jtom38
/
Ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Role Adjustments 

Added Sensu
Moved default role downloads to ./roles
Added unattended-upgrades
This commit is contained in:
James Tombleson 2019-04-29 07:08:11 -07:00
parent b27e8dda28
commit b7facd7394
117 changed files with 4131 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible.cfg
View File

@ -65,7 +65,7 @@ local_tmp = ~/.ansible/tmp
# inject_facts_as_vars = True
# additional paths to search for roles in, colon separated
roles_path = /etc/ansible/roles:./roles/
roles_path = ./roles/:/etc/ansible/roles
# uncomment this to disable SSH key host checking
#host_key_checking = False

16
playbook/linux/auto-securityupdates.yml Normal file
View File

@ -0,0 +1,16 @@
---
- name: enable
hosts: linux
tasks:
- name: unattended-upgrades
become: true
include_role:
name: jnv.unattended-upgrades
vars:
#unattended_package_blacklist: []
unattended_automatic_reboot: true

18
playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/cert.pem Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC3TCCAcWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdTZW5z
dUNBMB4XDTE5MDQyODE3NTMwMloXDTI0MDQyNjE3NTMwMlowITEOMAwGA1UEAwwF
c2Vuc3UxDzANBgNVBAoMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMBFLZ/mgAOdKJ2YUkqzjZHKsRyvNxixX9I3LWXJCMfFnWuUOLau5UaE
rS6ZbtO1N4djsi6xSyBhPSu2hjPt9KgniTesaKZDwlLO2HLrOpUpmKPPpLxnBym9
m/nXWaeuTLAnnNtP/wU4Jwvp1u9qMu5tIYdy+hTd5LJSQcfjgrt5ydHzLbwn9UyE
2pcMawEgOaoywY9i6Ofhfsr5hwLkR3/3VS5PfJ2sVsO0Ks2vBW091BaQSwQAarpR
ExMHmTrcHoHtWFI0RiFxZ+MoakL5380VSmzhAs8QPxYWYc3PLndhYt4pH6TLcCOF
LpY8qk6S/acHuWHgdl+GIgyk5jKqnkECAwEAAaMvMC0wCQYDVR0TBAIwADALBgNV
HQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEB
AG/MiB8QHvJlGrF1Xa5UHs/ykFJj1n+JzeniC5p3nApnRmpgi9KNlDZqRXjotuww
uvaDlsRpFp+X4NukUUR8aUUZpwYbIm/wgXJ376Su0nUmpFmCU2TrGkk/cMeqbAen
OYe5WZxsmJnmmkwhHLybrvha/vsCTNV6GY2JcHNhI8R7Uvwna48ueg7/WBQ5oXqZ
zdYXMaFD2ioBFaYZqVifWv+5d1av2VBveX1V5p7ZZ3LHsvNS8/eVWufu5I4mwJI9
GRPakzY0emL9ZBbtsZtsNA7IA6w4l4WeQtu1DHPc2iYO+JwfpeUNVX65ANSicqjC
ibyhYEZs3qI/rb3WPXy6l0I=
-----END CERTIFICATE-----

27
playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/client/key.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAwEUtn+aAA50onZhSSrONkcqxHK83GLFf0jctZckIx8Wda5Q4
tq7lRoStLplu07U3h2OyLrFLIGE9K7aGM+30qCeJN6xopkPCUs7Ycus6lSmYo8+k
vGcHKb2b+ddZp65MsCec20//BTgnC+nW72oy7m0hh3L6FN3kslJBx+OCu3nJ0fMt
vCf1TITalwxrASA5qjLBj2Lo5+F+yvmHAuRHf/dVLk98naxWw7Qqza8FbT3UFpBL
BABqulETEweZOtwege1YUjRGIXFn4yhqQvnfzRVKbOECzxA/FhZhzc8ud2Fi3ikf
pMtwI4UuljyqTpL9pwe5YeB2X4YiDKTmMqqeQQIDAQABAoIBAFxnovLLa9DQ0jlT
gJFIVAyydoaLqxYiASRdwmK9yIuCbRLL7KnXyncmwri3ouz6lhJqlrMcIDgSo7yD
f2Irxb6fKbJpGO53eEgmAx7P8JrJoANygwDNH0MvTmw31G3jNhYfI6K/gpf2kcWG
//aWep3eMxQO7SPkNMqC//xaWnVQ0FLigNQjyFlgQrIZ3L4x7qFxcrkvTUIODGio
R6hs7fECwXZkvLB28//tiwLEuOHnWGkG64fDebXUBDHsFhY/ObtA9vJITGY2GlUi
1KFt9ZJd1JdMoV7EH5IwnA5YUN1NOtb5bwRaCddCMFH2lWsjzV1hNTZ9MzNyFqIF
eolkKKUCgYEA6xR0LR3/stMPOWvgdaiXACHsH2hLx7Yh1vOf97eBbdUgiqjeL7DW
mUmXIBLOQwrKMWNX0+DAqeuY80ESBmQ5KhRR/Sws2FMXGcqgyNPdJYAruif8y4z9
0fGdvES1Fe12lOzyfPJclJi6doglyTjoJS5KGXUz8womJH4eiWZd+98CgYEA0WFx
SPttK8Oi9zKxh/6YzpvOaABm6pCUslg79smhPGdhj4M0sO1sS4KzOBBolcplT9e6
T1awh7ML44dowIFuQ0FgySnz5ogZt6xnqGv6bbfSVbMNpU4B9O4tJ2z16uFOXDeM
f0tS55fcbspJ1Dylc+ndyAurd5E/8z/2BnU6qd8CgYADs6bAryA/qKMsvE4kjCsU
jXQyamoHEw8lW2DBfdpD6H9Cr7YP+jDm6QnAL4uf8qOMc4wGghuGkXcvHW8zOpDL
4NYJrpBmN6i9dztg7jUlSgdmPwr0CZxVmgBp3osbdUnQvopy/T4H+P+2rh4qNQMy
0q/IBthyk05WdMX2U+5W8QKBgFSBwqpVKBvYyyaAZFziKiSBiA47003q6skMia8y
dAwgIaU9rH+YY/QaHWGMZdnHJZrTFBQ/heJPJoY/ucywsKMeeQTYFOO/nLmgMPou
EpZD8fW63dARKwMDOmBGPv78zpazqNYbvatRhJuGs8OgcprVEjlSVHNewXPZJeA3
YmT7AoGAJuMaSA6oZqn0uKJD0FDwIl4j0RfVhPJHe9Um1G1K2FpZ3DV705kcwx1t
IUu9pHLFJubwpkQFiERX/6BRbjbp4oZhpPLcLRec5nXTT8LHoiCBMaQW2RtnDMeW
XKt2xyhGFp0Drw4vWV0Nr8fJbuBbAqviZTQnBtj7ZJ41KRV1mU4=
-----END RSA PRIVATE KEY-----

17
playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICxDCCAaygAwIBAgIJAPX7448uFrdyMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
BAMMB1NlbnN1Q0EwHhcNMTkwNDI4MTc1MjU3WhcNMjQwNDI2MTc1MjU3WjASMRAw
DgYDVQQDDAdTZW5zdUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
sI4ptnAIEJISxDYMVZIi6vF6GcnzXDyXl4Et9m86QF9+Zyfe4zomGDnfp7wfhddS
6asPHMxcgXi9itY6qr33lzdDL4SaMysS/VwWLBwhmdl2hEELPvUKHBF96iyfuq4A
lsQ3lAXr/3uqXdODNo38hGaxrK2n1ocKFEKZrGlmrFDvfYKJz1cYlDh5u0ghjJGQ
E/MCDeQzGNOjcbSbNUo5nMR8P6nzPcMDHjtA0OS4DXSijvjibHPhZ/NU9KgoTz9W
oL8FoePlL6Zq6cwiEKCOUsqivIPbM3nGGNkPBHmSE0dnYXn0le+LK3rkNX60ZdwE
fqisAIaHSVQWVlTw4J8xlQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
AwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAp1MPCS8tKdUGrT07yHosw7+Gxc++/ylM
cmS9GLiwAfU4VU4QEy97ipL4K8VLWbrGVvJSpgxAApLA0jX7R2UcYTYeTk9ikuto
BeQRxcj6QdR8BKD4N7Qtje6jBVMJ6Ssky3Kj1XXcEQu4iZx9uZCX2yeCeozXaLtS
+Tw3r9NjgIXGvhLCp64JTC+rL74S7cMwAIW5YBRy/K4uBdLKBcjYIi7VQnivsfGu
J2+28+kfNw7nNWBdVWtBf6MoJQNEDvpx+HGRBCJoSlgw+GTRgbgCqEPJrXBdbamU
SDJtCEdYonQqUCqqCI083ckx8c31YBg1COTZBQnWQiYVpcIfXG7j/A==
-----END CERTIFICATE-----

18
playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/cert.pem Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC3TCCAcWgAwIBAgIBATANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDDAdTZW5z
dUNBMB4XDTE5MDQyODE3NTI1OVoXDTI0MDQyNjE3NTI1OVowITEOMAwGA1UEAwwF
c2Vuc3UxDzANBgNVBAoMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALEltlZMg7u1rqFbnljmD+IeiVeRt0zzRiCEpjvQ4t+bBjT5onPAOxYI
Q1d3MdPJqA+lyCRP/sXcEKa1l14UDj50WEruK0VqXKL+e2ETeJi4kJb8k8ansCAI
Ask5Ok2d8bTSQLzJBCkjwvR5kfG49R5wfJFDSA3WLfTHq1myRibJIMgbFGB2UP3Q
yyljZWn04IO72yWhK413CxwnwXKsIFT5/z0hVGZMr5wDWpfhBhtBi6uxqeKG3Zyy
CV/f3yUcOL+A9yoxPu155TNYfvmz1rqarTeuOJJJU7TtAiHmue8OhkfRFanBBYj9
hSOGPdLB9eKzoWsS8vLKLUTwaQwZ9IsCAwEAAaMvMC0wCQYDVR0TBAIwADALBgNV
HQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEB
ABPZUxDIGJ6C8hu1aOj5sY/r8yphotSnPVkghBTGVJbjmGHSci+IGbHX6yemVYvH
mQWKI8qBdroiIpCOpMVvmG6oUR4s+h/vdKuDoy/x3lRZjJDQiReAGKwwyeiG++wJ
x6eSCDGqcIWvk72Zgd+OGym3JGrDpU7ofat+ncqtIunAOh7rhQlyRJ42wYZpWDIi
Aass4yn16aYhF/PppUIsBYrWk1UUlKbXOF/Z7WOG4Hg6h5HwwtJZq/PGsSzJqd/O
s6XI8Am1pU9PwLwWm9Vad44OhTNWGxsidboUCxNa7Yc7p5CkAqT+Z2Lf7RfvgmcX
SUCwSN9REpYGV3k9l47eljY=
-----END CERTIFICATE-----

27
playbook/linux/data/store/192.168.0.60/etc/sensu/ssl_generation/sensu_ssl_tool/server/key.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsSW2VkyDu7WuoVueWOYP4h6JV5G3TPNGIISmO9Di35sGNPmi
c8A7FghDV3cx08moD6XIJE/+xdwQprWXXhQOPnRYSu4rRWpcov57YRN4mLiQlvyT
xqewIAgCyTk6TZ3xtNJAvMkEKSPC9HmR8bj1HnB8kUNIDdYt9MerWbJGJskgyBsU
YHZQ/dDLKWNlafTgg7vbJaErjXcLHCfBcqwgVPn/PSFUZkyvnANal+EGG0GLq7Gp
4obdnLIJX9/fJRw4v4D3KjE+7XnlM1h++bPWupqtN644kklTtO0CIea57w6GR9EV
qcEFiP2FI4Y90sH14rOhaxLy8sotRPBpDBn0iwIDAQABAoIBAFtnsiXlZTO+E1V/
CL2mOBvc1dExhvtVq6Gr0Hqc1fO68gDzrjc7wUElElpXToaRTv6D9DmIbVV6r7zV
hj0s7Aydy9EeA4XV0+bmmJMGkPt8gF7oBPhEHkTo3UcnGEZkcQt0UaMXteXkZfvv
nrazUQdb02rA5LT/Bsd/H5MwwbHQyipMXKQXpYyzALhoBUrXItc+aHfINHOELs0h
UPSoFnNSsQo1VGSd/TCZJYYw2cpmeTqWO4sM6z8vYXJnNQTCb2saW+vywfQoYTJ7
V6mSmX7EgYh512jNpNdzhQx8qN1hmWF/r5G9DC4QSnzVoN23fi4H+szB9CEfVlPy
pGj6qUECgYEA1zwPaLjz9XgeZiHrLYDCFeNRYE4Noa9mFuuplYxmiIJGsBiUNHNJ
bbMn8VpuBBptEUnSTCGJhAF39AGKfUHx+49hTKTUISmnTDOSHLeE1mKvZJWB3x4r
3ezfsUVwV4BvidYQEv0FWuE+lniDmx2BVQk7vIiF5VjUxMmyqnB8cEUCgYEA0rLw
LtSYod0VzFLs8NlMH9nhfQk7oSfyxqLVwpiAQVAtrI3xfQUaYP04BrV/XOI+YBcF
Svg4Ou4tqcuGFFYtqNPAaGYfih7UzEY8Z6wH2rkyznCq7VQZexKKtTbPQCNSkJ5h
fpNxfh4sXZSpYg/aIEr6OC8REuhcjRjhJBWJJo8CgYAsPN316j3KMBwfZc1Olu5N
TWGGZ8SJfOGAyIMch7TzTcN1ojej6CYpc+87vhhqo3vTV9bvat020o5zCnYKdKll
yPx4olAvWL5X/SmE2XtmDPZ7t/bvguYFQRBhASKr+Wvzapn3LSYSncUdbDuwgAn7
DmDGyVCr6OwiXkpomaIZ+QKBgCZIpSOdNW6TwVYy6yKIGTDgYfxaJR+PJqm5BKYr
F4LGksX7tJlGyBg/amKtr8qswTCsfiW1HGJ4zItBk8c2MW2vrBJMHAb4uymyyV78
/yBa7kRcbHJbCZY3NEThBJ9ey63DWWuqVsDXsq/+RxiuUK/1b6mtw6hv2AE7OA1a
bGU5AoGBANL+ssYI1JH1TFRwI8iTc/no2Loy2jZ2NGyZbU/gc3NhhVERNgtK8nmM
dcYrgmewKKS20+AqqbM7zITYdJea6RTKU6ELJul2iKMDSwA65cEwueqAT6WY7x57
z0fBzoaLRQp11SSuuPz9p0a096XGygQP1o2SabZCwY4b3+vtkbJM
-----END RSA PRIVATE KEY-----

3
playbook/linux/elastic/role-test.yml
View File

@ -21,5 +21,6 @@
server_host: ansible_default_ipv4.address
server_name: ansible_hostname
elasticsearch_hosts:
- http://192.168.0.173:9200
#- http://192.168.0.173:9200
- http://192.168.0.60:9200

19
playbook/linux/sensu-test.yml Normal file
View File

@ -0,0 +1,19 @@
- name: testing sensu
hosts: linux
tasks:
- name: install sensu server
become: true
import_role:
name: sensu.sensu
vars:
# Sever vars
sensu_deploy_redis_server: true
sensu_deploy_rabbitmq_server: true
sensu_master: true
#sensu_include_plugins: true
sensu_include_dashboard: true
# Client Vars
#sensu_client: true

9
roles/jnv.unattended-upgrades/.editorconfig Normal file
View File

@ -0,0 +1,9 @@
root = true
[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true

3
roles/jnv.unattended-upgrades/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
.vagrant/
*~
*.log

16
roles/jnv.unattended-upgrades/.travis.yml Normal file
View File

@ -0,0 +1,16 @@
sudo: required
language: python
services: docker
cache: pip
install:
- pip install ansible docker
- ansible-galaxy install -r tests/requirements.yml -p tests/roles/
script:
- ansible --version
- tests/test.sh
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

339
roles/jnv.unattended-upgrades/LICENSE Normal file
View File

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

180
roles/jnv.unattended-upgrades/README.md Normal file
View File

@ -0,0 +1,180 @@
# Unattended-Upgrades Role for Ansible
[![Build Status of branch master](https://img.shields.io/travis/jnv/ansible-role-unattended-upgrades/master.svg?style=flat-square)](https://travis-ci.org/jnv/ansible-role-unattended-upgrades)
[![Ansible Role: jnv.unattended-upgrades](https://img.shields.io/ansible/role/8068.svg?style=flat-square)](https://galaxy.ansible.com/jnv/unattended-upgrades/)
Install and setup [unattended-upgrades](https://launchpad.net/unattended-upgrades) for Ubuntu and Debian (since Wheezy), to periodically install security upgrades.
**NOTE:** If you have used version 0.0.1 of the role, you can delete the file `/etc/apt/apt.conf.d/10periodic` as it is not needed anymore. You can use the following one-shot command:
ansible -m file -a "state=absent path=/etc/apt/apt.conf.d/10periodic" <host-pattern>
## Requirements
The role uses [apt module](http://docs.ansible.com/apt_repository_module.html) which has additional dependencies.
If you set `unattended_mail` to an e-mail address, make sure `mailx` command is available and your system is able to send e-mails.
The role requires unattended-upgrades version 0.70 and newer, which is available since Debian Wheezy and Ubuntu 12.04 respectively. This is due to [Origins Patterns](#origins-patterns) usage; if this is not available on your system, you may use [the first version of the role](https://github.com/jnv/ansible-role-unattended-upgrades/tree/v0.1).
### Automatic Reboot
If you enable automatic reboot feature (`unattended_automatic_reboot`), the role will attempt to install `update-notifier-common` package, which is required on some systems for detecting and executing reboot after the upgrade. You may optionally define a specific time for rebooting (`unattended_automatic_reboot_time`).
This feature was broken in Debian Jessie, but eventually was rolled into the unattended-upgrades package; see [the discussion in #6](https://github.com/jnv/ansible-role-unattended-upgrades/issues/6) for more details.
## Disabled Cron Jobs
On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.daily/apt` file has been renamed to `apt.disabled`. This is possibly provider's decision, to save some CPU cycles. Use [enable-standard-cronjobs](https://github.com/Yannik/ansible-role-enable-standard-cronjobs) role to reenable unattended-upgrades. See also discussion in [#9](https://github.com/jnv/ansible-role-unattended-upgrades/issues/9).
## Role Variables
* `unattended_cache_valid_time`: Update the apt cache if its older than the given time in seconds; passed to the [apt module](https://docs.ansible.com/ansible/latest/apt_module.html) during package installation.
* Default: `3600`
* `unattended_origins_patterns`: array of origins patterns to determine whether the package can be automatically installed, for more details see [Origins Patterns](#origins-patterns) below.
* Default for Debian: `['origin=Debian,codename=${distro_codename},label=Debian-Security']`
* Default for Ubuntu: `['origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu']`
* `unattended_package_blacklist`: packages which won't be automatically upgraded
* Default: `[]`
* `unattended_autofix_interrupted_dpkg`: whether on unclean dpkg exit to run `dpkg --force-confold --configure -a`
* Default: `true`
* `unattended_minimal_steps`: split the upgrade into the smallest possible chunks so that they can be interrupted with SIGUSR1.
* Default: `false`
* `unattended_install_on_shutdown`: install all unattended-upgrades when the machine is shuting down.
* Default: `false`
* `unattended_mail`: e-mail address to send information about upgrades or problems with unattended upgrades
* Default: `false` (don't send any e-mail)
* `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade.
* Default: `false`
* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade.
* Default: `false`
* `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade.
* Default: `false`
* `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade.
* Default: `false`
* `unattended_update_days`: Set the days of the week that updates should be applied. The days can be specified as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is Monday etc. Example: `{"Mon";"Fri"};`
* Default: disabled
* `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive.
* Default: `false`
* `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root.
* Possible options:
* `0`: no report
* `1`: progress report
* `2`: + command outputs
* `3`: + trace on
* Default: `0` (no report)
* `unattended_update_package_list`: Do "apt-get update" automatically every n-days (0=disable)
* Default: `1`
* `unattended_download_upgradeable`: Do "apt-get upgrade --download-only" every n-days (0=disable)
* Default: `0`
* `unattended_autoclean_interval`: Do "apt-get autoclean" every n-days (0=disable)
* Default: `7`
* `unattended_clean_interval`: Do "apt-get clean" every n-days (0=disable)
* Default: `0`
* `unattended_random_sleep`: Define maximum for a random interval in seconds after which the apt job starts (only for systems without systemd)
* Default: `1800` (30 minutes)
* `unattended_dpkg_options`: Array of dpkg command-line options used during unattended-upgrades runs, e.g. `["--force-confdef"]`, `["--force-confold"]`
* Default: `[]`
* `unattended_dl_limit`: Limit the download speed in kb/sec using apt bandwidth limit feature.
* Default: disabled
## Origins Patterns
Origins Pattern is a more powerful alternative to the Allowed Origins option used in previous versions of unattended-upgrade.
Pattern is composed from specific keywords:
* `a`,`archive`,`suite` e.g. `stable`, `trusty-security` (`archive=stable`)
* `c`,`component` e.g. `main`, `crontrib`, `non-free` (`component=main`)
* `l`,`label` e.g. `Debian`, `Debian-Security`, `Ubuntu`
* `o`,`origin` e.g. `Debian`, `Unofficial Multimedia Packages`, `Ubuntu`
* `n`,`codename` e.g. `jessie`, `jessie-updates`, `trusty` (this is only supported with `unattended-upgrades` >= 0.80)
* `site` e.g. `http.debian.net`
You can review the available repositories using `apt-cache policy` and debug your choice using `unattended-upgrades -d` command on a target system.
Additionally unattended-upgrades support two macros (variables), derived from `/etc/debian_version`:
* `${distro_id}` Installed distribution name, e.g. `Debian` or `Ubuntu`.
* `${distro_codename}` Installed codename, e.g. `jessie` or `trusty`.
Using `${distro_codename}` should be preferred over using `stable` or `oldstable` as a selected, as once `stable` moves to `oldstable`, no security updates will be installed at all, or worse, package from a newer distro release will be installed by accident. The same goes for upgrading your installation from `oldstable` to `stable`, if you forget to change this in your origin patterns, you may not receive the security updates for your newer distro release. With `${distro_codename}`, both cases can never happen.
## Role Usage Example
Example for Ubuntu, with custom [origins patterns](#patterns-examples), blacklisted packages and e-mail notification:
```yaml
- hosts: all
roles:
- role: jnv.unattended-upgrades
unattended_origins_patterns:
- 'origin=Ubuntu,archive=${distro_codename}-security'
- 'o=Ubuntu,a=${distro_codename}-updates'
unattended_package_blacklist: [cowsay, vim]
unattended_mail: 'root@example.com'
```
_Note:_ You don't need to specify `unattended_origins_patterns`, the role will use distribution's default if the variable is not set.
### Patterns Examples
By default, only security updates are allowed for both Ubuntu and Debian. You can add more patterns to allow unattended-updates install more packages automatically, however be aware that automated major updates may potentially break your system.
#### For Debian
```yaml
unattended_origins_patterns:
- 'origin=Debian,codename=${distro_codename},label=Debian-Security' # security updates
- 'o=Debian,codename=${distro_codename},label=Debian' # updates including non-security updates
- 'o=Debian,codename=${distro_codename},a=proposed-updates'
```
On debian wheezy, due to `unattended-upgrades` being `0.79.5`, you cannot use the `codename` directive.
You will have to do archive based matching instead:
```yaml
unattended_origins_patterns:
- 'origin=Debian,a=stable,label=Debian-Security' # security updates
- 'o=Debian,a=stable,l=Debian' # updates including non-security updates
- 'o=Debian,a=proposed-updates'
```
Please be sure to read about the issues regarding this in the origin pattern documentation above.
#### For Ubuntu
In Ubuntu, archive always contains the distribution codename
```yaml
unattended_origins_patterns:
- 'origin=Ubuntu,archive=${distro_codename}-security'
- 'o=Ubuntu,a=${distro_codename}'
- 'o=Ubuntu,a=${distro_codename}-updates'
- 'o=Ubuntu,a=${distro_codename}-proposed-updates'
```
#### For Raspbian
In Raspbian, it is only possible to update all packages from the default repository, including non-security updates, or updating none.
Updating all, including non-security:
```yaml
unattended_origins_patterns:
- 'origin=Raspbian,codename=${distro_codename},label=Raspbian'
```
You can not use the `codename` directive on raspbian wheezy, the same as with debian wheezy above.
To not install any updates on a raspbian host, just set `unattended_origins_patterns` to an empty list:
```
unattended_origins_patterns: []
```
## License
GPLv2

122
roles/jnv.unattended-upgrades/defaults/main.yml Normal file
View File

@ -0,0 +1,122 @@
---
# Cache update time for apt module
unattended_cache_valid_time: 3600
#Unattended-Upgrade::Origins-Pattern
# Automatically upgrade packages from these origin patterns
# e.g.: 'o=Debian,a=stable', 'o=Debian,a=stable-updates'
#
# Left unset, distribution-specific defaults will be used through
# __unattended_origins_patterns variable only if this variable
# is not provided externally
# REFS https://github.com/ansible/ansible/issues/8121
#unattended_origins_patterns: []
#Unattended-Upgrade::Package-Blacklist
# List of packages to not update
unattended_package_blacklist: []
#Unattended-Upgrade::AutoFixInterruptedDpkg
# On a unclean dpkg exit unattended-upgrades will run
# dpkg --force-confold --configure -a
# The default is true, to ensure updates keep getting installed
unattended_autofix_interrupted_dpkg: true
#Unattended-Upgrade::MinimalSteps
# Split the upgrade into the smallest possible chunks so that
# they can be interrupted with SIGUSR1. This makes the upgrade
# a bit slower but it has the benefit that shutdown while a upgrade
# is running is possible (with a small delay)
unattended_minimal_steps: false
#Unattended-Upgrade::InstallOnShutdown
# Install all unattended-upgrades when the machine is shuting down
# instead of doing it in the background while the machine is running
# This will (obviously) make shutdown slower
unattended_install_on_shutdown: false
#Unattended-Upgrade::Mail
# Send email to this address for problems or packages upgrades
# If empty or unset then no email is sent, make sure that you
# have a working mail setup on your system. A package that provides
# 'mailx' must be installed.
unattended_mail: false
#Unattended-Upgrade::MailOnlyOnError
# Set this value to "true" to get emails only on errors. Default
# is to always send a mail if Unattended-Upgrade::Mail is set
unattended_mail_only_on_error: false
#Unattended-Upgrade::Remove-Unused-Dependencies
# Do automatic removal of new unused dependencies after the upgrade
# (equivalent to apt-get autoremove)
unattended_remove_unused_dependencies: false
#Unattended-Upgrade::Automatic-Reboot
# Automatically reboot *WITHOUT CONFIRMATION* if a
# the file /var/run/reboot-required is found after the upgrade
unattended_automatic_reboot: false
#Unattended-Upgrade::Automatic-Reboot-Time
# If automatic reboot is enabled and needed, reboot at the specific
# time instead of immediately
unattended_automatic_reboot_time: false
#Unattended-Upgrade::IgnoreAppsRequireRestart
# Do upgrade application even if it requires restart after upgrade
# I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
unattended_ignore_apps_require_restart: false
### APT::Periodic configuration
# Snatched from /usr/lib/apt/apt.systemd.daily
#APT::Periodic::Update-Package-Lists "0";
# - Do "apt-get update" automatically every n-days (0=disable)
unattended_update_package_list: 1
#APT::Periodic::Download-Upgradeable-Packages "0";
# - Do "apt-get upgrade --download-only" every n-days (0=disable)
#unattended_download_upgradeable: 0
#APT::Periodic::AutocleanInterval "0";
# - Do "apt-get autoclean" every n-days (0=disable)
unattended_autoclean_interval: 7
#APT::Periodic::CleanInterval "0";
# - Do "apt-get clean" every n-days (0=disable)
#unattended_clean_interval: 0
#APT::Periodic::Verbose "0";
# - Send report mail to root
# 0: no report (or null string)
# 1: progress report (actually any string)
# 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
# 3: + trace on
#unattended_verbose: 0
## Cron systems only
#APT::Periodic::RandomSleep
# When the apt job starts, it will sleep for a random period between 0
# and APT::Periodic::RandomSleep seconds
# The default value is "1800" so that the script will stall for up to 30
# minutes (1800 seconds) so that the mirror servers are not crushed by
# everyone running their updates all at the same time
# Kept undefined to allow default (1800)
#unattended_random_sleep: 0
#Dpkg::Options
# Provide dpkg options that take effect during unattended upgrades.
# By default no flags are appended. Configuration file changes can
# block installation of certain packages. Passing the flags
# "--force-confdef" and "--force-confold" will ensure updates are applied
# and old configuration files are preserved.
unattended_dpkg_options: []
# unattended_dpkg_options:
# - "--force-confdef"
# - "--force-confold"
# Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec
#unattended_dl_limit: 70

2
roles/jnv.unattended-upgrades/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for unattended-upgrades

2
roles/jnv.unattended-upgrades/meta/.galaxy_install_info Normal file
View File

@ -0,0 +1,2 @@
install_date: Sun Apr 28 18:26:47 2019
version: v1.7.0

38
roles/jnv.unattended-upgrades/meta/main.yml Normal file
View File

@ -0,0 +1,38 @@
---
galaxy_info:
author: Jan Vlnas
description: Setup unattended-upgrades on Debian-based systems
license: GPLv2
min_ansible_version: 1.4
platforms:
- name: Ubuntu
versions:
- precise
- raring
- saucy
- trusty
- utopic
- name: Debian
versions:
- wheezy
- jessie
#
# Below are all categories currently available. Just as with
# the platforms above, uncomment those that apply to your role.
#
categories:
#- cloud
#- cloud:ec2
#- cloud:gce
#- cloud:rax
#- database
#- database:nosql
#- database:sql
#- development
#- monitoring
#- networking
#- packaging
- system
#- web
dependencies: []

2
roles/jnv.unattended-upgrades/tasks/main.yml Normal file
View File

@ -0,0 +1,2 @@
- include: unattended-upgrades.yml
tags: unattended

9
roles/jnv.unattended-upgrades/tasks/reboot.yml Normal file
View File

@ -0,0 +1,9 @@
---
# Ignored, since newer distros don't need this package
# https://github.com/jnv/ansible-role-unattended-upgrades/issues/6
- name: install update-notifier-common
apt:
pkg: update-notifier-common
state: present
failed_when: false

34
roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml Normal file
View File

@ -0,0 +1,34 @@
---
- name: add distribution-specific variables
include_vars: "{{ ansible_distribution }}.yml"
- name: add Debian Wheezy workaround
include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
when: (ansible_distribution == "Debian") and (ansible_distribution_release == "wheezy")
- name: install unattended-upgrades
apt:
pkg: unattended-upgrades
state: present
cache_valid_time: "{{unattended_cache_valid_time}}"
update_cache: yes
- name: install reboot dependencies
include: reboot.yml
when: unattended_automatic_reboot
- name: create APT auto-upgrades configuration
template:
src: auto-upgrades.j2
dest: /etc/apt/apt.conf.d/20auto-upgrades
owner: root
group: root
mode: 0644
- name: create unattended-upgrades configuration
template:
src: unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: 0644

25
roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 Normal file
View File

@ -0,0 +1,25 @@
APT::Periodic::Unattended-Upgrade "1";
{% if unattended_update_package_list is defined %}
APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}";
{% endif %}
{% if unattended_download_upgradeable is defined %}
APT::Periodic::Download-Upgradeable-Packages "{{unattended_download_upgradeable}}";
{% endif %}
{% if unattended_autoclean_interval is defined %}
APT::Periodic::AutocleanInterval "{{unattended_autoclean_interval}}";
{% endif %}
{% if unattended_clean_interval is defined %}
APT::Periodic::CleanInterval "{{unattended_clean_interval}}";
{% endif %}
{% if unattended_verbose is defined %}
APT::Periodic::Verbose "{{unattended_verbose}}";
{% endif %}
{% if unattended_random_sleep is defined %}
APT::Periodic::RandomSleep "{{unattended_random_sleep}}";
{% endif %}

106
roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 Normal file
View File

@ -0,0 +1,106 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
Unattended-Upgrade::Origins-Pattern {
{% if unattended_origins_patterns is defined %}
{% for origin in unattended_origins_patterns %}
"{{ origin }}";
{% endfor %}
{% else %}
{% for origin in __unattended_origins_patterns %}
"{{ origin }}";
{% endfor %}
{% endif %}
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
{% for package in unattended_package_blacklist %}
"{{package}}";
{% endfor %}
};
{% if not unattended_autofix_interrupted_dpkg %}
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "false";
{% endif %}
{% if unattended_minimal_steps %}
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
{% endif %}
{% if unattended_install_on_shutdown %}
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "true";
{% endif %}
{% if unattended_mail %}
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed.
Unattended-Upgrade::Mail "{{unattended_mail}}";
{% endif %}
{% if unattended_mail_only_on_error %}
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
{% endif %}
{% if unattended_remove_unused_dependencies %}
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
{% endif %}
{% if unattended_automatic_reboot %}
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";
{% endif %}
{% if unattended_automatic_reboot_time %}
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}";
{% endif %}
{% if unattended_update_days is defined %}
// Set the days of the week that updates should be applied. The days can be specified
// as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is
// Monday etc.
// Example - apply updates only on Monday and Friday:
// {"Mon";"Fri"};
Unattended-Upgrade::Update-Days {{ unattended_update_days }};
{% endif %}
{% if unattended_ignore_apps_require_restart %}
// Do upgrade application even if it requires restart after upgrade
// I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
Unattended-Upgrade::IgnoreAppsRequireRestart "true";
{% endif %}
{% if unattended_dpkg_options %}
// Append options for governing dpkg behavior, e.g. --force-confdef.
Dpkg::Options {
{% for dpkg_option in unattended_dpkg_options %}
"{{ dpkg_option }}";
{% endfor %}
};
{% endif %}
{% if unattended_dl_limit is defined %}
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "{{ unattended_dl_limit }}";
{% endif %}

3
roles/jnv.unattended-upgrades/tests/ansible.cfg Normal file
View File

@ -0,0 +1,3 @@
[defaults]
roles_path = ../../
retry_files_enabled = False

1
roles/jnv.unattended-upgrades/tests/inventory Normal file
View File

@ -0,0 +1 @@
localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python"

3
roles/jnv.unattended-upgrades/tests/requirements.yml Normal file
View File

@ -0,0 +1,3 @@
---
- src: chrismeyersfsu.provision_docker
name: provision_docker

29
roles/jnv.unattended-upgrades/tests/test.sh Executable file
View File

@ -0,0 +1,29 @@
#!/bin/bash
# Exit on any individual command failure
set -e
# Pretty colors.
red='\033[0;31m'
green='\033[0;32m'
neutral='\033[0m'
section() {
echo -e "\033[33;1m$1\033[0m"
}
fold_start() {
echo -e "travis_fold:start:$1\033[33;1m$2\033[0m"
}
fold_end() {
echo -e "\ntravis_fold:end:$1\r"
}
# Ensure we are in the tests dir
cd "$( dirname "${BASH_SOURCE[0]}" )"
section "Syntax check"
ansible-playbook -i inventory --syntax-check test.yml
section "Running role"
ansible-playbook -i inventory test.yml

70
roles/jnv.unattended-upgrades/tests/test.yml Normal file
View File

@ -0,0 +1,70 @@
---
- name: Bring up Docker containers
hosts: localhost
gather_facts: false
vars:
inventory:
- name: ubuntu_latest
image: "ubuntu:latest"
- name: ubuntu_xenial
image: "ubuntu:xenial"
- name: ubuntu_trusty
image: "ubuntu:trusty"
- name: debian_testing
image: "debian:testing"
- name: debian_stable
image: "debian:stable"
- name: debian_oldstable
image: "debian:oldstable"
roles:
- role: provision_docker
provision_docker_inventory: "{{ inventory }}"
provision_docker_privileged: true
provision_docker_use_docker_connection: true
- name: Test role
hosts: docker_containers
gather_facts: false
pre_tasks:
- name: Provision Python
raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-simplejson)"
register: output
changed_when: output.stdout
- setup: # Gather facts
vars:
unattended_autofix_interrupted_dpkg: false
unattended_minimal_steps: true
unattended_install_on_shutdown: true
unattended_automatic_reboot: true
unattended_update_days: '{"Sat"}'
roles:
# Searched for in ../.. (see ansible.cfg)
- ansible-role-unattended-upgrades
tasks:
- name: Idempotency check
include_role:
name: ansible-role-unattended-upgrades
register: idempotency
- fail:
msg: Role failed idempotency check
when: idempotency.changed
- name: Get apt-config variables
shell: apt-config dump
register: aptconfig
- name: Check for registered variables
assert:
that: item in aptconfig.stdout
with_items:
- 'APT::Periodic::Unattended-Upgrade "1"'
- 'Unattended-Upgrade::AutoFixInterruptedDpkg "false"'
- 'Unattended-Upgrade::MinimalSteps "true"'
- 'Unattended-Upgrade::InstallOnShutdown "true"'
- 'Unattended-Upgrade::Automatic-Reboot "true"'
# NOTE: this uses the array syntax, which requires one
# top-level record, then one item per line
- 'Unattended-Upgrade::Update-Days "";'
- 'Unattended-Upgrade::Update-Days:: "Sat";'
- name: Dry run unattended-upgrades
command: /usr/bin/unattended-upgrades --dry-run

11
roles/jnv.unattended-upgrades/vars/Debian-wheezy.yml Normal file
View File

@ -0,0 +1,11 @@
---
# This workaround for Debian Wheezy which doesn't support ${distro_codename} macro
# See
# https://github.com/jnv/ansible-role-unattended-upgrades/issues/19
# https://github.com/jnv/ansible-role-unattended-upgrades/pull/20
# for details
__unattended_origins_patterns:
- 'origin=Debian,archive=stable,label=Debian-Security'
- 'origin=Debian,archive=oldstable,label=Debian-Security'

3
roles/jnv.unattended-upgrades/vars/Debian.yml Normal file
View File

@ -0,0 +1,3 @@
---
__unattended_origins_patterns:
- 'origin=Debian,codename=${distro_codename},label=Debian-Security'

3
roles/jnv.unattended-upgrades/vars/Ubuntu.yml Normal file
View File

@ -0,0 +1,3 @@
---
__unattended_origins_patterns:
- 'origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu'

3
roles/kibana/defaults/main.yml
View File

@ -31,9 +31,8 @@ server_port: 5601
server_host: localhost
# The Kibana server's name. This is used for display purposes.
server_name: {{ ansible_hostname }}
server_name: ansible_hostname
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch_hosts:
- localhost
- server02

6
roles/sensu.sensu/.gitattributes vendored Normal file
View File

@ -0,0 +1,6 @@
Pipfile export-ignore
Pipfile.lock export-ignore
.travis.yml export-ignore
docs/ export-ignore
mkdocs.yml export-ignore
molecule/ export-ignore

4
roles/sensu.sensu/.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
site
molecule/shared/data/*
!molecule/shared/data/static/
molecule/*/cache/

11
roles/sensu.sensu/.yamllint Normal file
View File

@ -0,0 +1,11 @@
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable

194
roles/sensu.sensu/CHANGELOG.md Normal file
View File

@ -0,0 +1,194 @@
# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/)
The format is based on [Keep a Changelog](http://keepachangelog.com/).
## [Unreleased]
## [5.2.0] - 2019-03-12
## Added
- Add official support for OracleLinux 7 (@michaelpporter)
## [5.1.0] - 2019-02-27
## Changed
- Add `client_templates` option for group based tempaltes (@michaelpporter)
- Add `run_once: true` to `delegate_to: localhost` (@michaelpporter)
## [5.0.2] - 2019-02-19
## Fixed
- Fixup new loop logic to deploy checks/handlers/plugins to hosts (@michaelpporter)
## [5.0.1] - 2019-02-19
## Fixed
- Fixup sensu_rabbitmq_host to use new default variable for sensu_rabbitmq_servers (@michaelpporter)
## [5.0.0] - 2019-02-19
### Breaking Changes
- Prefix all variables with `sensu_` to reduce collisions with other roles (@michaelpporter)
## [4.0.0] - 2019-02-17
### Breaking Changes
- Upgrade all playbooks to `loop` syntax, requiring Ansible 2.5 or higher (@michaelpporter)
- Update role metadata to require Ansible 2.5 or higher (@jaredledvina)
### Changed
- Upgrade Inspec to 3.6.6 (@jaredledvina)
- Re-enabled Ubuntu 18.04 integration tests (@michaelpporter)
- Switch from `local_action` to `delegate_to: localhost` (@michaelpporter)
## [3.0.0] - 2019-02-16
### Breaking Changes
- Officially drop support for Ansible 2.3 (@jaredledvina)
- Switch to `include_tasks` and `import_tasks` (@michaelpporter)
### Fixed
- Update the use of tags to support Ansible 2.5 or higher (@michaelpporter)
## [2.7.0] - 2019-01-31
### Fixed
- RabbitMQ - Configure ciphers when SSL is enabled (@mkobel)
- Check if sensu_available_checks was skipped to support running in check mode (@jaredledvina)
### Changed
- Tests - Update Dockerfile and bump Inspec to 3.1.1 (@jaredledvina)
- Docs - Change theme to readthedocs from flatly to fix builds (@jaredledvina)
## [2.6.0] - 2018-07-03
### Changed
- Add support for configuring [Tessen](https://docs.sensu.io/sensu-core/1.4/reference/tessen/) via `sensu_enable_tessen` (@jaredledvina)
- Stop publishing development/testing files to Ansible Galaxy (@jaredledvina)
- Update molecule's testing configuration for speed and task profiling (@jaredledvina)
- Update Inspec to latest stable & refactor shared testing files (@jaredledvina)
- RabbitMQ - Expose a varient distro repo configs via variables for more flexibility (@jaredledvina)
- RabbitMQ - Configure apt-preferences and pin erlang to version 20.3.X (@jaredledvina)
- Fedora - RabbitMQ - Reconfigure GPG key pinning to match CentOS/AmazonLinux (@jaredledvina)
- Fedora/CentOS/AmazonLinux - Upgrade to zero-dep erlang v20 repo's (@jaredledvina)
## [2.5.0] - 2018-06-16
### Changed
- Ansible role is officially mirrored to the `sensu.sensu` namespace (@jaredledvina)
- Deprecated `sensu_pkg_version` for Redhat, Fedora, CentOS, and FreeBSD. To pin going forward across all operating systems, simply append the Sensu version to `sensu_package`. For example, `sensu_package: sensu-1.3.3` will ensure that only Sensu 1.3.3 is ever installed. (@jaredledvina)
- Ensure that on first install we install the latest stable Sensu release (@jaredledvina)
- Document `sensu_pkg_state`. If you'd like to ensure the latest stable release is always installed, simply leave `sensu_package` to the default `sensu` and change `sensu_pkg_state` to `latest`. (@jaredledvina)
- Switched entirely to [molecule](https://github.com/metacloud/molecule) for integration testing (@jaredledvina)
- Configure [Inspec](https://www.inspec.io/) for full automated verification after integration testing (@jaredledvina)
- Amazon Linux now installs proper version of EPEL (@jaredledvina)
- Amazon Linux now installs a supported version of Erlang and RabbitMQ from Bintray (@jaredledvina)
- Fixup the CentOS RabbitMQ install w/ full GPG signing verification (@jaredledvina)
- Various syntax cleanups and testing documentation updates (@jaredledvina)
- Enable `yamllint` checking and fixup all files to pass checks (@jaredledvina)
- Enable `ansible-lint` checking and fixup all errors to pass checks (@jaredledvina)
- Various doc cleanup and fixes (@jaredledvina)
- Switch openssl to `present` as `installed` is deprecated (@rlizana)
## [2.4.0] - 2018-05-06
### Fixed:
- Automated SSL key & cert generation fails on systems with Python 2.6 or older (@jaredledvina)
### Changed
- Port over the latest ssl_tools code to more native Ansible `command` instructions for greater flexibility (@jaredledvina)
## [2.3.0] - 2018-05-04
### Fixed
- Issue that prevented older OS such as CentOS 5 from installing the Sensu RPM package as they are unsigned (@smbambling)
- Security issue with redis.json being world readable, as it can contain sensitive information (@smbambling)
- Issue with conf.d that limited access and prevent automated tests from passing (@smbambling)
### Added
- Support for keepalive attributes: handlers and thresholds (warning/critical) in client.json (@smbambling)
- Support for managing safe_mode in client.json (@smbambling)
## [2.2.0] - 2018-02-22
### Added
- Fedora support. Tested in the wild on Fedora 25 as a client and Fedora 27 on the test suite as both master and client. (@danragnar)
- `tasks/Fedora/redis.yml`, `tasks/Fedora/rabbit.yml`: Based on CentOS equivalents but with dnf module instead of yum
- `tasks/Fedora/main.yml`, `tasks/Fedora/dashboard.yml`: links to Centos files
- `vars/Fedora.yml`: vars for Fedora
### Changed
- `tasks/CentOS/dashboard.yml`, `tasks/CentOS/main.yml`: Use generic package module to support Fedora (@danragnar)
## [2.1.0]
### Fixed
- `defaults/main.yaml`,`tasks/plugins.yml`: Fix Python 3.X compatability issue when checking the contents of sensu_remote_plugins. (@danragnar)
### Added
- `templates/sensu-api-json.j2`, `templates/uchiwa_config.json.j2`: Check for explicitly defining sensu_uchiwa_users and sensu_api_user_name as empty to disable authentication, useful when having a reverse proxy handling auth in front of the API and/or the uchiwa dashboard (@danragnar)
- `tasks/rabbit.yml`: Consistency of remote_src option for rabbitmq and sensu when copying SSL cert/key files. Useful if certificates are generated by another CA (e.g. FreeIPA) on the sensu host. (@danragnar)
## [2.0.0] - 2018-02-07
### Breaking Change
- Split up the variables used to determine if a host gets rabbitmq/redis for more flexibility in deployments. (@tculp) `sensu_deploy_rabbitmq` and `sensu_deploy_redis` are now `sensu_deploy_rabbitmq_server` and `sensu_deploy_redis_server` respectively. See the [role variable documentation](https://github.com/sensu/sensu-ansible/blob/master/docs/role_variables.md) for details on the parameters.
- Redis on Ubuntu will now be configured to bind to `0.0.0.0` to ensure accessiblity and to match the other supported OS configurations. (@tculp)
- Updated the supported Ansible version to the last two stable releases (currently that's Ansible 2.3 and 2.4). (@jaredledvina) Please note that we have not explicitly broken support for running this role on versions of Ansible <2.3. However, we will only be actively supporting the last two stable Ansible releases to reduce the maintenance burden.
### Added
- Initial support for OpenBSD! (@smbambling)
- Ubuntu now get's `apt-transport-https` installed to support HTTPS repos. (@kevit)
- Default to HTTPS APT repos. @jaredledvina
- Allow for configuring when a node gets the `sensu-client` config file. (@tculp)
- Allow for deploying client definitions based on groups. (@tculp)
- Default to HTTPS Yum repo's and install the Yum key for package signing validation via HTTPS. (@jaredledvina)
- Used HTTPS for APT key. (@jaredledvina)
- Amazon Linux has proper yum repo configured and supports Amazon Linux 2. (@romainrbr)
- Yum based distros now get EPEL to support installing a newer and supported version of RabbitMQ. (@romainrbr)
- CentOS now supports using Bintray mirrors for installing RabbitMQ to work around Erlang issues with older versions. (@romainrbr)
- All PRs are now required to pass TravisCI integrations tests. (@jaredledvina)
- Ensure that we configure the `mode` and `umask` for files to work in a more restrictive environment. (@roumano)
- Debian and Ubuntu switch to Bintray for RabbitMQ to match yum distros. (@jaredledvina)
### Changed
- Switched from Gitter to `#ansible` in the Sensu Community Slack. (@grepory)
- Bumped SSL tools version to 1.2 by default. (@marji)
- Update 'Generate SSL Certs' to support Ansible 2.4. (@tculp)
## [1.2.0] - 2017-05-13
### Added
- RedHat support
- Sensu enterprise support
- Adds a few other minor features as well, such as the ability to toggle rabbitmq's SSL
- Uchiwa HA support
### Changed
- Rely on the existing sensu repositories to install Uchiwa
- Use the FreeBSD repository
- Update documentation to note Ubuntu 15's EOL
- Allow overriding the use of EPEL on CentOS/RedHat
### Fixed
- Make sure any local directories that are assumed to exist actually do
## [1.1.0] - 2017-04-03
### Added
- Toggle for SSL cert management
### Changed
- Updated repository URLs and versions for all platforms
### Fixed
- Fixed behaivor changed by recent versions of Ansible
## 1.0.0 - 2017-02-14
First tagged release, starting at 1.0.0 since the project can be considered stable at this point.
[Unreleased]: https://github.com/sensu/sensu-ansible/compare/5.2.0...HEAD
[5.2.0]: https://github.com/sensu/sensu-ansible/compare/5.1.0...5.2.0
[5.1.0]: https://github.com/sensu/sensu-ansible/compare/5.0.2...5.1.0
[5.0.2]: https://github.com/sensu/sensu-ansible/compare/5.0.1...5.0.2
[5.0.1]: https://github.com/sensu/sensu-ansible/compare/5.0.0...5.0.1
[5.0.0]: https://github.com/sensu/sensu-ansible/compare/4.0.0...5.0.0
[4.0.0]: https://github.com/sensu/sensu-ansible/compare/3.0.0...4.0.0
[3.0.0]: https://github.com/sensu/sensu-ansible/compare/2.7.0...3.0.0
[2.7.0]: https://github.com/sensu/sensu-ansible/compare/2.6.0...2.7.0
[2.6.0]: https://github.com/sensu/sensu-ansible/compare/2.5.0...2.6.0
[2.5.0]: https://github.com/sensu/sensu-ansible/compare/2.4.0...2.5.0
[2.4.0]: https://github.com/sensu/sensu-ansible/compare/2.3.0...2.4.0
[2.3.0]: https://github.com/sensu/sensu-ansible/compare/2.2.0...2.3.0
[2.2.0]: https://github.com/sensu/sensu-ansible/compare/2.1.0...2.2.0
[2.1.0]: https://github.com/sensu/sensu-ansible/compare/2.0.0...2.1.0
[2.0.0]: https://github.com/sensu/sensu-ansible/compare/1.2.0...2.0.0
[1.2.0]: https://github.com/sensu/sensu-ansible/compare/1.1.0...1.2.0
[1.1.0]: https://github.com/sensu/sensu-ansible/compare/1.0.0...1.1.0

18
roles/sensu.sensu/LICENSE Normal file
View File

@ -0,0 +1,18 @@
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

85
roles/sensu.sensu/README.md Normal file
View File

@ -0,0 +1,85 @@
# Sensu [![Ansible Galaxy](https://img.shields.io/badge/galaxy-sensu.sensu-660198.svg?style=flat)](https://galaxy.ansible.com/sensu/sensu/) [![Build Status](https://travis-ci.org/sensu/sensu-ansible.svg?branch=master)](https://travis-ci.org/sensu/sensu-ansible)
[![Join the chat at https://slack.sensu.io/](https://slack.sensu.io/badge.svg)](https://slack.sensu.io/)
This role deploys a full [Sensu](https://sensu.io) stack, a modern, open source monitoring framework.
## Features
- Deploy a full [Sensu](https://sensu.io) stack, including RabbitMQ, redis, and the [Uchiwa dashboard](https://uchiwa.io/#/)
- Full support for [Sensu Enterprise](https://sensu.io/products/enterprise)
- Tight integration with the Ansible inventory - deployment of monitoring checks based on inventory grouping
- Fine grained control over dynamic client configurations
- Remote plugin deployment
- Automatic generation and dynamic deployment of SSL certs for secure communication between your clients and servers
- Highly configurable
## Batteries included, but not imposed
Along with deploying the Sensu Server, API and clients, this role can deploy a full stack: [RabbitMQ](http://www.rabbitmq.com/), [redis](http://redis.io), and the [Uchiwa dashboard](https://uchiwa.io/#/).
However, if you want to rely on other roles/management methods to deploy/manage these services, [it's nice and easy to integrate this role](http://ansible-sensu.readthedocs.io/en/latest/integration/).
## Documentation [![Documentation](https://readthedocs.org/projects/ansible-sensu/badge/?version=latest)](http://ansible-sensu.readthedocs.io/en/latest/)
[Read the full documentation](http://ansible-sensu.readthedocs.io/en/latest/) for a comprehensive overview of this role and its powerful features.
## Requirements
This role requires:
- A supported version of Ansible, see [Ansible version support](#ansible-version-support) for details.
- The `dynamic_data_store` variable to be set: see [Dynamic Data Store](http://ansible-sensu.readthedocs.io/en/latest/dynamic_data/)
- If `sensu_include_plugins` is true (the default), the `static_data_store` variable needs to be set: see [Check Deployment](http://ansible-sensu.readthedocs.io/en/latest/dynamic_checks/)
## Supported Platforms
### Automatically tested via TravisCI
- [CentOS - 6](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.9)
- [CentOS - 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7)
- [Debian - 8 (Jessie)](https://wiki.debian.org/DebianJessie)
- [Debian - 9 (Stretch)](https://wiki.debian.org/DebianStretch)
- [Ubuntu - 14.04 (Trusty Tahr)](http://releases.ubuntu.com/14.04/)
- [Ubuntu - 16.04 (Xenial Xerus)](http://releases.ubuntu.com/16.04/)
- [Fedora - 26](https://docs.fedoraproject.org/f26/release-notes/)
- [Fedora - 27](https://docs.fedoraproject.org/f27/release-notes/)
- [Fedora - 28](https://docs.fedoraproject.org/f28/release-notes/)
- [Amazon Linux](https://aws.amazon.com/amazon-linux-ami/)
- [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/)
### Supported manually (compatibility not always guaranteed)
- [SmartOS - base-64 15.x.x](https://docs.joyent.com/images/smartos/base#version-15xx)
- [FreeBSD - 10.3, 11.0 (64-bit only)](https://www.freebsd.org/releases/10.2R/relnotes.html)
- [OpenBSD - 6.2](https://www.openbsd.org/62.html)
## Role Variables
See [Role Variables](http://ansible-sensu.readthedocs.io/en/latest/role_variables/) for a detailed list of the variables this role uses
## Example Playbook
``` yaml
- hosts: all
roles:
- role: sensu.sensu
```
Or, passing parameter values:
``` yaml
- hosts: sensu_masters
roles:
- { role: sensu.sensu, sensu_master: true, sensu_include_dashboard: true }
```
## Ansible version support
All changes to this role are actively tested against Ansible 2.6 and 2.7 at this time. Ansible 2.5 is required at a minimum.
License
-------
MIT
Author Information
------------------
Originally created by [Calum MacRae](http://cmacr.ae) and supported by the [Sensu Community Ansible Maintainers](https://github.com/sensu-plugins/community/#maintained-areas)
### Contributors
See the projects [Contributors page](https://github.com/sensu/sensu-ansible/graphs/contributors)
Feel free to:
[Raise an issue](https://github.com/sensu/sensu-ansible/issues)
[Contribute](https://github.com/sensu/sensu-ansible/pulls)

126
roles/sensu.sensu/defaults/main.yml Normal file
View File

@ -0,0 +1,126 @@
---
# Sensu enterprise credential
# Variables for Sensu Enterprise License
se_enterprise: false
se_user: ''
se_pass: ''
# Sensu package
sensu_package: sensu
sensu_enterprise_package: sensu-enterprise
sensu_enterprise_dashboard_package: sensu-enterprise-dashboard
# Sensu repo urls
sensu_yum_repo_url: "https://sensu.global.ssl.fastly.net/yum/$releasever/$basearch/"
sensu_yum_key_url: "https://sensu.global.ssl.fastly.net/yum/pubkey.gpg"
sensu_apt_repo_url: "deb https://repositories.sensuapp.org/apt {{ ansible_distribution_release }} main"
sensu_apt_key_url: "https://sensu.global.ssl.fastly.net/apt/pubkey.gpg"
sensu_freebsd_url: "https://sensu.global.ssl.fastly.net/freebsd/FreeBSD:{{ ansible_distribution_major_version }}:{{ ansible_architecture }}/"
sensu_ol_yum_repo_url: "https://dl.fedoraproject.org/pub/epel/$releasever/$basearch/"
sensu_ol_yum_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-$releasever"
# Sensu service names
sensu_server_service_name: sensu-server
sensu_api_service_name: sensu-api
sensu_client_service_name: sensu-client
sensu_enterprise_service_name: sensu-enterprise
sensu_enterprise_dashboard_service_name: sensu-enterprise-dashboard
uchiwa_service_name: uchiwa
# Service deployment options
sensu_deploy_rabbitmq_server: true
sensu_deploy_redis_server: true
# RabbitMQ server properties
sensu_rabbitmq_config_path: /etc/rabbitmq
sensu_rabbitmq_config_template: rabbitmq.config.j2
sensu_rabbitmq_enable_ssl: true
sensu_rabbitmq_host: "{{ groups['sensu_rabbitmq_servers'][0] }}"
sensu_rabbitmq_port: 5671
sensu_rabbitmq_pkg_state: present
sensu_rabbitmq_server: false
sensu_rabbitmq_service_name: rabbitmq-server
sensu_rabbitmq_user_name: sensu
sensu_rabbitmq_password: sensu
sensu_rabbitmq_vhost: /sensu
# redis server properties
sensu_redis_host: "{{ groups['sensu_redis_servers'][0] }}"
sensu_redis_server: false
sensu_redis_service_name: redis
sensu_redis_pkg_repo: ~
sensu_redis_pkg_name: redis
sensu_redis_pkg_state: present
sensu_redis_port: 6379
sensu_redis_password:
sensu_redis_sentinels: []
sensu_redis_master_name:
sensu_redis_config: sensu-redis.json.j2
# Sensu/Uchiwa user/group/service properties
sensu_api_host: "{{ groups['sensu_masters'][0] }}"
sensu_api_port: 4567
sensu_api_ssl: "false"
sensu_api_user_name: admin
sensu_api_password: secret
sensu_api_uchiwa_path: ''
sensu_api_timeout: 5000
sensu_client_config: client.json.j2
sensu_rabbitmq_config: sensu-rabbitmq.json.j2
sensu_config_path: /etc/sensu
sensu_pkg_state: present
sensu_gem_state: present
sensu_plugin_gem_state: present
sensu_group_name: sensu
sensu_include_plugins: true
sensu_include_dashboard: false
sensu_master: false
sensu_client: true
sensu_user_name: sensu
sensu_remote_plugins: []
sensu_transport: rabbitmq
sensu_client_name: "{{ ansible_hostname }}"
sensu_client_subscriptions: "{{ group_names }}"
sensu_client_keepalive_handlers:
- default
sensu_client_keepalive_threshold_warning: 120
sensu_client_keepalive_threshold_critical: 180
sensu_client_safe_mode: false
sensu_deploy_rabbitmq_config: true
sensu_deploy_redis_config: true
sensu_deploy_transport_config: true
sensu_enable_tessen: false
# Sensu/RabbitMQ SSL certificate properties
sensu_ssl_gen_certs: true
sensu_ssl_deploy_remote_src: false
sensu_ssl_manage_certs: true
sensu_master_config_path: "{{ hostvars[groups['sensu_masters'][0]]['sensu_config_path'] | default('/etc/sensu') }}"
sensu_ssl_tool_base_path: "{{ dynamic_data_store }}/{{ groups['sensu_masters'][0] }}{{ sensu_master_config_path }}/ssl_generation/sensu_ssl_tool"
sensu_ssl_client_cert: "{{ sensu_ssl_tool_base_path }}/client/cert.pem"
sensu_ssl_client_key: "{{ sensu_ssl_tool_base_path }}/client/key.pem"
sensu_ssl_server_cacert: "{{ sensu_ssl_tool_base_path }}/sensu_ca/cacert.pem"
sensu_ssl_server_cert: "{{ sensu_ssl_tool_base_path }}/server/cert.pem"
sensu_ssl_server_key: "{{ sensu_ssl_tool_base_path }}/server/key.pem"
dynamic_data_store: "{{ playbook_dir }}/data/store"
static_data_store: "{{ playbook_dir }}/data/static"
# Uchiwa properties
sensu_uchiwa_dc_name: ~
sensu_uchiwa_path: /opt/uchiwa
sensu_uchiwa_redis_use_ssl: false
sensu_uchiwa_users:
- username: admin
password: admin
sensu_uchiwa_port: 3000
sensu_uchiwa_refresh: 5
sensu_uchiwa_api_port: "{{ sensu_api_port }}"
sensu_uchiwa_auth_privatekey: ~
sensu_uchiwa_auth_publickey: ~
# CentOS repository for redis and rabbitmq
sensu_centos_repository: epel
# Internal settings
__bash_path: /bin/bash
__root_group: root

69
roles/sensu.sensu/handlers/main.yml Normal file
View File

@ -0,0 +1,69 @@
---
- name: restart rabbitmq service
service:
name: "{{ sensu_rabbitmq_service_name }}"
state: restarted
- name: restart redis service
service:
name: "{{ sensu_redis_service_name }}"
pattern: /usr/bin/redis-server
state: restarted
- name: restart uchiwa service
service:
name: "{{ uchiwa_service_name }}"
state: restarted
- name: restart sensu-server service
service:
name: "{{ sensu_server_service_name }}"
state: restarted
when: sensu_master and not se_enterprise
- name: restart sensu-api service
service:
name: "{{ sensu_api_service_name }}"
state: restarted
when: sensu_master and not se_enterprise
- name: restart sensu-client service
service:
name: "{{ sensu_client_service_name }}"
state: restarted
- name: restart sensu-enterprise service
service:
name: "{{ sensu_enterprise_service_name }}"
state: restarted
when: se_enterprise and sensu_master
- name: restart sensu-enterprise-dashboard service
service:
name: "{{ sensu_enterprise_dashboard_service_name }}"
state: restarted
when: se_enterprise and sensu_master
# Joyent SmartOS specific handlers
- name: import sensu-server service
command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/sensu-server.xml
- name: import sensu-api service
command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/sensu-api.xml
- name: import sensu-client service
command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/sensu-client.xml
- name: import uchiwa service
command: /usr/sbin/svccfg import /opt/local/lib/svc/manifest/uchiwa.xml
- name: Build and deploy Uchiwa
command: npm install --production
args:
chdir: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa"
become: true
become_user: "{{ sensu_user_name }}"
- name: Update pkgng database
command: /usr/sbin/pkg update

2
roles/sensu.sensu/meta/.galaxy_install_info Normal file
View File

@ -0,0 +1,2 @@
install_date: Sun Apr 28 17:44:58 2019
version: 5.2.0

39
roles/sensu.sensu/meta/main.yml Normal file
View File

@ -0,0 +1,39 @@
---
galaxy_info:
author: Calum MacRae
description: Deploy a full Sensu monitoring stack; including redis, RabbitMQ & the Uchiwa dashboard
license: MIT
min_ansible_version: 2.5
platforms:
- name: EL
versions:
- 6
- 7
- name: Ubuntu
versions:
- trusty
- vivid
- name: Debian
versions:
- jessie
- stretch
- name: Fedora
versions:
- 26
- 27
- 28
galaxy_tags:
- cloud
- monitoring
- system
- web
- sensu
- rabbitmq
- redis
- metrics
- amqp
- alerting
- stack
- dashboard
dependencies: []

21
roles/sensu.sensu/tasks/Amazon/dashboard.yml Normal file
View File

@ -0,0 +1,21 @@
---
# tasks/Amazon/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to CentOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Ensure Uchiwa is installed
tags: dashboard
yum:
name: uchiwa
state: present
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_config_path }}/uchiwa.json"
notify: restart uchiwa service

30
roles/sensu.sensu/tasks/Amazon/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
# tasks/Amazon/main.yml: CentOS specific set-up
# This takes care of base prerequisites for Amazon Linux AMI
- name: Include ansible_distribution vars
tags: setup
include_vars:
file: "{{ ansible_distribution }}.yml"
- name: Set epel_version override when AmazonLinux AMIv2
tags: setup
set_fact:
epel_version: 7
when: ansible_distribution_version == 'Candidate'
- name: Ensure the Sensu Core Yum repo is present
tags: setup
yum_repository:
name: sensu
description: The Sensu Core yum repository
baseurl: "{{ sensu_yum_repo_url }}"
gpgkey: "{{ sensu_yum_key_url }}"
gpgcheck: yes
enabled: yes
- name: Ensure Sensu is installed
tags: setup
yum:
name: "{{ sensu_package }}"
state: "{{ sensu_pkg_state }}"

66
roles/sensu.sensu/tasks/Amazon/rabbit.yml Normal file
View File

@ -0,0 +1,66 @@
---
# tasks/Amazon/rabbit.yml: Deploy RabbitMQ
# Specific to Amazon Linux
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Configure RabbitMQ/RabbitMQ-erlang GPG keys in the RPM keyring
tags: rabbitmq
rpm_key:
key: "{{ sensu_rabbitmq_signing_key }}"
state: present
register: sensu_rabbitmq_import_key
- name: Add RabbitMQ's repo
tags: rabbitmq
yum_repository:
name: rabbitmq
description: rabbitmq
baseurl: "{{ sensu_rabbitmq_baseurl }}"
gpgcheck: yes
gpgkey: "{{ sensu_rabbitmq_signing_key }}"
repo_gpgcheck: no
- name: Add RabbitMQ's Erlang repo
tags: rabbitmq
yum_repository:
name: rabbitmq-erlang
description: rabbitmq-erlang
baseurl: "{{ sensu_rabbitmq_erlang_baseurl }}"
gpgcheck: yes
gpgkey: "{{ sensu_rabbitmq_erlang_signing_key }}"
repo_gpgcheck: no
# HACK: https://github.com/ansible/ansible/issues/20711#issuecomment-306260869
# Can be removed once we're running w/ a version of Ansible that has https://github.com/ansible/ansible/pull/35989
- name: Make yum cache to import GPG keys
tags: rabbitmq
command: "yum -q makecache -y --disablerepo='*' --enablerepo='{{ item }}'"
args:
warn: false
when: sensu_rabbitmq_import_key.changed
loop:
- rabbitmq
- rabbitmq-erlang
# Hard dependency for rabbitmq-server, however, typically comes from EPEL, so
# we simply install it here, as we purposely disable epel when installing rabbitmq
# causing dependency issues during installs
- name: Ensure socat is installed
tags: rabbitmq
yum:
name: socat
state: present
- name: Ensure Erlang & RabbitMQ are installed
tags: rabbitmq
yum:
name:
- erlang
- rabbitmq-server
state: present
enablerepo: rabbitmq,rabbitmq-erlang
disablerepo: '*'

29
roles/sensu.sensu/tasks/Amazon/redis.yml Normal file
View File

@ -0,0 +1,29 @@
---
# tasks/Amazon/redis.yml: Deploy redis
# Specific to Amazon Linux AMI
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Install EPEL repo
tags: redis
yum:
name: "{{ epel_repo_rpm }}"
state: present
when: enable_epel_repo
- name: Ensure redis is installed
tags: redis
yum:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
enablerepo: epel
- name: Ensure redis binds to accessible IP
tags: redis
lineinfile:
dest: /etc/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'

41
roles/sensu.sensu/tasks/CentOS/dashboard.yml Normal file
View File

@ -0,0 +1,41 @@
---
# tasks/CentOS/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to CentOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Ensure Uchiwa is installed
tags: dashboard
package:
name: uchiwa
state: present
when: not se_enterprise
- name: Ensure Sensu Enterprise Dashboard is installed
tags: dashboard
package:
name: "{{ sensu_enterprise_dashboard_package }}"
state: present
when: se_enterprise
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_config_path }}/uchiwa.json"
when: not se_enterprise
notify:
- restart uchiwa service
- name: Deploy Sensu Enterprise Dashboard
tags: dashboard
template:
src: sensu_enterprise_dashboard_config.json.j2
dest: "{{ sensu_config_path }}/dashboard.json"
when: se_enterprise
notify:
- restart sensu-enterprise-dashboard service

83
roles/sensu.sensu/tasks/CentOS/main.yml Normal file
View File

@ -0,0 +1,83 @@
---
# tasks/CentOS/main.yml: CentOS specific set-up
# This takes care of base prerequisites for CentOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: setup
- name: Ensure the Sensu Core Yum repo is present
tags: setup
yum_repository:
name: sensu
description: The Sensu Core yum repository
baseurl: "{{ sensu_yum_repo_url }}"
gpgkey: "{{ sensu_yum_key_url }}"
gpgcheck: "{{ (
(ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux') and
ansible_distribution_major_version == '5'
) | ternary('no', 'yes') }}"
enabled: yes
- name: Ensure the epel present for OracleLinux
tags: setup
yum_repository:
name: epel
description: EPEL YUM repo
baseurl: "{{ sensu_ol_yum_repo_url }}"
gpgkey: "{{ sensu_ol_yum_key_url }}"
enabled: yes
when: ansible_distribution == 'OracleLinux'
- name: Ensure that credential is supplied if installing Sensu Enterprise
tags: setup
assert:
that:
- "se_user != ''"
- "se_pass != ''"
msg: Sensu enterprise credential must not be empty. Did you forget to set se_user and se_pass?
when: se_enterprise
- name: Ensure the Sensu Enterprise repo is present
tags: setup
copy:
dest: /etc/yum.repos.d/sensu-enterprise.repo
content: |
[sensu-enterprise]
name=sensu-enterprise
baseurl=http://{{ se_user }}:{{ se_pass }}@enterprise.sensuapp.com/yum/noarch/
gpgcheck=0
enabled=1
owner: root
group: root
mode: 0644
when: se_enterprise
- name: Ensure the Sensu Enterprise Dashboard repo is present
tags: setup
copy:
dest: /etc/yum.repos.d/sensu-enterprise-dashboard.repo
content: |
[sensu-enterprise-dashboard]
name=sensu-enterprise-dashboard
baseurl=http://{{ se_user }}:{{ se_pass }}@enterprise.sensuapp.com/yum/\$basearch/
gpgcheck=0
enabled=1
owner: root
group: root
mode: 0644
when: se_enterprise
- name: Ensure Sensu is installed
tags: setup
package:
name: "{{ sensu_package }}"
state: "{{ sensu_pkg_state }}"
- name: Ensure Sensu Enterprise is installed
tags: setup
package:
name: "{{ sensu_enterprise_package }}"
state: "{{ sensu_pkg_state }}"
when: se_enterprise

66
roles/sensu.sensu/tasks/CentOS/rabbit.yml Normal file
View File

@ -0,0 +1,66 @@
---
# tasks/CentOS/rabbit.yml: Deploy RabbitMQ
# Specific to CentOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Configure RabbitMQ GPG keys in the RPM keyring
tags: rabbitmq
rpm_key:
key: "{{ sensu_rabbitmq_signing_key }}"
state: present
register: sensu_rabbitmq_import_key
- name: Add RabbitMQ's repo
tags: rabbitmq
yum_repository:
name: rabbitmq
description: rabbitmq
baseurl: "{{ sensu_rabbitmq_baseurl }}"
gpgcheck: yes
gpgkey: "{{ sensu_rabbitmq_signing_key }}"
repo_gpgcheck: no
- name: Add RabbitMQ's Erlang repo
tags: rabbitmq
yum_repository:
name: rabbitmq-erlang
description: rabbitmq-erlang
baseurl: "{{ sensu_rabbitmq_erlang_baseurl }}"
gpgcheck: yes
gpgkey: "{{ sensu_rabbitmq_erlang_signing_key }}"
repo_gpgcheck: no
# HACK: https://github.com/ansible/ansible/issues/20711#issuecomment-306260869
# Can be removed once we're running w/ a version of Ansible that has https://github.com/ansible/ansible/pull/35989
- name: Make yum cache to import GPG keys
tags: rabbitmq
command: "yum -q makecache -y --disablerepo='*' --enablerepo='{{ item }}'"
args:
warn: false
when: sensu_rabbitmq_import_key.changed
loop:
- rabbitmq
- rabbitmq-erlang
# Hard dependency for rabbitmq-server, however, typically comes from EPEL, so
# we simply install it here, as we purposely disable epel when installing rabbitmq
# causing dependency issues during installs
- name: Ensure socat is installed
tags: rabbitmq
yum:
name: socat
state: present
- name: Ensure Erlang & RabbitMQ are installed
tags: rabbitmq
yum:
name:
- erlang
- rabbitmq-server
state: present
enablerepo: rabbitmq,rabbitmq-erlang
disablerepo: epel

29
roles/sensu.sensu/tasks/CentOS/redis.yml Normal file
View File

@ -0,0 +1,29 @@
---
# tasks/CentOS/redis.yml: Deploy redis
# Specific to CentOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Install EPEL repo
tags: redis
yum:
name: epel-release
state: present
when: enable_epel_repo
- name: Ensure redis is installed
tags: redis
yum:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
enablerepo: "{{ sensu_centos_repository }}"
- name: Ensure redis binds to accessible IP
tags: redis
lineinfile:
dest: /etc/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'

21
roles/sensu.sensu/tasks/Debian/dashboard.yml Normal file
View File

@ -0,0 +1,21 @@
---
# tasks/Debian/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to Debian
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Install uchiwa
tags: dashboard
apt:
name: uchiwa
state: present
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_config_path }}/uchiwa.json"
notify: restart uchiwa service

41
roles/sensu.sensu/tasks/Debian/main.yml Normal file
View File

@ -0,0 +1,41 @@
---
# tasks/Debian/main.yml: Debian specific set-up
# This takes care of base prerequisites for Debian
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: setup
- name: Ensure apt-transport-https is installed
tags: setup
apt:
name: apt-transport-https
state: present
cache_valid_time: 3600
update_cache: true
- name: Ensure that gnupg is installed for apt_key
tags: setup
apt:
name: gnupg
state: present
- name: Ensure the Sensu APT repo GPG key is present
tags: setup
apt_key:
url: "{{ sensu_apt_key_url }}"
state: present
- name: Ensure the Sensu Core APT repo is present
tags: setup
apt_repository:
repo: "{{ sensu_apt_repo_url }}"
state: present
update_cache: true
- name: Ensure Sensu is installed
tags: setup
apt:
name: "{{ sensu_package }}"
state: "{{ sensu_pkg_state }}"

53
roles/sensu.sensu/tasks/Debian/rabbit.yml Normal file
View File

@ -0,0 +1,53 @@
---
# tasks/Debian/rabbit.yml: Deploy RabbitMQ
# Specific to Debian
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Ensure the RabbitMQ APT repo GPG key is present
tags: rabbitmq
apt_key:
url: "{{ sensu_rabbitmq_signing_key }}"
state: present
- name: Ensure the RabbitMQ APT repo is present
tags: rabbitmq
apt_repository:
repo: "{{ sensu_rabbitmq_repo }}"
filename: rabbitmq
state: present
update_cache: true
- name: Ensure Erlang APT preferences is configured
tags: rabbitmq
template:
src: erlang-apt-preferences.j2
dest: /etc/apt/preferences.d/erlang
owner: root
group: root
mode: 0755
- name: Ensure the Erlang APT repo GPG key is present
tags: rabbitmq
apt_key:
url: "{{ sensu_rabbitmq_erlang_signing_key }}"
state: present
- name: Ensure the Erlang APT repo is present
tags: rabbitmq
apt_repository:
repo: "{{ sensu_rabbitmq_erlang_repo }}"
filename: erlang
state: present
update_cache: true
- name: Ensure RabbitMQ is installed
tags: rabbitmq
apt:
name: rabbitmq-server
state: "{{ sensu_rabbitmq_pkg_state }}"
cache_valid_time: 600
update_cache: true

26
roles/sensu.sensu/tasks/Debian/redis.yml Normal file
View File

@ -0,0 +1,26 @@
---
# tasks/Debian/redis.yml: Deploy redis
# Specific to Debian
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Ensure redis is installed
tags: redis
apt:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
update_cache: true
- name: Ensure redis binds to accessible IP
tags: redis
lineinfile:
dest: /etc/redis/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'
notify: restart redis service
- meta: flush_handlers
tags: redis

1
roles/sensu.sensu/tasks/Fedora/dashboard.yml Symbolic link
View File

@ -0,0 +1 @@
../CentOS/dashboard.yml

1
roles/sensu.sensu/tasks/Fedora/main.yml Symbolic link
View File

@ -0,0 +1 @@
../CentOS/main.yml

66
roles/sensu.sensu/tasks/Fedora/rabbit.yml Normal file
View File

@ -0,0 +1,66 @@
---
# tasks/Fedora/rabbit.yml: Deploy RabbitMQ
# Specific to Fedora
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Configure RabbitMQ GPG keys in the RPM keyring
tags: rabbitmq
rpm_key:
key: "{{ sensu_rabbitmq_signing_key }}"
state: present
register: sensu_rabbitmq_import_key
- name: Add RabbitMQ's repo
tags: rabbitmq
yum_repository:
name: rabbitmq
description: rabbitmq
baseurl: "{{ sensu_rabbitmq_baseurl }}"
gpgcheck: yes
gpgkey: "{{ sensu_rabbitmq_signing_key }}"
repo_gpgcheck: no
- name: Add RabbitMQ's Erlang repo
tags: rabbitmq
yum_repository:
name: rabbitmq-erlang
description: rabbitmq-erlang
baseurl: "{{ sensu_rabbitmq_erlang_baseurl }}"
gpgcheck: yes
gpgkey: "{{ sensu_rabbitmq_erlang_signing_key }}"
repo_gpgcheck: no
# HACK: https://github.com/ansible/ansible/issues/20711#issuecomment-306260869
# Can be removed once we're running w/ a version of Ansible that has https://github.com/ansible/ansible/pull/35989
- name: Make yum cache to import GPG keys
tags: rabbitmq
command: "yum -q makecache -y --disablerepo='*' --enablerepo='{{ item }}'"
args:
warn: false
when: sensu_rabbitmq_import_key.changed
loop:
- rabbitmq
- rabbitmq-erlang
# Hard dependency for rabbitmq-server, however, typically comes from EPEL, so
# we simply install it here, as we purposely disable epel when installing rabbitmq
# causing dependency issues during installs
- name: Ensure socat is installed
tags: rabbitmq
dnf:
name: socat
state: present
- name: Ensure Erlang & RabbitMQ are installed
tags: rabbitmq
dnf:
name:
- erlang
- rabbitmq-server
state: present
enablerepo: rabbitmq,rabbitmq-erlang
disablerepo: epel

27
roles/sensu.sensu/tasks/Fedora/redis.yml Normal file
View File

@ -0,0 +1,27 @@
---
# tasks/Fedora/redis.yml: Deploy redis
# Specific to Fedora
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Ensure jemalloc is installed as a dependency of Redis
tags: redis
dnf:
name: jemalloc
state: present
- name: Ensure redis is installed
tags: redis
dnf:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
- name: Ensure redis binds to accessible IP
tags: redis
lineinfile:
dest: /etc/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'

86
roles/sensu.sensu/tasks/FreeBSD/dashboard.yml Normal file
View File

@ -0,0 +1,86 @@
---
# tasks/FreeBSD/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to FreeBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Ensure Uchiwa (dashboard) dependencies are installed
tags: dashboard
pkgng:
name: "{{ item }}"
state: present
loop:
- go
- git
- npm
- name: Ensure Uchiwa directory exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
recurse: true
- name: Ensure Uchiwa Go/config directory exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}/{{ item }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
recurse: true
loop:
- etc
- go
- name: Ensure Uchiwa GOPATH exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}/go/{{ item }}"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
state: directory
recurse: true
loop:
- bin
- pkg
- src
- name: Fetch Uchiwa from GitHub
tags: dashboard
command: go get github.com/sensu/uchiwa
environment:
GOPATH: "{{ sensu_uchiwa_path }}/go"
args:
creates: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa"
notify: Build and deploy Uchiwa
become: true
become_user: "{{ sensu_user_name }}"
- meta: flush_handlers
tags: dashboard
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_uchiwa_path }}/etc/config.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
notify: restart uchiwa service
- name: Deploy Uchiwa service file
tags: dashboard
template:
src: uchiwa_freebsd.j2
dest: "/usr/local/etc/rc.d/uchiwa"
mode: "0755"
- name: Ensure Uchiwa server service is running
tags: dashboard
service: name=uchiwa state=started enabled=yes

53
roles/sensu.sensu/tasks/FreeBSD/main.yml Normal file
View File

@ -0,0 +1,53 @@
---
# tasks/FreeBSD/main.yml: FreeBSD specific set-up
# This takes care of base prerequisites for FreeBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: setup
- name: Ensure the Sensu group is present
tags: setup
group:
name: "{{ sensu_group_name }}"
state: present
- name: Ensure the Sensu user is present
tags: setup
user:
name: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
shell: /bin/false
home: "{{ sensu_config_path }}"
createhome: true
state: present
- name: Ensure pkgng custom repo config directory exists
tags: setup
file:
path: /usr/local/etc/pkg/repos/
state: directory
- name: Ensure Sensu repo is configured
tags: setup
template:
src: sensu-freebsd-repo.conf.j2
dest: /usr/local/etc/pkg/repos/sensu.conf
notify:
- Update pkgng database
- name: Ensure prerequisite packages are installed
tags: setup
pkgng:
name: "{{ item }}"
state: present
loop:
- bash
- ca_root_nss
- name: Ensure Sensu is installed
tags: setup
pkgng:
name: "{{ sensu_package }}"
state: "{{ sensu_pkg_state }}"

14
roles/sensu.sensu/tasks/FreeBSD/rabbit.yml Normal file
View File

@ -0,0 +1,14 @@
---
# tasks/FreeBSD/rabbit.yml: Deploy RabbitMQ
# Specific to FreeBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Ensure RabbitMQ is installed
tags: rabbitmq
pkgng:
name: rabbitmq
state: "{{ sensu_rabbitmq_pkg_state }}"

25
roles/sensu.sensu/tasks/FreeBSD/redis.yml Normal file
View File

@ -0,0 +1,25 @@
---
# tasks/FreeBSD/redis.yml: Deploy redis
# Specific to FreeBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Ensure redis is installed
tags: redis
pkgng:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
- name: Ensure redis binds to accessible IP
tags: redis
lineinfile:
dest: /usr/local/etc/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'
notify: restart redis service
- meta: flush_handlers
tags: redis

86
roles/sensu.sensu/tasks/OpenBSD/dashboard.yml Normal file
View File

@ -0,0 +1,86 @@
---
# tasks/OpenBSD/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to OpenBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Ensure Uchiwa (dashboard) dependencies are installed
tags: dashboard
openbsd_pkg:
name: "{{ item }}"
state: present
loop:
- go
- git
- npm
- name: Ensure Uchiwa directory exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
recurse: true
- name: Ensure Uchiwa Go/config directory exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}/{{ item }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
recurse: true
loop:
- etc
- go
- name: Ensure Uchiwa GOPATH exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}/go/{{ item }}"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
state: directory
recurse: true
loop:
- bin
- pkg
- src
- name: Fetch Uchiwa from GitHub
tags: dashboard
command: go get github.com/sensu/uchiwa
environment:
GOPATH: "{{ sensu_uchiwa_path }}/go"
args:
creates: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa"
notify: Build and deploy Uchiwa
become: true
become_user: "{{ sensu_user_name }}"
- meta: flush_handlers
tags: dashboard
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_uchiwa_path }}/etc/config.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
notify: restart uchiwa service
- name: Deploy Uchiwa service file
tags: dashboard
template:
src: uchiwa_openbsd.j2
dest: "/usr/local/etc/rc.d/uchiwa"
mode: "0755"
- name: Ensure Uchiwa server service is running
tags: dashboard
service: name=uchiwa state=started enabled=yes

69
roles/sensu.sensu/tasks/OpenBSD/main.yml Normal file
View File

@ -0,0 +1,69 @@
---
# tasks/OpenBSD/main.yml: OpenBSD specific set-up
# This takes care of base prerequisites for OpenBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: setup
- name: Ensure the Sensu group is present
tags: setup
group: name={{ sensu_group_name }} state=present
- name: Ensure the Sensu user is present
tags: setup
user:
name: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
shell: /bin/false
home: "{{ sensu_config_path }}"
createhome: true
state: present
- name: Install prerequisite packages
tags: setup
openbsd_pkg:
name: "{{ item }}"
state: present
loop:
- bash
- ruby%2.3
- name: Get the current version of rubygems
tags: setup
shell: /usr/local/bin/gem23 --version
check_mode: no
register: gem23_version
changed_when: False
- name: Update rubygems to work around rubygems/rubygems/issues/1448
tags: setup
shell: /usr/local/bin/gem23 update --system
when: "{{ gem23_version.stdout | version_compare('2.5.3', '<') }}"
- name: Install sensu gem and all of its dependencies
tags: setup
gem:
name: sensu
repository: "{{ sensu_gem_repository | default('https://api.rubygems.org/') }}"
user_install: no
version: "{{ sensu_gem_version }}"
executable: /usr/local/bin/gem23
- name: Create the sensu log folder
tags: setup
file:
path: /var/log/sensu
owner: root
group: wheel
state: directory
- name: Deploy OpenBSD rc script
tags: setup
template:
src: sensuclient_openbsd.j2
dest: /etc/rc.d/sensuclient
owner: root
group: wheel
mode: 0755

14
roles/sensu.sensu/tasks/OpenBSD/rabbit.yml Normal file
View File

@ -0,0 +1,14 @@
---
# tasks/OpenBSD/rabbit.yml: Deploy RabbitMQ
# Specific to OpenBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Ensure RabbitMQ is installed
tags: rabbitmq
pkgng:
name: rabbitmq
state: "{{ sensu_rabbitmq_pkg_state }}"

25
roles/sensu.sensu/tasks/OpenBSD/redis.yml Normal file
View File

@ -0,0 +1,25 @@
---
# tasks/OpenBSD/redis.yml: Deploy redis
# Specific to OpenBSD
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Ensure redis is installed
tags: redis
pkgng:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
- name: Ensure redis binds to accessible IP
tags: redis
lineinfile:
dest: /usr/local/etc/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'
notify: restart redis service
- meta: flush_handlers
tags: redis

1
roles/sensu.sensu/tasks/OracleLinux Symbolic link
View File

@ -0,0 +1 @@
CentOS

1
roles/sensu.sensu/tasks/RedHat Symbolic link
View File

@ -0,0 +1 @@
CentOS

23
roles/sensu.sensu/tasks/SmartOS/client.yml Normal file
View File

@ -0,0 +1,23 @@
---
# tasks/SmartOS/client.yml: Deploy various client-side configurations for Sensu
# Specific to Joyent SmartOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: client
- name: Deploy Sensu client service manifest
tags: client
template:
dest: /opt/local/lib/svc/manifest/sensu-client.xml
src: sensu-client.smartos_smf_manifest.xml.j2
owner: root
group: root
mode: 0644
notify:
- import sensu-client service
- restart sensu-client service
- meta: flush_handlers
tags: client

96
roles/sensu.sensu/tasks/SmartOS/dashboard.yml Normal file
View File

@ -0,0 +1,96 @@
---
# tasks/SmartOS/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to Joyent SmartOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Ensure Uchiwa (dashboard) dependencies are installed
tags: dashboard
pkgin: name=go state=present
- name: Ensure Uchiwa directory exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
recurse: true
- name: Ensure Uchiwa Go/config directory exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}/{{ item }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
recurse: true
loop:
- etc
- go
- name: Ensure Uchiwa GOPATH exists
tags: dashboard
file:
dest: "{{ sensu_uchiwa_path }}/go/{{ item }}"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
state: directory
recurse: true
loop:
- bin
- pkg
- src
- name: Fetch Uchiwa from GitHub
tags: dashboard
command: go get github.com/sensu/uchiwa
environment:
GOPATH: "{{ sensu_uchiwa_path }}/go"
args:
creates: "{{ sensu_uchiwa_path }}/go/src/github.com/sensu/uchiwa"
notify: Build and deploy Uchiwa
become: true
become_user: "{{ sensu_user_name }}"
- meta: flush_handlers
tags: dashboard
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_uchiwa_path }}/etc/config.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
notify: restart uchiwa service
- name: Deploy Uchiwa service script
tags: dashboard
template:
src: uchiwa.sh.j2
dest: /opt/local/lib/svc/method/uchiwa
owner: root
group: root
mode: 0755
notify: restart uchiwa service
- name: Deploy Uchiwa service manifest
tags: dashboard
template:
dest: /opt/local/lib/svc/manifest/uchiwa.xml
src: uchiwa.smartos_smf_manifest.xml.j2
owner: root
group: root
mode: 0644
notify: import uchiwa service
- meta: flush_handlers
tags: dashboard
- name: Ensure Uchiwa server service is running
service: name=uchiwa state=started enabled=yes
tags: dashboard

36
roles/sensu.sensu/tasks/SmartOS/main.yml Normal file
View File

@ -0,0 +1,36 @@
---
# tasks/SmartOS/main.yml: "Set-up" playbook for sensu.sensu role
# This takes care of base prerequisites for Joyent SmartOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: setup
- name: Ensure the Sensu group is present
tags: setup
group: name={{ sensu_group_name }} state=present
- name: Ensure the Sensu user is present
tags: setup
user:
name: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
shell: /bin/false
home: "{{ sensu_config_path }}"
createhome: true
state: present
- name: Ensure Sensu dependencies are installed
tags: setup
pkgin: name=build-essential,ruby21-base state=present
- name: Ensure Sensu is installed
tags: setup
gem: name=sensu state={{ sensu_gem_state }} user_install=no
notify:
- restart sensu-client service
- name: Ensure Sensu 'plugins' gem is installed
tags: setup
gem: name=sensu-plugin state={{ sensu_plugin_gem_state }} user_install=no

14
roles/sensu.sensu/tasks/SmartOS/rabbit.yml Normal file
View File

@ -0,0 +1,14 @@
---
# tasks/SmartOS/rabbit.yml: Deploy RabbitMQ
# Specific to Joyent SmartOS
- name: Ensure RabbitMQ is installed
tags: rabbitmq
pkgin: name=rabbitmq state=present
- name: Ensure EPMD is running
tags: rabbitmq
service:
name: epmd
state: started
enabled: true

12
roles/sensu.sensu/tasks/SmartOS/redis.yml Normal file
View File

@ -0,0 +1,12 @@
---
# tasks/SmartOS/redis.yml: Deploy redis
# Specific to Ubuntu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: redis
- name: Ensure redis is installed
tags: redis
pkgin: name=redis state={{ sensu_redis_pkg_state }}

32
roles/sensu.sensu/tasks/SmartOS/server.yml Normal file
View File

@ -0,0 +1,32 @@
---
# tasks/SmartOS/server.yml: Deploy the necessary configuration for
# a Sensu 'master' node.
# Specific to SmartOS
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: server
- name: Deploy Sensu server service manifest
tags: server
template:
dest: /opt/local/lib/svc/manifest/sensu-server.xml
src: sensu-server.smartos_smf_manifest.xml.j2
owner: root
group: root
mode: 0644
notify: import sensu-server service
- name: Deploy Sensu API service manifest
tags: server
template:
dest: /opt/local/lib/svc/manifest/sensu-api.xml
src: sensu-api.smartos_smf_manifest.xml.j2
owner: root
group: root
mode: 0644
notify: import sensu-api service
- meta: flush_handlers
tags: server

21
roles/sensu.sensu/tasks/Ubuntu/dashboard.yml Normal file
View File

@ -0,0 +1,21 @@
---
# tasks/Ubuntu/dashboard.yml: Deployment of the Uchiwa dashboard
# Specific to Ubuntu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: dashboard
- name: Install Uchiwa
tags: dashboard
apt:
name: uchiwa
state: present
- name: Deploy Uchiwa config
tags: dashboard
template:
src: uchiwa_config.json.j2
dest: "{{ sensu_config_path }}/uchiwa.json"
notify: restart uchiwa service

35
roles/sensu.sensu/tasks/Ubuntu/main.yml Normal file
View File

@ -0,0 +1,35 @@
---
# tasks/Ubuntu/main.yml: Ubuntu specific set-up
# This takes care of base prerequisites for Ubuntu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: setup
- name: Ensure that https transport is ready
tags: setup
apt:
name: apt-transport-https
state: present
cache_valid_time: 3600
update_cache: true
- name: Ensure the Sensu APT repo GPG key is present
tags: setup
apt_key:
url: "{{ sensu_apt_key_url }}"
state: present
- name: Ensure the Sensu Core APT repo is present
tags: setup
apt_repository:
repo: "{{ sensu_apt_repo_url }}"
state: present
update_cache: true
- name: Ensure Sensu is installed
tags: setup
apt:
name: "{{ sensu_package }}"
state: "{{ sensu_pkg_state }}"

53
roles/sensu.sensu/tasks/Ubuntu/rabbit.yml Normal file
View File

@ -0,0 +1,53 @@
---
# tasks/Ubuntu/rabbit.yml: Deploy RabbitMQ
# Specific to Ubuntu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- name: Ensure the RabbitMQ APT repo GPG key is present
tags: rabbitmq
apt_key:
url: "{{ sensu_rabbitmq_signing_key }}"
state: present
- name: Ensure the RabbitMQ APT repo is present
tags: rabbitmq
apt_repository:
repo: "{{ sensu_rabbitmq_repo }}"
filename: rabbitmq
state: present
update_cache: true
- name: Ensure Erlang APT preferences is configured
tags: rabbitmq
template:
src: erlang-apt-preferences.j2
dest: /etc/apt/preferences.d/erlang
owner: root
group: root
mode: 0755
- name: Ensure the Erlang APT repo GPG key is present
tags: rabbitmq
apt_key:
url: "{{ sensu_rabbitmq_erlang_signing_key }}"
state: present
- name: Ensure the Erlang APT repo is present
tags: rabbitmq
apt_repository:
repo: "{{ sensu_rabbitmq_erlang_repo }}"
filename: erlang
state: present
update_cache: true
- name: Ensure RabbitMQ is installed
tags: rabbitmq
apt:
name: rabbitmq-server
state: "{{ sensu_rabbitmq_pkg_state }}"
cache_valid_time: 600
update_cache: true

33
roles/sensu.sensu/tasks/Ubuntu/redis.yml Normal file
View File

@ -0,0 +1,33 @@
---
# tasks/Ubuntu/redis.yml: Deploy redis
# Specific to Ubuntu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
- name: Ensure redis is installed
apt:
name: "{{ sensu_redis_pkg_name }}"
state: "{{ sensu_redis_pkg_state }}"
update_cache: true
register: sensu_ubuntu_redis_install
# BUG: On Ubuntu 14.04, when first installed, redis, will be started
# however, the /var/run/redis/redis-server.pid file gets lost during the restart
# causing the process to be orphaned from the init system.
# We manually stop it right after install to account for this.
- name: Stop redis manually
shell: kill $(pgrep redis-server)
when:
- sensu_ubuntu_redis_install is changed
- ansible_distribution_version == '14.04'
- name: Ensure redis binds to accessible IP
lineinfile:
dest: /etc/redis/redis.conf
regexp: '^bind'
line: 'bind 0.0.0.0'
notify: restart redis service
- meta: flush_handlers

28
roles/sensu.sensu/tasks/client.yml Normal file
View File

@ -0,0 +1,28 @@
---
# tasks/client.yml: Deploy various client-side configurations for Sensu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: client
- name: Deploy Sensu client service configuration
tags: client
template:
dest: "{{ sensu_config_path }}/conf.d/client.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
src: "{{ sensu_client_config }}"
mode: "0640"
notify: restart sensu-client service
- include_tasks: "{{ role_path }}/tasks/SmartOS/client.yml"
tags: client
when: ansible_distribution == "SmartOS"
- name: Ensure Sensu client service is running
tags: client
service:
name: "{{ sensu_client_service_name }}"
state: started
enabled: yes

57
roles/sensu.sensu/tasks/common.yml Normal file
View File

@ -0,0 +1,57 @@
---
# tasks/common.yml: Deploy configurations common to client and server for Sensu
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
- name: Ensure the Sensu config directory is present
file:
dest: "{{ sensu_config_path }}/conf.d"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
mode: "0555"
- name: Deploy Sensu Redis configuration
template:
dest: "{{ sensu_config_path }}/conf.d/redis.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
src: "{{ sensu_redis_config }}"
mode: "0640"
when: sensu_deploy_redis_config
notify:
- restart sensu-server service
- restart sensu-api service
- restart sensu-enterprise service
- restart sensu-client service
- name: Deploy Sensu RabbitMQ configuration
template:
dest: "{{ sensu_config_path }}/conf.d/rabbitmq.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
src: "{{ sensu_rabbitmq_config }}"
mode: "0640"
when: sensu_transport == "rabbitmq"
and sensu_deploy_rabbitmq_config
notify:
- restart sensu-server service
- restart sensu-api service
- restart sensu-enterprise service
- restart sensu-client service
- name: Deploy Sensu transport configuration
template:
dest: "{{ sensu_config_path }}/conf.d/transport.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
src: transport.json.j2
mode: "0640"
when: sensu_deploy_transport_config
notify:
- restart sensu-server service
- restart sensu-api service
- restart sensu-enterprise service
- restart sensu-client service

12
roles/sensu.sensu/tasks/dashboard.yml Normal file
View File

@ -0,0 +1,12 @@
---
# tasks/dashboard.yml: Deployment of the Uchiwa dashboard
- name: Include ansible_distribution vars
include_tasks: "{{ role_path }}/tasks/{{ ansible_distribution }}/dashboard.yml"
tags: dashboard
- name: Ensure Uchiwa/Sensu Enterprise Dashboard server service is running
tags: dashboard
service:
name: "{{ uchiwa_service_name if not se_enterprise else sensu_enterprise_dashboard_service_name }}"
state: started
enabled: yes

45
roles/sensu.sensu/tasks/main.yml Normal file
View File

@ -0,0 +1,45 @@
---
# tasks/main.yml: "Master" playbook for the sensu.sensu role
- name: Include distribution specific variables
include_vars:
file: "{{ ansible_distribution }}.yml"
- include_tasks: "{{ role_path }}/tasks/{{ ansible_distribution }}/main.yml"
tags: setup
when: sensu_master
or sensu_client
- import_tasks: "redis.yml"
tags: redis
when: sensu_redis_server
and sensu_deploy_redis_server
- import_tasks: "ssl.yml"
tags: ssl
- import_tasks: "rabbit.yml"
tags: rabbitmq
when: sensu_rabbitmq_server
and sensu_deploy_rabbitmq_server
- import_tasks: "common.yml"
tags: common
when: sensu_master
or sensu_client
- import_tasks: "server.yml"
tags: server
when: sensu_master
- import_tasks: "dashboard.yml"
tags: dashboard
when: sensu_include_dashboard
- import_tasks: "client.yml"
tags: client
when: sensu_client
- import_tasks: "plugins.yml"
tags: plugins
when: sensu_include_plugins

152
roles/sensu.sensu/tasks/plugins.yml Normal file
View File

@ -0,0 +1,152 @@
---
# tasks/plugins.yml: Deploy available checks/plugins/handlers/filters/mutators
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
- name: Ensure Sensu plugin directory exists
file:
dest: "{{ sensu_config_path }}/plugins"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
- name: Ensure local directories exist
file:
state: directory
dest: "{{ static_data_store }}/sensu/{{ item }}"
delegate_to: localhost
become: no
run_once: true
loop:
- checks
- filters
- handlers
- mutators
- definitions
- client_definitions
- client_templates
- name: Ensure any remote plugins defined are present
shell: umask 0022; sensu-install -p {{ item }}
loop: "{{ sensu_remote_plugins }}"
changed_when: false
when: sensu_remote_plugins | length > 0
- name: Register available checks
command: "ls {{ static_data_store }}/sensu/checks"
delegate_to: localhost
register: sensu_available_checks
changed_when: false
become: false
run_once: true
- name: Deploy check plugins
copy:
src: "{{ static_data_store }}/sensu/checks/{{ item }}/"
dest: "{{ sensu_config_path }}/plugins/"
mode: 0755
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when:
- sensu_available_checks is defined
- sensu_available_checks is not skipped
- item in sensu_available_checks.stdout_lines
loop: "{{ group_names|flatten }}"
notify: restart sensu-client service
- name: Deploy handler plugins
copy:
src: "{{ static_data_store }}/sensu/handlers/"
dest: "{{ sensu_config_path }}/plugins/"
mode: 0755
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
notify: restart sensu-client service
- name: Deploy filter plugins
copy:
src: "{{ static_data_store }}/sensu/filters/"
dest: "{{ sensu_config_path }}/plugins/"
mode: 0755
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
notify: restart sensu-client service
- name: Deploy mutator plugins
copy:
src: "{{ static_data_store }}/sensu/mutators/"
dest: "{{ sensu_config_path }}/plugins/"
mode: 0755
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
notify: restart sensu-client service
- name: Deploy check/handler/filter/mutator definitions to the master
template:
src: "{{ item }}"
dest: "{{ sensu_config_path }}/conf.d/{{ item | basename | regex_replace('.j2', '') }}"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when: sensu_master
with_fileglob:
- "{{ static_data_store }}/sensu/definitions/*"
notify:
- restart sensu-server service
- restart sensu-api service
- restart sensu-enterprise service
- name: Register available client definitions
command: "ls {{ static_data_store }}/sensu/client_definitions"
delegate_to: localhost
register: sensu_available_client_definitions
changed_when: false
become: false
run_once: true
- name: Deploy client definitions
copy:
src: "{{ static_data_store }}/sensu/client_definitions/{{ item }}/"
dest: "{{ sensu_config_path }}/conf.d/{{ item | basename | regex_replace('.j2', '') }}"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when:
- sensu_available_client_definitions is defined
- sensu_available_client_definitions is not skipped
- item in sensu_available_client_definitions.stdout_lines
loop: "{{ group_names|flatten }}"
notify: restart sensu-client service
- name: Register available client templates
command: "ls {{ static_data_store }}/sensu/client_templates"
delegate_to: localhost
register: sensu_available_client_templates
changed_when: false
become: false
run_once: true
- name: Deploy client template folders
file:
path: '{{ sensu_config_path }}/conf.d/{{ item | basename }}'
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when:
- sensu_available_client_templates is defined
- sensu_available_client_templates is not skipped
- item in sensu_available_client_templates.stdout_lines
loop: "{{ group_names|flatten }}"
notify: restart sensu-client service
- name: Deploy client templates
template:
src: "{{ static_data_store }}/sensu/client_templates/{{ item.path | dirname }}/{{ item.path | basename }}"
dest: "{{ sensu_config_path }}/conf.d/{{ item.path | dirname }}/{{ item.path | basename | regex_replace('.j2', '') }}"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
with_filetree: "{{ static_data_store }}/sensu/client_templates"
when:
- item.state == 'file'
- item.path | dirname in group_names
notify: restart sensu-client service

76
roles/sensu.sensu/tasks/rabbit.yml Normal file
View File

@ -0,0 +1,76 @@
---
# tasks/rabbit.yml: Deploy RabbitMQ and set-up vhost for Sensu messaging
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: rabbitmq
- include_tasks: "{{ ansible_distribution }}/rabbit.yml"
tags: rabbitmq
- name: Ensure RabbitMQ SSL directory exists
tags: rabbitmq
file:
dest: "{{ sensu_rabbitmq_config_path }}/ssl"
state: directory
- name: Ensure RabbitMQ SSL certs/keys are in place
tags: rabbitmq
copy:
src: "{{ item.src }}"
dest: "{{ sensu_rabbitmq_config_path }}/ssl/{{ item.dest }}"
remote_src: "{{ sensu_ssl_deploy_remote_src }}"
loop:
- { src: "{{ sensu_ssl_server_cacert }}", dest: cacert.pem }
- { src: "{{ sensu_ssl_server_cert }}", dest: cert.pem }
- { src: "{{ sensu_ssl_server_key }}", dest: key.pem }
notify:
- restart rabbitmq service
- restart sensu-api service
- restart sensu-server service
- restart sensu-enterprise service
when: sensu_ssl_manage_certs
- name: Deploy RabbitMQ config
tags: rabbitmq
template:
dest: "{{ sensu_rabbitmq_config_path }}/rabbitmq.config"
src: "{{ sensu_rabbitmq_config_template }}"
owner: root
group: "{{ __root_group }}"
mode: 0644
notify: restart rabbitmq service
- name: Ensure RabbitMQ is running
tags: rabbitmq
service:
name: "{{ sensu_rabbitmq_service_name }}"
state: started
enabled: true
register: sensu_rabbitmq_state
- name: Wait for RabbitMQ to be up and running before asking to create a vhost
tags: rabbitmq
pause:
seconds: 3
when: sensu_rabbitmq_state is changed
- block:
- name: Ensure Sensu RabbitMQ vhost exists
rabbitmq_vhost:
name: "{{ sensu_rabbitmq_vhost }}"
state: present
- name: Ensure Sensu RabbitMQ user has access to the Sensu vhost
rabbitmq_user:
user: "{{ sensu_rabbitmq_user_name }}"
password: "{{ sensu_rabbitmq_password }}"
vhost: "{{ sensu_rabbitmq_vhost }}"
configure_priv: .*
read_priv: .*
write_priv: .*
state: present
become: true
become_user: rabbitmq
tags: rabbitmq

14
roles/sensu.sensu/tasks/redis.yml Normal file
View File

@ -0,0 +1,14 @@
---
# tasks/redis.yml: Deploy redis
- name: Include ansible_distribution vars
include_tasks: "{{ role_path }}/tasks/{{ ansible_distribution }}/redis.yml"
tags: redis
- name: Ensure redis is running
tags: redis
service:
name: "{{ sensu_redis_service_name }}"
pattern: /usr/bin/redis-server
state: started
enabled: true

44
roles/sensu.sensu/tasks/server.yml Normal file
View File

@ -0,0 +1,44 @@
---
# tasks/server.yml: Deploy Sensu Server/API
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
tags: server
- name: Deploy Sensu server API configuration
tags: server
template:
dest: "{{ sensu_config_path }}/conf.d/api.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
src: sensu-api.json.j2
notify: restart sensu-api service
- name: Deploy Tessen server configuratiuon
tags: server
template:
dest: "{{ sensu_config_path }}/conf.d/tessen.json"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
src: sensu-tessen.json.j2
notify: restart sensu-server service
- include_tasks: "{{ role_path }}/tasks/SmartOS/server.yml"
tags: server
when: ansible_distribution == "SmartOS"
- name: Ensure Sensu server service is running
tags: server
service:
name: "{{ sensu_server_service_name if not se_enterprise else sensu_enterprise_service_name }}"
state: started
enabled: yes
- name: Ensure Sensu API service is running
tags: server
service:
name: sensu-api
state: started
enabled: yes
when: not se_enterprise

31
roles/sensu.sensu/tasks/ssl.yml Normal file
View File

@ -0,0 +1,31 @@
---
# tasks/ssl.yml: Deploy the client SSL cert/key to client systems
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
- name: Ensure Sensu SSL directory exists
file:
dest: "{{ sensu_config_path }}/ssl"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when: sensu_ssl_manage_certs
- include_tasks: "{{ role_path }}/tasks/ssl_generate.yml"
when: sensu_ssl_gen_certs
- name: Deploy the Sensu client SSL cert/key
copy:
src: "{{ item.src }}"
owner: "{{ sensu_user_name }}"
remote_src: "{{ sensu_ssl_deploy_remote_src }}"
group: "{{ sensu_group_name }}"
dest: "{{ sensu_config_path }}/ssl/{{ item.dest }}"
mode: " {{ item.perm }}"
loop:
- {src: "{{ sensu_ssl_client_cert }}", dest: cert.pem, perm: "0640" }
- {src: "{{ sensu_ssl_client_key }}", dest: key.pem, perm: "0640" }
notify: restart sensu-client service
when: sensu_ssl_manage_certs

129
roles/sensu.sensu/tasks/ssl_generate.yml Normal file
View File

@ -0,0 +1,129 @@
---
# tasks/ssl_generate.yml: Generate SSL data and stash to dynamic
# data store for deployment to clients
- name: Include ansible_distribution vars
include_vars:
file: "{{ ansible_distribution }}.yml"
- name: Ensure OpenSSL is installed
package:
name: openssl
state: present
- name: Ensure SSL generation directory exists
file:
dest: "{{ sensu_config_path }}/{{ item }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when: sensu_master
loop:
- ssl_generation
- ssl_generation/sensu_ssl_tool
- ssl_generation/sensu_ssl_tool/client
- ssl_generation/sensu_ssl_tool/server
- ssl_generation/sensu_ssl_tool/sensu_ca
- ssl_generation/sensu_ssl_tool/sensu_ca/private
- ssl_generation/sensu_ssl_tool/sensu_ca/certs
- name: Ensure OpenSSL configuration is in place
template:
src: openssl.cnf.j2
dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/openssl.cnf"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when: sensu_master
- block:
- name: Ensure the Sensu CA serial configuration
shell: 'echo 01 > sensu_ca/serial'
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/serial"
register: sensu_ca_new_serial
- name: Ensure sensu_ca/index.txt exists
file:
dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/index.txt"
state: touch
when: sensu_ca_new_serial is changed
# TODO: The following mirrors the commands used in sensu_ssl_tool/ssl_certs.sh
# from the 1.3 version of the script. Ideally, this moves into the native openssl_* modules.
# See https://docs.sensu.io/sensu-core/1.3/reference/ssl/#reference-documentation for limitations and further instructions
- name: Generate Sensu CA certificate
command: openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1825 -out cacert.pem -outform PEM -subj /CN=SensuCA/ -nodes
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem"
- name: Generate CA cert
command: openssl x509 -in cacert.pem -out cacert.cer -outform DER
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.cer"
- name: Generate server keys
command: openssl genrsa -out key.pem 2048
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/key.pem"
- name: Generate server certificate signing request
command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=server/ -nodes
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/req.pem"
- name: Sign the server certificate
command: openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/cert.pem"
- name: Convert server certificate and key to PKCS12 formart
command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/keycert.p12"
- name: Generate client key
command: openssl genrsa -out key.pem 2048
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/key.pem"
- name: Generate client certificate signing request
command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=client/ -nodes
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/req.pem"
- name: Sign the client certificate
command: openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/cert.pem"
- name: Convert client key/certificate to PKCS12 format
command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/keycert.p12"
when: sensu_master|bool
become: true
become_user: "{{ sensu_user_name }}"
- name: Stash the Sensu SSL certs/keys
fetch:
src: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/{{ item }}"
dest: "{{ dynamic_data_store }}"
when: sensu_master
loop:
- sensu_ca/cacert.pem
- server/cert.pem
- server/key.pem
- client/cert.pem
- client/key.pem

15
roles/sensu.sensu/templates/client.json.j2 Normal file
View File

@ -0,0 +1,15 @@
{
"client": {
"name": "{{ sensu_client_name }}",
"address": "{{ ansible_default_ipv4['address'] }}",
"subscriptions": {{ sensu_client_subscriptions | to_nice_json(indent=6) }},
"keepalive": {
"handlers": {{ sensu_client_keepalive_handlers | to_nice_json(indent=8) }},
"thresholds": {
"warning": {{ sensu_client_keepalive_threshold_warning }},
"critical": {{ sensu_client_keepalive_threshold_critical }}
}
},
"safe_mode": {{ sensu_client_safe_mode | bool | lower }}
}
}

4
roles/sensu.sensu/templates/erlang-apt-preferences.j2 Normal file
View File

@ -0,0 +1,4 @@
{{ ansible_managed | comment }}
Package: {{ sensu_erlang_pin_package }}
Pin: version {{ sensu_erlang_pin_version }}
Pin-Priority: 1000

56
roles/sensu.sensu/templates/openssl.cnf.j2 Normal file
View File

@ -0,0 +1,56 @@
{{ ansible_managed | comment }}
# Source: http://docs.sensu.io/sensu-core/1.3/files/sensu_ssl_tool.tar
[ ca ]
default_ca = sensu_ca
[ sensu_ca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 1825
default_md = sha1
policy = sensu_ca_policy
x509_extensions = certificate_extensions
[ sensu_ca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = sensu
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

16
roles/sensu.sensu/templates/rabbitmq.config.j2 Normal file
View File

@ -0,0 +1,16 @@
[
{rabbit, [
{% if sensu_rabbitmq_enable_ssl %}
{ssl_listeners, [{{ sensu_rabbitmq_port }}]},
{ssl_options, [{cacertfile,"{{ sensu_rabbitmq_config_path }}/ssl/cacert.pem"},
{certfile,"{{ sensu_rabbitmq_config_path }}/ssl/cert.pem"},
{keyfile,"{{ sensu_rabbitmq_config_path }}/ssl/key.pem"},
{verify,verify_peer},
{versions, ['tlsv1.2']},
{ciphers, [{rsa,aes_256_cbc,sha256}]},
{fail_if_no_peer_cert,true}]}
{% else %}
{tcp_listeners, [{{ sensu_rabbitmq_port }}]}
{% endif %}
]}
].

10
roles/sensu.sensu/templates/sensu-api.json.j2 Normal file
View File

@ -0,0 +1,10 @@
{
"api": {
{% if sensu_api_user_name %}
"user": "{{ sensu_api_user_name }}",
"password": "{{ sensu_api_password }}",
{% endif %}
"host": "{{ sensu_api_host }}",
"port": {{ sensu_api_port }}
}
}

32
roles/sensu.sensu/templates/sensu-api.smartos_smf_manifest.xml.j2 Normal file
View File

@ -0,0 +1,32 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="sensu-api">
<service name="application/sensu-api" type="service" version="1">
<create_default_instance enabled="false" />
<single_instance />
<dependency name="network" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/milestone/network:default" />
</dependency>
<dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/system/filesystem/local" />
</dependency>
<method_context>
<method_credential user="{{ sensu_user_name }}" group="{{ sensu_group_name }}" />
<method_environment>
<envvar name="HOME" value="{{ sensu_config_path }}" />
<envvar name="PATH" value="/opt/local/sbin:/opt/local/bin:/sbin:/usr/sbin:/usr/bin" />
</method_environment>
</method_context>
<exec_method type="method" name="start" exec="/opt/local/bin/sensu-api --background --config_dir ${HOME}" timeout_seconds="60" />
<exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
<property_group name="startd" type="framework">
<propval name="duration" type="astring" value="contract" />
</property_group>
<stability value="Evolving" />
<template>
<common_name>
<loctext xml:lang="C">Sensu API</loctext>
</common_name>
</template>
</service>
</service_bundle>

32
roles/sensu.sensu/templates/sensu-client.smartos_smf_manifest.xml.j2 Normal file
View File

@ -0,0 +1,32 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="sensu-client">
<service name="application/sensu-client" type="service" version="1">
<create_default_instance enabled="false" />
<single_instance />
<dependency name="network" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/milestone/network:default" />
</dependency>
<dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/system/filesystem/local" />
</dependency>
<method_context>
<method_credential user="{{ sensu_user_name }}" group="{{ sensu_group_name }}" />
<method_environment>
<envvar name="HOME" value="{{ sensu_config_path }}" />
<envvar name="PATH" value="/opt/local/sbin:/opt/local/bin:/sbin:/usr/sbin:/usr/bin" />
</method_environment>
</method_context>
<exec_method type="method" name="start" exec="/opt/local/bin/sensu-client --background --config_dir ${HOME}" timeout_seconds="60" />
<exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
<property_group name="startd" type="framework">
<propval name="duration" type="astring" value="contract" />
</property_group>
<stability value="Evolving" />
<template>
<common_name>
<loctext xml:lang="C">Sensu Client</loctext>
</common_name>
</template>
</service>
</service_bundle>

5
roles/sensu.sensu/templates/sensu-freebsd-repo.conf.j2 Normal file
View File

@ -0,0 +1,5 @@
sensu: {
url: "{{ sensu_freebsd_url }}",
enabled: true,
mirror_type: "http"
}

15
roles/sensu.sensu/templates/sensu-rabbitmq.json.j2 Normal file
View File

@ -0,0 +1,15 @@
{
"rabbitmq": {
{% if sensu_rabbitmq_enable_ssl %}
"ssl": {
"cert_chain_file": "{{ sensu_config_path }}/ssl/cert.pem",
"private_key_file": "{{ sensu_config_path }}/ssl/key.pem"
},
{% endif %}
"host": "{{ sensu_rabbitmq_host }}",
"port": {{ sensu_rabbitmq_port }},
"vhost": "{{ sensu_rabbitmq_vhost }}",
"user": "{{ sensu_rabbitmq_user_name }}",
"password": "{{ sensu_rabbitmq_password }}"
}
}

14
roles/sensu.sensu/templates/sensu-redis.json.j2 Normal file
View File

@ -0,0 +1,14 @@
{
"redis": {
{% if sensu_redis_password %}
"password": "{{ sensu_redis_password }}",
{% endif %}
{% if sensu_redis_sentinels %}
"sentinels": {{ sensu_redis_sentinels | to_nice_json }},
"master": "{{ sensu_redis_master_name }}"
{% else %}
"host": "{{ sensu_redis_host }}",
"port": {{ sensu_redis_port }}
{% endif %}
}
}

32
roles/sensu.sensu/templates/sensu-server.smartos_smf_manifest.xml.j2 Normal file
View File

@ -0,0 +1,32 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="sensu-server">
<service name="application/sensu-server" type="service" version="1">
<create_default_instance enabled="false" />
<single_instance />
<dependency name="network" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/milestone/network:default" />
</dependency>
<dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/system/filesystem/local" />
</dependency>
<method_context>
<method_credential user="{{ sensu_user_name }}" group="{{ sensu_group_name }}" />
<method_environment>
<envvar name="HOME" value="{{ sensu_config_path }}" />
<envvar name="PATH" value="/opt/local/sbin:/opt/local/bin:/sbin:/usr/sbin:/usr/bin" />
</method_environment>
</method_context>
<exec_method type="method" name="start" exec="/opt/local/bin/sensu-server --background --config_dir ${HOME}" timeout_seconds="60" />
<exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
<property_group name="startd" type="framework">
<propval name="duration" type="astring" value="contract" />
</property_group>
<stability value="Evolving" />
<template>
<common_name>
<loctext xml:lang="C">Sensu Server</loctext>
</common_name>
</template>
</service>
</service_bundle>

5
roles/sensu.sensu/templates/sensu-tessen.json.j2 Normal file
View File

@ -0,0 +1,5 @@
{
"tessen": {
"enabled": {{ sensu_enable_tessen | bool | lower }}
}
}

Some files were not shown because too many files have changed in this diff Show More