freifunkMUC · DasSkelett · Oct 8, 2024 · Oct 3, 2024 · Oct 3, 2024
@@ -50,7 +50,7 @@ salt-repo:
 apt-transport-https:
   pkg.installed
 
-python-apt:
+python3-apt:
   pkg.installed
 
 # Purge old stuff

@@ -0,0 +1,42 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy main restricted
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team. Also, please note that software in universe WILL NOT receive any
+## review or updates from the Ubuntu security team.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy universe
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy universe
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates universe
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-updates universe
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## multiverse WILL NOT receive any review or updates from the Ubuntu
+## security team.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy multiverse
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy multiverse
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates multiverse
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-updates multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted
+# deb-src http://security.ubuntu.com/ubuntu/ jammy-security main restricted
+deb http://security.ubuntu.com/ubuntu/ jammy-security universe
+# deb-src http://security.ubuntu.com/ubuntu/ jammy-security universe
+deb http://security.ubuntu.com/ubuntu/ jammy-security multiverse
+# deb-src http://security.ubuntu.com/ubuntu/ jammy-security multiverse
@@ -0,0 +1,62 @@
+#
+# {{ node_id }}
+#
+{%- set role = salt['mine.get'](node_id,'minion_role')[node_id] %}
+{%- set tags = salt['mine.get'](node_id,'minion_tags')[node_id] %}
+{%- set location = salt['mine.get'](node_id,'minion_location', tgt_type='glob')[node_id] %}
+{%- set overlay_address = salt['mine.get'](node_id,'minion_overlay_address', tgt_type='glob')[node_id] %}
+{%- set minion_external_address6 = salt['mine.get'](node_id,'minion_external_ip6', tgt_type='glob')[node_id] %}
+
+{%- if 'icinga2_server' not in tags %}
+object Endpoint "{{ node_id }}" {
+		host = "{{ node_id }}"
+}
+
+object Zone "{{ node_id }}" {
+	endpoints = [ "{{ node_id }}" ]
+	parent = "master"
+}
+{%- endif %}
+
+object Host "{{ node_id }}" {
+	import "generic-host"
+
+	display_name = "{{ node_id }}"
+	check_command = "hostalive"
+
+	{%- if 'mine_interval' not in overlay_address %}
+	address = "{{ overlay_address | regex_replace('/\d+$','') }}"
+	{%- endif %}
+
+	{%- if minion_external_address6 %}
+	# Used to determine whether a host has IPv6
+	vars.external_address_6 = "{{ minion_external_address6 }}"
+	{%- endif %}
+
+	vars.os = "Linux"
+
+	vars.role = "{{ role }}"
+
+	vars.tags = [
+	{%- for tag in tags|sort %}
+		"{{ tag }}",
+	{%- endfor %}
+	]
+
+	vars.location = "{{ location }}"
+
+	vars.disk_wfree = "4%"
+	vars.disk_cfree = "2%"
+	vars.disks["disk /"] = {
+		disk_partitions = "/"
+	}
+	{% if 'backupserver' == role %}
+	vars.disks["disk /srv"] = {
+		disk_partitions = "/srv"
+	}
+	{% elif 'buildserver' == role %}
+	vars.disks["disk /build"] = {
+		disk_partitions = "/build"
+	}
+	{% endif %}
+}
@@ -248,14 +248,13 @@ Cleanup /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/:
       - service: icinga2-service
 
   # Generate config file for every client known to pillar
-{% for node_id,data in salt['mine.get']('netbox:tag_list:icinga2_client', 'minion_id', tgt_type='pillar').items() %}
+{% for node_id in salt['mine.get']('netbox:tag_list:icinga2_client', 'minion_id', tgt_type='pillar').keys() %}
 /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/{{ node_id }}.conf:
   file.managed:
-    - source: salt://icinga2/host.conf.tmpl
+    - source: salt://icinga2/host.conf.jinja
     - template: jinja
     - context:
         node_id: {{ node_id }}
-        node_config: {{ data }}
     - require:
       - file: Create /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/
     - require_in:

@@ -15,10 +15,10 @@ apply Service "dhcp_pool" {
 		command_endpoint = host.name
 	}
 
-	assign where host.address && host.vars.os == "Linux" && ("gateway" in host.vars.roles || "dhcp-server" in host.vars.roles)
+	assign where host.address && host.vars.os == "Linux" && host.vars.role == "nextgen-gateway"
 }
 
-apply Service "isc-dhcpd" {
+apply Service "dhcpd" {
         import "generic-service"
 
         check_command = "procs"
@@ -34,5 +34,5 @@ apply Service "isc-dhcpd" {
         max_check_attempts = 3
         retry_interval = 1m
 
-        assign where ("gateway" in host.vars.roles || "dhcp-server" in host.vars.roles)
+        assign where host.address && host.vars.os == "Linux" && host.vars.role == "nextgen-gateway"
 }
@@ -1,11 +1,9 @@
 #
-# dns.srv.in.ffho.net
+# Check DNS servers
 #
 
-# Anycast DNS server
-
-# Check DNS servers
-apply Service "dns4" {
+# Check whether DNS servers on anycast addresses are responding
+apply Service "dns4-" for (key => value in {"VIE01" = "5.1.66.255", "MUC01" = "185.150.99.255"}) {
 	import "generic-service"
 
 	if (host.name != NodeName) {
@@ -14,13 +12,13 @@ apply Service "dns4" {
 	check_command = "dns"
 	vars.dns_lookup = "anycast01.ffmuc.net"
 	vars.dns_expected_answer = "5.1.66.255"
-	vars.dns_server = "5.1.66.255"
 
-	assign where host.address
-	ignore where "VIE01" == host.vars.location
+	vars.dns_server = value
+
+	assign where host.address && host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"])
 }
 
-apply Service "dns6" {
+apply Service "dns6-" for (key => value in {"VIE01" = "2001:678:e68:f000::", "MUC01" = "2001:678:ed0:f000::"}) {
 	import "generic-service"
 
 	if (host.name != NodeName) {
@@ -29,12 +27,14 @@ apply Service "dns6" {
 	check_command = "dns"
 	vars.dns_lookup = "anycast01.ffmuc.net"
 	vars.dns_expected_answer = "5.1.66.255"
-	vars.dns_server = "2001:678:e68:f000::"
 
-	assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "nextgen-gateway" in host.vars.roles)
+	vars.dns_server = value
+
+	assign where host.vars.external_address_6 && host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"])
 }
 
 
+# Check whether bind is running
 apply Service "named" {
 	import "generic-service"
 
@@ -51,9 +51,10 @@ apply Service "named" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "dnsserver" in host.vars.roles
+	assign where "authorative-dns" in host.vars.tags
 }
 
+# Check whether pdns recursor is running
 apply Service "pdns_recursor" {
 	import "generic-service"
 
@@ -70,10 +71,10 @@ apply Service "pdns_recursor" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles
+	assign where "recursor" in host.vars.tags
 }
 
-
+# Check whether dnsdist is running
 apply Service "dnsdist" {
 	import "generic-service"
 
@@ -90,10 +91,10 @@ apply Service "dnsdist" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles
+	assign where "dnsdist" in host.vars.tags
 }
 
-
+# Check whether nginx is running
 apply Service "nginx" {
 	import "generic-service"
 
@@ -110,5 +111,5 @@ apply Service "nginx" {
 	max_check_attempts = 3
 	retry_interval = 1m
 
-	assign where "webserver-external" in host.vars.roles
+	assign where host.vars.role == "webserver-external"
 }
@@ -3,7 +3,7 @@
 #
 
 
-# Check if graylog-sidecar is running on every node
+# Check if docker is running
 apply Service "dockerd" {
 	import "generic-service"
 
@@ -20,5 +20,5 @@ apply Service "dockerd" {
 	max_check_attempts = 3
 	retry_interval = 30s
 
-	assign where host.name == "guardian.in.ffmuc.net" || "docker" in host.vars.roles
+	assign where (host.vars.role == "docker" || "docker" in host.vars.tags)
 }
@@ -3,7 +3,7 @@
 #
 
 
-# Check if graylog-sidecar is running on every node
+# Check if libvirtd is running on every node
 apply Service "libvirtd" {
 	import "generic-service"
 
@@ -20,5 +20,5 @@ apply Service "libvirtd" {
 	max_check_attempts = 3
 	retry_interval = 5m
 
-	assign where "vmhost" in host.vars.roles
+	assign where host.vars.role == "vmhost"
 }