diff --git a/.gitignore b/.gitignore index 7b69326..383c91a 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,14 @@ tests/test_out.mk Session.vim .netrwhist *~ +## For quick testing. +## Generated by https://github.com/ypid/ypid-ansible-common/blob/master/bin/sphinx-debops-role-build +docs/Makefile +docs/_build/ +docs/conf.py +docs/defaults.rst +docs/includes/global.rst +docs/_templates/page.html +docs/_templates/.gitkeep +docs/_static/custom.css +docs/_static/.gitkeep diff --git a/CHANGES.rst b/CHANGES.rst index b4206eb..c896930 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,12 +1,14 @@ Changelog ========= +.. include:: includes/all.rst + **debops-contrib.checkmk_server** -This project adheres to `Semantic Versioning `_ -and `human-readable changelog `_. +This project adheres to `Semantic Versioning `__ +and `human-readable changelog `__. -The current role maintainer is ganto. +The current role maintainer_ is ganto. debops-contrib.checkmk_server master - unreleased @@ -15,4 +17,10 @@ debops-contrib.checkmk_server master - unreleased Added ~~~~~ -- Initial release [ganto] +- Initial release [ganto_] + +Fixed +~~~~~ + +- Fix ``checkmk_server__ssh_command`` which would have been wrongly generated + with ``checkmk_server__ssh_user`` set to ``root``. [ypid_] diff --git a/COPYRIGHT b/COPYRIGHT index 12afa09..ba9bd54 100644 --- a/COPYRIGHT +++ b/COPYRIGHT @@ -1,7 +1,7 @@ debops-contrib.checkmk_server - Manage Check_MK monitoring server -Copyright (C) 2016 Reto Gantenbein -Copyright (C) 2016 DebOps Project http://debops.org/ +Copyright (C) 2016-2017 Reto Gantenbein +Copyright (C) 2016-2017 DebOps https://debops.org/ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 3, as 
@@ -13,4 +13,4 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License -along with this program. If not, see http://www.gnu.org/licenses/ +along with this program. If not, see https://www.gnu.org/licenses/ diff --git a/README.md b/README.md index 6f78a26..02c9893 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ This role installs and manages [Check_MK](http://mathias-kettner.com/check_mk.ht ### Installation -This role requires at least Ansible `v2.1.1`. To install it, run: +This role requires at least Ansible `v2.1.5`. To install it, run: ```Shell ansible-galaxy install debops-contrib.checkmk_server diff --git a/TODO b/TODO new file mode 100644 index 0000000..b64889e --- /dev/null +++ b/TODO @@ -0,0 +1,3 @@ + +* Fix internal role namespace + git ls-files -z "$(git rev-parse --show-toplevel)" | xargs --null -I '{}' find '{}' -type f -print0 | xargs --null sed --in-place --regexp-extended 's/\<(checkmk_server)_([^_])/\1__\2/g;' diff --git a/defaults/main.yml b/defaults/main.yml index 9c8b28b..ded54ab 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,31 +1,38 @@ --- -# Default variables -# ================= +# .. vim: foldmarker=[[[,]]]:foldmethod=marker + +# debops-contrib.checkmk_server default variables [[[ +# =================================================== + +# .. contents:: Sections +# :local: +# +# .. include:: includes/all.rst -# --------------------- -# General Configuration -# --------------------- -# .. envvar:: checkmk_server__version +# General Configuration [[[ +# ------------------------- + +# .. envvar:: checkmk_server__version [[[ # # Check_MK software version. checkmk_server__version: '1.2.8p20' - -# .. envvar:: checkmk_server__version_label + # ]]] +# .. envvar:: checkmk_server__version_label [[[ # # Check_MK version label used with the :command:`omd` tool. checkmk_server__version_label: '{{ checkmk_server__version }}.cre' - -# .. envvar:: checkmk_server__site_update + # ]]] +# .. envvar:: checkmk_server__site_update [[[ # # Update Check_MK site if current version is lower than # :envvar:`checkmk_server__version` checkmk_server__site_update: False - -# .. envvar:: checkmk_server__patches + # ]]] +# .. envvar:: checkmk_server__patches [[[ # # Custom patches to apply after installing Check_MK package checkmk_server__patches: 
@@ -34,17 +41,17 @@ checkmk_server__patches: - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch' file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/conf.d/omd.conf' - -# .. envvar:: checkmk_server__ferm_dependent_rules + # ]]] +# .. envvar:: checkmk_server__ferm_dependent_rules [[[ # -# Firewall configuration using the ``debops.ferm`` Ansible role. +# Firewall configuration using the debops.ferm_ Ansible role. checkmk_server__ferm_dependent_rules: '{{ - checkmk_server__ferm_web_rules + - (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else []) -}}' + checkmk_server__ferm_web_rules + + (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else []) + }}' + # ]]] - -# .. envvar:: checkmk_server__ferm_web_rules +# .. envvar:: checkmk_server__ferm_web_rules [[[ # # Firewall configuration for WATO Web access. checkmk_server__ferm_web_rules: @@ -55,8 +62,8 @@ checkmk_server__ferm_web_rules: weight: '40' role: 'checkmk_server' - -# .. envvar:: checkmk_server__ferm_livestatus_rules + # ]]] +# .. envvar:: checkmk_server__ferm_livestatus_rules [[[ # # Firewall configuration for Multisite Livestatus access. checkmk_server__ferm_livestatus_rules: 
@@ -67,79 +74,81 @@ checkmk_server__ferm_livestatus_rules: weight: '40' role: 'checkmk_server' - -# .. envvar:: checkmk_server__web_allow + # ]]] +# .. envvar:: checkmk_server__web_allow [[[ # # List of IP addresses or network CIDR ranges allowed to connect to the # Check_MK Web interface. If list is empty, anyone can connect. checkmk_server__web_allow: [] - -# .. envvar:: checkmk_server__livestatus_allow + # ]]] +# .. envvar:: checkmk_server__livestatus_allow [[[ # # List of IP addresses or network CIDR ranges allowed to connect to the # Check_MK Livestatus TCP socket. If list is empty, anyone can connect. checkmk_server__livestatus_allow: [] - -# .. envvar:: checkmk_server__etc_services__dependent_list + # ]]] +# .. envvar:: checkmk_server__etc_services__dependent_list [[[ # # Add entry for Livestatus to :file:`/etc/services` using the -# `debops.etc_services` role. +# ``debops.etc_services`` role. checkmk_server__etc_services__dependent_list: - name: 'check-mk-livestatus' port: '{{ checkmk_server__livestatus_port }}' comment: 'Check_MK server Livestatus' - -# .. envvar:: checkmk_server__livestatus_port + # ]]] +# .. envvar:: checkmk_server__livestatus_port [[[ # # TCP port for Multisite Livestatus socket. checkmk_server__livestatus_port: 6557 - -# .. envvar:: checkmk_server__software_inventory + # ]]] +# .. envvar:: checkmk_server__software_inventory [[[ # # Enable collection of installed software. Requires the ``mk_inventory`` # plugin to be installed on the Check_MK agents. checkmk_server__software_inventory: True + # ]]] + # ]]] +# APT packages [[[ +# ---------------- - -# ------------ -# APT packages -# ------------ - -# .. envvar:: checkmk_server__raw_package +# .. envvar:: checkmk_server__raw_package [[[ # # Check_MK RAW package download URL. Alternatively this can also be a local # deb file or a package name in an already available apt repository. 
checkmk_server__raw_package: 'https://mathias-kettner.de/support/{{ checkmk_server__version }}/check-mk-raw-{{ checkmk_server__version }}_0.{{ ansible_distribution_release }}_amd64.deb' - -# .. envvar:: checkmk_server__prerequisite_packages + # ]]] +# .. envvar:: checkmk_server__prerequisite_packages [[[ # # List of prerequisite packages which must be available before installing # the Check_MK RAW package checkmk_server__prerequisite_packages: [ 'apache2', 'python-passlib' ] + # ]]] + # ]]] +# Check_MK Site Configuration [[[ +# ------------------------------- - -# --------------------------- -# Check_MK Site Configuration -# --------------------------- - -# .. envvar:: checkmk_server__site +# .. envvar:: checkmk_server__site [[[ # -# Check_MK site name. Set to `False` to disable site configuration. +# Check_MK site name. Set to ``False`` to disable site configuration. checkmk_server__site: 'debops' - -# .. envvar:: checkmk_server__hostname + # ]]] +# .. envvar:: checkmk_server__hostname [[[ # -# Set Check_MK server DNS hostname (e.g. for agent download, API calls, ...). -checkmk_server__hostname: '{{ ansible_fqdn }}' - +# Set Check_MK server DNS hostname (e. g. for agent download, API calls, ...). +# FIXME: Rename to checkmk_server__fqdn. +checkmk_server__hostname: '{{ ansible_local.core.fqdn + if (ansible_local|d() and ansible_local.core|d() and + ansible_local.core.fqdn|d()) + else ansible_fqdn }}' -# .. envvar:: checkmk_server__site_url + # ]]] +# .. envvar:: checkmk_server__site_url [[[ # # Check_MK server site URL. checkmk_server__site_url: '{{ ("https://" if checkmk_server__pki else "http://") + 
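Review bot: The `checkmk_server__raw_package` default in this hunk points at a remote `.deb`, and no checksum or signature setting accompanies it in the defaults visible here, so the integrity of what gets installed rests on the HTTPS connection to the vendor host alone. The install task is outside this diff and may verify the file elsewhere; if it does not, an optional checksum default would close the gap, much as `checkmk_server__site_packages` entries already accept a `checksum` key. At minimum the comment could state the limitation, e.g. `# The downloaded package is not checked against a checksum; use a trusted APT repository or a local file where that matters.`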
@@ -147,43 +156,43 @@ checkmk_server__site_url: '{{ ("https://" if checkmk_server__pki else "http://") checkmk_server__site if checkmk_server__site|d() else "" }}' - -# .. envvar:: checkmk_server__webapi_url + # ]]] +# .. envvar:: checkmk_server__webapi_url [[[ # # WebAPI URL of monitoring site. checkmk_server__webapi_url: '{{ checkmk_server__site_url + "/check_mk/webapi.py" if checkmk_server__site|d() else "" }}' - -# .. envvar:: checkmk_server__omd_config + # ]]] +# .. envvar:: checkmk_server__omd_config [[[ # # Check_MK site configuration set via :command:`omd config`. Changing these # values will shutdown Check_MK during reconfiguration. Check # :ref:`checkmk_server__ref_omd_config` for more details. checkmk_server__omd_config: '{{ - checkmk_server__omd_config_email + - checkmk_server__omd_config_core + - (checkmk_server__omd_config_livestatus if checkmk_server__multisite_livestatus|d() else []) -}}' - + checkmk_server__omd_config_email + + checkmk_server__omd_config_core + + (checkmk_server__omd_config_livestatus if checkmk_server__multisite_livestatus|d() else []) + }}' + # ]]] -# .. envvar:: checkmk_server__omd_config_email +# .. envvar:: checkmk_server__omd_config_email [[[ # -# Administrator email address set via OMD +# Administrator email address set via OMD. checkmk_server__omd_config_email: - var: 'ADMIN_MAIL' value: 'hostmaster@{{ ansible_domain if ansible_domain else ansible_hostname }}' - -# .. envvar:: checkmk_server__omd_config_core + # ]]] +# .. envvar:: checkmk_server__omd_config_core [[[ # -# Monitoring core set via OMD. Possible values: `icinga` or `nagios`. +# Monitoring core set via OMD. Possible values: ``icinga`` or ``nagios``. checkmk_server__omd_config_core: - var: 'CORE' value: 'icinga' - -# .. envvar:: checkmk_server__omd_config_livestatus + # ]]] +# .. envvar:: checkmk_server__omd_config_livestatus [[[ # # Livestatus service configuration via OMD. checkmk_server__omd_config_livestatus: 
@@ -192,8 +201,8 @@ checkmk_server__omd_config_livestatus: - var: 'LIVESTATUS_TCP_PORT' value: '{{ checkmk_server__livestatus_port }}' - -# .. envvar:: checkmk_server__sshkeys + # ]]] +# .. envvar:: checkmk_server__sshkeys [[[ # # Indicate if a SSH keypair should be provided to allow agent # connections via SSH. For more information check 
@@ -201,54 +210,53 @@ checkmk_server__omd_config_livestatus: checkmk_server__sshkeys: generate_keypair: True - -# .. envvar:: checkmk_server__ssh_user + # ]]] +# .. envvar:: checkmk_server__ssh_user [[[ # # User account which is used to query Check_MK agent via SSH. checkmk_server__ssh_user: 'checkmk' - -# .. envvar:: checkmk_server__ssh_command + # ]]] +# .. envvar:: checkmk_server__ssh_command [[[ # # Command which is executed when querying the Check_MK agent via SSH. Set this # to :command:`/usr/bin/check_mk_caching_agent` when agents are queried by # multiple servers. -checkmk_server__ssh_command: '{{ "/usr/bin/sudo " if not checkmk_server__ssh_user == "root" else omit }}/usr/bin/check_mk_agent' +checkmk_server__ssh_command: '{{ "/usr/bin/sudo " if (checkmk_server__ssh_user != "root") else "" }}/usr/bin/check_mk_agent' - -# .. envvar:: checkmk_server__ssh_options + # ]]] +# .. envvar:: checkmk_server__ssh_arguments [[[ # # SSH arguments used when querying the Check_MK agent. For possible options # check :command:`man 5 ssh_config`. checkmk_server__ssh_arguments: '-o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=10s' + # ]]] + # ]]] +# Multisite Web Configuration [[[ +# ------------------------------- - -# --------------------------- -# Multisite Web Configuration -# --------------------------- - -# .. envvar:: checkmk_server__multisite_slave +# .. envvar:: checkmk_server__multisite_slave [[[ # # Indicate if this site is a distributed monitoring slave which receives the # Check_MK configuration from another Check_MK server instance. checkmk_server__multisite_slave: False - -# .. envvar:: checkmk_server__multisite_livestatus + # ]]] +# .. envvar:: checkmk_server__multisite_livestatus [[[ # # Enable multisite Livestatus service. This is required for distributed # monitoring of this site. checkmk_server__multisite_livestatus: '{{ True if checkmk_server__multisite_slave|d() else False }}' - -# .. 
envvar:: checkmk_server__multisite_config_path + # ]]] +# .. envvar:: checkmk_server__multisite_config_path [[[ # # Configuration path for Check_MK multisite configurations. Relative to the # site's chroot directory. checkmk_server__multisite_config_path: 'etc/check_mk/multisite.d' - -# .. envvar:: checkmk_server__multisite_config_map + # ]]] +# .. envvar:: checkmk_server__multisite_config_map [[[ # # List of dictionaries which will generate the Check_MK multisite # configuration in :envvar:`checkmk_server__multisite_config_path`. 
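Review bot: The heading corrected to `checkmk_server__ssh_arguments` in this hunk documents a default that carries `-o StrictHostKeyChecking=no`, yet the comment does not say that host key verification is switched off. With that default the monitoring server accepts unknown host keys without verification, so agent output fetched over SSH is not bound to a known host. I would extend the comment with `# Note: the default turns off host key verification (StrictHostKeyChecking=no); distribute known host keys and set it to yes where agent identity matters.` The `checkmk_server__ssh_command` change in the same hunk (empty string instead of `omit`) looks correct.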
@@ -256,71 +264,71 @@ checkmk_server__multisite_config_map: '{{ checkmk_server__multisite_cfg_wato_hos checkmk_server__multisite_cfg_wato_aux_tags + checkmk_server__multisite_cfg_roles }}' - -# .. envvar:: checkmk_server__multisite_cfg_default_hosttags + # ]]] +# .. envvar:: checkmk_server__multisite_cfg_wato_host_tags [[[ # # Multisite ``wato_host_tags`` variable definition. checkmk_server__multisite_cfg_wato_host_tags: - name: 'wato_host_tags' value: '{{ checkmk_server__multisite_default_wato_host_tags }}' - -# .. envvar:: checkmk_server__multisite_default_wato_host_tags + # ]]] +# .. envvar:: checkmk_server__multisite_default_wato_host_tags [[[ # # Default upstream host tag configuration with additional ``cmk-agent-ssh`` tag # to indicate SSH-based Check_MK agents. checkmk_server__multisite_default_wato_host_tags: - agent: 'Agent type': - - cmk-agent-ssh: + - 'cmk-agent-ssh': 'Check_MK Agent (ssh)': [] - - cmk-agent: + - 'cmk-agent': 'Check_MK Agent (xinetd)': ['tcp'] - - snmp-only: + - 'snmp-only': 'SNMP (Networking device, Appliance)': ['snmp'] - - snmp-v1: + - 'snmp-v1': 'Legacy SNMP device (using V1)': ['snmp'] - - snmp-tcp: + - 'snmp-tcp': 'Dual: Check_MK Agent + SNMP': ['snmp', 'tcp'] - - ping: + - 'ping': 'No Agent': [] - criticality: 'Criticality': - - prod: + - 'prod': 'Productive system': [] - - critical: + - 'critical': 'Business critical': [] - - test: + - 'test': 'Test system': [] - - offline: + - 'offline': 'Do not monitor this host': [] - networking: 'Networking Segment': - - lan: + - 'lan': 'Local network (low latency)': [] - - wan: + - 'wan': 'WAN (high latency)': [] - dmz: 'DMZ (low latency, secure access)': [] - -# .. envvar:: checkmk_server__multisite_cfg_wato_aux_tags + # ]]] +# .. envvar:: checkmk_server__multisite_cfg_wato_aux_tags [[[ # # Multisite ``wato_aux_tags`` variable definition. checkmk_server__multisite_cfg_wato_aux_tags: - name: 'wato_aux_tags' value: '{{ checkmk_server__multisite_default_wato_aux_tags }}' - -# .. 
envvar:: checkmk_server__multisite_default_wato_aux_tags + # ]]] +# .. envvar:: checkmk_server__multisite_default_wato_aux_tags [[[ # # Default upstream auxiliary tags configuration. checkmk_server__multisite_default_wato_aux_tags: - snmp: 'monitor via SNMP' - tcp: 'monitor via Check_MK Agent' - -# .. envvar:: checkmk_server__multisite_cfg_roles + # ]]] +# .. envvar:: checkmk_server__multisite_cfg_roles [[[ # # Multisite user ``roles`` configuration. checkmk_server__multisite_cfg_roles: @@ -329,10 +337,10 @@ checkmk_server__multisite_cfg_roles: combine(checkmk_server__multisite_debops_roles, recursive=True) | combine(checkmk_server__multisite_custom_roles, recursive=True) }}' - -# .. envvar:: checkmk_server__multisite_default_roles + # ]]] +# .. envvar:: checkmk_server__multisite_default_roles [[[ # -# Default upstream multisite user role definitions. +# Default upstream Multisite user role definitions. checkmk_server__multisite_default_roles: admin: alias: 'Administrator' @@ -347,8 +355,8 @@ checkmk_server__multisite_default_roles: builtin: True permissions: {} - -# .. envvar:: checkmk_server__multisite_debops_roles + # ]]] +# .. envvar:: checkmk_server__multisite_debops_roles [[[ # # Multisite user role definitions used by the Ansible role. checkmk_server__multisite_debops_roles: 
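Review bot: The tag quoting in `checkmk_server__multisite_default_wato_host_tags` is applied to every tag ID except `dmz`, which stays a bare key in the `networking` group while `lan` and `wan` next to it are now quoted. For consistency that line should read `- 'dmz':`. YAML parses both forms to the same string, so this is a point of style only.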
@@ -356,29 +364,29 @@ checkmk_server__multisite_debops_roles: alias: 'Automation API' basedon: 'user' permissions: - general.see_all: True - wato.all_folders: True - wato.hosttags: True - wato.see_all_folders: True - wato.seeall: True - wato.use: True - + 'general.see_all': True + 'wato.all_folders': True + 'wato.hosttags': True + 'wato.see_all_folders': True + 'wato.seeall': True + 'wato.use': True -# .. envvar:: checkmk_server__multisite_custom_roles + # ]]] +# .. envvar:: checkmk_server__multisite_custom_roles [[[ # # Custom multisite user role definitions. checkmk_server__multisite_custom_roles: {} - -# .. envvar:: checkmk_server__multisite_users + # ]]] +# .. envvar:: checkmk_server__multisite_users [[[ # # Locally defined multisite users to be configured. See # :ref:`checkmk_server__multisite_users` for more information. checkmk_server__multisite_users: '{{ checkmk_server__multisite_debops_users | combine(checkmk_server__multisite_custom_users, recursive=True) }}' - -# .. envvar:: checkmk_server__multisite_default_users: + # ]]] +# .. envvar:: checkmk_server__multisite_debops_users [[[ # # Multisite user definitions used by the Ansible role. checkmk_server__multisite_debops_users: @@ -391,14 +399,14 @@ checkmk_server__multisite_debops_users: password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' roles: [ 'admin' ] - -# .. envvar:: checkmk_server__multisite_custom_users: + # ]]] +# .. envvar:: checkmk_server__multisite_custom_users [[[ # # Custom multisite user definitions. checkmk_server__multisite_custom_users: {} - -# .. envvar:: checkmk_server__multisite_user_defaults + # ]]] +# .. envvar:: checkmk_server__multisite_user_defaults [[[ # # Default user properties for local users defined in # :envvar:`checkmk_server__multisite_users` 
@@ -409,15 +417,15 @@ checkmk_server__multisite_user_defaults: roles: [ 'user' ] start_url: 'dashboard.py' - -# .. envvar:: checkmk_server__multisite_user_connections + # ]]] +# .. envvar:: checkmk_server__multisite_user_connections [[[ # # LDAP user synchronization connection settings. See # :ref:`checkmk_server__multisite_user_connections` for more information. checkmk_server__multisite_user_connections: [] - -# .. envvar:: checkmk_server__multisite_user_connection_defaults + # ]]] +# .. envvar:: checkmk_server__multisite_user_connection_defaults [[[ # # Default properties for LDAP user connections defined in # :envvar:`checkmk_server__multisite_user_connections` @@ -437,15 +445,15 @@ checkmk_server__multisite_user_connection_defaults: user_id_umlauts: 'keep' user_scope: 'sub' - -# .. envvar:: checkmk_server__distributed_sites + # ]]] +# .. envvar:: checkmk_server__distributed_sites [[[ # # Distributed monitoring sites configuration. For more details see # :ref:`checkmk_server__ref_distributed_sites` checkmk_server__distributed_sites: {} - -# .. envvar:: checkmk_server__distributed_sites_defaults + # ]]] +# .. envvar:: checkmk_server__distributed_sites_defaults [[[ # # Default sites properties for distributed monitoring. checkmk_server__distributed_sites_defaults: @@ -463,20 +471,19 @@ checkmk_server__distributed_sites_defaults: timeout: 10 url_prefix: '' user_login: True + # ]]] + # ]]] +# Monitoring Rules [[[ +# -------------------- - -# ---------------- -# Monitoring Rules -# ---------------- - -# .. envvar:: checkmk_server__site_config_path +# .. envvar:: checkmk_server__site_config_path [[[ # # Configuration path for Check_MK main configurations. Relative to the site's # chroot directory. checkmk_server__site_config_path: 'etc/check_mk/conf.d' - -# .. envvar:: checkmk_server__site_config_map + # ]]] +# .. envvar:: checkmk_server__site_config_map [[[ # # List of configuration dictionaries which will generate the Check_MK # monitoring definitions. 
@@ -489,11 +496,11 @@ checkmk_server__site_config_map: '{{ checkmk_server__site_cfg_contactgroups + checkmk_server__site_cfg_notification_defaults + checkmk_server__site_cfg_software_inventory }}' - -# .. envvar:: checkmk_server__contact_defaults + # ]]] +# .. envvar:: checkmk_server__contact_defaults [[[ # # Default contact properties. For a list of valid contact properties -# see `checkmk_server__contact_properties` defined in :file:`vars/main.yml`. +# see ``checkmk_server__contact_properties`` defined in :file:`vars/main.yml`. # They are described under :envvar:`checkmk_server__multisite_users`. checkmk_server__contact_defaults: contactgroups: [ 'all' ] @@ -506,8 +513,8 @@ checkmk_server__contact_defaults: pager: '' service_notification_options: 'wucrfs' - -# .. envvar:: checkmk_server__site_cfg_contactgroups + # ]]] +# .. envvar:: checkmk_server__site_cfg_contactgroups [[[ # # Define default contact group for all contacts. checkmk_server__site_cfg_contactgroups: @@ -515,14 +522,14 @@ checkmk_server__site_cfg_contactgroups: value: all: 'Everything' - -# .. envvar:: checkmk_server__site_cfg_rules + # ]]] +# .. envvar:: checkmk_server__site_cfg_rules [[[ # # Define Check_MK monitoring rules. checkmk_server__site_cfg_rules: '{{ checkmk_server__site_upstream_rules }}' - -# .. envvar:: checkmk_server__site_upstream_rules + # ]]] +# .. envvar:: checkmk_server__site_upstream_rules [[[ # # Default upstream rule definitions. checkmk_server__site_upstream_rules: 
@@ -549,24 +556,24 @@ checkmk_server__site_upstream_rules: tags: [ 'wan' ] description: 'Allow longer round trip times when pinging WAN hosts' - -# .. envvar:: checkmk_server__site_cfg_hostgroups + # ]]] +# .. envvar:: checkmk_server__site_cfg_hostgroups [[[ # # Define host groups. checkmk_server__site_cfg_hostgroups: - name: 'define_hostgroups' value: {} - -# .. envvar:: checkmk_server__site_cfg_servicegroups + # ]]] +# .. envvar:: checkmk_server__site_cfg_servicegroups [[[ # # Define service groups. checkmk_server__site_cfg_servicegroups: - name: 'define_servicegroups' value: {} - -# .. envvar:: checkmk_server__site_cfg_datasource_programs + # ]]] +# .. envvar:: checkmk_server__site_cfg_datasource_programs [[[ # # Define additional ``datasource_programs`` for agent access via SSH. checkmk_server__site_cfg_datasource_programs: 
@@ -575,24 +582,24 @@ checkmk_server__site_cfg_datasource_programs: tags: [ 'cmk-agent-ssh' ] description: 'Check_MK Agent via SSH' - -# .. envvar:: checkmk_server__site_cfg_software_inventory: + # ]]] +# .. envvar:: checkmk_server__site_cfg_software_inventory [[[ # # Check_MK rules for enabling software inventory check. This check can be # enabled/disabled by setting :envvar:`checkmk_server__software_inventory`. checkmk_server__site_cfg_software_inventory: - name: 'inventory_check_interval' value: 1440 - rule_state: '{{ "present" if checkmk_server__software_inventory|d() | bool + rule_state: '{{ "present" if (checkmk_server__software_inventory|d() | bool) else "absent" }}' - name: 'active_checks' element: 'cmk_inv' description: 'Enable collection of hardware/software information' - rule_state: '{{ "present" if checkmk_server__software_inventory|d() | bool + rule_state: '{{ "present" if (checkmk_server__software_inventory|d() | bool) else "absent" }}' - -# .. envvar:: checkmk_server__site_cfg_notification_defaults + # ]]] +# .. envvar:: checkmk_server__site_cfg_notification_defaults [[[ # # Set fallback email address for rule based notifications. Must be set # including domain otherwise it won't be accepted by Check_MK. @@ -601,12 +608,12 @@ checkmk_server__site_cfg_notification_defaults: filename: 'global.mk' template: 'key_value' value: '{{ ansible_local.core.admin_public_email[0] - if ("core" in ansible_local) and - ("admin_public_email" in ansible_local.core) + if (("core" in ansible_local) and + ("admin_public_email" in ansible_local.core)) else "root@" + ansible_domain }}' - -# .. envvar:: checkmk_server__site_cfg_netif_description + # ]]] +# .. envvar:: checkmk_server__site_cfg_netif_description [[[ # # Set interface name instead of index for network interface check via # ``if_inventory_uses_description``. 
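Review bot: The fallback in `checkmk_server__site_cfg_notification_defaults` can produce an address without a domain: `"root@" + ansible_domain` yields `root@` when `ansible_domain` is empty, which the comment above the variable says Check_MK will not accept. `checkmk_server__omd_config_email` already covers that case with `ansible_domain if ansible_domain else ansible_hostname`, and the same expression fits here: `else "root@" + (ansible_domain if ansible_domain else ansible_hostname) }}'`. The condition also tests `"core" in ansible_local` without the `ansible_local|d()` guard that `checkmk_server__hostname` uses in this commit, so it presumably fails on a host that has no local facts. The first lines of this list entry sit outside the hunk.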
@@ -617,29 +624,28 @@ checkmk_server__site_cfg_netif_description: value: 'True' wato: False - -# .. envvar:: checkmk_server__site_packages + # ]]] +# .. envvar:: checkmk_server__site_packages [[[ # # Additional Check_MK packages (MKP) to be installed. See # :ref:`checkmk_server__site_packages` for more information. checkmk_server__site_packages: [] + # ]]] + # ]]] +# PKI Configuration [[[ +# --------------------- - -# ----------------- -# PKI Configuration -# ----------------- - -# .. envvar:: checkmk_server__pki +# .. envvar:: checkmk_server__pki [[[ # # Enable or disable support for HTTPS in Check_MK server (using -# ``debops.pki``). +# debops.pki_). checkmk_server__pki: '{{ (True if (ansible_local|d() and ansible_local.pki|d() and ansible_local.pki.enabled|d() | bool) else False) | bool }}' - -# .. envvar:: checkmk_server__pki_path + # ]]] +# .. envvar:: checkmk_server__pki_path [[[ # # Base path for PKI directory. checkmk_server__pki_path: '{{ ansible_local.pki.path @@ -647,8 +653,8 @@ checkmk_server__pki_path: '{{ ansible_local.pki.path ansible_local.pki.path|d()) else "/etc/pki/realms" }}' - -# .. envvar:: checkmk_server__pki_realm + # ]]] +# .. envvar:: checkmk_server__pki_realm [[[ # # Default PKI realm used by Check_MK server. checkmk_server__pki_realm: '{{ ansible_local.pki.realm 
@@ -656,26 +662,26 @@ checkmk_server__pki_realm: '{{ ansible_local.pki.realm ansible_local.pki.realm|d()) else "domain" }}' - -# .. envvar:: checkmk_server__pki_ca + # ]]] +# .. envvar:: checkmk_server__pki_ca [[[ # -# Root CA certificate, relative to ``checkmk_server__pki_realm``. +# Root CA certificate, relative to :envvar:`checkmk_server__pki_realm`. checkmk_server__pki_ca: 'CA.crt' - -# .. envvar:: checkmk_server__pki_crt + # ]]] +# .. envvar:: checkmk_server__pki_crt [[[ # -# Host certificate, relative to ``checkmk_server__pki_realm``. +# Host certificate, relative to :envvar:`checkmk_server__pki_realm`. checkmk_server__pki_crt: 'default.crt' - -# .. envvar:: checkmk_server__pki_key + # ]]] +# .. envvar:: checkmk_server__pki_key [[[ # -# Host private key, relative to ``checkmk_server__pki_realm``. +# Host private key, relative to :envvar:`checkmk_server__pki_realm`. checkmk_server__pki_key: 'default.key' - -# .. envvar:: checkmk_server__tls_options + # ]]] +# .. envvar:: checkmk_server__tls_options [[[ # # Additional Apache mod_ssl options. Valid configuration keys: # ``SSLCipherSuite``, ``SSLHonorCipherOrder``, ``SSLProtocols``, @@ -683,3 +689,6 @@ checkmk_server__pki_key: 'default.key' checkmk_server__tls_options: SSLHonorCipherOrder: 'On' SSLCipherSuite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' + # ]]] + # ]]] + # ]]] diff --git a/docs/credits.rst b/docs/credits.rst index 5d4ccf8..1209468 100644 --- a/docs/credits.rst +++ b/docs/credits.rst @@ -1,6 +1,8 @@ Credits ======= +.. include:: includes/all.rst + * Reto Gantenbein - * author of the ``debops.checkmk_server`` role + * author of the debops-contrib.checkmk_server_ role diff --git a/docs/defaults-configuration.rst b/docs/defaults-detailed.rst similarity index 91% rename from docs/defaults-configuration.rst rename to docs/defaults-detailed.rst index b40a425..2a3e98c 100644 --- a/docs/defaults-configuration.rst 
+++ b/docs/defaults-detailed.rst @@ -1,7 +1,9 @@ -Default variables: configuration +Default variable details ================================ -Some of the ``debops.checkmk_server`` default variables have more extensive +.. include:: includes/all.rst + +Some of the debops-contrib.checkmk_server_ default variables have more extensive configuration than simple strings or lists, here you can find documentation and examples for them. @@ -35,8 +37,8 @@ This configuration variable indicates if SSH keys should be configured for accessing the Check_MK agent. If set to a non-empty value a additional Check_MK host tag "Check_MK Agent via SSH" is configured and the SSH public key is set as Ansible fact, so that it can be used by the -``debops.checkmk_agent`` role to configure SSH-based agent access. The -``checkmk_server__sshkeys`` variable is a dictionary which support the +debops-contrib.checkmk_agent_ role to configure SSH-based agent access. The +:envvar:`checkmk_server__sshkeys` variable is a dictionary which support the following keys: ``generate_keypair`` @@ -84,10 +86,8 @@ as a list of YAML dictionaries with the following configuration keys. One of ``checksum`` Optional. Checksum of the download archive given in the ``url`` parameter. - Cannot be combined with the ``path`` parameter. For the accepted parameter - format check the Ansible `get_url module`_ documentation. - -.. _get_url module: https://docs.ansible.com/ansible/get_url_module.html#options + Cannot be combined with the ``path`` parameter. Refer to the `Ansible get_url + module`_ for the accepted parameter format. .. _checkmk_server__multisite_users: 
@@ -260,11 +260,11 @@ via Ansible inventory: Optional. List of failover LDAP host names. ``group_filter`` - Optional. Group search filter (e.g. ``(objectclass=groupOfNames)``). This + Optional. Group search filter (e. g. ``(objectclass=groupOfNames)``). This will overwrite the default set by ``item.directory_type``. ``group_member`` - Optional. Group member attribute name (e.g. ``member``). + Optional. Group member attribute name (e. g. ``member``). ``group_scope`` Optional. Group search scope. Allowed values are ``sub`` (search whole @@ -297,14 +297,14 @@ via Ansible inventory: ``True`` or ``False``. Defaults to: ``False`` ``user_filter`` - Optional. User search filter (e.g. ``(objectclass=account)``). This + Optional. User search filter (e. g. ``(objectclass=account)``). This will overwrite the default set by ``item.directory_type``. ``user_filter_group`` Optional. Filter users by group. ``user_id`` - Optional. User ID attribute name (e.g. ``uid``). + Optional. User ID attribute name (e. g. ``uid``). ``user_id_umlauts`` Optional. Translate Umlauts in user IDs (deprecated). Allowed values are 
@@ -415,21 +415,23 @@ Example ~~~~~~~ Small example configuration for user authentication via LDAP showing the use -of some LDAP plugins:: - - checkmk_server__multisite_user_connections: - - server: 'localhost' - binddn: 'cn=admin,dc=example,dc=com' - bindpw: 'secret' - group_dn: 'ou=groups,dc=example,dc=com' - user_dn: 'ou=users,dc=example,dc=com' - user_filter: '(objectclass=posixAccount)' - active_plugins: - alias: - attr: 'gecos' - groups_to_roles: - admin: - - group_dn: 'cn=wato-admin,ou=groups,dc=example,dc=com' +of some LDAP plugins: + +.. code-block:: yaml + + checkmk_server__multisite_user_connections: + - server: 'localhost' + binddn: 'cn=admin,dc=example,dc=com' + bindpw: 'secret' + group_dn: 'ou=groups,dc=example,dc=com' + user_dn: 'ou=users,dc=example,dc=com' + user_filter: '(objectclass=posixAccount)' + active_plugins: + alias: + attr: 'gecos' + groups_to_roles: + admin: + - group_dn: 'cn=wato-admin,ou=groups,dc=example,dc=com' This will synchronize all users in from the DN ``ou=users,dc=example,dc=com`` to WATO, fills the user's alias property with the value from the ``gecos`` @@ -442,7 +444,7 @@ group. checkmk_server__distributed_sites --------------------------------- -This setting will define Check_MK multisite connections to other Check_MK +This setting will define Check_MK Multisite connections to other Check_MK monitoring sites. Each site entry is a nested YAML dictionary with the site name as top key. The following sub keys are supported as site properties. @@ -459,7 +461,7 @@ name as top key. The following sub keys are supported as site properties. Optional. Ignore SSL certificate errors. Defaults to ``False``. ``multisiteurl`` - Optional. URL of the remote Check_MK site including ``/check_mk/``. This + Optional. URL of the remote Check_MK site including :file:`/check_mk/`. This will be used by the main site to fetch resources from this site. ``password`` 
@@ -525,4 +527,4 @@ via Ansible inventory. A lot of parameter descriptions are copied from the upstream source code which is copyrighted by `Mathias Kettner `_ and released under the -`GNU Public License v2 `_. +`GPL-2.0 `_. diff --git a/docs/getting-started.rst b/docs/getting-started.rst index 0d451b9..7cac997 100644 --- a/docs/getting-started.rst +++ b/docs/getting-started.rst @@ -1,6 +1,8 @@ Getting started =============== +.. include:: includes/all.rst + .. contents:: :local: @@ -28,7 +30,7 @@ to install Check_MK server: .. literalinclude:: playbooks/checkmk_server.yml :language: yaml -The inclusion of the ``debops.ferm`` is optional. This playbooks is shipped +The inclusion of the debops.ferm_ is optional. This playbooks is shipped with this role under :file:`docs/playbooks/checkmk_server.yml` from which you can symlink it to your playbook directory. @@ -37,9 +39,9 @@ Ansible tags ------------ You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what -tasks are performed during Ansible run. This can be used after host is first +tasks are performed during Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the -configuration has not been changed. +configuration is already in the desired state. Available role tags: diff --git a/docs/guides.rst b/docs/guides.rst index 8ed46e7..71d04b8 100644 --- a/docs/guides.rst +++ b/docs/guides.rst 
@@ -19,20 +19,24 @@ However, it is possible to define an alternative installation sources for the ``check-mk-raw`` package: * In case the package is managed in a custom Apt repository the package - name can be specified. E.g.:: + name can be specified. E.g.: - checkmk_server__raw_package: 'check-mk-raw-{{ checkmk_server__version }}' + .. code-block:: yaml + + checkmk_server__raw_package: 'check-mk-raw-{{ checkmk_server__version }}' .. topic:: Important - The application version is always part of the package name. This will - allow multiple versions to be installed at once. + The application version is always part of the package name. This will + allow multiple versions to be installed at once. * If no direct Internet connection and no local repository is available, for example in a simple Vagrant environment, a local file path can be - defined. E.g.:: + defined. E.g.: + + .. code-block:: yaml - checkmk_server__raw_package: '/vagrant/check-mk-raw-{{ checkmk_server__version }}_0.{{ ansible_distribution_release }}_amd64.deb' + checkmk_server__raw_package: '/vagrant/check-mk-raw-{{ checkmk_server__version }}_0.{{ ansible_distribution_release }}_amd64.deb' .. _checkmk_server_manual_site: 
@@ -43,11 +47,13 @@ Manually setup Monitoring Site By default the role will setup a monitoring site named according to :envvar:`checkmk_server__site`. Sometimes it might be desired to not let Ansible generate a site configuration by itself but use the :program:`omd` -tool manually instead. This can be achieved by simply setting:: +tool manually instead. This can be achieved by simply setting: + +.. code-block:: yaml - checkmk_server__site: False + checkmk_server__site: False When not managing the site configuration through Ansible, the -`debops-contrib/checkmk_agent` role won't be able to auto-detect the server +``debops-contrib.checkmk_agent`` role won't be able to auto-detect the server properties. They need to be specified manually in the Ansible inventory. For more details check the agent role documentation. diff --git a/docs/includes/all.rst b/docs/includes/all.rst new file mode 100644 index 0000000..73b2598 --- /dev/null +++ b/docs/includes/all.rst @@ -0,0 +1 @@ +.. include:: includes/global.rst diff --git a/docs/index.rst b/docs/index.rst index 5f055e2..db07bcb 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -1,5 +1,5 @@ -Ansible role: debops.checkmk_server -=================================== +Ansible role: debops-contrib.checkmk_server +=========================================== .. toctree:: :maxdepth: 2 @@ -7,7 +7,7 @@ Ansible role: debops.checkmk_server introduction getting-started defaults - defaults-configuration + defaults-detailed guides copyright credits diff --git a/docs/introduction.rst b/docs/introduction.rst index 1ec03b2..b785da4 100644 --- a/docs/introduction.rst +++ b/docs/introduction.rst 
@@ -1,20 +1,18 @@ Introduction ============ -``debops.checkmk_server`` is an Ansible_ role which installs and manages +.. include:: includes/all.rst + +debops-contrib.checkmk_server_ is an Ansible_ role which installs and manages Check_MK_, a Nagios-based system monitoring solution. Check_MK supports different monitoring backends such as Nagios_ or Icinga_ (v1.x) and features a powerful configuration language for creating check inventories. -.. _Ansible: https://www.ansible.com/ -.. _Check_MK: http://mathias-kettner.com/check_mk.html -.. _Nagios: https://www.nagios.org/ -.. _Icinga: https://www.icinga.org/ Installation ~~~~~~~~~~~~ -This role requires at least Ansible ``v2.1.1``. To install it, run: +This role requires at least Ansible ``v2.1.5``. To install it, run: .. code-block:: console diff --git a/meta/main.yml b/meta/main.yml index e4d6012..fc40342 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -10,8 +10,8 @@ galaxy_info: company: 'DebOps' author: Reto Gantenbein description: 'Setup Check_MK monitoring server' - license: 'GPLv3' - min_ansible_version: '2.1.1' + license: 'GPL-3.0' + min_ansible_version: '2.1.5' platforms: diff --git a/tasks/main.yml b/tasks/main.yml index 16b84f9..974a786 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,5 @@ --- +# vim: foldmarker=[[[,]]]:foldmethod=marker - name: Install prerequisite packages apt: @@ -23,7 +24,9 @@ - name: Install local Check_MK RAW package apt: - deb: '{{ "/var/cache/apt/archives/" + (checkmk_server__raw_package | basename) if checkmk_server_register_download|d() else checkmk_server__raw_package }}' + deb: '{{ ("/var/cache/apt/archives/" + (checkmk_server__raw_package | basename)) + if checkmk_server_register_download|d() + else checkmk_server__raw_package }}' state: present ignore_errors: '{{ ansible_check_mode }}' register: checkmk_server_register_deb_install 
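Review bot: The `deb:` value in "Install local Check_MK RAW package" (tasks/main.yml, `@@ -23,7 +24,9 @@`) is installed with no integrity check visible in this hunk. A package file handed to the `apt` module through `deb:` is installed directly, so the repository signature verification that protects normal `apt` installs does not cover it. When `checkmk_server_register_download` is set, the file is taken from `/var/cache/apt/archives/`, and the task that fetches it lies outside the hunk, so whether it pins a digest cannot be seen here. If that task uses `get_url`, adding `checksum: 'sha256:<expected digest of the release>'` there would close the gap. The parentheses added by this change only make the existing evaluation order explicit.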
@@ -131,7 +134,7 @@ register: checkmk_server_register_local_facts when: checkmk_server__sshkeys|d() -- name: Re-read local facts if they have been changed +- name: Gather facts if they were modified action: setup when: checkmk_server_register_local_facts|d() and (checkmk_server_register_local_facts | changed) diff --git a/tasks/site.yml b/tasks/site.yml index b7c178c..9cbd60d 100644 --- a/tasks/site.yml +++ b/tasks/site.yml @@ -1,7 +1,7 @@ --- -# -# Check_MK site configuration -# +# vim: foldmarker=[[[,]]]:foldmethod=marker + +# Check_MK site configuration [[[1 - name: Get Check_MK default version stat: path: '/omd/versions/default' diff --git a/tasks/users.yml b/tasks/users.yml index d9883cf..20ea697 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -1,7 +1,7 @@ --- -# -# Read existing Check_MK configuration -# +# vim: foldmarker=[[[,]]]:foldmethod=marker + +# Read existing Check_MK configuration [[[1 - name: Wait for the site to be started wait_for: path: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' @@ -35,9 +35,7 @@ tags: [ 'role::checkmk_server:multisite' ] -# -# Check_MK multisite authentication -# +# Check_MK Multisite authentication [[[1 - name: Set local httpd user passwords htpasswd: path: '{{ checkmk_server__site_home }}/etc/htpasswd' @@ -52,7 +50,7 @@ with_items: '{{ checkmk_server__multisite_users|d({})|list }}' tags: [ 'role::checkmk_server:multisite' ] -- name: Create Web directory for multisite users +- name: Create Web directory for Multisite users file: path: '{{ checkmk_server__site_home }}/var/check_mk/web/{{ item }}' state: directory 
@@ -71,7 +69,7 @@ when: ("automation_secret" in checkmk_server__multisite_users[item]) with_items: '{{ checkmk_server__multisite_users|d({})|list }}' -- name: Generate Check_MK multisite user definitions +- name: Generate Check_MK Multisite user definitions template: src: 'etc/check_mk/multisite.d/wato/users.mk.j2' dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' diff --git a/tasks/wato.yml b/tasks/wato.yml index 1e79bde..2a28ea1 100644 --- a/tasks/wato.yml +++ b/tasks/wato.yml @@ -1,7 +1,7 @@ --- -# -# Check_MK multisite/WATO configuration -# +# vim: foldmarker=[[[,]]]:foldmethod=marker + +# Check_MK Multisite/WATO configuration [[[ - name: Login on slave sites uri: url: '{{ checkmk_server__distributed_sites[item].multisiteurl }}/login.py' @@ -15,7 +15,7 @@ else checkmk_server__distributed_sites_defaults.password), "_origtarget=automation_login.py", "_plain_error=1" ] | join("&") }}' - force_basic_auth: yes + force_basic_auth: True user: '{{ checkmk_server__distributed_sites[item].username if "username" in checkmk_server__distributed_sites[item] else checkmk_server__distributed_sites_defaults.username }}' @@ -28,7 +28,7 @@ else checkmk_server__distributed_sites_defaults.insecure }}' register: checkmk_server__register_multisite_login ignore_errors: '{{ ansible_check_mode }}' - when: not item == checkmk_server__site + when: item != checkmk_server__site with_items: '{{ checkmk_server__distributed_sites|d([]) }}' - name: Get Multisite distribution secrets 
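Review bot: The "Login on slave sites" task in tasks/wato.yml (`@@ -15,7 +15,7 @@`) builds a request body containing the site password and registers the result, but no `no_log` is visible in the lines shown, so the password may appear in verbose output or failure messages. Adding `no_log: True` next to `register: checkmk_server__register_multisite_login` would prevent that; the task's middle lines fall between this hunk and `@@ -28,7 +28,7 @@`, so it may already be set there. `force_basic_auth: True` sends the credentials on the first request, and the per-site `insecure` value in the following hunk appears to control certificate validation, in which case enabling it would send the password to a server whose identity is not verified. A short comment on the task such as `# credentials are sent even when certificate checks are disabled via "insecure"` would make that trade-off visible to operators. The start of the `body` expression is outside the hunk, so whether the password is URL-encoded before `join("&")` cannot be confirmed from here.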
@@ -51,20 +51,20 @@ group: '{{ checkmk_server__group }}' tags: [ 'role::checkmk_server:multisite' ] -- name: Generate Check_MK WATO multisite definitions +- name: Generate Check_MK WATO Multisite definitions template: src: '{{ lookup("template_src", "etc/check_mk/multisite.d/wato/" + item | basename) }}' dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/{{ item | basename | replace(".j2", "") }}' owner: '{{ checkmk_server__user }}' group: '{{ checkmk_server__group }}' mode: '{{ "0660" - if item | basename | replace(".j2", "") in [ "hosttags.mk", "users.mk", "user_connections.mk" ] + if (item|basename | replace(".j2", "")) in [ "hosttags.mk", "users.mk", "user_connections.mk" ] else "0644" }}' with_fileglob: [ '../templates/etc/check_mk/multisite.d/wato/*.mk.j2' ] notify: [ 'Reload Check_MK configuration' ] tags: [ 'role::checkmk_server:rules', 'role::checkmk_server:multisite' ] -- name: Generate Check_MK custom multisite definitions +- name: Generate Check_MK custom Multisite definitions template: src: 'etc/check_mk/multisite.d/custom.mk.j2' dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/{{ item["filename"] }}' @@ -83,7 +83,7 @@ owner: '{{ checkmk_server__user }}' group: '{{ checkmk_server__group }}' mode: '{{ "0660" - if item | basename | replace(".j2", "") in [ "contacts.mk" ] + if (item|basename | replace(".j2", "")) in [ "contacts.mk" ] else "0644" }}' with_fileglob: [ '../templates/etc/check_mk/conf.d/wato/*.mk.j2' ] notify: [ 'Reload Check_MK configuration' ]
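Review bot: The `mode` expression in "Generate Check_MK WATO Multisite definitions" names the sensitive files and gives everything else `0644`, so any template later matched by `with_fileglob` that carries a secret is written world-readable unless someone remembers to extend the list. Inverting the default would fail closed: `mode: '{{ "0644" if (item|basename | replace(".j2", "")) in [ <files known to hold no secrets> ] else "0660" }}'`. The same pattern is used for `contacts.mk` in the `@@ -83,7 +83,7 @@` hunk and would benefit from the same change. The added parentheses only make the existing precedence explicit, since the filters already bind before `in`.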