_list = checkmk_server__remote_site_properties %} {% endif %} -{% for _site in checkmk_server__distributed_sites %} -{% if not _site in _sites %} -{% set _ = _sites.update({_site: {}}) %} -{% for _key, _value in checkmk_server__distributed_sites[_site].items() %} -{% if _key not in [ 'username', 'password' ] %} -{% set _ = _sites[_site].update({ _key: _value }) %} -{% endif %} -{% endfor %} -{% if _site == checkmk_server__site %} -{% set _site_properties = checkmk_server__local_site_properties %} -{% else %} -{% set _site_properties = checkmk_server__distributed_sites_defaults | difference([ 'username', 'password' ]) %} -{% endif %} -{% for _prop in _site_properties %} -{% if _prop not in _sites[_site] %} -{% set _ = _sites[_site].update({ _prop: checkmk_server__distributed_sites_defaults[_prop] }) %} -{% endif %} -{% endfor %} +{% for _prop in (_property_list | difference(['password'])) %} +{% if ('multisite_' + _prop) in _site.keys() %} +{% set _ = _sites_mk[_site.name].update({_prop: _site['multisite_' + _prop]}) %} +{% endif %} +{% if ('livestatus_' + _prop) in _site.keys() %} +{% set _ = _sites_mk[_site.name].update({_prop: _site['livestatus_' + _prop]}) %} 
+{% endif %} +{% if (_prop == 'multisiteurl') and ('multisite_url' in _site.keys()) %} +{% set _ = _sites_mk[_site.name].update({_prop: _site['multisite_url']}) %} {% endif %} {% endfor %} {% if 'results' in checkmk_server__register_multisite_automation_login %} {% for _result in checkmk_server__register_multisite_automation_login.results|d({}) %} -{% if not _result | skipped %} -{% set _ = _sites[_result.item.item].update({ 'secret': _result.content|replace("'", "") }) %} +{% if (not _result | skipped) and (_result.item.item.name == _site.name) %} +{% set _ = _sites_mk[_site.name].update({'secret': _result.content|replace("'", "")}) %} {% endif %} {% endfor %} {% endif %} -{% endif %} -{% if _sites %} +{% endfor %} +{% if _sites_mk %} sites = \ -{{ macros.tmpl_format__dict_multiline(_sites) }} +{{ macros.tmpl_format__dict_multiline(_sites_mk) }} {% endif %} diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 new file mode 100644 index 0000000..b910cf5 --- /dev/null +++ b/templates/lookup/checkmk_server__sites.j2 
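Review bot: `'secret': _result.content|replace("'", "")` copies the raw HTTP body of the automation-login response into `sites.mk`, which Check_MK evaluates as Python; if that request returned anything other than the bare secret (a login page after a failed login, an error page) the file is corrupted or an HTML blob is stored as the site secret. Guard the assignment with the response status, e.g. `{% if (not _result | skipped) and (_result.status == 200) and (_result.item.item.name == _site.name) %}`, and consider failing on unexpected content in the login task itself (login.yml is not part of this diff, so I cannot tell whether it already does).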
@@ -0,0 +1,232 @@
+{#
+ # Get site configuration
+ #
+ # This Jinja templates requires at least Ansible 2.1.4, 2.2.2, 2.3.0, see:
+ # https://github.com/ansible/ansible/issues/14542
+ #}
+
+{% if (not checkmk_server__distributed_sites) and (not checkmk_server__site) %}
+[]
+{% else %}
+{% set _sites = [] %}
+{% set _local_site = {} %}
+{% set _ = _local_site.update({'connection': 'local'}) %}
+{% set _ = _local_site.update({'delegate_to': inventory_hostname}) %}
+{% set _ = _local_site.update({'group': checkmk_server__site}) %}
+{% set _ = _local_site.update({'home': checkmk_server__site_home}) %}
+{% set _ = _local_site.update({'fqdn': checkmk_server__fqdn}) %}
+{% set _ = _local_site.update({'multisite_replication': ''}) %}
+{% set _ = _local_site.update({'name': checkmk_server__site}) %}
+{% set _ = _local_site.update({'omd_config': checkmk_server__omd_config}) %}
+{% set _ = _local_site.update({'update': checkmk_server__site_update}) %}
+{% set _ = _local_site.update({'user': checkmk_server__site}) %}
+{% set _ = _local_site.update({'version': checkmk_server__version}) %}
+{% for _key, _value in checkmk_server__distributed_sites_defaults.iteritems() %}
+{% if not _key in _local_site.keys() %}
+{% set _ = _local_site.update({_key: _value}) %}
+{% endif %}
+{% endfor %}
+{#
+ # Set dependent role variables
+ #}
+{% set _ = _local_site.update({'dependent_vars': {}}) %}
+{% set _user = {'name': _local_site.user} %}
+{% set _ = _user.update({'comment': 'OMD site ' + _local_site.name}) %}
+{% set _ = _user.update({'shell': '/bin/bash'}) %}
+{% set _ = _user.update({'home': _local_site.home}) %}
+{% set _ = _user.update({'groups': 'sshusers'}) %}
+{% if ('generate_keypair' in checkmk_server__sshkeys) and (not checkmk_server__sshkeys.generate_keypair == False) %}
+{% set _ = _user.update({'generate_ssh_key': True }) %}
+{% endif %}
+{% set _ = _local_site.dependent_vars.update({'users__dependent_accounts': [ _user ]}) %}
+{% set _ = _local_site.dependent_vars.update({'etc_services__dependent_list': []}) %}
+{% set _ = _local_site.dependent_vars.update({'ferm__dependent_rules': []}) %}
+
+{#
+ # The site alias must be set
+ #}
+{% if not 'multisite_alias' in _local_site.keys() %}
+{% set _ = _local_site.update({'multisite_alias': 'Local site ' + _local_site.name}) %}
+{% endif %}
+{#
+ # Make sure multisite url is properly defined
+ #}
+{% if not 'multisite_url' in _local_site.keys() %}
+{% set _ = _local_site.update({'multisite_url': ''}) %}
+{% endif %}
+{#
+ # Make sure 'disabled' is defined
+ #}
+{% if ('state' in _local_site.keys()) and (not 'multisite_disabled' in _local_site.keys()) %}
+{% if _local_site.state == 'disabled' %}
+{% set _is_disabled = True %}
+{% else %}
+{% set _is_disabled = False %}
+{% endif %}
+{% set _ = _local_site.update({'multisite_disabled': _is_disabled}) %}
+{% else %}
+{% set _ = _local_site.update({'multisite_disabled': False}) %}
+{% endif %}
+{% set _ = _sites.append(_local_site) %}
+{#
+ # Configure remote distributed sites
+ #}
+{% for _site_config in checkmk_server__distributed_sites %}
+{#
+ # Set default values if undefined
+ #}
+{% for _key, _value in checkmk_server__distributed_sites_defaults.iteritems() %}
+{% if not _key in _site_config.keys() %}
+{% set _ = _site_config.update({_key: _value}) %}
+{% endif %}
+{% endfor %}
+{#
+ # Alias must be set
+ #}
+{% if not 'multisite_alias' in _site_config.keys() %}
+{% set _ = _site_config.update({'multisite_alias': 'Remote site ' + _site_config.name}) %}
+{% endif %}
+{#
+ # If version is not defined, use global definition
+ #}
+{% if not 'version' in _site_config.keys() %}
+{% set _ = _site_config.update({'version': checkmk_server__version}) %}
+{% endif %}
+{% if not 'update' in _site_config.keys() %}
+{% set _ = _site_config.update({'update': checkmk_server__site_update}) %}
+{% endif %}
+{#
+ # Auto-detect master site. Use the first site with 'connection=local'
+ #}
+{% if not 'master_site' in _site_config.keys() %}
+{% for _site in _sites %}
+{% if ('connection' in _site.keys()) and (_site.connection == 'local') %}
+{% set _ = _site_config.update({'master_site': _site.name}) %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if not 'master_delegate_to' in _site_config.keys() %}
+{% set _ = _site_config.update({'master_delegate_to': inventory_hostname}) %}
+{% endif %}
+{#
+ # If fqdn for the site is not defined, query server facts
+ #}
+{% if not 'fqdn' in _site_config %}
+{% if 'checkmk_server__fqdn' in hostvars[_site_config.delegate_to].keys() %}
+{% set _ = _site_config.update({'fqdn': hostvars[_site_config.delegate_to].checkmk_server__fqdn}) %}
+{% elif 'ansible_fqdn' in hostvars[_site_config.delegate_to].keys() %}
+{% set _ = _site_config.update({'fqdn': hostvars[_site_config.delegate_to].ansible_fqdn}) %}
+{% else %}
+{% set _ = _site_config.update({'fqdn': _site_config.delegate_to + "." + ansible_domain}) %}
+{% endif %}
+{% endif %}
+{#
+ # Set some fix installation defaults
+ #}
+{% set _ = _site_config.update({'user': _site_config.name}) %}
+{% set _ = _site_config.update({'group': _site_config.name}) %}
+{% set _ = _site_config.update({'home': checkmk_server__site_home|dirname + '/' + _site_config.name}) %}
+{#
+ # SSH keypair setup
+ #}
+{% if not 'sshkeys' in _site_config %}
+{% if 'checkmk_server__sshkeys' in hostvars[_site_config.delegate_to].keys() %}
+{% set _ = _site_config.update({'sshkeys': hostvars[_site_config.delegate_to].checkmk_server__sshkeys}) %}
+{% else %}
+{% set _ = _site_config.update({'sshkeys': checkmk_server__sshkeys}) %}
+{% endif %}
+{% endif %}
+{#
+ # Set dependent role variables
+ #}
+{% set _ = _site_config.update({'dependent_vars': {}}) %}
+{% set _user = {'name': _site_config.user} %}
+{% set _ = _user.update({'comment': 'OMD site ' + _site_config.name}) %}
+{% set _ = _user.update({'shell': '/bin/bash'}) %}
+{% set _ = _user.update({'home': _site_config.home}) %}
+{% set _ = _user.update({'groups': 'sshusers'}) %}
+{% if 'generate_keypair' in _site_config.sshkeys %}
+{% set _ = _user.update({'generate_ssh_key': _site_config.sshkeys.generate_keypair }) %}
+{% set _ = _site_config.pop('sshkeys') %}
+{% endif %}
+{% set _ = _site_config.dependent_vars.update({'users__dependent_accounts': [ _user ]}) %}
+{#
+ # Define TCP livestatus connection
+ #}
+{% if not 'livestatus_port' in _site_config %}
+{% if 'checkmk_server__livestatus_port' in hostvars[_site_config.delegate_to].keys() %}
+{% set _ = _site_config.update({'livestatus_port': hostvars[_site_config.delegate_to].checkmk_server__livestatus_port}) %}
+{% else %}
+{% set _ = _site_config.update({'livestatus_port': (checkmk_server__livestatus_port | string)}) %}
+{% endif %}
+{% endif %}
+{% if not 'livestatus_socket' in _site_config.keys() %}
+{% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.fqdn + ':' + _site_config.livestatus_port}) %}
+{% endif %}
+{% set _ = _site_config.dependent_vars.update({'etc_services__dependent_list': [{'name': 'check-mk-livestatus-' + _site_config.name, 'port': _site_config.livestatus_port, 'comment': 'Check_MK server Livestatus'}]}) %}
+{#
+ # Define livestatus firewall access
+ #}
+{% if not 'livestatus_allow' in _site_config %}
+{% if 'checkmk_server__livestatus_allow' in hostvars[_site_config.delegate_to].keys() %}
+{% set _ = _site_config.update({'livestatus_allow': hostvars[_site_config.delegate_to].checkmk_server__livestatus_allow}) %}
+{% else %}
+{% set _ = _site_config.update({'livestatus_allow': hostvars[_site_config.master_delegate_to].ansible_all_ipv4_addresses}) %}
+{% endif %}
+{% endif %}
+{% set _ = _site_config.dependent_vars.update({'ferm__dependent_rules': [{'type': 'accept', 'dport': [ _site_config.livestatus_port ], 'saddr': _site_config.livestatus_allow, 'accept_any': False, 'weight': '40', 'by_role': 'debops-contrib.checkmk_server'}]}) %}
+{#
+ # Define OMD configuration
+ #}
+{% if not 'omd_config' in _site_config.keys() %}
+{% if 'checkmk_server__omd_config' in hostvars[_site_config.delegate_to].keys() %}
+{% set _omd_config_origin = hostvars[_site_config.delegate_to].checkmk_server__omd_config %}
+{% else %}
+{% set _omd_config_origin = checkmk_server__omd_config %}
+{% endif %}
+{% set _omd_config = [] %}
+{% for _list_item in _omd_config_origin %}
+{% set _ = _omd_config.append(_list_item) %}
+{% endfor %}
+{% if _site_config.livestatus_port %}
+{% set _ = _omd_config.extend([{'var': 'LIVESTATUS_TCP', 'value': 'on'}, {'var': 'LIVESTATUS_TCP_PORT', 'value': _site_config.livestatus_port}]) %}
+{% endif %}
+{% set _ = _site_config.update({'omd_config': _omd_config}) %}
+{% endif %}
+{#
+ # Define multisite user password
+ #}
+{% if (not 'multisite_password' in _site_config.keys()) and
+ ((_site_config.multisite_replication == 'slave') or (_site_config.connection == 'local')) %}
+{% set _ = _site_config.update({'multisite_password': lookup('password', secret + '/credentials/' + (_site_config.master_delegate_to|d(inventory_hostname)) + '/checkmk_server/' + _site_config.master_site + '/' + _site_config.multisite_username + '/password')}) %}
+{% endif %}
+{#
+ # Define relative URL prefix for access via mod_proxy
+ #}
+{% if not 'multisite_url_prefix' in _site_config.keys() %}
+{% set _ = _site_config.update({'multisite_url_prefix': '/' + _site_config.name + '/'}) %}
+{% endif %}
+{#
+ # Define Multisite Web access
+ #}
+{% if not 'multisite_url' in _site_config.keys() %}
+{# TODO: properly set http/https #}
+{% set _ = _site_config.update({'multisite_url': 'https://' + _site_config.fqdn + _site_config.multisite_url_prefix + 'check_mk/'}) %}
+{% endif %}
+{#
+ # Make sure 'disabled' is defined
+ #}
+{% if ('state' in _site_config.keys()) and (not 'multisite_disabled' in _site_config.keys()) %}
+{% if _site_config.state == 'disabled' %}
+{% set _is_disabled = True %}
+{% else %}
+{% set _is_disabled = False %}
+{% endif %}
+{% set _ = _site_config.update({'multisite_disabled': _is_disabled}) %}
+{% else %}
+{% set _ = _site_config.update({'multisite_disabled': False}) %}
+{% endif %}
+{% set _ = _sites.append(_site_config) %}
+{% endfor %}
+{{ _sites | to_yaml }}
+{% endif %}
diff --git a/templates/macros/checkmk_config.j2 b/templates/macros/checkmk_config.j2
index 9d1f108..5033af9 100644
--- a/templates/macros/checkmk_config.j2
+++ b/templates/macros/checkmk_config.j2
@@ -279,7 +279,7 @@ if {{ _name }} == None:
 {% macro tmpl_format__dict_multiline(_dict) %}{{ _dict | pprint | replace(" '", " '") |
- replace("u'None'", "None") |
+ replace("'None'", "None") |
 replace("u''", "''") |
 regex_replace("([\[\{])u'", "\\1'") |
 regex_replace("(: )u'", "\\1'") |
diff --git a/vars/main.yml b/vars/main.yml
index 7b86372..ebbddad 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -7,7 +7,7 @@ checkmk_server__user: '{{ checkmk_server__site }}'
 checkmk_server__group: '{{ checkmk_server__site }}'
 # Check_MK site chroot directory
-checkmk_server__site_home: '/opt/omd/sites/{{ checkmk_server__site }}'
+checkmk_server__site_home: '/omd/sites/{{ checkmk_server__site }}'
 # User properties used for user definition in users.mk
 checkmk_server__user_properties: [ 'alias', 'automation_secret', 'connector',
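Review bot: In the "Define TCP livestatus connection" block the port read from `hostvars[_site_config.delegate_to].checkmk_server__livestatus_port` is stored as-is while the fallback is cast with `| string`, so when a host defines the port as a number the later `'tcp:' + _site_config.fqdn + ':' + _site_config.livestatus_port` concatenation fails and the `dport` list in `ferm__dependent_rules` carries an integer; apply the same cast in that branch: `{% set _ = _site_config.update({'livestatus_port': (hostvars[_site_config.delegate_to].checkmk_server__livestatus_port | string)}) %}`. Both `checkmk_server__distributed_sites_defaults.iteritems()` loops are Python 2-only; `.items()` behaves the same here and keeps the template usable on a Python 3 controller. The `lookup('password', secret + '/credentials/' + ... + _site_config.master_site + '/' + _site_config.multisite_username + '/password')` path is assembled from site and user names taken straight from inventory, and `multisite_username` is not defaulted in this template (unless `checkmk_server__distributed_sites_defaults` supplies it), so a missing key aborts with an undefined-variable error and a name containing a path separator would place the generated credential outside the intended `secret` subtree; a guard with a clear failure message, or a comment stating that OMD's site-name rules are relied on, would document that assumption. The comment `Use the first site with 'connection=local'` does not match the loop below it, which never breaks and keeps the last matching site; with exactly one local site appended this is equivalent, and the comment should say that.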
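Review bot: Replacing the `u'None'` filter with `replace("'None'", "None")` turns a unicode `u'None'` emitted by `pprint` on a Python 2 controller into `uNone`, because the `'None'` substring is rewritten before the later `regex_replace` filters run, and those only strip a `u'` that still has its quote; if any value still reaches the macro as unicode the generated `.mk` file no longer parses. Keeping the old filter in front of the new one, `replace("u'None'", "None") | replace("'None'", "None") |`, handles both spellings. The replacement is also unanchored, so any string value that is literally `None` (an alias or URL prefix, for example) is emitted as the Python `None` object; a short comment on the macro noting that `'None'` strings cannot round-trip through `tmpl_format__dict_multiline` would record that limitation. The macro starts in the hunk but its remaining filters and closing tag are outside it.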
@@ -105,7 +105,13 @@ checkmk_server__multisite_variable_map:
 # user_connections.mk
 checkmk_server__ansible_user_connections_properties: [ 'binddn', 'bindpw' ]
-# Distributed monitoring properties for local site
-checkmk_server__local_site_properties: [ 'disable_wato', 'disabled',
+# Distributed sites properties for local site in sites.mk
+checkmk_server__local_site_properties: [ 'alias', 'disable_wato', 'disabled',
 'insecure', 'multisiteurl', 'persist', 'replicate_ec', 'replication',
 'timeout', 'user_login' ]
+
+# Distributed sites properties for remote sites in sites.mk
+checkmk_server__remote_site_properties: [ 'alias', 'disable_wato', 'disabled',
+ 'insecure', 'multisiteurl', 'persist', 'replicate_ec', 'replicate_mkps',
+ 'replication', 'socket', 'status_host', 'timeout', 'url_prefix',
+ 'user_login' ]
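Review bot: The comments on `checkmk_server__local_site_properties` and the new `checkmk_server__remote_site_properties` say which site type each list applies to but not how the names are resolved; the sites.mk template earlier in this diff reads each name from a `multisite_<name>` or `livestatus_<name>` key of the site definition (and `multisite_url` for `multisiteurl`), which a maintainer adding a property needs to know. Extending the second comment to `# Distributed sites properties for remote sites in sites.mk; each name is read from the 'multisite_<name>' or 'livestatus_<name>' key of the site definition`, and the first one likewise, would make that contract visible next to the lists. Neither list contains `password`, yet the template filters it out with `difference(['password'])`; if the filter is the safety net that keeps a credential out of sites.mk, a note here that these lists must never include it makes the two files agree.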