Fix icinga2 role and tag conditions

freifunkMUC · Oct 3, 2024 · ac98a26 · ac98a26
1 parent 355559a
commit ac98a26
Show file tree

Hide file tree

Showing 9 changed files with 100 additions and 128 deletions.
diff --git a/icinga2/host.conf.jinja b/icinga2/host.conf.jinja
@@ -0,0 +1,62 @@
+#
+# {{ node_id }}
+#
+{%- set role = salt['mine.get'](node_id,'minion_role')[node_id] %}
+{%- set tags = salt['mine.get'](node_id,'minion_tags')[node_id] %}
+{%- set location = salt['mine.get'](node_id,'minion_location', tgt_type='glob')[node_id] %}
+{%- set overlay_address = salt['mine.get'](node_id,'minion_overlay_address', tgt_type='glob')[node_id] %}
+{%- set minion_external_address6 = salt['mine.get'](node_id,'minion_external_ip6', tgt_type='glob')[node_id] %}
+
+{%- if 'icinga2_server' not in tags %}
+object Endpoint "{{ node_id }}" {
+		host = "{{ node_id }}"
+}
+
+object Zone "{{ node_id }}" {
+	endpoints = [ "{{ node_id }}" ]
+	parent = "master"
+}
+{%- endif %}
+
+object Host "{{ node_id }}" {
+	import "generic-host"
+
+	display_name = "{{ node_id }}"
+	check_command = "hostalive"
+
+	{%- if 'mine_interval' not in overlay_address %}
+	address = "{{ overlay_address | regex_replace('/\d+$','') }}"
+	{%- endif %}
+
+	{%- if minion_external_address6 %}
+	# Used to determine whether a host has IPv6
+	vars.external_address_6 = "{{ minion_external_address6 }}"
+	{%- endif %}
+
+	vars.os = "Linux"
+
+	vars.role = "{{ role }}"
+
+	vars.tags = [
+	{%- for tag in tags|sort %}
+		"{{ tag }}",
+	{%- endfor %}
+	]
+
+	vars.location = "{{ location }}"
+
+	vars.disk_wfree = "4%"
+	vars.disk_cfree = "2%"
+	vars.disks["disk /"] = {
+		disk_partitions = "/"
+	}
+	{% if 'backupserver' == role %}
+	vars.disks["disk /srv"] = {
+		disk_partitions = "/srv"
+	}
+	{% elif 'buildserver' == role %}
+	vars.disks["disk /build"] = {
+		disk_partitions = "/build"
+	}
+	{% endif %}
+}
diff --git a/icinga2/host.conf.tmpl b/icinga2/host.conf.tmpl
diff --git a/icinga2/init.sls b/icinga2/init.sls
@@ -248,14 +248,13 @@ Cleanup /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/:
       - service: icinga2-service
 
   # Generate config file for every client known to pillar
-{% for node_id,data in salt['mine.get']('netbox:tag_list:icinga2_client', 'minion_id', tgt_type='pillar').items() %}
+{% for node_id in salt['mine.get']('netbox:tag_list:icinga2_client', 'minion_id', tgt_type='pillar').keys() %}
 /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/{{ node_id }}.conf:
   file.managed:
-    - source: salt://icinga2/host.conf.tmpl
+    - source: salt://icinga2/host.conf.jinja
     - template: jinja
     - context:
         node_id: {{ node_id }}
-        node_config: {{ data }}
     - require:
       - file: Create /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/
     - require_in:

diff --git a/icinga2/services/dhcp-server.conf b/icinga2/services/dhcp-server.conf
@@ -15,10 +15,10 @@ apply Service "dhcp_pool" {
 		command_endpoint = host.name
 	}
 
-	assign where host.address && host.vars.os == "Linux" && ("gateway" in host.vars.roles || "dhcp-server" in host.vars.roles)
+	assign where host.address && host.vars.os == "Linux" && host.vars.role == "nextgen-gateway"
 }
 
-apply Service "isc-dhcpd" {
+apply Service "dhcpd" {
         import "generic-service"
 
         check_command = "procs"
@@ -34,5 +34,5 @@ apply Service "isc-dhcpd" {
         max_check_attempts = 3
         retry_interval = 1m
 
-        assign where ("gateway" in host.vars.roles || "dhcp-server" in host.vars.roles)
+        assign where host.address && host.vars.os == "Linux" && host.vars.role == "nextgen-gateway"
 }
diff --git a/icinga2/services/dns.conf b/icinga2/services/dns.conf
@@ -1,11 +1,9 @@
 #
-# dns.srv.in.ffho.net
+# Check DNS servers
 #
 
-# Anycast DNS server
-
-# Check DNS servers
-apply Service "dns4" {
+# Check whether DNS servers on anycast addresses are responding
+apply Service "dns4-" for (key => value in {"VIE01" = "5.1.66.255", "MUC01" = "185.150.99.255"}) {
 	import "generic-service"
 
 	if (host.name != NodeName) {
@@ -14,13 +12,13 @@ apply Service "dns4" {
 	check_command = "dns"
 	vars.dns_lookup = "anycast01.ffmuc.net"
 	vars.dns_expected_answer = "5.1.66.255"
-	vars.dns_server = "5.1.66.255"
 
-	assign where host.address
-	ignore where "VIE01" == host.vars.location
+	vars.dns_server = value
+
+	assign where host.address && host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"])
 }
 
-apply Service "dns6" {
+apply Service "dns6-" for (key => value in {"VIE01" = "2001:678:e68:f000::", "MUC01" = "2001:678:ed0:f000::"}) {
 	import "generic-service"
 
 	if (host.name != NodeName) {
@@ -29,12 +27,14 @@ apply Service "dns6" {
 	check_command = "dns"
 	vars.dns_lookup = "anycast01.ffmuc.net"
 	vars.dns_expected_answer = "5.1.66.255"
-	vars.dns_server = "2001:678:e68:f000::"
 
-	assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "nextgen-gateway" in host.vars.roles)
+	vars.dns_server = value
+
+	assign where host.vars.external_address_6 && host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"])
 }
 
 
+# Check whether bind is running
 apply Service "named" {
 	import "generic-service"
 
@@ -51,9 +51,10 @@ apply Service "named" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "dnsserver" in host.vars.roles
+	assign where "authorative-dns" in host.vars.tags
 }
 
+# Check whether pdns recursor is running
 apply Service "pdns_recursor" {
 	import "generic-service"
 
@@ -70,10 +71,10 @@ apply Service "pdns_recursor" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles
+	assign where "recursor" in host.vars.tags
 }
 
-
+# Check whether dnsdist is running
 apply Service "dnsdist" {
 	import "generic-service"
 
@@ -90,10 +91,10 @@ apply Service "dnsdist" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles
+	assign where "dnsdist" in host.vars.tags
 }
 
-
+# Check whether nginx is running
 apply Service "nginx" {
 	import "generic-service"
 
@@ -110,5 +111,5 @@ apply Service "nginx" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "webserver-external" in host.vars.roles
+	assign where host.vars.role == "webserver-external"
 }
diff --git a/icinga2/services/docker.conf b/icinga2/services/docker.conf
@@ -3,7 +3,7 @@
 #
 
 
-# Check if graylog-sidecar is running on every node
+# Check if docker is running
 apply Service "dockerd" {
 	import "generic-service"
 
@@ -20,5 +20,5 @@ apply Service "dockerd" {
 	max_check_attempts = 3
 	retry_interval = 30s
 
-	assign where host.name == "guardian.in.ffmuc.net" || "docker" in host.vars.roles
+	assign where (host.vars.role == "docker" || "docker" in host.vars.tags)
 }
diff --git a/icinga2/services/kvm.conf b/icinga2/services/kvm.conf
@@ -3,7 +3,7 @@
 #
 
 
-# Check if graylog-sidecar is running on every node
+# Check if libvirtd is running on every node
 apply Service "libvirtd" {
 	import "generic-service"
 
@@ -20,5 +20,5 @@ apply Service "libvirtd" {
 	max_check_attempts = 3
 	retry_interval = 5m
 
-	assign where "vmhost" in host.vars.roles
+	assign where host.vars.role == "vmhost"
 }
diff --git a/icinga2/services/network.conf b/icinga2/services/network.conf
@@ -15,27 +15,6 @@ apply Service "conntrack_size" {
 	assign where host.address && host.vars.os == "Linux"
 }
 
-apply Service "dhcpd" {
-	import "generic-service"
-
-	check_command = "procs"
-
-	if (host.name != NodeName) {
-		command_endpoint = host.name
-	}
-
-	vars.procs_command = "dhcpd"
-	vars.procs_critical = "1"
-	vars.procs_warning = "1"
-	check_interval = 1m
-	max_check_attempts = 3
-	retry_interval = 30s
-
-	assign where host.address && host.vars.os == "Linux" && ("master" in host.vars.roles || "gateway" in host.vars.roles)
-}
-
-
-#
 # bird process
 apply Service "bird" {
 	import "generic-service"
@@ -53,11 +32,11 @@ apply Service "bird" {
 	max_check_attempts = 3
 	retry_interval = 3m
 
-	assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "gateway" in host.vars.roles)
+	assign where host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"])
 }
 
 # Are we able to reach the internet?
-apply Service "gw-ping4" {
+apply Service "ping4-google" {
 	import "generic-service"
 
 	check_command = "ping4"
@@ -69,13 +48,14 @@ apply Service "gw-ping4" {
 	assign where host.address
 }
 
-apply Service "gw-ping6" {
+apply Service "ping6-google" {
 	import "generic-service"
 
 	check_command = "ping6"
 	vars.ping_address = "2001:4860:4860::8888"
 	if (host.name != NodeName) {
 		command_endpoint = host.name
 	}
-	assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "gateway" in host.vars.roles)
+
+	assign where host.vars.external_address_6
 }
diff --git a/icinga2/services/ntp.conf b/icinga2/services/ntp.conf
@@ -1,16 +1,16 @@
 #
-# ntp.srv.in.ffho.net
+# NTP checks
 #
 
 
-# Check NTP servers
+# Check system clock against NTP servers
 apply Service "ntp4" {
 	import "generic-service"
 
 	check_command = "ntp_time"
 	vars.ntp_ipv4 = true
 	vars.ntp_address = "2.de.pool.ntp.org"
-	
+
 	max_check_attempts = 5
 
 	check_interval = 5m
@@ -28,15 +28,15 @@ apply Service "ntp6" {
 	check_command = "ntp_time"
 	vars.ntp_ipv6 = true
 	vars.ntp_address = "2.de.pool.ntp.org"
-	
+
 	max_check_attempts = 5
 	check_interval = 5m
 	retry_interval = 1m
-	
+
 	if (host.name != NodeName) {
 		command_endpoint = host.name
 	}
-	assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "gateway" in host.vars.roles)
+	assign where host.vars.os == "Linux" && host.vars.external_address_6
 }
 
 # Check if ntpd is running on every node