From 3f49a5fe88d8ea6447167fc61224226852642df6 Mon Sep 17 00:00:00 2001 From: James Tombleson Date: Tue, 23 Apr 2019 12:21:00 -0700 Subject: [PATCH 01/19] -sigh- After trying to go down the path of editing the configs with inline I am going to change over to a template file and see if I can get that to work better for me. At least Elastic will now let me hit the REST. --- .../linux/elastic/config-elasticsearch.yml | 114 +++++++++++++----- playbook/linux/elastic/config-heartbeat.yml | 9 ++ playbook/linux/elastic/config-kibana.yml | 11 +- playbook/linux/elastic/config-metricbeat.yml | 36 +++--- playbook/linux/elastic/install-client.yml | 14 +-- playbook/linux/elastic/t.yml | 15 +++ playbook/templateTest.j2 | 5 + playbook/templateTest.yml | 14 +++ 8 files changed, 165 insertions(+), 53 deletions(-) create mode 100644 playbook/linux/elastic/t.yml create mode 100644 playbook/templateTest.j2 create mode 100644 playbook/templateTest.yml diff --git a/playbook/linux/elastic/config-elasticsearch.yml b/playbook/linux/elastic/config-elasticsearch.yml index 019b899..c19978c 100644 --- a/playbook/linux/elastic/config-elasticsearch.yml +++ b/playbook/linux/elastic/config-elasticsearch.yml 
@@ -1,44 +1,98 @@ # This will work on a new install. # If any changes are needed to the cluster name on an existing install add another function -- name: Config - cluster.name 'elastic-DMI01' -become: true -lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regex: '^cluster.name' - insertafter: '#cluster.name: my-application' - line: 'cluster.name: elastic-DMI01' - backup: yes +- name: Config - cluster.name 'logging-dev' + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regex: '^cluster.name' + insertafter: '#cluster.name: my-application' + line: 'cluster.name: logging-dev' + backup: yes # We define the name of the host we are working on - name: Config - node.name -become: true -lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regex: '^node.name' - insertafter: '#node.name: node-1' - line: "node.name: {{ ansible_eno1.ipv4.address }}" + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regex: '^node.name' + insertafter: '#node.name: node-1' + line: "node.name: dev-data-01" + +- name: Config - network.host + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regexp: 'network.host:' + insertafter: '#network.host:' + line: 'network.host: {{ ansible_eno1.ipv4.address }}' + +- name: Config - transport.host + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regexp: 'transort.host:' + #insertafter: 'http.port: 9200' + line: 'transport.host: localhost' + state: present + #backrefs: yes + +- name: Config - transport.tcp.port + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regexp: 'transport.tcp.port:' + #insertafter: 'transport.host: localhost' + line: 'transport.tcp.port: 9300' + state: present + backrefs: yes + +- name: Config - node.master + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regexp: 'node.master:' + insertafter: 'node.name:' + line: 'node.master: true' + state: present + backrefs: yes + +- 
name: Config - node.data + become: true + lineinfile: + path: /etc/elasticsearch/elasticsearch.yml + regexp: 'node.data:' + insertafter: 'node.master:' + line: 'node.data: true' + state: present + backrefs: yes # Allow 9200 so we can access it over the network - name: Allow port 9200 though UFW -become: true -ufw: - rule: allow - port: 9200 - #name: ElasticSearch + become: true + ufw: + rule: allow + port: 9200 + #name: ElasticSearch + +- name: Allow port 9300 though UFW + become: true + ufw: + rule: allow + port: 9300 - name: Service reload daemon -become: true -systemd: - daemon_reload: yes + become: true + systemd: + daemon_reload: yes - name: systemd - enable ElasticSearch on startup -become: true -systemd: - name: elasticsearch - enabled: yes + become: true + systemd: + name: elasticsearch + enabled: yes - name: systemd - restart ElasticSearch service -become: true -systemd: - name: elasticsearch - state: restarted + become: true + systemd: + name: elasticsearch + state: restarted diff --git a/playbook/linux/elastic/config-heartbeat.yml b/playbook/linux/elastic/config-heartbeat.yml index ad2dacd..a7ea73d 100644 --- a/playbook/linux/elastic/config-heartbeat.yml +++ b/playbook/linux/elastic/config-heartbeat.yml @@ -7,6 +7,15 @@ insertafter: '#host: "localhost:5601"' line: 'host: "dm-nagios.local:5601"' +- name: define elasticsearch host + become: true + lineinfile: + path: /etc/heartbeat/heartbeat.yml + regexp: 'hosts: \["localhost:9200"\]' + line: ' host: ["dm-nagios.local:9200"]' + state: present + backrefs: yes + - name: systemd - daemon reload become: true systemd: diff --git a/playbook/linux/elastic/config-kibana.yml b/playbook/linux/elastic/config-kibana.yml index 1152ec6..d7513d0 100644 --- a/playbook/linux/elastic/config-kibana.yml +++ b/playbook/linux/elastic/config-kibana.yml 
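Review bot: The new `node.master`, `node.data` and `transport.tcp.port` tasks combine an unanchored `regexp` with `backrefs: yes`, and lineinfile leaves the file untouched when a backrefs regexp matches nothing; as far as I recall the stock elasticsearch.yml contains none of those keys, so on a fresh install these three tasks silently set nothing. Drop `backrefs` and give each an `insertafter` (as the `network.host` task does) so the line is appended when absent, and fix the `transport.host` task, whose regexp reads `regexp: 'transort.host:'`. Separately, `network.host` is set to the interface address and the new UFW task opens 9200 to any source while nothing here enables authentication or TLS, so the REST API is reachable unauthenticated from the whole network; at minimum scope the rule, e.g. `ufw: { rule: allow, port: 9200, src: <beats-and-kibana-subnet placeholder> }`, and 9300 need not be opened at all while `transport.host: localhost`. Also `regex:` and `regexp:` are mixed across tasks in this file; `regexp` is the documented parameter name.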
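Review bot: The replacement line in the new `define elasticsearch host` task writes the key `host`, but the line it replaces (`hosts: ["localhost:9200"]`) is the Beats `output.elasticsearch.hosts` setting, so after this runs heartbeat has an unknown `host` key and no `hosts` entry under its output. Change it to `line: '  hosts: ["dm-nagios.local:9200"]'` (two leading spaces to match the stock file's indentation under `output.elasticsearch:`, though one space is still valid YAML). The enclosing task list continues outside the hunk.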
@@ -17,13 +17,22 @@ insertafter: '#server.host' line: 'server.host: {{ ansible_eno1.ipv4.address }}' +- name: Config - server.name + become: true + lineinfile: + path: /etc/kibana/kibana.yml + regexp: 'server.name:' + insertafter: '#server.name: "your-hostname"' + line: 'server.name: {{ ansible_hostname }}' + - name: Config - elasticsearch.hosts become: true lineinfile: path: /etc/kibana/kibana.yml regex: '^elasticsearch.hosts' insertafter: '#elasticsearch.hosts:' - line: 'elasticsearch.hosts: ["http://localhost:9200"]' + #line: 'elasticsearch.hosts: ["http://{{ ansible_eno1.ipv4.address }}:9200"]' + line: 'elasticsearch.hosts: ["https://localhost:9200"]' - name: Allow port 5601 become: true diff --git a/playbook/linux/elastic/config-metricbeat.yml b/playbook/linux/elastic/config-metricbeat.yml index 90fed44..e9b6386 100644 --- a/playbook/linux/elastic/config-metricbeat.yml +++ b/playbook/linux/elastic/config-metricbeat.yml 
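Review bot: The `elasticsearch.hosts` line changes from `http://localhost:9200` to `https://localhost:9200`, but nothing in this commit configures TLS on Elasticsearch's HTTP layer (the elasticsearch tasks touch only cluster, node, network and transport keys), so Kibana will try to speak HTTPS to a plain-HTTP port and fail to connect. Either keep `line: 'elasticsearch.hosts: ["http://localhost:9200"]'` until `xpack.security.http.ssl.*` is actually set up on the server, or land the server-side TLS settings and Kibana's `elasticsearch.ssl.certificateAuthorities` together with this change. The commented-out alternative `line:` above it should be removed rather than kept as a second, inactive value.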
@@ -5,27 +5,33 @@ become: true lineinfile: path: /etc/metricbeat/metricbeat.yml - regex: '^host: "dm-nagios.local:5601"' - insertafter: '#host: "localhost:5601"' - line: 'host: "dm-nagios.local:5601"' - -#- name: config where to send information - - #- name: Remove builtin elasticsearch host config - # become: true - # replace: - #dest: /etc/metricbeat/metricbeat.yml - #regexp: '^hosts: ["localhost:9200"]' - #replace: '#hosts: ["localhost:9200"]' + regexp: 'host: "localhost:5601"' + #insertafter: '#host: "localhost:5601"' + line: ' host: "192.168.0.173:5601"' + state: present + backrefs: yes - name: define elasticsearch host become: true lineinfile: path: /etc/metricbeat/metricbeat.yml - regex: '^hosts: ["localhost:9200"]' - insertafter: 'hosts: ["localhost:9200"]' - line: 'hosts: ["dm-nagios.local:9200"]' + regexp: 'hosts: \["localhost:9200"\]' + #insertafter: '#hosts: ["localhost:9200"]' + line: ' hosts: ["192.168.0.173:9200"]' + state: present + backrefs: yes +- name: enable system module + become: true + shell: metricbeat modules enable system + +- name: run metricbeat setup + become: true + shell: metricbeat setup + +- name: start metricbeat service + become: true + shell: metricbeat service metricbeat start - name: systemd - daemon reload become: true diff --git a/playbook/linux/elastic/install-client.yml b/playbook/linux/elastic/install-client.yml index 9573703..0072b57 100644 --- a/playbook/linux/elastic/install-client.yml +++ b/playbook/linux/elastic/install-client.yml 
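Review bot: The three new `shell` tasks run with no `changed_when`/`creates`, so `metricbeat modules enable system` and `metricbeat setup` re-run and report changed on every play, and `metricbeat service metricbeat start` does not look like a valid metricbeat subcommand (the service is already handled by the `systemd` tasks that follow, outside this hunk). Use `command:` rather than `shell:` since no shell features are used, register the output and set `changed_when` from it for the enable/setup steps, and drop the start task. The two endpoints also change from `dm-nagios.local` to the literal `192.168.0.173` here while config-heartbeat.yml still uses the hostname; a single play-level variable would keep both beats pointed at the same place.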
@@ -2,19 +2,19 @@ # This will install all the client parts needed for elastic to monitor client computers - name: Install elastic client programs - hosts: linux + hosts: elasticClients tasks: - name: Install elastic repo include: install-repo.yml - - name: Install elastic heartbeat - become: true - apt: - name: heartbeat-elastic + #- name: Install elastic heartbeat + #become: true + #apt: + #name: heartbeat-elastic - - name: Configure elastic heartbeazt - include: config-heartbeat.yml + #- name: Configure elastic heartbeat + #include: config-heartbeat.yml - name: Install elastic metricbeat become: true diff --git a/playbook/linux/elastic/t.yml b/playbook/linux/elastic/t.yml new file mode 100644 index 0000000..c85096b --- /dev/null +++ b/playbook/linux/elastic/t.yml @@ -0,0 +1,15 @@ +--- +- name: update metricbeat + hosts: linux + + tasks: + + - name: define elasticsearch hosts + become: true + lineinfile: + path: /etc/metricbeat/metricbeat.yml + regexp: 'hosts: \["localhost:9200"\]' + #insertafter: 'hosts: \["localhost:9200"\]' + line: ' hosts: ["dm-nagios.local:9200"]' + state: present + backrefs: yes diff --git a/playbook/templateTest.j2 b/playbook/templateTest.j2 new file mode 100644 index 0000000..1cba573 --- /dev/null +++ b/playbook/templateTest.j2 @@ -0,0 +1,5 @@ + + +{{ var01 }} + +{{ var02 }} diff --git a/playbook/templateTest.yml b/playbook/templateTest.yml new file mode 100644 index 0000000..cf0b1c8 --- /dev/null +++ b/playbook/templateTest.yml @@ -0,0 +1,14 @@ + + +- name: TemplateTest + hosts: elasticClients + vars: + var01: 'Hello world' + var02: "Why did I start at 1?" + + + tasks: + - name: ansible template + template: + src: templateTest.j2 + dest: /tmp/templatetest.txt From b26a4334bd036c14afb03a490a54c6e48276872a Mon Sep 17 00:00:00 2001 
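Review bot: The new `t.yml` is a scratch playbook whose single task duplicates the `define elasticsearch host` task in config-metricbeat.yml but with a different endpoint (`dm-nagios.local:9200` here, `192.168.0.173:9200` there), so two playbooks now rewrite the same line of `/etc/metricbeat/metricbeat.yml` with conflicting values depending on which one ran last. If it is meant to stay, give it a descriptive name and take the host from the same variable the main playbook uses; otherwise it is better left out of the commit along with the `templateTest.*` experiments.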
From: James Tombleson Date: Tue, 23 Apr 2019 16:13:44 -0700 Subject: [PATCH 02/19] moving elastic config to a template --- playbook/linux/elastic/elasticsearch.j2 | 94 +++++++++++++++++++++++ playbook/linux/elastic/install-server.yml | 11 +++ playbook/linux/elastic/template-test.yml | 21 +++++ playbook/templateTest.j2 | 5 -- playbook/templateTest.yml | 14 ---- 5 files changed, 126 insertions(+), 19 deletions(-) create mode 100755 playbook/linux/elastic/elasticsearch.j2 create mode 100644 playbook/linux/elastic/template-test.yml delete mode 100644 playbook/templateTest.j2 delete mode 100644 playbook/templateTest.yml diff --git a/playbook/linux/elastic/elasticsearch.j2 b/playbook/linux/elastic/elasticsearch.j2 new file mode 100755 index 0000000..16fcf9a --- /dev/null +++ b/playbook/linux/elastic/elasticsearch.j2 
@@ -0,0 +1,94 @@ +# ======================== Elasticsearch Configuration ========================= +# +# NOTE: Elasticsearch comes with reasonable defaults for most settings. +# Before you set out to tweak and tune the configuration, make sure you +# understand what are you trying to accomplish and the consequences. +# +# The primary way of configuring a node is via this file. This template lists +# the most important settings you may want to configure for a production cluster. +# +# Please consult the documentation for further information on configuration options: +# https://www.elastic.co/guide/en/elasticsearch/reference/index.html +# +# ---------------------------------- Cluster ----------------------------------- +# +# Use a descriptive name for your cluster: +# +#cluster.name: my-application +cluster.name: {{ cluster_name }} +# +# ------------------------------------ Node ------------------------------------ +# +# Use a descriptive name for the node: +# +#node.name: node-1 +node.name: {{ node_name }} +node.master: {{ node_master }} +node.data: {{ node_data }} +# +# Add custom attributes to the node: +# +#node.attr.rack: r1 +# +# ----------------------------------- Paths ------------------------------------ +# +# Path to directory where to store the data (separate multiple locations by comma): +# +path.data: {{ path_data }} +# +# Path to log files: +# +path.logs: {{ path_logs }} +# +# ----------------------------------- Memory ----------------------------------- +# +# Lock the memory on startup: +# +#bootstrap.memory_lock: true +# +# Make sure that the heap size is set to about half the memory available +# on the system and that the owner of the process is allowed to use this +# limit. +# +# Elasticsearch performs poorly when the system is swapping the memory. 
+# +# ---------------------------------- Network ----------------------------------- +# +# Set the bind address to a specific IP (IPv4 or IPv6): +# +network.host: {{ network_host }} +# +# Set a custom port for HTTP: +# +http.port: {{ http_port }} +transport.host: {{ transport_host }} +transport.port: {{ transport_port }} +# +# For more information, consult the network module documentation.# +# +# --------------------------------- Discovery ---------------------------------- +# +# Pass an initial list of hosts to perform discovery when this node is started: +# The default list of hosts is ["127.0.0.1", "[::1]"] +# +#discovery.seed_hosts: ["host1", "host2"] +# +# Bootstrap the cluster using an initial set of master-eligible nodes: +# +#cluster.initial_master_nodes: ["node-1", "node-2"] +# +# For more information, consult the discovery and cluster formation module documentation. +# +# ---------------------------------- Gateway ----------------------------------- +# +# Block initial recovery after a full cluster restart until N nodes are started: +# +#gateway.recover_after_nodes: 3 +# +# For more information, consult the gateway module documentation. +# +# ---------------------------------- Various ----------------------------------- +# +# Require explicit names when deleting indices: +# +#action.destructive_requires_name: true diff --git a/playbook/linux/elastic/install-server.yml b/playbook/linux/elastic/install-server.yml index bc6854a..e4451d5 100644 --- a/playbook/linux/elastic/install-server.yml +++ b/playbook/linux/elastic/install-server.yml @@ -5,6 +5,17 @@ - name: Install Elastic server programs hosts: elastic + vars: + cluster_name: 'logging-dev' + node_name: 'dev-data-01' + node_master: 'true' + node_data: 'true' + path_data: '/var/lib/elasticsearch' + path_logs: '/var/log/elasticsearch' + network_host: {{ ansible_default_ipv4.address }} + http_port: '9200' + transport_host: 'localhost' + transport_port: '9300' tasks: - name: Install Requrements 
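Review bot: The template binds `network.host: {{ network_host }}` to a non-loopback address (the play that renders it passes the host's IPv4) while both `discovery.seed_hosts` and `cluster.initial_master_nodes` stay commented out and no `xpack.security.*` option is set; as far as I know Elasticsearch 7 treats a non-loopback bind as production mode and refuses to start until one of those discovery settings is configured, and once it does start the HTTP API is unauthenticated to anything that can reach the host. For this single-node setup add `discovery.type: single-node` (or `cluster.initial_master_nodes: ["{{ node_name }}"]`), and plan authentication/TLS on `http.port` before that port is opened in the firewall. A short comment at the top of the template listing the variables it expects (`cluster_name`, `node_name`, `node_master`, `node_data`, `path_data`, `path_logs`, `network_host`, `http_port`, `transport_host`, `transport_port`) would make the contract with the play explicit.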
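Review bot: `network_host: {{ ansible_default_ipv4.address }}` in the new vars block is an unquoted value that starts with `{{`, which YAML parses as a flow mapping before Jinja ever sees it, so the play fails to load; write `network_host: "{{ ansible_default_ipv4.address }}"`. The remaining vars are quoted strings and are fine. The play continues outside the hunk.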
diff --git a/playbook/linux/elastic/template-test.yml b/playbook/linux/elastic/template-test.yml new file mode 100644 index 0000000..848db7c --- /dev/null +++ b/playbook/linux/elastic/template-test.yml @@ -0,0 +1,21 @@ + + +- name: template test + hosts: elasticClients + vars: + cluster_name: 'logging-dev' + node_name: 'dev-data-01' + node_master: 'true' + node_data: 'true' + path_data: '/var/lib/elasticsearch' + path_logs: '/var/log/elasticsearch' + network_host: ansible_default_ipv4.address + http_port: '9200' + transport_host: 'localhost' + transport_port: '9300' + + tasks: + - name: generate template + template: + src: elasticsearch.j2 + dest: /tmp/elasticsearch.yml diff --git a/playbook/templateTest.j2 b/playbook/templateTest.j2 deleted file mode 100644 index 1cba573..0000000 --- a/playbook/templateTest.j2 +++ /dev/null @@ -1,5 +0,0 @@ - - -{{ var01 }} - -{{ var02 }} diff --git a/playbook/templateTest.yml b/playbook/templateTest.yml deleted file mode 100644 index cf0b1c8..0000000 --- a/playbook/templateTest.yml +++ /dev/null @@ -1,14 +0,0 @@ - - -- name: TemplateTest - hosts: elasticClients - vars: - var01: 'Hello world' - var02: "Why did I start at 1?" - - - tasks: - - name: ansible template - template: - src: templateTest.j2 - dest: /tmp/templatetest.txt From 0b961246961fc38c9675b782e99f2a1b859b531b Mon Sep 17 00:00:00 2001 
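Review bot: `network_host: ansible_default_ipv4.address` in the new template-test.yml is a plain string, not a fact lookup, so the rendered `/tmp/elasticsearch.yml` will contain the literal text `network.host: ansible_default_ipv4.address`; use `network_host: "{{ ansible_default_ipv4.address }}"`. The play also targets `elasticClients` to exercise a server template, which is harmless for a `/tmp` render but worth a comment so nobody later points `dest:` at the real config path on those hosts.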
From: James Tombleson Date: Wed, 24 Apr 2019 14:40:05 -0700 Subject: [PATCH 03/19] Elastic configs for windows hosts is in progress I am able to deploy metricbeat now to the windows hosts. Looking at heartbeat again though. --- .../linux/elastic/config-elasticsearch.yml | 66 ------- playbook/linux/elastic/config-heartbeat.yml | 16 -- playbook/linux/elastic/config-kibana.yml | 37 +--- playbook/linux/elastic/config-metricbeat.yml | 31 +--- .../linux/elastic/config-win-heartbeat.yml | 56 ++++++ .../linux/elastic/config-win-metricbeat.yml | 39 ++++ playbook/linux/elastic/elasticsearch.j2 | 20 +-- playbook/linux/elastic/heartbeat.j2 | 168 ++++++++++++++++++ playbook/linux/elastic/install-client.yml | 27 ++- playbook/linux/elastic/install-server.yml | 39 ++-- playbook/linux/elastic/install-win-client.yml | 25 +++ playbook/linux/elastic/kibana.j2 | 120 +++++++++++++ playbook/linux/elastic/metricbeat.j2 | 155 ++++++++++++++++ playbook/windows/install-elastic-client.yml | 44 +++++ 14 files changed, 671 insertions(+), 172 deletions(-) create mode 100644 playbook/linux/elastic/config-win-heartbeat.yml create mode 100644 playbook/linux/elastic/config-win-metricbeat.yml create mode 100755 playbook/linux/elastic/heartbeat.j2 create mode 100644 playbook/linux/elastic/install-win-client.yml create mode 100644 playbook/linux/elastic/kibana.j2 create mode 100755 playbook/linux/elastic/metricbeat.j2 create mode 100644 playbook/windows/install-elastic-client.yml diff --git a/playbook/linux/elastic/config-elasticsearch.yml b/playbook/linux/elastic/config-elasticsearch.yml index c19978c..2971f8c 100644 --- a/playbook/linux/elastic/config-elasticsearch.yml +++ b/playbook/linux/elastic/config-elasticsearch.yml 
@@ -1,70 +1,4 @@ # This will work on a new install. -# If any changes are needed to the cluster name on an existing install add another function -- name: Config - cluster.name 'logging-dev' - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regex: '^cluster.name' - insertafter: '#cluster.name: my-application' - line: 'cluster.name: logging-dev' - backup: yes - -# We define the name of the host we are working on -- name: Config - node.name - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regex: '^node.name' - insertafter: '#node.name: node-1' - line: "node.name: dev-data-01" - -- name: Config - network.host - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regexp: 'network.host:' - insertafter: '#network.host:' - line: 'network.host: {{ ansible_eno1.ipv4.address }}' - -- name: Config - transport.host - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regexp: 'transort.host:' - #insertafter: 'http.port: 9200' - line: 'transport.host: localhost' - state: present - #backrefs: yes - -- name: Config - transport.tcp.port - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regexp: 'transport.tcp.port:' - #insertafter: 'transport.host: localhost' - line: 'transport.tcp.port: 9300' - state: present - backrefs: yes - -- name: Config - node.master - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regexp: 'node.master:' - insertafter: 'node.name:' - line: 'node.master: true' - state: present - backrefs: yes - -- name: Config - node.data - become: true - lineinfile: - path: /etc/elasticsearch/elasticsearch.yml - regexp: 'node.data:' - insertafter: 'node.master:' - line: 'node.data: true' - state: present - backrefs: yes # Allow 9200 so we can access it over the network - name: Allow port 9200 though UFW 
diff --git a/playbook/linux/elastic/config-heartbeat.yml b/playbook/linux/elastic/config-heartbeat.yml index a7ea73d..c1810dd 100644 --- a/playbook/linux/elastic/config-heartbeat.yml +++ b/playbook/linux/elastic/config-heartbeat.yml @@ -1,20 +1,4 @@ --- -- name: define kibana host - become: true - lineinfile: - path: /etc/heartbeat/heartbeat.yml - regex: '^host: "dm-nagios.local:5601"' - insertafter: '#host: "localhost:5601"' - line: 'host: "dm-nagios.local:5601"' - -- name: define elasticsearch host - become: true - lineinfile: - path: /etc/heartbeat/heartbeat.yml - regexp: 'hosts: \["localhost:9200"\]' - line: ' host: ["dm-nagios.local:9200"]' - state: present - backrefs: yes - name: systemd - daemon reload become: true diff --git a/playbook/linux/elastic/config-kibana.yml b/playbook/linux/elastic/config-kibana.yml index d7513d0..e507c78 100644 --- a/playbook/linux/elastic/config-kibana.yml +++ b/playbook/linux/elastic/config-kibana.yml @@ -1,40 +1,5 @@ - -- name: Config - Server.Port 5601 - become: true - lineinfile: - path: /etc/kibana/kibana.yml - regex: '^server.port' - insertafter: '#server.port: 5601' - line: 'server.port: 5601' - backup: yes - -- name: Config - Server.host - become: true - lineinfile: - path: /etc/kibana/kibana.yml - regex: '^server.host' - insertafter: '#server.host' - line: 'server.host: {{ ansible_eno1.ipv4.address }}' - -- name: Config - server.name - become: true - lineinfile: - path: /etc/kibana/kibana.yml - regexp: 'server.name:' - insertafter: '#server.name: "your-hostname"' - line: 'server.name: {{ ansible_hostname }}' - -- name: Config - elasticsearch.hosts - become: true - lineinfile: - path: /etc/kibana/kibana.yml - regex: '^elasticsearch.hosts' - insertafter: '#elasticsearch.hosts:' - #line: 'elasticsearch.hosts: ["http://{{ ansible_eno1.ipv4.address }}:9200"]' - line: 'elasticsearch.hosts: ["https://localhost:9200"]' - -- name: Allow port 5601 +- name: Allow 5601 though UFW become: true ufw: rule: allow 
diff --git a/playbook/linux/elastic/config-metricbeat.yml b/playbook/linux/elastic/config-metricbeat.yml index e9b6386..1726d2c 100644 --- a/playbook/linux/elastic/config-metricbeat.yml +++ b/playbook/linux/elastic/config-metricbeat.yml @@ -1,37 +1,12 @@ # - name: enable modules - -- name: define kibana host - become: true - lineinfile: - path: /etc/metricbeat/metricbeat.yml - regexp: 'host: "localhost:5601"' - #insertafter: '#host: "localhost:5601"' - line: ' host: "192.168.0.173:5601"' - state: present - backrefs: yes - -- name: define elasticsearch host - become: true - lineinfile: - path: /etc/metricbeat/metricbeat.yml - regexp: 'hosts: \["localhost:9200"\]' - #insertafter: '#hosts: ["localhost:9200"]' - line: ' hosts: ["192.168.0.173:9200"]' - state: present - backrefs: yes - - name: enable system module become: true shell: metricbeat modules enable system -- name: run metricbeat setup - become: true - shell: metricbeat setup - -- name: start metricbeat service - become: true - shell: metricbeat service metricbeat start + #- name: start metricbeat service + # become: true + #shell: metricbeat service metricbeat start - name: systemd - daemon reload become: true diff --git a/playbook/linux/elastic/config-win-heartbeat.yml b/playbook/linux/elastic/config-win-heartbeat.yml new file mode 100644 index 0000000..051614b --- /dev/null +++ b/playbook/linux/elastic/config-win-heartbeat.yml 
@@ -0,0 +1,56 @@ +--- +# This will install all the client parts needed for elastic to monitor client computers + +- name: Install elastic client programs + hosts: windows + vars: + elastic_version: '7.0.0' + url_heartbeat: 'https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-{{elastic_version}}-windows-x86_64.zip' + temp: 'c:\temp\' + program_files: 'c:\program files\' + kibana_host: '192.168.0.173:5601' + elasticsearch_hosts: '["192.168.0.173:9200"]' + + + tasks: + - name: make temp folder + win_file: + path: c:\temp\ + state: directory + + - name: download heartbeat + win_get_url: + url: '{{ url_heartbeat }}' + dest: 'C:\temp\heartbeat-{{ elastic_version }}.zip' + force: no + + - name: unzip heartbeat + win_unzip: + src: c:\temp\heartbeat-{{ elastic_version }}.zip + dest: C:\temp\heartbeat-{{ elastic_version }}\ + creates: C:\temp\heartbeat-{{ elastic_version }}\ + + - name: Copy heartbeat-{{ elastic_version }} folder + win_command: powershell.exe copy-item -Path 'c:\temp\heartbeat-{{ elastic_version }}\heartbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Heartbeat\' + args: + creates: C:\Program Files\Heartbeat\ + + - name: Update template + win_template: + src: heartbeat.j2 + dest: C:\Program Files\Heartbeat\heartbeat.yml + + - name: Install Heartbeat service + win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-heartbeat.ps1 + args: + chdir: C:\program files\heartbeat\ + + - name: stop heartbeat service + win_service: + name: heartbeat + state: stopped + + - name: start heartbeat service + win_service: + name: heartbeat + state: started diff --git a/playbook/linux/elastic/config-win-metricbeat.yml b/playbook/linux/elastic/config-win-metricbeat.yml new file mode 100644 index 0000000..68c6254 --- /dev/null +++ b/playbook/linux/elastic/config-win-metricbeat.yml 
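Review bot: The `download heartbeat` task fetches the beat archive with `win_get_url` and no `checksum`, so what gets unpacked into `C:\Program Files\Heartbeat\` and registered as a service is never integrity-checked; Elastic publishes a `.sha512` beside each artifact, and if the installed Ansible version supports it, `checksum: sha512:<value-or-url placeholder>` on this task (and on the matching download in config-win-metricbeat.yml) closes that gap. The `temp` and `program_files` vars are declared but every path below is hard-coded, and this file is a full play with `hosts: windows` whereas config-win-metricbeat.yml is a bare task list included from install-win-client.yml, so the two Windows beats are wired differently. The `stop heartbeat service`/`start heartbeat service` pair can be one `win_service` task with `state: restarted`.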
@@ -0,0 +1,39 @@ +--- +# This will install all the client parts needed for elastic to monitor client computers + +- name: download metricbeat + win_get_url: + url: '{{ url_metricbeat }}' + dest: 'C:\temp\metricbeat-{{ elastic_version }}.zip' + force: no + +- name: unzip heartbeat + win_unzip: + src: c:\temp\metricbeat-{{ elastic_version }}.zip + dest: C:\temp\metricbeat-{{ elastic_version }}\ + creates: C:\temp\metricbeat-{{ elastic_version }}\ + +- name: Copy metricbeat-{{ elastic_version }} folder + win_command: powershell.exe copy-item -Path 'c:\temp\metricbeat-{{ elastic_version }}\metricbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Metricbeat\' + args: + creates: C:\Program Files\Metricbeat\ + +- name: Update template + win_template: + src: metricbeat.j2 + dest: C:\Program Files\Metricbeat\metricbeat.yml + +- name: Install Metricbeat service + win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-metricbeat.ps1 + args: + chdir: C:\program files\metricbeat\ + +- name: stop service + win_service: + name: metricbeat + state: stopped + +- name: start service + win_service: + name: metricbeat + state: started diff --git a/playbook/linux/elastic/elasticsearch.j2 b/playbook/linux/elastic/elasticsearch.j2 index 16fcf9a..e9f0b64 100755 --- a/playbook/linux/elastic/elasticsearch.j2 +++ b/playbook/linux/elastic/elasticsearch.j2 @@ -15,16 +15,16 @@ # Use a descriptive name for your cluster: # #cluster.name: my-application -cluster.name: {{ cluster_name }} +cluster.name: {{ es_cluster_name }} # # ------------------------------------ Node ------------------------------------ # # Use a descriptive name for the node: # #node.name: node-1 -node.name: {{ node_name }} -node.master: {{ node_master }} -node.data: {{ node_data }} +node.name: {{ es_node_name }} +node.master: {{ es_node_master }} +node.data: {{ es_node_data }} # # Add custom attributes to the node: # 
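Review bot: The second task is named `unzip heartbeat` but unpacks the metricbeat archive; rename it `- name: unzip metricbeat` so play output is not misleading. This task list depends on `url_metricbeat` and `elastic_version` being defined by whichever play includes it; a comment at the top naming the required variables would make that dependency visible. As with heartbeat, the `stop service`/`start service` pair can be a single `win_service` with `state: restarted`.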
@@ -34,11 +34,11 @@ node.data: {{ node_data }} # # Path to directory where to store the data (separate multiple locations by comma): # -path.data: {{ path_data }} +path.data: {{ es_path_data }} # # Path to log files: # -path.logs: {{ path_logs }} +path.logs: {{ es_path_logs }} # # ----------------------------------- Memory ----------------------------------- # @@ -56,13 +56,13 @@ path.logs: {{ path_logs }} # # Set the bind address to a specific IP (IPv4 or IPv6): # -network.host: {{ network_host }} +network.host: {{ ansible_default_ipv4.address }} # # Set a custom port for HTTP: # -http.port: {{ http_port }} -transport.host: {{ transport_host }} -transport.port: {{ transport_port }} +http.port: {{ es_http_port }} +transport.host: {{ es_transport_host }} +transport.tcp.port: {{ es_transport_port }} # # For more information, consult the network module documentation.# # diff --git a/playbook/linux/elastic/heartbeat.j2 b/playbook/linux/elastic/heartbeat.j2 new file mode 100755 index 0000000..22fdf7c --- /dev/null +++ b/playbook/linux/elastic/heartbeat.j2 
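Review bot: The third hunk renames `transport.port` back to `transport.tcp.port`; as far as I know Elasticsearch 7.0 renamed that setting to `transport.port` and keeps the old name only as a deprecated alias, so this will log a deprecation warning and break on a later major. Keep `transport.port: {{ es_transport_port }}`. The same hunk hard-wires `network.host: {{ ansible_default_ipv4.address }}` into the template, which makes every play that renders it depend on fact gathering being enabled; a one-line comment above it saying so would help the next reader.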
@@ -0,0 +1,168 @@ +################### Heartbeat Configuration Example ######################### + +# This file is an example configuration file highlighting only some common options. +# The heartbeat.reference.yml file in the same directory contains all the supported options +# with detailed comments. You can use it for reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/heartbeat/index.html + +############################# Heartbeat ###################################### + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + +# Configure monitors inline +heartbeat.monitors: +- type: http + + # List or urls to query + urls: ["http://localhost:9200"] + + # Configure task schedule + schedule: '@every 10s' + + # Total test connection and data exchange timeout + #timeout: 16s + +#==================== Elasticsearch template setting ========================== + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + +#================================ General ===================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. 
+#fields: +# env: staging + + +#============================== Dashboards ===================================== +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. + +setup.dashboards.enabled: true + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +#============================== Kibana ===================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + + host: {{ kibana_host }} + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +#============================= Elastic Cloud ================================== + +# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. 
+#cloud.auth: + +#================================ Outputs ===================================== + +# Configure what output to use when sending the data collected by the beat. + +#-------------------------- Elasticsearch output ------------------------------ +output.elasticsearch: + # Array of hosts to connect to. + hosts: {{ elasticsearch_hosts }} + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + +#----------------------------- Logstash output -------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +#================================ Processors ===================================== + +# Configure processors to enhance or manipulate events generated by the beat. + +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ + +#================================ Logging ===================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +#============================== Xpack Monitoring =============================== +# heartbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. 
+#xpack.monitoring.enabled: false + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line. +#xpack.monitoring.elasticsearch: + +#================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true diff --git a/playbook/linux/elastic/install-client.yml b/playbook/linux/elastic/install-client.yml index 0072b57..67a923f 100644 --- a/playbook/linux/elastic/install-client.yml +++ b/playbook/linux/elastic/install-client.yml @@ -3,23 +3,38 @@ - name: Install elastic client programs hosts: elasticClients + vars: + kibana_host: '192.168.0.173:5601' + elasticsearch_hosts: '["192.168.0.173:9200"]' tasks: - name: Install elastic repo include: install-repo.yml - #- name: Install elastic heartbeat - #become: true - #apt: - #name: heartbeat-elastic + - name: Install elastic heartbeat + become: true + apt: + name: heartbeat-elastic + + - name: Update Heatbeat config + become: true + template: + src: heartbeat.j2 + dest: /etc/heartbeat/heartbeat.yml - #- name: Configure elastic heartbeat - #include: config-heartbeat.yml + - name: Configure elastic heartbeat + include: config-heartbeat.yml - name: Install elastic metricbeat become: true apt: name: metricbeat + - name: Update Metricbeat config + become: true + template: + src: metricbeat.j2 + dest: /etc/metricbeat/metricbeat.yml + - name: Configure elastic metricbeat include: config-metricbeat.yml diff --git a/playbook/linux/elastic/install-server.yml b/playbook/linux/elastic/install-server.yml index e4451d5..d5204aa 100644 --- a/playbook/linux/elastic/install-server.yml +++ b/playbook/linux/elastic/install-server.yml 
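Review bot: The inline monitor under `heartbeat.monitors` probes `urls: ["http://localhost:9200"]`, but this template is rendered on the client hosts (install-client.yml and config-win-heartbeat.yml), where nothing listens on 9200, so every client will report that monitor down; point it at the server instead, e.g. `urls: ["http://{{ elasticsearch_hosts | from_yaml | first }}"]` or a dedicated `heartbeat_monitor_urls` variable. `output.elasticsearch` ships to `{{ elasticsearch_hosts }}` with the `protocol`/`username`/`password` lines left commented, i.e. plain HTTP with no credentials, which only holds up while the server side is unauthenticated; when credentials are added they should come from a vaulted variable or the beat keystore rather than being pasted into the template. `setup.dashboards.enabled: true` also makes every beat push the sample dashboards into Kibana on each start; running `setup` once from one host is the usual pattern.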
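Review bot: The new vars block hard-codes `kibana_host: '192.168.0.173:5601'` and `elasticsearch_hosts: '["192.168.0.173:9200"]'`, the same literal address that appears in install-win-client.yml, config-win-heartbeat.yml and (as `k_elasticsearch_hosts`) in install-server.yml; one inventory-level variable (group_vars) would keep every client pointed at the same server and make a move a one-line change. The task name `Update Heatbeat config` has a typo (`Heartbeat`). The `template:` tasks carry no `notify`, which works only because the included config-*.yml files restart the services unconditionally; a handler would restart only when the rendered file actually changed.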
@@ -6,16 +6,17 @@
 - name: Install Elastic server programs
 hosts: elastic
 vars:
- cluster_name: 'logging-dev'
- node_name: 'dev-data-01'
- node_master: 'true'
- node_data: 'true'
- path_data: '/var/lib/elasticsearch'
- path_logs: '/var/log/elasticsearch'
- network_host: {{ ansible_default_ipv4.address }}
- http_port: '9200'
- transport_host: 'localhost'
- transport_port: '9300'
+ es_cluster_name: 'logging-dev'
+ es_node_name: 'dev-data-01'
+ es_node_master: 'true'
+ es_node_data: 'true'
+ es_path_data: '/var/lib/elasticsearch'
+ es_path_logs: '/var/log/elasticsearch'
+ es_http_port: '9200'
+ es_transport_host: 'localhost'
+ es_transport_port: '9300'
+ k_server_port: 5601
+ k_elasticsearch_hosts: 'http://192.168.0.173:9200'
 tasks:
 - name: Install Requrements
@@ -26,6 +27,12 @@
 apt:
 name: elasticsearch
+ - name: Update ElasticSearch config
+ become: true
+ template:
+ src: elasticsearch.j2
+ dest: /etc/elasticsearch/elasticsearch.yml
+
 - name: Configure ElasticSearch
 include: config-elasticsearch.yml
@@ -34,5 +41,17 @@
 apt:
 name: kibana
+ - name: Configure Kibana
+ become: true
+ template:
+ src: kibana.j2
+ dest: /etc/kibana/kibana.yml
+
 - name: Configure Kibana
 include: config-kibana.yml
+
+ #- name: Install Logstash
+ #become: true
+ #apt:
+ #name: logstash
+
diff --git a/playbook/linux/elastic/install-win-client.yml b/playbook/linux/elastic/install-win-client.yml
new file mode 100644
index 0000000..8be6258
--- /dev/null
+++ b/playbook/linux/elastic/install-win-client.yml
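Review bot: `Update ElasticSearch config` renders `elasticsearch.j2` over `/etc/elasticsearch/elasticsearch.yml`, and the very next task still runs `include: config-elasticsearch.yml`, which by its name and earlier history edits the same file line by line; two writers for one file means each run can flip settings back and forth, so keep one mechanism — the template, since the vars were just renamed to `es_*` for it — and drop the include. The same applies to the Kibana pair in the third hunk, where both tasks are even named `Configure Kibana`. Neither template task notifies a handler, so a changed elasticsearch.yml or kibana.yml is not picked up by the running service; add `notify: restart elasticsearch` / `notify: restart kibana` with the corresponding handlers. In the vars block `es_node_master: 'true'`, `es_node_data: 'true'` and the ports are quoted strings while `k_server_port: 5601` is a bare integer, and `k_elasticsearch_hosts` hard-codes `192.168.0.173`; the mix is worth making consistent, and the address belongs in group_vars rather than in the play.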
@@ -0,0 +1,25 @@
+---
+# This will install all the client parts needed for elastic to monitor client computers
+
+- name: Install elastic client programs
+ hosts: windows
+ vars:
+ elastic_version: '7.0.0'
+ url_heartbeat: 'https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-{{elastic_version}}-windows-x86_64.zip'
+ url_metricbeat: 'https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.0.0-windows-x86_64.zip'
+ temp: 'c:\temp\'
+ program_files: 'c:\program files\'
+ kibana_host: '192.168.0.173:5601'
+ elasticsearch_hosts: '["192.168.0.173:9200"]'
+
+
+ tasks:
+ - name: make temp folder
+ win_file:
+ path: c:\temp\
+ state: directory
+
+ - name: Install Metricbeat
+ include: config-win-metricbeat.yml
+
+
diff --git a/playbook/linux/elastic/kibana.j2 b/playbook/linux/elastic/kibana.j2
new file mode 100644
index 0000000..234a051
--- /dev/null
+++ b/playbook/linux/elastic/kibana.j2
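Review bot: `url_metricbeat` hard-codes `7.0.0` while `url_heartbeat` is built from `{{elastic_version}}`, so bumping `elastic_version` will silently leave metricbeat on the old release; use `metricbeat-{{ elastic_version }}-windows-x86_64.zip`. The `temp` and `program_files` vars are defined but `make temp folder` writes the literal `path: c:\temp\` instead of `{{ temp }}`, so the variable is dead and the two can drift. `kibana_host` and `elasticsearch_hosts` duplicate the addresses already in `install-client.yml`; a shared group_vars file would keep the Linux and Windows client plays pointing at the same server. The file also has two trailing blank lines and two blank lines between `vars` and `tasks`.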
@@ -0,0 +1,120 @@
+# Kibana is served by a back end server. This setting specifies the port to use.
+#server.port: 5601
+
+server.port: {{ k_server_port }}
+
+# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+#server.host: "192.168.0.173"
+
+server.host: {{ ansible_default_ipv4.address }}
+
+# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+#server.basePath: ""
+
+# Specifies whether Kibana should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# This setting was effectively always `false` before Kibana 6.3 and will
+# default to `true` starting in Kibana 7.0.
+#server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+#server.maxPayloadBytes: 1048576
+
+# The Kibana server's name. This is used for display purposes.
+server.name: {{ ansible_hostname }}
+
+# The URLs of the Elasticsearch instances to use for all your queries.
+#elasticsearch.hosts: ["http://localhost:9200"]
+elasticsearch.hosts: [
+ {{ k_elasticsearch_hosts }}
+]
+
+# When this setting's value is true Kibana uses the hostname specified in the server.host
+# setting. When the value of this setting is false, Kibana uses the hostname of the host
+# that connects to this Kibana instance.
+#elasticsearch.preserveHost: true
+
+# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
+# dashboards. Kibana creates a new index if the index doesn't already exist.
+#kibana.index: ".kibana"
+
+# The default application to load.
+#kibana.defaultAppId: "home"
+
+# If your Elasticsearch is protected with basic authentication, these settings provide
+# the username and password that the Kibana server uses to perform maintenance on the Kibana
+# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
+# is proxied through the Kibana server.
+#elasticsearch.username: "user"
+#elasticsearch.password: "pass"
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the Kibana server to the browser.
+#server.ssl.enabled: false
+#server.ssl.certificate: /path/to/your/server.crt
+#server.ssl.key: /path/to/your/server.key
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files validate that your Elasticsearch backend uses the same key files.
+#elasticsearch.ssl.certificate: /path/to/your/client.crt
+#elasticsearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your Elasticsearch instance.
+#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+#elasticsearch.ssl.verificationMode: full
+
+# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
+# the elasticsearch.requestTimeout setting.
+#elasticsearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
+# must be a positive integer.
+#elasticsearch.requestTimeout: 30000
+
+# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+#elasticsearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
+#elasticsearch.customHeaders: {}
+
+# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
+#elasticsearch.shardTimeout: 30000
+
+# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
+#elasticsearch.startupTimeout: 5000
+
+# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
+#elasticsearch.logQueries: false
+
+# Specifies the path where Kibana creates the process ID file.
+#pid.file: /var/run/kibana.pid
+
+# Enables you specify a file where Kibana stores log output.
+#logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+#logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+#logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+#logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+#ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+#i18n.locale: "en"
diff --git a/playbook/linux/elastic/metricbeat.j2 b/playbook/linux/elastic/metricbeat.j2
new file mode 100755
index 0000000..a6ec3cb
--- /dev/null
+++ b/playbook/linux/elastic/metricbeat.j2
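Review bot: `server.host: {{ ansible_default_ipv4.address }}` binds Kibana to the machine's routable address while `server.ssl.enabled`, `elasticsearch.username` and `elasticsearch.password` stay commented out, so the UI — and the Elasticsearch queries it proxies — is reachable from the network over plaintext HTTP with no login; if that is accepted for this dev cluster, say so in a comment at the `server.host` line, otherwise put TLS and credentials in front of it before it is exposed. `elasticsearch.hosts: [ {{ k_elasticsearch_hosts }} ]` drops an unquoted `http://...:9200` into a flow sequence and `server.name: {{ ansible_hostname }}` is unquoted too; rendering templated scalars inside quotes, `elasticsearch.hosts: ["{{ k_elasticsearch_hosts }}"]` and `server.name: "{{ ansible_hostname }}"`, protects against empty expansions and YAML-special characters. A one-line header such as `# Managed by Ansible (kibana.j2) - local edits will be overwritten` would tell the next operator not to hand-edit the rendered file.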
@@ -0,0 +1,155 @@
+###################### Metricbeat Configuration Example #######################
+
+# This file is an example configuration file highlighting only the most common
+# options. The metricbeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/metricbeat/index.html
+
+#========================== Modules configuration ============================
+
+metricbeat.config.modules:
+ # Glob pattern for configuration loading
+ path: ${path.config}/modules.d/*.yml
+
+ # Set to true to enable config reloading
+ reload.enabled: false
+
+ # Period on which files under path should be checked for changes
+ #reload.period: 10s
+
+#==================== Elasticsearch template setting ==========================
+
+setup.template.settings:
+ index.number_of_shards: 1
+ index.codec: best_compression
+ #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+
+setup.dashboards.enabled: true
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+ # Kibana Host
+ # Scheme and port can be left out and will be set to the default (http and 5601)
+ # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+
+ host: "{{ kibana_host }}"
+
+ # Kibana Space ID
+ # ID of the Kibana Space into which the dashboards should be loaded. By default,
+ # the Default Space will be used.
+ #space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using metricbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `:`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: {{ elasticsearch_hosts }}
+
+ # Optional protocol and basic auth credentials.
+ #protocol: "https"
+ #username: "elastic"
+ #password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+ # The Logstash hosts
+ #hosts: ["localhost:5044"]
+
+ # Optional SSL. By default is off.
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client Certificate Key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== Xpack Monitoring ===============================
+# metricbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line.
+#xpack.monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
diff --git a/playbook/windows/install-elastic-client.yml b/playbook/windows/install-elastic-client.yml
new file mode 100644
index 0000000..91d1a12
--- /dev/null
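Review bot: `hosts: {{ elasticsearch_hosts }}` is rendered bare and only works because the playbooks define the variable as a pre-formatted string (`'["192.168.0.173:9200"]'`), whereas `host: "{{ kibana_host }}"` a few lines up is quoted; if `elasticsearch_hosts` is ever defined as a real list, the bare rendering becomes Python-style repr output rather than deliberate YAML. Render it on purpose — `hosts: {{ elasticsearch_hosts | to_json }}` with a list-typed variable — or keep the string convention and document it in a comment beside the line; `winlogbeat.j2` later in this series uses the same construct and should follow whichever is chosen. `output.elasticsearch` is left on plain HTTP with `#protocol`, `#username` and `#password` commented out, so host metrics cross the network unauthenticated; at minimum note at the `hosts:` line that this is intended for the dev cluster. `setup.dashboards.enabled: true` makes every client try to load dashboards into Kibana at start-up, which is presumably harmless but is usually done once with `metricbeat setup` from one host rather than by every beat.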
+++ b/playbook/windows/install-elastic-client.yml
@@ -0,0 +1,44 @@
+---
+# This will install all the client parts needed for elastic to monitor client computers
+
+- name: Install elastic client programs
+ hosts: windows
+ vars:
+ elastic_version: '7.0.0'
+ url_heartbeat: 'https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-{{elastic_version}}-windows-x86_64.zip'
+ temp: 'c:\temp\'
+ program_files: 'c:\program files\'
+ kibana_host: '192.168.0.173:5601'
+ elasticsearch_hosts: '["192.168.0.173:9200"]'
+
+
+ tasks:
+ - name: make temp folder
+ win_file:
+ path: c:\temp\
+ state: directory
+
+ - name: download heartbeat
+ win_get_url:
+ url: '{{ url_heartbeat }}'
+ dest: 'C:\temp\heartbeat-{{ elastic_version }}.zip'
+ force: no
+
+ - name: unzip heartbeat
+ win_unzip:
+ src: c:\temp\heartbeat-{{ elastic_version }}.zip
+ dest: C:\temp\heartbeat-{{ elastic_version }}\
+ creates: C:\temp\heartbeat-{{ elastic_version }}\
+
+ - name: Copy heartbeat-{{ elastic_version }} folder
+ win_command: powershell.exe copy-item -Path 'c:\temp\heartbeat-{{ elastic_version }}\heartbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Heartbeat\'
+ args:
+ creates: C:\Program Files\Heartbeat\
+
+ - name: Update template
+ win_template:
+ src: heartbeat.j2
+ dest: C:\Program Files\Heartbeat\heartbeat.yml
+
+ - name: Install Heartbeat service
+ win_command: powershell.exe -ExecutionPolicy ByPass -File 'C:\Program Files\Heartbeat\install-service-heartbeat.ps1'
From bdba44c56d45b306b43e0e05a4715abff22a0883 Mon Sep 17 00:00:00 2001
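Review bot: `download heartbeat` fetches a zip that is then unpacked, copied into `C:\Program Files\Heartbeat\` and registered as a service by `install-service-heartbeat.ps1`, with no integrity check on the download; `win_get_url` has a `checksum` option in newer Ansible (2.8+), so pin the hash Elastic publishes next to the archive, e.g. `checksum: 'sha512:<hash from artifacts.elastic.co>'`, so a truncated or tampered file is rejected before anything from it runs. The same gap is in `download winlogbeat` in `config-winlogbeat.yml` later in this series. `force: no` is a YAML 1.1 boolean; write `force: false`. `Update template` writes `heartbeat.yml` but nothing restarts the service when the rendered file changes on a later run, so config updates after the first install are not picked up; register the template result and restart the service `when:` it changed.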
From: James Tombleson
Date: Wed, 24 Apr 2019 15:53:43 -0700
Subject: [PATCH 04/19] win-metricbeat now checks service status not finished with winlogbeat but config template is stored for now. Checking the status of the service to know what order to issue
---
 .../linux/elastic/config-win-metricbeat.yml | 21 ++-
 playbook/linux/elastic/config-winlogbeat.yml | 39 +++++
 playbook/linux/elastic/install-win-client.yml | 4 +-
 playbook/linux/elastic/winlogbeat.j2 | 158 ++++++++++++++++++
 4 files changed, 219 insertions(+), 3 deletions(-)
 create mode 100644 playbook/linux/elastic/config-winlogbeat.yml
 create mode 100644 playbook/linux/elastic/winlogbeat.j2
diff --git a/playbook/linux/elastic/config-win-metricbeat.yml b/playbook/linux/elastic/config-win-metricbeat.yml
index 68c6254..54f6b0f 100644
--- a/playbook/linux/elastic/config-win-metricbeat.yml
+++ b/playbook/linux/elastic/config-win-metricbeat.yml
@@ -23,17 +23,34 @@
 src: metricbeat.j2
 dest: C:\Program Files\Metricbeat\metricbeat.yml
+- name: Check if metricbeat service is installed
+ register: service_metricbeat
+ win_service:
+ name: metricbeat
+
+- debug: var=service_metricbeat
+
 - name: Install Metricbeat service
 win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-metricbeat.ps1
 args:
 chdir: C:\program files\metricbeat\
+ when: service_metricbeat.exists == false
-- name: stop service
+- name: check status of metricbeat service
+ register: service_metricbeat
+ win_service:
+ name: metricbeat
+
+- debug: var=service_metricbeat
+
+- name: restart service
 win_service:
 name: metricbeat
- state: stopped
+ state: restarted
+ when: service_metricbeat.state == 'started'
 - name: start service
 win_service:
 name: metricbeat
 state: started
+ when: service_metricbeat.state == 'stopped'
diff --git a/playbook/linux/elastic/config-winlogbeat.yml b/playbook/linux/elastic/config-winlogbeat.yml
new file mode 100644
index 0000000..7e5b560
--- /dev/null
+++ b/playbook/linux/elastic/config-winlogbeat.yml
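Review bot: `restart service` now restarts metricbeat on every run in which it is already running, not only when `metricbeat.yml` changed, so the play is not idempotent and bounces the agent on each apply; register the `win_template` result (the task is just above this hunk) and use `when: metricbeat_config.changed` — or a handler — instead of `when: service_metricbeat.state == 'started'`. The same pattern appears in `config-winlogbeat.yml` in the following commit. `when: service_metricbeat.exists == false` reads more naturally as `when: not service_metricbeat.exists`, and the string comparisons against `'started'`/`'stopped'` would be clearer with a short comment explaining that `win_service` without `state` is being used purely as a status query. The two `- debug: var=service_metricbeat` tasks look like troubleshooting left-overs and print the whole service fact every run; drop them or tag them.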
@@ -0,0 +1,39 @@
+---
+# This will install all the client parts needed for elastic to monitor client computers
+
+- name: download winlogbeat
+ win_get_url:
+ url: '{{ url_winlogbeat }}'
+ dest: 'C:\temp\winlogbeat-{{ elastic_version }}.zip'
+ force: no
+
+- name: unzip winlogbeat
+ win_unzip:
+ src: c:\temp\winlogbeat-{{ elastic_version }}.zip
+ dest: C:\temp\winlogbeat-{{ elastic_version }}\
+ creates: C:\temp\winlogbeat-{{ elastic_version }}\
+
+- name: Copy winlogbeat-{{ elastic_version }} folder
+ win_command: powershell.exe copy-item -Path 'c:\temp\winlogbeat-{{ elastic_version }}\metricbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\winlogbeat\'
+ args:
+ creates: C:\Program Files\winlogbeat\
+
+- name: Update template
+ win_template:
+ src: winlogbeat.j2
+ dest: C:\Program Files\winlogbeat\winlogbeat.yml
+
+- name: Install winlogbeat service
+ win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-winlogbeat.ps1
+ args:
+ chdir: C:\program files\winlogbeat\
+
+- name: restart service
+ win_service:
+ name: winlogbeat
+ state: restarted
+
+- name: start service
+ win_service:
+ name: winlogbeat
+ state: started
diff --git a/playbook/linux/elastic/install-win-client.yml b/playbook/linux/elastic/install-win-client.yml
index 8be6258..bd4e251 100644
--- a/playbook/linux/elastic/install-win-client.yml
+++ b/playbook/linux/elastic/install-win-client.yml
@@ -7,6 +7,7 @@
 elastic_version: '7.0.0'
 url_heartbeat: 'https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-{{elastic_version}}-windows-x86_64.zip'
 url_metricbeat: 'https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.0.0-windows-x86_64.zip'
+ url_winlogbeat: 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.0.0-windows-x86_64.zip'
 temp: 'c:\temp\'
 program_files: 'c:\program files\'
 kibana_host: '192.168.0.173:5601'
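Review bot: `Copy winlogbeat-{{ elastic_version }} folder` copies from `...\winlogbeat-{{ elastic_version }}\metricbeat-{{ elastic_version }}-windows-x86_64\`, a metricbeat directory name inside the winlogbeat extraction folder, so the copy finds nothing and `Update template` and `Install winlogbeat service` then run against an empty `C:\Program Files\winlogbeat\`; the source path should be `winlogbeat-{{ elastic_version }}-windows-x86_64\`. The header comment is copied from the client playbook and describes a whole play, not this task file; `# Tasks: download, unpack and register the winlogbeat service (included from install-win-client.yml)` would be accurate. `Install winlogbeat service`, `restart service` and `start service` all run unconditionally on every apply, so the install script is re-executed against an existing service and the agent is bounced each run; guard them on a `win_service` status query as `config-win-metricbeat.yml` does.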
@@ -22,4 +23,5 @@
 - name: Install Metricbeat
 include: config-win-metricbeat.yml
-
+ - name: Install WinLogbeat
+ include: config-winlogbeat.yml
diff --git a/playbook/linux/elastic/winlogbeat.j2 b/playbook/linux/elastic/winlogbeat.j2
new file mode 100644
index 0000000..3cc7fc4
--- /dev/null
+++ b/playbook/linux/elastic/winlogbeat.j2
@@ -0,0 +1,158 @@
+###################### Winlogbeat Configuration Example ##########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The winlogbeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
+
+#======================= Winlogbeat specific options ==========================
+
+# event_logs specifies a list of event logs to monitor as well as any
+# accompanying options. The YAML data type of event_logs is a list of
+# dictionaries.
+#
+# The supported keys are name (required), tags, fields, fields_under_root,
+# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
+# visit the documentation for the complete details of each option.
+# https://go.es.io/WinlogbeatConfig
+winlogbeat.event_logs:
+ - name: Application
+ ignore_older: 72h
+ - name: Security
+ - name: System
+
+#==================== Elasticsearch template setting ==========================
+
+setup.template.settings:
+ index.number_of_shards: 1
+ #index.codec: best_compression
+ #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+ # Kibana Host
+ # Scheme and port can be left out and will be set to the default (http and 5601)
+ # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+ #host: "localhost:5601"
+
+ # Kibana Space ID
+ # ID of the Kibana Space into which the dashboards should be loaded. By default,
+ # the Default Space will be used.
+ #space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `:`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: ["localhost:9200"]
+
+ # Optional protocol and basic auth credentials.
+ #protocol: "https"
+ #username: "elastic"
+ #password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+ # The Logstash hosts
+ #hosts: ["localhost:5044"]
+
+ # Optional SSL. By default is off.
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client Certificate Key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== Xpack Monitoring ===============================
+# winlogbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line.
+#xpack.monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
+
From f394ee9781ff8c9564d3c6cb30fdfa81ce763774 Mon Sep 17 00:00:00 2001
From: James Tombleson
Date: Thu, 25 Apr 2019 09:29:45 -0700
Subject: [PATCH 05/19] Updated configs Trying to find a place to install heartbeat. I do not think any client devices need to run this service.
---
 .gitignore | 1 +
 .../linux/elastic/config-win-metricbeat.yml | 4 ++--
 playbook/linux/elastic/config-winlogbeat.yml | 15 ++++++++++++-
 playbook/linux/elastic/heartbeat.j2 | 8 +++----
 playbook/linux/elastic/t.yml | 15 -------------
 playbook/linux/elastic/template-test.yml | 21 -------------------
 playbook/linux/elastic/winlogbeat.j2 | 6 +++---
 7 files changed, 24 insertions(+), 46 deletions(-)
 delete mode 100644 playbook/linux/elastic/t.yml
 delete mode 100644 playbook/linux/elastic/template-test.yml
diff --git a/.gitignore b/.gitignore
index e91eb9f..899db53 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 .DS_Store
 hosts
+win_hosts
diff --git a/playbook/linux/elastic/config-win-metricbeat.yml b/playbook/linux/elastic/config-win-metricbeat.yml
index 54f6b0f..66328e0 100644
--- a/playbook/linux/elastic/config-win-metricbeat.yml
+++ b/playbook/linux/elastic/config-win-metricbeat.yml
@@ -28,7 +28,7 @@
 win_service:
 name: metricbeat
-- debug: var=service_metricbeat
+#- debug: var=service_metricbeat
 - name: Install Metricbeat service
 win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-metricbeat.ps1
@@ -41,7 +41,7 @@
 win_service:
 name: metricbeat
-- debug: var=service_metricbeat
+#- debug: var=service_metricbeat
 - name: restart service
 win_service:
diff --git a/playbook/linux/elastic/config-winlogbeat.yml b/playbook/linux/elastic/config-winlogbeat.yml
index 7e5b560..0f5df35 100644
--- a/playbook/linux/elastic/config-winlogbeat.yml
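Review bot: `winlogbeat.event_logs` collects the `Security` log, which carries logon, account-management and privilege-use events, and `output.elasticsearch` ships it with `#protocol: "https"`, `#username` and `#password` all commented out, so once the target is a real server the Security log crosses the network in clear text with no authentication. If plain HTTP is accepted for this dev environment, say so in a comment at `output.elasticsearch:`; otherwise enable `protocol: "https"`, `ssl.certificate_authorities` and credentials before this template reaches real clients. As committed, `hosts: ["localhost:9200"]` points at the Windows client itself, where no Elasticsearch is presumably listening, so nothing would be indexed until the address is templated like the other beats. `setup.kibana.host` is still the commented default while `setup.dashboards.enabled` is off, which is consistent, but a one-line note that dashboard loading is intentionally disabled here would stop it being read as an omission.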
+++ b/playbook/linux/elastic/config-winlogbeat.yml
@@ -14,7 +14,7 @@
 creates: C:\temp\winlogbeat-{{ elastic_version }}\
 - name: Copy winlogbeat-{{ elastic_version }} folder
- win_command: powershell.exe copy-item -Path 'c:\temp\winlogbeat-{{ elastic_version }}\metricbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\winlogbeat\'
+ win_command: powershell.exe copy-item -Path 'c:\temp\winlogbeat-{{ elastic_version }}\winlogbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\winlogbeat\'
 args:
 creates: C:\Program Files\winlogbeat\
@@ -23,17 +23,30 @@
 src: winlogbeat.j2
 dest: C:\Program Files\winlogbeat\winlogbeat.yml
+- name: check for service
+ register: service
+ win_service:
+ name: winlogbeat
+
 - name: Install winlogbeat service
 win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-winlogbeat.ps1
 args:
 chdir: C:\program files\winlogbeat\
+ when: service.exists == false
+
+- name: check status of service
+ register: service
+ win_service:
+ name: winlogbeat
 - name: restart service
 win_service:
 name: winlogbeat
 state: restarted
+ when: service.state == 'started'
 - name: start service
 win_service:
 name: winlogbeat
 state: started
+ when: service.state == 'stopped'
diff --git a/playbook/linux/elastic/heartbeat.j2 b/playbook/linux/elastic/heartbeat.j2
index 22fdf7c..b5c4efa 100755
--- a/playbook/linux/elastic/heartbeat.j2
+++ b/playbook/linux/elastic/heartbeat.j2
@@ -15,7 +15,7 @@ heartbeat.config.monitors:
 # Directory + glob pattern to search for configuration files
 path: ${path.config}/monitors.d/*.yml
 # If enabled, heartbeat will periodically check the config.monitors path for changes
- reload.enabled: false
+ reload.enabled: true
 # How often to check for changes
 reload.period: 5s
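Review bot: The registered variable is named `service`, which is generic (and is also the name of an Ansible module) and differs from the `service_metricbeat` convention in `config-win-metricbeat.yml`; `register: service_winlogb
eat` in both `check for service` and `check status of service` would keep the two task files parallel. `when: service.exists == false` reads better as `when: not service.exists`. `restart service` still fires on every run in which winlogbeat is already running rather than only when `winlogbeat.yml` changed, so the play is not idempotent; register the `win_template` result (above this hunk) and restart `when:` it reports `changed`, as already suggested for the metricbeat task file.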
@@ -24,10 +24,10 @@ heartbeat.monitors:
 - type: http
 # List or urls to query
- urls: ["http://localhost:9200"]
+ urls: ["http://localhost:9200", "https://www.directorsmortgage.com", "https://www.usadirectfunding.com":]
 # Configure task schedule
- schedule: '@every 10s'
+ schedule: '@every 60s'
 # Total test connection and data exchange timeout
 #timeout: 16s
@@ -43,7 +43,7 @@ setup.template.settings:
 # The name of the shipper that publishes the network data. It can be used to group
 # all the transactions sent by a single shipper in the web interface.
-#name:
+name: {{ ansible_hostname }}
 # The tags of the shipper are included in their own field with each
 # transaction published.
diff --git a/playbook/linux/elastic/t.yml b/playbook/linux/elastic/t.yml
deleted file mode 100644
index c85096b..0000000
--- a/playbook/linux/elastic/t.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: update metricbeat
- hosts: linux
-
- tasks:
-
- - name: define elasticsearch hosts
- become: true
- lineinfile:
- path: /etc/metricbeat/metricbeat.yml
- regexp: 'hosts: \["localhost:9200"\]'
- #insertafter: 'hosts: \["localhost:9200"\]'
- line: ' hosts: ["dm-nagios.local:9200"]'
- state: present
- backrefs: yes
diff --git a/playbook/linux/elastic/template-test.yml b/playbook/linux/elastic/template-test.yml
deleted file mode 100644
index 848db7c..0000000
--- a/playbook/linux/elastic/template-test.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-- name: template test
- hosts: elasticClients
- vars:
- cluster_name: 'logging-dev'
- node_name: 'dev-data-01'
- node_master: 'true'
- node_data: 'true'
- path_data: '/var/lib/elasticsearch'
- path_logs: '/var/log/elasticsearch'
- network_host: ansible_default_ipv4.address
- http_port: '9200'
- transport_host: 'localhost'
- transport_port: '9300'
-
- tasks:
- - name: generate template
- template:
- src: elasticsearch.j2
- dest: /tmp/elasticsearch.yml
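Review bot: The new `urls:` line ends with `"https://www.usadirectfunding.com":]` — a quoted scalar followed by `:` inside a flow sequence is parsed as a single-pair mapping, so the third entry becomes a map with a null value instead of a URL string and heartbeat will reject or misread the monitor; drop the stray colon so the list ends `"https://www.usadirectfunding.com"]`. Hard-coding the monitored URLs in the template also means changing a target requires editing the `.j2`; a list variable rendered as `urls: {{ heartbeat_urls | to_json }}` would let the playbook own them. In the second hunk `name: {{ ansible_hostname }}` is unquoted; `name: "{{ ansible_hostname }}"` is safer against odd hostnames.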
diff --git a/playbook/linux/elastic/winlogbeat.j2 b/playbook/linux/elastic/winlogbeat.j2
index 3cc7fc4..8514f47 100644
--- a/playbook/linux/elastic/winlogbeat.j2
+++ b/playbook/linux/elastic/winlogbeat.j2
@@ -50,7 +50,7 @@ setup.template.settings:
 # These settings control loading the sample dashboards to the Kibana index. Loading
 # the dashboards is disabled by default and can be enabled either by setting the
 # options here or by using the `setup` command.
-#setup.dashboards.enabled: false
+setup.dashboards.enabled: true
 # The URL from where to download the dashboards archive. By default this URL
 # has a value which is computed based on the Beat name and version. For released
@@ -68,7 +68,7 @@ setup.kibana:
 # Scheme and port can be left out and will be set to the default (http and 5601)
 # In case you specify and additional path, the scheme is required: http://localhost:5601/path
 # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
- #host: "localhost:5601"
+ host: {{ kibana_host }}
 # Kibana Space ID
 # ID of the Kibana Space into which the dashboards should be loaded. By default,
@@ -95,7 +95,7 @@ setup.kibana:
 #-------------------------- Elasticsearch output ------------------------------
 output.elasticsearch:
 # Array of hosts to connect to.
- hosts: ["localhost:9200"]
+ hosts: {{ elasticsearch_hosts }}
 # Optional protocol and basic auth credentials.
 #protocol: "https"
From 79b7a915acd32481f828551b4a83aadec727c9c4 Mon Sep 17 00:00:00 2001
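Review bot: `host: {{ kibana_host }}` is rendered unquoted here while `metricbeat.j2` writes `host: "{{ kibana_host }}"` for the same variable; use the quoted form so an empty or odd value cannot change the YAML shape, and so the two templates read the same. `setup.dashboards.enabled: true` now makes every Windows client attempt to load dashboards into Kibana at start-up; that is presumably harmless, but a comment at the line noting it is intentional (or moving the one-off `winlogbeat setup` to the server) would save the next reader from wondering.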
From: James Tombleson
Date: Thu, 25 Apr 2019 15:25:52 -0700
Subject: [PATCH 06/19] Moving Elastic to a role Config was updated to find the new ./roles/ folder splitting the elastic installers into a roles that can be easier to manage
---
 ansible.cfg | 4 +-
 playbook/linux/elastic/install-server.yml | 5 ++
 playbook/linux/elastic/role-test.yml | 11 ++++
 roles/elasticsearch/README.md | 38 ++++++++++++++
 roles/elasticsearch/defaults/main.yml | 31 +++++++++++
 roles/elasticsearch/handlers/main.yml | 2 +
 roles/elasticsearch/meta/main.yml | 60 ++++++++++++++++++++++
 roles/elasticsearch/tasks/elastic-7.x.list | 1 +
 roles/elasticsearch/tasks/install-repo.yml | 29 +++++++++++
 roles/elasticsearch/tasks/main.yml | 28 ++++++++++
 roles/elasticsearch/tests/inventory | 2 +
 roles/elasticsearch/tests/test.yml | 5 ++
 roles/elasticsearch/vars/main.yml | 24 +++++++++
 13 files changed, 238 insertions(+), 2 deletions(-)
 create mode 100644 playbook/linux/elastic/role-test.yml
 create mode 100644 roles/elasticsearch/README.md
 create mode 100644 roles/elasticsearch/defaults/main.yml
 create mode 100644 roles/elasticsearch/handlers/main.yml
 create mode 100644 roles/elasticsearch/meta/main.yml
 create mode 100644 roles/elasticsearch/tasks/elastic-7.x.list
 create mode 100644 roles/elasticsearch/tasks/install-repo.yml
 create mode 100644 roles/elasticsearch/tasks/main.yml
 create mode 100644 roles/elasticsearch/tests/inventory
 create mode 100644 roles/elasticsearch/tests/test.yml
 create mode 100644 roles/elasticsearch/vars/main.yml
diff --git a/ansible.cfg b/ansible.cfg
index 2444af9..b605092 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -65,7 +65,7 @@ local_tmp = ~/.ansible/tmp
 # inject_facts_as_vars = True
 # additional paths to search for roles in, colon separated
-#roles_path = /etc/ansible/roles
+roles_path = /etc/ansible/roles:./roles/
 # uncomment this to disable SSH key host checking
 #host_key_checking = False
@@ -487,4 +487,4 @@ local_tmp = ~/.ansible/tmp # always = no # Set how many context lines to show in diff -# context = 3 \ No newline at end of file +# context = 3 diff --git a/playbook/linux/elastic/install-server.yml b/playbook/linux/elastic/install-server.yml index d5204aa..cf7ff19 100644 --- a/playbook/linux/elastic/install-server.yml +++ b/playbook/linux/elastic/install-server.yml @@ -50,6 +50,11 @@ - name: Configure Kibana include: config-kibana.yml + - name: Install Heartbeat + become: true + apt: + name: heartbeat + #- name: Install Logstash #become: true #apt: diff --git a/playbook/linux/elastic/role-test.yml b/playbook/linux/elastic/role-test.yml new file mode 100644 index 0000000..5d681f8 --- /dev/null +++ b/playbook/linux/elastic/role-test.yml @@ -0,0 +1,11 @@ + +- name: testing elastic role + hosts: elastic + + tasks: + - name: test role + import_role: + name: elasticsearch + vars: + cluster_name: "cookies" + diff --git a/roles/elasticsearch/README.md b/roles/elasticsearch/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/elasticsearch/README.md 
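Review bot: `name: heartbeat` in the new `Install Heartbeat` task will not install the Elastic beat on Ubuntu: `heartbeat` is the Linux-HA cluster-messaging daemon from the distribution's own repository, and Elastic publishes its package as `heartbeat-elastic` precisely because of that name clash. Change it to `name: heartbeat-elastic` and add `state: present` so the intent is explicit. The task also relies on the Elastic apt repo having been added earlier in this play, which is outside the hunk.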
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml new file mode 100644 index 0000000..75bf840 --- /dev/null +++ b/roles/elasticsearch/defaults/main.yml 
@@ -0,0 +1,31 @@ +--- +# This contains all the variables that can be used in the playbook + +cluster_name: 'cluster' + +node_name: '' + +# https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html +# +node_master: true + +node_data: true + +path_data: '/var/lib/elasticsearch' + +path_logs: '/var/log/elastisearch' + +http_port: 9200 + +### Transport ### +# +#https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html +# + +# The host address to bind the transport service to. Defaults to transport.host (if set) or network.bind_host. +transport_host: 'localhost' + +# A bind port range. Defaults to 9300-9400. +transport_port: 9300 + + diff --git a/roles/elasticsearch/handlers/main.yml b/roles/elasticsearch/handlers/main.yml new file mode 100644 index 0000000..5da5dbb --- /dev/null +++ b/roles/elasticsearch/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for elasticsearch \ No newline at end of file diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml new file mode 100644 index 0000000..5d50bf4 --- /dev/null +++ b/roles/elasticsearch/meta/main.yml 
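Review bot: `path_logs: '/var/log/elastisearch'` is misspelled; the deb package creates and chowns `/var/log/elasticsearch`, so with this default the service would have to create a fresh directory under root-owned /var/log and will most likely fail to start with a permission error. Change it to `path_logs: '/var/log/elasticsearch'`. `node_name: ''` renders as an empty value wherever it is templated, i.e. a null rather than a name; `node_name: "{{ inventory_hostname }}"` is evaluated lazily per host and gives each node a distinct, meaningful default.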
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/elasticsearch/tasks/elastic-7.x.list b/roles/elasticsearch/tasks/elastic-7.x.list new file mode 100644 index 0000000..7eef915 --- /dev/null +++ b/roles/elasticsearch/tasks/elastic-7.x.list @@ -0,0 +1 @@ +deb https://artifacts.elastic.co/packages/7.x/apt stable main diff --git a/roles/elasticsearch/tasks/install-repo.yml b/roles/elasticsearch/tasks/install-repo.yml new file mode 100644 index 0000000..c4504a6 --- /dev/null +++ b/roles/elasticsearch/tasks/install-repo.yml @@ -0,0 +1,29 @@ +--- + +- name: Install Elastic GPG Key + become: true + apt_key: + url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" + state: present + id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 + +- name: Install apt-transport-https + become: true + apt: + name: apt-transport-https + +- name: Add Elastic Repo + become: true + copy: + dest: '/etc/apt/sources.list.d/elastic-7.x.list' + content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" + # copy: + #src: elastic-7.x.list + # dest: /etc/apt/sources.list.d/ + # backup: yes + +- name: Update Packages + become: true + apt: + update_cache: true + diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml new file mode 100644 index 0000000..082d15f --- /dev/null +++ b/roles/elasticsearch/tasks/main.yml @@ -0,0 +1,28 @@ +--- +# tasks file for elasticsearcih + +- name: Test role + debug: var=cluster_name + +- name: Install Elastic GPG Key + become: true + apt_key: + url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" + state: present + id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 + +- name: Install apt-transport-https + become: true + apt: + name: apt-transport-https + +- name: Add Elastic Repo + become: true + copy: + dest: '/etc/apt/sources.list.d/elastic-7.x.list' + content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" + +- name: Update Packages + become: true + apt: + update_cache: true 
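Review bot: tasks/main.yml repeats the four tasks of install-repo.yml verbatim (same GPG key id, same sources line) instead of including it, so the repository definition now lives in two places and `tasks/elastic-7.x.list` in a third that nothing reads (the copy task uses `content:`). Replace the copied tasks with `- include_tasks: install-repo.yml` and drop the unused list file. The `Test role` debug task and the `# tasks file for elasticsearcih` typo are leftovers worth cleaning up in the same pass.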
diff --git a/roles/elasticsearch/tests/inventory b/roles/elasticsearch/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/elasticsearch/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/elasticsearch/tests/test.yml b/roles/elasticsearch/tests/test.yml new file mode 100644 index 0000000..23f2653 --- /dev/null +++ b/roles/elasticsearch/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - elasticsearch \ No newline at end of file diff --git a/roles/elasticsearch/vars/main.yml b/roles/elasticsearch/vars/main.yml new file mode 100644 index 0000000..7d1daf9 --- /dev/null +++ b/roles/elasticsearch/vars/main.yml @@ -0,0 +1,24 @@ +--- + +# configuration for elasticsearch.yml +# +# Defines the name of the cluster we are going to deploy to +cluster_name: 'Elastic-Cluster' + +# Defines the name of the node +node_name: 'hostname' + +node_master: true + +node_data: true + +path_data: '/var/lib/elasticsearch' + +path_logs: '/var/lib/elasticsearch' + +http_port: 9200 + +transport_host: localhost + +transport_tcp_port: 9300 + From 3721747f01b7912b2da00f6c1177bb76ad5e5577 Mon Sep 17 00:00:00 2001 From: James Tombleson Date: Thu, 25 Apr 2019 15:59:42 -0700 Subject: [PATCH 07/19] Adding ubuntu directions to elasti role --- roles/elasticsearch/tasks/main.yml | 42 +++++++++++++++------------- roles/elasticsearch/tasks/ubuntu.yml | 8 ++++++ 2 files changed, 31 insertions(+), 19 deletions(-) create mode 100644 roles/elasticsearch/tasks/ubuntu.yml diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 082d15f..62c35c7 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml 
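Review bot: tests/test.yml sets `remote_user: root` although every task in the role already escalates with `become: true`; running the test play as root removes the only check that the escalation is correct and requires a host that permits root logins. Drop `remote_user: root` (or use an unprivileged user) so the test exercises the same path as production use.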
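Review bot: vars/main.yml redefines every key that defaults/main.yml declares (`cluster_name`, `node_name`, `path_data`, ...), and role vars take precedence over role defaults, inventory and play vars, so the defaults and anything set in group_vars are silently shadowed; only role parameters such as the `vars:` on `import_role` still win. The copy has also diverged: `transport_tcp_port` here versus `transport_port` in defaults, `path_logs` pointing at the data directory `/var/lib/elasticsearch`, and `node_name: 'hostname'` as a literal string. Keep user-tunable settings in defaults/main.yml only and reserve vars/main.yml for constants callers must not override.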
@@ -4,25 +4,29 @@ - name: Test role debug: var=cluster_name -- name: Install Elastic GPG Key - become: true - apt_key: - url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" - state: present - id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 +- name: Install Elastic Repo + include: install-repo.yml + when: ansible_distribution == "Ubuntu" -- name: Install apt-transport-https - become: true - apt: - name: apt-transport-https + #- name: Install Elastic GPG Key + #become: true + #apt_key: + #url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" + #state: present + #id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 -- name: Add Elastic Repo - become: true - copy: - dest: '/etc/apt/sources.list.d/elastic-7.x.list' - content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" +#- name: Install apt-transport-https + # become: true + #apt: + #name: apt-transport-https -- name: Update Packages - become: true - apt: - update_cache: true +#- name: Add Elastic Repo +# become: true +# copy: + # dest: '/etc/apt/sources.list.d/elastic-7.x.list' + # content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" + + #- name: Update Packages + #become: true + # apt: + # update_cache: true diff --git a/roles/elasticsearch/tasks/ubuntu.yml b/roles/elasticsearch/tasks/ubuntu.yml new file mode 100644 index 0000000..1b8b0f2 --- /dev/null +++ b/roles/elasticsearch/tasks/ubuntu.yml @@ -0,0 +1,8 @@ + + +- name: Install ElasticSearch from apt + become: true + apt: + name: elasticsearch + +- name: From 74c75c3d3636f65e2949a6f261c00d531dae8d78 Mon Sep 17 00:00:00 2001 
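Review bot: the replaced block leaves about twenty lines of commented-out, inconsistently indented task fragments under the new `Install Elastic Repo` task; they add nothing git history does not already keep, so delete them. `include:` has been deprecated since Ansible 2.4 in favour of `include_tasks:`/`import_tasks:`, so `- include_tasks: install-repo.yml` with the same `when:` is the drop-in replacement. With the `ansible_distribution == "Ubuntu"` guard the role is silent on every other distribution; a final `fail:` task for unsupported platforms would make that explicit.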
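Review bot: the new ubuntu.yml ends with a bare `- name:` item that has no module, which Ansible rejects at parse time ("no action detected in task"), so the file cannot be loaded at all; remove the trailing item or complete the task. Nothing in this commit includes ubuntu.yml either — tasks/main.yml only includes install-repo.yml — so the `Install ElasticSearch from apt` task is dead until main.yml is wired to it. The file also lacks the `---` document start the other task files use.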
From: James Tombleson Date: Fri, 26 Apr 2019 12:35:26 -0700 Subject: [PATCH 08/19] Moving kibana to a role --- playbook/linux/elastic/role-test.yml | 6 +- roles/elasticsearch/README.md | 72 ++++++++++++-- roles/elasticsearch/defaults/main.yml | 21 ++++- roles/elasticsearch/tasks/elastic-7.x.list | 1 - roles/elasticsearch/tasks/main.yml | 31 +----- roles/elasticsearch/tasks/ubuntu.yml | 38 +++++++- .../elasticsearch/templates/elasticsearch.j2 | 94 +++++++++++++++++++ roles/kibana/README.md | 38 ++++++++ roles/kibana/defaults/main.yml | 15 +++ roles/kibana/handlers/main.yml | 2 + roles/kibana/meta/main.yml | 60 ++++++++++++ roles/kibana/tasks/install-repo.yml | 29 ++++++ roles/kibana/tasks/main.yml | 2 + .../kibana/templates}/kibana.j2 | 0 roles/kibana/tests/inventory | 2 + roles/kibana/tests/test.yml | 5 + roles/kibana/vars/main.yml | 2 + 17 files changed, 381 insertions(+), 37 deletions(-) delete mode 100644 roles/elasticsearch/tasks/elastic-7.x.list create mode 100755 roles/elasticsearch/templates/elasticsearch.j2 create mode 100644 roles/kibana/README.md create mode 100644 roles/kibana/defaults/main.yml create mode 100644 roles/kibana/handlers/main.yml create mode 100644 roles/kibana/meta/main.yml create mode 100644 roles/kibana/tasks/install-repo.yml create mode 100644 roles/kibana/tasks/main.yml rename {playbook/linux/elastic => roles/kibana/templates}/kibana.j2 (100%) create mode 100644 roles/kibana/tests/inventory create mode 100644 roles/kibana/tests/test.yml create mode 100644 roles/kibana/vars/main.yml diff --git a/playbook/linux/elastic/role-test.yml b/playbook/linux/elastic/role-test.yml index 5d681f8..68fb5bc 100644 --- a/playbook/linux/elastic/role-test.yml +++ b/playbook/linux/elastic/role-test.yml @@ -7,5 +7,9 @@ import_role: name: elasticsearch vars: - cluster_name: "cookies" + cluster_name: "loggin-dev" + ufw_http_port: true + ufw_transport_port: true + systemd_enabled: true + systemd_restart: true 
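Review bot: `cluster_name: "loggin-dev"` looks like a typo for `logging-dev`, and because cluster.name decides which nodes may join each other, a one-letter mismatch leaves this node in a cluster of its own. If `logging-dev` is intended, change the line; either way a comment saying that every node must receive the identical value would prevent the next slip.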
diff --git a/roles/elasticsearch/README.md b/roles/elasticsearch/README.md index 225dd44..1cdb858 100644 --- a/roles/elasticsearch/README.md +++ b/roles/elasticsearch/README.md @@ -1,17 +1,64 @@ -Role Name +ElasticSearch ========= -A brief description of the role goes here. +This role will install and configure ElastiSearch on requested servers. Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +No requirements are needed for this role. Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +```yaml +cluster_name: 'cluster' + +node_name: '' + +# https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html +# +node_master: true + +node_data: true + +path_data: '/var/lib/elasticsearch' + +path_logs: '/var/log/elastisearch' + +http_port: 9200 + +### Transport ### +# +#https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html +# + +# The host address to bind the transport service to. Defaults to transport.host (if set) or network.bind_host. +transport_host: 'localhost' + +# A bind port range. Defaults to 9300-9400. +transport_port: 9300 + +# +# Firewall configuration +# + +# Allow http_port though UFW +ufw_http_port: false + +# Allow transport_port though UFW +ufw_transport_port: false + +# +# systemd configuration +# + +# Enable ElasticSearch on system startup +systemd_enabled: false + +# Restart ElasticSearch after running though playbook +systemd_restart: false +``` Dependencies ------------ 
@@ -23,9 +70,20 @@ Example Playbook Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +- name: testing elastic role + hosts: elastic + + tasks: + - name: Install ElasticSearch + import_role: + name: elasticsearch + vars: + cluster_name: "cookies" + ufw_http_port: true + ufw_transport_port: true + systemd_enabled: true + systemd_restart: true + License ------- diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index 75bf840..a2a291c 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -3,7 +3,7 @@ cluster_name: 'cluster' -node_name: '' +node_name: 'nodeName' # https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html # @@ -28,4 +28,23 @@ transport_host: 'localhost' # A bind port range. Defaults to 9300-9400. transport_port: 9300 +# +# Firewall configuration +# + +# Allow http_port though UFW +ufw_http_port: false + +# Allow transport_port though UFW +ufw_transport_port: false + +# +# systemd configuration +# + +# Enable ElasticSearch on system startup +systemd_enabled: false + +# Restart ElasticSearch after running though playbook +systemd_restart: false diff --git a/roles/elasticsearch/tasks/elastic-7.x.list b/roles/elasticsearch/tasks/elastic-7.x.list deleted file mode 100644 index 7eef915..0000000 --- a/roles/elasticsearch/tasks/elastic-7.x.list +++ /dev/null @@ -1 +0,0 @@ -deb https://artifacts.elastic.co/packages/7.x/apt stable main diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 62c35c7..4f0a375 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml 
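Review bot: `node_name: 'nodeName'` in the `@@ -3,7` hunk of defaults/main.yml gives every host the role runs on the same node.name, which makes logs and `_cat/nodes` output indistinguishable; `node_name: "{{ inventory_hostname }}"` is templated lazily per host and is the safer default. The new `ufw_*`/`systemd_*` flags in the second hunk are correctly typed booleans, but their comments say "though" where "through" is meant, and a note that `ufw_http_port: true` opens the port to all sources (the role applies no source restriction) would help callers decide.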
@@ -1,32 +1,11 @@ --- # tasks file for elasticsearcih -- name: Test role - debug: var=cluster_name +#- name: Test role +#debug: var=cluster_name -- name: Install Elastic Repo - include: install-repo.yml +- name: Running role - elasticsearch + include: ubuntu.yml when: ansible_distribution == "Ubuntu" - #- name: Install Elastic GPG Key - #become: true - #apt_key: - #url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" - #state: present - #id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 - -#- name: Install apt-transport-https - # become: true - #apt: - #name: apt-transport-https - -#- name: Add Elastic Repo -# become: true -# copy: - # dest: '/etc/apt/sources.list.d/elastic-7.x.list' - # content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" - - #- name: Update Packages - #become: true - # apt: - # update_cache: true + diff --git a/roles/elasticsearch/tasks/ubuntu.yml b/roles/elasticsearch/tasks/ubuntu.yml index 1b8b0f2..6026c10 100644 --- a/roles/elasticsearch/tasks/ubuntu.yml +++ b/roles/elasticsearch/tasks/ubuntu.yml @@ -1,8 +1,44 @@ +- name: Add Elastic repo + include: install-repo.yml + - name: Install ElasticSearch from apt become: true apt: name: elasticsearch -- name: +- name: Update config + become: true + template: + src: elasticsearch.j2 + dest: /etc/elasticsearch/elasticsearch.yml + backup: yes + +- name: UFW allow http_port + become: true + when: ufw_http_port == true + ufw: + rule: allow + port: "{{ http_port }}" + +- name: UFW allow transport_port + become: true + when: ufw_transport_port == true + ufw: + rule: allow + port: "{{ transport_port }}" + +- name: systemd enable elasticsearch + become: true + when: systemd_enabled == true + systemd: + name: elasticsearch + enabled: true + +- name: systemd restart elasticsearch + become: true + when: systemd_restart == true + systemd: + name: elasticsearch + state: restarted 
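Review bot: `include: ubuntu.yml` uses the `include:` keyword Ansible deprecated in 2.4; `include_tasks: ubuntu.yml` is the drop-in replacement and the `when:` still applies. The role now does nothing on a non-Ubuntu host, so a closing `- fail:` task for unsupported distributions would make that explicit; the `#- name: Test role` residue and the trailing blank `+` line can go.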
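Review bot: the two `UFW allow` tasks in ubuntu.yml open `http_port` and `transport_port` to every source and protocol while the template added in this commit binds `network.host` to the host's default IPv4 address and configures no authentication, so anyone who can reach the host gets an unauthenticated REST API. Restrict the rule, e.g. `proto: tcp` plus `from_ip: "{{ allowed_cidr }}"` (a new variable), and treat the transport port as cluster-internal. `when: ufw_http_port == true` reads better as `when: ufw_http_port`, and the `Update config` template task followed by a flag-gated unconditional restart would be cleaner as `notify: restart elasticsearch` with a handler, so a run that changes nothing does not bounce the service.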
diff --git a/roles/elasticsearch/templates/elasticsearch.j2 b/roles/elasticsearch/templates/elasticsearch.j2
new file mode 100755
index 0000000..5dc9754
--- /dev/null
+++ b/roles/elasticsearch/templates/elasticsearch.j2
@@ -0,0 +1,94 @@
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+# Before you set out to tweak and tune the configuration, make sure you
+# understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please consult the documentation for further information on configuration options:
+# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
+#
+# ---------------------------------- Cluster -----------------------------------
+#
+# Use a descriptive name for your cluster:
+#
+#cluster.name: my-application
+cluster.name: {{ cluster_name }}
+#
+# ------------------------------------ Node ------------------------------------
+#
+# Use a descriptive name for the node:
+#
+#node.name: node-1
+node.name: {{ node_name }}
+node.master: {{ node_master }}
+node.data: {{ node_data }}
+#
+# Add custom attributes to the node:
+#
+#node.attr.rack: r1
+#
+# ----------------------------------- Paths ------------------------------------
+#
+# Path to directory where to store the data (separate multiple locations by comma):
+#
+path.data: {{ path_data }}
+#
+# Path to log files:
+#
+path.logs: {{ path_logs }}
+#
+# ----------------------------------- Memory -----------------------------------
+#
+# Lock the memory on startup:
+#
+#bootstrap.memory_lock: true
+#
+# Make sure that the heap size is set to about half the memory available
+# on the system and that the owner of the process is allowed to use this
+# limit.
+#
+# Elasticsearch performs poorly when the system is swapping the memory.
+#
+# ---------------------------------- Network -----------------------------------
+#
+# Set the bind address to a specific IP (IPv4 or IPv6):
+#
+network.host: {{ ansible_default_ipv4.address }}
+#
+# Set a custom port for HTTP:
+#
+http.port: {{ http_port }}
+transport.host: {{ transport_host }}
+transport.tcp.port: {{ transport_port }}
+#
+# For more information, consult the network module documentation.#
+#
+# --------------------------------- Discovery ----------------------------------
+#
+# Pass an initial list of hosts to perform discovery when this node is started:
+# The default list of hosts is ["127.0.0.1", "[::1]"]
+#
+#discovery.seed_hosts: ["host1", "host2"]
+#
+# Bootstrap the cluster using an initial set of master-eligible nodes:
+#
+#cluster.initial_master_nodes: ["node-1", "node-2"]
+#
+# For more information, consult the discovery and cluster formation module documentation.
+#
+# ---------------------------------- Gateway -----------------------------------
+#
+# Block initial recovery after a full cluster restart until N nodes are started:
+#
+#gateway.recover_after_nodes: 3
+#
+# For more information, consult the gateway module documentation.
+#
+# ---------------------------------- Various -----------------------------------
+#
+# Require explicit names when deleting indices:
+#
+#action.destructive_requires_name: true
diff --git a/roles/kibana/README.md b/roles/kibana/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/roles/kibana/README.md
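Review bot: the rendered file binds `network.host` to `ansible_default_ipv4.address` and sets no `xpack.security.*` options, so the HTTP API is reachable from the network without authentication or TLS; either keep `network.host` on loopback until security is configured, or add `xpack.security.enabled: true` (with transport TLS) and the matching role variables. `node.master: {{ node_master }}` and `node.data: {{ node_data }}` render Python booleans as `True`/`False`, and Elasticsearch's boolean parsing may reject anything but lowercase `true`/`false`, so render them as `{{ node_master | to_json }}` and `{{ node_data | to_json }}`. The stray trailing `#` on `# For more information, consult the network module documentation.#` is harmless inside a comment but looks like an editing slip.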
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml new file mode 100644 index 0000000..a3854d0 --- /dev/null +++ b/roles/kibana/defaults/main.yml @@ -0,0 +1,15 @@ +--- + +# +# All variables exposed to the Kibana role. +# + +# +# Role variables +# + + + +# +# Configuration file variables +# diff --git a/roles/kibana/handlers/main.yml b/roles/kibana/handlers/main.yml new file mode 100644 index 0000000..2afd799 --- /dev/null +++ b/roles/kibana/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for kibana \ No newline at end of file 
diff --git a/roles/kibana/meta/main.yml b/roles/kibana/meta/main.yml
new file mode 100644
index 0000000..5d50bf4
--- /dev/null
+++ b/roles/kibana/meta/main.yml
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/kibana/tasks/install-repo.yml b/roles/kibana/tasks/install-repo.yml new file mode 100644 index 0000000..c4504a6 --- /dev/null +++ b/roles/kibana/tasks/install-repo.yml @@ -0,0 +1,29 @@ +--- + +- name: Install Elastic GPG Key + become: true + apt_key: + url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" + state: present + id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 + +- name: Install apt-transport-https + become: true + apt: + name: apt-transport-https + +- name: Add Elastic Repo + become: true + copy: + dest: '/etc/apt/sources.list.d/elastic-7.x.list' + content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" + # copy: + #src: elastic-7.x.list + # dest: /etc/apt/sources.list.d/ + # backup: yes + +- name: Update Packages + become: true + apt: + update_cache: true + diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml new file mode 100644 index 0000000..442e090 --- /dev/null +++ b/roles/kibana/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for kibana \ No newline at end of file diff --git a/playbook/linux/elastic/kibana.j2 b/roles/kibana/templates/kibana.j2 similarity index 100% rename from playbook/linux/elastic/kibana.j2 rename to roles/kibana/templates/kibana.j2 diff --git a/roles/kibana/tests/inventory b/roles/kibana/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/kibana/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/kibana/tests/test.yml b/roles/kibana/tests/test.yml new file mode 100644 index 0000000..4ca1352 --- /dev/null +++ b/roles/kibana/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - kibana \ No newline at end of file diff --git a/roles/kibana/vars/main.yml b/roles/kibana/vars/main.yml new file mode 100644 index 0000000..b9a456a --- /dev/null +++ b/roles/kibana/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for kibana \ No newline at end of file 
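Review bot: roles/kibana/tasks/install-repo.yml is a verbatim copy of the elasticsearch role's file, down to the commented-out `copy: src:` block, so the GPG key fingerprint and the repository line must now be kept in sync in two roles. Move the four tasks into a small shared role (e.g. `elastic_repo`) and list it under `dependencies:` in both roles' meta/main.yml. Note that roles/kibana/tasks/main.yml added on this line contains only a comment, so the kibana role currently runs no tasks when applied.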
From b27e8dda285adce25299f3a3102ea0a87f8bde65 Mon Sep 17 00:00:00 2001 From: James Tombleson Date: Fri, 26 Apr 2019 16:01:55 -0700 Subject: [PATCH 09/19] Moved Kibana to a role Untested but should be moved over. --- playbook/linux/elastic/config-kibana.yml | 3 +- playbook/linux/elastic/role-test.yml | 10 ++++++ roles/kibana/defaults/main.yml | 24 ++++++++++++++ roles/kibana/tasks/ubuntu.yml | 42 ++++++++++++++++++++++++ roles/kibana/templates/kibana.j2 | 8 ++--- 5 files changed, 81 insertions(+), 6 deletions(-) create mode 100644 roles/kibana/tasks/ubuntu.yml diff --git a/playbook/linux/elastic/config-kibana.yml b/playbook/linux/elastic/config-kibana.yml index e507c78..49c8c58 100644 --- a/playbook/linux/elastic/config-kibana.yml +++ b/playbook/linux/elastic/config-kibana.yml @@ -19,5 +19,4 @@ - name: systemd - restart Kibana become: true systemd: - name: kibana - state: restarted + name: kiband diff --git a/playbook/linux/elastic/role-test.yml b/playbook/linux/elastic/role-test.yml index 68fb5bc..aff8c2d 100644 --- a/playbook/linux/elastic/role-test.yml +++ b/playbook/linux/elastic/role-test.yml @@ -13,3 +13,13 @@ systemd_enabled: true systemd_restart: true + - name: install kibana + import_role: + name: kibana + vars: + server_port: 5601 + server_host: ansible_default_ipv4.address + server_name: ansible_hostname + elasticsearch_hosts: + - http://192.168.0.173:9200 + diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index a3854d0..15e4a89 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml 
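Review bot: the `systemd - restart Kibana` task in config-kibana.yml now reads `name: kiband` with `state: restarted` removed, so it names a unit that does not exist and no longer requests any action; as far as I recall the systemd module requires one of `state`, `enabled`, `masked` or `daemon_reload`, so the play would fail here rather than restart Kibana. Restore `name: kibana` and `state: restarted`. The enclosing task list starts outside the hunk.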
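Review bot: in role-test.yml, `server_host: ansible_default_ipv4.address` and `server_name: ansible_hostname` are literal strings rather than fact lookups, so Kibana would be told to bind to a host literally named `ansible_default_ipv4.address`; write them as `server_host: "{{ ansible_default_ipv4.address }}"` and `server_name: "{{ ansible_hostname }}"`. `elasticsearch_hosts` hard-codes `http://192.168.0.173:9200`; deriving the list from the inventory (the `elastic` group the play targets) keeps the test playbook portable.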
@@ -8,8 +8,32 @@ # Role variables # +# Allow 5601 though UFW +ufw_server_port: false +# systemd - enable Kibana on startup +systemd_enabled: false + +# systemd - restart Kibana +systemd_restart: false # # Configuration file variables # + +# Defines that port that Kibana will listen on +# Default: 5601 +server_port: 5601 + +# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. +# The default is 'localhost', which usually means remote machines will not be able to connect. +# To allow connections from remote users, set this parameter to a non-loopback address. +server_host: localhost + +# The Kibana server's name. This is used for display purposes. +server_name: {{ ansible_hostname }} + +# The URLs of the Elasticsearch instances to use for all your queries. +elasticsearch_hosts: + - localhost + - server02 diff --git a/roles/kibana/tasks/ubuntu.yml b/roles/kibana/tasks/ubuntu.yml new file mode 100644 index 0000000..6086ed5 --- /dev/null +++ b/roles/kibana/tasks/ubuntu.yml @@ -0,0 +1,42 @@ + +# This handles the install and configuration for ubuntu based computers. + +- name: Install Elastic Repo + include: install-repo.yml + +- name: Intall Kibana from APT + become: true + apt: + name: kibana + +- name: Update Kibana config from template + become: true + template: + src: kibana.j2 + dest: /etc/kibana/kibana.yml + backup: true + +- name: Allow 5601 though UFW + when: ufw_server_port == true_ + become: true + ufw: + rule: allow + port: server_port + +- name: systemd - daemon reload + become: true + systemd: + daemon_reload: yes + +- name: systemd - enable Kibana on startup + when: systemd_enabled == true + become: true + systemd: + name: kibana + enabled: yes + +- name: systemd - restart Kibana + when: systemd_restart == true + become: true + systemd: + name: kiband diff --git a/roles/kibana/templates/kibana.j2 b/roles/kibana/templates/kibana.j2 index 234a051..ee09b97 100644 --- a/roles/kibana/templates/kibana.j2 
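Review bot: `server_name: {{ ansible_hostname }}` in defaults/main.yml is unquoted, so the YAML loader reads `{{` as the start of a flow mapping and the role fails to load before any task runs; write it as `server_name: "{{ ansible_hostname }}"`. The `elasticsearch_hosts` defaults (`localhost`, `server02`) are bare hostnames with no scheme or port, whereas Kibana expects full URLs such as `http://localhost:9200`; either give real URLs or ship an empty list so callers must supply one. Minor: the comment `# Allow 5601 though UFW` should read `through`.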
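Review bot: ubuntu.yml has three defects that stop the role from working: `when: ufw_server_port == true_` compares against an undefined variable `true_` (the conditional errors out), `port: server_port` hands the literal string `server_port` to the ufw module instead of the port number, and the restart task targets a unit `kiband` with no `state:`. Beyond the typos, the UFW rule opens 5601 to every source; in a lab that may be intended, but a `src:` restriction and `proto: tcp` keep the unauthenticated Kibana port from being reachable network-wide. Rewritten tasks below; the daemon-reload and enable tasks between them are unchanged.

```yaml
- name: Allow Kibana port through UFW
  when: ufw_server_port | bool
  become: true
  ufw:
    rule: allow
    port: "{{ server_port }}"
    proto: tcp
    # consider src: <admin network CIDR> so 5601 is not exposed to every peer

# … unchanged: systemd daemon reload and enable tasks …

- name: systemd - restart Kibana
  when: systemd_restart | bool
  become: true
  systemd:
    name: kibana
    state: restarted
```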
+++ b/roles/kibana/templates/kibana.j2 @@ -1,14 +1,14 @@ # Kibana is served by a back end server. This setting specifies the port to use. #server.port: 5601 -server.port: {{ k_server_port }} +server.port: {{ server_port }} # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. # The default is 'localhost', which usually means remote machines will not be able to connect. # To allow connections from remote users, set this parameter to a non-loopback address. #server.host: "192.168.0.173" -server.host: {{ ansible_default_ipv4.address }} +server.host: {{ server_host }} # Enables you to specify a path to mount Kibana at if you are running behind a proxy. # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath @@ -26,12 +26,12 @@ server.host: {{ ansible_default_ipv4.address }} #server.maxPayloadBytes: 1048576 # The Kibana server's name. This is used for display purposes. -server.name: {{ ansible_hostname }} +server.name: {{ server_name }} # The URLs of the Elasticsearch instances to use for all your queries. #elasticsearch.hosts: ["http://localhost:9200"] elasticsearch.hosts: [ - {{ k_elasticsearch_hosts }} + {{ elasticsearch_hosts }} ] # When this setting's value is true Kibana uses the hostname specified in the server.host From b7facd7394b1252cbb62b816232ad19e9a47960e Mon Sep 17 00:00:00 2001 
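Review bot: `elasticsearch.hosts: [ {{ elasticsearch_hosts }} ]` renders the variable with Jinja's default string conversion; role-test.yml passes a list, so the output becomes `[ ['http://...'] ]`, a nested list Kibana rejects. Render it as JSON instead — `elasticsearch.hosts: {{ elasticsearch_hosts | to_json }}` — which is valid YAML for Kibana and handles one or many hosts. Separately, the visible part of the template sets no `server.ssl.*`, `elasticsearch.ssl.*` or `elasticsearch.username`/`password` keys, so whatever URLs are passed, the connection runs without TLS or authentication unless the unseen remainder of the template provides them.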
From: James Tombleson Date: Mon, 29 Apr 2019 07:08:11 -0700 Subject: [PATCH 10/19] Role Adjustments Added Sensu Moved default role downloads to ./roles Added unattended-upgrades --- ansible.cfg | 2 +- playbook/linux/auto-securityupdates.yml | 16 + .../sensu_ssl_tool/client/cert.pem | 18 + .../sensu_ssl_tool/client/key.pem | 27 ++ .../sensu_ssl_tool/sensu_ca/cacert.pem | 17 + .../sensu_ssl_tool/server/cert.pem | 18 + .../sensu_ssl_tool/server/key.pem | 27 ++ playbook/linux/elastic/role-test.yml | 3 +- playbook/linux/sensu-test.yml | 19 + roles/jnv.unattended-upgrades/.editorconfig | 9 + roles/jnv.unattended-upgrades/.gitignore | 3 + roles/jnv.unattended-upgrades/.travis.yml | 16 + roles/jnv.unattended-upgrades/LICENSE | 339 ++++++++++++++++++ roles/jnv.unattended-upgrades/README.md | 180 ++++++++++ .../jnv.unattended-upgrades/defaults/main.yml | 122 +++++++ .../jnv.unattended-upgrades/handlers/main.yml | 2 + .../meta/.galaxy_install_info | 2 + roles/jnv.unattended-upgrades/meta/main.yml | 38 ++ roles/jnv.unattended-upgrades/tasks/main.yml | 2 + .../jnv.unattended-upgrades/tasks/reboot.yml | 9 + .../tasks/unattended-upgrades.yml | 34 ++ .../templates/auto-upgrades.j2 | 25 ++ .../templates/unattended-upgrades.j2 | 106 ++++++ .../jnv.unattended-upgrades/tests/ansible.cfg | 3 + roles/jnv.unattended-upgrades/tests/inventory | 1 + .../tests/requirements.yml | 3 + roles/jnv.unattended-upgrades/tests/test.sh | 29 ++ roles/jnv.unattended-upgrades/tests/test.yml | 70 ++++ .../vars/Debian-wheezy.yml | 11 + roles/jnv.unattended-upgrades/vars/Debian.yml | 3 + roles/jnv.unattended-upgrades/vars/Ubuntu.yml | 3 + roles/kibana/defaults/main.yml | 3 +- roles/sensu.sensu/.gitattributes | 6 + roles/sensu.sensu/.gitignore | 4 + roles/sensu.sensu/.yamllint | 11 + roles/sensu.sensu/CHANGELOG.md | 194 ++++++++++ roles/sensu.sensu/LICENSE | 18 + roles/sensu.sensu/README.md | 85 +++++ roles/sensu.sensu/defaults/main.yml | 126 +++++++ roles/sensu.sensu/handlers/main.yml | 69 ++++ 
roles/sensu.sensu/meta/.galaxy_install_info | 2 + roles/sensu.sensu/meta/main.yml | 39 ++ roles/sensu.sensu/tasks/Amazon/dashboard.yml | 21 ++ roles/sensu.sensu/tasks/Amazon/main.yml | 30 ++ roles/sensu.sensu/tasks/Amazon/rabbit.yml | 66 ++++ roles/sensu.sensu/tasks/Amazon/redis.yml | 29 ++ roles/sensu.sensu/tasks/CentOS/dashboard.yml | 41 +++ roles/sensu.sensu/tasks/CentOS/main.yml | 83 +++++ roles/sensu.sensu/tasks/CentOS/rabbit.yml | 66 ++++ roles/sensu.sensu/tasks/CentOS/redis.yml | 29 ++ roles/sensu.sensu/tasks/Debian/dashboard.yml | 21 ++ roles/sensu.sensu/tasks/Debian/main.yml | 41 +++ roles/sensu.sensu/tasks/Debian/rabbit.yml | 53 +++ roles/sensu.sensu/tasks/Debian/redis.yml | 26 ++ roles/sensu.sensu/tasks/Fedora/dashboard.yml | 1 + roles/sensu.sensu/tasks/Fedora/main.yml | 1 + roles/sensu.sensu/tasks/Fedora/rabbit.yml | 66 ++++ roles/sensu.sensu/tasks/Fedora/redis.yml | 27 ++ roles/sensu.sensu/tasks/FreeBSD/dashboard.yml | 86 +++++ roles/sensu.sensu/tasks/FreeBSD/main.yml | 53 +++ roles/sensu.sensu/tasks/FreeBSD/rabbit.yml | 14 + roles/sensu.sensu/tasks/FreeBSD/redis.yml | 25 ++ roles/sensu.sensu/tasks/OpenBSD/dashboard.yml | 86 +++++ roles/sensu.sensu/tasks/OpenBSD/main.yml | 69 ++++ roles/sensu.sensu/tasks/OpenBSD/rabbit.yml | 14 + roles/sensu.sensu/tasks/OpenBSD/redis.yml | 25 ++ roles/sensu.sensu/tasks/OracleLinux | 1 + roles/sensu.sensu/tasks/RedHat | 1 + roles/sensu.sensu/tasks/SmartOS/client.yml | 23 ++ roles/sensu.sensu/tasks/SmartOS/dashboard.yml | 96 +++++ roles/sensu.sensu/tasks/SmartOS/main.yml | 36 ++ roles/sensu.sensu/tasks/SmartOS/rabbit.yml | 14 + roles/sensu.sensu/tasks/SmartOS/redis.yml | 12 + roles/sensu.sensu/tasks/SmartOS/server.yml | 32 ++ roles/sensu.sensu/tasks/Ubuntu/dashboard.yml | 21 ++ roles/sensu.sensu/tasks/Ubuntu/main.yml | 35 ++ roles/sensu.sensu/tasks/Ubuntu/rabbit.yml | 53 +++ roles/sensu.sensu/tasks/Ubuntu/redis.yml | 33 ++ roles/sensu.sensu/tasks/client.yml | 28 ++ roles/sensu.sensu/tasks/common.yml | 57 +++ 
roles/sensu.sensu/tasks/dashboard.yml | 12 + roles/sensu.sensu/tasks/main.yml | 45 +++ roles/sensu.sensu/tasks/plugins.yml | 152 ++++++++ roles/sensu.sensu/tasks/rabbit.yml | 76 ++++ roles/sensu.sensu/tasks/redis.yml | 14 + roles/sensu.sensu/tasks/server.yml | 44 +++ roles/sensu.sensu/tasks/ssl.yml | 31 ++ roles/sensu.sensu/tasks/ssl_generate.yml | 129 +++++++ roles/sensu.sensu/templates/client.json.j2 | 15 + .../templates/erlang-apt-preferences.j2 | 4 + roles/sensu.sensu/templates/openssl.cnf.j2 | 56 +++ .../sensu.sensu/templates/rabbitmq.config.j2 | 16 + roles/sensu.sensu/templates/sensu-api.json.j2 | 10 + .../sensu-api.smartos_smf_manifest.xml.j2 | 32 ++ .../sensu-client.smartos_smf_manifest.xml.j2 | 32 ++ .../templates/sensu-freebsd-repo.conf.j2 | 5 + .../templates/sensu-rabbitmq.json.j2 | 15 + .../sensu.sensu/templates/sensu-redis.json.j2 | 14 + .../sensu-server.smartos_smf_manifest.xml.j2 | 32 ++ .../templates/sensu-tessen.json.j2 | 5 + .../sensu_enterprise_dashboard_config.json.j2 | 19 + .../templates/sensuclient_openbsd.j2 | 13 + roles/sensu.sensu/templates/transport.json.j2 | 6 + roles/sensu.sensu/templates/uchiwa.sh.j2 | 25 ++ .../uchiwa.smartos_smf_manifest.xml.j2 | 32 ++ .../templates/uchiwa_config.json.j2 | 29 ++ roles/sensu.sensu/templates/uchiwa_freebsd.j2 | 27 ++ roles/sensu.sensu/vars/Amazon.yml | 20 ++ roles/sensu.sensu/vars/CentOS.yml | 13 + roles/sensu.sensu/vars/Debian.yml | 14 + roles/sensu.sensu/vars/Fedora.yml | 12 + roles/sensu.sensu/vars/FreeBSD.yml | 14 + roles/sensu.sensu/vars/OpenBSD.yml | 16 + roles/sensu.sensu/vars/OracleLinux.yml | 1 + roles/sensu.sensu/vars/RedHat.yml | 1 + roles/sensu.sensu/vars/SmartOS.yml | 10 + roles/sensu.sensu/vars/Ubuntu.yml | 15 + 117 files changed, 4131 insertions(+), 4 deletions(-) create mode 100644 playbook/linux/auto-securityupdates.yml create mode 100644 playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/cert.pem create mode 100644 
playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/key.pem create mode 100644 playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem create mode 100644 playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/cert.pem create mode 100644 playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/key.pem create mode 100644 playbook/linux/sensu-test.yml create mode 100644 roles/jnv.unattended-upgrades/.editorconfig create mode 100644 roles/jnv.unattended-upgrades/.gitignore create mode 100644 roles/jnv.unattended-upgrades/.travis.yml create mode 100644 roles/jnv.unattended-upgrades/LICENSE create mode 100644 roles/jnv.unattended-upgrades/README.md create mode 100644 roles/jnv.unattended-upgrades/defaults/main.yml create mode 100644 roles/jnv.unattended-upgrades/handlers/main.yml create mode 100644 roles/jnv.unattended-upgrades/meta/.galaxy_install_info create mode 100644 roles/jnv.unattended-upgrades/meta/main.yml create mode 100644 roles/jnv.unattended-upgrades/tasks/main.yml create mode 100644 roles/jnv.unattended-upgrades/tasks/reboot.yml create mode 100644 roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml create mode 100644 roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 create mode 100644 roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 create mode 100644 roles/jnv.unattended-upgrades/tests/ansible.cfg create mode 100644 roles/jnv.unattended-upgrades/tests/inventory create mode 100644 roles/jnv.unattended-upgrades/tests/requirements.yml create mode 100755 roles/jnv.unattended-upgrades/tests/test.sh create mode 100644 roles/jnv.unattended-upgrades/tests/test.yml create mode 100644 roles/jnv.unattended-upgrades/vars/Debian-wheezy.yml create mode 100644 roles/jnv.unattended-upgrades/vars/Debian.yml create mode 100644 roles/jnv.unattended-upgrades/vars/Ubuntu.yml create mode 100644 
roles/sensu.sensu/.gitattributes create mode 100644 roles/sensu.sensu/.gitignore create mode 100644 roles/sensu.sensu/.yamllint create mode 100644 roles/sensu.sensu/CHANGELOG.md create mode 100644 roles/sensu.sensu/LICENSE create mode 100644 roles/sensu.sensu/README.md create mode 100644 roles/sensu.sensu/defaults/main.yml create mode 100644 roles/sensu.sensu/handlers/main.yml create mode 100644 roles/sensu.sensu/meta/.galaxy_install_info create mode 100644 roles/sensu.sensu/meta/main.yml create mode 100644 roles/sensu.sensu/tasks/Amazon/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/Amazon/main.yml create mode 100644 roles/sensu.sensu/tasks/Amazon/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/Amazon/redis.yml create mode 100644 roles/sensu.sensu/tasks/CentOS/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/CentOS/main.yml create mode 100644 roles/sensu.sensu/tasks/CentOS/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/CentOS/redis.yml create mode 100644 roles/sensu.sensu/tasks/Debian/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/Debian/main.yml create mode 100644 roles/sensu.sensu/tasks/Debian/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/Debian/redis.yml create mode 120000 roles/sensu.sensu/tasks/Fedora/dashboard.yml create mode 120000 roles/sensu.sensu/tasks/Fedora/main.yml create mode 100644 roles/sensu.sensu/tasks/Fedora/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/Fedora/redis.yml create mode 100644 roles/sensu.sensu/tasks/FreeBSD/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/FreeBSD/main.yml create mode 100644 roles/sensu.sensu/tasks/FreeBSD/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/FreeBSD/redis.yml create mode 100644 roles/sensu.sensu/tasks/OpenBSD/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/OpenBSD/main.yml create mode 100644 roles/sensu.sensu/tasks/OpenBSD/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/OpenBSD/redis.yml create mode 120000 
roles/sensu.sensu/tasks/OracleLinux create mode 120000 roles/sensu.sensu/tasks/RedHat create mode 100644 roles/sensu.sensu/tasks/SmartOS/client.yml create mode 100644 roles/sensu.sensu/tasks/SmartOS/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/SmartOS/main.yml create mode 100644 roles/sensu.sensu/tasks/SmartOS/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/SmartOS/redis.yml create mode 100644 roles/sensu.sensu/tasks/SmartOS/server.yml create mode 100644 roles/sensu.sensu/tasks/Ubuntu/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/Ubuntu/main.yml create mode 100644 roles/sensu.sensu/tasks/Ubuntu/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/Ubuntu/redis.yml create mode 100644 roles/sensu.sensu/tasks/client.yml create mode 100644 roles/sensu.sensu/tasks/common.yml create mode 100644 roles/sensu.sensu/tasks/dashboard.yml create mode 100644 roles/sensu.sensu/tasks/main.yml create mode 100644 roles/sensu.sensu/tasks/plugins.yml create mode 100644 roles/sensu.sensu/tasks/rabbit.yml create mode 100644 roles/sensu.sensu/tasks/redis.yml create mode 100644 roles/sensu.sensu/tasks/server.yml create mode 100644 roles/sensu.sensu/tasks/ssl.yml create mode 100644 roles/sensu.sensu/tasks/ssl_generate.yml create mode 100644 roles/sensu.sensu/templates/client.json.j2 create mode 100644 roles/sensu.sensu/templates/erlang-apt-preferences.j2 create mode 100644 roles/sensu.sensu/templates/openssl.cnf.j2 create mode 100644 roles/sensu.sensu/templates/rabbitmq.config.j2 create mode 100644 roles/sensu.sensu/templates/sensu-api.json.j2 create mode 100644 roles/sensu.sensu/templates/sensu-api.smartos_smf_manifest.xml.j2 create mode 100644 roles/sensu.sensu/templates/sensu-client.smartos_smf_manifest.xml.j2 create mode 100644 roles/sensu.sensu/templates/sensu-freebsd-repo.conf.j2 create mode 100644 roles/sensu.sensu/templates/sensu-rabbitmq.json.j2 create mode 100644 roles/sensu.sensu/templates/sensu-redis.json.j2 create mode 100644 
roles/sensu.sensu/templates/sensu-server.smartos_smf_manifest.xml.j2 create mode 100644 roles/sensu.sensu/templates/sensu-tessen.json.j2 create mode 100644 roles/sensu.sensu/templates/sensu_enterprise_dashboard_config.json.j2 create mode 100644 roles/sensu.sensu/templates/sensuclient_openbsd.j2 create mode 100644 roles/sensu.sensu/templates/transport.json.j2 create mode 100644 roles/sensu.sensu/templates/uchiwa.sh.j2 create mode 100644 roles/sensu.sensu/templates/uchiwa.smartos_smf_manifest.xml.j2 create mode 100644 roles/sensu.sensu/templates/uchiwa_config.json.j2 create mode 100644 roles/sensu.sensu/templates/uchiwa_freebsd.j2 create mode 100644 roles/sensu.sensu/vars/Amazon.yml create mode 100644 roles/sensu.sensu/vars/CentOS.yml create mode 100644 roles/sensu.sensu/vars/Debian.yml create mode 100644 roles/sensu.sensu/vars/Fedora.yml create mode 100644 roles/sensu.sensu/vars/FreeBSD.yml create mode 100644 roles/sensu.sensu/vars/OpenBSD.yml create mode 120000 roles/sensu.sensu/vars/OracleLinux.yml create mode 120000 roles/sensu.sensu/vars/RedHat.yml create mode 100644 roles/sensu.sensu/vars/SmartOS.yml create mode 100644 roles/sensu.sensu/vars/Ubuntu.yml diff --git a/ansible.cfg b/ansible.cfg index b605092..8b184d5 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -65,7 +65,7 @@ local_tmp = ~/.ansible/tmp # inject_facts_as_vars = True # additional paths to search for roles in, colon separated -roles_path = /etc/ansible/roles:./roles/ +roles_path = ./roles/:/etc/ansible/roles # uncomment this to disable SSH key host checking #host_key_checking = False diff --git a/playbook/linux/auto-securityupdates.yml b/playbook/linux/auto-securityupdates.yml new file mode 100644 index 0000000..3a13640 --- /dev/null +++ b/playbook/linux/auto-securityupdates.yml 
@@ -0,0 +1,16 @@ + +--- + +- name: enable + hosts: linux + + tasks: + - name: unattended-upgrades + become: true + include_role: + name: jnv.unattended-upgrades + vars: + #unattended_package_blacklist: [] + unattended_automatic_reboot: true + + diff --git a/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/cert.pem b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/cert.pem new file mode 100644 index 0000000..0db1db3 --- /dev/null +++ b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/cert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdTZW5z +dUNBMB4XDTE5MDQyODE3NTMwMloXDTI0MDQyNjE3NTMwMlowITEOMAwGA1UEAwwF +c2Vuc3UxDzANBgNVBAoMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMBFLZ/mgAOdKJ2YUkqzjZHKsRyvNxixX9I3LWXJCMfFnWuUOLau5UaE +rS6ZbtO1N4djsi6xSyBhPSu2hjPt9KgniTesaKZDwlLO2HLrOpUpmKPPpLxnBym9 +m/nXWaeuTLAnnNtP/wU4Jwvp1u9qMu5tIYdy+hTd5LJSQcfjgrt5ydHzLbwn9UyE +2pcMawEgOaoywY9i6Ofhfsr5hwLkR3/3VS5PfJ2sVsO0Ks2vBW091BaQSwQAarpR +ExMHmTrcHoHtWFI0RiFxZ+MoakL5380VSmzhAs8QPxYWYc3PLndhYt4pH6TLcCOF +LpY8qk6S/acHuWHgdl+GIgyk5jKqnkECAwEAAaMvMC0wCQYDVR0TBAIwADALBgNV +HQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEB +AG/MiB8QHvJlGrF1Xa5UHs/ykFJj1n+JzeniC5p3nApnRmpgi9KNlDZqRXjotuww +uvaDlsRpFp+X4NukUUR8aUUZpwYbIm/wgXJ376Su0nUmpFmCU2TrGkk/cMeqbAen +OYe5WZxsmJnmmkwhHLybrvha/vsCTNV6GY2JcHNhI8R7Uvwna48ueg7/WBQ5oXqZ +zdYXMaFD2ioBFaYZqVifWv+5d1av2VBveX1V5p7ZZ3LHsvNS8/eVWufu5I4mwJI9 +GRPakzY0emL9ZBbtsZtsNA7IA6w4l4WeQtu1DHPc2iYO+JwfpeUNVX65ANSicqjC +ibyhYEZs3qI/rb3WPXy6l0I= +-----END CERTIFICATE----- diff --git a/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/key.pem b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/key.pem new file mode 100644 index 0000000..3ca2917 --- /dev/null 
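Review bot: `unattended_automatic_reboot: true` with no reboot time means each host in `linux` reboots as soon as an upgrade requests it, whenever the apt timer happens to fire; with the Elasticsearch, Kibana and Sensu hosts in the same group there is no staggering, so several nodes can go down together. If the vendored role exposes a reboot-time variable (it appears to be `unattended_automatic_reboot_time` in jnv.unattended-upgrades' defaults, outside this chunk — verify), set it to a maintenance window, e.g. `unattended_automatic_reboot_time: "03:00"`, or keep automatic reboots off for the cluster nodes and reboot them from a controlled play. The blank lines before `---` are harmless but yamllint's document-start rule will flag them.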
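Review bot: The committed client certificate appears to be signed with sha1WithRSAEncryption (decoding the DER, the signature algorithm OID is 1.2.840.113549.1.1.5) and carries a roughly five-year validity; newer RabbitMQ/Erlang TLS stacks may refuse SHA-1 signatures, and the CA certificate in this same commit looks to be signed the same way, so the whole chain should be regenerated with SHA-256 and shorter lifetimes. The certificate itself is public, but it is committed next to its private key (following hunk), which is the real problem. The `data/store/192.168.0.60/...` layout looks like a fetched copy of the host's `/etc/sensu/ssl_generation` tree — if so, that directory should be gitignored rather than committed.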
+++ b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwEUtn+aAA50onZhSSrONkcqxHK83GLFf0jctZckIx8Wda5Q4 +tq7lRoStLplu07U3h2OyLrFLIGE9K7aGM+30qCeJN6xopkPCUs7Ycus6lSmYo8+k +vGcHKb2b+ddZp65MsCec20//BTgnC+nW72oy7m0hh3L6FN3kslJBx+OCu3nJ0fMt +vCf1TITalwxrASA5qjLBj2Lo5+F+yvmHAuRHf/dVLk98naxWw7Qqza8FbT3UFpBL +BABqulETEweZOtwege1YUjRGIXFn4yhqQvnfzRVKbOECzxA/FhZhzc8ud2Fi3ikf +pMtwI4UuljyqTpL9pwe5YeB2X4YiDKTmMqqeQQIDAQABAoIBAFxnovLLa9DQ0jlT +gJFIVAyydoaLqxYiASRdwmK9yIuCbRLL7KnXyncmwri3ouz6lhJqlrMcIDgSo7yD +f2Irxb6fKbJpGO53eEgmAx7P8JrJoANygwDNH0MvTmw31G3jNhYfI6K/gpf2kcWG +//aWep3eMxQO7SPkNMqC//xaWnVQ0FLigNQjyFlgQrIZ3L4x7qFxcrkvTUIODGio +R6hs7fECwXZkvLB28//tiwLEuOHnWGkG64fDebXUBDHsFhY/ObtA9vJITGY2GlUi +1KFt9ZJd1JdMoV7EH5IwnA5YUN1NOtb5bwRaCddCMFH2lWsjzV1hNTZ9MzNyFqIF +eolkKKUCgYEA6xR0LR3/stMPOWvgdaiXACHsH2hLx7Yh1vOf97eBbdUgiqjeL7DW +mUmXIBLOQwrKMWNX0+DAqeuY80ESBmQ5KhRR/Sws2FMXGcqgyNPdJYAruif8y4z9 +0fGdvES1Fe12lOzyfPJclJi6doglyTjoJS5KGXUz8womJH4eiWZd+98CgYEA0WFx +SPttK8Oi9zKxh/6YzpvOaABm6pCUslg79smhPGdhj4M0sO1sS4KzOBBolcplT9e6 +T1awh7ML44dowIFuQ0FgySnz5ogZt6xnqGv6bbfSVbMNpU4B9O4tJ2z16uFOXDeM +f0tS55fcbspJ1Dylc+ndyAurd5E/8z/2BnU6qd8CgYADs6bAryA/qKMsvE4kjCsU +jXQyamoHEw8lW2DBfdpD6H9Cr7YP+jDm6QnAL4uf8qOMc4wGghuGkXcvHW8zOpDL +4NYJrpBmN6i9dztg7jUlSgdmPwr0CZxVmgBp3osbdUnQvopy/T4H+P+2rh4qNQMy +0q/IBthyk05WdMX2U+5W8QKBgFSBwqpVKBvYyyaAZFziKiSBiA47003q6skMia8y +dAwgIaU9rH+YY/QaHWGMZdnHJZrTFBQ/heJPJoY/ucywsKMeeQTYFOO/nLmgMPou +EpZD8fW63dARKwMDOmBGPv78zpazqNYbvatRhJuGs8OgcprVEjlSVHNewXPZJeA3 +YmT7AoGAJuMaSA6oZqn0uKJD0FDwIl4j0RfVhPJHe9Um1G1K2FpZ3DV705kcwx1t +IUu9pHLFJubwpkQFiERX/6BRbjbp4oZhpPLcLRec5nXTT8LHoiCBMaQW2RtnDMeW +XKt2xyhGFp0Drw4vWV0Nr8fJbuBbAqviZTQnBtj7ZJ41KRV1mU4= +-----END RSA PRIVATE KEY----- 
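Review bot: This hunk commits the Sensu client's RSA private key in the clear (`-----BEGIN RSA PRIVATE KEY-----`), so anyone with read access to the repository or its history holds the credential clients use to authenticate to the transport. Treat the key as compromised: rotate it (and, since the CA certificate and server key are committed alongside, regenerate the whole Sensu PKI), remove the file from git history rather than just deleting it, and keep future key material out of the tree — either fetch it at run time or store it encrypted with `ansible-vault`. Adding `playbook/linux/data/store/` to `.gitignore` would prevent a repeat.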
diff --git a/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem new file mode 100644 index 0000000..73b717b --- /dev/null +++ b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAgIJAPX7448uFrdyMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV +BAMMB1NlbnN1Q0EwHhcNMTkwNDI4MTc1MjU3WhcNMjQwNDI2MTc1MjU3WjASMRAw +DgYDVQQDDAdTZW5zdUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +sI4ptnAIEJISxDYMVZIi6vF6GcnzXDyXl4Et9m86QF9+Zyfe4zomGDnfp7wfhddS +6asPHMxcgXi9itY6qr33lzdDL4SaMysS/VwWLBwhmdl2hEELPvUKHBF96iyfuq4A +lsQ3lAXr/3uqXdODNo38hGaxrK2n1ocKFEKZrGlmrFDvfYKJz1cYlDh5u0ghjJGQ +E/MCDeQzGNOjcbSbNUo5nMR8P6nzPcMDHjtA0OS4DXSijvjibHPhZ/NU9KgoTz9W +oL8FoePlL6Zq6cwiEKCOUsqivIPbM3nGGNkPBHmSE0dnYXn0le+LK3rkNX60ZdwE +fqisAIaHSVQWVlTw4J8xlQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAp1MPCS8tKdUGrT07yHosw7+Gxc++/ylM +cmS9GLiwAfU4VU4QEy97ipL4K8VLWbrGVvJSpgxAApLA0jX7R2UcYTYeTk9ikuto +BeQRxcj6QdR8BKD4N7Qtje6jBVMJ6Ssky3Kj1XXcEQu4iZx9uZCX2yeCeozXaLtS ++Tw3r9NjgIXGvhLCp64JTC+rL74S7cMwAIW5YBRy/K4uBdLKBcjYIi7VQnivsfGu +J2+28+kfNw7nNWBdVWtBf6MoJQNEDvpx+HGRBCJoSlgw+GTRgbgCqEPJrXBdbamU +SDJtCEdYonQqUCqqCI083ckx8c31YBg1COTZBQnWQiYVpcIfXG7j/A== +-----END CERTIFICATE----- diff --git a/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/cert.pem b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/cert.pem new file mode 100644 index 0000000..de6105d --- /dev/null +++ b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/cert.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdTZW5z +dUNBMB4XDTE5MDQyODE3NTI1OVoXDTI0MDQyNjE3NTI1OVowITEOMAwGA1UEAwwF +c2Vuc3UxDzANBgNVBAoMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALEltlZMg7u1rqFbnljmD+IeiVeRt0zzRiCEpjvQ4t+bBjT5onPAOxYI +Q1d3MdPJqA+lyCRP/sXcEKa1l14UDj50WEruK0VqXKL+e2ETeJi4kJb8k8ansCAI +Ask5Ok2d8bTSQLzJBCkjwvR5kfG49R5wfJFDSA3WLfTHq1myRibJIMgbFGB2UP3Q +yyljZWn04IO72yWhK413CxwnwXKsIFT5/z0hVGZMr5wDWpfhBhtBi6uxqeKG3Zyy +CV/f3yUcOL+A9yoxPu155TNYfvmz1rqarTeuOJJJU7TtAiHmue8OhkfRFanBBYj9 +hSOGPdLB9eKzoWsS8vLKLUTwaQwZ9IsCAwEAAaMvMC0wCQYDVR0TBAIwADALBgNV +HQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEB +ABPZUxDIGJ6C8hu1aOj5sY/r8yphotSnPVkghBTGVJbjmGHSci+IGbHX6yemVYvH +mQWKI8qBdroiIpCOpMVvmG6oUR4s+h/vdKuDoy/x3lRZjJDQiReAGKwwyeiG++wJ +x6eSCDGqcIWvk72Zgd+OGym3JGrDpU7ofat+ncqtIunAOh7rhQlyRJ42wYZpWDIi +Aass4yn16aYhF/PppUIsBYrWk1UUlKbXOF/Z7WOG4Hg6h5HwwtJZq/PGsSzJqd/O +s6XI8Am1pU9PwLwWm9Vad44OhTNWGxsidboUCxNa7Yc7p5CkAqT+Z2Lf7RfvgmcX +SUCwSN9REpYGV3k9l47eljY= +-----END CERTIFICATE----- diff --git a/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/key.pem b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/key.pem new file mode 100644 index 0000000..7603fc1 --- /dev/null +++ b/playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAsSW2VkyDu7WuoVueWOYP4h6JV5G3TPNGIISmO9Di35sGNPmi +c8A7FghDV3cx08moD6XIJE/+xdwQprWXXhQOPnRYSu4rRWpcov57YRN4mLiQlvyT +xqewIAgCyTk6TZ3xtNJAvMkEKSPC9HmR8bj1HnB8kUNIDdYt9MerWbJGJskgyBsU +YHZQ/dDLKWNlafTgg7vbJaErjXcLHCfBcqwgVPn/PSFUZkyvnANal+EGG0GLq7Gp +4obdnLIJX9/fJRw4v4D3KjE+7XnlM1h++bPWupqtN644kklTtO0CIea57w6GR9EV +qcEFiP2FI4Y90sH14rOhaxLy8sotRPBpDBn0iwIDAQABAoIBAFtnsiXlZTO+E1V/ +CL2mOBvc1dExhvtVq6Gr0Hqc1fO68gDzrjc7wUElElpXToaRTv6D9DmIbVV6r7zV +hj0s7Aydy9EeA4XV0+bmmJMGkPt8gF7oBPhEHkTo3UcnGEZkcQt0UaMXteXkZfvv +nrazUQdb02rA5LT/Bsd/H5MwwbHQyipMXKQXpYyzALhoBUrXItc+aHfINHOELs0h +UPSoFnNSsQo1VGSd/TCZJYYw2cpmeTqWO4sM6z8vYXJnNQTCb2saW+vywfQoYTJ7 +V6mSmX7EgYh512jNpNdzhQx8qN1hmWF/r5G9DC4QSnzVoN23fi4H+szB9CEfVlPy +pGj6qUECgYEA1zwPaLjz9XgeZiHrLYDCFeNRYE4Noa9mFuuplYxmiIJGsBiUNHNJ +bbMn8VpuBBptEUnSTCGJhAF39AGKfUHx+49hTKTUISmnTDOSHLeE1mKvZJWB3x4r +3ezfsUVwV4BvidYQEv0FWuE+lniDmx2BVQk7vIiF5VjUxMmyqnB8cEUCgYEA0rLw +LtSYod0VzFLs8NlMH9nhfQk7oSfyxqLVwpiAQVAtrI3xfQUaYP04BrV/XOI+YBcF +Svg4Ou4tqcuGFFYtqNPAaGYfih7UzEY8Z6wH2rkyznCq7VQZexKKtTbPQCNSkJ5h +fpNxfh4sXZSpYg/aIEr6OC8REuhcjRjhJBWJJo8CgYAsPN316j3KMBwfZc1Olu5N +TWGGZ8SJfOGAyIMch7TzTcN1ojej6CYpc+87vhhqo3vTV9bvat020o5zCnYKdKll +yPx4olAvWL5X/SmE2XtmDPZ7t/bvguYFQRBhASKr+Wvzapn3LSYSncUdbDuwgAn7 +DmDGyVCr6OwiXkpomaIZ+QKBgCZIpSOdNW6TwVYy6yKIGTDgYfxaJR+PJqm5BKYr +F4LGksX7tJlGyBg/amKtr8qswTCsfiW1HGJ4zItBk8c2MW2vrBJMHAb4uymyyV78 +/yBa7kRcbHJbCZY3NEThBJ9ey63DWWuqVsDXsq/+RxiuUK/1b6mtw6hv2AE7OA1a +bGU5AoGBANL+ssYI1JH1TFRwI8iTc/no2Loy2jZ2NGyZbU/gc3NhhVERNgtK8nmM +dcYrgmewKKS20+AqqbM7zITYdJea6RTKU6ELJul2iKMDSwA65cEwueqAT6WY7x57 +z0fBzoaLRQp11SSuuPz9p0a096XGygQP1o2SabZCwY4b3+vtkbJM +-----END RSA PRIVATE KEY----- diff --git a/playbook/linux/elastic/role-test.yml b/playbook/linux/elastic/role-test.yml index aff8c2d..25bcafc 100644 --- a/playbook/linux/elastic/role-test.yml +++ b/playbook/linux/elastic/role-test.yml 
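Review bot: The server-side RSA private key is committed here too, paired with the server certificate in the previous hunk; with it an attacker can impersonate the Sensu/RabbitMQ TLS endpoint to every client that trusts the committed CA. Same remediation as for the client key: revoke and regenerate the PKI, purge the file from history, and move key material to vault or out-of-repo storage. The `sensu_ssl_tool` output directory appears to have been copied wholesale from the host; of its contents only `cacert.pem` is safe to keep in a repository.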
@@ -21,5 +21,6 @@ server_host: ansible_default_ipv4.address server_name: ansible_hostname elasticsearch_hosts: - - http://192.168.0.173:9200 + #- http://192.168.0.173:9200 + - http://192.168.0.60:9200 diff --git a/playbook/linux/sensu-test.yml b/playbook/linux/sensu-test.yml new file mode 100644 index 0000000..a1de237 --- /dev/null +++ b/playbook/linux/sensu-test.yml @@ -0,0 +1,19 @@ + +- name: testing sensu + hosts: linux + + tasks: + - name: install sensu server + become: true + import_role: + name: sensu.sensu + vars: + # Sever vars + sensu_deploy_redis_server: true + sensu_deploy_rabbitmq_server: true + sensu_master: true + #sensu_include_plugins: true + sensu_include_dashboard: true + # Client Vars + #sensu_client: true + diff --git a/roles/jnv.unattended-upgrades/.editorconfig b/roles/jnv.unattended-upgrades/.editorconfig new file mode 100644 index 0000000..c6c8b36 --- /dev/null +++ b/roles/jnv.unattended-upgrades/.editorconfig @@ -0,0 +1,9 @@ +root = true + +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true diff --git a/roles/jnv.unattended-upgrades/.gitignore b/roles/jnv.unattended-upgrades/.gitignore new file mode 100644 index 0000000..d9ff546 --- /dev/null +++ b/roles/jnv.unattended-upgrades/.gitignore @@ -0,0 +1,3 @@ +.vagrant/ +*~ +*.log diff --git a/roles/jnv.unattended-upgrades/.travis.yml b/roles/jnv.unattended-upgrades/.travis.yml new file mode 100644 index 0000000..32fdb5d --- /dev/null +++ b/roles/jnv.unattended-upgrades/.travis.yml @@ -0,0 +1,16 @@ +sudo: required +language: python +services: docker + +cache: pip + +install: + - pip install ansible docker + - ansible-galaxy install -r tests/requirements.yml -p tests/roles/ + +script: + - ansible --version + - tests/test.sh + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ 
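Review bot: sensu-test.yml runs with `hosts: linux` while setting `sensu_master: true`, `sensu_deploy_redis_server: true` and `sensu_deploy_rabbitmq_server: true`, so every host in the group becomes its own Sensu master with a local Redis and RabbitMQ — almost certainly not intended; target a single host or a dedicated `sensu_master` group. No RabbitMQ or dashboard credentials are set here, so the deployment runs on whatever `roles/sensu.sensu/defaults/main.yml` (outside this chunk) ships, and those role defaults are public; supply vault-backed values for the RabbitMQ user/password and the Uchiwa dashboard login before turning on `sensu_include_dashboard: true`. The file also lacks a leading `---`.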
diff --git a/roles/jnv.unattended-upgrades/LICENSE b/roles/jnv.unattended-upgrades/LICENSE new file mode 100644 index 0000000..d511905 --- /dev/null +++ b/roles/jnv.unattended-upgrades/LICENSE 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/roles/jnv.unattended-upgrades/README.md b/roles/jnv.unattended-upgrades/README.md new file mode 100644 index 0000000..5cec7ec --- /dev/null +++ b/roles/jnv.unattended-upgrades/README.md 
@@ -0,0 +1,180 @@ +# Unattended-Upgrades Role for Ansible + +[![Build Status of branch master](https://img.shields.io/travis/jnv/ansible-role-unattended-upgrades/master.svg?style=flat-square)](https://travis-ci.org/jnv/ansible-role-unattended-upgrades) +[![Ansible Role: jnv.unattended-upgrades](https://img.shields.io/ansible/role/8068.svg?style=flat-square)](https://galaxy.ansible.com/jnv/unattended-upgrades/) + +Install and setup [unattended-upgrades](https://launchpad.net/unattended-upgrades) for Ubuntu and Debian (since Wheezy), to periodically install security upgrades. + +**NOTE:** If you have used version 0.0.1 of the role, you can delete the file `/etc/apt/apt.conf.d/10periodic` as it is not needed anymore. You can use the following one-shot command: + + ansible -m file -a "state=absent path=/etc/apt/apt.conf.d/10periodic" + +## Requirements + +The role uses [apt module](http://docs.ansible.com/apt_repository_module.html) which has additional dependencies. + +If you set `unattended_mail` to an e-mail address, make sure `mailx` command is available and your system is able to send e-mails. + +The role requires unattended-upgrades version 0.70 and newer, which is available since Debian Wheezy and Ubuntu 12.04 respectively. This is due to [Origins Patterns](#origins-patterns) usage; if this is not available on your system, you may use [the first version of the role](https://github.com/jnv/ansible-role-unattended-upgrades/tree/v0.1). + +### Automatic Reboot + +If you enable automatic reboot feature (`unattended_automatic_reboot`), the role will attempt to install `update-notifier-common` package, which is required on some systems for detecting and executing reboot after the upgrade. You may optionally define a specific time for rebooting (`unattended_automatic_reboot_time`). 
+ +This feature was broken in Debian Jessie, but eventually was rolled into the unattended-upgrades package; see [the discussion in #6](https://github.com/jnv/ansible-role-unattended-upgrades/issues/6) for more details. + +## Disabled Cron Jobs + +On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.daily/apt` file has been renamed to `apt.disabled`. This is possibly provider's decision, to save some CPU cycles. Use [enable-standard-cronjobs](https://github.com/Yannik/ansible-role-enable-standard-cronjobs) role to reenable unattended-upgrades. See also discussion in [#9](https://github.com/jnv/ansible-role-unattended-upgrades/issues/9). + +## Role Variables + +* `unattended_cache_valid_time`: Update the apt cache if its older than the given time in seconds; passed to the [apt module](https://docs.ansible.com/ansible/latest/apt_module.html) during package installation. + * Default: `3600` +* `unattended_origins_patterns`: array of origins patterns to determine whether the package can be automatically installed, for more details see [Origins Patterns](#origins-patterns) below. + * Default for Debian: `['origin=Debian,codename=${distro_codename},label=Debian-Security']` + * Default for Ubuntu: `['origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu']` +* `unattended_package_blacklist`: packages which won't be automatically upgraded + * Default: `[]` +* `unattended_autofix_interrupted_dpkg`: whether on unclean dpkg exit to run `dpkg --force-confold --configure -a` + * Default: `true` +* `unattended_minimal_steps`: split the upgrade into the smallest possible chunks so that they can be interrupted with SIGUSR1. + * Default: `false` +* `unattended_install_on_shutdown`: install all unattended-upgrades when the machine is shuting down. 
+ * Default: `false` +* `unattended_mail`: e-mail address to send information about upgrades or problems with unattended upgrades + * Default: `false` (don't send any e-mail) +* `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade. + * Default: `false` +* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade. + * Default: `false` +* `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade. + * Default: `false` +* `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade. + * Default: `false` +* `unattended_update_days`: Set the days of the week that updates should be applied. The days can be specified as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is Monday etc. Example: `{"Mon";"Fri"};` + * Default: disabled +* `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive. + * Default: `false` +* `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root. 
+ * Possible options: + * `0`: no report + * `1`: progress report + * `2`: + command outputs + * `3`: + trace on + * Default: `0` (no report) +* `unattended_update_package_list`: Do "apt-get update" automatically every n-days (0=disable) + * Default: `1` +* `unattended_download_upgradeable`: Do "apt-get upgrade --download-only" every n-days (0=disable) + * Default: `0` +* `unattended_autoclean_interval`: Do "apt-get autoclean" every n-days (0=disable) + * Default: `7` +* `unattended_clean_interval`: Do "apt-get clean" every n-days (0=disable) + * Default: `0` +* `unattended_random_sleep`: Define maximum for a random interval in seconds after which the apt job starts (only for systems without systemd) + * Default: `1800` (30 minutes) +* `unattended_dpkg_options`: Array of dpkg command-line options used during unattended-upgrades runs, e.g. `["--force-confdef"]`, `["--force-confold"]` + * Default: `[]` +* `unattended_dl_limit`: Limit the download speed in kb/sec using apt bandwidth limit feature. + * Default: disabled + +## Origins Patterns + +Origins Pattern is a more powerful alternative to the Allowed Origins option used in previous versions of unattended-upgrade. + +Pattern is composed from specific keywords: + +* `a`,`archive`,`suite` – e.g. `stable`, `trusty-security` (`archive=stable`) +* `c`,`component` – e.g. `main`, `crontrib`, `non-free` (`component=main`) +* `l`,`label` – e.g. `Debian`, `Debian-Security`, `Ubuntu` +* `o`,`origin` – e.g. `Debian`, `Unofficial Multimedia Packages`, `Ubuntu` +* `n`,`codename` – e.g. `jessie`, `jessie-updates`, `trusty` (this is only supported with `unattended-upgrades` >= 0.80) +* `site` – e.g. `http.debian.net` + +You can review the available repositories using `apt-cache policy` and debug your choice using `unattended-upgrades -d` command on a target system. + +Additionally unattended-upgrades support two macros (variables), derived from `/etc/debian_version`: + +* `${distro_id}` – Installed distribution name, e.g. 
`Debian` or `Ubuntu`. +* `${distro_codename}` – Installed codename, e.g. `jessie` or `trusty`. + +Using `${distro_codename}` should be preferred over using `stable` or `oldstable` as a selected, as once `stable` moves to `oldstable`, no security updates will be installed at all, or worse, package from a newer distro release will be installed by accident. The same goes for upgrading your installation from `oldstable` to `stable`, if you forget to change this in your origin patterns, you may not receive the security updates for your newer distro release. With `${distro_codename}`, both cases can never happen. + +## Role Usage Example + +Example for Ubuntu, with custom [origins patterns](#patterns-examples), blacklisted packages and e-mail notification: + +```yaml +- hosts: all + roles: + - role: jnv.unattended-upgrades + unattended_origins_patterns: + - 'origin=Ubuntu,archive=${distro_codename}-security' + - 'o=Ubuntu,a=${distro_codename}-updates' + unattended_package_blacklist: [cowsay, vim] + unattended_mail: 'root@example.com' +``` + +_Note:_ You don't need to specify `unattended_origins_patterns`, the role will use distribution's default if the variable is not set. + +### Patterns Examples + +By default, only security updates are allowed for both Ubuntu and Debian. You can add more patterns to allow unattended-updates install more packages automatically, however be aware that automated major updates may potentially break your system. + +#### For Debian + +```yaml +unattended_origins_patterns: + - 'origin=Debian,codename=${distro_codename},label=Debian-Security' # security updates + - 'o=Debian,codename=${distro_codename},label=Debian' # updates including non-security updates + - 'o=Debian,codename=${distro_codename},a=proposed-updates' +``` + +On debian wheezy, due to `unattended-upgrades` being `0.79.5`, you cannot use the `codename` directive. 
+ +You will have to do archive based matching instead: + +```yaml +unattended_origins_patterns: + - 'origin=Debian,a=stable,label=Debian-Security' # security updates + - 'o=Debian,a=stable,l=Debian' # updates including non-security updates + - 'o=Debian,a=proposed-updates' +``` + +Please be sure to read about the issues regarding this in the origin pattern documentation above. + +#### For Ubuntu + +In Ubuntu, archive always contains the distribution codename + +```yaml +unattended_origins_patterns: + - 'origin=Ubuntu,archive=${distro_codename}-security' + - 'o=Ubuntu,a=${distro_codename}' + - 'o=Ubuntu,a=${distro_codename}-updates' + - 'o=Ubuntu,a=${distro_codename}-proposed-updates' +``` + + +#### For Raspbian + +In Raspbian, it is only possible to update all packages from the default repository, including non-security updates, or updating none. + +Updating all, including non-security: + +```yaml +unattended_origins_patterns: + - 'origin=Raspbian,codename=${distro_codename},label=Raspbian' +``` + +You can not use the `codename` directive on raspbian wheezy, the same as with debian wheezy above. + +To not install any updates on a raspbian host, just set `unattended_origins_patterns` to an empty list: +``` +unattended_origins_patterns: [] +``` + + +## License + +GPLv2 diff --git a/roles/jnv.unattended-upgrades/defaults/main.yml b/roles/jnv.unattended-upgrades/defaults/main.yml new file mode 100644 index 0000000..7b2a211 --- /dev/null +++ b/roles/jnv.unattended-upgrades/defaults/main.yml 
@@ -0,0 +1,122 @@ +--- +# Cache update time for apt module +unattended_cache_valid_time: 3600 + +#Unattended-Upgrade::Origins-Pattern +# Automatically upgrade packages from these origin patterns +# e.g.: 'o=Debian,a=stable', 'o=Debian,a=stable-updates' +# +# Left unset, distribution-specific defaults will be used through +# __unattended_origins_patterns variable only if this variable +# is not provided externally +# REFS https://github.com/ansible/ansible/issues/8121 +#unattended_origins_patterns: [] + +#Unattended-Upgrade::Package-Blacklist +# List of packages to not update +unattended_package_blacklist: [] + +#Unattended-Upgrade::AutoFixInterruptedDpkg +# On a unclean dpkg exit unattended-upgrades will run +# dpkg --force-confold --configure -a +# The default is true, to ensure updates keep getting installed +unattended_autofix_interrupted_dpkg: true + +#Unattended-Upgrade::MinimalSteps +# Split the upgrade into the smallest possible chunks so that +# they can be interrupted with SIGUSR1. This makes the upgrade +# a bit slower but it has the benefit that shutdown while a upgrade +# is running is possible (with a small delay) +unattended_minimal_steps: false + +#Unattended-Upgrade::InstallOnShutdown +# Install all unattended-upgrades when the machine is shuting down +# instead of doing it in the background while the machine is running +# This will (obviously) make shutdown slower +unattended_install_on_shutdown: false + +#Unattended-Upgrade::Mail +# Send email to this address for problems or packages upgrades +# If empty or unset then no email is sent, make sure that you +# have a working mail setup on your system. A package that provides +# 'mailx' must be installed. +unattended_mail: false + +#Unattended-Upgrade::MailOnlyOnError +# Set this value to "true" to get emails only on errors. 
Default +# is to always send a mail if Unattended-Upgrade::Mail is set +unattended_mail_only_on_error: false + +#Unattended-Upgrade::Remove-Unused-Dependencies +# Do automatic removal of new unused dependencies after the upgrade +# (equivalent to apt-get autoremove) +unattended_remove_unused_dependencies: false + +#Unattended-Upgrade::Automatic-Reboot +# Automatically reboot *WITHOUT CONFIRMATION* if a +# the file /var/run/reboot-required is found after the upgrade +unattended_automatic_reboot: false + +#Unattended-Upgrade::Automatic-Reboot-Time +# If automatic reboot is enabled and needed, reboot at the specific +# time instead of immediately +unattended_automatic_reboot_time: false + +#Unattended-Upgrade::IgnoreAppsRequireRestart +# Do upgrade application even if it requires restart after upgrade +# I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file +unattended_ignore_apps_require_restart: false + +### APT::Periodic configuration +# Snatched from /usr/lib/apt/apt.systemd.daily + +#APT::Periodic::Update-Package-Lists "0"; +# - Do "apt-get update" automatically every n-days (0=disable) +unattended_update_package_list: 1 + +#APT::Periodic::Download-Upgradeable-Packages "0"; +# - Do "apt-get upgrade --download-only" every n-days (0=disable) +#unattended_download_upgradeable: 0 + +#APT::Periodic::AutocleanInterval "0"; +# - Do "apt-get autoclean" every n-days (0=disable) +unattended_autoclean_interval: 7 + +#APT::Periodic::CleanInterval "0"; +# - Do "apt-get clean" every n-days (0=disable) +#unattended_clean_interval: 0 + +#APT::Periodic::Verbose "0"; +# - Send report mail to root +# 0: no report (or null string) +# 1: progress report (actually any string) +# 2: + command outputs (remove -qq, remove 2>/dev/null, add -d) +# 3: + trace on +#unattended_verbose: 0 + +## Cron systems only + +#APT::Periodic::RandomSleep +# When the apt job starts, it will sleep for a random period between 0 +# and APT::Periodic::RandomSleep seconds +# The default 
value is "1800" so that the script will stall for up to 30 +# minutes (1800 seconds) so that the mirror servers are not crushed by +# everyone running their updates all at the same time +# Kept undefined to allow default (1800) +#unattended_random_sleep: 0 + +#Dpkg::Options +# Provide dpkg options that take effect during unattended upgrades. +# By default no flags are appended. Configuration file changes can +# block installation of certain packages. Passing the flags +# "--force-confdef" and "--force-confold" will ensure updates are applied +# and old configuration files are preserved. +unattended_dpkg_options: [] + +# unattended_dpkg_options: +# - "--force-confdef" +# - "--force-confold" + + +# Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec +#unattended_dl_limit: 70 \ No newline at end of file diff --git a/roles/jnv.unattended-upgrades/handlers/main.yml b/roles/jnv.unattended-upgrades/handlers/main.yml new file mode 100644 index 0000000..c0b5512 --- /dev/null +++ b/roles/jnv.unattended-upgrades/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for unattended-upgrades diff --git a/roles/jnv.unattended-upgrades/meta/.galaxy_install_info b/roles/jnv.unattended-upgrades/meta/.galaxy_install_info new file mode 100644 index 0000000..713a4a2 --- /dev/null +++ b/roles/jnv.unattended-upgrades/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Sun Apr 28 18:26:47 2019 +version: v1.7.0 diff --git a/roles/jnv.unattended-upgrades/meta/main.yml b/roles/jnv.unattended-upgrades/meta/main.yml new file mode 100644 index 0000000..90dcd6d --- /dev/null +++ b/roles/jnv.unattended-upgrades/meta/main.yml 
@@ -0,0 +1,38 @@ +--- +galaxy_info: + author: Jan Vlnas + description: Setup unattended-upgrades on Debian-based systems + license: GPLv2 + min_ansible_version: 1.4 + platforms: + - name: Ubuntu + versions: + - precise + - raring + - saucy + - trusty + - utopic + - name: Debian + versions: + - wheezy + - jessie + # + # Below are all categories currently available. Just as with + # the platforms above, uncomment those that apply to your role. + # + categories: + #- cloud + #- cloud:ec2 + #- cloud:gce + #- cloud:rax + #- database + #- database:nosql + #- database:sql + #- development + #- monitoring + #- networking + #- packaging + - system + #- web +dependencies: [] + diff --git a/roles/jnv.unattended-upgrades/tasks/main.yml b/roles/jnv.unattended-upgrades/tasks/main.yml new file mode 100644 index 0000000..9a924fa --- /dev/null +++ b/roles/jnv.unattended-upgrades/tasks/main.yml @@ -0,0 +1,2 @@ + - include: unattended-upgrades.yml + tags: unattended diff --git a/roles/jnv.unattended-upgrades/tasks/reboot.yml b/roles/jnv.unattended-upgrades/tasks/reboot.yml new file mode 100644 index 0000000..faa7149 --- /dev/null +++ b/roles/jnv.unattended-upgrades/tasks/reboot.yml @@ -0,0 +1,9 @@ +--- +# Ignored, since newer distros don't need this package +# https://github.com/jnv/ansible-role-unattended-upgrades/issues/6 +- name: install update-notifier-common + apt: + pkg: update-notifier-common + state: present + failed_when: false + diff --git a/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml b/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml new file mode 100644 index 0000000..852fd6d --- /dev/null +++ b/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml 
@@ -0,0 +1,34 @@ +--- +- name: add distribution-specific variables + include_vars: "{{ ansible_distribution }}.yml" + +- name: add Debian Wheezy workaround + include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml" + when: (ansible_distribution == "Debian") and (ansible_distribution_release == "wheezy") + +- name: install unattended-upgrades + apt: + pkg: unattended-upgrades + state: present + cache_valid_time: "{{unattended_cache_valid_time}}" + update_cache: yes + +- name: install reboot dependencies + include: reboot.yml + when: unattended_automatic_reboot + +- name: create APT auto-upgrades configuration + template: + src: auto-upgrades.j2 + dest: /etc/apt/apt.conf.d/20auto-upgrades + owner: root + group: root + mode: 0644 + +- name: create unattended-upgrades configuration + template: + src: unattended-upgrades.j2 + dest: /etc/apt/apt.conf.d/50unattended-upgrades + owner: root + group: root + mode: 0644 diff --git a/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 b/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 new file mode 100644 index 0000000..388a028 --- /dev/null +++ b/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 
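Review bot: The two `template` tasks that write `20auto-upgrades` and `50unattended-upgrades` carry no `validate:`, so a bad render (for example an `unattended_update_days` value that is not a complete APT list) lands an unparsable file in `/etc/apt/apt.conf.d/` and breaks every later `apt` invocation on the host, not only unattended-upgrades. Adding `validate: 'apt-config -c %s dump'` to both tasks would reject the rendered file before it is moved into place (confirm that apt-config's `-c`/`--config-file` option exits non-zero on a parse error for the releases you target). Separately, `include_vars: "{{ ansible_distribution }}.yml"` fails hard on any distribution other than Debian and Ubuntu, the only vars files this patch adds, so a `when:` on `ansible_distribution` or a fallback vars file would make the supported set explicit, and `include: reboot.yml` is the legacy include form that current Ansible spells `include_tasks`.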
@@ -0,0 +1,25 @@ +APT::Periodic::Unattended-Upgrade "1"; + +{% if unattended_update_package_list is defined %} +APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}"; +{% endif %} + +{% if unattended_download_upgradeable is defined %} +APT::Periodic::Download-Upgradeable-Packages "{{unattended_download_upgradeable}}"; +{% endif %} + +{% if unattended_autoclean_interval is defined %} +APT::Periodic::AutocleanInterval "{{unattended_autoclean_interval}}"; +{% endif %} + +{% if unattended_clean_interval is defined %} +APT::Periodic::CleanInterval "{{unattended_clean_interval}}"; +{% endif %} + +{% if unattended_verbose is defined %} +APT::Periodic::Verbose "{{unattended_verbose}}"; +{% endif %} + +{% if unattended_random_sleep is defined %} +APT::Periodic::RandomSleep "{{unattended_random_sleep}}"; +{% endif %} diff --git a/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 b/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 new file mode 100644 index 0000000..3df60da --- /dev/null +++ b/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 
@@ -0,0 +1,106 @@ +// Unattended-Upgrade::Origins-Pattern controls which packages are +// upgraded. +Unattended-Upgrade::Origins-Pattern { +{% if unattended_origins_patterns is defined %} + {% for origin in unattended_origins_patterns %} + "{{ origin }}"; + {% endfor %} +{% else %} + {% for origin in __unattended_origins_patterns %} + "{{ origin }}"; + {% endfor %} +{% endif %} +}; + +// List of packages to not update (regexp are supported) +Unattended-Upgrade::Package-Blacklist { +{% for package in unattended_package_blacklist %} + "{{package}}"; +{% endfor %} +}; + +{% if not unattended_autofix_interrupted_dpkg %} +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +Unattended-Upgrade::AutoFixInterruptedDpkg "false"; +{% endif %} + +{% if unattended_minimal_steps %} +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGUSR1. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +Unattended-Upgrade::MinimalSteps "true"; +{% endif %} + +{% if unattended_install_on_shutdown %} +// Install all unattended-upgrades when the machine is shuting down +// instead of doing it in the background while the machine is running +// This will (obviously) make shutdown slower +Unattended-Upgrade::InstallOnShutdown "true"; +{% endif %} + +{% if unattended_mail %} +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. +Unattended-Upgrade::Mail "{{unattended_mail}}"; +{% endif %} + +{% if unattended_mail_only_on_error %} +// Set this value to "true" to get emails only on errors. 
Default +// is to always send a mail if Unattended-Upgrade::Mail is set +Unattended-Upgrade::MailOnlyOnError "true"; +{% endif %} + +{% if unattended_remove_unused_dependencies %} +// Do automatic removal of new unused dependencies after the upgrade +// (equivalent to apt-get autoremove) +Unattended-Upgrade::Remove-Unused-Dependencies "true"; +{% endif %} + +{% if unattended_automatic_reboot %} +// Automatically reboot *WITHOUT CONFIRMATION* if a +// the file /var/run/reboot-required is found after the upgrade +Unattended-Upgrade::Automatic-Reboot "true"; +{% endif %} + +{% if unattended_automatic_reboot_time %} +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}"; +{% endif %} + +{% if unattended_update_days is defined %} +// Set the days of the week that updates should be applied. The days can be specified +// as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is +// Monday etc. +// Example - apply updates only on Monday and Friday: +// {"Mon";"Fri"}; +Unattended-Upgrade::Update-Days {{ unattended_update_days }}; +{% endif %} + +{% if unattended_ignore_apps_require_restart %} +// Do upgrade application even if it requires restart after upgrade +// I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file +Unattended-Upgrade::IgnoreAppsRequireRestart "true"; +{% endif %} + +{% if unattended_dpkg_options %} +// Append options for governing dpkg behavior, e.g. --force-confdef. +Dpkg::Options { +{% for dpkg_option in unattended_dpkg_options %} + "{{ dpkg_option }}"; +{% endfor %} +}; +{% endif %} + +{% if unattended_dl_limit is defined %} +// Use apt bandwidth limit feature, this example limits the download +// speed to 70kb/sec +Acquire::http::Dl-Limit "{{ unattended_dl_limit }}"; +{% endif %} 
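Review bot: `Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}"` renders whatever the variable holds, and a playbook value written as an unquoted `02:00` is read by Ansible's YAML 1.1 loader as the sexagesimal integer 120, producing `Automatic-Reboot-Time "120";` which apt cannot interpret. The same applies to `Unattended-Upgrade::Update-Days {{ unattended_update_days }};`, which is inserted verbatim and so must already be a complete APT list such as `{"Mon";"Fri"}` (as tests/test.yml does with `'{"Sat"}'`); a plain YAML list renders as its Python repr and makes the whole file unparsable. Since a malformed file in apt.conf.d breaks every apt run on the host, it is worth stating the contract in the template with Jinja comments that do not reach the rendered file: `{# quote the value in the playbook ("02:00"); an unquoted HH:MM is parsed as an integer #}` above the reboot-time line and `{# inserted verbatim: must be a complete APT list, e.g. '{"Mon";"Fri"}' #}` above the Update-Days line.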
diff --git a/roles/jnv.unattended-upgrades/tests/ansible.cfg b/roles/jnv.unattended-upgrades/tests/ansible.cfg new file mode 100644 index 0000000..6abf5b7 --- /dev/null +++ b/roles/jnv.unattended-upgrades/tests/ansible.cfg @@ -0,0 +1,3 @@ +[defaults] +roles_path = ../../ +retry_files_enabled = False diff --git a/roles/jnv.unattended-upgrades/tests/inventory b/roles/jnv.unattended-upgrades/tests/inventory new file mode 100644 index 0000000..42de3a1 --- /dev/null +++ b/roles/jnv.unattended-upgrades/tests/inventory @@ -0,0 +1 @@ +localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python" diff --git a/roles/jnv.unattended-upgrades/tests/requirements.yml b/roles/jnv.unattended-upgrades/tests/requirements.yml new file mode 100644 index 0000000..562771a --- /dev/null +++ b/roles/jnv.unattended-upgrades/tests/requirements.yml @@ -0,0 +1,3 @@ +--- +- src: chrismeyersfsu.provision_docker + name: provision_docker diff --git a/roles/jnv.unattended-upgrades/tests/test.sh b/roles/jnv.unattended-upgrades/tests/test.sh new file mode 100755 index 0000000..84096bf --- /dev/null +++ b/roles/jnv.unattended-upgrades/tests/test.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +# Exit on any individual command failure +set -e + +# Pretty colors. +red='\033[0;31m' +green='\033[0;32m' +neutral='\033[0m' + +section() { + echo -e "\033[33;1m$1\033[0m" +} + +fold_start() { + echo -e "travis_fold:start:$1\033[33;1m$2\033[0m" +} + +fold_end() { + echo -e "\ntravis_fold:end:$1\r" +} + +# Ensure we are in the tests dir +cd "$( dirname "${BASH_SOURCE[0]}" )" + +section "Syntax check" +ansible-playbook -i inventory --syntax-check test.yml +section "Running role" +ansible-playbook -i inventory test.yml diff --git a/roles/jnv.unattended-upgrades/tests/test.yml b/roles/jnv.unattended-upgrades/tests/test.yml new file mode 100644 index 0000000..45d5485 --- /dev/null +++ b/roles/jnv.unattended-upgrades/tests/test.yml 
@@ -0,0 +1,70 @@ +--- +- name: Bring up Docker containers + hosts: localhost + gather_facts: false + vars: + inventory: + - name: ubuntu_latest + image: "ubuntu:latest" + - name: ubuntu_xenial + image: "ubuntu:xenial" + - name: ubuntu_trusty + image: "ubuntu:trusty" + - name: debian_testing + image: "debian:testing" + - name: debian_stable + image: "debian:stable" + - name: debian_oldstable + image: "debian:oldstable" + roles: + - role: provision_docker + provision_docker_inventory: "{{ inventory }}" + provision_docker_privileged: true + provision_docker_use_docker_connection: true + +- name: Test role + hosts: docker_containers + gather_facts: false + pre_tasks: + - name: Provision Python + raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-simplejson)" + register: output + changed_when: output.stdout + - setup: # Gather facts + vars: + unattended_autofix_interrupted_dpkg: false + unattended_minimal_steps: true + unattended_install_on_shutdown: true + unattended_automatic_reboot: true + unattended_update_days: '{"Sat"}' + roles: + # Searched for in ../.. 
(see ansible.cfg) + - ansible-role-unattended-upgrades + tasks: + - name: Idempotency check + include_role: + name: ansible-role-unattended-upgrades + register: idempotency + - fail: + msg: Role failed idempotency check + when: idempotency.changed + + - name: Get apt-config variables + shell: apt-config dump + register: aptconfig + - name: Check for registered variables + assert: + that: item in aptconfig.stdout + with_items: + - 'APT::Periodic::Unattended-Upgrade "1"' + - 'Unattended-Upgrade::AutoFixInterruptedDpkg "false"' + - 'Unattended-Upgrade::MinimalSteps "true"' + - 'Unattended-Upgrade::InstallOnShutdown "true"' + - 'Unattended-Upgrade::Automatic-Reboot "true"' + # NOTE: this uses the array syntax, which requires one + # top-level record, then one item per line + - 'Unattended-Upgrade::Update-Days "";' + - 'Unattended-Upgrade::Update-Days:: "Sat";' + + - name: Dry run unattended-upgrades + command: /usr/bin/unattended-upgrades --dry-run diff --git a/roles/jnv.unattended-upgrades/vars/Debian-wheezy.yml b/roles/jnv.unattended-upgrades/vars/Debian-wheezy.yml new file mode 100644 index 0000000..57afa2d --- /dev/null +++ b/roles/jnv.unattended-upgrades/vars/Debian-wheezy.yml @@ -0,0 +1,11 @@ +--- + +# This workaround for Debian Wheezy which doesn't support ${distro_codename} macro +# See +# https://github.com/jnv/ansible-role-unattended-upgrades/issues/19 +# https://github.com/jnv/ansible-role-unattended-upgrades/pull/20 +# for details + +__unattended_origins_patterns: + - 'origin=Debian,archive=stable,label=Debian-Security' + - 'origin=Debian,archive=oldstable,label=Debian-Security' diff --git a/roles/jnv.unattended-upgrades/vars/Debian.yml b/roles/jnv.unattended-upgrades/vars/Debian.yml new file mode 100644 index 0000000..706a604 --- /dev/null +++ b/roles/jnv.unattended-upgrades/vars/Debian.yml @@ -0,0 +1,3 @@ +--- +__unattended_origins_patterns: + - 'origin=Debian,codename=${distro_codename},label=Debian-Security' 
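Review bot: The idempotency check hangs on `register: idempotency` against an `include_role` task, and as far as I recall `register` is not honoured for `include_role` (the included tasks' changed status is not folded into the registered variable), in which case `idempotency.changed` is never true and the `fail` task is inert; confirm this against the Ansible version in use, or assert on the second run's recap instead. The `raw` bootstrap installs only `python-simplejson` and relies on it dragging in a Python 2 interpreter, which the `ubuntu:latest` and `debian:testing` images in this matrix may no longer provide; installing the interpreter explicitly (`python`, or `python3` with `ansible_python_interpreter` set to match) would keep the test matrix honest.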
diff --git a/roles/jnv.unattended-upgrades/vars/Ubuntu.yml b/roles/jnv.unattended-upgrades/vars/Ubuntu.yml new file mode 100644 index 0000000..85a6bf3 --- /dev/null +++ b/roles/jnv.unattended-upgrades/vars/Ubuntu.yml @@ -0,0 +1,3 @@ +--- +__unattended_origins_patterns: + - 'origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu' diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index 15e4a89..577fd91 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -31,9 +31,8 @@ server_port: 5601 server_host: localhost # The Kibana server's name. This is used for display purposes. -server_name: {{ ansible_hostname }} +server_name: ansible_hostname # The URLs of the Elasticsearch instances to use for all your queries. elasticsearch_hosts: - localhost - - server02 diff --git a/roles/sensu.sensu/.gitattributes b/roles/sensu.sensu/.gitattributes new file mode 100644 index 0000000..9498b62 --- /dev/null +++ b/roles/sensu.sensu/.gitattributes @@ -0,0 +1,6 @@ +Pipfile export-ignore +Pipfile.lock export-ignore +.travis.yml export-ignore +docs/ export-ignore +mkdocs.yml export-ignore +molecule/ export-ignore diff --git a/roles/sensu.sensu/.gitignore b/roles/sensu.sensu/.gitignore new file mode 100644 index 0000000..3e1b141 --- /dev/null +++ b/roles/sensu.sensu/.gitignore @@ -0,0 +1,4 @@ +site +molecule/shared/data/* +!molecule/shared/data/static/ +molecule/*/cache/ diff --git a/roles/sensu.sensu/.yamllint b/roles/sensu.sensu/.yamllint new file mode 100644 index 0000000..ad0be76 --- /dev/null +++ b/roles/sensu.sensu/.yamllint @@ -0,0 +1,11 @@ +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + truthy: disable diff --git a/roles/sensu.sensu/CHANGELOG.md b/roles/sensu.sensu/CHANGELOG.md new file mode 100644 index 0000000..59f4805 --- /dev/null +++ b/roles/sensu.sensu/CHANGELOG.md 
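Review bot: The new `server_name: ansible_hostname` in roles/kibana/defaults/main.yml sets the Kibana server name to the literal string `ansible_hostname`, not to the host's name. The old line failed because a value beginning with `{{` is parsed as a YAML flow mapping before Jinja sees it; the fix is to quote the expression rather than drop it: `server_name: "{{ ansible_hostname }}"`.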
@@ -0,0 +1,194 @@ +# Change Log +All notable changes to this project will be documented in this file. + +This project adheres to [Semantic Versioning](http://semver.org/) +The format is based on [Keep a Changelog](http://keepachangelog.com/). + +## [Unreleased] + +## [5.2.0] - 2019-03-12 +## Added +- Add official support for OracleLinux 7 (@michaelpporter) + +## [5.1.0] - 2019-02-27 +## Changed +- Add `client_templates` option for group based tempaltes (@michaelpporter) +- Add `run_once: true` to `delegate_to: localhost` (@michaelpporter) + +## [5.0.2] - 2019-02-19 +## Fixed +- Fixup new loop logic to deploy checks/handlers/plugins to hosts (@michaelpporter) + +## [5.0.1] - 2019-02-19 +## Fixed +- Fixup sensu_rabbitmq_host to use new default variable for sensu_rabbitmq_servers (@michaelpporter) + +## [5.0.0] - 2019-02-19 +### Breaking Changes +- Prefix all variables with `sensu_` to reduce collisions with other roles (@michaelpporter) + +## [4.0.0] - 2019-02-17 +### Breaking Changes +- Upgrade all playbooks to `loop` syntax, requiring Ansible 2.5 or higher (@michaelpporter) +- Update role metadata to require Ansible 2.5 or higher (@jaredledvina) + +### Changed +- Upgrade Inspec to 3.6.6 (@jaredledvina) +- Re-enabled Ubuntu 18.04 integration tests (@michaelpporter) +- Switch from `local_action` to `delegate_to: localhost` (@michaelpporter) + +## [3.0.0] - 2019-02-16 +### Breaking Changes +- Officially drop support for Ansible 2.3 (@jaredledvina) +- Switch to `include_tasks` and `import_tasks` (@michaelpporter) + +### Fixed +- Update the use of tags to support Ansible 2.5 or higher (@michaelpporter) + +## [2.7.0] - 2019-01-31 +### Fixed +- RabbitMQ - Configure ciphers when SSL is enabled (@mkobel) +- Check if sensu_available_checks was skipped to support running in check mode (@jaredledvina) + +### Changed +- Tests - Update Dockerfile and bump Inspec to 3.1.1 (@jaredledvina) +- Docs - Change theme to readthedocs from flatly to fix builds (@jaredledvina) + +## [2.6.0] 
- 2018-07-03 +### Changed +- Add support for configuring [Tessen](https://docs.sensu.io/sensu-core/1.4/reference/tessen/) via `sensu_enable_tessen` (@jaredledvina) +- Stop publishing development/testing files to Ansible Galaxy (@jaredledvina) +- Update molecule's testing configuration for speed and task profiling (@jaredledvina) +- Update Inspec to latest stable & refactor shared testing files (@jaredledvina) +- RabbitMQ - Expose a varient distro repo configs via variables for more flexibility (@jaredledvina) +- RabbitMQ - Configure apt-preferences and pin erlang to version 20.3.X (@jaredledvina) +- Fedora - RabbitMQ - Reconfigure GPG key pinning to match CentOS/AmazonLinux (@jaredledvina) +- Fedora/CentOS/AmazonLinux - Upgrade to zero-dep erlang v20 repo's (@jaredledvina) + +## [2.5.0] - 2018-06-16 +### Changed +- Ansible role is officially mirrored to the `sensu.sensu` namespace (@jaredledvina) +- Deprecated `sensu_pkg_version` for Redhat, Fedora, CentOS, and FreeBSD. To pin going forward across all operating systems, simply append the Sensu version to `sensu_package`. For example, `sensu_package: sensu-1.3.3` will ensure that only Sensu 1.3.3 is ever installed. (@jaredledvina) +- Ensure that on first install we install the latest stable Sensu release (@jaredledvina) +- Document `sensu_pkg_state`. If you'd like to ensure the latest stable release is always installed, simply leave `sensu_package` to the default `sensu` and change `sensu_pkg_state` to `latest`. 
(@jaredledvina) +- Switched entirely to [molecule](https://github.com/metacloud/molecule) for integration testing (@jaredledvina) +- Configure [Inspec](https://www.inspec.io/) for full automated verification after integration testing (@jaredledvina) +- Amazon Linux now installs proper version of EPEL (@jaredledvina) +- Amazon Linux now installs a supported version of Erlang and RabbitMQ from Bintray (@jaredledvina) +- Fixup the CentOS RabbitMQ install w/ full GPG signing verification (@jaredledvina) +- Various syntax cleanups and testing documentation updates (@jaredledvina) +- Enable `yamllint` checking and fixup all files to pass checks (@jaredledvina) +- Enable `ansible-lint` checking and fixup all errors to pass checks (@jaredledvina) +- Various doc cleanup and fixes (@jaredledvina) +- Switch openssl to `present` as `installed` is deprecated (@rlizana) + + +## [2.4.0] - 2018-05-06 +### Fixed: +- Automated SSL key & cert generation fails on systems with Python 2.6 or older (@jaredledvina) + +### Changed +- Port over the latest ssl_tools code to more native Ansible `command` instructions for greater flexibility (@jaredledvina) + +## [2.3.0] - 2018-05-04 +### Fixed +- Issue that prevented older OS such as CentOS 5 from installing the Sensu RPM package as they are unsigned (@smbambling) +- Security issue with redis.json being world readable, as it can contain sensitive information (@smbambling) +- Issue with conf.d that limited access and prevent automated tests from passing (@smbambling) + +### Added +- Support for keepalive attributes: handlers and thresholds (warning/critical) in client.json (@smbambling) +- Support for managing safe_mode in client.json (@smbambling) + +## [2.2.0] - 2018-02-22 +### Added +- Fedora support. Tested in the wild on Fedora 25 as a client and Fedora 27 on the test suite as both master and client. 
(@danragnar) + - `tasks/Fedora/redis.yml`, `tasks/Fedora/rabbit.yml`: Based on CentOS equivalents but with dnf module instead of yum + - `tasks/Fedora/main.yml`, `tasks/Fedora/dashboard.yml`: links to Centos files + - `vars/Fedora.yml`: vars for Fedora + +### Changed +- `tasks/CentOS/dashboard.yml`, `tasks/CentOS/main.yml`: Use generic package module to support Fedora (@danragnar) + +## [2.1.0] +### Fixed +- `defaults/main.yaml`,`tasks/plugins.yml`: Fix Python 3.X compatability issue when checking the contents of sensu_remote_plugins. (@danragnar) + +### Added +- `templates/sensu-api-json.j2`, `templates/uchiwa_config.json.j2`: Check for explicitly defining sensu_uchiwa_users and sensu_api_user_name as empty to disable authentication, useful when having a reverse proxy handling auth in front of the API and/or the uchiwa dashboard (@danragnar) +- `tasks/rabbit.yml`: Consistency of remote_src option for rabbitmq and sensu when copying SSL cert/key files. Useful if certificates are generated by another CA (e.g. FreeIPA) on the sensu host. (@danragnar) + +## [2.0.0] - 2018-02-07 +### Breaking Change +- Split up the variables used to determine if a host gets rabbitmq/redis for more flexibility in deployments. (@tculp) `sensu_deploy_rabbitmq` and `sensu_deploy_redis` are now `sensu_deploy_rabbitmq_server` and `sensu_deploy_redis_server` respectively. See the [role variable documentation](https://github.com/sensu/sensu-ansible/blob/master/docs/role_variables.md) for details on the parameters. +- Redis on Ubuntu will now be configured to bind to `0.0.0.0` to ensure accessiblity and to match the other supported OS configurations. (@tculp) +- Updated the supported Ansible version to the last two stable releases (currently that's Ansible 2.3 and 2.4). (@jaredledvina) Please note that we have not explicitly broken support for running this role on versions of Ansible <2.3. 
However, we will only be actively supporting the last two stable Ansible releases to reduce the maintenance burden. + +### Added +- Initial support for OpenBSD! (@smbambling) +- Ubuntu now get's `apt-transport-https` installed to support HTTPS repos. (@kevit) +- Default to HTTPS APT repos. @jaredledvina +- Allow for configuring when a node gets the `sensu-client` config file. (@tculp) +- Allow for deploying client definitions based on groups. (@tculp) +- Default to HTTPS Yum repo's and install the Yum key for package signing validation via HTTPS. (@jaredledvina) +- Used HTTPS for APT key. (@jaredledvina) +- Amazon Linux has proper yum repo configured and supports Amazon Linux 2. (@romainrbr) +- Yum based distros now get EPEL to support installing a newer and supported version of RabbitMQ. (@romainrbr) +- CentOS now supports using Bintray mirrors for installing RabbitMQ to work around Erlang issues with older versions. (@romainrbr) +- All PRs are now required to pass TravisCI integrations tests. (@jaredledvina) +- Ensure that we configure the `mode` and `umask` for files to work in a more restrictive environment. (@roumano) +- Debian and Ubuntu switch to Bintray for RabbitMQ to match yum distros. (@jaredledvina) + +### Changed +- Switched from Gitter to `#ansible` in the Sensu Community Slack. (@grepory) +- Bumped SSL tools version to 1.2 by default. (@marji) +- Update 'Generate SSL Certs' to support Ansible 2.4. 
(@tculp) + +## [1.2.0] - 2017-05-13 +### Added +- RedHat support +- Sensu enterprise support + - Adds a few other minor features as well, such as the ability to toggle rabbitmq's SSL +- Uchiwa HA support + +### Changed +- Rely on the existing sensu repositories to install Uchiwa +- Use the FreeBSD repository +- Update documentation to note Ubuntu 15's EOL +- Allow overriding the use of EPEL on CentOS/RedHat + +### Fixed +- Make sure any local directories that are assumed to exist actually do + +## [1.1.0] - 2017-04-03 +### Added +- Toggle for SSL cert management + +### Changed +- Updated repository URLs and versions for all platforms + +### Fixed +- Fixed behaivor changed by recent versions of Ansible + +## 1.0.0 - 2017-02-14 + +First tagged release, starting at 1.0.0 since the project can be considered stable at this point. + +[Unreleased]: https://github.com/sensu/sensu-ansible/compare/5.2.0...HEAD +[5.2.0]: https://github.com/sensu/sensu-ansible/compare/5.1.0...5.2.0 +[5.1.0]: https://github.com/sensu/sensu-ansible/compare/5.0.2...5.1.0 +[5.0.2]: https://github.com/sensu/sensu-ansible/compare/5.0.1...5.0.2 +[5.0.1]: https://github.com/sensu/sensu-ansible/compare/5.0.0...5.0.1 +[5.0.0]: https://github.com/sensu/sensu-ansible/compare/4.0.0...5.0.0 +[4.0.0]: https://github.com/sensu/sensu-ansible/compare/3.0.0...4.0.0 +[3.0.0]: https://github.com/sensu/sensu-ansible/compare/2.7.0...3.0.0 +[2.7.0]: https://github.com/sensu/sensu-ansible/compare/2.6.0...2.7.0 +[2.6.0]: https://github.com/sensu/sensu-ansible/compare/2.5.0...2.6.0 +[2.5.0]: https://github.com/sensu/sensu-ansible/compare/2.4.0...2.5.0 +[2.4.0]: https://github.com/sensu/sensu-ansible/compare/2.3.0...2.4.0 +[2.3.0]: https://github.com/sensu/sensu-ansible/compare/2.2.0...2.3.0 +[2.2.0]: https://github.com/sensu/sensu-ansible/compare/2.1.0...2.2.0 +[2.1.0]: https://github.com/sensu/sensu-ansible/compare/2.0.0...2.1.0 +[2.0.0]: https://github.com/sensu/sensu-ansible/compare/1.2.0...2.0.0 +[1.2.0]: 
https://github.com/sensu/sensu-ansible/compare/1.1.0...1.2.0 +[1.1.0]: https://github.com/sensu/sensu-ansible/compare/1.0.0...1.1.0 diff --git a/roles/sensu.sensu/LICENSE b/roles/sensu.sensu/LICENSE new file mode 100644 index 0000000..c9b44cb --- /dev/null +++ b/roles/sensu.sensu/LICENSE @@ -0,0 +1,18 @@ +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/sensu.sensu/README.md b/roles/sensu.sensu/README.md new file mode 100644 index 0000000..16ccb05 --- /dev/null +++ b/roles/sensu.sensu/README.md 
@@ -0,0 +1,85 @@ +# Sensu [![Ansible Galaxy](https://img.shields.io/badge/galaxy-sensu.sensu-660198.svg?style=flat)](https://galaxy.ansible.com/sensu/sensu/) [![Build Status](https://travis-ci.org/sensu/sensu-ansible.svg?branch=master)](https://travis-ci.org/sensu/sensu-ansible) + +[![Join the chat at https://slack.sensu.io/](https://slack.sensu.io/badge.svg)](https://slack.sensu.io/) + +This role deploys a full [Sensu](https://sensu.io) stack, a modern, open source monitoring framework. + +## Features +- Deploy a full [Sensu](https://sensu.io) stack, including RabbitMQ, redis, and the [Uchiwa dashboard](https://uchiwa.io/#/) +- Full support for [Sensu Enterprise](https://sensu.io/products/enterprise) +- Tight integration with the Ansible inventory - deployment of monitoring checks based on inventory grouping +- Fine grained control over dynamic client configurations +- Remote plugin deployment +- Automatic generation and dynamic deployment of SSL certs for secure communication between your clients and servers +- Highly configurable + +## Batteries included, but not imposed +Along with deploying the Sensu Server, API and clients, this role can deploy a full stack: [RabbitMQ](http://www.rabbitmq.com/), [redis](http://redis.io), and the [Uchiwa dashboard](https://uchiwa.io/#/). +However, if you want to rely on other roles/management methods to deploy/manage these services, [it's nice and easy to integrate this role](http://ansible-sensu.readthedocs.io/en/latest/integration/). + +## Documentation [![Documentation](https://readthedocs.org/projects/ansible-sensu/badge/?version=latest)](http://ansible-sensu.readthedocs.io/en/latest/) +[Read the full documentation](http://ansible-sensu.readthedocs.io/en/latest/) for a comprehensive overview of this role and its powerful features. + +## Requirements +This role requires: +- A supported version of Ansible, see [Ansible version support](#ansible-version-support) for details. 
+- The `dynamic_data_store` variable to be set: see [Dynamic Data Store](http://ansible-sensu.readthedocs.io/en/latest/dynamic_data/) +- If `sensu_include_plugins` is true (the default), the `static_data_store` variable needs to be set: see [Check Deployment](http://ansible-sensu.readthedocs.io/en/latest/dynamic_checks/) + +## Supported Platforms +### Automatically tested via TravisCI + +- [CentOS - 6](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.9) +- [CentOS - 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7) +- [Debian - 8 (Jessie)](https://wiki.debian.org/DebianJessie) +- [Debian - 9 (Stretch)](https://wiki.debian.org/DebianStretch) +- [Ubuntu - 14.04 (Trusty Tahr)](http://releases.ubuntu.com/14.04/) +- [Ubuntu - 16.04 (Xenial Xerus)](http://releases.ubuntu.com/16.04/) +- [Fedora - 26](https://docs.fedoraproject.org/f26/release-notes/) +- [Fedora - 27](https://docs.fedoraproject.org/f27/release-notes/) +- [Fedora - 28](https://docs.fedoraproject.org/f28/release-notes/) +- [Amazon Linux](https://aws.amazon.com/amazon-linux-ami/) +- [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/) + +### Supported manually (compatibility not always guaranteed) +- [SmartOS - base-64 15.x.x](https://docs.joyent.com/images/smartos/base#version-15xx) +- [FreeBSD - 10.3, 11.0 (64-bit only)](https://www.freebsd.org/releases/10.2R/relnotes.html) +- [OpenBSD - 6.2](https://www.openbsd.org/62.html) + +## Role Variables + +See [Role Variables](http://ansible-sensu.readthedocs.io/en/latest/role_variables/) for a detailed list of the variables this role uses + +## Example Playbook + +``` yaml + - hosts: all + roles: + - role: sensu.sensu +``` +Or, passing parameter values: + +``` yaml + - hosts: sensu_masters + roles: + - { role: sensu.sensu, sensu_master: true, sensu_include_dashboard: true } +``` + +## Ansible version support +All changes to this role are actively tested against Ansible 2.6 and 2.7 at this time. Ansible 2.5 is required at a minimum. 
+ + +License +------- +MIT + +Author Information +------------------ +Originally created by [Calum MacRae](http://cmacr.ae) and supported by the [Sensu Community Ansible Maintainers](https://github.com/sensu-plugins/community/#maintained-areas) + +### Contributors +See the projects [Contributors page](https://github.com/sensu/sensu-ansible/graphs/contributors) + +Feel free to: +[Raise an issue](https://github.com/sensu/sensu-ansible/issues) +[Contribute](https://github.com/sensu/sensu-ansible/pulls) diff --git a/roles/sensu.sensu/defaults/main.yml b/roles/sensu.sensu/defaults/main.yml new file mode 100644 index 0000000..eec777d --- /dev/null +++ b/roles/sensu.sensu/defaults/main.yml 
@@ -0,0 +1,126 @@
+---
+# Sensu enterprise credential
+# Variables for Sensu Enterprise License
+se_enterprise: false
+se_user: ''
+se_pass: ''
+
+# Sensu package
+sensu_package: sensu
+sensu_enterprise_package: sensu-enterprise
+sensu_enterprise_dashboard_package: sensu-enterprise-dashboard
+
+# Sensu repo urls
+sensu_yum_repo_url: "https://sensu.global.ssl.fastly.net/yum/$releasever/$basearch/"
+sensu_yum_key_url: "https://sensu.global.ssl.fastly.net/yum/pubkey.gpg"
+sensu_apt_repo_url: "deb https://repositories.sensuapp.org/apt {{ ansible_distribution_release }} main"
+sensu_apt_key_url: "https://sensu.global.ssl.fastly.net/apt/pubkey.gpg"
+sensu_freebsd_url: "https://sensu.global.ssl.fastly.net/freebsd/FreeBSD:{{ ansible_distribution_major_version }}:{{ ansible_architecture }}/"
+sensu_ol_yum_repo_url: "https://dl.fedoraproject.org/pub/epel/$releasever/$basearch/"
+sensu_ol_yum_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-$releasever"
+
+# Sensu service names
+sensu_server_service_name: sensu-server
+sensu_api_service_name: sensu-api
+sensu_client_service_name: sensu-client
+sensu_enterprise_service_name: sensu-enterprise
+sensu_enterprise_dashboard_service_name: sensu-enterprise-dashboard
+uchiwa_service_name: uchiwa
+
+# Service deployment options
+sensu_deploy_rabbitmq_server: true
+sensu_deploy_redis_server: true
+
+# RabbitMQ server properties
+sensu_rabbitmq_config_path: /etc/rabbitmq
+sensu_rabbitmq_config_template: rabbitmq.config.j2
+sensu_rabbitmq_enable_ssl: true
+sensu_rabbitmq_host: "{{ groups['sensu_rabbitmq_servers'][0] }}"
+sensu_rabbitmq_port: 5671
+sensu_rabbitmq_pkg_state: present
+sensu_rabbitmq_server: false
+sensu_rabbitmq_service_name: rabbitmq-server
+sensu_rabbitmq_user_name: sensu
+sensu_rabbitmq_password: sensu
+sensu_rabbitmq_vhost: /sensu
+
+# redis server properties
+sensu_redis_host: "{{ groups['sensu_redis_servers'][0] }}"
+sensu_redis_server: false
+sensu_redis_service_name: redis
+sensu_redis_pkg_repo: ~
+sensu_redis_pkg_name: redis
+sensu_redis_pkg_state: present
+sensu_redis_port: 6379
+sensu_redis_password:
+sensu_redis_sentinels: []
+sensu_redis_master_name:
+sensu_redis_config: sensu-redis.json.j2
+
+# Sensu/Uchiwa user/group/service properties
+sensu_api_host: "{{ groups['sensu_masters'][0] }}"
+sensu_api_port: 4567
+sensu_api_ssl: "false"
+sensu_api_user_name: admin
+sensu_api_password: secret
+sensu_api_uchiwa_path: ''
+sensu_api_timeout: 5000
+sensu_client_config: client.json.j2
+sensu_rabbitmq_config: sensu-rabbitmq.json.j2
+sensu_config_path: /etc/sensu
+sensu_pkg_state: present
+sensu_gem_state: present
+sensu_plugin_gem_state: present
+sensu_group_name: sensu
+sensu_include_plugins: true
+sensu_include_dashboard: false
+sensu_master: false
+sensu_client: true
+sensu_user_name: sensu
+sensu_remote_plugins: []
+sensu_transport: rabbitmq
+sensu_client_name: "{{ ansible_hostname }}"
+sensu_client_subscriptions: "{{ group_names }}"
+sensu_client_keepalive_handlers:
+ - default
+sensu_client_keepalive_threshold_warning: 120
+sensu_client_keepalive_threshold_critical: 180
+sensu_client_safe_mode: false
+sensu_deploy_rabbitmq_config: true
+sensu_deploy_redis_config: true
+sensu_deploy_transport_config: true
+sensu_enable_tessen: false
+
+# Sensu/RabbitMQ SSL certificate properties
+sensu_ssl_gen_certs: true
+sensu_ssl_deploy_remote_src: false
+sensu_ssl_manage_certs: true
+sensu_master_config_path: "{{ hostvars[groups['sensu_masters'][0]]['sensu_config_path'] | default('/etc/sensu') }}"
+sensu_ssl_tool_base_path: "{{ dynamic_data_store }}/{{ groups['sensu_masters'][0] }}{{ sensu_master_config_path }}/ssl_generation/sensu_ssl_tool"
+sensu_ssl_client_cert: "{{ sensu_ssl_tool_base_path }}/client/cert.pem"
+sensu_ssl_client_key: "{{ sensu_ssl_tool_base_path }}/client/key.pem"
+sensu_ssl_server_cacert: "{{ sensu_ssl_tool_base_path }}/sensu_ca/cacert.pem"
+sensu_ssl_server_cert: "{{ sensu_ssl_tool_base_path }}/server/cert.pem"
+sensu_ssl_server_key: "{{ sensu_ssl_tool_base_path }}/server/key.pem"
+dynamic_data_store: "{{ playbook_dir }}/data/store"
+static_data_store: "{{ playbook_dir }}/data/static"
+
+# Uchiwa properties
+sensu_uchiwa_dc_name: ~
+sensu_uchiwa_path: /opt/uchiwa
+sensu_uchiwa_redis_use_ssl: false
+sensu_uchiwa_users:
+ - username: admin
+ password: admin
+sensu_uchiwa_port: 3000
+sensu_uchiwa_refresh: 5
+sensu_uchiwa_api_port: "{{ sensu_api_port }}"
+sensu_uchiwa_auth_privatekey: ~
+sensu_uchiwa_auth_publickey: ~
+
+# CentOS repository for redis and rabbitmq
+sensu_centos_repository: epel
+
+# Internal settings
+__bash_path: /bin/bash
+__root_group: root
diff --git a/roles/sensu.sensu/handlers/main.yml b/roles/sensu.sensu/handlers/main.yml
new file mode 100644
index 0000000..4762243
--- /dev/null
+++ b/roles/sensu.sensu/handlers/main.yml
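Review bot: The shipped defaults carry working credentials — `sensu_rabbitmq_password: sensu`, `sensu_api_password: secret` and the `sensu_uchiwa_users` entry with `username: admin` / `password: admin` — while `sensu_redis_password:` is a bare key that loads as null, so a host that only flips `sensu_master: true` comes up with guessable RabbitMQ, API and dashboard logins. This appears to be a vendored Galaxy copy of the role (the `.galaxy_install_info` file later in the patch suggests so), so the override belongs in the consuming inventory — group_vars for `sensu_masters`, ideally vault-encrypted — rather than in this file; a comment above the RabbitMQ block such as `# Placeholder credentials: override sensu_rabbitmq_password, sensu_api_password and sensu_uchiwa_users in group_vars` would make that expectation visible. Separately, `sensu_api_ssl: "false"` is a quoted string while every other flag in the file is a real boolean; if a template renders it as text that is deliberate, otherwise it is worth confirming how the consumer tests it before relying on it to mean "off".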
@@ -0,0 +1,69 @@
+---
+
+- name: restart rabbitmq service
+ service:
+ name: "{{ sensu_rabbitmq_service_name }}"
+ state: restarted
+
+- name: restart redis service
+ service:
+ name: "{{ sensu_redis_service_name }}"
+ pattern: /usr/bin/redis-server
+ state: restarted
+
+- name: restart uchiwa service
+ service:
+ name: "{{ uchiwa_service_name }}"
+ state: restarted
+
+- name: restart sensu-server service
+ service:
+ name: "{{ sensu_server_service_name }}"
+ state: restarted
+ when: sensu_master and not se_enterprise
+
+- name: restart sensu-api service
+ service:
+ name: "{{ sensu_api_service_name }}"
+ state: restarted
+ when: sensu_master and not se_enterprise
+
+- name: restart sensu-client service
+ service:
+ name: "{{ sensu_client_service_name }}"
+ state: restarted
+
+- name: restart sensu-enterprise service
+ service:
+ name: "{{ sensu_enterprise_service_name }}"
+ state: restarted
+ when: se_enterprise and sensu_master
+
+- name: restart sensu-enterprise-dashboard service
+ service:
+ name: "{{ sensu_enterprise_dashboard_service_name }}"
+ state: restarted
+ when: se_enterprise and sensu_master
+
+# Joyent SmartOS specific handlers
+- name: import sensu-server service
+ command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/sensu-server.xml
+
+- name: import sensu-api service
+ command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/sensu-api.xml
+
+- name: import sensu-client service
+ command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/sensu-client.xml
+
+- name: import uchiwa service
+ command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/uchiwa.xml
+
+- name: Build and deploy Uchiwa
+ command: npm install --production
+ args:
+ chdir: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa"
+ become: true
+ become_user: "{{ sensu_user_name }}"
+
+- name: Update pkgng database
+ command: /usr/sbin/pkg update
diff --git a/roles/sensu.sensu/meta/.galaxy_install_info b/roles/sensu.sensu/meta/.galaxy_install_info new file mode 100644 index 0000000..3994e10 --- /dev/null +++ b/roles/sensu.sensu/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Sun Apr 28 17:44:58 2019 +version: 5.2.0 diff --git a/roles/sensu.sensu/meta/main.yml b/roles/sensu.sensu/meta/main.yml new file mode 100644 index 0000000..834a880 --- /dev/null +++ b/roles/sensu.sensu/meta/main.yml @@ -0,0 +1,39 @@ +--- +galaxy_info: + author: Calum MacRae + description: Deploy a full Sensu monitoring stack; including redis, RabbitMQ & the Uchiwa dashboard + license: MIT + min_ansible_version: 2.5 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Ubuntu + versions: + - trusty + - vivid + - name: Debian + versions: + - jessie + - stretch + - name: Fedora + versions: + - 26 + - 27 + - 28 + + galaxy_tags: + - cloud + - monitoring + - system + - web + - sensu + - rabbitmq + - redis + - metrics + - amqp + - alerting + - stack + - dashboard +dependencies: [] diff --git a/roles/sensu.sensu/tasks/Amazon/dashboard.yml b/roles/sensu.sensu/tasks/Amazon/dashboard.yml new file mode 100644 index 0000000..ad93db8 --- /dev/null +++ b/roles/sensu.sensu/tasks/Amazon/dashboard.yml @@ -0,0 +1,21 @@ +--- +# tasks/Amazon/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to CentOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Ensure Uchiwa is installed + tags: dashboard + yum: + name: uchiwa + state: present + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_config_path }}/uchiwa.json" + notify: restart uchiwa service diff --git a/roles/sensu.sensu/tasks/Amazon/main.yml b/roles/sensu.sensu/tasks/Amazon/main.yml new file mode 100644 index 0000000..8aa3568 --- /dev/null +++ b/roles/sensu.sensu/tasks/Amazon/main.yml 
@@ -0,0 +1,30 @@ +--- +# tasks/Amazon/main.yml: CentOS specific set-up +# This takes care of base prerequisites for Amazon Linux AMI + +- name: Include ansible_distribution vars + tags: setup + include_vars: + file: "{{ ansible_distribution }}.yml" + +- name: Set epel_version override when AmazonLinux AMIv2 + tags: setup + set_fact: + epel_version: 7 + when: ansible_distribution_version == 'Candidate' + +- name: Ensure the Sensu Core Yum repo is present + tags: setup + yum_repository: + name: sensu + description: The Sensu Core yum repository + baseurl: "{{ sensu_yum_repo_url }}" + gpgkey: "{{ sensu_yum_key_url }}" + gpgcheck: yes + enabled: yes + +- name: Ensure Sensu is installed + tags: setup + yum: + name: "{{ sensu_package }}" + state: "{{ sensu_pkg_state }}" diff --git a/roles/sensu.sensu/tasks/Amazon/rabbit.yml b/roles/sensu.sensu/tasks/Amazon/rabbit.yml new file mode 100644 index 0000000..97db57d --- /dev/null +++ b/roles/sensu.sensu/tasks/Amazon/rabbit.yml 
@@ -0,0 +1,66 @@ +--- +# tasks/Amazon/rabbit.yml: Deploy RabbitMQ +# Specific to Amazon Linux + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Configure RabbitMQ/RabbitMQ-erlang GPG keys in the RPM keyring + tags: rabbitmq + rpm_key: + key: "{{ sensu_rabbitmq_signing_key }}" + state: present + register: sensu_rabbitmq_import_key + +- name: Add RabbitMQ's repo + tags: rabbitmq + yum_repository: + name: rabbitmq + description: rabbitmq + baseurl: "{{ sensu_rabbitmq_baseurl }}" + gpgcheck: yes + gpgkey: "{{ sensu_rabbitmq_signing_key }}" + repo_gpgcheck: no + +- name: Add RabbitMQ's Erlang repo + tags: rabbitmq + yum_repository: + name: rabbitmq-erlang + description: rabbitmq-erlang + baseurl: "{{ sensu_rabbitmq_erlang_baseurl }}" + gpgcheck: yes + gpgkey: "{{ sensu_rabbitmq_erlang_signing_key }}" + repo_gpgcheck: no + +# HACK: https://github.com/ansible/ansible/issues/20711#issuecomment-306260869 +# Can be removed once we're running w/ a version of Ansible that has https://github.com/ansible/ansible/pull/35989 +- name: Make yum cache to import GPG keys + tags: rabbitmq + command: "yum -q makecache -y --disablerepo='*' --enablerepo='{{ item }}'" + args: + warn: false + when: sensu_rabbitmq_import_key.changed + loop: + - rabbitmq + - rabbitmq-erlang + +# Hard dependency for rabbitmq-server, however, typically comes from EPEL, so +# we simply install it here, as we purposely disable epel when installing rabbitmq +# causing dependency issues during installs +- name: Ensure socat is installed + tags: rabbitmq + yum: + name: socat + state: present + +- name: Ensure Erlang & RabbitMQ are installed + tags: rabbitmq + yum: + name: + - erlang + - rabbitmq-server + state: present + enablerepo: rabbitmq,rabbitmq-erlang + disablerepo: '*' diff --git a/roles/sensu.sensu/tasks/Amazon/redis.yml b/roles/sensu.sensu/tasks/Amazon/redis.yml new file mode 100644 index 0000000..8fdd9dc --- /dev/null 
+++ b/roles/sensu.sensu/tasks/Amazon/redis.yml @@ -0,0 +1,29 @@ +--- +# tasks/Amazon/redis.yml: Deploy redis +# Specific to Amazon Linux AMI + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Install EPEL repo + tags: redis + yum: + name: "{{ epel_repo_rpm }}" + state: present + when: enable_epel_repo + +- name: Ensure redis is installed + tags: redis + yum: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + enablerepo: epel + +- name: Ensure redis binds to accessible IP + tags: redis + lineinfile: + dest: /etc/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' diff --git a/roles/sensu.sensu/tasks/CentOS/dashboard.yml b/roles/sensu.sensu/tasks/CentOS/dashboard.yml new file mode 100644 index 0000000..5ad39d2 --- /dev/null +++ b/roles/sensu.sensu/tasks/CentOS/dashboard.yml @@ -0,0 +1,41 @@ +--- +# tasks/CentOS/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to CentOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Ensure Uchiwa is installed + tags: dashboard + package: + name: uchiwa + state: present + when: not se_enterprise + +- name: Ensure Sensu Enterprise Dashboard is installed + tags: dashboard + package: + name: "{{ sensu_enterprise_dashboard_package }}" + state: present + when: se_enterprise + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_config_path }}/uchiwa.json" + when: not se_enterprise + notify: + - restart uchiwa service + + +- name: Deploy Sensu Enterprise Dashboard + tags: dashboard + template: + src: sensu_enterprise_dashboard_config.json.j2 + dest: "{{ sensu_config_path }}/dashboard.json" + when: se_enterprise + notify: + - restart sensu-enterprise-dashboard service 
diff --git a/roles/sensu.sensu/tasks/CentOS/main.yml b/roles/sensu.sensu/tasks/CentOS/main.yml new file mode 100644 index 0000000..41bfebb --- /dev/null +++ b/roles/sensu.sensu/tasks/CentOS/main.yml 
@@ -0,0 +1,83 @@ +--- +# tasks/CentOS/main.yml: CentOS specific set-up +# This takes care of base prerequisites for CentOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: setup + +- name: Ensure the Sensu Core Yum repo is present + tags: setup + yum_repository: + name: sensu + description: The Sensu Core yum repository + baseurl: "{{ sensu_yum_repo_url }}" + gpgkey: "{{ sensu_yum_key_url }}" + gpgcheck: "{{ ( + (ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux') and + ansible_distribution_major_version == '5' + ) | ternary('no', 'yes') }}" + enabled: yes + +- name: Ensure the epel present for OracleLinux + tags: setup + yum_repository: + name: epel + description: EPEL YUM repo + baseurl: "{{ sensu_ol_yum_repo_url }}" + gpgkey: "{{ sensu_ol_yum_key_url }}" + enabled: yes + when: ansible_distribution == 'OracleLinux' + +- name: Ensure that credential is supplied if installing Sensu Enterprise + tags: setup + assert: + that: + - "se_user != ''" + - "se_pass != ''" + msg: Sensu enterprise credential must not be empty. Did you forget to set se_user and se_pass? 
+ when: se_enterprise + +- name: Ensure the Sensu Enterprise repo is present + tags: setup + copy: + dest: /etc/yum.repos.d/sensu-enterprise.repo + content: | + [sensu-enterprise] + name=sensu-enterprise + baseurl=http://{{ se_user }}:{{ se_pass }}@enterprise.sensuapp.com/yum/noarch/ + gpgcheck=0 + enabled=1 + owner: root + group: root + mode: 0644 + when: se_enterprise + +- name: Ensure the Sensu Enterprise Dashboard repo is present + tags: setup + copy: + dest: /etc/yum.repos.d/sensu-enterprise-dashboard.repo + content: | + [sensu-enterprise-dashboard] + name=sensu-enterprise-dashboard + baseurl=http://{{ se_user }}:{{ se_pass }}@enterprise.sensuapp.com/yum/\$basearch/ + gpgcheck=0 + enabled=1 + owner: root + group: root + mode: 0644 + when: se_enterprise + +- name: Ensure Sensu is installed + tags: setup + package: + name: "{{ sensu_package }}" + state: "{{ sensu_pkg_state }}" + +- name: Ensure Sensu Enterprise is installed + tags: setup + package: + name: "{{ sensu_enterprise_package }}" + state: "{{ sensu_pkg_state }}" + when: se_enterprise diff --git a/roles/sensu.sensu/tasks/CentOS/rabbit.yml b/roles/sensu.sensu/tasks/CentOS/rabbit.yml new file mode 100644 index 0000000..055e662 --- /dev/null +++ b/roles/sensu.sensu/tasks/CentOS/rabbit.yml 
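Review bot: The two `copy` tasks for the Sensu Enterprise repos write the licence credential into `baseurl=http://{{ se_user }}:{{ se_pass }}@enterprise.sensuapp.com/...` with `gpgcheck=0`, so when `se_enterprise` is true the secret travels in cleartext on every yum transaction, sits world-readable in `/etc/yum.repos.d/` because of `mode: 0644`, and the packages pulled from that repo are never signature-checked. If this is a vendored copy of the role the real fix belongs upstream, but the consuming playbook can keep `se_enterprise` at its default of `false` or, if it is enabled, treat `se_pass` as a vault secret and tighten the file to `mode: 0600` on both tasks. A comment above the first copy task, `# Credential is embedded in the repo URL and sent over plain http; keep se_pass in vault and restrict this file's mode`, would record the risk for whoever enables the enterprise path. The hunk continues below with the unrelated package-install tasks.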
@@ -0,0 +1,66 @@ +--- +# tasks/CentOS/rabbit.yml: Deploy RabbitMQ +# Specific to CentOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Configure RabbitMQ GPG keys in the RPM keyring + tags: rabbitmq + rpm_key: + key: "{{ sensu_rabbitmq_signing_key }}" + state: present + register: sensu_rabbitmq_import_key + +- name: Add RabbitMQ's repo + tags: rabbitmq + yum_repository: + name: rabbitmq + description: rabbitmq + baseurl: "{{ sensu_rabbitmq_baseurl }}" + gpgcheck: yes + gpgkey: "{{ sensu_rabbitmq_signing_key }}" + repo_gpgcheck: no + +- name: Add RabbitMQ's Erlang repo + tags: rabbitmq + yum_repository: + name: rabbitmq-erlang + description: rabbitmq-erlang + baseurl: "{{ sensu_rabbitmq_erlang_baseurl }}" + gpgcheck: yes + gpgkey: "{{ sensu_rabbitmq_erlang_signing_key }}" + repo_gpgcheck: no + +# HACK: https://github.com/ansible/ansible/issues/20711#issuecomment-306260869 +# Can be removed once we're running w/ a version of Ansible that has https://github.com/ansible/ansible/pull/35989 +- name: Make yum cache to import GPG keys + tags: rabbitmq + command: "yum -q makecache -y --disablerepo='*' --enablerepo='{{ item }}'" + args: + warn: false + when: sensu_rabbitmq_import_key.changed + loop: + - rabbitmq + - rabbitmq-erlang + +# Hard dependency for rabbitmq-server, however, typically comes from EPEL, so +# we simply install it here, as we purposely disable epel when installing rabbitmq +# causing dependency issues during installs +- name: Ensure socat is installed + tags: rabbitmq + yum: + name: socat + state: present + +- name: Ensure Erlang & RabbitMQ are installed + tags: rabbitmq + yum: + name: + - erlang + - rabbitmq-server + state: present + enablerepo: rabbitmq,rabbitmq-erlang + disablerepo: epel diff --git a/roles/sensu.sensu/tasks/CentOS/redis.yml b/roles/sensu.sensu/tasks/CentOS/redis.yml new file mode 100644 index 0000000..28a7bd0 --- /dev/null 
+++ b/roles/sensu.sensu/tasks/CentOS/redis.yml @@ -0,0 +1,29 @@ +--- +# tasks/CentOS/redis.yml: Deploy redis +# Specific to CentOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Install EPEL repo + tags: redis + yum: + name: epel-release + state: present + when: enable_epel_repo + +- name: Ensure redis is installed + tags: redis + yum: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + enablerepo: "{{ sensu_centos_repository }}" + +- name: Ensure redis binds to accessible IP + tags: redis + lineinfile: + dest: /etc/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' diff --git a/roles/sensu.sensu/tasks/Debian/dashboard.yml b/roles/sensu.sensu/tasks/Debian/dashboard.yml new file mode 100644 index 0000000..9ae01d2 --- /dev/null +++ b/roles/sensu.sensu/tasks/Debian/dashboard.yml @@ -0,0 +1,21 @@ +--- +# tasks/Debian/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to Debian + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Install uchiwa + tags: dashboard + apt: + name: uchiwa + state: present + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_config_path }}/uchiwa.json" + notify: restart uchiwa service diff --git a/roles/sensu.sensu/tasks/Debian/main.yml b/roles/sensu.sensu/tasks/Debian/main.yml new file mode 100644 index 0000000..44177da --- /dev/null +++ b/roles/sensu.sensu/tasks/Debian/main.yml 
@@ -0,0 +1,41 @@ +--- +# tasks/Debian/main.yml: Debian specific set-up +# This takes care of base prerequisites for Debian + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: setup + +- name: Ensure apt-transport-https is installed + tags: setup + apt: + name: apt-transport-https + state: present + cache_valid_time: 3600 + update_cache: true + +- name: Ensure that gnupg is installed for apt_key + tags: setup + apt: + name: gnupg + state: present + +- name: Ensure the Sensu APT repo GPG key is present + tags: setup + apt_key: + url: "{{ sensu_apt_key_url }}" + state: present + +- name: Ensure the Sensu Core APT repo is present + tags: setup + apt_repository: + repo: "{{ sensu_apt_repo_url }}" + state: present + update_cache: true + +- name: Ensure Sensu is installed + tags: setup + apt: + name: "{{ sensu_package }}" + state: "{{ sensu_pkg_state }}" diff --git a/roles/sensu.sensu/tasks/Debian/rabbit.yml b/roles/sensu.sensu/tasks/Debian/rabbit.yml new file mode 100644 index 0000000..841c658 --- /dev/null +++ b/roles/sensu.sensu/tasks/Debian/rabbit.yml 
@@ -0,0 +1,53 @@ +--- +# tasks/Debian/rabbit.yml: Deploy RabbitMQ +# Specific to Debian + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Ensure the RabbitMQ APT repo GPG key is present + tags: rabbitmq + apt_key: + url: "{{ sensu_rabbitmq_signing_key }}" + state: present + +- name: Ensure the RabbitMQ APT repo is present + tags: rabbitmq + apt_repository: + repo: "{{ sensu_rabbitmq_repo }}" + filename: rabbitmq + state: present + update_cache: true + +- name: Ensure Erlang APT preferences is configured + tags: rabbitmq + template: + src: erlang-apt-preferences.j2 + dest: /etc/apt/preferences.d/erlang + owner: root + group: root + mode: 0755 + +- name: Ensure the Erlang APT repo GPG key is present + tags: rabbitmq + apt_key: + url: "{{ sensu_rabbitmq_erlang_signing_key }}" + state: present + +- name: Ensure the Erlang APT repo is present + tags: rabbitmq + apt_repository: + repo: "{{ sensu_rabbitmq_erlang_repo }}" + filename: erlang + state: present + update_cache: true + +- name: Ensure RabbitMQ is installed + tags: rabbitmq + apt: + name: rabbitmq-server + state: "{{ sensu_rabbitmq_pkg_state }}" + cache_valid_time: 600 + update_cache: true diff --git a/roles/sensu.sensu/tasks/Debian/redis.yml b/roles/sensu.sensu/tasks/Debian/redis.yml new file mode 100644 index 0000000..3592f60 --- /dev/null +++ b/roles/sensu.sensu/tasks/Debian/redis.yml 
@@ -0,0 +1,26 @@ +--- +# tasks/Debian/redis.yml: Deploy redis +# Specific to Debian + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Ensure redis is installed + tags: redis + apt: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + update_cache: true + +- name: Ensure redis binds to accessible IP + tags: redis + lineinfile: + dest: /etc/redis/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' + notify: restart redis service + +- meta: flush_handlers + tags: redis diff --git a/roles/sensu.sensu/tasks/Fedora/dashboard.yml b/roles/sensu.sensu/tasks/Fedora/dashboard.yml new file mode 120000 index 0000000..30ac786 --- /dev/null +++ b/roles/sensu.sensu/tasks/Fedora/dashboard.yml @@ -0,0 +1 @@ +../CentOS/dashboard.yml \ No newline at end of file diff --git a/roles/sensu.sensu/tasks/Fedora/main.yml b/roles/sensu.sensu/tasks/Fedora/main.yml new file mode 120000 index 0000000..8f9e772 --- /dev/null +++ b/roles/sensu.sensu/tasks/Fedora/main.yml @@ -0,0 +1 @@ +../CentOS/main.yml \ No newline at end of file diff --git a/roles/sensu.sensu/tasks/Fedora/rabbit.yml b/roles/sensu.sensu/tasks/Fedora/rabbit.yml new file mode 100644 index 0000000..a3783f8 --- /dev/null +++ b/roles/sensu.sensu/tasks/Fedora/rabbit.yml 
@@ -0,0 +1,66 @@ +--- +# tasks/Fedora/rabbit.yml: Deploy RabbitMQ +# Specific to Fedora + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Configure RabbitMQ GPG keys in the RPM keyring + tags: rabbitmq + rpm_key: + key: "{{ sensu_rabbitmq_signing_key }}" + state: present + register: sensu_rabbitmq_import_key + +- name: Add RabbitMQ's repo + tags: rabbitmq + yum_repository: + name: rabbitmq + description: rabbitmq + baseurl: "{{ sensu_rabbitmq_baseurl }}" + gpgcheck: yes + gpgkey: "{{ sensu_rabbitmq_signing_key }}" + repo_gpgcheck: no + +- name: Add RabbitMQ's Erlang repo + tags: rabbitmq + yum_repository: + name: rabbitmq-erlang + description: rabbitmq-erlang + baseurl: "{{ sensu_rabbitmq_erlang_baseurl }}" + gpgcheck: yes + gpgkey: "{{ sensu_rabbitmq_erlang_signing_key }}" + repo_gpgcheck: no + +# HACK: https://github.com/ansible/ansible/issues/20711#issuecomment-306260869 +# Can be removed once we're running w/ a version of Ansible that has https://github.com/ansible/ansible/pull/35989 +- name: Make yum cache to import GPG keys + tags: rabbitmq + command: "yum -q makecache -y --disablerepo='*' --enablerepo='{{ item }}'" + args: + warn: false + when: sensu_rabbitmq_import_key.changed + loop: + - rabbitmq + - rabbitmq-erlang + +# Hard dependency for rabbitmq-server, however, typically comes from EPEL, so +# we simply install it here, as we purposely disable epel when installing rabbitmq +# causing dependency issues during installs +- name: Ensure socat is installed + tags: rabbitmq + dnf: + name: socat + state: present + +- name: Ensure Erlang & RabbitMQ are installed + tags: rabbitmq + dnf: + name: + - erlang + - rabbitmq-server + state: present + enablerepo: rabbitmq,rabbitmq-erlang + disablerepo: epel diff --git a/roles/sensu.sensu/tasks/Fedora/redis.yml b/roles/sensu.sensu/tasks/Fedora/redis.yml new file mode 100644 index 0000000..952d0ca --- /dev/null 
+++ b/roles/sensu.sensu/tasks/Fedora/redis.yml @@ -0,0 +1,27 @@ +--- +# tasks/Fedora/redis.yml: Deploy redis +# Specific to Fedora + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Ensure jemalloc is installed as a dependency of Redis + tags: redis + dnf: + name: jemalloc + state: present + +- name: Ensure redis is installed + tags: redis + dnf: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + +- name: Ensure redis binds to accessible IP + tags: redis + lineinfile: + dest: /etc/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' diff --git a/roles/sensu.sensu/tasks/FreeBSD/dashboard.yml b/roles/sensu.sensu/tasks/FreeBSD/dashboard.yml new file mode 100644 index 0000000..2b4d331 --- /dev/null +++ b/roles/sensu.sensu/tasks/FreeBSD/dashboard.yml 
@@ -0,0 +1,86 @@ +--- +# tasks/FreeBSD/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to FreeBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Ensure Uchiwa (dashboard) dependencies are installed + tags: dashboard + pkgng: + name: "{{ item }}" + state: present + loop: + - go + - git + - npm + +- name: Ensure Uchiwa directory exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + recurse: true + +- name: Ensure Uchiwa Go/config directory exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}/{{ item }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + recurse: true + loop: + - etc + - go + +- name: Ensure Uchiwa GOPATH exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}/go/{{ item }}" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + state: directory + recurse: true + loop: + - bin + - pkg + - src + +- name: Fetch Uchiwa from GitHub + tags: dashboard + command: go get github.com/sensu/uchiwa + environment: + GOPATH: "{{ sensu_uchiwa_path }}/go" + args: + creates: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa" + notify: Build and deploy Uchiwa + become: true + become_user: "{{ sensu_user_name }}" + +- meta: flush_handlers + tags: dashboard + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_uchiwa_path }}/etc/config.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + notify: restart uchiwa service + +- name: Deploy Uchiwa service file + tags: dashboard + template: + src: uchiwa_freebsd.j2 + dest: "/usr/local/etc/rc.d/uchiwa" + mode: "0755" + +- name: Ensure Uchiwa server service is running + tags: dashboard + service: name=uchiwa state=started enabled=yes 
diff --git a/roles/sensu.sensu/tasks/FreeBSD/main.yml b/roles/sensu.sensu/tasks/FreeBSD/main.yml new file mode 100644 index 0000000..c521758 --- /dev/null +++ b/roles/sensu.sensu/tasks/FreeBSD/main.yml @@ -0,0 +1,53 @@ +--- +# tasks/FreeBSD/main.yml: FreeBSD specific set-up +# This takes care of base prerequisites for FreeBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: setup + +- name: Ensure the Sensu group is present + tags: setup + group: + name: "{{ sensu_group_name }}" + state: present + +- name: Ensure the Sensu user is present + tags: setup + user: + name: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + shell: /bin/false + home: "{{ sensu_config_path }}" + createhome: true + state: present + +- name: Ensure pkgng custom repo config directory exists + tags: setup + file: + path: /usr/local/etc/pkg/repos/ + state: directory + +- name: Ensure Sensu repo is configured + tags: setup + template: + src: sensu-freebsd-repo.conf.j2 + dest: /usr/local/etc/pkg/repos/sensu.conf + notify: + - Update pkgng database + +- name: Ensure prerequisite packages are installed + tags: setup + pkgng: + name: "{{ item }}" + state: present + loop: + - bash + - ca_root_nss + +- name: Ensure Sensu is installed + tags: setup + pkgng: + name: "{{ sensu_package }}" + state: "{{ sensu_pkg_state }}" diff --git a/roles/sensu.sensu/tasks/FreeBSD/rabbit.yml b/roles/sensu.sensu/tasks/FreeBSD/rabbit.yml new file mode 100644 index 0000000..44f854d --- /dev/null +++ b/roles/sensu.sensu/tasks/FreeBSD/rabbit.yml @@ -0,0 +1,14 @@ +--- +# tasks/FreeBSD/rabbit.yml: Deploy RabbitMQ +# Specific to FreeBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Ensure RabbitMQ is installed + tags: rabbitmq + pkgng: + name: rabbitmq + state: "{{ sensu_rabbitmq_pkg_state }}" 
diff --git a/roles/sensu.sensu/tasks/FreeBSD/redis.yml b/roles/sensu.sensu/tasks/FreeBSD/redis.yml new file mode 100644 index 0000000..9a821d3 --- /dev/null +++ b/roles/sensu.sensu/tasks/FreeBSD/redis.yml @@ -0,0 +1,25 @@ +--- +# tasks/FreeBSD/redis.yml: Deploy redis +# Specific to FreeBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Ensure redis is installed + tags: redis + pkgng: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + +- name: Ensure redis binds to accessible IP + tags: redis + lineinfile: + dest: /usr/local/etc/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' + notify: restart redis service + +- meta: flush_handlers + tags: redis diff --git a/roles/sensu.sensu/tasks/OpenBSD/dashboard.yml b/roles/sensu.sensu/tasks/OpenBSD/dashboard.yml new file mode 100644 index 0000000..a0735c6 --- /dev/null +++ b/roles/sensu.sensu/tasks/OpenBSD/dashboard.yml 
@@ -0,0 +1,86 @@ +--- +# tasks/OpenBSD/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to OpenBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Ensure Uchiwa (dashboard) dependencies are installed + tags: dashboard + openbsd_pkg: + name: "{{ item }}" + state: present + loop: + - go + - git + - npm + +- name: Ensure Uchiwa directory exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + recurse: true + +- name: Ensure Uchiwa Go/config directory exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}/{{ item }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + recurse: true + loop: + - etc + - go + +- name: Ensure Uchiwa GOPATH exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}/go/{{ item }}" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + state: directory + recurse: true + loop: + - bin + - pkg + - src + +- name: Fetch Uchiwa from GitHub + tags: dashboard + command: go get github.com/sensu/uchiwa + environment: + GOPATH: "{{ sensu_uchiwa_path }}/go" + args: + creates: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa" + notify: Build and deploy Uchiwa + become: true + become_user: "{{ sensu_user_name }}" + +- meta: flush_handlers + tags: dashboard + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_uchiwa_path }}/etc/config.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + notify: restart uchiwa service + +- name: Deploy Uchiwa service file + tags: dashboard + template: + src: uchiwa_openbsd.j2 + dest: "/usr/local/etc/rc.d/uchiwa" + mode: "0755" + +- name: Ensure Uchiwa server service is running + tags: dashboard + service: name=uchiwa state=started enabled=yes 
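Review bot: `Fetch Uchiwa from GitHub` runs `go get github.com/sensu/uchiwa` with no version pin, so every fresh deployment builds whatever is at the tip of the upstream default branch, and because of `creates:` an existing checkout is never updated, so hosts built at different times drift apart; SmartOS/dashboard.yml has the same task. Pinning would make the build reproducible, for example a follow-up task that checks out a role-defined tag inside `{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa` (suggested variable `sensu_uchiwa_version`) before the `Build and deploy Uchiwa` handler is flushed. At minimum a comment above the task should record that the dashboard is compiled from unpinned upstream source fetched at playbook run time.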
diff --git a/roles/sensu.sensu/tasks/OpenBSD/main.yml b/roles/sensu.sensu/tasks/OpenBSD/main.yml new file mode 100644 index 0000000..c6c763a --- /dev/null +++ b/roles/sensu.sensu/tasks/OpenBSD/main.yml @@ -0,0 +1,69 @@ +--- +# tasks/OpenBSD/main.yml: OpenBSD specific set-up +# This takes care of base prerequisites for OpenBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: setup + +- name: Ensure the Sensu group is present + tags: setup + group: name={{ sensu_group_name }} state=present + +- name: Ensure the Sensu user is present + tags: setup + user: + name: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + shell: /bin/false + home: "{{ sensu_config_path }}" + createhome: true + state: present + +- name: Install prerequisite packages + tags: setup + openbsd_pkg: + name: "{{ item }}" + state: present + loop: + - bash + - ruby%2.3 + +- name: Get the current version of rubygems + tags: setup + shell: /usr/local/bin/gem23 --version + check_mode: no + register: gem23_version + changed_when: False + +- name: Update rubygems to work around rubygems/rubygems/issues/1448 + tags: setup + shell: /usr/local/bin/gem23 update --system + when: "{{ gem23_version.stdout | version_compare('2.5.3', '<') }}" + +- name: Install sensu gem and all of its dependencies + tags: setup + gem: + name: sensu + repository: "{{ sensu_gem_repository | default('https://api.rubygems.org/') }}" + user_install: no + version: "{{ sensu_gem_version }}" + executable: /usr/local/bin/gem23 + +- name: Create the sensu log folder + tags: setup + file: + path: /var/log/sensu + owner: root + group: wheel + state: directory + +- name: Deploy OpenBSD rc script + tags: setup + template: + src: sensuclient_openbsd.j2 + dest: /etc/rc.d/sensuclient + owner: root + group: wheel + mode: 0755 diff --git a/roles/sensu.sensu/tasks/OpenBSD/rabbit.yml b/roles/sensu.sensu/tasks/OpenBSD/rabbit.yml new file mode 100644 index 0000000..1437c3b 
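Review bot: The `when:` on `Update rubygems to work around rubygems/rubygems/issues/1448` wraps the expression in `{{ }}`, which Ansible warns about as a conditional that is templated twice, and `version_compare` has been superseded by the `version` test; `when: gem23_version.stdout is version('2.5.3', '<')` expresses the same check without the delimiters. Both rubygems tasks use `shell:` although the command lines contain no shell features, so `command:` would be the safer module. The `mode: 0755` on `Deploy OpenBSD rc script` is an unquoted octal literal; `mode: "0755"` matches the quoting used by client.yml and common.yml in this commit.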
--- /dev/null +++ b/roles/sensu.sensu/tasks/OpenBSD/rabbit.yml @@ -0,0 +1,14 @@ +--- +# tasks/OpenBSD/rabbit.yml: Deploy RabbitMQ +# Specific to OpenBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Ensure RabbitMQ is installed + tags: rabbitmq + pkgng: + name: rabbitmq + state: "{{ sensu_rabbitmq_pkg_state }}" diff --git a/roles/sensu.sensu/tasks/OpenBSD/redis.yml b/roles/sensu.sensu/tasks/OpenBSD/redis.yml new file mode 100644 index 0000000..45f494c --- /dev/null +++ b/roles/sensu.sensu/tasks/OpenBSD/redis.yml @@ -0,0 +1,25 @@ +--- +# tasks/OpenBSD/redis.yml: Deploy redis +# Specific to OpenBSD + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Ensure redis is installed + tags: redis + pkgng: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + +- name: Ensure redis binds to accessible IP + tags: redis + lineinfile: + dest: /usr/local/etc/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' + notify: restart redis service + +- meta: flush_handlers + tags: redis diff --git a/roles/sensu.sensu/tasks/OracleLinux b/roles/sensu.sensu/tasks/OracleLinux new file mode 120000 index 0000000..d6b00a3 --- /dev/null +++ b/roles/sensu.sensu/tasks/OracleLinux @@ -0,0 +1 @@ +CentOS \ No newline at end of file diff --git a/roles/sensu.sensu/tasks/RedHat b/roles/sensu.sensu/tasks/RedHat new file mode 120000 index 0000000..d6b00a3 --- /dev/null +++ b/roles/sensu.sensu/tasks/RedHat @@ -0,0 +1 @@ +CentOS \ No newline at end of file diff --git a/roles/sensu.sensu/tasks/SmartOS/client.yml b/roles/sensu.sensu/tasks/SmartOS/client.yml new file mode 100644 index 0000000..75748d1 --- /dev/null +++ b/roles/sensu.sensu/tasks/SmartOS/client.yml 
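Review bot: `Ensure RabbitMQ is installed` in tasks/OpenBSD/rabbit.yml uses the `pkgng` module, which is the FreeBSD package manager, while OpenBSD/main.yml and OpenBSD/dashboard.yml in the same commit correctly use `openbsd_pkg`; OpenBSD/redis.yml has the same mistake in `Ensure redis is installed`. On an OpenBSD host these tasks will fail rather than install anything. Replacing the module name keeps the rest of each task unchanged: `openbsd_pkg:` with the same `name`/`state` arguments. The `/usr/local/etc/redis.conf` path in OpenBSD/redis.yml also looks copied from the FreeBSD file and is worth confirming against where the OpenBSD redis package installs its config.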
@@ -0,0 +1,23 @@ +--- +# tasks/SmartOS/client.yml: Deploy various client-side configurations for Sensu +# Specific to Joyent SmartOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: client + +- name: Deploy Sensu client service manifest + tags: client + template: + dest: /opt/local/lib/svc/manifest/sensu-client.xml + src: sensu-client.smartos_smf_manifest.xml.j2 + owner: root + group: root + mode: 0644 + notify: + - import sensu-client service + - restart sensu-client service + +- meta: flush_handlers + tags: client diff --git a/roles/sensu.sensu/tasks/SmartOS/dashboard.yml b/roles/sensu.sensu/tasks/SmartOS/dashboard.yml new file mode 100644 index 0000000..d4fad2e --- /dev/null +++ b/roles/sensu.sensu/tasks/SmartOS/dashboard.yml 
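Review bot: `mode: 0644` in `Deploy Sensu client service manifest` is an unquoted octal literal: YAML parses it as the integer 420, which Ansible then treats as an octal mode, so it works today, but it is the form where a dropped leading zero silently turns into a wrong mode; the same unquoted `0644`/`0755` appears in SmartOS/dashboard.yml, SmartOS/server.yml, OpenBSD/main.yml, Ubuntu/rabbit.yml, plugins.yml and rabbit.yml. The other new files in this commit (client.yml, common.yml, ssl.yml) already quote the value, so `mode: "0644"` would make the role consistent and lint-clean.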
@@ -0,0 +1,96 @@ +--- +# tasks/SmartOS/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to Joyent SmartOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Ensure Uchiwa (dashboard) dependencies are installed + tags: dashboard + pkgin: name=go state=present + +- name: Ensure Uchiwa directory exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + recurse: true + +- name: Ensure Uchiwa Go/config directory exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}/{{ item }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + recurse: true + loop: + - etc + - go + +- name: Ensure Uchiwa GOPATH exists + tags: dashboard + file: + dest: "{{ sensu_uchiwa_path }}/go/{{ item }}" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + state: directory + recurse: true + loop: + - bin + - pkg + - src + +- name: Fetch Uchiwa from GitHub + tags: dashboard + command: go get github.com/sensu/uchiwa + environment: + GOPATH: "{{ sensu_uchiwa_path }}/go" + args: + creates: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa" + notify: Build and deploy Uchiwa + become: true + become_user: "{{ sensu_user_name }}" + +- meta: flush_handlers + tags: dashboard + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_uchiwa_path }}/etc/config.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + notify: restart uchiwa service + +- name: Deploy Uchiwa service script + tags: dashboard + template: + src: uchiwa.sh.j2 + dest: /opt/local/lib/svc/method/uchiwa + owner: root + group: root + mode: 0755 + notify: restart uchiwa service + +- name: Deploy Uchiwa service manifest + tags: dashboard + template: + dest: /opt/local/lib/svc/manifest/uchiwa.xml + src: 
uchiwa.smartos_smf_manifest.xml.j2 + owner: root + group: root + mode: 0644 + notify: import uchiwa service + +- meta: flush_handlers + tags: dashboard + +- name: Ensure Uchiwa server service is running + service: name=uchiwa state=started enabled=yes + tags: dashboard diff --git a/roles/sensu.sensu/tasks/SmartOS/main.yml b/roles/sensu.sensu/tasks/SmartOS/main.yml new file mode 100644 index 0000000..ef3fcb5 --- /dev/null +++ b/roles/sensu.sensu/tasks/SmartOS/main.yml @@ -0,0 +1,36 @@ +--- +# tasks/SmartOS/main.yml: "Set-up" playbook for sensu.sensu role +# This takes care of base prerequisites for Joyent SmartOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: setup + +- name: Ensure the Sensu group is present + tags: setup + group: name={{ sensu_group_name }} state=present + +- name: Ensure the Sensu user is present + tags: setup + user: + name: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + shell: /bin/false + home: "{{ sensu_config_path }}" + createhome: true + state: present + +- name: Ensure Sensu dependencies are installed + tags: setup + pkgin: name=build-essential,ruby21-base state=present + +- name: Ensure Sensu is installed + tags: setup + gem: name=sensu state={{ sensu_gem_state }} user_install=no + notify: + - restart sensu-client service + +- name: Ensure Sensu 'plugins' gem is installed + tags: setup + gem: name=sensu-plugin state={{ sensu_plugin_gem_state }} user_install=no diff --git a/roles/sensu.sensu/tasks/SmartOS/rabbit.yml b/roles/sensu.sensu/tasks/SmartOS/rabbit.yml new file mode 100644 index 0000000..ea09994 --- /dev/null +++ b/roles/sensu.sensu/tasks/SmartOS/rabbit.yml @@ -0,0 +1,14 @@ +--- +# tasks/SmartOS/rabbit.yml: Deploy RabbitMQ +# Specific to Joyent SmartOS + +- name: Ensure RabbitMQ is installed + tags: rabbitmq + pkgin: name=rabbitmq state=present + +- name: Ensure EPMD is running + tags: rabbitmq + service: + name: epmd + state: started + enabled: true 
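Review bot: `Ensure Sensu is installed` in tasks/SmartOS/main.yml installs the `sensu` gem with only `state={{ sensu_gem_state }}` and no version, whereas OpenBSD/main.yml pins `version: "{{ sensu_gem_version }}"` and a `repository:`; on SmartOS each run therefore resolves to whatever the newest gem on the default gem source is at that moment, so hosts built at different times get different Sensu versions. Passing the same variable here, e.g. `gem: name=sensu version={{ sensu_gem_version }} state={{ sensu_gem_state }} user_install=no`, keeps the two platforms consistent; the same applies to the `sensu-plugin` gem task below it. The block-style `gem:` mapping used in OpenBSD/main.yml is also easier to read than the key=value form.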
diff --git a/roles/sensu.sensu/tasks/SmartOS/redis.yml b/roles/sensu.sensu/tasks/SmartOS/redis.yml new file mode 100644 index 0000000..7b15fce --- /dev/null +++ b/roles/sensu.sensu/tasks/SmartOS/redis.yml @@ -0,0 +1,12 @@ +--- +# tasks/SmartOS/redis.yml: Deploy redis +# Specific to Ubuntu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: redis + +- name: Ensure redis is installed + tags: redis + pkgin: name=redis state={{ sensu_redis_pkg_state }} diff --git a/roles/sensu.sensu/tasks/SmartOS/server.yml b/roles/sensu.sensu/tasks/SmartOS/server.yml new file mode 100644 index 0000000..da98d43 --- /dev/null +++ b/roles/sensu.sensu/tasks/SmartOS/server.yml @@ -0,0 +1,32 @@ +--- +# tasks/SmartOS/server.yml: Deploy the necessary configuration for +# a Sensu 'master' node. +# Specific to SmartOS + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: server + +- name: Deploy Sensu server service manifest + tags: server + template: + dest: /opt/local/lib/svc/manifest/sensu-server.xml + src: sensu-server.smartos_smf_manifest.xml.j2 + owner: root + group: root + mode: 0644 + notify: import sensu-server service + +- name: Deploy Sensu API service manifest + tags: server + template: + dest: /opt/local/lib/svc/manifest/sensu-api.xml + src: sensu-api.smartos_smf_manifest.xml.j2 + owner: root + group: root + mode: 0644 + notify: import sensu-api service + +- meta: flush_handlers + tags: server diff --git a/roles/sensu.sensu/tasks/Ubuntu/dashboard.yml b/roles/sensu.sensu/tasks/Ubuntu/dashboard.yml new file mode 100644 index 0000000..39591ee --- /dev/null +++ b/roles/sensu.sensu/tasks/Ubuntu/dashboard.yml 
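Review bot: The header comment of tasks/SmartOS/redis.yml says `# Specific to Ubuntu`, a copy-paste leftover from tasks/Ubuntu/redis.yml; it should read `# Specific to Joyent SmartOS` like the sibling SmartOS files. Unlike the FreeBSD, OpenBSD and Ubuntu variants this file never manages a `bind` address, so a one-line comment stating that the pkgin redis default configuration is relied upon as-is would save the next reader from assuming the task was forgotten.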
@@ -0,0 +1,21 @@ +--- +# tasks/Ubuntu/dashboard.yml: Deployment of the Uchiwa dashboard +# Specific to Ubuntu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: dashboard + +- name: Install Uchiwa + tags: dashboard + apt: + name: uchiwa + state: present + +- name: Deploy Uchiwa config + tags: dashboard + template: + src: uchiwa_config.json.j2 + dest: "{{ sensu_config_path }}/uchiwa.json" + notify: restart uchiwa service diff --git a/roles/sensu.sensu/tasks/Ubuntu/main.yml b/roles/sensu.sensu/tasks/Ubuntu/main.yml new file mode 100644 index 0000000..62618bd --- /dev/null +++ b/roles/sensu.sensu/tasks/Ubuntu/main.yml @@ -0,0 +1,35 @@ +--- +# tasks/Ubuntu/main.yml: Ubuntu specific set-up +# This takes care of base prerequisites for Ubuntu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: setup + +- name: Ensure that https transport is ready + tags: setup + apt: + name: apt-transport-https + state: present + cache_valid_time: 3600 + update_cache: true + +- name: Ensure the Sensu APT repo GPG key is present + tags: setup + apt_key: + url: "{{ sensu_apt_key_url }}" + state: present + +- name: Ensure the Sensu Core APT repo is present + tags: setup + apt_repository: + repo: "{{ sensu_apt_repo_url }}" + state: present + update_cache: true + +- name: Ensure Sensu is installed + tags: setup + apt: + name: "{{ sensu_package }}" + state: "{{ sensu_pkg_state }}" diff --git a/roles/sensu.sensu/tasks/Ubuntu/rabbit.yml b/roles/sensu.sensu/tasks/Ubuntu/rabbit.yml new file mode 100644 index 0000000..8e2b5a5 --- /dev/null +++ b/roles/sensu.sensu/tasks/Ubuntu/rabbit.yml 
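Review bot: `Ensure the Sensu APT repo GPG key is present` in tasks/Ubuntu/main.yml imports the key from `sensu_apt_key_url` without an `id:`, so whatever the URL serves at download time becomes trusted for package verification; both apt_key tasks in Ubuntu/rabbit.yml follow the same pattern. Adding `id: "<KEY-FINGERPRINT placeholder>"` (the key's full fingerprint, kept in the role vars next to the URL) makes apt_key reject a key that does not match and keeps the task idempotent. A comment above the task naming where the fingerprint was obtained would let reviewers verify it later.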
@@ -0,0 +1,53 @@ +--- +# tasks/Ubuntu/rabbit.yml: Deploy RabbitMQ +# Specific to Ubuntu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- name: Ensure the RabbitMQ APT repo GPG key is present + tags: rabbitmq + apt_key: + url: "{{ sensu_rabbitmq_signing_key }}" + state: present + +- name: Ensure the RabbitMQ APT repo is present + tags: rabbitmq + apt_repository: + repo: "{{ sensu_rabbitmq_repo }}" + filename: rabbitmq + state: present + update_cache: true + +- name: Ensure Erlang APT preferences is configured + tags: rabbitmq + template: + src: erlang-apt-preferences.j2 + dest: /etc/apt/preferences.d/erlang + owner: root + group: root + mode: 0755 + +- name: Ensure the Erlang APT repo GPG key is present + tags: rabbitmq + apt_key: + url: "{{ sensu_rabbitmq_erlang_signing_key }}" + state: present + +- name: Ensure the Erlang APT repo is present + tags: rabbitmq + apt_repository: + repo: "{{ sensu_rabbitmq_erlang_repo }}" + filename: erlang + state: present + update_cache: true + +- name: Ensure RabbitMQ is installed + tags: rabbitmq + apt: + name: rabbitmq-server + state: "{{ sensu_rabbitmq_pkg_state }}" + cache_valid_time: 600 + update_cache: true diff --git a/roles/sensu.sensu/tasks/Ubuntu/redis.yml b/roles/sensu.sensu/tasks/Ubuntu/redis.yml new file mode 100644 index 0000000..9dc82ec --- /dev/null +++ b/roles/sensu.sensu/tasks/Ubuntu/redis.yml 
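Review bot: `Ensure Erlang APT preferences is configured` writes `/etc/apt/preferences.d/erlang` with `mode: 0755`, i.e. an executable bit on a plain apt pinning file; `mode: "0644"` is the appropriate permission, and quoting it avoids the unquoted-octal trap. The task name should also be `Ensure Erlang APT preferences are configured`.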
@@ -0,0 +1,33 @@ +--- +# tasks/Ubuntu/redis.yml: Deploy redis +# Specific to Ubuntu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + +- name: Ensure redis is installed + apt: + name: "{{ sensu_redis_pkg_name }}" + state: "{{ sensu_redis_pkg_state }}" + update_cache: true + register: sensu_ubuntu_redis_install + + # BUG: On Ubuntu 14.04, when first installed, redis, will be started + # however, the /var/run/redis/redis-server.pid file gets lost during the restart + # causing the process to be orphaned from the init system. + # We manually stop it right after install to account for this. +- name: Stop redis manually + shell: kill $(pgrep redis-server) + when: + - sensu_ubuntu_redis_install is changed + - ansible_distribution_version == '14.04' + +- name: Ensure redis binds to accessible IP + lineinfile: + dest: /etc/redis/redis.conf + regexp: '^bind' + line: 'bind 0.0.0.0' + notify: restart redis service + +- meta: flush_handlers diff --git a/roles/sensu.sensu/tasks/client.yml b/roles/sensu.sensu/tasks/client.yml new file mode 100644 index 0000000..417da15 --- /dev/null +++ b/roles/sensu.sensu/tasks/client.yml @@ -0,0 +1,28 @@ +--- +# tasks/client.yml: Deploy various client-side configurations for Sensu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: client + +- name: Deploy Sensu client service configuration + tags: client + template: + dest: "{{ sensu_config_path }}/conf.d/client.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + src: "{{ sensu_client_config }}" + mode: "0640" + notify: restart sensu-client service + +- include_tasks: "{{ role_path }}/tasks/SmartOS/client.yml" + tags: client + when: ansible_distribution == "SmartOS" + +- name: Ensure Sensu client service is running + tags: client + service: + name: "{{ sensu_client_service_name }}" + state: started + enabled: yes 
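Review bot: None of the tasks in tasks/Ubuntu/redis.yml carry `tags: redis`, while every other redis.yml variant and the `meta: flush_handlers` in them do; since this file is pulled in through `include_tasks` (a dynamic include, whose tags are not inherited by the included tasks as far as I can tell), a run limited with `--tags redis` would likely execute the include but skip the Ubuntu tasks. Adding `tags: redis` to each of the five tasks matches the other platforms. The `# BUG:` comment block is also indented under the previous task's arguments rather than at the `- name: Stop redis manually` column it describes.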
diff --git a/roles/sensu.sensu/tasks/common.yml b/roles/sensu.sensu/tasks/common.yml new file mode 100644 index 0000000..a928290 --- /dev/null +++ b/roles/sensu.sensu/tasks/common.yml @@ -0,0 +1,57 @@ +--- +# tasks/common.yml: Deploy configurations common to client and server for Sensu + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + +- name: Ensure the Sensu config directory is present + file: + dest: "{{ sensu_config_path }}/conf.d" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + mode: "0555" + +- name: Deploy Sensu Redis configuration + template: + dest: "{{ sensu_config_path }}/conf.d/redis.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + src: "{{ sensu_redis_config }}" + mode: "0640" + when: sensu_deploy_redis_config + notify: + - restart sensu-server service + - restart sensu-api service + - restart sensu-enterprise service + - restart sensu-client service + +- name: Deploy Sensu RabbitMQ configuration + template: + dest: "{{ sensu_config_path }}/conf.d/rabbitmq.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + src: "{{ sensu_rabbitmq_config }}" + mode: "0640" + when: sensu_transport == "rabbitmq" + and sensu_deploy_rabbitmq_config + notify: + - restart sensu-server service + - restart sensu-api service + - restart sensu-enterprise service + - restart sensu-client service + +- name: Deploy Sensu transport configuration + template: + dest: "{{ sensu_config_path }}/conf.d/transport.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + src: transport.json.j2 + mode: "0640" + when: sensu_deploy_transport_config + notify: + - restart sensu-server service + - restart sensu-api service + - restart sensu-enterprise service + - restart sensu-client service diff --git a/roles/sensu.sensu/tasks/dashboard.yml b/roles/sensu.sensu/tasks/dashboard.yml new file mode 100644 index 0000000..7b64523 --- /dev/null 
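Review bot: `Ensure the Sensu config directory is present` creates `conf.d` with `mode: "0555"`, which is readable and traversable by every local user, so any credentials in the files placed there are protected only by each file's own mode. The three template tasks in this file do set `mode: "0640"`, but other tasks in the same commit that write into `conf.d` (server.yml's api.json and tessen.json, plugins.yml's definitions and client definitions) set no mode at all and inherit the remote umask. Either tighten the directory, e.g. `mode: "0750"` with the Sensu group, or add a comment here stating that every writer into `conf.d` must set an explicit file mode.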
+++ b/roles/sensu.sensu/tasks/dashboard.yml @@ -0,0 +1,12 @@ +--- +# tasks/dashboard.yml: Deployment of the Uchiwa dashboard +- name: Include ansible_distribution vars + include_tasks: "{{ role_path }}/tasks/{{ ansible_distribution }}/dashboard.yml" + tags: dashboard + +- name: Ensure Uchiwa/Sensu Enterprise Dashboard server service is running + tags: dashboard + service: + name: "{{ uchiwa_service_name if not se_enterprise else sensu_enterprise_dashboard_service_name }}" + state: started + enabled: yes diff --git a/roles/sensu.sensu/tasks/main.yml b/roles/sensu.sensu/tasks/main.yml new file mode 100644 index 0000000..3a4f805 --- /dev/null +++ b/roles/sensu.sensu/tasks/main.yml @@ -0,0 +1,45 @@ +--- +# tasks/main.yml: "Master" playbook for the sensu.sensu role + +- name: Include distribution specific variables + include_vars: + file: "{{ ansible_distribution }}.yml" + +- include_tasks: "{{ role_path }}/tasks/{{ ansible_distribution }}/main.yml" + tags: setup + when: sensu_master + or sensu_client + +- import_tasks: "redis.yml" + tags: redis + when: sensu_redis_server + and sensu_deploy_redis_server + +- import_tasks: "ssl.yml" + tags: ssl + +- import_tasks: "rabbit.yml" + tags: rabbitmq + when: sensu_rabbitmq_server + and sensu_deploy_rabbitmq_server + +- import_tasks: "common.yml" + tags: common + when: sensu_master + or sensu_client + +- import_tasks: "server.yml" + tags: server + when: sensu_master + +- import_tasks: "dashboard.yml" + tags: dashboard + when: sensu_include_dashboard + +- import_tasks: "client.yml" + tags: client + when: sensu_client + +- import_tasks: "plugins.yml" + tags: plugins + when: sensu_include_plugins diff --git a/roles/sensu.sensu/tasks/plugins.yml b/roles/sensu.sensu/tasks/plugins.yml new file mode 100644 index 0000000..f5bd81b --- /dev/null +++ b/roles/sensu.sensu/tasks/plugins.yml 
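Review bot: The task named `Include ansible_distribution vars` in tasks/dashboard.yml actually performs an `include_tasks` of the distribution-specific dashboard.yml, so the name misdescribes what appears in play output; redis.yml in this commit has the same mismatch. `- name: Include distribution-specific dashboard tasks` would read correctly. The service task below it duplicates `Ensure Uchiwa server service is running` that OpenBSD/dashboard.yml and SmartOS/dashboard.yml already run, so on those platforms the service is ensured twice per run; probably harmless, but worth a comment or dropping the per-distribution copy.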
@@ -0,0 +1,152 @@ +--- +# tasks/plugins.yml: Deploy available checks/plugins/handlers/filters/mutators + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + +- name: Ensure Sensu plugin directory exists + file: + dest: "{{ sensu_config_path }}/plugins" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + +- name: Ensure local directories exist + file: + state: directory + dest: "{{ static_data_store }}/sensu/{{ item }}" + delegate_to: localhost + become: no + run_once: true + loop: + - checks + - filters + - handlers + - mutators + - definitions + - client_definitions + - client_templates + +- name: Ensure any remote plugins defined are present + shell: umask 0022; sensu-install -p {{ item }} + loop: "{{ sensu_remote_plugins }}" + changed_when: false + when: sensu_remote_plugins | length > 0 + +- name: Register available checks + command: "ls {{ static_data_store }}/sensu/checks" + delegate_to: localhost + register: sensu_available_checks + changed_when: false + become: false + run_once: true + +- name: Deploy check plugins + copy: + src: "{{ static_data_store }}/sensu/checks/{{ item }}/" + dest: "{{ sensu_config_path }}/plugins/" + mode: 0755 + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: + - sensu_available_checks is defined + - sensu_available_checks is not skipped + - item in sensu_available_checks.stdout_lines + loop: "{{ group_names|flatten }}" + notify: restart sensu-client service + +- name: Deploy handler plugins + copy: + src: "{{ static_data_store }}/sensu/handlers/" + dest: "{{ sensu_config_path }}/plugins/" + mode: 0755 + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + notify: restart sensu-client service + +- name: Deploy filter plugins + copy: + src: "{{ static_data_store }}/sensu/filters/" + dest: "{{ sensu_config_path }}/plugins/" + mode: 0755 + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + notify: 
restart sensu-client service + +- name: Deploy mutator plugins + copy: + src: "{{ static_data_store }}/sensu/mutators/" + dest: "{{ sensu_config_path }}/plugins/" + mode: 0755 + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + notify: restart sensu-client service + +- name: Deploy check/handler/filter/mutator definitions to the master + template: + src: "{{ item }}" + dest: "{{ sensu_config_path }}/conf.d/{{ item | basename | regex_replace('.j2', '') }}" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: sensu_master + with_fileglob: + - "{{ static_data_store }}/sensu/definitions/*" + notify: + - restart sensu-server service + - restart sensu-api service + - restart sensu-enterprise service + +- name: Register available client definitions + command: "ls {{ static_data_store }}/sensu/client_definitions" + delegate_to: localhost + register: sensu_available_client_definitions + changed_when: false + become: false + run_once: true + +- name: Deploy client definitions + copy: + src: "{{ static_data_store }}/sensu/client_definitions/{{ item }}/" + dest: "{{ sensu_config_path }}/conf.d/{{ item | basename | regex_replace('.j2', '') }}" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: + - sensu_available_client_definitions is defined + - sensu_available_client_definitions is not skipped + - item in sensu_available_client_definitions.stdout_lines + loop: "{{ group_names|flatten }}" + notify: restart sensu-client service + +- name: Register available client templates + command: "ls {{ static_data_store }}/sensu/client_templates" + delegate_to: localhost + register: sensu_available_client_templates + changed_when: false + become: false + run_once: true + +- name: Deploy client template folders + file: + path: '{{ sensu_config_path }}/conf.d/{{ item | basename }}' + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: + - sensu_available_client_templates is defined + - 
sensu_available_client_templates is not skipped + - item in sensu_available_client_templates.stdout_lines + loop: "{{ group_names|flatten }}" + notify: restart sensu-client service + +- name: Deploy client templates + template: + src: "{{ static_data_store }}/sensu/client_templates/{{ item.path | dirname }}/{{ item.path | basename }}" + dest: "{{ sensu_config_path }}/conf.d/{{ item.path | dirname }}/{{ item.path | basename | regex_replace('.j2', '') }}" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + with_filetree: "{{ static_data_store }}/sensu/client_templates" + when: + - item.state == 'file' + - item.path | dirname in group_names + notify: restart sensu-client service diff --git a/roles/sensu.sensu/tasks/rabbit.yml b/roles/sensu.sensu/tasks/rabbit.yml new file mode 100644 index 0000000..aebe60a --- /dev/null +++ b/roles/sensu.sensu/tasks/rabbit.yml 
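Review bot: `Ensure any remote plugins defined are present` interpolates `{{ item }}` from `sensu_remote_plugins` straight into a `shell:` command line, so a plugin name containing shell metacharacters would be interpreted by the shell rather than passed to sensu-install; `shell: umask 0022; sensu-install -p {{ item | quote }}` keeps the umask while passing the name as a single argument. The task also sets `changed_when: false`, so installations are never reported as changes, and `sensu-install` fetches from the network with no version pin, which a comment above the task should state plainly. The enclosing file continues past this hunk only by one task, so the point applies to the whole plugins.yml.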
@@ -0,0 +1,76 @@ +--- +# tasks/rabbit.yml: Deploy RabbitMQ and set-up vhost for Sensu messaging + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: rabbitmq + +- include_tasks: "{{ ansible_distribution }}/rabbit.yml" + tags: rabbitmq + +- name: Ensure RabbitMQ SSL directory exists + tags: rabbitmq + file: + dest: "{{ sensu_rabbitmq_config_path }}/ssl" + state: directory + +- name: Ensure RabbitMQ SSL certs/keys are in place + tags: rabbitmq + copy: + src: "{{ item.src }}" + dest: "{{ sensu_rabbitmq_config_path }}/ssl/{{ item.dest }}" + remote_src: "{{ sensu_ssl_deploy_remote_src }}" + loop: + - { src: "{{ sensu_ssl_server_cacert }}", dest: cacert.pem } + - { src: "{{ sensu_ssl_server_cert }}", dest: cert.pem } + - { src: "{{ sensu_ssl_server_key }}", dest: key.pem } + notify: + - restart rabbitmq service + - restart sensu-api service + - restart sensu-server service + - restart sensu-enterprise service + when: sensu_ssl_manage_certs + +- name: Deploy RabbitMQ config + tags: rabbitmq + template: + dest: "{{ sensu_rabbitmq_config_path }}/rabbitmq.config" + src: "{{ sensu_rabbitmq_config_template }}" + owner: root + group: "{{ __root_group }}" + mode: 0644 + notify: restart rabbitmq service + +- name: Ensure RabbitMQ is running + tags: rabbitmq + service: + name: "{{ sensu_rabbitmq_service_name }}" + state: started + enabled: true + register: sensu_rabbitmq_state + +- name: Wait for RabbitMQ to be up and running before asking to create a vhost + tags: rabbitmq + pause: + seconds: 3 + when: sensu_rabbitmq_state is changed + +- block: + - name: Ensure Sensu RabbitMQ vhost exists + rabbitmq_vhost: + name: "{{ sensu_rabbitmq_vhost }}" + state: present + + - name: Ensure Sensu RabbitMQ user has access to the Sensu vhost + rabbitmq_user: + user: "{{ sensu_rabbitmq_user_name }}" + password: "{{ sensu_rabbitmq_password }}" + vhost: "{{ sensu_rabbitmq_vhost }}" + configure_priv: .* + read_priv: .* + write_priv: .* + 
state: present + become: true + become_user: rabbitmq + tags: rabbitmq diff --git a/roles/sensu.sensu/tasks/redis.yml b/roles/sensu.sensu/tasks/redis.yml new file mode 100644 index 0000000..44554b0 --- /dev/null +++ b/roles/sensu.sensu/tasks/redis.yml @@ -0,0 +1,14 @@ +--- +# tasks/redis.yml: Deploy redis + +- name: Include ansible_distribution vars + include_tasks: "{{ role_path }}/tasks/{{ ansible_distribution }}/redis.yml" + tags: redis + +- name: Ensure redis is running + tags: redis + service: + name: "{{ sensu_redis_service_name }}" + pattern: /usr/bin/redis-server + state: started + enabled: true diff --git a/roles/sensu.sensu/tasks/server.yml b/roles/sensu.sensu/tasks/server.yml new file mode 100644 index 0000000..3466b7e --- /dev/null +++ b/roles/sensu.sensu/tasks/server.yml @@ -0,0 +1,44 @@ +--- +# tasks/server.yml: Deploy Sensu Server/API + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + tags: server + +- name: Deploy Sensu server API configuration + tags: server + template: + dest: "{{ sensu_config_path }}/conf.d/api.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + src: sensu-api.json.j2 + notify: restart sensu-api service + +- name: Deploy Tessen server configuratiuon + tags: server + template: + dest: "{{ sensu_config_path }}/conf.d/tessen.json" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + src: sensu-tessen.json.j2 + notify: restart sensu-server service + +- include_tasks: "{{ role_path }}/tasks/SmartOS/server.yml" + tags: server + when: ansible_distribution == "SmartOS" + +- name: Ensure Sensu server service is running + tags: server + service: + name: "{{ sensu_server_service_name if not se_enterprise else sensu_enterprise_service_name }}" + state: started + enabled: yes + +- name: Ensure Sensu API service is running + tags: server + service: + name: sensu-api + state: started + enabled: yes + when: not se_enterprise 
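Review bot: `Ensure RabbitMQ SSL certs/keys are in place` copies `key.pem`, the server private key, with no `owner`, `group` or `mode`, so it is created as root with the remote default umask, which is typically world-readable; the task should set `owner: rabbitmq` (the account the vhost block already runs as), `group: "{{ __root_group }}"` and a restrictive `mode: "0640"`, at least for the `key.pem` item. `Ensure Sensu RabbitMQ user has access to the Sensu vhost` passes `sensu_rabbitmq_password` without `no_log: true`, so the password shows up in verbose output and in the error dump on failure. The `pause: seconds: 3` after starting the service is a fixed sleep; a `wait_for` on the broker port would be more reliable, though the port is not visible in this hunk.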
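Review bot: The task name `Deploy Tessen server configuratiuon` in tasks/server.yml has a typo; `Deploy Tessen server configuration`. Both template tasks in this file set owner and group but no `mode:`, unlike the `mode: "0640"` used for the conf.d files in common.yml; if api.json carries API credentials (verify against sensu-api.json.j2) it should get the same `mode: "0640"`.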
diff --git a/roles/sensu.sensu/tasks/ssl.yml b/roles/sensu.sensu/tasks/ssl.yml new file mode 100644 index 0000000..51c82f1 --- /dev/null +++ b/roles/sensu.sensu/tasks/ssl.yml @@ -0,0 +1,31 @@ +--- +# tasks/ssl.yml: Deploy the client SSL cert/key to client systems + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + +- name: Ensure Sensu SSL directory exists + file: + dest: "{{ sensu_config_path }}/ssl" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: sensu_ssl_manage_certs + +- include_tasks: "{{ role_path }}/tasks/ssl_generate.yml" + when: sensu_ssl_gen_certs + +- name: Deploy the Sensu client SSL cert/key + copy: + src: "{{ item.src }}" + owner: "{{ sensu_user_name }}" + remote_src: "{{ sensu_ssl_deploy_remote_src }}" + group: "{{ sensu_group_name }}" + dest: "{{ sensu_config_path }}/ssl/{{ item.dest }}" + mode: " {{ item.perm }}" + loop: + - {src: "{{ sensu_ssl_client_cert }}", dest: cert.pem, perm: "0640" } + - {src: "{{ sensu_ssl_client_key }}", dest: key.pem, perm: "0640" } + notify: restart sensu-client service + when: sensu_ssl_manage_certs diff --git a/roles/sensu.sensu/tasks/ssl_generate.yml b/roles/sensu.sensu/tasks/ssl_generate.yml new file mode 100644 index 0000000..0a27bcd --- /dev/null +++ b/roles/sensu.sensu/tasks/ssl_generate.yml 
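Review bot: `mode: " {{ item.perm }}"` in `Deploy the Sensu client SSL cert/key` has a leading space inside the quotes, so the module receives `" 0640"` rather than `"0640"`; whether Ansible tolerates that is version-dependent, and the intent is clearly `mode: "{{ item.perm }}"`. Since both loop items use `perm: "0640"`, the indirection could also be dropped by writing `mode: "0640"` on the task. `Ensure Sensu SSL directory exists` sets owner and group but no mode for the ssl directory, so it gets the remote default umask; `mode: "0750"` would keep other local users out of the directory holding the client key.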
@@ -0,0 +1,129 @@ +--- +# tasks/ssl_generate.yml: Generate SSL data and stash to dynamic +# data store for deployment to clients + +- name: Include ansible_distribution vars + include_vars: + file: "{{ ansible_distribution }}.yml" + +- name: Ensure OpenSSL is installed + package: + name: openssl + state: present + +- name: Ensure SSL generation directory exists + file: + dest: "{{ sensu_config_path }}/{{ item }}" + state: directory + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: sensu_master + loop: + - ssl_generation + - ssl_generation/sensu_ssl_tool + - ssl_generation/sensu_ssl_tool/client + - ssl_generation/sensu_ssl_tool/server + - ssl_generation/sensu_ssl_tool/sensu_ca + - ssl_generation/sensu_ssl_tool/sensu_ca/private + - ssl_generation/sensu_ssl_tool/sensu_ca/certs + +- name: Ensure OpenSSL configuration is in place + template: + src: openssl.cnf.j2 + dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/openssl.cnf" + owner: "{{ sensu_user_name }}" + group: "{{ sensu_group_name }}" + when: sensu_master + +- block: + - name: Ensure the Sensu CA serial configuration + shell: 'echo 01 > sensu_ca/serial' + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/serial" + register: sensu_ca_new_serial + + - name: Ensure sensu_ca/index.txt exists + file: + dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/index.txt" + state: touch + when: sensu_ca_new_serial is changed + + # TODO: The following mirrors the commands used in sensu_ssl_tool/ssl_certs.sh + # from the 1.3 version of the script. Ideally, this moves into the native openssl_* modules. 
+ # See https://docs.sensu.io/sensu-core/1.3/reference/ssl/#reference-documentation for limitations and further instructions + - name: Generate Sensu CA certificate + command: openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1825 -out cacert.pem -outform PEM -subj /CN=SensuCA/ -nodes + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem" + + - name: Generate CA cert + command: openssl x509 -in cacert.pem -out cacert.cer -outform DER + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.cer" + + - name: Generate server keys + command: openssl genrsa -out key.pem 2048 + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/key.pem" + + - name: Generate server certificate signing request + command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=server/ -nodes + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/req.pem" + + - name: Sign the server certificate + command: openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/cert.pem" + + - name: Convert server certificate and key to PKCS12 formart + command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/keycert.p12" + + - name: Generate client key + 
command: openssl genrsa -out key.pem 2048 + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/key.pem" + + - name: Generate client certificate signing request + command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=client/ -nodes + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/req.pem" + + - name: Sign the client certificate + command: openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/cert.pem" + + - name: Convert client key/certificate to PKCS12 format + command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/keycert.p12" + + when: sensu_master|bool + become: true + become_user: "{{ sensu_user_name }}" + +- name: Stash the Sensu SSL certs/keys + fetch: + src: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/{{ item }}" + dest: "{{ dynamic_data_store }}" + when: sensu_master + loop: + - sensu_ca/cacert.pem + - server/cert.pem + - server/key.pem + - client/cert.pem + - client/key.pem diff --git a/roles/sensu.sensu/templates/client.json.j2 b/roles/sensu.sensu/templates/client.json.j2 new file mode 100644 index 0000000..ab57f1d --- /dev/null +++ b/roles/sensu.sensu/templates/client.json.j2 
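Review bot: The CA private key is written unencrypted (`-nodes`, to `private/cakey.pem` per the templated `openssl.cnf`) into directories that `Ensure SSL generation directory exists` creates without a `mode`, so its permissions depend on the remote umask; add `mode: "0700"` for `sensu_ca/private` (and `"0750"` for the rest) or run the `openssl` commands under a restrictive `umask`. Both PKCS12 conversions hard-code `-passout pass:secret`, which leaves the bundled server and client keys protected by a publicly known password; either drop the `.p12` outputs if nothing consumes them or make the password a role variable (`-passout pass:{{ sensu_ssl_p12_password }}` with `no_log: true`). `Stash the Sensu SSL certs/keys` also fetches `server/key.pem` and `client/key.pem` onto the controller under `dynamic_data_store`; that directory holds long-lived private keys and should be kept out of version control and permission-restricted.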
@@ -0,0 +1,15 @@ +{ + "client": { + "name": "{{ sensu_client_name }}", + "address": "{{ ansible_default_ipv4['address'] }}", + "subscriptions": {{ sensu_client_subscriptions | to_nice_json(indent=6) }}, + "keepalive": { + "handlers": {{ sensu_client_keepalive_handlers | to_nice_json(indent=8) }}, + "thresholds": { + "warning": {{ sensu_client_keepalive_threshold_warning }}, + "critical": {{ sensu_client_keepalive_threshold_critical }} + } + }, + "safe_mode": {{ sensu_client_safe_mode | bool | lower }} + } +} diff --git a/roles/sensu.sensu/templates/erlang-apt-preferences.j2 b/roles/sensu.sensu/templates/erlang-apt-preferences.j2 new file mode 100644 index 0000000..8e4a4c0 --- /dev/null +++ b/roles/sensu.sensu/templates/erlang-apt-preferences.j2 @@ -0,0 +1,4 @@ +{{ ansible_managed | comment }} +Package: {{ sensu_erlang_pin_package }} +Pin: version {{ sensu_erlang_pin_version }} +Pin-Priority: 1000 diff --git a/roles/sensu.sensu/templates/openssl.cnf.j2 b/roles/sensu.sensu/templates/openssl.cnf.j2 new file mode 100644 index 0000000..fc877d3 --- /dev/null +++ b/roles/sensu.sensu/templates/openssl.cnf.j2 
@@ -0,0 +1,56 @@ +{{ ansible_managed | comment }} +# Source: http://docs.sensu.io/sensu-core/1.3/files/sensu_ssl_tool.tar + +[ ca ] +default_ca = sensu_ca + +[ sensu_ca ] +dir = . +certificate = $dir/cacert.pem +database = $dir/index.txt +new_certs_dir = $dir/certs +private_key = $dir/private/cakey.pem +serial = $dir/serial + +default_crl_days = 7 +default_days = 1825 +default_md = sha1 + +policy = sensu_ca_policy +x509_extensions = certificate_extensions + +[ sensu_ca_policy ] +commonName = supplied +stateOrProvinceName = optional +countryName = optional +emailAddress = optional +organizationName = optional +organizationalUnitName = optional + +[ certificate_extensions ] +basicConstraints = CA:false + +[ req ] +default_bits = 2048 +default_keyfile = ./private/cakey.pem +default_md = sha1 +prompt = yes +distinguished_name = root_ca_distinguished_name +x509_extensions = root_ca_extensions + +[ root_ca_distinguished_name ] +commonName = sensu + +[ root_ca_extensions ] +basicConstraints = CA:true +keyUsage = keyCertSign, cRLSign + +[ client_ca_extensions ] +basicConstraints = CA:false +keyUsage = digitalSignature +extendedKeyUsage = 1.3.6.1.5.5.7.3.2 + +[ server_ca_extensions ] +basicConstraints = CA:false +keyUsage = keyEncipherment +extendedKeyUsage = 1.3.6.1.5.5.7.3.1 diff --git a/roles/sensu.sensu/templates/rabbitmq.config.j2 b/roles/sensu.sensu/templates/rabbitmq.config.j2 new file mode 100644 index 0000000..1388564 --- /dev/null +++ b/roles/sensu.sensu/templates/rabbitmq.config.j2 
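Review bot: `default_md = sha1` appears in both `[ sensu_ca ]` and `[ req ]`, so every certificate this role signs with `openssl ca` carries a SHA-1 signature, which current OpenSSL and Erlang TLS stacks increasingly reject; it is a one-word change to `default_md = sha256` in both places. Neither request adds a `subjectAltName`, and the server CSR in `ssl_generate.yml` uses the fixed subject `/CN=sensu/O=server/`, so any client that verifies the RabbitMQ hostname will fail — if hostname checking is wanted, add a `subjectAltName = DNS:...` entry under `[ server_ca_extensions ]` driven by a role variable. `[ certificate_extensions ]` is only reachable via `x509_extensions` in `[ sensu_ca ]` and is superseded by the `-extensions` flag on every signing command, so a comment saying it is a fallback would help the next reader.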
@@ -0,0 +1,16 @@ +[ + {rabbit, [ + {% if sensu_rabbitmq_enable_ssl %} + {ssl_listeners, [{{ sensu_rabbitmq_port }}]}, + {ssl_options, [{cacertfile,"{{ sensu_rabbitmq_config_path }}/ssl/cacert.pem"}, + {certfile,"{{ sensu_rabbitmq_config_path }}/ssl/cert.pem"}, + {keyfile,"{{ sensu_rabbitmq_config_path }}/ssl/key.pem"}, + {verify,verify_peer}, + {versions, ['tlsv1.2']}, + {ciphers, [{rsa,aes_256_cbc,sha256}]}, + {fail_if_no_peer_cert,true}]} + {% else %} + {tcp_listeners, [{{ sensu_rabbitmq_port }}]} + {% endif %} + ]} +]. diff --git a/roles/sensu.sensu/templates/sensu-api.json.j2 b/roles/sensu.sensu/templates/sensu-api.json.j2 new file mode 100644 index 0000000..dfcb373 --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-api.json.j2 @@ -0,0 +1,10 @@ +{ + "api": { + {% if sensu_api_user_name %} + "user": "{{ sensu_api_user_name }}", + "password": "{{ sensu_api_password }}", + {% endif %} + "host": "{{ sensu_api_host }}", + "port": {{ sensu_api_port }} + } +} diff --git a/roles/sensu.sensu/templates/sensu-api.smartos_smf_manifest.xml.j2 b/roles/sensu.sensu/templates/sensu-api.smartos_smf_manifest.xml.j2 new file mode 100644 index 0000000..b587f54 --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-api.smartos_smf_manifest.xml.j2 @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/sensu.sensu/templates/sensu-client.smartos_smf_manifest.xml.j2 b/roles/sensu.sensu/templates/sensu-client.smartos_smf_manifest.xml.j2 new file mode 100644 index 0000000..5a4e1b4 --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-client.smartos_smf_manifest.xml.j2 @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/sensu.sensu/templates/sensu-freebsd-repo.conf.j2 b/roles/sensu.sensu/templates/sensu-freebsd-repo.conf.j2 new file mode 100644 index 0000000..59c0acf --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-freebsd-repo.conf.j2 
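Review bot: `ssl_options` pins `{ciphers, [{rsa,aes_256_cbc,sha256}]}`, a single static-RSA suite with no forward secrecy, so a later compromise of `ssl/key.pem` exposes every recorded Sensu transport session; prefer an ECDHE suite, for example `{ecdhe_rsa,aes_256_gcm,null,sha384}` in Erlang's `{KeyExchange,Cipher,Mac,Prf}` form. Note that the server certificate generated by this role is issued with `keyUsage = keyEncipherment` only, so moving to ECDHE also needs `digitalSignature` added under `server_ca_extensions` in `openssl.cnf.j2`. `{verify,verify_peer}` together with `fail_if_no_peer_cert,true` is the right default and should stay.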
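Review bot: When `sensu_api_user_name` is empty the rendered `api.json` contains no `user`/`password` at all, so the API on `sensu_api_host:sensu_api_port` accepts unauthenticated requests; that may be intended for a loopback bind, but the role should say so in `defaults/main.yml`, and `uchiwa_config.json.j2` makes the same choice. An `assert` task that fails when `sensu_api_host` is a non-loopback address and `sensu_api_user_name` is empty would catch the dangerous combination early.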
@@ -0,0 +1,5 @@ +sensu: { + url: "{{ sensu_freebsd_url }}", + enabled: true, + mirror_type: "http" +} diff --git a/roles/sensu.sensu/templates/sensu-rabbitmq.json.j2 b/roles/sensu.sensu/templates/sensu-rabbitmq.json.j2 new file mode 100644 index 0000000..0063439 --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-rabbitmq.json.j2 @@ -0,0 +1,15 @@ +{ + "rabbitmq": { + {% if sensu_rabbitmq_enable_ssl %} + "ssl": { + "cert_chain_file": "{{ sensu_config_path }}/ssl/cert.pem", + "private_key_file": "{{ sensu_config_path }}/ssl/key.pem" + }, + {% endif %} + "host": "{{ sensu_rabbitmq_host }}", + "port": {{ sensu_rabbitmq_port }}, + "vhost": "{{ sensu_rabbitmq_vhost }}", + "user": "{{ sensu_rabbitmq_user_name }}", + "password": "{{ sensu_rabbitmq_password }}" + } +} diff --git a/roles/sensu.sensu/templates/sensu-redis.json.j2 b/roles/sensu.sensu/templates/sensu-redis.json.j2 new file mode 100644 index 0000000..6b98b89 --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-redis.json.j2 @@ -0,0 +1,14 @@ +{ + "redis": { +{% if sensu_redis_password %} + "password": "{{ sensu_redis_password }}", +{% endif %} +{% if sensu_redis_sentinels %} + "sentinels": {{ sensu_redis_sentinels | to_nice_json }}, + "master": "{{ sensu_redis_master_name }}" +{% else %} + "host": "{{ sensu_redis_host }}", + "port": {{ sensu_redis_port }} +{% endif %} + } +} diff --git a/roles/sensu.sensu/templates/sensu-server.smartos_smf_manifest.xml.j2 b/roles/sensu.sensu/templates/sensu-server.smartos_smf_manifest.xml.j2 new file mode 100644 index 0000000..238267d --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-server.smartos_smf_manifest.xml.j2 @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/sensu.sensu/templates/sensu-tessen.json.j2 b/roles/sensu.sensu/templates/sensu-tessen.json.j2 new file mode 100644 index 0000000..250c45a --- /dev/null +++ b/roles/sensu.sensu/templates/sensu-tessen.json.j2 
@@ -0,0 +1,5 @@ +{ + "tessen": { + "enabled": {{ sensu_enable_tessen | bool | lower }} + } +} diff --git a/roles/sensu.sensu/templates/sensu_enterprise_dashboard_config.json.j2 b/roles/sensu.sensu/templates/sensu_enterprise_dashboard_config.json.j2 new file mode 100644 index 0000000..928ba24 --- /dev/null +++ b/roles/sensu.sensu/templates/sensu_enterprise_dashboard_config.json.j2 @@ -0,0 +1,19 @@ +{ + "sensu": [ + { + "name": "{{ sensu_uchiwa_dc_name }}", + "host": "{{ sensu_api_host }}", + "ssl": {{ sensu_api_ssl }}, + "port": {{ sensu_uchiwa_api_port }}, + "user": "{{ sensu_api_user_name }}", + "pass": "{{ sensu_api_password }}", + "path": "{{ sensu_api_uchiwa_path }}", + "timeout": {{ sensu_api_timeout }} + } + ], + "dashboard": { + "users": {{ sensu_uchiwa_users | to_nice_json }}, + "port": {{ sensu_uchiwa_port }}, + "refresh": {{ sensu_uchiwa_refresh }} + } +} diff --git a/roles/sensu.sensu/templates/sensuclient_openbsd.j2 b/roles/sensu.sensu/templates/sensuclient_openbsd.j2 new file mode 100644 index 0000000..c4e988f --- /dev/null +++ b/roles/sensu.sensu/templates/sensuclient_openbsd.j2 @@ -0,0 +1,13 @@ +#!/bin/sh + +daemon="/usr/local/bin/sensu-client" + +daemon_flags="-b -c {{ sensu_config_path }}/conf.json -d {{ sensu_config_path }}/conf.d -e {{ sensu_config_path }}/extensions -p /var/run/sensu-client.pid -l /var/log/sensu/sensu-client.log -L info" + +. /etc/rc.d/rc.subr + +rc_reload="NO" + +pexp="/usr/local/bin/ruby23 /usr/local/bin/sensu-client.*" + +rc_cmd $1 diff --git a/roles/sensu.sensu/templates/transport.json.j2 b/roles/sensu.sensu/templates/transport.json.j2 new file mode 100644 index 0000000..b0bfff2 --- /dev/null +++ b/roles/sensu.sensu/templates/transport.json.j2 @@ -0,0 +1,6 @@ +{ + "transport": { + "name": "{{ sensu_transport }}", + "reconnect_on_error": true + } +} diff --git a/roles/sensu.sensu/templates/uchiwa.sh.j2 b/roles/sensu.sensu/templates/uchiwa.sh.j2 new file mode 100644 index 0000000..237eee0 --- /dev/null 
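Review bot: `"ssl": {{ sensu_api_ssl }}` in `sensu_enterprise_dashboard_config.json.j2` renders a YAML boolean as `True`/`False`, which is not valid JSON, if `sensu_api_ssl` is a boolean — the `| lower` in the sibling `uchiwa_config.json.j2` suggests it is — so this template should use `{{ sensu_api_ssl | lower }}` as well. It also emits `"user"`/`"pass"` unconditionally, producing `"user": ""` when `sensu_api_user_name` is empty, whereas the Uchiwa template omits the keys; wrapping them in the same `{% if sensu_api_user_name %}` guard keeps the two configs consistent. Both files hold `sensu_api_password` in clear text, so whichever task deploys them should set a restrictive `mode`.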
+++ b/roles/sensu.sensu/templates/uchiwa.sh.j2 @@ -0,0 +1,25 @@ +#!/bin/bash + +PATH=/opt/local/bin:/opt/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin +export PATH + +set -o errexit +set -o xtrace + +. /lib/svc/share/smf_include.sh + +HOME={{ sensu_uchiwa_path }} +UCHIWA_PATH=${HOME}/go/src/github.com/sensu/uchiwa +UCHIWA_USER={{ sensu_user_name }} + +if [ ! -d $HOME ]; then + echo "No directory found at: $HOME" +fi + +if [ ! -f $HOME/etc/config.json ]; then + echo "No Uchiwa config found at: ${HOME}/config.json" +fi + +cd $UCHIWA_PATH +${HOME}/go/bin/uchiwa -c ${HOME}/etc/config.json & +exit ${SMF_EXIT_OK} diff --git a/roles/sensu.sensu/templates/uchiwa.smartos_smf_manifest.xml.j2 b/roles/sensu.sensu/templates/uchiwa.smartos_smf_manifest.xml.j2 new file mode 100644 index 0000000..726c30d --- /dev/null +++ b/roles/sensu.sensu/templates/uchiwa.smartos_smf_manifest.xml.j2 @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/sensu.sensu/templates/uchiwa_config.json.j2 b/roles/sensu.sensu/templates/uchiwa_config.json.j2 new file mode 100644 index 0000000..d32c8f1 --- /dev/null +++ b/roles/sensu.sensu/templates/uchiwa_config.json.j2 @@ -0,0 +1,29 @@ +{ + "sensu": [ + { + "name": "{{ sensu_uchiwa_dc_name }}", + "host": "{{ sensu_api_host }}", + "ssl": {{ sensu_api_ssl | lower }}, + "port": {{ sensu_uchiwa_api_port }}, + {% if sensu_api_user_name %} + "user": "{{ sensu_api_user_name }}", + "pass": "{{ sensu_api_password }}", + {% endif %} + "path": "{{ sensu_api_uchiwa_path }}", + "timeout": {{ sensu_api_timeout }} + } + ], + "uchiwa": { + {% if sensu_uchiwa_users %} + "users": {{ sensu_uchiwa_users | to_nice_json }}, + {% endif %} + "port": {{ sensu_uchiwa_port }}, + {% if sensu_uchiwa_auth_privatekey %} + "auth": { + "privatekey": "{{ sensu_uchiwa_auth_privatekey }}", + "publickey": "{{ sensu_uchiwa_auth_publickey }}" + }, + {% endif %} + "refresh": {{ sensu_uchiwa_refresh }} + } +} 
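Review bot: The two existence checks in `uchiwa.sh.j2` only `echo` and fall through — `set -o errexit` does not trip on a successful `echo` — so a missing `$HOME` or `etc/config.json` still reaches `cd $UCHIWA_PATH` and launches uchiwa; each check should end with `exit $SMF_EXIT_ERR_CONFIG`. The second message names `${HOME}/config.json` while the test looks at `$HOME/etc/config.json`. `UCHIWA_USER` is assigned but never used, which suggests a privilege drop was intended; as written uchiwa runs as whatever user SMF invokes the method under, which is root unless the manifest (not shown here) sets a `method_credential`.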
diff --git a/roles/sensu.sensu/templates/uchiwa_freebsd.j2 b/roles/sensu.sensu/templates/uchiwa_freebsd.j2 new file mode 100644 index 0000000..6f5f314 --- /dev/null +++ b/roles/sensu.sensu/templates/uchiwa_freebsd.j2 @@ -0,0 +1,27 @@ +#!/bin/sh + +. /etc/rc.subr + +name=uchiwa +rcvar=uchiwa_enable + +command="{{ sensu_uchiwa_path }}/go/bin/${name}" +uchiwa_flags="-d {{ sensu_uchiwa_path }} -c {{ sensu_uchiwa_path }}/etc/config.json -p {{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa/public" + +load_rc_config $name + +pidfile=/var/run/${name}.pid +start_cmd=uchiwa_start +stop_postcmd=uchiwa_cleanup + +uchiwa_start() { + echo "Starting uchiwa." + /usr/bin/touch ${pidfile} + /usr/sbin/daemon -cf -p ${pidfile} ${command} ${uchiwa_flags} +} + +uchiwa_cleanup() { + [ -f ${pidfile} ] && /bin/rm ${pidfile} +} + +run_rc_command "$1" diff --git a/roles/sensu.sensu/vars/Amazon.yml b/roles/sensu.sensu/vars/Amazon.yml new file mode 100644 index 0000000..65e0a3f --- /dev/null +++ b/roles/sensu.sensu/vars/Amazon.yml 
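Review bot: `uchiwa_start` runs `/usr/sbin/daemon -cf -p ${pidfile} ${command} ${uchiwa_flags}` without `-u`, so on FreeBSD uchiwa runs as root; `daemon(8)` accepts `-u {{ sensu_user_name }}`, and the unused `UCHIWA_USER` in the SmartOS script suggests that was the intent. The script also never defaults `uchiwa_enable`; add `: ${uchiwa_enable:="NO"}` after `load_rc_config $name` per the rc.subr convention so the service is opt-in.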
@@ -0,0 +1,20 @@ +--- +# vars/Amazon.yml: Variables for Amazon Linux AMI +# Defaults are defined in defaults/main.yml + +# Define repo url without $releasever +# Define epel version to 6 by default, change to 7 when using a version 2 AMI +epel_version: 6 +sensu_yum_repo_url: "https://sensu.global.ssl.fastly.net/yum/{{epel_version}}/$basearch/" + +# Set this to false to disable the EPEL repo installation +enable_epel_repo: true +epel_repo_rpm: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{epel_version}}.noarch.rpm" + +# RabbitMQ/Erlang +sensu_rabbitmq_repo_version: v3.7.x +sensu_rabbitmq_erlang_repo_version: 20 +sensu_rabbitmq_signing_key: https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc +sensu_rabbitmq_baseurl: "https://dl.bintray.com/rabbitmq/rpm/rabbitmq-server/{{ sensu_rabbitmq_repo_version }}/el/{{ epel_version }}" +sensu_rabbitmq_erlang_signing_key: "{{ sensu_rabbitmq_signing_key }}" +sensu_rabbitmq_erlang_baseurl: "https://dl.bintray.com/rabbitmq/rpm/erlang/{{ sensu_rabbitmq_erlang_repo_version }}/el/{{ epel_version }}" diff --git a/roles/sensu.sensu/vars/CentOS.yml b/roles/sensu.sensu/vars/CentOS.yml new file mode 100644 index 0000000..15752c1 --- /dev/null +++ b/roles/sensu.sensu/vars/CentOS.yml 
@@ -0,0 +1,13 @@ +--- +# vars/CentOS.yml: Variables for CentOS +# Defaults are defined in defaults/main.yml + +# Set this to false to disable the EPEL repo installation +enable_epel_repo: true + +sensu_rabbitmq_repo_version: v3.7.x +sensu_rabbitmq_erlang_repo_version: 20 +sensu_rabbitmq_signing_key: https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc +sensu_rabbitmq_baseurl: "https://dl.bintray.com/rabbitmq/rpm/rabbitmq-server/{{ sensu_rabbitmq_repo_version }}/el/{{ ansible_distribution_major_version }}" +sensu_rabbitmq_erlang_signing_key: "{{ sensu_rabbitmq_signing_key }}" +sensu_rabbitmq_erlang_baseurl: "https://dl.bintray.com/rabbitmq/rpm/erlang/{{ sensu_rabbitmq_erlang_repo_version }}/el/{{ ansible_distribution_major_version }}" diff --git a/roles/sensu.sensu/vars/Debian.yml b/roles/sensu.sensu/vars/Debian.yml new file mode 100644 index 0000000..e6cc3a5 --- /dev/null +++ b/roles/sensu.sensu/vars/Debian.yml @@ -0,0 +1,14 @@ +--- +# vars/Debian.yml: Variables for Debian +# Defaults are defined in defaults/main.yml + +# redis server properties +sensu_redis_pkg_name: redis-server +sensu_redis_service_name: redis-server + +sensu_erlang_pin_package: 'esl-erlang erlang*' +sensu_erlang_pin_version: '1:20.3*' +sensu_rabbitmq_signing_key: https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc +sensu_rabbitmq_repo: "deb https://dl.bintray.com/rabbitmq/debian {{ ansible_distribution_release }} main" +sensu_rabbitmq_erlang_signing_key: https://packages.erlang-solutions.com/debian/erlang_solutions.asc +sensu_rabbitmq_erlang_repo: "deb https://packages.erlang-solutions.com/debian {{ ansible_distribution_release }} contrib" diff --git a/roles/sensu.sensu/vars/Fedora.yml b/roles/sensu.sensu/vars/Fedora.yml new file mode 100644 index 0000000..53c1d5b --- /dev/null +++ b/roles/sensu.sensu/vars/Fedora.yml 
@@ -0,0 +1,12 @@ +--- +# vars/Fedora.yml: Variables for Fedora +# Defaults are defined in defaults/main.yml + +# RH/Centos 7 version works for Fedora 25 as a client +sensu_yum_repo_url: "https://sensu.global.ssl.fastly.net/yum/7/$basearch/" +sensu_rabbitmq_repo_version: v3.7.x +sensu_rabbitmq_erlang_repo_version: 20 +sensu_rabbitmq_signing_key: https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc +sensu_rabbitmq_baseurl: "https://dl.bintray.com/rabbitmq/rpm/rabbitmq-server/{{ sensu_rabbitmq_repo_version }}/el/7" +sensu_rabbitmq_erlang_signing_key: "{{ sensu_rabbitmq_signing_key }}" +sensu_rabbitmq_erlang_baseurl: "https://dl.bintray.com/rabbitmq/rpm/erlang/{{ sensu_rabbitmq_erlang_repo_version }}/el/7" diff --git a/roles/sensu.sensu/vars/FreeBSD.yml b/roles/sensu.sensu/vars/FreeBSD.yml new file mode 100644 index 0000000..1db3285 --- /dev/null +++ b/roles/sensu.sensu/vars/FreeBSD.yml @@ -0,0 +1,14 @@ +--- +# vars/FreeBSD.yml: Variables for FreeBSD +# Defaults are defined in defaults/main.yml + +# Sensu config/package properties +sensu_config_path: /usr/local/etc/sensu + +# RabbitMQ options +sensu_rabbitmq_config_path: /usr/local/etc/rabbitmq +sensu_rabbitmq_service_name: rabbitmq + +# Internal settings +__bash_path: /usr/local/bin/bash +__root_group: wheel diff --git a/roles/sensu.sensu/vars/OpenBSD.yml b/roles/sensu.sensu/vars/OpenBSD.yml new file mode 100644 index 0000000..64f445e --- /dev/null +++ b/roles/sensu.sensu/vars/OpenBSD.yml @@ -0,0 +1,16 @@ +--- +# vars/FreeBSD.yml: Variables for FreeBSD +# Defaults are defined in vars/default.yml + +# Sensu config/package properties +sensu_config_path: /etc/sensu +sensu_gem_version: 0.29.0 +sensu_client_service_name: sensuclient + +# RabbitMQ options +sensu_rabbitmq_config_path: /etc/rabbitmq +sensu_rabbitmq_service_name: rabbitmq + +# Internal settings +__bash_path: /usr/local/bin/bash +__root_group: wheel 
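Review bot: The header of `vars/OpenBSD.yml` reads `# vars/FreeBSD.yml: Variables for FreeBSD` and `# Defaults are defined in vars/default.yml`, both copied from the FreeBSD file; every other vars file points at `defaults/main.yml`, so this should read `# vars/OpenBSD.yml: Variables for OpenBSD` and `# Defaults are defined in defaults/main.yml`. `sensu_gem_version: 0.29.0` is unquoted and only parses as a string because it has two dots; quoting it as `'0.29.0'` makes that explicit.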
diff --git a/roles/sensu.sensu/vars/OracleLinux.yml b/roles/sensu.sensu/vars/OracleLinux.yml new file mode 120000 index 0000000..2b721e2 --- /dev/null +++ b/roles/sensu.sensu/vars/OracleLinux.yml @@ -0,0 +1 @@ +CentOS.yml \ No newline at end of file diff --git a/roles/sensu.sensu/vars/RedHat.yml b/roles/sensu.sensu/vars/RedHat.yml new file mode 120000 index 0000000..2b721e2 --- /dev/null +++ b/roles/sensu.sensu/vars/RedHat.yml @@ -0,0 +1 @@ +CentOS.yml \ No newline at end of file diff --git a/roles/sensu.sensu/vars/SmartOS.yml b/roles/sensu.sensu/vars/SmartOS.yml new file mode 100644 index 0000000..a2bf5fc --- /dev/null +++ b/roles/sensu.sensu/vars/SmartOS.yml @@ -0,0 +1,10 @@ +--- +# vars/SmartOS.yml: Variables for Joyent SmartOS +# Defaults are defined in defaults/main.yml + +# RabbitMQ server properties +sensu_rabbitmq_service_name: rabbitmq +sensu_rabbitmq_config_path: /opt/local/etc/rabbitmq + +# Sensu/Uchiwa user/group/service properties +sensu_config_path: /opt/local/etc/sensu diff --git a/roles/sensu.sensu/vars/Ubuntu.yml b/roles/sensu.sensu/vars/Ubuntu.yml new file mode 100644 index 0000000..48d404e --- /dev/null +++ b/roles/sensu.sensu/vars/Ubuntu.yml @@ -0,0 +1,15 @@ +--- +# vars/Ubuntu.yml: Variables for Ubuntu +# Defaults are defined in defaults/main.yml + +# redis server properties +sensu_redis_pkg_name: redis-server +sensu_redis_service_name: redis-server + + +sensu_erlang_pin_package: 'esl-erlang erlang*' +sensu_erlang_pin_version: '1:20.3*' +sensu_rabbitmq_signing_key: https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc +sensu_rabbitmq_repo: "deb https://dl.bintray.com/rabbitmq/debian {{ ansible_distribution_release }} main" +sensu_rabbitmq_erlang_signing_key: https://packages.erlang-solutions.com/debian/erlang_solutions.asc +sensu_rabbitmq_erlang_repo: "deb https://packages.erlang-solutions.com/ubuntu {{ ansible_distribution_release }} contrib" From 642da849d6ed969791e7e9107462f1718f19203f Mon Sep 17 00:00:00 2001 
From: James Tombleson Date: Mon, 29 Apr 2019 16:08:04 -0700 Subject: [PATCH 11/19] Added Roles Jenkins Java Adding Elastic support for clusters --- .../default/virtualbox/action_set_name | 1 + .../machines/default/virtualbox/creator_uid | 1 + .vagrant/machines/default/virtualbox/id | 1 + .../machines/default/virtualbox/index_uuid | 1 + .../machines/default/virtualbox/vagrant_cwd | 1 + .vagrant/rgloader/loader.rb | 9 ++ playbook/linux/elastic/role-test.yml | 20 ++- playbook/linux/install-jenkins.yml | 19 +++ roles/elasticsearch/defaults/main.yml | 10 ++ .../elasticsearch/templates/elasticsearch.j2 | 8 +- roles/elasticsearch/vars/main.yml | 3 + roles/geerlingguy.java/.gitignore | 3 + roles/geerlingguy.java/.travis.yml | 32 +++++ roles/geerlingguy.java/LICENSE | 20 +++ roles/geerlingguy.java/README.md | 67 +++++++++ roles/geerlingguy.java/defaults/main.yml | 6 + .../meta/.galaxy_install_info | 2 + roles/geerlingguy.java/meta/main.yml | 39 +++++ .../molecule/default/molecule.yml | 29 ++++ .../molecule/default/playbook.yml | 13 ++ .../molecule/default/tests/test_default.py | 14 ++ .../molecule/default/yaml-lint.yml | 6 + roles/geerlingguy.java/tasks/main.yml | 41 ++++++ roles/geerlingguy.java/tasks/setup-Debian.yml | 16 +++ .../geerlingguy.java/tasks/setup-FreeBSD.yml | 11 ++ roles/geerlingguy.java/tasks/setup-RedHat.yml | 5 + .../templates/java_home.sh.j2 | 1 + roles/geerlingguy.java/vars/Debian-8.yml | 7 + roles/geerlingguy.java/vars/Debian-9.yml | 6 + roles/geerlingguy.java/vars/Fedora.yml | 6 + roles/geerlingguy.java/vars/FreeBSD.yml | 7 + roles/geerlingguy.java/vars/RedHat-6.yml | 7 + roles/geerlingguy.java/vars/RedHat-7.yml | 8 ++ roles/geerlingguy.java/vars/Ubuntu-12.yml | 7 + roles/geerlingguy.java/vars/Ubuntu-14.yml | 7 + roles/geerlingguy.java/vars/Ubuntu-16.yml | 7 + roles/geerlingguy.java/vars/Ubuntu-18.yml | 6 + roles/geerlingguy.jenkins/.ansible-lint | 2 + roles/geerlingguy.jenkins/.gitignore | 3 + roles/geerlingguy.jenkins/.travis.yml | 43 ++++++ 
roles/geerlingguy.jenkins/LICENSE | 20 +++ roles/geerlingguy.jenkins/README.md | 135 ++++++++++++++++++ roles/geerlingguy.jenkins/defaults/main.yml | 37 +++++ roles/geerlingguy.jenkins/handlers/main.yml | 12 ++ .../meta/.galaxy_install_info | 2 + roles/geerlingguy.jenkins/meta/main.yml | 29 ++++ .../molecule/default/java-8.yml | 51 +++++++ .../molecule/default/molecule.yml | 29 ++++ .../molecule/default/playbook-http-port.yml | 24 ++++ .../default/playbook-jenkins-version.yml | 27 ++++ .../default/playbook-plugins-with-home.yml | 52 +++++++ .../molecule/default/playbook-prefix.yml | 24 ++++ .../molecule/default/playbook.yml | 16 +++ .../molecule/default/requirements.yml | 2 + .../molecule/default/yaml-lint.yml | 6 + roles/geerlingguy.jenkins/tasks/main.yml | 66 +++++++++ roles/geerlingguy.jenkins/tasks/plugins.yml | 61 ++++++++ roles/geerlingguy.jenkins/tasks/settings.yml | 69 +++++++++ .../tasks/setup-Debian.yml | 45 ++++++ .../tasks/setup-RedHat.yml | 45 ++++++ .../templates/basic-security.groovy.j2 | 28 ++++ roles/geerlingguy.jenkins/vars/Debian.yml | 7 + roles/geerlingguy.jenkins/vars/RedHat.yml | 7 + roles/kibana/defaults/main.yml | 4 +- roles/kibana/tasks/main.yml | 7 +- roles/kibana/tasks/ubuntu.yml | 4 +- roles/kibana/templates/kibana.j2 | 8 +- 67 files changed, 1293 insertions(+), 19 deletions(-) create mode 100644 .vagrant/machines/default/virtualbox/action_set_name create mode 100644 .vagrant/machines/default/virtualbox/creator_uid create mode 100644 .vagrant/machines/default/virtualbox/id create mode 100644 .vagrant/machines/default/virtualbox/index_uuid create mode 100644 .vagrant/machines/default/virtualbox/vagrant_cwd create mode 100644 .vagrant/rgloader/loader.rb create mode 100644 playbook/linux/install-jenkins.yml create mode 100644 roles/geerlingguy.java/.gitignore create mode 100644 roles/geerlingguy.java/.travis.yml create mode 100644 roles/geerlingguy.java/LICENSE create mode 100644 roles/geerlingguy.java/README.md create mode 100644 
roles/geerlingguy.java/defaults/main.yml create mode 100644 roles/geerlingguy.java/meta/.galaxy_install_info create mode 100644 roles/geerlingguy.java/meta/main.yml create mode 100644 roles/geerlingguy.java/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.java/molecule/default/playbook.yml create mode 100644 roles/geerlingguy.java/molecule/default/tests/test_default.py create mode 100644 roles/geerlingguy.java/molecule/default/yaml-lint.yml create mode 100644 roles/geerlingguy.java/tasks/main.yml create mode 100644 roles/geerlingguy.java/tasks/setup-Debian.yml create mode 100644 roles/geerlingguy.java/tasks/setup-FreeBSD.yml create mode 100644 roles/geerlingguy.java/tasks/setup-RedHat.yml create mode 100644 roles/geerlingguy.java/templates/java_home.sh.j2 create mode 100644 roles/geerlingguy.java/vars/Debian-8.yml create mode 100644 roles/geerlingguy.java/vars/Debian-9.yml create mode 100644 roles/geerlingguy.java/vars/Fedora.yml create mode 100644 roles/geerlingguy.java/vars/FreeBSD.yml create mode 100644 roles/geerlingguy.java/vars/RedHat-6.yml create mode 100644 roles/geerlingguy.java/vars/RedHat-7.yml create mode 100644 roles/geerlingguy.java/vars/Ubuntu-12.yml create mode 100644 roles/geerlingguy.java/vars/Ubuntu-14.yml create mode 100644 roles/geerlingguy.java/vars/Ubuntu-16.yml create mode 100644 roles/geerlingguy.java/vars/Ubuntu-18.yml create mode 100644 roles/geerlingguy.jenkins/.ansible-lint create mode 100644 roles/geerlingguy.jenkins/.gitignore create mode 100644 roles/geerlingguy.jenkins/.travis.yml create mode 100644 roles/geerlingguy.jenkins/LICENSE create mode 100644 roles/geerlingguy.jenkins/README.md create mode 100644 roles/geerlingguy.jenkins/defaults/main.yml create mode 100644 roles/geerlingguy.jenkins/handlers/main.yml create mode 100644 roles/geerlingguy.jenkins/meta/.galaxy_install_info create mode 100644 roles/geerlingguy.jenkins/meta/main.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/java-8.yml 
create mode 100644 roles/geerlingguy.jenkins/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/playbook-http-port.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/playbook-jenkins-version.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/playbook-plugins-with-home.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/playbook-prefix.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/playbook.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/requirements.yml create mode 100644 roles/geerlingguy.jenkins/molecule/default/yaml-lint.yml create mode 100644 roles/geerlingguy.jenkins/tasks/main.yml create mode 100644 roles/geerlingguy.jenkins/tasks/plugins.yml create mode 100644 roles/geerlingguy.jenkins/tasks/settings.yml create mode 100644 roles/geerlingguy.jenkins/tasks/setup-Debian.yml create mode 100644 roles/geerlingguy.jenkins/tasks/setup-RedHat.yml create mode 100644 roles/geerlingguy.jenkins/templates/basic-security.groovy.j2 create mode 100644 roles/geerlingguy.jenkins/vars/Debian.yml create mode 100644 roles/geerlingguy.jenkins/vars/RedHat.yml diff --git a/.vagrant/machines/default/virtualbox/action_set_name b/.vagrant/machines/default/virtualbox/action_set_name new file mode 100644 index 0000000..b0f69f9 --- /dev/null +++ b/.vagrant/machines/default/virtualbox/action_set_name @@ -0,0 +1 @@ +1556550033 \ No newline at end of file diff --git a/.vagrant/machines/default/virtualbox/creator_uid b/.vagrant/machines/default/virtualbox/creator_uid new file mode 100644 index 0000000..7cebf7d --- /dev/null +++ b/.vagrant/machines/default/virtualbox/creator_uid @@ -0,0 +1 @@ +1001 \ No newline at end of file diff --git a/.vagrant/machines/default/virtualbox/id b/.vagrant/machines/default/virtualbox/id new file mode 100644 index 0000000..22b3ed4 --- /dev/null +++ b/.vagrant/machines/default/virtualbox/id 
@@ -0,0 +1 @@ +96b95408-ffc7-44c3-919f-402645785ccd \ No newline at end of file diff --git a/.vagrant/machines/default/virtualbox/index_uuid b/.vagrant/machines/default/virtualbox/index_uuid new file mode 100644 index 0000000..eab0594 --- /dev/null +++ b/.vagrant/machines/default/virtualbox/index_uuid @@ -0,0 +1 @@ +3d922cc5783b466ab28a7ae61cc46639 \ No newline at end of file diff --git a/.vagrant/machines/default/virtualbox/vagrant_cwd b/.vagrant/machines/default/virtualbox/vagrant_cwd new file mode 100644 index 0000000..cf368e8 --- /dev/null +++ b/.vagrant/machines/default/virtualbox/vagrant_cwd @@ -0,0 +1 @@ +/home/jamestombleson/Documents/github/ansible \ No newline at end of file diff --git a/.vagrant/rgloader/loader.rb b/.vagrant/rgloader/loader.rb new file mode 100644 index 0000000..c3c05b0 --- /dev/null +++ b/.vagrant/rgloader/loader.rb @@ -0,0 +1,9 @@ +# This file loads the proper rgloader/loader.rb file that comes packaged +# with Vagrant so that encoded files can properly run with Vagrant. + +if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"] + require File.expand_path( + "rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]) +else + raise "Encoded files can't be read outside of the Vagrant installer." +end diff --git a/playbook/linux/elastic/role-test.yml b/playbook/linux/elastic/role-test.yml index 25bcafc..32b0952 100644 --- a/playbook/linux/elastic/role-test.yml +++ b/playbook/linux/elastic/role-test.yml @@ -3,7 +3,13 @@ hosts: elastic tasks: - - name: test role + - name: install/Update Java + become: true + import_role: + name: geerlingguy.java + + - name: install elasticsearch + become: true import_role: name: elasticsearch vars: 
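Review bot: The `.vagrant/machines/default/virtualbox/*` state files and `.vagrant/rgloader/loader.rb` are Vagrant's per-checkout runtime state, not source; committing them publishes the author's home directory (`vagrant_cwd`), a local `creator_uid` and the VirtualBox machine id, and they will change on every `vagrant up`. Add `.vagrant/` to `.gitignore` and remove these paths from the index (`git rm -r --cached .vagrant`).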
@@ -12,15 +18,17 @@
 ufw_transport_port: true
 systemd_enabled: true
 systemd_restart: true
+ node_name: "{{ ansible_hostname }}"
+ discovery_seed_hosts: "'127.0.0.1', '172.20.0.142', '192.168.0.173'"
+ cluster_initial_master_nodes: " '172.20.0.142', '192.168.0.173' "
 - name: install kibana
+ become: true
 import_role:
 name: kibana
 vars:
 server_port: 5601
- server_host: ansible_default_ipv4.address
- server_name: ansible_hostname
- elasticsearch_hosts:
- #- http://192.168.0.173:9200
- - http://192.168.0.60:9200
+ server_host: "{{ ansible_default_ipv4.address }}"
+ server_name: "{{ ansible_hostname }}"
+ elasticsearch_hosts: " 'http://localhost:9200', 'http://dm-nagios.local:9200', 'http://172.20.0.142:9200' "
diff --git a/playbook/linux/install-jenkins.yml b/playbook/linux/install-jenkins.yml
new file mode 100644
index 0000000..ca7d174
--- /dev/null
+++ b/playbook/linux/install-jenkins.yml
@@ -0,0 +1,19 @@
+
+---
+
+- name: install Jenkins
+ hosts: jenkins
+
+ tasks:
+ - name: Install Java
+ become: true
+ included_role:
+ name: geerlingguy.java
+ vars:
+
+ # https://galaxy.ansible.com/geerlingguy/jenkins
+ - name: Install Jenkins
+ become: true
+ included_role:
+ name: geerlingguy.jenkins
+
diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
index a2a291c..4b59327 100644
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml
@@ -28,6 +28,16 @@ transport_host: 'localhost'
 # A bind port range. Defaults to 9300-9400.
 transport_port: 9300
+#
+# Discovery
+#
+
+# Format data like so " '172.0.0.1', '192.168.0.0' "
+discovery_seed_host: "127.0.0.1"
+
+#cluster_initial_master_nodes: ["node-1", "node-2"]
+cluster_initial_master_nodes: "'node-1', 'node-2'"
+
 #
 # Firewall configuration
 #
diff --git a/roles/elasticsearch/templates/elasticsearch.j2 b/roles/elasticsearch/templates/elasticsearch.j2
index 5dc9754..83e5523 100755
--- a/roles/elasticsearch/templates/elasticsearch.j2
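Review bot: `discovery_seed_hosts`, `cluster_initial_master_nodes` and Kibana's `elasticsearch_hosts` are passed as pre-quoted, comma-separated strings that the templates later splice into `[ ... ]` (see the roles/elasticsearch/templates/elasticsearch.j2 and roles/elasticsearch/vars/main.yml hunks below); a missing quote or stray comma yields an unparseable elasticsearch.yml that only shows up when the service refuses to start, and nothing in Ansible validates the value. Pass real YAML lists and render them with a filter in the template, e.g. `discovery_seed_hosts: ['127.0.0.1', '172.20.0.142', '192.168.0.173']` here and `discovery.seed_hosts: {{ discovery_seed_hosts | to_json }}` in the template. Also, `node_name` is now `{{ ansible_hostname }}` while `cluster_initial_master_nodes` lists IP addresses; whether Elasticsearch accepts addresses rather than node names there depends on the version you run, so confirm the bootstrap actually succeeds on a fresh cluster. The kibana task's body continues past this hunk.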
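Review bot: `included_role` is not an Ansible action or keyword, so both tasks in install-jenkins.yml fail at parse time; use `include_role:` (or `import_role:`, which role-test.yml in this same commit uses). The empty `vars:` under the Java task parses as null and should be removed. Separately, this playbook takes the jenkins role's defaults as they are, and the roles/geerlingguy.jenkins/defaults/main.yml added later in this diff ships `jenkins_admin_username: admin` and `jenkins_admin_password: admin`, so the instance would come up with well-known credentials; set `jenkins_admin_password` from an Ansible Vault variable in the `vars:` of the Install Jenkins task.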
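Review bot: The new default is named `discovery_seed_host` (singular) while the template, roles/elasticsearch/vars/main.yml and role-test.yml all use `discovery_seed_hosts`, so this default is never read; rename it to `discovery_seed_hosts`. Even once renamed it has no effect while vars/main.yml (later in this diff) also defines `discovery_seed_hosts`, because role `vars/` take precedence over `defaults/` and over inventory and play vars, leaving role parameters as the only override path; keep the discovery settings in defaults only. The shipped default `cluster_initial_master_nodes: "'node-1', 'node-2'"` names nodes that will not exist in a real deployment, and a fresh cluster bootstrapped with it is likely to sit waiting for those names; a safer default is an empty list, e.g. `cluster_initial_master_nodes: []`, with a comment that it must be set when forming a new cluster.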
+++ b/roles/elasticsearch/templates/elasticsearch.j2 @@ -23,8 +23,8 @@ cluster.name: {{ cluster_name }} # #node.name: node-1 node.name: {{ node_name }} -node.master: {{ node_master }} -node.data: {{ node_data }} +#node.master: {{ node_master }} +#node.data: {{ node_data }} # # Add custom attributes to the node: # @@ -61,7 +61,7 @@ network.host: {{ ansible_default_ipv4.address }} # Set a custom port for HTTP: # http.port: {{ http_port }} -transport.host: {{ transport_host }} +#transport.host: {{ transport_host }} transport.tcp.port: {{ transport_port }} # # For more information, consult the network module documentation.# @@ -72,10 +72,12 @@ transport.tcp.port: {{ transport_port }} # The default list of hosts is ["127.0.0.1", "[::1]"] # #discovery.seed_hosts: ["host1", "host2"] +{{ discovery_seed_hosts_def }} # # Bootstrap the cluster using an initial set of master-eligible nodes: # #cluster.initial_master_nodes: ["node-1", "node-2"] +cluster.initial_master_nodes: [ {{ cluster_initial_master_nodes }} ] # # For more information, consult the discovery and cluster formation module documentation. # diff --git a/roles/elasticsearch/vars/main.yml b/roles/elasticsearch/vars/main.yml index 7d1daf9..c0056f6 100644 --- a/roles/elasticsearch/vars/main.yml +++ b/roles/elasticsearch/vars/main.yml @@ -22,3 +22,6 @@ transport_host: localhost transport_tcp_port: 9300 +discovery_seed_hosts: 172.0.0.1 + +discovery_seed_hosts_def: "discovery.seed_hosts: [ {{ discovery_seed_hosts }} ]" diff --git a/roles/geerlingguy.java/.gitignore b/roles/geerlingguy.java/.gitignore new file mode 100644 index 0000000..f56f5b5 --- /dev/null +++ b/roles/geerlingguy.java/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/roles/geerlingguy.java/.travis.yml b/roles/geerlingguy.java/.travis.yml new file mode 100644 index 0000000..4fb19f9 --- /dev/null +++ b/roles/geerlingguy.java/.travis.yml 
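Review bot: `{{ discovery_seed_hosts_def }}` injects an entire config line from a variable that is itself a template string (`"discovery.seed_hosts: [ {{ discovery_seed_hosts }} ]"` in vars/main.yml), which hides the rendered key from anyone reading the template and relies on callers pre-quoting every element; `cluster.initial_master_nodes: [ {{ cluster_initial_master_nodes }} ]` has the same problem. Write the keys in the template and render lists: `discovery.seed_hosts: {{ discovery_seed_hosts | to_json }}` and `cluster.initial_master_nodes: {{ cluster_initial_master_nodes | to_json }}`, with both variables defined as YAML lists. Commenting out `transport.host` also means the transport port now inherits `network.host` (the interface address, per the context line in the second hunk) instead of localhost, which takes Elasticsearch out of single-node development mode and enables the production bootstrap checks, and exposes 9300 on the network; make sure the role's `ufw_transport_port` rules admit only the peer nodes.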
@@ -0,0 +1,32 @@ +--- +language: python +services: docker + +env: + global: + - ROLE_NAME: java + matrix: + - MOLECULE_DISTRO: centos7 + - MOLECULE_DISTRO: centos6 + - MOLECULE_DISTRO: fedora27 + - MOLECULE_DISTRO: ubuntu1804 + - MOLECULE_DISTRO: ubuntu1604 + - MOLECULE_DISTRO: debian9 + - MOLECULE_DISTRO: debian8 + +install: + # Install test dependencies. + - pip install molecule docker + +before_script: + # Use actual Ansible Galaxy role name for the project directory. + - cd ../ + - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME + - cd geerlingguy.$ROLE_NAME + +script: + # Run tests. + - molecule test + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/roles/geerlingguy.java/LICENSE b/roles/geerlingguy.java/LICENSE new file mode 100644 index 0000000..4275cf3 --- /dev/null +++ b/roles/geerlingguy.java/LICENSE @@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
diff --git a/roles/geerlingguy.java/README.md b/roles/geerlingguy.java/README.md new file mode 100644 index 0000000..7bc991f --- /dev/null +++ b/roles/geerlingguy.java/README.md @@ -0,0 +1,67 @@ +# Ansible Role: Java + +[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-java.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-java) + +Installs Java for RedHat/CentOS and Debian/Ubuntu linux servers. + +## Requirements + +None. + +## Role Variables + +Available variables are listed below, along with default values: + + # The defaults provided by this role are specific to each distribution. + java_packages: + - java-1.7.0-openjdk + +Set the version/development kit of Java to install, along with any other necessary Java packages. Some other options include are included in the distribution-specific files in this role's 'defaults' folder. + + java_home: "" + +If set, the role will set the global environment variable `JAVA_HOME` to this value. + +## Dependencies + +None. + +## Example Playbook (using default package, usually OpenJDK 7) + + - hosts: servers + roles: + - role: geerlingguy.java + become: yes + +## Example Playbook (install OpenJDK 8) + +For RHEL / CentOS: + + - hosts: server + roles: + - role: geerlingguy.java + when: "ansible_os_family == 'RedHat'" + java_packages: + - java-1.8.0-openjdk + +For Ubuntu < 16.04: + + - hosts: server + tasks: + - name: installing repo for Java 8 in Ubuntu + apt_repository: repo='ppa:openjdk-r/ppa' + + - hosts: server + roles: + - role: geerlingguy.java + when: "ansible_os_family == 'Debian'" + java_packages: + - openjdk-8-jdk + +## License + +MIT / BSD + +## Author Information + +This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/roles/geerlingguy.java/defaults/main.yml b/roles/geerlingguy.java/defaults/main.yml new file mode 100644 index 0000000..aaf519d --- /dev/null 
+++ b/roles/geerlingguy.java/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# Set java_packages if you would like to use a different version than the +# default (OpenJDK 1.7). +# java_packages: [] + +java_home: "" diff --git a/roles/geerlingguy.java/meta/.galaxy_install_info b/roles/geerlingguy.java/meta/.galaxy_install_info new file mode 100644 index 0000000..b945bcc --- /dev/null +++ b/roles/geerlingguy.java/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Mon Apr 29 14:19:43 2019 +version: 1.9.5 diff --git a/roles/geerlingguy.java/meta/main.yml b/roles/geerlingguy.java/meta/main.yml new file mode 100644 index 0000000..57fec56 --- /dev/null +++ b/roles/geerlingguy.java/meta/main.yml @@ -0,0 +1,39 @@ +--- +dependencies: [] + +galaxy_info: + author: geerlingguy + description: Java for Linux + company: "Midwestern Mac, LLC" + license: "license (BSD, MIT)" + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Fedora + versions: + - all + - name: Debian + versions: + - wheezy + - jessie + - stretch + - name: Ubuntu + versions: + - precise + - trusty + - xenial + - bionic + - name: FreeBSD + versions: + - 10.2 + galaxy_tags: + - development + - system + - web + - java + - jdk + - openjdk + - oracle diff --git a/roles/geerlingguy.java/molecule/default/molecule.yml b/roles/geerlingguy.java/molecule/default/molecule.yml new file mode 100644 index 0000000..2ca6fea --- /dev/null +++ b/roles/geerlingguy.java/molecule/default/molecule.yml 
@@ -0,0 +1,29 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-file: molecule/default/yaml-lint.yml +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + lint: + name: ansible-lint + playbooks: + converge: ${MOLECULE_PLAYBOOK:-playbook.yml} +scenario: + name: default +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/geerlingguy.java/molecule/default/playbook.yml b/roles/geerlingguy.java/molecule/default/playbook.yml new file mode 100644 index 0000000..c99558d --- /dev/null +++ b/roles/geerlingguy.java/molecule/default/playbook.yml @@ -0,0 +1,13 @@ +--- +- name: Converge + hosts: all + become: true + + pre_tasks: + - name: Update apt cache. + apt: update_cache=true cache_valid_time=600 + when: ansible_os_family == 'Debian' + changed_when: false + + roles: + - role: geerlingguy.java diff --git a/roles/geerlingguy.java/molecule/default/tests/test_default.py b/roles/geerlingguy.java/molecule/default/tests/test_default.py new file mode 100644 index 0000000..eedd64a --- /dev/null +++ b/roles/geerlingguy.java/molecule/default/tests/test_default.py @@ -0,0 +1,14 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') + + +def test_hosts_file(host): + f = host.file('/etc/hosts') + + assert f.exists + assert f.user == 'root' + assert f.group == 'root' diff --git a/roles/geerlingguy.java/molecule/default/yaml-lint.yml b/roles/geerlingguy.java/molecule/default/yaml-lint.yml new file mode 100644 index 0000000..a3dbc38 --- /dev/null +++ b/roles/geerlingguy.java/molecule/default/yaml-lint.yml 
@@ -0,0 +1,6 @@ +--- +extends: default +rules: + line-length: + max: 120 + level: warning diff --git a/roles/geerlingguy.java/tasks/main.yml b/roles/geerlingguy.java/tasks/main.yml new file mode 100644 index 0000000..b2a6ded --- /dev/null +++ b/roles/geerlingguy.java/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: Include OS-specific variables for Fedora or FreeBSD. + include_vars: "{{ ansible_distribution }}.yml" + when: ansible_distribution == 'FreeBSD' or ansible_distribution == 'Fedora' + +- name: Include version-specific variables for CentOS/RHEL. + include_vars: "RedHat-{{ ansible_distribution_version.split('.')[0] }}.yml" + when: ansible_distribution == 'CentOS' or + ansible_distribution == 'Red Hat Enterprise Linux' or + ansible_distribution == 'RedHat' + +- name: Include version-specific variables for Ubuntu. + include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_version.split('.')[0] }}.yml" + when: ansible_distribution == 'Ubuntu' + +- name: Include version-specific variables for Debian. + include_vars: "{{ ansible_distribution|title }}-{{ ansible_distribution_version.split('.')[0] }}.yml" + when: ansible_os_family == 'Debian' + +- name: Define java_packages. + set_fact: + java_packages: "{{ __java_packages | list }}" + when: java_packages is not defined + +# Setup/install tasks. +- include_tasks: setup-RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: setup-Debian.yml + when: ansible_os_family == 'Debian' + +- include_tasks: setup-FreeBSD.yml + when: ansible_os_family == 'FreeBSD' + +# Environment setup. +- name: Set JAVA_HOME if configured. + template: + src: java_home.sh.j2 + dest: /etc/profile.d/java_home.sh + mode: 0644 + when: java_home is defined and java_home diff --git a/roles/geerlingguy.java/tasks/setup-Debian.yml b/roles/geerlingguy.java/tasks/setup-Debian.yml new file mode 100644 index 0000000..cecbd45 --- /dev/null +++ b/roles/geerlingguy.java/tasks/setup-Debian.yml 
@@ -0,0 +1,16 @@ +--- +# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199 and +# https://github.com/geerlingguy/ansible-role-java/issues/64 +- name: Ensure 'man' directory exists. + file: + path: /usr/share/man/man1 + state: directory + recurse: true + when: + - ansible_distribution == 'Ubuntu' + - ansible_distribution_version == '18.04' + +- name: Ensure Java is installed. + apt: + name: "{{ java_packages }}" + state: present diff --git a/roles/geerlingguy.java/tasks/setup-FreeBSD.yml b/roles/geerlingguy.java/tasks/setup-FreeBSD.yml new file mode 100644 index 0000000..ba66872 --- /dev/null +++ b/roles/geerlingguy.java/tasks/setup-FreeBSD.yml @@ -0,0 +1,11 @@ +--- +- name: Ensure Java is installed. + pkgng: + name: "{{ java_packages }}" + state: present + +- name: ensure proc is mounted + mount: name=/proc fstype=procfs src=proc opts=rw state=mounted + +- name: ensure fdesc is mounted + mount: name=/dev/fd fstype=fdescfs src=fdesc opts=rw state=mounted diff --git a/roles/geerlingguy.java/tasks/setup-RedHat.yml b/roles/geerlingguy.java/tasks/setup-RedHat.yml new file mode 100644 index 0000000..1306945 --- /dev/null +++ b/roles/geerlingguy.java/tasks/setup-RedHat.yml @@ -0,0 +1,5 @@ +--- +- name: Ensure Java is installed. + package: + name: "{{ java_packages }}" + state: present diff --git a/roles/geerlingguy.java/templates/java_home.sh.j2 b/roles/geerlingguy.java/templates/java_home.sh.j2 new file mode 100644 index 0000000..4859c4a --- /dev/null +++ b/roles/geerlingguy.java/templates/java_home.sh.j2 @@ -0,0 +1 @@ +export JAVA_HOME={{ java_home }} diff --git a/roles/geerlingguy.java/vars/Debian-8.yml b/roles/geerlingguy.java/vars/Debian-8.yml new file mode 100644 index 0000000..8d620e4 --- /dev/null +++ b/roles/geerlingguy.java/vars/Debian-8.yml @@ -0,0 +1,7 @@ +--- +# JDK version options include: +# - java +# - openjdk-6-jdk +# - openjdk-7-jdk +__java_packages: + - openjdk-7-jdk 
diff --git a/roles/geerlingguy.java/vars/Debian-9.yml b/roles/geerlingguy.java/vars/Debian-9.yml new file mode 100644 index 0000000..17e49bf --- /dev/null +++ b/roles/geerlingguy.java/vars/Debian-9.yml @@ -0,0 +1,6 @@ +--- +# JDK version options include: +# - java +# - openjdk-8-jdk +__java_packages: + - openjdk-8-jdk diff --git a/roles/geerlingguy.java/vars/Fedora.yml b/roles/geerlingguy.java/vars/Fedora.yml new file mode 100644 index 0000000..47c5a01 --- /dev/null +++ b/roles/geerlingguy.java/vars/Fedora.yml @@ -0,0 +1,6 @@ +--- +# JDK version options include: +# - java +# - java-1.8.0-openjdk +__java_packages: + - java-1.8.0-openjdk diff --git a/roles/geerlingguy.java/vars/FreeBSD.yml b/roles/geerlingguy.java/vars/FreeBSD.yml new file mode 100644 index 0000000..0d712eb --- /dev/null +++ b/roles/geerlingguy.java/vars/FreeBSD.yml @@ -0,0 +1,7 @@ +--- +# JDK version options for FreeBSD include: +# - openjdk +# - openjdk6 +# - openjdk8 +__java_packages: + - openjdk diff --git a/roles/geerlingguy.java/vars/RedHat-6.yml b/roles/geerlingguy.java/vars/RedHat-6.yml new file mode 100644 index 0000000..70694b7 --- /dev/null +++ b/roles/geerlingguy.java/vars/RedHat-6.yml @@ -0,0 +1,7 @@ +--- +# JDK version options include: +# - java +# - java-1.6.0-openjdk +# - java-1.7.0-openjdk +__java_packages: + - java-1.7.0-openjdk diff --git a/roles/geerlingguy.java/vars/RedHat-7.yml b/roles/geerlingguy.java/vars/RedHat-7.yml new file mode 100644 index 0000000..64db579 --- /dev/null +++ b/roles/geerlingguy.java/vars/RedHat-7.yml @@ -0,0 +1,8 @@ +--- +# JDK version options include: +# - java +# - java-1.6.0-openjdk +# - java-1.7.0-openjdk +# - java-1.8.0-openjdk +__java_packages: + - java-1.8.0-openjdk diff --git a/roles/geerlingguy.java/vars/Ubuntu-12.yml b/roles/geerlingguy.java/vars/Ubuntu-12.yml new file mode 100644 index 0000000..8d620e4 --- /dev/null +++ b/roles/geerlingguy.java/vars/Ubuntu-12.yml 
@@ -0,0 +1,7 @@ +--- +# JDK version options include: +# - java +# - openjdk-6-jdk +# - openjdk-7-jdk +__java_packages: + - openjdk-7-jdk diff --git a/roles/geerlingguy.java/vars/Ubuntu-14.yml b/roles/geerlingguy.java/vars/Ubuntu-14.yml new file mode 100644 index 0000000..8d620e4 --- /dev/null +++ b/roles/geerlingguy.java/vars/Ubuntu-14.yml @@ -0,0 +1,7 @@ +--- +# JDK version options include: +# - java +# - openjdk-6-jdk +# - openjdk-7-jdk +__java_packages: + - openjdk-7-jdk diff --git a/roles/geerlingguy.java/vars/Ubuntu-16.yml b/roles/geerlingguy.java/vars/Ubuntu-16.yml new file mode 100644 index 0000000..0a0bd82 --- /dev/null +++ b/roles/geerlingguy.java/vars/Ubuntu-16.yml @@ -0,0 +1,7 @@ +--- +# JDK version options include: +# - java +# - openjdk-8-jdk +# - openjdk-9-jdk +__java_packages: + - openjdk-8-jdk diff --git a/roles/geerlingguy.java/vars/Ubuntu-18.yml b/roles/geerlingguy.java/vars/Ubuntu-18.yml new file mode 100644 index 0000000..bd058c2 --- /dev/null +++ b/roles/geerlingguy.java/vars/Ubuntu-18.yml @@ -0,0 +1,6 @@ +--- +# JDK version options include: +# - java +# - openjdk-11-jdk +__java_packages: + - openjdk-11-jdk diff --git a/roles/geerlingguy.jenkins/.ansible-lint b/roles/geerlingguy.jenkins/.ansible-lint new file mode 100644 index 0000000..3f7f42d --- /dev/null +++ b/roles/geerlingguy.jenkins/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '602' diff --git a/roles/geerlingguy.jenkins/.gitignore b/roles/geerlingguy.jenkins/.gitignore new file mode 100644 index 0000000..f56f5b5 --- /dev/null +++ b/roles/geerlingguy.jenkins/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/roles/geerlingguy.jenkins/.travis.yml b/roles/geerlingguy.jenkins/.travis.yml new file mode 100644 index 0000000..6bba6d9 --- /dev/null +++ b/roles/geerlingguy.jenkins/.travis.yml 
@@ -0,0 +1,43 @@ +--- +language: python +services: docker + +env: + global: + - ROLE_NAME: jenkins + matrix: + # Test defaults. + - MOLECULE_DISTRO: centos7 + - MOLECULE_DISTRO: ubuntu1804 + - MOLECULE_DISTRO: ubuntu1604 + - MOLECULE_DISTRO: debian9 + + # Test other role features. + - MOLECULE_DISTRO: ubuntu1804 + MOLECULE_PLAYBOOK: playbook-http-port.yml + + - MOLECULE_DISTRO: ubuntu1804 + MOLECULE_PLAYBOOK: playbook-prefix.yml + + - MOLECULE_DISTRO: centos7 + MOLECULE_PLAYBOOK: playbook-jenkins-version.yml + + - MOLECULE_DISTRO: ubuntu1804 + MOLECULE_PLAYBOOK: playbook-plugins-with-home.yml + +install: + # Install test dependencies. + - pip install molecule docker + +before_script: + # Use actual Ansible Galaxy role name for the project directory. + - cd ../ + - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME + - cd geerlingguy.$ROLE_NAME + +script: + # Run tests. + - molecule test + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/roles/geerlingguy.jenkins/LICENSE b/roles/geerlingguy.jenkins/LICENSE new file mode 100644 index 0000000..4275cf3 --- /dev/null +++ b/roles/geerlingguy.jenkins/LICENSE 
@@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.jenkins/README.md b/roles/geerlingguy.jenkins/README.md new file mode 100644 index 0000000..320118c --- /dev/null +++ b/roles/geerlingguy.jenkins/README.md 
@@ -0,0 +1,135 @@ +# Ansible Role: Jenkins CI + +[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-jenkins.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-jenkins) + +Installs Jenkins CI on RHEL/CentOS and Debian/Ubuntu servers. + +## Requirements + +Requires `curl` to be installed on the server. Also, newer versions of Jenkins require Java 8+ (see the test playbooks inside the `tests/` directory for an example of how to use newer versions of Java for your OS). + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + jenkins_package_state: present + +The state of the `jenkins` package install. By default this role installs Jenkins but will not upgrade Jenkins (when using package-based installs). If you want to always update to the latest version, change this to `latest`. + + jenkins_hostname: localhost + +The system hostname; usually `localhost` works fine. This will be used during setup to communicate with the running Jenkins instance via HTTP requests. + + jenkins_home: /var/lib/jenkins + +The Jenkins home directory which, amongst others, is being used for storing artifacts, workspaces and plugins. This variable allows you to override the default `/var/lib/jenkins` location. + + jenkins_http_port: 8080 + +The HTTP port for Jenkins' web interface. + + jenkins_admin_username: admin + jenkins_admin_password: admin + +Default admin account credentials which will be created the first time Jenkins is installed. + + jenkins_admin_password_file: "" + +Default admin password file which will be created the first time Jenkins is installed as /var/lib/jenkins/secrets/initialAdminPassword + + jenkins_jar_location: /opt/jenkins-cli.jar + +The location at which the `jenkins-cli.jar` jarfile will be kept. This is used for communicating with Jenkins via the CLI. + + jenkins_plugins: [] + +Jenkins plugins to be installed automatically during provisioning. 
+ + jenkins_plugins_install_dependencies: true + +Whether Jenkins plugins to be installed should also install any plugin dependencies. + + jenkins_plugins_state: present + +Use `latest` to ensure all plugins are running the most up-to-date version. + + jenkins_plugin_updates_expiration: 86400 + +Number of seconds after which a new copy of the update-center.json file is downloaded. Set it to 0 if no cache file should be used. + + jenkins_updates_url: "https://updates.jenkins.io" + +The URL to use for Jenkins plugin updates and update-center information. + + jenkins_plugin_timeout: 30 + +The server connection timeout, in seconds, when installing Jenkins plugins. + + jenkins_version: "1.644" + jenkins_pkg_url: "http://www.example.com" + +(Optional) Then Jenkins version can be pinned to any version available on `http://pkg.jenkins-ci.org/debian/` (Debian/Ubuntu) or `http://pkg.jenkins-ci.org/redhat/` (RHEL/CentOS). If the Jenkins version you need is not available in the default package URLs, you can override the URL with your own; set `jenkins_pkg_url` (_Note_: the role depends on the same naming convention that `http://pkg.jenkins-ci.org/` uses). + + jenkins_url_prefix: "" + +Used for setting a URL prefix for your Jenkins installation. The option is added as `--prefix={{ jenkins_url_prefix }}` to the Jenkins initialization `java` invocation, so you can access the installation at a path like `http://www.example.com{{ jenkins_url_prefix }}`. Make sure you start the prefix with a `/` (e.g. `/jenkins`). + + jenkins_connection_delay: 5 + jenkins_connection_retries: 60 + +Amount of time and number of times to wait when connecting to Jenkins after initial startup, to verify that Jenkins is running. Total time to wait = `delay` * `retries`, so by default this role will wait up to 300 seconds before timing out. 
+ + # For RedHat/CentOS (role default): + jenkins_repo_url: http://pkg.jenkins-ci.org/redhat/jenkins.repo + jenkins_repo_key_url: http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key + # For Debian (role default): + jenkins_repo_url: deb http://pkg.jenkins-ci.org/debian binary/ + jenkins_repo_key_url: http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key + +This role will install the latest version of Jenkins by default (using the official repositories as listed above). You can override these variables (use the correct set for your platform) to install the current LTS version instead: + + # For RedHat/CentOS LTS: + jenkins_repo_url: http://pkg.jenkins-ci.org/redhat-stable/jenkins.repo + jenkins_repo_key_url: http://pkg.jenkins-ci.org/redhat-stable/jenkins-ci.org.key + # For Debian/Ubuntu LTS: + jenkins_repo_url: deb http://pkg.jenkins-ci.org/debian-stable binary/ + jenkins_repo_key_url: http://pkg.jenkins-ci.org/debian-stable/jenkins-ci.org.key + +It is also possible stop the repo file being added by setting `jenkins_repo_url = ''`. This is useful if, for example, you sign your own packages or run internal package management (e.g. Spacewalk). + + jenkins_java_options: "-Djenkins.install.runSetupWizard=false" + +Extra Java options for the Jenkins launch command configured in the init file can be set with the var `jenkins_java_options`. For example, if you want to configure the timezone Jenkins uses, add `-Dorg.apache.commons.jelly.tags.fmt.timeZone=America/New_York`. By default, the option to disable the Jenkins 2.0 setup wizard is added. + + jenkins_init_changes: + - option: "JENKINS_ARGS" + value: "--prefix={{ jenkins_url_prefix }}" + - option: "JENKINS_JAVA_OPTIONS" + value: "{{ jenkins_java_options }}" + +Changes made to the Jenkins init script; the default set of changes set the configured URL prefix and add in configured Java options for Jenkins' startup. You can add other option/value pairs if you need to set other options for the Jenkins init file. 
+ +## Dependencies + + - geerlingguy.java + +## Example Playbook + +```yaml +- hosts: jenkins + vars: + jenkins_hostname: jenkins.example.com + roles: + - role: geerlingguy.java + become: yes + - role: geerlingguy.jenkins + become: yes +``` + +## License + +MIT (Expat) / BSD + +## Author Information + +This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/roles/geerlingguy.jenkins/defaults/main.yml b/roles/geerlingguy.jenkins/defaults/main.yml new file mode 100644 index 0000000..b159e71 --- /dev/null +++ b/roles/geerlingguy.jenkins/defaults/main.yml @@ -0,0 +1,37 @@ +--- +# Optional method of pinning a specific version of Jenkins and/or overriding the +# default Jenkins packaging URL. +# jenkins_version: "1.644" +# jenkins_pkg_url: "https://www.example.com" + +# Change this to `latest` to update Jenkins if a newer version is available. +jenkins_package_state: present + +jenkins_connection_delay: 5 +jenkins_connection_retries: 60 +jenkins_home: /var/lib/jenkins +jenkins_hostname: localhost +jenkins_http_port: 8080 +jenkins_jar_location: /opt/jenkins-cli.jar +jenkins_url_prefix: "" +jenkins_java_options: "-Djenkins.install.runSetupWizard=false" + +jenkins_plugins: [] +jenkins_plugins_state: present +jenkins_plugin_updates_expiration: 86400 +jenkins_plugin_timeout: 30 +jenkins_plugins_install_dependencies: true +jenkins_updates_url: "https://updates.jenkins.io" + +jenkins_admin_username: admin +jenkins_admin_password: admin +jenkins_admin_password_file: "" + +jenkins_process_user: jenkins +jenkins_process_group: "{{ jenkins_process_user }}" + +jenkins_init_changes: + - option: "JENKINS_ARGS" + value: "--prefix={{ jenkins_url_prefix }}" + - option: "{{ jenkins_java_options_env_var }}" + value: "{{ jenkins_java_options }}" 
diff --git a/roles/geerlingguy.jenkins/handlers/main.yml b/roles/geerlingguy.jenkins/handlers/main.yml new file mode 100644 index 0000000..005440b --- /dev/null +++ b/roles/geerlingguy.jenkins/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: restart jenkins + service: name=jenkins state=restarted + +- name: configure default users + template: + src: basic-security.groovy.j2 + dest: "{{ jenkins_home }}/init.groovy.d/basic-security.groovy" + owner: "{{ jenkins_process_user }}" + group: "{{ jenkins_process_group }}" + mode: 0775 + register: jenkins_users_config diff --git a/roles/geerlingguy.jenkins/meta/.galaxy_install_info b/roles/geerlingguy.jenkins/meta/.galaxy_install_info new file mode 100644 index 0000000..3b50624 --- /dev/null +++ b/roles/geerlingguy.jenkins/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Mon Apr 29 14:19:40 2019 +version: 3.7.0 diff --git a/roles/geerlingguy.jenkins/meta/main.yml b/roles/geerlingguy.jenkins/meta/main.yml new file mode 100644 index 0000000..54ab892 --- /dev/null +++ b/roles/geerlingguy.jenkins/meta/main.yml @@ -0,0 +1,29 @@ +--- +dependencies: + - geerlingguy.java + +galaxy_info: + author: geerlingguy + description: Jenkins CI + company: "Midwestern Mac, LLC" + license: "license (BSD, MIT)" + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Fedora + versions: + - all + - name: Debian + versions: + - all + - name: Ubuntu + versions: + - all + galaxy_tags: + - development + - packaging + - jenkins + - ci diff --git a/roles/geerlingguy.jenkins/molecule/default/java-8.yml b/roles/geerlingguy.jenkins/molecule/default/java-8.yml new file mode 100644 index 0000000..cadaf39 --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/java-8.yml 
@@ -0,0 +1,51 @@ +--- +# Ubuntu. +- name: Add repository for OpenJDK 8 (Ubuntu 14). + apt_repository: repo='ppa:openjdk-r/ppa' + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_version == "14.04" + +# Debian. +- name: Enable Backports repository (Debian 8). + apt_repository: + repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main' + state: present + filename: "{{ ansible_distribution_release }}_backports" + when: ansible_distribution == "Debian" + +- name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + changed_when: false + +# See: http://unix.stackexchange.com/a/342469 +- name: Install dependencies. + apt: + default_release: "{{ ansible_distribution_release }}-backports" + name: + - openjdk-8-jre-headless + - ca-certificates-java + state: present + when: ansible_distribution == "Debian" + +# Red Hat. +- name: Set the java_packages variable (RedHat). + set_fact: + java_packages: + - java-1.8.0-openjdk + when: ansible_os_family == 'RedHat' + +# Ubuntu. +- name: Set the java_packages variable (Ubuntu). + set_fact: + java_packages: + - openjdk-8-jdk + when: ansible_distribution == 'Ubuntu' + +# Debian. +- name: Set the java_packages variable (Debian). + set_fact: + java_packages: + - openjdk-8-jdk + when: ansible_distribution == 'Debian' diff --git a/roles/geerlingguy.jenkins/molecule/default/molecule.yml b/roles/geerlingguy.jenkins/molecule/default/molecule.yml new file mode 100644 index 0000000..2ca6fea --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/molecule.yml 
@@ -0,0 +1,29 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-file: molecule/default/yaml-lint.yml +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + lint: + name: ansible-lint + playbooks: + converge: ${MOLECULE_PLAYBOOK:-playbook.yml} +scenario: + name: default +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/geerlingguy.jenkins/molecule/default/playbook-http-port.yml b/roles/geerlingguy.jenkins/molecule/default/playbook-http-port.yml new file mode 100644 index 0000000..1f4bba2 --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/playbook-http-port.yml @@ -0,0 +1,24 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + jenkins_http_port: 8081 + + pre_tasks: + - include_tasks: java-8.yml + + roles: + - geerlingguy.java + - geerlingguy.jenkins + + post_tasks: + - name: Ensure Jenkins is running on the specified port. + uri: + url: "http://127.0.0.1:{{ jenkins_http_port }}" + status_code: 200 + register: result + until: result.status == 200 + retries: 60 + delay: 1 diff --git a/roles/geerlingguy.jenkins/molecule/default/playbook-jenkins-version.yml b/roles/geerlingguy.jenkins/molecule/default/playbook-jenkins-version.yml new file mode 100644 index 0000000..8f36796 --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/playbook-jenkins-version.yml 
@@ -0,0 +1,27 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + jenkins_version: "1.644" + + roles: + - geerlingguy.java + - geerlingguy.jenkins + + post_tasks: + - name: Check installed version of Jenkins. + command: rpm -q jenkins + args: + warn: false + changed_when: false + register: jenkins_rpm_version + tags: ['skip_ansible_lint'] + + - name: Print installed Jenkins package information. + debug: var=jenkins_rpm_version + + - name: Fail if version doesn't match what we wanted. + fail: + when: "jenkins_version not in jenkins_rpm_version.stdout" diff --git a/roles/geerlingguy.jenkins/molecule/default/playbook-plugins-with-home.yml b/roles/geerlingguy.jenkins/molecule/default/playbook-plugins-with-home.yml new file mode 100644 index 0000000..92a699d --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/playbook-plugins-with-home.yml @@ -0,0 +1,52 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + jenkins_plugins: + - ghprb + - greenballs + jenkins_home: /tmp/jenkins + jenkins_plugin_timeout: 120 + + pre_tasks: + - include_tasks: java-8.yml + + roles: + - geerlingguy.java + - geerlingguy.jenkins + + post_tasks: + - name: Verify JENKINS_HOME is correct. + stat: + path: "{{ jenkins_home }}/config.xml" + register: jenkins_home_config + + - name: Fail if Jenkins config file doesn't exist. + fail: + when: not jenkins_home_config.stat.exists + + - name: List plugins directory contents. + command: "ls {{ jenkins_home }}/plugins" + register: plugins_contents + changed_when: false + tags: ['skip_ansible_lint'] + + - name: Verify greenballs plugin exists. + stat: + path: "{{ jenkins_home }}/plugins/greenballs.jpi" + register: greenballs_plugin + + - name: Fail if greenballs plugin file doesn't exist. + fail: + when: not greenballs_plugin.stat.exists + + - name: Ensure Jenkins is running. + uri: + url: "http://127.0.0.1:8080/" + status_code: 200 + register: result + until: result.status == 200 + retries: 60 + delay: 1 
diff --git a/roles/geerlingguy.jenkins/molecule/default/playbook-prefix.yml b/roles/geerlingguy.jenkins/molecule/default/playbook-prefix.yml new file mode 100644 index 0000000..23d12fc --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/playbook-prefix.yml @@ -0,0 +1,24 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + jenkins_url_prefix: /jenkins + + pre_tasks: + - include_tasks: java-8.yml + + roles: + - geerlingguy.java + - geerlingguy.jenkins + + post_tasks: + - name: Ensure Jenkins is running with the specified prefix. + uri: + url: "http://127.0.0.1:8080{{ jenkins_url_prefix }}" + status_code: 200 + register: result + until: result.status == 200 + retries: 60 + delay: 1 diff --git a/roles/geerlingguy.jenkins/molecule/default/playbook.yml b/roles/geerlingguy.jenkins/molecule/default/playbook.yml new file mode 100644 index 0000000..15532b5 --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/playbook.yml @@ -0,0 +1,16 @@ +--- +- name: Converge + hosts: all + become: true + + pre_tasks: + - include_tasks: java-8.yml + + roles: + - role: geerlingguy.java + - role: geerlingguy.jenkins + + post_tasks: + - name: Check if Jenkins is running. + uri: + url: "http://127.0.0.1:8080/" diff --git a/roles/geerlingguy.jenkins/molecule/default/requirements.yml b/roles/geerlingguy.jenkins/molecule/default/requirements.yml new file mode 100644 index 0000000..8fbe7cb --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/requirements.yml @@ -0,0 +1,2 @@ +--- +- src: geerlingguy.java diff --git a/roles/geerlingguy.jenkins/molecule/default/yaml-lint.yml b/roles/geerlingguy.jenkins/molecule/default/yaml-lint.yml new file mode 100644 index 0000000..c9aab08 --- /dev/null +++ b/roles/geerlingguy.jenkins/molecule/default/yaml-lint.yml @@ -0,0 +1,6 @@ +--- +extends: default +rules: + line-length: + max: 150 + level: warning 
diff --git a/roles/geerlingguy.jenkins/tasks/main.yml b/roles/geerlingguy.jenkins/tasks/main.yml new file mode 100644 index 0000000..c302929 --- /dev/null +++ b/roles/geerlingguy.jenkins/tasks/main.yml 
@@ -0,0 +1,66 @@ +--- +# Variable setup. +- name: Include OS-Specific variables + include_vars: "{{ ansible_os_family }}.yml" + +- name: Define jenkins_repo_url + set_fact: + jenkins_repo_url: "{{ __jenkins_repo_url }}" + when: jenkins_repo_url is not defined + +- name: Define jenkins_repo_key_url + set_fact: + jenkins_repo_key_url: "{{ __jenkins_repo_key_url }}" + when: jenkins_repo_key_url is not defined + +- name: Define jenkins_pkg_url + set_fact: + jenkins_pkg_url: "{{ __jenkins_pkg_url }}" + when: jenkins_pkg_url is not defined + +# Setup/install tasks. +- include_tasks: setup-RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: setup-Debian.yml + when: ansible_os_family == 'Debian' + +# Configure Jenkins init settings. +- include_tasks: settings.yml + +# Make sure Jenkins starts, then configure Jenkins. +- name: Ensure Jenkins is started and runs on startup. + service: name=jenkins state=started enabled=yes + +- name: Wait for Jenkins to start up before proceeding. + command: > + curl -D - --silent --max-time 5 http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}/cli/ + args: + warn: false + register: result + until: > + (result.stdout.find("403 Forbidden") != -1) + or (result.stdout.find("200 OK") != -1) + and (result.stdout.find("Please wait while") == -1) + retries: "{{ jenkins_connection_retries }}" + delay: "{{ jenkins_connection_delay }}" + changed_when: false + check_mode: false + +- name: Get the jenkins-cli jarfile from the Jenkins server. + get_url: + url: "http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}/jnlpJars/jenkins-cli.jar" + dest: "{{ jenkins_jar_location }}" + register: jarfile_get + until: "'OK' in jarfile_get.msg or '304' in jarfile_get.msg or 'file already exists' in jarfile_get.msg" + retries: 5 + delay: 10 + check_mode: false + +- name: Remove Jenkins security init scripts after first startup. 
+ file: + path: "{{ jenkins_home }}/init.groovy.d/basic-security.groovy" + state: absent + +# Update Jenkins and install configured plugins. +- include_tasks: plugins.yml diff --git a/roles/geerlingguy.jenkins/tasks/plugins.yml b/roles/geerlingguy.jenkins/tasks/plugins.yml new file mode 100644 index 0000000..1807590 --- /dev/null +++ b/roles/geerlingguy.jenkins/tasks/plugins.yml 
@@ -0,0 +1,61 @@ +--- +# jenkins_plugin module doesn't support password files. +- name: Get Jenkins admin password from file. + slurp: + src: "{{ jenkins_admin_password_file }}" + register: adminpasswordfile + no_log: true + when: jenkins_admin_password_file != "" + tags: ['skip_ansible_lint'] + +- name: Set Jenkins admin password fact. + set_fact: + jenkins_admin_password: "{{ adminpasswordfile['stdout'] | default(jenkins_admin_password) }}" + no_log: true + +# Update Jenkins so that plugin updates don't fail. +- name: Create Jenkins updates directory. + file: + path: "{{ jenkins_home }}/updates" + state: directory + owner: jenkins + group: jenkins + +- name: Download current plugin updates from Jenkins update site. + get_url: + url: "{{ jenkins_updates_url }}/update-center.json" + dest: "{{ jenkins_home }}/updates/default.json" + owner: jenkins + group: jenkins + mode: 0440 + changed_when: false + register: get_result + until: get_result is success + retries: 3 + delay: 2 + +- name: Remove first and last line from json file. + replace: + path: "{{ jenkins_home }}/updates/default.json" + regexp: "1d;$d" + +- name: Install Jenkins plugins using password. + jenkins_plugin: + name: "{{ item }}" + jenkins_home: "{{ jenkins_home }}" + url_username: "{{ jenkins_admin_username }}" + url_password: "{{ jenkins_admin_password }}" + state: "{{ jenkins_plugins_state }}" + timeout: "{{ jenkins_plugin_timeout }}" + updates_expiration: "{{ jenkins_plugin_updates_expiration }}" + updates_url: "{{ jenkins_updates_url }}" + url: "http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}" + with_dependencies: "{{ jenkins_plugins_install_dependencies }}" + with_items: "{{ jenkins_plugins }}" + when: jenkins_admin_password != "" + notify: restart jenkins + tags: ['skip_ansible_lint'] + register: plugin_result + until: plugin_result is success + retries: 3 + delay: 2 
diff --git a/roles/geerlingguy.jenkins/tasks/settings.yml b/roles/geerlingguy.jenkins/tasks/settings.yml new file mode 100644 index 0000000..6d11c43 --- /dev/null +++ b/roles/geerlingguy.jenkins/tasks/settings.yml 
@@ -0,0 +1,69 @@ +--- +- name: Check if jenkins_init_file exists. + stat: + path: "{{ jenkins_init_file }}" + register: jenkins_init_file_stat + +- name: Ensure jenkins_init_file exists. + file: + path: "{{ jenkins_init_file }}" + state: touch + when: not jenkins_init_file_stat.stat.exists + +- name: Modify variables in init file. + lineinfile: + dest: "{{ jenkins_init_file }}" + insertafter: '^{{ item.option }}=' + regexp: '^{{ item.option }}=\"\${{ item.option }} ' + line: '{{ item.option }}="${{ item.option }} {{ item.value }}"' + state: present + with_items: "{{ jenkins_init_changes }}" + register: jenkins_init_prefix + +- name: Set the Jenkins home directory. + lineinfile: + dest: "{{ jenkins_init_file }}" + regexp: '^JENKINS_HOME=.*' + line: 'JENKINS_HOME={{ jenkins_home }}' + register: jenkins_home_config + +- name: Immediately restart Jenkins on init config changes. + service: name=jenkins state=restarted + when: jenkins_init_prefix.changed + tags: ['skip_ansible_lint'] + +- name: Set HTTP port in Jenkins config. + lineinfile: + backrefs: true + dest: "{{ jenkins_init_file }}" + regexp: '^{{ jenkins_http_port_param }}=' + line: '{{ jenkins_http_port_param }}={{ jenkins_http_port }}' + register: jenkins_http_config + +- name: Ensure jenkins_home {{ jenkins_home }} exists + file: + path: "{{ jenkins_home }}" + state: directory + owner: jenkins + group: jenkins + mode: u+rwx + follow: true + +- name: Create custom init scripts directory. + file: + path: "{{ jenkins_home }}/init.groovy.d" + state: directory + owner: "{{ jenkins_process_user }}" + group: "{{ jenkins_process_group }}" + mode: 0775 + +- name: Trigger handlers immediately in case Jenkins was installed + meta: flush_handlers + +- name: Immediately restart Jenkins on http or user changes. 
+ service: name=jenkins state=restarted + when: > + (jenkins_users_config is defined and jenkins_users_config.changed) + or (jenkins_http_config is defined and jenkins_http_config.changed) + or (jenkins_home_config is defined and jenkins_home_config.changed) + tags: ['skip_ansible_lint'] diff --git a/roles/geerlingguy.jenkins/tasks/setup-Debian.yml b/roles/geerlingguy.jenkins/tasks/setup-Debian.yml new file mode 100644 index 0000000..7f81a14 --- /dev/null +++ b/roles/geerlingguy.jenkins/tasks/setup-Debian.yml @@ -0,0 +1,45 @@ +--- +- name: Ensure dependencies are installed. + apt: + name: + - curl + - apt-transport-https + state: present + +- name: Add Jenkins apt repository key. + apt_key: + url: "{{ jenkins_repo_key_url }}" + state: present + +- name: Add Jenkins apt repository. + apt_repository: + repo: "{{ jenkins_repo_url }}" + state: present + update_cache: true + when: jenkins_repo_url != "" + tags: ['skip_ansible_lint'] + +- name: Download specific Jenkins version. + get_url: + url: "{{ jenkins_pkg_url }}/jenkins_{{ jenkins_version }}_all.deb" + dest: "/tmp/jenkins_{{ jenkins_version }}_all.deb" + when: jenkins_version is defined + +- name: Check if we downloaded a specific version of Jenkins. + stat: + path: "/tmp/jenkins_{{ jenkins_version }}_all.deb" + register: specific_version + when: jenkins_version is defined + +- name: Install our specific version of Jenkins. + apt: + deb: "/tmp/jenkins_{{ jenkins_version }}_all.deb" + state: present + when: jenkins_version is defined and specific_version.stat.exists + notify: configure default users + +- name: Ensure Jenkins is installed. + apt: + name: jenkins + state: "{{ jenkins_package_state }}" + notify: configure default users diff --git a/roles/geerlingguy.jenkins/tasks/setup-RedHat.yml b/roles/geerlingguy.jenkins/tasks/setup-RedHat.yml new file mode 100644 index 0000000..e5ee979 --- /dev/null +++ b/roles/geerlingguy.jenkins/tasks/setup-RedHat.yml 
@@ -0,0 +1,45 @@ +--- +- name: Ensure dependencies are installed. + package: + name: + - curl + - libselinux-python + - initscripts + state: present + +- name: Ensure Jenkins repo is installed. + get_url: + url: "{{ jenkins_repo_url }}" + dest: /etc/yum.repos.d/jenkins.repo + when: jenkins_repo_url != "" + tags: ['skip_ansible_lint'] + +- name: Add Jenkins repo GPG key. + rpm_key: + state: present + key: "{{ jenkins_repo_key_url }}" + +- name: Download specific Jenkins version. + get_url: + url: "{{ jenkins_pkg_url }}/jenkins-{{ jenkins_version }}-1.1.noarch.rpm" + dest: "/tmp/jenkins-{{ jenkins_version }}-1.1.noarch.rpm" + when: jenkins_version is defined + +- name: Check if we downloaded a specific version of Jenkins. + stat: + path: "/tmp/jenkins-{{ jenkins_version }}-1.1.noarch.rpm" + register: specific_version + when: jenkins_version is defined + +- name: Install our specific version of Jenkins. + package: + name: "/tmp/jenkins-{{ jenkins_version }}-1.1.noarch.rpm" + state: present + when: jenkins_version is defined and specific_version.stat.exists + notify: configure default users + +- name: Ensure Jenkins is installed. + package: + name: jenkins + state: "{{ jenkins_package_state }}" + notify: configure default users diff --git a/roles/geerlingguy.jenkins/templates/basic-security.groovy.j2 b/roles/geerlingguy.jenkins/templates/basic-security.groovy.j2 new file mode 100644 index 0000000..c1d0758 --- /dev/null +++ b/roles/geerlingguy.jenkins/templates/basic-security.groovy.j2 
@@ -0,0 +1,28 @@ +#!groovy +import hudson.security.* +import jenkins.model.* + +def instance = Jenkins.getInstance() +def hudsonRealm = new HudsonPrivateSecurityRealm(false) +def users = hudsonRealm.getAllUsers() +users_s = users.collect { it.toString() } + +// Create the admin user account if it doesn't already exist. +if ("{{ jenkins_admin_username }}" in users_s) { + println "Admin user already exists - updating password" + + def user = hudson.model.User.get('{{ jenkins_admin_username }}'); + def password = hudson.security.HudsonPrivateSecurityRealm.Details.fromPlainPassword('{{ jenkins_admin_password }}') + user.addProperty(password) + user.save() +} +else { + println "--> creating local admin user" + + hudsonRealm.createAccount('{{ jenkins_admin_username }}', '{{ jenkins_admin_password }}') + instance.setSecurityRealm(hudsonRealm) + + def strategy = new FullControlOnceLoggedInAuthorizationStrategy() + instance.setAuthorizationStrategy(strategy) + instance.save() +} diff --git a/roles/geerlingguy.jenkins/vars/Debian.yml b/roles/geerlingguy.jenkins/vars/Debian.yml new file mode 100644 index 0000000..526c9bf --- /dev/null +++ b/roles/geerlingguy.jenkins/vars/Debian.yml @@ -0,0 +1,7 @@ +--- +__jenkins_repo_url: deb https://pkg.jenkins.io/debian binary/ +__jenkins_repo_key_url: https://pkg.jenkins.io/debian/jenkins.io.key +__jenkins_pkg_url: https://pkg.jenkins.io/debian/binary +jenkins_init_file: /etc/default/jenkins +jenkins_http_port_param: HTTP_PORT +jenkins_java_options_env_var: JAVA_ARGS diff --git a/roles/geerlingguy.jenkins/vars/RedHat.yml b/roles/geerlingguy.jenkins/vars/RedHat.yml new file mode 100644 index 0000000..82d8845 --- /dev/null +++ b/roles/geerlingguy.jenkins/vars/RedHat.yml 
@@ -0,0 +1,7 @@ +--- +__jenkins_repo_url: https://pkg.jenkins.io/redhat/jenkins.repo +__jenkins_repo_key_url: https://pkg.jenkins.io/redhat/jenkins.io.key +__jenkins_pkg_url: https://pkg.jenkins.io/redhat +jenkins_init_file: /etc/sysconfig/jenkins +jenkins_http_port_param: JENKINS_PORT +jenkins_java_options_env_var: JENKINS_JAVA_OPTIONS diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index 577fd91..a4d714b 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -34,5 +34,5 @@ server_host: localhost server_name: ansible_hostname # The URLs of the Elasticsearch instances to use for all your queries. -elasticsearch_hosts: - - localhost +# example: " 'http://localhost:9200', 'http://192.168.0.1:9200' " +elasticsearch_hosts: " 'http://localhost:9200' " diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 442e090..768a3f8 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -1,2 +1,7 @@ --- -# tasks file for kibana \ No newline at end of file +# tasks file for kibana + + +- name: install kibana on ubuntu + when: ansible_distribution == "Ubuntu" + include: ubuntu.yml diff --git a/roles/kibana/tasks/ubuntu.yml b/roles/kibana/tasks/ubuntu.yml index 6086ed5..5f93792 100644 --- a/roles/kibana/tasks/ubuntu.yml +++ b/roles/kibana/tasks/ubuntu.yml @@ -17,11 +17,11 @@ backup: true - name: Allow 5601 though UFW - when: ufw_server_port == true_ + when: ufw_server_port == true become: true ufw: rule: allow - port: server_port + port: "{{ server_port }}" - name: systemd - daemon reload become: true diff --git a/roles/kibana/templates/kibana.j2 b/roles/kibana/templates/kibana.j2 index ee09b97..c77c2b7 100644 --- a/roles/kibana/templates/kibana.j2 +++ b/roles/kibana/templates/kibana.j2 
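Review bot: `elasticsearch_hosts` in roles/kibana/defaults/main.yml changes from a YAML list to a string that has to carry its own inner quotes and commas (`" 'http://localhost:9200' "`) because templates/kibana.j2 in the next hunk splices it verbatim into `elasticsearch.hosts: [ {{ elasticsearch_hosts }} ]`. Any caller that forgets the inner quotes, or passes a list as the old default allowed, yields an invalid kibana.yml, and the leading and trailing spaces in the default are now part of the value. Keeping the default as a list (`- http://localhost:9200`) and rendering it with `elasticsearch.hosts: {{ elasticsearch_hosts | to_json }}` in the template produces valid output for any number of hosts without hand-written quoting; the `# example:` comment would then show a list too.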
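Review bot: The new task in roles/kibana/tasks/main.yml uses the deprecated `include:` keyword; `include_tasks: ubuntu.yml` is the supported form since Ansible 2.4, which the vendored jenkins role's meta already declares as its minimum. The same `include:` appears in roles/luther38.metricbeat/tasks/main.yml and roles/luther38.metricbeat/tasks/ubuntu.yml later in this series and should change with it.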
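Review bot: `when: ufw_server_port == true` in roles/kibana/tasks/ubuntu.yml only matches a real boolean, so a value supplied as the string `"true"` from the command line or inventory silently skips the firewall task, and an unset variable fails the play if defaults/main.yml has no entry for it (none is visible in its hunk on this line). `when: ufw_server_port | default(false) | bool` handles both cases. The ufw rule also opens the port for every protocol; `proto: tcp` limits it to what Kibana actually serves.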
@@ -8,7 +8,7 @@ server.port: {{ server_port }} # To allow connections from remote users, set this parameter to a non-loopback address. #server.host: "192.168.0.173" -server.host: {{ server_host }} +server.host: "{{ server_host }}" # Enables you to specify a path to mount Kibana at if you are running behind a proxy. # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath @@ -26,13 +26,11 @@ server.host: {{ server_host }} #server.maxPayloadBytes: 1048576 # The Kibana server's name. This is used for display purposes. -server.name: {{ server_name }} +server.name: "{{ server_name }}" # The URLs of the Elasticsearch instances to use for all your queries. #elasticsearch.hosts: ["http://localhost:9200"] -elasticsearch.hosts: [ - {{ elasticsearch_hosts }} -] +elasticsearch.hosts: [ {{ elasticsearch_hosts }} ] # When this setting's value is true Kibana uses the hostname specified in the server.host # setting. When the value of this setting is false, Kibana uses the hostname of the host From 341caa5a782418a0dbd26f4cd2de1cfdb44da436 Mon Sep 17 00:00:00 2001 
From: James Tombleson Date: Tue, 30 Apr 2019 10:03:30 -0700 Subject: [PATCH 12/19] Moving metricbeat to a role --- .../linux/elastic/config-elasticsearch.yml | 32 ------- playbook/linux/elastic/config-kibana.yml | 22 ----- playbook/linux/elastic/elasticsearch.j2 | 94 ------------------- playbook/linux/elastic/role-test.yml | 1 + roles/luther38.metricbeat/README.md | 38 ++++++++ roles/luther38.metricbeat/defaults/main.yml | 2 + roles/luther38.metricbeat/handlers/main.yml | 2 + roles/luther38.metricbeat/meta/main.yml | 60 ++++++++++++ .../tasks/install-repo.yml | 29 ++++++ roles/luther38.metricbeat/tasks/main.yml | 7 ++ roles/luther38.metricbeat/tasks/ubuntu.yml | 29 ++++++ .../templates}/metricbeat.j2 | 0 roles/luther38.metricbeat/tests/inventory | 2 + roles/luther38.metricbeat/tests/test.yml | 5 + roles/luther38.metricbeat/vars/main.yml | 2 + 15 files changed, 177 insertions(+), 148 deletions(-) delete mode 100644 playbook/linux/elastic/config-elasticsearch.yml delete mode 100644 playbook/linux/elastic/config-kibana.yml delete mode 100755 playbook/linux/elastic/elasticsearch.j2 create mode 100644 roles/luther38.metricbeat/README.md create mode 100644 roles/luther38.metricbeat/defaults/main.yml create mode 100644 roles/luther38.metricbeat/handlers/main.yml create mode 100644 roles/luther38.metricbeat/meta/main.yml create mode 100644 roles/luther38.metricbeat/tasks/install-repo.yml create mode 100644 roles/luther38.metricbeat/tasks/main.yml create mode 100644 roles/luther38.metricbeat/tasks/ubuntu.yml rename {playbook/linux/elastic => roles/luther38.metricbeat/templates}/metricbeat.j2 (100%) create mode 100644 roles/luther38.metricbeat/tests/inventory create mode 100644 roles/luther38.metricbeat/tests/test.yml create mode 100644 roles/luther38.metricbeat/vars/main.yml diff --git a/playbook/linux/elastic/config-elasticsearch.yml b/playbook/linux/elastic/config-elasticsearch.yml deleted file mode 100644 index 2971f8c..0000000 
--- a/playbook/linux/elastic/config-elasticsearch.yml +++ /dev/null @@ -1,32 +0,0 @@ -# This will work on a new install. - -# Allow 9200 so we can access it over the network -- name: Allow port 9200 though UFW - become: true - ufw: - rule: allow - port: 9200 - #name: ElasticSearch - -- name: Allow port 9300 though UFW - become: true - ufw: - rule: allow - port: 9300 - -- name: Service reload daemon - become: true - systemd: - daemon_reload: yes - -- name: systemd - enable ElasticSearch on startup - become: true - systemd: - name: elasticsearch - enabled: yes - -- name: systemd - restart ElasticSearch service - become: true - systemd: - name: elasticsearch - state: restarted diff --git a/playbook/linux/elastic/config-kibana.yml b/playbook/linux/elastic/config-kibana.yml deleted file mode 100644 index 49c8c58..0000000 --- a/playbook/linux/elastic/config-kibana.yml +++ /dev/null @@ -1,22 +0,0 @@ - -- name: Allow 5601 though UFW - become: true - ufw: - rule: allow - port: 5601 - -- name: systemd - daemon reload - become: true - systemd: - daemon_reload: yes - -- name: systemd - enable Kibana on startup - become: true - systemd: - name: kibana - enabled: yes - -- name: systemd - restart Kibana - become: true - systemd: - name: kiband diff --git a/playbook/linux/elastic/elasticsearch.j2 b/playbook/linux/elastic/elasticsearch.j2 deleted file mode 100755 index e9f0b64..0000000 --- a/playbook/linux/elastic/elasticsearch.j2 +++ /dev/null 
@@ -1,94 +0,0 @@ -# ======================== Elasticsearch Configuration ========================= -# -# NOTE: Elasticsearch comes with reasonable defaults for most settings. -# Before you set out to tweak and tune the configuration, make sure you -# understand what are you trying to accomplish and the consequences. -# -# The primary way of configuring a node is via this file. This template lists -# the most important settings you may want to configure for a production cluster. -# -# Please consult the documentation for further information on configuration options: -# https://www.elastic.co/guide/en/elasticsearch/reference/index.html -# -# ---------------------------------- Cluster ----------------------------------- -# -# Use a descriptive name for your cluster: -# -#cluster.name: my-application -cluster.name: {{ es_cluster_name }} -# -# ------------------------------------ Node ------------------------------------ -# -# Use a descriptive name for the node: -# -#node.name: node-1 -node.name: {{ es_node_name }} -node.master: {{ es_node_master }} -node.data: {{ es_node_data }} -# -# Add custom attributes to the node: -# -#node.attr.rack: r1 -# -# ----------------------------------- Paths ------------------------------------ -# -# Path to directory where to store the data (separate multiple locations by comma): -# -path.data: {{ es_path_data }} -# -# Path to log files: -# -path.logs: {{ es_path_logs }} -# -# ----------------------------------- Memory ----------------------------------- -# -# Lock the memory on startup: -# -#bootstrap.memory_lock: true -# -# Make sure that the heap size is set to about half the memory available -# on the system and that the owner of the process is allowed to use this -# limit. -# -# Elasticsearch performs poorly when the system is swapping the memory. 
-# -# ---------------------------------- Network ----------------------------------- -# -# Set the bind address to a specific IP (IPv4 or IPv6): -# -network.host: {{ ansible_default_ipv4.address }} -# -# Set a custom port for HTTP: -# -http.port: {{ es_http_port }} -transport.host: {{ es_transport_host }} -transport.tcp.port: {{ es_transport_port }} -# -# For more information, consult the network module documentation.# -# -# --------------------------------- Discovery ---------------------------------- -# -# Pass an initial list of hosts to perform discovery when this node is started: -# The default list of hosts is ["127.0.0.1", "[::1]"] -# -#discovery.seed_hosts: ["host1", "host2"] -# -# Bootstrap the cluster using an initial set of master-eligible nodes: -# -#cluster.initial_master_nodes: ["node-1", "node-2"] -# -# For more information, consult the discovery and cluster formation module documentation. -# -# ---------------------------------- Gateway ----------------------------------- -# -# Block initial recovery after a full cluster restart until N nodes are started: -# -#gateway.recover_after_nodes: 3 -# -# For more information, consult the gateway module documentation. -# -# ---------------------------------- Various ----------------------------------- -# -# Require explicit names when deleting indices: -# -#action.destructive_requires_name: true diff --git a/playbook/linux/elastic/role-test.yml b/playbook/linux/elastic/role-test.yml index 32b0952..4f535bc 100644 --- a/playbook/linux/elastic/role-test.yml +++ b/playbook/linux/elastic/role-test.yml @@ -28,6 +28,7 @@ name: kibana vars: server_port: 5601 + ufw_server_port: true server_host: "{{ ansible_default_ipv4.address }}" server_name: "{{ ansible_hostname }}" elasticsearch_hosts: " 'http://localhost:9200', 'http://dm-nagios.local:9200', 'http://172.20.0.142:9200' " diff --git a/roles/luther38.metricbeat/README.md b/roles/luther38.metricbeat/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null 
+++ b/roles/luther38.metricbeat/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/luther38.metricbeat/defaults/main.yml b/roles/luther38.metricbeat/defaults/main.yml new file mode 100644 index 0000000..99e6285 --- /dev/null +++ b/roles/luther38.metricbeat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for luther38.metricbeat \ No newline at end of file diff --git a/roles/luther38.metricbeat/handlers/main.yml b/roles/luther38.metricbeat/handlers/main.yml new file mode 100644 index 0000000..4971955 --- /dev/null +++ b/roles/luther38.metricbeat/handlers/main.yml 
@@ -0,0 +1,2 @@ +--- +# handlers file for luther38.metricbeat \ No newline at end of file diff --git a/roles/luther38.metricbeat/meta/main.yml b/roles/luther38.metricbeat/meta/main.yml new file mode 100644 index 0000000..5d50bf4 --- /dev/null +++ b/roles/luther38.metricbeat/meta/main.yml 
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/luther38.metricbeat/tasks/install-repo.yml b/roles/luther38.metricbeat/tasks/install-repo.yml
new file mode 100644
index 0000000..c4504a6
--- /dev/null
+++ b/roles/luther38.metricbeat/tasks/install-repo.yml
@@ -0,0 +1,29 @@
+---
+
+- name: Install Elastic GPG Key
+ become: true
+ apt_key:
+ url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+ state: present
+ id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
+
+- name: Install apt-transport-https
+ become: true
+ apt:
+ name: apt-transport-https
+
+- name: Add Elastic Repo
+ become: true
+ copy:
+ dest: '/etc/apt/sources.list.d/elastic-7.x.list'
+ content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
+ # copy:
+ #src: elastic-7.x.list
+ # dest: /etc/apt/sources.list.d/
+ # backup: yes
+
+- name: Update Packages
+ become: true
+ apt:
+ update_cache: true
+
diff --git a/roles/luther38.metricbeat/tasks/main.yml b/roles/luther38.metricbeat/tasks/main.yml
new file mode 100644
index 0000000..126a7d9
--- /dev/null
+++ b/roles/luther38.metricbeat/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+# tasks file for luther38.metricbeat
+
+- name: Install Metricbeat on Ubuntu
+ become: true
+ when:: ansible_distribution == 'Ubuntu'
+ include: ubuntu.yml
diff --git a/roles/luther38.metricbeat/tasks/ubuntu.yml b/roles/luther38.metricbeat/tasks/ubuntu.yml
new file mode 100644
index 0000000..ed2e0b9
--- /dev/null
+++ b/roles/luther38.metricbeat/tasks/ubuntu.yml
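Review bot: The `Add Elastic Repo` task writes the sources entry with `copy` and leaves the commented-out alternative (`# copy:` through `# backup: yes`) as dead text, which then requires the separate `Update Packages` task that reports `changed` on every run. The `apt_repository` module does both in one idempotent step: `apt_repository: repo: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"`, `filename: elastic-7.x`, `update_cache: true`, and the dead comment block can go. Pinning the signing key by full fingerprint in `apt_key` is the right call and should stay as is.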
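Review bot: `when:: ansible_distribution == 'Ubuntu'` in roles/luther38.metricbeat/tasks/main.yml has a doubled colon, so YAML parses the key as `when:` rather than `when`; Ansible will most likely reject the task for an unsupported keyword, and if it did not, the include would run unconditionally on every OS. It should read `when: ansible_distribution == 'Ubuntu'`.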
@@ -0,0 +1,29 @@ + +- name: Install elastic repo + include: install-repo.yml + +- name: Install metricbeat from apt + apt: + name: metricbeat + +- name: Update config + template: + src: metricbeat.j2 + dest: /etc/metricbeat/metricbeat.yml + +- name: enable system module + shell: metricbeat modules enable system + +- name: systemd - daemon reload + systemd: + daemon_reload: yes + +- name: Enable service on system startup + systemd: + name: metricbeat + enabled: yes + +- name: systemd - restart Metricbeat + systemd: + name: metricbeat + state: restarted diff --git a/playbook/linux/elastic/metricbeat.j2 b/roles/luther38.metricbeat/templates/metricbeat.j2 similarity index 100% rename from playbook/linux/elastic/metricbeat.j2 rename to roles/luther38.metricbeat/templates/metricbeat.j2 diff --git a/roles/luther38.metricbeat/tests/inventory b/roles/luther38.metricbeat/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/luther38.metricbeat/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/luther38.metricbeat/tests/test.yml b/roles/luther38.metricbeat/tests/test.yml new file mode 100644 index 0000000..c679671 --- /dev/null +++ b/roles/luther38.metricbeat/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - luther38.metricbeat \ No newline at end of file diff --git a/roles/luther38.metricbeat/vars/main.yml b/roles/luther38.metricbeat/vars/main.yml new file mode 100644 index 0000000..46b2f8d --- /dev/null +++ b/roles/luther38.metricbeat/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for luther38.metricbeat \ No newline at end of file From 76e0466edf654ed35d220918f360fd69474762a3 Mon Sep 17 00:00:00 2001 
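Review bot: `shell: metricbeat modules enable system` on the 'enable system module' task is not idempotent — it re-runs and reports changed on every play, and `shell` is not needed since there is no pipe or redirection. Use `command: metricbeat modules enable system` with `args: creates: /etc/metricbeat/modules.d/system.yml` (the deb package keeps enabled module files under `/etc/metricbeat/modules.d/`; confirm the exact filename on a host). The 'Update config' template task also has no `notify`, so a change to the rendered `/etc/metricbeat/metricbeat.yml` does not itself drive the final restart; a handler would restart only when the file actually changes instead of on every run.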
From: James Tombleson Date: Tue, 30 Apr 2019 13:36:32 -0700 Subject: [PATCH 13/19] metricbeat for linux is working need to add windows installer. --- playbook/linux/elastic/install-metricbeat.yml | 18 ++++++++++++++++++ roles/luther38.metricbeat/defaults/main.yml | 12 +++++++++++- .../luther38.metricbeat/tasks/install-repo.yml | 5 +---- roles/luther38.metricbeat/tasks/main.yml | 3 +-- roles/luther38.metricbeat/tasks/ubuntu.yml | 8 ++++++++ 5 files changed, 39 insertions(+), 7 deletions(-) create mode 100644 playbook/linux/elastic/install-metricbeat.yml diff --git a/playbook/linux/elastic/install-metricbeat.yml b/playbook/linux/elastic/install-metricbeat.yml new file mode 100644 index 0000000..a9dd6b6 --- /dev/null +++ b/playbook/linux/elastic/install-metricbeat.yml @@ -0,0 +1,18 @@ + + +--- + +- name: Install Metricbeat + hosts: elasticClients + + tasks: + - name: Install Metricbeat + become: true + include_role: + name: luther38.metricbeat + vars: + kibana_host: 172.20.0.142 + elasticsearch_hosts: '["172.20.0.142:9200"]' + systemd_enable_service: true + systemd_restart_service: true + diff --git a/roles/luther38.metricbeat/defaults/main.yml b/roles/luther38.metricbeat/defaults/main.yml index 99e6285..5be7ce2 100644 --- a/roles/luther38.metricbeat/defaults/main.yml +++ b/roles/luther38.metricbeat/defaults/main.yml @@ -1,2 +1,12 @@ --- -# defaults file for luther38.metricbeat \ No newline at end of file +# defaults file for luther38.metricbeat + + +kibana_host: 127.0.0.1 + +# Example: '["172.0.0.1:9200"]' +elasticsearch_hosts: '["172.0.0.1:9200"]' + +systemd_enable_service: true + +systemd_restart_service: true diff --git a/roles/luther38.metricbeat/tasks/install-repo.yml b/roles/luther38.metricbeat/tasks/install-repo.yml index c4504a6..b11ff33 100644 --- a/roles/luther38.metricbeat/tasks/install-repo.yml +++ b/roles/luther38.metricbeat/tasks/install-repo.yml 
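Review bot: The playbook hunk hard-codes environment addresses (`kibana_host: 172.20.0.142`, `elasticsearch_hosts: '["172.20.0.142:9200"]'`) in a file that lives with the role rather than in inventory; moving them to a `group_vars` file for `elasticClients` keeps the playbook reusable and keeps per-environment endpoints out of the committed playbook. Both values are bare host:port with no scheme or credentials, and the defaults hunk exposes no TLS or auth variables, so if `metricbeat.j2` (not in this diff) emits them unchanged the beat ships data over plain HTTP to 9200 — worth confirming and stating in defaults/main.yml, e.g. `# Plain HTTP unless the template adds protocol/ssl settings`. `elasticsearch_hosts` is a JSON-encoded string rather than a YAML list; a real list rendered with `{{ elasticsearch_hosts | to_json }}` in the template would avoid hand-quoting.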
@@ -17,10 +17,7 @@ copy: dest: '/etc/apt/sources.list.d/elastic-7.x.list' content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main" - # copy: - #src: elastic-7.x.list - # dest: /etc/apt/sources.list.d/ - # backup: yes + - name: Update Packages become: true diff --git a/roles/luther38.metricbeat/tasks/main.yml b/roles/luther38.metricbeat/tasks/main.yml index 126a7d9..71fb7bc 100644 --- a/roles/luther38.metricbeat/tasks/main.yml +++ b/roles/luther38.metricbeat/tasks/main.yml @@ -2,6 +2,5 @@ # tasks file for luther38.metricbeat - name: Install Metricbeat on Ubuntu - become: true - when:: ansible_distribution == 'Ubuntu' + when: ansible_distribution == 'Ubuntu' include: ubuntu.yml diff --git a/roles/luther38.metricbeat/tasks/ubuntu.yml b/roles/luther38.metricbeat/tasks/ubuntu.yml index ed2e0b9..e174e10 100644 --- a/roles/luther38.metricbeat/tasks/ubuntu.yml +++ b/roles/luther38.metricbeat/tasks/ubuntu.yml @@ -3,27 +3,35 @@ include: install-repo.yml - name: Install metricbeat from apt + become: true apt: name: metricbeat - name: Update config + become: true template: src: metricbeat.j2 dest: /etc/metricbeat/metricbeat.yml - name: enable system module + become: true shell: metricbeat modules enable system - name: systemd - daemon reload + become: true systemd: daemon_reload: yes - name: Enable service on system startup + when: systemd_enable_service == true + become: true systemd: name: metricbeat enabled: yes - name: systemd - restart Metricbeat + when: systemd_restart_service == true + become: true systemd: name: metricbeat state: restarted From fde241d31b720321c9431728f145c8fd558f7970 Mon Sep 17 00:00:00 2001 
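Review bot: `when: systemd_enable_service == true` and `when: systemd_restart_service == true` in the ubuntu.yml hunk compare against a boolean literal, so a value supplied as the string `"true"` (from `-e` or an INI inventory) never matches and the service is silently left disabled or not restarted. Use `when: systemd_enable_service | bool` and `when: systemd_restart_service | bool`, which is also the form ansible-lint expects. `enabled: yes` and `daemon_reload: yes` would read more consistently as `true`, matching the `become: true` lines added in the same hunk.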
From: James Tombleson Date: Tue, 30 Apr 2019 21:43:04 -0700 Subject: [PATCH 14/19] Added Windows support for metricbeat --- playbook/linux/elastic/install-metricbeat.yml | 2 -- roles/luther38.metricbeat/defaults/main.yml | 8 ++++- roles/luther38.metricbeat/tasks/main.yml | 4 +++ roles/luther38.metricbeat/tasks/windows.yml | 32 +++++++++++++++++++ 4 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 roles/luther38.metricbeat/tasks/windows.yml diff --git a/playbook/linux/elastic/install-metricbeat.yml b/playbook/linux/elastic/install-metricbeat.yml index a9dd6b6..8643cd0 100644 --- a/playbook/linux/elastic/install-metricbeat.yml +++ b/playbook/linux/elastic/install-metricbeat.yml @@ -1,5 +1,3 @@ - - --- - name: Install Metricbeat diff --git a/roles/luther38.metricbeat/defaults/main.yml b/roles/luther38.metricbeat/defaults/main.yml index 5be7ce2..5a87f4e 100644 --- a/roles/luther38.metricbeat/defaults/main.yml +++ b/roles/luther38.metricbeat/defaults/main.yml @@ -1,12 +1,18 @@ --- # defaults file for luther38.metricbeat - +# Defines the kibana host we will send data to kibana_host: 127.0.0.1 # Example: '["172.0.0.1:9200"]' elasticsearch_hosts: '["172.0.0.1:9200"]' +# tells ansible to enable the service on startup systemd_enable_service: true +# Tells ansible to restart the service after everything has been done systemd_restart_service: true + +# Defines the version of metricbeat to install. +# Currently used for Windows +version: 7.0.0 diff --git a/roles/luther38.metricbeat/tasks/main.yml b/roles/luther38.metricbeat/tasks/main.yml index 71fb7bc..ff1f622 100644 --- a/roles/luther38.metricbeat/tasks/main.yml +++ b/roles/luther38.metricbeat/tasks/main.yml @@ -4,3 +4,7 @@ - name: Install Metricbeat on Ubuntu when: ansible_distribution == 'Ubuntu' include: ubuntu.yml + +- name: Install Metricbeat on Windows + when: ansible_distribution == 'Windows' + include: windows.yml 
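Review bot: The new default `version: 7.0.0` in defaults/main.yml is documented as 'Currently used for Windows', which leaves the Ubuntu path (`apt: name: metricbeat` in ubuntu.yml, outside this hunk) installing whatever the repository currently serves, so Windows and Linux hosts can drift apart and a Linux run is not reproducible. Pinning the package to the same variable, `name: "metricbeat={{ version }}"`, keeps both platforms on one declared version. Quote the default as `version: "7.0.0"` so a shortened override such as `7.0` cannot be parsed as a float.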
diff --git a/roles/luther38.metricbeat/tasks/windows.yml b/roles/luther38.metricbeat/tasks/windows.yml new file mode 100644 index 0000000..715e5b3 --- /dev/null +++ b/roles/luther38.metricbeat/tasks/windows.yml @@ -0,0 +1,32 @@ + +# This will install metricbeat on a windows host. +--- +- name: make temp folder + win_file: + path: c:\tmp\ + state: directory + +- name: download metricbeat + win_get_url: + url: '{{ url_metricbeat }}' + dest: 'C:\temp\metricbeat-{{ version }}.zip' + force: no + +- name: unzip metricbeat + win_unzip: + src: c:\temp\metricbeat-{{ version }}.zip + dest: C:\temp\metricbeat-{{ version }}\ + creates: C:\temp\metricbeat-{{ version }}\ + +- name: Copy metricbeat-{{ version }} folder + win_command: powershell.exe copy-item -Path 'c:\temp\metricbeat-{{ version }}\heartbeat-{{ version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Metricbeat\' + args: + creates: C:\Program Files\Metricbeat\ + +- name: Update template + win_template: + src: metricbeat.j2 + dest: C:\Program Files\Metricbeat\metricbeat.yml + +- name: Install Metricbeat service + win_command: powershell.exe -ExecutionPolicy ByPass -File 'C:\Program Files\Metricbeat\install-service-metricbeat.ps1' From 10c1d50483937ef05a816f96754878bd16c0c521 Mon Sep 17 00:00:00 2001 
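Review bot: The 'download metricbeat' task fetches a zip, the next tasks unpack and copy it, and the last task runs the bundled `install-service-metricbeat.ps1` with `-ExecutionPolicy ByPass`, yet nothing verifies the archive's integrity between download and execution; the URL also comes from `url_metricbeat`, for which this commit adds no default. If the controller runs Ansible 2.8 or newer, `win_get_url` accepts `checksum: '<DIGEST-FROM-ELASTIC-SHA512-FILE>'` with `checksum_algorithm: sha512`, pinning the artifact to the digest Elastic publishes beside each release; on older versions a `win_stat` with `get_checksum` followed by an `assert` before the unzip gives the same guarantee. The revised windows.yml hunk in the next commit and the winlogbeat windows.yml hunk in the commit after it share this gap. `force: no` would read more consistently as `false`.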
From: James Tombleson Date: Wed, 1 May 2019 14:20:01 -0700 Subject: [PATCH 15/19] winlogbeat is working From what I can see dev is now talking to my new server. --- playbook/linux/elastic/install-winlogbeat.yml | 16 +++++ roles/luther38.logstash/README.md | 38 ++++++++++++ roles/luther38.logstash/defaults/main.yml | 2 + roles/luther38.logstash/handlers/main.yml | 2 + roles/luther38.logstash/meta/main.yml | 60 ++++++++++++++++++ roles/luther38.logstash/tasks/main.yml | 2 + roles/luther38.logstash/tests/inventory | 2 + roles/luther38.logstash/tests/test.yml | 5 ++ roles/luther38.logstash/vars/main.yml | 2 + roles/luther38.metricbeat/tasks/main.yml | 2 +- roles/luther38.metricbeat/tasks/windows.yml | 50 ++++++++++++--- roles/luther38.winlogbeat/README.md | 38 ++++++++++++ roles/luther38.winlogbeat/defaults/main.yml | 2 + roles/luther38.winlogbeat/handlers/main.yml | 2 + roles/luther38.winlogbeat/meta/main.yml | 60 ++++++++++++++++++ roles/luther38.winlogbeat/tasks/main.yml | 6 ++ roles/luther38.winlogbeat/tasks/windows.yml | 62 +++++++++++++++++++ .../templates}/winlogbeat.j2 | 0 roles/luther38.winlogbeat/tests/inventory | 2 + roles/luther38.winlogbeat/tests/test.yml | 5 ++ roles/luther38.winlogbeat/vars/main.yml | 2 + roles/win_localdircopy/README.md | 38 ++++++++++++ roles/win_localdircopy/defaults/main.yml | 2 + roles/win_localdircopy/handlers/main.yml | 2 + roles/win_localdircopy/meta/main.yml | 60 ++++++++++++++++++ roles/win_localdircopy/tasks/main.yml | 2 + roles/win_localdircopy/tests/inventory | 2 + roles/win_localdircopy/tests/test.yml | 5 ++ roles/win_localdircopy/vars/main.yml | 2 + 29 files changed, 462 insertions(+), 11 deletions(-) create mode 100644 playbook/linux/elastic/install-winlogbeat.yml create mode 100644 roles/luther38.logstash/README.md create mode 100644 roles/luther38.logstash/defaults/main.yml create mode 100644 roles/luther38.logstash/handlers/main.yml create mode 100644 roles/luther38.logstash/meta/main.yml create mode 100644 
roles/luther38.logstash/tasks/main.yml create mode 100644 roles/luther38.logstash/tests/inventory create mode 100644 roles/luther38.logstash/tests/test.yml create mode 100644 roles/luther38.logstash/vars/main.yml create mode 100644 roles/luther38.winlogbeat/README.md create mode 100644 roles/luther38.winlogbeat/defaults/main.yml create mode 100644 roles/luther38.winlogbeat/handlers/main.yml create mode 100644 roles/luther38.winlogbeat/meta/main.yml create mode 100644 roles/luther38.winlogbeat/tasks/main.yml create mode 100644 roles/luther38.winlogbeat/tasks/windows.yml rename {playbook/linux/elastic => roles/luther38.winlogbeat/templates}/winlogbeat.j2 (100%) create mode 100644 roles/luther38.winlogbeat/tests/inventory create mode 100644 roles/luther38.winlogbeat/tests/test.yml create mode 100644 roles/luther38.winlogbeat/vars/main.yml create mode 100644 roles/win_localdircopy/README.md create mode 100644 roles/win_localdircopy/defaults/main.yml create mode 100644 roles/win_localdircopy/handlers/main.yml create mode 100644 roles/win_localdircopy/meta/main.yml create mode 100644 roles/win_localdircopy/tasks/main.yml create mode 100644 roles/win_localdircopy/tests/inventory create mode 100644 roles/win_localdircopy/tests/test.yml create mode 100644 roles/win_localdircopy/vars/main.yml diff --git a/playbook/linux/elastic/install-winlogbeat.yml b/playbook/linux/elastic/install-winlogbeat.yml new file mode 100644 index 0000000..ead71a4 --- /dev/null +++ b/playbook/linux/elastic/install-winlogbeat.yml @@ -0,0 +1,16 @@ +--- + +- name: Install WinLogBeat + hosts: elasticClients + + tasks: + - name: Install WinLogBeat + become: true + include_role: + name: luther38.winlogbeat + vars: + version: 7.0.0 + kibana_host: 172.20.0.142 + elasticsearch_hosts: '["172.20.0.142:9200"]' + + diff --git a/roles/luther38.logstash/README.md b/roles/luther38.logstash/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/luther38.logstash/README.md 
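Review bot: The 'Install WinLogBeat' task sets `become: true` on `include_role`, and the included role consists of `win_*` tasks for Windows hosts; become with the default `sudo` method is not supported on Windows and fails unless `ansible_become_method: runas` (plus a become user and password) is configured, so on the intended targets this line most likely breaks the play rather than helping it. Drop `become: true` here, or set the become method explicitly in the `elasticClients` group vars if elevation is genuinely needed. The metricbeat playbook from the earlier commit has the same `become: true` on its `include_role` and now also carries a Windows branch, so it is affected too. The hard-coded `172.20.0.142` endpoints are duplicated from that playbook as well and belong in inventory group vars.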
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/luther38.logstash/defaults/main.yml b/roles/luther38.logstash/defaults/main.yml new file mode 100644 index 0000000..503a7ab --- /dev/null +++ b/roles/luther38.logstash/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for luther38.logstash \ No newline at end of file diff --git a/roles/luther38.logstash/handlers/main.yml b/roles/luther38.logstash/handlers/main.yml new file mode 100644 index 0000000..f6a1d47 --- /dev/null +++ b/roles/luther38.logstash/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for luther38.logstash \ No newline at end of file 
diff --git a/roles/luther38.logstash/meta/main.yml b/roles/luther38.logstash/meta/main.yml new file mode 100644 index 0000000..5d50bf4 --- /dev/null +++ b/roles/luther38.logstash/meta/main.yml 
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/luther38.logstash/tasks/main.yml b/roles/luther38.logstash/tasks/main.yml new file mode 100644 index 0000000..9277f44 --- /dev/null +++ b/roles/luther38.logstash/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for luther38.logstash \ No newline at end of file diff --git a/roles/luther38.logstash/tests/inventory b/roles/luther38.logstash/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/luther38.logstash/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/luther38.logstash/tests/test.yml b/roles/luther38.logstash/tests/test.yml new file mode 100644 index 0000000..f869efb --- /dev/null +++ b/roles/luther38.logstash/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - luther38.logstash \ No newline at end of file diff --git a/roles/luther38.logstash/vars/main.yml b/roles/luther38.logstash/vars/main.yml new file mode 100644 index 0000000..29d57d6 --- /dev/null +++ b/roles/luther38.logstash/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for luther38.logstash \ No newline at end of file diff --git a/roles/luther38.metricbeat/tasks/main.yml b/roles/luther38.metricbeat/tasks/main.yml index ff1f622..624d141 100644 --- a/roles/luther38.metricbeat/tasks/main.yml +++ b/roles/luther38.metricbeat/tasks/main.yml @@ -6,5 +6,5 @@ include: ubuntu.yml - name: Install Metricbeat on Windows - when: ansible_distribution == 'Windows' + when: ansible_os_family == 'Windows' include: windows.yml diff --git a/roles/luther38.metricbeat/tasks/windows.yml b/roles/luther38.metricbeat/tasks/windows.yml index 715e5b3..ede903b 100644 --- a/roles/luther38.metricbeat/tasks/windows.yml +++ b/roles/luther38.metricbeat/tasks/windows.yml 
@@ -1,32 +1,62 @@ - +#https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.0.0-windows-x86_64.zip # This will install metricbeat on a windows host. --- -- name: make temp folder +- name: make tmp folder win_file: path: c:\tmp\ state: directory - name: download metricbeat win_get_url: - url: '{{ url_metricbeat }}' - dest: 'C:\temp\metricbeat-{{ version }}.zip' + url: 'https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-{{ version }}-windows-x86_64.zip' + dest: 'C:\tmp\metricbeat-{{ version }}.zip' force: no - name: unzip metricbeat win_unzip: - src: c:\temp\metricbeat-{{ version }}.zip - dest: C:\temp\metricbeat-{{ version }}\ - creates: C:\temp\metricbeat-{{ version }}\ + src: c:\tmp\metricbeat-{{ version }}.zip + dest: C:\tmp\metricbeat-{{ version }}\ + creates: C:\tmp\metricbeat-{{ version }}\ - name: Copy metricbeat-{{ version }} folder - win_command: powershell.exe copy-item -Path 'c:\temp\metricbeat-{{ version }}\heartbeat-{{ version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Metricbeat\' + win_command: powershell.exe copy-item -Path 'c:\tmp\metricbeat-{{ version }}\metricbeat-{{ version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Metricbeat\' args: creates: C:\Program Files\Metricbeat\ -- name: Update template +- name: Update tmplate win_template: src: metricbeat.j2 dest: C:\Program Files\Metricbeat\metricbeat.yml +- name: Check if metricbeat service is installed + register: service + win_service: + name: metricbeat + +#- debug: var=service + - name: Install Metricbeat service - win_command: powershell.exe -ExecutionPolicy ByPass -File 'C:\Program Files\Metricbeat\install-service-metricbeat.ps1' + when: service.exists == false + win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-metricbeat.ps1 + args: + chdir: C:\program files\metricbeat\ + +- name: check status of metricbeat service + register: service + win_service: + name: metricbeat + +#- debug: 
var=service + +- name: restart service + when: service.state == 'running' + win_service: + name: metricbeat + state: restarted + +- name: start service + when: service.state == 'stopped' + win_service: + name: metricbeat + state: started + diff --git a/roles/luther38.winlogbeat/README.md b/roles/luther38.winlogbeat/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/luther38.winlogbeat/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/luther38.winlogbeat/defaults/main.yml b/roles/luther38.winlogbeat/defaults/main.yml new file mode 100644 index 0000000..dabf483 --- /dev/null 
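Review bot: `when: service.exists == false` on the 'Install Metricbeat service' task and the `service.state == 'running'` / `service.state == 'stopped'` pair compare registered values against literals; `when: not service.exists` is the idiomatic form, and a service in any other state (for example start-pending or paused) matches neither branch and is left untouched. Since `win_service` with `state: restarted` starts a stopped service as well as bouncing a running one, the two state tasks can likely collapse into a single `win_service` call with `name: metricbeat` and `state: restarted`, keeping the `service.state` check only if a conditional restart is wanted — confirm against the module docs for the Ansible version in use. The task name `Update tmplate` should read `Update template`. The winlogbeat windows.yml hunk in the next commit repeats the same patterns.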
+++ b/roles/luther38.winlogbeat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for luther38.winlogbeat \ No newline at end of file diff --git a/roles/luther38.winlogbeat/handlers/main.yml b/roles/luther38.winlogbeat/handlers/main.yml new file mode 100644 index 0000000..1359119 --- /dev/null +++ b/roles/luther38.winlogbeat/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for luther38.winlogbeat \ No newline at end of file diff --git a/roles/luther38.winlogbeat/meta/main.yml b/roles/luther38.winlogbeat/meta/main.yml new file mode 100644 index 0000000..5d50bf4 --- /dev/null +++ b/roles/luther38.winlogbeat/meta/main.yml 
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/luther38.winlogbeat/tasks/main.yml b/roles/luther38.winlogbeat/tasks/main.yml new file mode 100644 index 0000000..098aa89 --- /dev/null +++ b/roles/luther38.winlogbeat/tasks/main.yml @@ -0,0 +1,6 @@ +--- +# tasks file for luther38.winlogbeat + +- name: Install Metricbeat on Windows + when: ansible_os_family == 'Windows' + include: windows.yml diff --git a/roles/luther38.winlogbeat/tasks/windows.yml b/roles/luther38.winlogbeat/tasks/windows.yml new file mode 100644 index 0000000..e7ff0dd --- /dev/null +++ b/roles/luther38.winlogbeat/tasks/windows.yml 
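Review bot: The only task in the new winlogbeat tasks/main.yml is named `Install Metricbeat on Windows`, carried over from the metricbeat role, which mislabels this role's output in play logs; rename it `- name: Install Winlogbeat on Windows`. The `when: ansible_os_family == 'Windows'` guard is correct and matches the fix applied to the metricbeat role in this same commit.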
@@ -0,0 +1,62 @@ +#https://artifacts.elastic.co/downloads/beats/winlogbeat/metricbeat-7.0.0-windows-x86_64.zip +# This will install winlogbeat on a windows host. +--- +- name: make tmp folder + win_file: + path: c:\tmp\ + state: directory + +- name: download winlogbeat + win_get_url: + url: 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-{{ version }}-windows-x86_64.zip' + dest: 'C:\tmp\winlogbeat-{{ version }}.zip' + force: no + +- name: unzip winlogbeat + win_unzip: + src: c:\tmp\winlogbeat-{{ version }}.zip + dest: C:\tmp\winlogbeat-{{ version }}\ + creates: C:\tmp\winlogbeat-{{ version }}\ + +- name: Copy winlogbeat-{{ version }} folder + win_command: powershell.exe copy-item -Path 'c:\tmp\winlogbeat-{{ version }}\winlogbeat-{{ version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Winlogbeat\' + args: + creates: C:\Program Files\Winlogbeat\ + +- name: Update tmplate + win_template: + src: winlogbeat.j2 + dest: C:\Program Files\Winlogbeat\winlogbeat.yml + +- name: Check if winlogbeat service is installed + register: service + win_service: + name: winlogbeat + +#- debug: var=service + +- name: Install service + when: service.exists == false + win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-winlogbeat.ps1 + args: + chdir: C:\program files\winlogbeat\ + +- name: check status service + register: service + win_service: + name: winlogbeat + +#- debug: var=service + +- name: restart service + when: service.state == 'running' + win_service: + name: winlogbeat + state: restarted + +- name: start service + when: service.state == 'stopped' + win_service: + name: winlogbeat + state: started + diff --git a/playbook/linux/elastic/winlogbeat.j2 b/roles/luther38.winlogbeat/templates/winlogbeat.j2 similarity index 100% rename from playbook/linux/elastic/winlogbeat.j2 rename to roles/luther38.winlogbeat/templates/winlogbeat.j2 
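Review bot: The first line of the new winlogbeat windows.yml, `#https://artifacts.elastic.co/downloads/beats/winlogbeat/metricbeat-7.0.0-windows-x86_64.zip`, mixes the winlogbeat path with a metricbeat filename; the download task below fetches `winlogbeat-{{ version }}-windows-x86_64.zip`, so the comment should read `# https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.0.0-windows-x86_64.zip` (or simply describe the URL pattern the task builds from `version`). The missing download checksum and the `service.exists == false` / state-literal comparisons raised on the metricbeat windows.yml hunks apply here unchanged.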
diff --git a/roles/luther38.winlogbeat/tests/inventory b/roles/luther38.winlogbeat/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/luther38.winlogbeat/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/luther38.winlogbeat/tests/test.yml b/roles/luther38.winlogbeat/tests/test.yml new file mode 100644 index 0000000..e52b43a --- /dev/null +++ b/roles/luther38.winlogbeat/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - luther38.winlogbeat \ No newline at end of file diff --git a/roles/luther38.winlogbeat/vars/main.yml b/roles/luther38.winlogbeat/vars/main.yml new file mode 100644 index 0000000..8b53290 --- /dev/null +++ b/roles/luther38.winlogbeat/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for luther38.winlogbeat \ No newline at end of file diff --git a/roles/win_localdircopy/README.md b/roles/win_localdircopy/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/win_localdircopy/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/win_localdircopy/defaults/main.yml b/roles/win_localdircopy/defaults/main.yml new file mode 100644 index 0000000..001f5ab --- /dev/null +++ b/roles/win_localdircopy/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for win_localdircopy \ No newline at end of file diff --git a/roles/win_localdircopy/handlers/main.yml b/roles/win_localdircopy/handlers/main.yml new file mode 100644 index 0000000..480b525 --- /dev/null +++ b/roles/win_localdircopy/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for win_localdircopy \ No newline at end of file 
diff --git a/roles/win_localdircopy/meta/main.yml b/roles/win_localdircopy/meta/main.yml new file mode 100644 index 0000000..5d50bf4 --- /dev/null +++ b/roles/win_localdircopy/meta/main.yml 
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/win_localdircopy/tasks/main.yml b/roles/win_localdircopy/tasks/main.yml
new file mode 100644
index 0000000..4d66bd7
--- /dev/null
+++ b/roles/win_localdircopy/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# tasks file for win_localdircopy
\ No newline at end of file
diff --git a/roles/win_localdircopy/tests/inventory b/roles/win_localdircopy/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/win_localdircopy/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/roles/win_localdircopy/tests/test.yml b/roles/win_localdircopy/tests/test.yml
new file mode 100644
index 0000000..73c7e0c
--- /dev/null
+++ b/roles/win_localdircopy/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - win_localdircopy
\ No newline at end of file
diff --git a/roles/win_localdircopy/vars/main.yml b/roles/win_localdircopy/vars/main.yml
new file mode 100644
index 0000000..882aea6
--- /dev/null
+++ b/roles/win_localdircopy/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for win_localdircopy
\ No newline at end of file
From d2d1e2734f64af6751ac8e85e8f81ae040131db3 Mon Sep 17 00:00:00 2001
From: James Tombleson
Date: Wed, 1 May 2019 15:21:32 -0700
Subject: [PATCH 16/19] Adding fileeat role
Unsure about logstash currently. That one is on hold for now.
---
roles/luther38.filebeat/README.md | 38 +++
roles/luther38.filebeat/defaults/main.yml | 2 +
roles/luther38.filebeat/handlers/main.yml | 2 +
roles/luther38.filebeat/meta/main.yml | 60 +++++
.../luther38.filebeat/tasks/install-repo.yml | 29 ++
roles/luther38.filebeat/tasks/main.yml | 7 +
roles/luther38.filebeat/tasks/ubuntu.yml | 44 ++++
roles/luther38.filebeat/tasks/windows.yml | 62 +++++
roles/luther38.filebeat/tests/inventory | 2 +
roles/luther38.filebeat/tests/test.yml | 5 +
roles/luther38.filebeat/vars/main.yml | 2 +
roles/luther38.logstash/defaults/main.yml | 5 +-
.../luther38.logstash/tasks/install-repo.yml | 29 ++
roles/luther38.logstash/tasks/main.yml | 6 +-
roles/luther38.logstash/tasks/ubuntu.yml | 44 ++++
roles/luther38.logstash/templates/logstash.j2 | 247 ++++++++++++++++++
16 files changed, 582 insertions(+), 2 deletions(-)
create mode 100644 roles/luther38.filebeat/README.md
create mode 100644 roles/luther38.filebeat/defaults/main.yml
create mode 100644 roles/luther38.filebeat/handlers/main.yml
create mode 100644 roles/luther38.filebeat/meta/main.yml
create mode 100644 roles/luther38.filebeat/tasks/install-repo.yml
create mode 100644 roles/luther38.filebeat/tasks/main.yml
create mode 100644 roles/luther38.filebeat/tasks/ubuntu.yml
create mode 100644 roles/luther38.filebeat/tasks/windows.yml
create mode 100644 roles/luther38.filebeat/tests/inventory
create mode 100644 roles/luther38.filebeat/tests/test.yml
create mode 100644 roles/luther38.filebeat/vars/main.yml
create mode 100644 roles/luther38.logstash/tasks/install-repo.yml
create mode 100644 roles/luther38.logstash/tasks/ubuntu.yml
create mode 100644 roles/luther38.logstash/templates/logstash.j2
diff --git a/roles/luther38.filebeat/README.md b/roles/luther38.filebeat/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/roles/luther38.filebeat/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/luther38.filebeat/defaults/main.yml b/roles/luther38.filebeat/defaults/main.yml new file mode 100644 index 0000000..ffc8407 --- /dev/null +++ b/roles/luther38.filebeat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for luther38.filebeat \ No newline at end of file diff --git a/roles/luther38.filebeat/handlers/main.yml b/roles/luther38.filebeat/handlers/main.yml new file mode 100644 index 0000000..ef1f8dc --- /dev/null +++ b/roles/luther38.filebeat/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for luther38.filebeat \ No newline at end of file 
diff --git a/roles/luther38.filebeat/meta/main.yml b/roles/luther38.filebeat/meta/main.yml
new file mode 100644
index 0000000..5d50bf4
--- /dev/null
+++ b/roles/luther38.filebeat/meta/main.yml
@@ -0,0 +1,60 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 2.4 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file 
diff --git a/roles/luther38.filebeat/tasks/install-repo.yml b/roles/luther38.filebeat/tasks/install-repo.yml
new file mode 100644
index 0000000..c4504a6
--- /dev/null
+++ b/roles/luther38.filebeat/tasks/install-repo.yml
@@ -0,0 +1,29 @@
+---
+
+- name: Install Elastic GPG Key
+ become: true
+ apt_key:
+ url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+ state: present
+ id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
+
+- name: Install apt-transport-https
+ become: true
+ apt:
+ name: apt-transport-https
+
+- name: Add Elastic Repo
+ become: true
+ copy:
+ dest: '/etc/apt/sources.list.d/elastic-7.x.list'
+ content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
+ # copy:
+ #src: elastic-7.x.list
+ # dest: /etc/apt/sources.list.d/
+ # backup: yes
+
+- name: Update Packages
+ become: true
+ apt:
+ update_cache: true
+
diff --git a/roles/luther38.filebeat/tasks/main.yml b/roles/luther38.filebeat/tasks/main.yml
new file mode 100644
index 0000000..cd70948
--- /dev/null
+++ b/roles/luther38.filebeat/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+# tasks file for luther38.filebeat
+
+
+- name: Install Filebeat on Ubuntu
+ when: ansible_distribution == 'Ubuntu'
+ include: ubuntu.yml
diff --git a/roles/luther38.filebeat/tasks/ubuntu.yml b/roles/luther38.filebeat/tasks/ubuntu.yml
new file mode 100644
index 0000000..6026c10
--- /dev/null
+++ b/roles/luther38.filebeat/tasks/ubuntu.yml
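Review bot: The four commented-out `copy:` lines under the Add Elastic Repo task are dead configuration in a brand-new file and should be dropped rather than committed; the identical dead block is in the roles/luther38.logstash/tasks/install-repo.yml hunk of this commit. The two files are byte-for-byte copies (both index lines point at blob c4504a6), so a change to the key fingerprint or the repository channel has to be made in two places and will drift; a shared repo-setup task file or role included by both would remove that. The `id:` on apt_key, which pins the expected fingerprint of the downloaded key, is the check worth keeping when consolidating.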
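Review bot: `include: ubuntu.yml` is the task-include form deprecated since Ansible 2.4, which is also the `min_ansible_version` this role's meta declares; `include_tasks: ubuntu.yml` (dynamic) or `import_tasks: ubuntu.yml` (static) is the replacement. The role also ships tasks/windows.yml, but nothing in this file dispatches to it, so a Windows host silently gets no tasks; if that file is meant to be reachable, a guarded entry such as `- name: Install Filebeat on Windows`, `when: ansible_os_family == 'Windows'`, `include_tasks: windows.yml` is needed. The same deprecated `include:` appears in the roles/luther38.logstash/tasks/main.yml hunk.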
@@ -0,0 +1,44 @@
+
+- name: Add Elastic repo
+ include: install-repo.yml
+
+- name: Install ElasticSearch from apt
+ become: true
+ apt:
+ name: elasticsearch
+
+- name: Update config
+ become: true
+ template:
+ src: elasticsearch.j2
+ dest: /etc/elasticsearch/elasticsearch.yml
+ backup: yes
+
+- name: UFW allow http_port
+ become: true
+ when: ufw_http_port == true
+ ufw:
+ rule: allow
+ port: "{{ http_port }}"
+
+- name: UFW allow transport_port
+ become: true
+ when: ufw_transport_port == true
+ ufw:
+ rule: allow
+ port: "{{ transport_port }}"
+
+- name: systemd enable elasticsearch
+ become: true
+ when: systemd_enabled == true
+ systemd:
+ name: elasticsearch
+ enabled: true
+
+- name: systemd restart elasticsearch
+ become: true
+ when: systemd_restart == true
+ systemd:
+ name: elasticsearch
+ state: restarted
diff --git a/roles/luther38.filebeat/tasks/windows.yml b/roles/luther38.filebeat/tasks/windows.yml
new file mode 100644
index 0000000..e7ff0dd
--- /dev/null
+++ b/roles/luther38.filebeat/tasks/windows.yml
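Review bot: Every `when:` in this file tests a variable (`ufw_http_port`, `ufw_transport_port`, `systemd_enabled`, `systemd_restart`) that has no default in this role — its defaults/main.yml in this commit is a lone comment — so a play that does not set them fails on an undefined variable instead of skipping the task, and `http_port`/`transport_port` in the ufw `port:` values have the same problem. Either add the defaults or make the guards defensive, e.g. `when: systemd_enabled | default(false) | bool`. The file also installs the `elasticsearch` package and renders `elasticsearch.j2`, which this role does not ship (no templates/ path in the diffstat), so the Update config task cannot succeed as committed.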
@@ -0,0 +1,62 @@
+#https://artifacts.elastic.co/downloads/beats/winlogbeat/metricbeat-7.0.0-windows-x86_64.zip
+# This will install winlogbeat on a windows host.
+---
+- name: make tmp folder
+ win_file:
+ path: c:\tmp\
+ state: directory
+
+- name: download winlogbeat
+ win_get_url:
+ url: 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-{{ version }}-windows-x86_64.zip'
+ dest: 'C:\tmp\winlogbeat-{{ version }}.zip'
+ force: no
+
+- name: unzip winlogbeat
+ win_unzip:
+ src: c:\tmp\winlogbeat-{{ version }}.zip
+ dest: C:\tmp\winlogbeat-{{ version }}\
+ creates: C:\tmp\winlogbeat-{{ version }}\
+
+- name: Copy winlogbeat-{{ version }} folder
+ win_command: powershell.exe copy-item -Path 'c:\tmp\winlogbeat-{{ version }}\winlogbeat-{{ version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\Winlogbeat\'
+ args:
+ creates: C:\Program Files\Winlogbeat\
+
+- name: Update tmplate
+ win_template:
+ src: winlogbeat.j2
+ dest: C:\Program Files\Winlogbeat\winlogbeat.yml
+
+- name: Check if winlogbeat service is installed
+ register: service
+ win_service:
+ name: winlogbeat
+
+#- debug: var=service
+
+- name: Install service
+ when: service.exists == false
+ win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-winlogbeat.ps1
+ args:
+ chdir: C:\program files\winlogbeat\
+
+- name: check status service
+ register: service
+ win_service:
+ name: winlogbeat
+
+#- debug: var=service
+
+- name: restart service
+ when: service.state == 'running'
+ win_service:
+ name: winlogbeat
+ state: restarted
+
+- name: start service
+ when: service.state == 'stopped'
+ win_service:
+ name: winlogbeat
+ state: started
+
diff --git a/roles/luther38.filebeat/tests/inventory b/roles/luther38.filebeat/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/luther38.filebeat/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
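Review bot: The archive fetched by win_get_url is never integrity-checked: `force: no` reuses whatever already sits at `C:\tmp\winlogbeat-{{ version }}.zip`, and the unzip, copy-item and service-install steps then run from that content unverified. Elastic publishes a `.sha512` beside each artifact; on Ansible releases whose win_get_url supports it, pass the expected digest through `checksum:` with `checksum_algorithm: sha512` (a per-version value such as `winlogbeat_sha512: '<PLACEHOLDER_SHA512>'` in defaults) so a truncated or substituted download fails the task instead of being installed. Separately, this file installs winlogbeat rather than filebeat, as its own header comment says, and its first line is a metricbeat URL; if it was carried over from another role it should be adapted or removed from luther38.filebeat.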
diff --git a/roles/luther38.filebeat/tests/test.yml b/roles/luther38.filebeat/tests/test.yml
new file mode 100644
index 0000000..b3d142f
--- /dev/null
+++ b/roles/luther38.filebeat/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - luther38.filebeat
\ No newline at end of file
diff --git a/roles/luther38.filebeat/vars/main.yml b/roles/luther38.filebeat/vars/main.yml
new file mode 100644
index 0000000..20faa9c
--- /dev/null
+++ b/roles/luther38.filebeat/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for luther38.filebeat
\ No newline at end of file
diff --git a/roles/luther38.logstash/defaults/main.yml b/roles/luther38.logstash/defaults/main.yml
index 503a7ab..4479481 100644
--- a/roles/luther38.logstash/defaults/main.yml
+++ b/roles/luther38.logstash/defaults/main.yml
@@ -1,2 +1,5 @@
---
-# defaults file for luther38.logstash
\ No newline at end of file
+# defaults file for luther38.logstash
+
+
+http_host: '127.0.0.1'
diff --git a/roles/luther38.logstash/tasks/install-repo.yml b/roles/luther38.logstash/tasks/install-repo.yml
new file mode 100644
index 0000000..c4504a6
--- /dev/null
+++ b/roles/luther38.logstash/tasks/install-repo.yml
@@ -0,0 +1,29 @@
+---
+
+- name: Install Elastic GPG Key
+ become: true
+ apt_key:
+ url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+ state: present
+ id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
+
+- name: Install apt-transport-https
+ become: true
+ apt:
+ name: apt-transport-https
+
+- name: Add Elastic Repo
+ become: true
+ copy:
+ dest: '/etc/apt/sources.list.d/elastic-7.x.list'
+ content: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
+ # copy:
+ #src: elastic-7.x.list
+ # dest: /etc/apt/sources.list.d/
+ # backup: yes
+
+- name: Update Packages
+ become: true
+ apt:
+ update_cache: true
+
diff --git a/roles/luther38.logstash/tasks/main.yml b/roles/luther38.logstash/tasks/main.yml
index 9277f44..6d8e5ab 100644
--- a/roles/luther38.logstash/tasks/main.yml
+++ b/roles/luther38.logstash/tasks/main.yml
@@ -1,2 +1,6 @@
---
-# tasks file for luther38.logstash
\ No newline at end of file
+# tasks file for luther38.logstash
+
+- name: Install Logstash on Ubuntu
+ when: ansible_distribution == 'Ubuntu'
+ include: ubuntu.yml
diff --git a/roles/luther38.logstash/tasks/ubuntu.yml b/roles/luther38.logstash/tasks/ubuntu.yml
new file mode 100644
index 0000000..08cd5dd
--- /dev/null
+++ b/roles/luther38.logstash/tasks/ubuntu.yml
@@ -0,0 +1,44 @@
+
+- name: Add Elastic repo
+ include: install-repo.yml
+
+- name: Install logstash from apt
+ become: true
+ apt:
+ name: logstash
+
+- name: Update config
+ become: true
+ template:
+ src: logstash.j2
+ dest: /tmp/logstash/logstash.yml
+ backup: yes
+
+- name: UFW allow http_port
+ become: true
+ when: ufw_http_port == true
+ ufw:
+ rule: allow
+ port: "{{ http_port }}"
+
+- name: UFW allow transport_port
+ become: true
+ when: ufw_transport_port == true
+ ufw:
+ rule: allow
+ port: "{{ transport_port }}"
+
+- name: systemd enable elasticsearch
+ become: true
+ when: systemd_enabled == true
+ systemd:
+ name: elasticsearch
+ enabled: true
+
+- name: systemd restart elasticsearch
+ become: true
+ when: systemd_restart == true
+ systemd:
+ name: elasticsearch
+ state: restarted
diff --git a/roles/luther38.logstash/templates/logstash.j2 b/roles/luther38.logstash/templates/logstash.j2
new file mode 100644
index 0000000..d9ffcf2
--- /dev/null
+++ b/roles/luther38.logstash/templates/logstash.j2
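Review bot: The Update config task renders logstash.j2 to `/tmp/logstash/logstash.yml`, a path Logstash does not read and a world-writable location where any local user could swap the rendered file before it is ever used; the service config belongs at `/etc/logstash/logstash.yml`, and template does not create a missing `/tmp/logstash/` parent directory either, so the task fails as written. The two systemd tasks enable and restart `elasticsearch` although this role installs the `logstash` package, so both need `name: logstash`. The commit message says this role is on hold, but as committed the play can neither configure nor start Logstash, and the ufw/systemd `when:` guards use variables this role's defaults do not define.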
@@ -0,0 +1,247 @@ +# Settings file in YAML +# +# Settings can be specified either in hierarchical form, e.g.: +# +# pipeline: +# batch: +# size: 125 +# delay: 5 +# +# Or as flat keys: +# +# pipeline.batch.size: 125 +# pipeline.batch.delay: 5 +# +# ------------ Node identity ------------ +# +# Use a descriptive name for the node: +# +# node.name: test +# +# If omitted the node name will default to the machine's host name +# +# ------------ Data path ------------------ +# +# Which directory should be used by logstash and its plugins +# for any persistent needs. Defaults to LOGSTASH_HOME/data +# +path.data: /var/lib/logstash +# +# ------------ Pipeline Settings -------------- +# +# The ID of the pipeline. +# +# pipeline.id: main +# +# Set the number of workers that will, in parallel, execute the filters+outputs +# stage of the pipeline. +# +# This defaults to the number of the host's CPU cores. +# +# pipeline.workers: 2 +# +# How many events to retrieve from inputs before sending to filters+workers +# +# pipeline.batch.size: 125 +# +# How long to wait in milliseconds while polling for the next event +# before dispatching an undersized batch to filters+outputs +# +# pipeline.batch.delay: 50 +# +# Force Logstash to exit during shutdown even if there are still inflight +# events in memory. By default, logstash will refuse to quit until all +# received events have been pushed to the outputs. 
+# +# WARNING: enabling this can lead to data loss during shutdown +# +# pipeline.unsafe_shutdown: false +# +# ------------ Pipeline Configuration Settings -------------- +# +# Where to fetch the pipeline configuration for the main pipeline +# +# path.config: +# +# Pipeline configuration string for the main pipeline +# +# config.string: +# +# At startup, test if the configuration is valid and exit (dry run) +# +# config.test_and_exit: false +# +# Periodically check if the configuration has changed and reload the pipeline +# This can also be triggered manually through the SIGHUP signal +# +# config.reload.automatic: false +# +# How often to check if the pipeline configuration has changed (in seconds) +# +# config.reload.interval: 3s +# +# Show fully compiled configuration as debug log message +# NOTE: --log.level must be 'debug' +# +# config.debug: false +# +# When enabled, process escaped characters such as \n and \" in strings in the +# pipeline configuration files. +# +# config.support_escapes: false +# +# ------------ Module Settings --------------- +# Define modules here. Modules definitions must be defined as an array. +# The simple way to see this is to prepend each `name` with a `-`, and keep +# all associated variables under the `name` they are associated with, and +# above the next, like this: +# +# modules: +# - name: MODULE_NAME +# var.PLUGINTYPE1.PLUGINNAME1.KEY1: VALUE +# var.PLUGINTYPE1.PLUGINNAME1.KEY2: VALUE +# var.PLUGINTYPE2.PLUGINNAME1.KEY1: VALUE +# var.PLUGINTYPE3.PLUGINNAME3.KEY1: VALUE +# +# Module variable names must be in the format of +# +# var.PLUGIN_TYPE.PLUGIN_NAME.KEY +# +# modules: +# +# ------------ Cloud Settings --------------- +# Define Elastic Cloud settings here. +# Format of cloud.id is a base64 value e.g. dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy +# and it may have an label prefix e.g. staging:dXMtZ... 
+# This will overwrite 'var.elasticsearch.hosts' and 'var.kibana.host' +# cloud.id: +# +# Format of cloud.auth is: : +# This is optional +# If supplied this will overwrite 'var.elasticsearch.username' and 'var.elasticsearch.password' +# If supplied this will overwrite 'var.kibana.username' and 'var.kibana.password' +# cloud.auth: elastic: +# +# ------------ Queuing Settings -------------- +# +# Internal queuing model, "memory" for legacy in-memory based queuing and +# "persisted" for disk-based acked queueing. Defaults is memory +# +# queue.type: memory +# +# If using queue.type: persisted, the directory path where the data files will be stored. +# Default is path.data/queue +# +# path.queue: +# +# If using queue.type: persisted, the page data files size. The queue data consists of +# append-only data files separated into pages. Default is 64mb +# +# queue.page_capacity: 64mb +# +# If using queue.type: persisted, the maximum number of unread events in the queue. +# Default is 0 (unlimited) +# +# queue.max_events: 0 +# +# If using queue.type: persisted, the total capacity of the queue in number of bytes. +# If you would like more unacked events to be buffered in Logstash, you can increase the +# capacity using this setting. Please make sure your disk drive has capacity greater than +# the size specified here. 
If both max_bytes and max_events are specified, Logstash will pick +# whichever criteria is reached first +# Default is 1024mb or 1gb +# +# queue.max_bytes: 1024mb +# +# If using queue.type: persisted, the maximum number of acked events before forcing a checkpoint +# Default is 1024, 0 for unlimited +# +# queue.checkpoint.acks: 1024 +# +# If using queue.type: persisted, the maximum number of written events before forcing a checkpoint +# Default is 1024, 0 for unlimited +# +# queue.checkpoint.writes: 1024 +# +# If using queue.type: persisted, the interval in milliseconds when a checkpoint is forced on the head page +# Default is 1000, 0 for no periodic checkpoint. +# +# queue.checkpoint.interval: 1000 +# +# ------------ Dead-Letter Queue Settings -------------- +# Flag to turn on dead-letter queue. +# +# dead_letter_queue.enable: false + +# If using dead_letter_queue.enable: true, the maximum size of each dead letter queue. Entries +# will be dropped if they would increase the size of the dead letter queue beyond this setting. +# Default is 1024mb +# dead_letter_queue.max_bytes: 1024mb + +# If using dead_letter_queue.enable: true, the directory path where the data files will be stored. +# Default is path.data/dead_letter_queue +# +# path.dead_letter_queue: +# +# ------------ Metrics Settings -------------- +# +# Bind address for the metrics REST endpoint +# +# http.host: "127.0.0.1" +# +# Bind port for the metrics REST endpoint, this option also accept a range +# (9600-9700) and logstash will pick up the first available ports. 
+# +# http.port: 9600-9700 +# +# ------------ Debugging Settings -------------- +# +# Options for log.level: +# * fatal +# * error +# * warn +# * info (default) +# * debug +# * trace +# +# log.level: info +path.logs: /var/log/logstash +# +# ------------ Other Settings -------------- +# +# Where to find custom plugins +# path.plugins: [] +# +# ------------ X-Pack Settings (not applicable for OSS build)-------------- +# +# X-Pack Monitoring +# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html +#xpack.monitoring.enabled: false +#xpack.monitoring.elasticsearch.username: logstash_system +#xpack.monitoring.elasticsearch.password: password +#xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"] +#xpack.monitoring.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ] +#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file +#xpack.monitoring.elasticsearch.ssl.truststore.password: password +#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file +#xpack.monitoring.elasticsearch.ssl.keystore.password: password +#xpack.monitoring.elasticsearch.ssl.verification_mode: certificate +#xpack.monitoring.elasticsearch.sniffing: false +#xpack.monitoring.collection.interval: 10s +#xpack.monitoring.collection.pipeline.details.enabled: true +# +# X-Pack Management +# https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html +#xpack.management.enabled: false +#xpack.management.pipeline.id: ["main", "apache_logs"] +#xpack.management.elasticsearch.username: logstash_admin_user +#xpack.management.elasticsearch.password: password +#xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"] +#xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ] +#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file +#xpack.management.elasticsearch.ssl.truststore.password: password +#xpack.management.elasticsearch.ssl.keystore.path: 
/path/to/file
+#xpack.management.elasticsearch.ssl.keystore.password: password
+#xpack.management.elasticsearch.ssl.verification_mode: certificate
+#xpack.management.elasticsearch.sniffing: false
+#xpack.management.logstash.poll_interval: 5s
From a941a36d25b5990e1b59c21f3c674593f4c9952d Mon Sep 17 00:00:00 2001
From: James Tombleson
Date: Wed, 1 May 2019 16:05:54 -0700
Subject: [PATCH 17/19] Filebeat deploys to linux devices
---
playbook/linux/elastic/install-filebeat.yml | 14 ++
roles/luther38.filebeat/defaults/main.yml | 15 +-
roles/luther38.filebeat/tasks/ubuntu.yml | 24 +-
roles/luther38.filebeat/templates/filebeat.j2 | 211 ++++++++++++++++++
4 files changed, 244 insertions(+), 20 deletions(-)
create mode 100644 playbook/linux/elastic/install-filebeat.yml
create mode 100755 roles/luther38.filebeat/templates/filebeat.j2
diff --git a/playbook/linux/elastic/install-filebeat.yml b/playbook/linux/elastic/install-filebeat.yml
new file mode 100644
index 0000000..79453a1
--- /dev/null
+++ b/playbook/linux/elastic/install-filebeat.yml
@@ -0,0 +1,14 @@
+
+- name: Install Filebeat
+ hosts: elasticClients
+
+ tasks:
+ - name: Install Filebeat
+ include_role:
+ name: luther38.filebeat
+ vars:
+ kibana_host: 172.20.0.142:5601
+ elasticsearch_hosts: "'172.20.0.142:9200'"
+ systemd_enabled: true
+ systemd_restart: true
+
diff --git a/roles/luther38.filebeat/defaults/main.yml b/roles/luther38.filebeat/defaults/main.yml
index ffc8407..d87f558 100644
--- a/roles/luther38.filebeat/defaults/main.yml
+++ b/roles/luther38.filebeat/defaults/main.yml
@@ -1,2 +1,15 @@
---
-# defaults file for luther38.filebeat
\ No newline at end of file
+# defaults file for luther38.filebeat
+
+# config file
+
+# Single value
+kibana_host: 127.0.0.1
+
+# Takes multiple values
+# "'127.0.0.1:9200', '0.0.0.0:9200'"
+elasticsearch_hosts: "'127.0.0.1:9200'"
+
+# Systemd
+systemd_enable: false
+systemd_restart: false
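Review bot: The template never references the `http_host` variable that roles/luther38.logstash/defaults/main.yml adds in this same commit; `http.host` stays a commented example, so the metrics endpoint bind address is whatever Logstash's own default is, regardless of the role variable. If the variable is meant to drive the bind address the line should be `http.host: "{{ http_host }}"`; otherwise the default is dead and should go. As committed, the only uncommented settings the rendered file carries are `path.data` and `path.logs`, which makes the 247-line template a verbatim copy of the stock file with no role-driven values.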
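Review bot: The play hard-codes `kibana_host: 172.20.0.142:5601` and `elasticsearch_hosts: "'172.20.0.142:9200'"` in the playbook itself; these are environment values and belong in inventory or group_vars for `elasticClients` so the same play serves another environment without editing. `elasticsearch_hosts` is also handed over as a pre-quoted string that the template presumably splices into a YAML list; a real list (`elasticsearch_hosts: ['172.20.0.142:9200']`) rendered with a filter such as `to_json` would avoid the nested quoting and hand-built YAML. The template's use of the variable is outside this view, so confirm how it is consumed before changing the type.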
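Review bot: The new default is named `systemd_enable`, but roles/luther38.filebeat/tasks/ubuntu.yml tests `systemd_enabled == true` (see that file's hunk later in this commit), so the default never applies and a caller that does not pass `systemd_enabled` fails on an undefined variable; rename it to `systemd_enabled: false` to match the tasks. `kibana_host: 127.0.0.1` should be quoted like the `elasticsearch_hosts` value for consistency. The `elasticsearch_hosts` default embeds YAML quoting inside a string, which is fragile to edit; a list default with the template doing the rendering would be clearer.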
diff --git a/roles/luther38.filebeat/tasks/ubuntu.yml b/roles/luther38.filebeat/tasks/ubuntu.yml index 6026c10..9f1f3e5 100644 --- a/roles/luther38.filebeat/tasks/ubuntu.yml +++ b/roles/luther38.filebeat/tasks/ubuntu.yml @@ -6,39 +6,25 @@ - name: Install ElasticSearch from apt become: true apt: - name: elasticsearch + name: filebeat - name: Update config become: true template: - src: elasticsearch.j2 - dest: /etc/elasticsearch/elasticsearch.yml + src: filebeat.j2 + dest: /etc/filebeat/filebeat.yml backup: yes -- name: UFW allow http_port - become: true - when: ufw_http_port == true - ufw: - rule: allow - port: "{{ http_port }}" - -- name: UFW allow transport_port - become: true - when: ufw_transport_port == true - ufw: - rule: allow - port: "{{ transport_port }}" - - name: systemd enable elasticsearch become: true when: systemd_enabled == true systemd: - name: elasticsearch + name: filebeat enabled: true - name: systemd restart elasticsearch become: true when: systemd_restart == true systemd: - name: elasticsearch + name: filebeat state: restarted diff --git a/roles/luther38.filebeat/templates/filebeat.j2 b/roles/luther38.filebeat/templates/filebeat.j2 new file mode 100755 index 0000000..0c091d6 --- /dev/null +++ b/roles/luther38.filebeat/templates/filebeat.j2 
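Review bot: The task names still read `Install ElasticSearch from apt`, `systemd enable elasticsearch` and `systemd restart elasticsearch` while the bodies now manage the `filebeat` package and unit, so play output misreports what was done; rename them to `Install Filebeat from apt`, `systemd enable filebeat` and `systemd restart filebeat`. The `when: systemd_enabled == true` guard also does not match the `systemd_enable` default this commit introduces, so the role's own default is never consulted. The file's first five lines (the install-repo include) are outside this hunk.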
@@ -0,0 +1,211 @@ +###################### Filebeat Configuration Example ######################### + +# This file is an example configuration file highlighting only the most common +# options. The filebeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/filebeat/index.html + +# For more available modules and options, please see the filebeat.reference.yml sample +# configuration file. + +#=========================== Filebeat inputs ============================= + +filebeat.inputs: + +# Each - is an input. Most options can be set at the input level, so +# you can use different inputs for various configurations. +# Below are the input specific configurations. + +- type: log + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. + #include_lines: ['^ERR', '^WARN'] + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #exclude_files: ['.gz$'] + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + + ### Multiline options + + # Multiline can be used for log messages spanning multiple lines. 
This is common + # for Java Stack Traces or C-Line Continuation + + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #multiline.pattern: ^\[ + + # Defines if the pattern set under pattern should be negated or not. Default is false. + #multiline.negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + #multiline.match: after + + +#============================= Filebeat modules =============================== + +filebeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +#==================== Elasticsearch template setting ========================== + +setup.template.settings: + index.number_of_shards: 1 + #index.codec: best_compression + #_source.enabled: false + +#================================ General ===================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + + +#============================== Dashboards ===================================== +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. 
+#setup.dashboards.enabled: false + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +#============================== Kibana ===================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + host: {{ kibana_host }} + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +#============================= Elastic Cloud ================================== + +# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +#================================ Outputs ===================================== + +# Configure what output to use when sending the data collected by the beat. + +#-------------------------- Elasticsearch output ------------------------------ +output.elasticsearch: + # Array of hosts to connect to. + #hosts: ["localhost:9200"] + hosts: [{{ elasticsearch_hosts }}] + + # Optional protocol and basic auth credentials. 
+ #protocol: "https" + #username: "elastic" + #password: "changeme" + +#----------------------------- Logstash output -------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +#================================ Processors ===================================== + +# Configure processors to enhance or manipulate events generated by the beat. + +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ + +#================================ Logging ===================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +#============================== Xpack Monitoring =============================== +# filebeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#xpack.monitoring.enabled: false + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line. 
+#xpack.monitoring.elasticsearch: + +#================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true From 9eabb48d1c2522cac1886a5fa7b0d731b11644fe Mon Sep 17 00:00:00 2001 From: James Tombleson Date: Thu, 2 May 2019 07:42:47 -0700 Subject: [PATCH 18/19] Update unattended-upgrades.yml Added become lines given it needed permissions to run the operation but failed to do so. I think the role is older and you use to be able to elevate permissions from playbook. --- roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml b/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml index 852fd6d..a777fb9 100644 --- a/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml +++ b/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml @@ -7,6 +7,7 @@ when: (ansible_distribution == "Debian") and (ansible_distribution_release == "wheezy") - name: install unattended-upgrades + become: true apt: pkg: unattended-upgrades state: present @@ -18,6 +19,7 @@ when: unattended_automatic_reboot - name: create APT auto-upgrades configuration + become: true template: src: auto-upgrades.j2 dest: /etc/apt/apt.conf.d/20auto-upgrades @@ -26,6 +28,7 @@ mode: 0644 - name: create unattended-upgrades configuration + become: true template: src: unattended-upgrades.j2 dest: /etc/apt/apt.conf.d/50unattended-upgrades From 0339ede65c31592c8b57a473473bbf88ed84088a Mon Sep 17 00:00:00 2001 From: James Tombleson Date: Thu, 2 May 2019 07:58:22 -0700 Subject: [PATCH 19/19] Update install-jenkins.yml --- playbook/linux/install-jenkins.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/playbook/linux/install-jenkins.yml b/playbook/linux/install-jenkins.yml index ca7d174..b9b5d06 100644 --- a/playbook/linux/install-jenkins.yml 
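Review bot: The rendered `output.elasticsearch` block can only ever be `hosts: [...]` over plain HTTP — `protocol`, `username`/`password` and the `ssl.*` keys are left as commented defaults with no variable behind them, so a role user cannot enable TLS or authentication without forking the template, and shipped logs (which commonly carry hostnames, usernames and request paths) travel in cleartext. Both substitutions are unquoted (`host: {{ kibana_host }}`, `hosts: [{{ elasticsearch_hosts }}]`), and the second relies on the caller embedding YAML quotes inside the variable value. Note too that the only `filebeat.inputs` entry is `enabled: false` and `reload.enabled: false`, so a host ships nothing unless a module is enabled outside this role — presumably intended, but worth a comment above the input. A minimal optional TLS/auth block keyed on role variables would look like this:

```yaml
output.elasticsearch:
  hosts: [{{ elasticsearch_hosts }}]
{% if elasticsearch_protocol is defined %}
  protocol: "{{ elasticsearch_protocol }}"
{% endif %}
{% if elasticsearch_ssl_certificate_authorities is defined %}
  ssl.certificate_authorities: {{ elasticsearch_ssl_certificate_authorities | to_json }}
{% endif %}
{% if elasticsearch_username is defined %}
  username: "{{ elasticsearch_username }}"
  password: "{{ elasticsearch_password }}"
{% endif %}
# … unchanged: Logstash output, processors, logging, xpack monitoring …
```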
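Review bot: Adding `become: true` inside `roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml` patches a third-party Galaxy role in place, so the change is lost on the next `ansible-galaxy install` and the vendored copy now diverges from upstream with no record of why. The same effect is obtained without touching the role by elevating at the call site — `become: true` on the play, or on the `include_role`/`import_role` task, as the Jenkins playbook in this series does. If the vendored copy must stay patched, a one-line comment above each added line such as `# local change: role does not elevate itself` would warn whoever refreshes roles later. The task list this hunk belongs to continues outside the hunk.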
+++ b/playbook/linux/install-jenkins.yml @@ -6,14 +6,16 @@ tasks: - name: Install Java - become: true - included_role: + become: yes + import_role: name: geerlingguy.java - vars: - # https://galaxy.ansible.com/geerlingguy/jenkins - - name: Install Jenkins - become: true - included_role: - name: geerlingguy.jenkins + # https://galaxy.ansible.com/geerlingguy/jenkins + - name: Install Jenkins + become: yes + import_role: + name: geerlingguy.jenkins + vars: + jenkins_package_state: latest + jenkins_http_port: 8080
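Review bot: `jenkins_package_state: latest` makes the play non-idempotent and installs whatever Jenkins version the apt repository serves at run time, so a routine re-run can silently upgrade the CI controller; prefer `jenkins_package_state: present` together with a pinned version if the role accepts one (verify against the role's defaults) so upgrades are deliberate. `become: yes` is accepted by Ansible but is a YAML 1.1 truthy spelling; `become: true` matches the rest of this repository. Nothing here overrides the role's admin credentials or bind address, so Jenkins presumably comes up with the role's defaults on port `8080` — confirm against geerlingguy.jenkins before exposing the host.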