c362effe2a Remove NRPE 2021-09-07 14:33:45 -05:00
bad192e93e Refactor Nagios checks into check_by_ssh instead of NRPE
I was never particularly fond of having a random one-off daemon doing my RCE. Sure, it offers some protection, but limiting my exposure to the open internet is far preferable.

I have tremendously more trust in the OpenSSH project than I do in Nagios. And for that reason, I'll be deprecating NRPE and shredding config files once these plays clean up
2021-09-07 14:27:23 -05:00
b38bb4bf62 Fix improper tagging on NRPE role 2021-09-07 13:41:21 -05:00
1ca062d6ea Modularize declaration of Nagios commands 2021-09-07 13:37:06 -05:00
2a7d343ef1 Move SSH check into YAML declaration of services 2021-09-07 13:29:19 -05:00
5 changed files with 71 additions and 100 deletions


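--- a/playbooks/tags_nagios-nrpe.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/bin/env ansible-playbook
-# vim:ft=ansible:
----
-- hosts: tags_nagios-nrpe
-roles:
-- role: git
-vars:
-git_repos:
-- repo: https://git.desu.ltd/salt/monitoring-scripts
-dest: /usr/local/bin/monitoring-scripts
-tags: [ nrpe ]
-- role: nrpe
-vars:
-nrpe_server_bind_address: 0.0.0.0
-nrpe_server_allowed_hosts:
-- 127.0.0.0/24 # Local machines
-- 192.168.0.0/16
-- 172.16.0.0/12
-- 10.0.0.0/8
-- 45.79.24.6/32 # web3.desu.ltd
-nrpe_plugin_packages:
-- monitoring-plugins
-- nagios-plugins-contrib
-nrpe_command:
-check_disk_all:
-script: check_disk
-option: -M -u GB -X nfs -X tracefs -X cgroup -X tmpfs -X overlay -X shm -w 15% -c 10% -W 15% -K 10% -A -I '^/run/' -I '^udev$' -I '^/var/lib/kubelet/'
-check_load:
-script: check_load
-option: -r -w 0.8,0.8,0.8 -c 1.0,0.9,0.9
-check_pgsql:
-script: check_pgsql
-option: "-H localhost -l nagios -p {{ secret_postgresql_monitoring_password }} -w 2 -c 5"
-check_swap:
-script: check_swap
-option: -w 20% -c 10%
-check_users:
-script: check_users
-option: -w 3 -c 5
-nrpe_command_extra:
-check_reboot_required:
-script: /usr/local/bin/monitoring-scripts/check_reboot_required
-option: 604800
-check_systemd_ansiblepull_service:
-script: /usr/local/bin/monitoring-scripts/check_systemd_unit
-option: ansible-pull.service
-check_systemd_ansiblepull_timer:
-script: /usr/local/bin/monitoring-scripts/check_systemd_unit
-option: ansible-pull.timer
-check_systemd_backup_service:
-script: /usr/local/bin/monitoring-scripts/check_systemd_unit
-option: backup.service
-check_systemd_backup_timer:
-script: /usr/local/bin/monitoring-scripts/check_systemd_unit
-option: backup.timer
-check_systemd_docker_service:
-script: /usr/local/bin/monitoring-scripts/check_systemd_unit
-option: docker.service
-tags: [ nrpe ]
-- hosts: all
-tasks:
-- name: disable nrped when not tagged
-systemd: name={{ item }} state=stopped enabled=no
-with_items:
-- nagios-nrpe-server.service
-when: "'tags_nagios-nrpe' not in group_names and item in services"
-tags: [ nrpe, zerotier ]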

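--- /dev/null
+++ b/playbooks/tags_nagios.yml
@@ -0,0 +1,30 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- hosts: tags_nagios
+roles:
+- role: git
+vars:
+git_repos:
+- repo: https://git.desu.ltd/salt/monitoring-scripts
+dest: /usr/local/bin/monitoring-scripts
+tags: [ nagios ]
+tasks:
+- name: assure nagios plugin packages
+apt: name=monitoring-plugins,nagios-plugins-contrib
+tags: [ nagios ]
+- name: assure nagios user
+user: name=nagios-checker state=present system=yes
+tags: [ nagios ]
+- name: assure nagios user ssh key
+authorized_key:
+user: nagios-checker
+state: present
+key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNavw28C0mKIQVRLQDW2aoovliU1XCGaenDhIMwumK/ Nagios monitoring"
+tags: [ nagios ]
+- hosts: all
+tasks:
+- name: disable nagios user when not tagged
+user: name=nagios-checker state=absent remove=yes
+when: "'tags_nagios' not in group_names"
+tags: [ nagios ]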
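Review bot: The `key:` line in the assure nagios user ssh key task installs the Nagios public key with no authorized_keys options, so the key alone grants an unrestricted shell on every tags_nagios host rather than just the ability to run checks. Since check_by_ssh only needs a plain non-interactive command, add `key_options: 'from="<nagios-server-address>",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'` (the address placeholder filled in from wherever the Nagios container runs) to limit where and how the key can be used; a `command=` forced command does not fit here because the check itself travels in $ARG1$. The `apt:` and `user:` tasks use key=value argument strings while `authorized_key:` uses block YAML; the block form for all three would keep the file consistent.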


@ -1,5 +1,9 @@
# This file is managed via Ansible
# Any changes made WILL be overwritten
#
# STOP
#
# This file is managed via Ansible; any changes made WILL be overwritten
# If you need to add site-specific configuration, do it in another file!
#
# Templates
define host {
@ -37,24 +41,27 @@ define contact {
email rehashedsalt@cock.li
}
# Default hostgroup and its checks
# Default hostgroup
define hostgroup {
hostgroup_name ansible
alias Ansible-managed Hosts
}
define service {
use ansible-generic-service
service_description SSH
check_command check_ssh
hostgroup_name ansible
}
# Commands
# Everything here is defined in nagios_commands
{% if nagios_commands is defined %}
{% for command in nagios_commands %}
define command {
# This command is included in the container image
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
command_name {{ command.name }}
command_line {{ command.command }}
{% if command.extra is defined %}
{% for kvp in command.extra %}
{{ kvp.key }} {{ kvp.value }}
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
# Services
# Everything here is defined in nagios_services
@ -64,7 +71,7 @@ define service {
use ansible-generic-service
service_description {{ service.name }}
check_command {{ service.command }}
hostgroup_name {{ service.hostgroup }}
hostgroup_name {{ service.hostgroup | default('ansible', true) }}
{% if service.extra is defined %}
{% for kvp in service.extra %}
{{ kvp.key }} {{ kvp.value }}
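Review bot: The new `hostgroup_name {{ service.hostgroup | default('ansible', true) }}` line silently assigns any service whose `hostgroup` key is missing, misspelled or empty to the `ansible` hostgroup, i.e. to every managed host, and nothing in the template says so; the SSH service that this change moves out of the template into nagios_services now relies on that default. Add above that line `# No or empty hostgroup means the 'ansible' group, i.e. every managed host` so a later typo in a service's hostgroup key is not mistaken for intent. The enclosing define service block starts at the hunk header and its closing brace lies beyond the hunk. The same `extra`/kvp loop in the command block (second hunk) renders keys and values unescaped, which is acceptable only as long as nagios_commands keeps coming from the playbook's own vars.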


@ -5,6 +5,12 @@
- name: template out config for nagios
template: src=nagios-ansible.cfg.j2 dest=/data/nagios/etc/objects/ansible.cfg owner=root group=root mode=0644
vars:
nagios_commands:
# This command is included in the container image
- name: check_nrpe
command: "$USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$"
- name: check_by_ssh
command: "$USER1$/check_by_ssh -H $HOSTADDRESS$ -F /opt/nagios/etc/ssh_config -q -i /opt/nagios/etc/id_ed25519 -l nagios-checker -C \"$ARG1$\""
nagios_services:
# Agentless checks
- name: HTTP
@ -13,43 +19,38 @@
- name: HTTPS
command: check_http!--ssl
hostgroup: nagios-checkhttp
# Agented checks
- name: SSH
command: check_ssh
# check_by_ssh checks
- name: CPU Load
command: check_nrpe!check_load
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/lib/nagios/plugins/check_load -r -w 0.8,0.8,0.8 -c 1.0,0.9,0.9
- name: Disk Usage
command: check_nrpe!check_disk_all
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/lib/nagios/plugins/check_disk -M -u GB -X nfs -X tracefs -X cgroup -X tmpfs -X overlay -X shm -w 15% -c 10% -W 15% -K 10% -A -I '^/run/' -I '^udev$' -I '^/var/lib/kubelet/'
- name: Reboot Required
command: check_nrpe!check_reboot_required
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_reboot_required
- name: Unit backup.service
command: check_nrpe!check_systemd_backup_service
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit backup.service
- name: Unit backup.timer
command: check_nrpe!check_systemd_backup_timer
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit backup.timer
- name: Unit docker.service
command: check_nrpe!check_systemd_docker_service
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit docker.service
- name: Users
command: check_nrpe!check_users
hostgroup: nagios-nrpe
command: check_by_ssh!/usr/lib/nagios/plugins/check_users -w 3 -c 5
# Tag-specific checks
# ansible-pull
- name: Unit ansible-pull.service
command: check_nrpe!check_systemd_ansiblepull_service
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.service
hostgroup: ansible-pull
- name: Unit ansible-pull.timer
command: check_nrpe!check_systemd_ansiblepull_timer
command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_systemd_unit ansible-pull.timer
hostgroup: ansible-pull
# nagios-checkpgsql
- name: PostgreSQL
command: check_nrpe!check_pgsql
command: "check_by_ssh!/usr/lib/nagios/plugins/check_pgsql -H localhost -l nagios -p {{ secret_postgresql_monitoring_password }} -w 2 -c 5"
hostgroup: nagios-checkpgsql
# nagios-nrpeswap
- name: Swap Usage
command: check_nrpe!check_swap
command: check_by_ssh!/usr/lib/nagios/plugins/check_swap -w 20% -c 10%
hostgroup: nagios-nrpeswap
register: config
tags: [ nagios, template ]
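Review bot: The PostgreSQL line `command: "check_by_ssh!/usr/lib/nagios/plugins/check_pgsql -H localhost -l nagios -p {{ secret_postgresql_monitoring_password }} -w 2 -c 5"` in the second hunk moves the monitoring password from the agent-side NRPE config onto the Nagios server: it is rendered into /data/nagios/etc/objects/ansible.cfg, which the template task in the first hunk writes with mode=0644, and it is handed to check_by_ssh as `-C "$ARG1$"`, so it appears in the process list on the Nagios host and again on the monitored host. Dropping `-p` and giving nagios-checker a ~/.pgpass on the monitored host (check_pgsql is built on libpq, which reads it) keeps the secret out of both argv and the world-readable config; failing that, tighten the template's mode to 0640. The Reboot Required line `command: check_by_ssh!/usr/local/bin/monitoring-scripts/check_reboot_required` also drops the `604800` argument that the removed NRPE definition passed to the same script, which looks unintended. The first hunk still defines a `check_nrpe` entry in nagios_commands even though the NRPE playbook is removed; if nothing references it any more it is dead configuration.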


@ -9,7 +9,7 @@
# Tags for fundamental services
- import_playbook: playbooks/tags_zerotier.yml
- import_playbook: playbooks/tags_snmp.yml
- import_playbook: playbooks/tags_nagios-nrpe.yml
- import_playbook: playbooks/tags_nagios.yml
# Device roles
- import_playbook: playbooks/device_roles_pik8s-storage.yml
- import_playbook: playbooks/device_roles_pik8s.yml