Added icinga2 and sql states and backups/restores

pillars/roles/aurpkgs/icinga.sls

@@ -0,0 +1,4 @@
+aurpkgs:
+  icinga2: []
+  icingaweb2: []
+  icingaweb2-module-director: []

pillars/roles/backup/icinga.sls

@@ -0,0 +1,12 @@
+backup:
+  icingaweb2:
+    location: /etc/icingaweb2/
+    rsync_user: backups
+    key: backups_key
+    host: host.actcur.com
+    user: http
+    group: icingaweb2
+    fmode: 660
+    dmode: 770
+    services:
+      - icinga2

pillars/roles/backup/mysql.sls

@@ -0,0 +1,10 @@
+backup:
+  mysql:
+    location: /dbdump/
+    rsync_user: backups
+    key: backups_key
+    host: host.actcur.com
+    user: root
+    group: root
+    fmode: 600
+    dmode: 700

pillars/roles/database/gogs.sls

@@ -0,0 +1,9 @@
+database:
+  users:
+    gogs:
+      host: git.actcur.com
+  databases:
+    gogs:
+      gogs:
+        host: git.actcur.com
+        grant: all privileges

pillars/roles/database/icinga.sls

@@ -0,0 +1,17 @@
+database:
+  users:
+    icinga:
+      host: icinga.actcur.com
+  databases:
+    icinga2_ido:
+      icinga:
+        host: icinga.actcur.com
+        grant: all privileges
+    icinga2_web:
+      icinga:
+        host: icinga.actcur.com
+        grant: all privileges
+    icinga2_director:
+      icinga:
+        host: icinga.actcur.com
+        grant: all privileges

pillars/roles/database/init.sls

@@ -0,0 +1,15 @@
+{% set states = salt['cp.list_states'](saltenv) %}
+include:
+  - roles.database.none
+{%- if grains['roles'] is defined -%}
+  {%- if grains['roles'] is not none -%}
+    {%- if 'mysql' in grains['roles'] -%}
+      {%- for state in states %}
+        {%- if state.startswith("pillars.roles.database.") -%}
+          {%- set role = state.split('.')[3] %}
+  - roles.database.{{ role }}
+        {%- endif -%}
+      {%- endfor -%}
+    {%- endif -%}
+  {%- endif -%}
+{%- endif -%}

pillars/roles/database/ttrss.sls

@@ -0,0 +1,9 @@
+database:
+  users:
+    ttrss:
+      host: tt.actcur.com
+  databases:
+    ttrss:
+      ttrss:
+        host: tt.actcur.com
+        grant: all privileges

pillars/roles/firewalld/mysql.sls

@@ -0,0 +1,4 @@
+firewalld:
+  70_internal:
+    port:
+      - 3306/tcp

pillars/roles/firewalld/vpnserver.sls

@@ -0,0 +1,7 @@
+firewalld:
+  99_public:
+    service:
+      - openvpn
+    port:
+      - 1194/udp
+    masquerade: true

pillars/roles/init.sls

@@ -7,3 +7,4 @@ include:
   - roles.git
   - roles.backup
   - roles.ca
+  - roles.database

pillars/roles/nginx/icinga.sls

@@ -0,0 +1,6 @@
+nginx:
+  icinga:
+    auth: blocked
+    https:
+      port: 8080
+      prot: http

pillars/servers/env/server/archicinga.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/env/server/archsql.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/env/server/archtest.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/env/server/debiantest.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/maintainer/server/archicinga.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/maintainer/server/archsql.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/maintainer/server/archtest.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/maintainer/server/debiantest.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/roles/server/archicinga.sls

@@ -0,0 +1,7 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion
+    - icinga
+    - nginx-proxy

pillars/servers/roles/server/archsql.sls

@@ -0,0 +1,6 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion
+    - mysql

pillars/servers/roles/server/archtest.sls

@@ -0,0 +1,6 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion
+    - mysql

pillars/servers/roles/server/debiantest.sls

@@ -0,0 +1,5 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion

states/basepkgs/init.sls

@@ -9,7 +9,10 @@ htop:
   pkg.installed
 git:
   pkg.installed
-
+net-tools:
+  pkg.installed
+bind-tools:
+  pkg.installed
 {% elif grains['os_family'] == 'Debian' %}
 nano:
   pkg.installed

states/roles/maintain/aurrepo/init.sls

@@ -24,7 +24,7 @@ git-aur_repo:
 
 build-aur_repo:
   cmd.run:
-    - name: "makepkg -si --noconfirm;git reset --hard"
+    - name: "makepkg -si --noconfirm;git reset --hard;git clean -f"
     - runas: build
     - cwd: /home/build/aur_repo
     - onchanges:
@@ -56,4 +56,3 @@ build-aur_repo:
 "updateaur.timer":
   service.running:
     - enable: true
-

states/roles/maintain/backup/backup.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=Daily Timer
+Description=Runs backup weekly
 
 [Timer]
 OnCalendar=weekly

states/roles/maintain/icinga/api-users.conf

@@ -0,0 +1,23 @@
+/**
+ * The APIUser objects are used for authentication against the API.
+ */
+object ApiUser "root" {
+  password = "{%- include 'secure/passwords/icingaapi_root_password.txt' -%}"
+  // client_cn = ""
+
+  permissions = [ "*" ]
+}
+
+object ApiUser "monitoring" {
+ password = "{%- include 'secure/passwords/icingaapi_monitoring_password.txt' -%}"
+ // client_cn = ""
+
+ permissions = [ "*" ]
+}
+
+object ApiUser "director" {
+ password = "{%- include 'secure/passwords/icingaapi_director_password.txt' -%}"
+ // client_cn = ""
+
+ permissions = [ "*" ]
+}

states/roles/maintain/icinga/ido-mysql.conf

@@ -0,0 +1,13 @@
+/**
+ * The db_ido_mysql library implements IDO functionality
+ * for MySQL.
+ */
+
+library "db_ido_mysql"
+
+object IdoMysqlConnection "ido-mysql" {
+  user = "icinga"
+  password = "{%- include 'secure/passwords/icinga_db_password.txt' -%}"
+  host = "sql.actcur.com"
+  database = "icinga2_ido"
+}

states/roles/maintain/icinga/init.sls

@@ -0,0 +1,72 @@
+
+icinga2:
+  pkg.installed
+icingaweb2:
+  pkg.installed
+icingaweb2-module-director:
+  pkg.installed
+icinga-php:
+  pkg.installed:
+    - name: php
+icinga-php-fpm:
+  pkg.installed:
+    - name: php-fpm
+  service.running:
+    - name: php-fpm
+    - enable: true
+    - watch:
+      - file: /etc/php/php.ini
+icinga-php-xsl:
+  pkg.installed:
+    - name: php-xsl
+icinga-mysql-client:
+  pkg.installed:
+    - name: mariadb-clients
+
+/etc/nginx/conf.d/icinga-local.conf:
+  file.managed:
+    - source: salt://roles/maintain/icinga/nginx.conf
+    - user: root
+    - group: root
+    - mode: 644
+/etc/php/php.ini:
+  file.managed:
+    - source: salt://roles/maintain/icinga/php.ini
+    - user: root
+    - group: root
+    - mode: 644
+/etc/icinga2/features-available/ido-mysql.conf:
+  file.managed:
+    - source: salt://roles/maintain/icinga/ido-mysql.conf
+    - user: icinga
+    - group: icinga
+    - mode: 644
+    - template: jinja
+/etc/icinga2/conf.d/api-users.conf:
+  file.managed:
+    - source: salt://roles/maintain/icinga/api-users.conf
+    - user: icinga
+    - group: icinga
+    - mode: 644
+    - template: jinja
+
+/etc/icinga2/features-enabled/ido-mysql.conf:
+  file.symlink:
+    - target: /etc/icinga2/features-available/ido-mysql.conf
+
+
+icinga2-service:
+  service.running:
+    - name: icinga2
+    - enable: true
+
+#databases:
+  #icinga2_ido
+  #icinga2_director
+  #icinga2_web
+
+#need to create icinga ido db and generate schema from /usr/share/icinga2-ido-mysql/schema/mysql.sql
+#backup /etc/icingaweb2 - this is generated during setup in the GUI if it doesn't exist
+
+#limit php open_basedir to icinga stuff - should be done for *all* php based web uis
+#will want ldap php module eventually

states/roles/maintain/icinga/nginx.conf

@@ -0,0 +1,44 @@
+server {
+  listen *:8080;
+  server_name icinga.actcur.com;
+
+  root /usr/share/webapps/icingaweb2/public; #Path of icinga2 web directory
+  index index.php;
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+  location = /favicon.ico {
+    log_not_found off;
+    access_log off;
+    expires max;
+  }
+
+  location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  location ~ \..*/.*\.php$ {
+    return 403;
+  }
+
+  if (!-d $request_filename) {
+    rewrite ^/(.+)/$ /$1 permanent;
+  }
+
+  location / {
+    try_files $1 $uri $uri/ /index.php$is_args$args;
+  }
+
+  location ~ ^/index\.php(.*)$ {
+    fastcgi_index index.php;
+    include /etc/nginx/fastcgi_params;
+    try_files $uri =404;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; #Replace with the port if php fpm is configured to run on port.
+    fastcgi_param SCRIPT_FILENAME /usr/share/webapps/icingaweb2/public/index.php; #Replace with icinga2 web index.php file path.
+    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+    fastcgi_param REMOTE_USER $remote_user;
+  }
+}

states/roles/maintain/mysql/dumpdb.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs dumpdb.sh
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/bin/bash /root/scripts/dumpdb.sh
+
+[Install]
+WantedBy=multi-user.target

states/roles/maintain/mysql/dumpdb.sh

@@ -0,0 +1,13 @@
+#! /bin/bash
+DUMP_DIR="/dbdump/"
+MYSQL_USER="dumpdb"
+MYSQL_PASSWORD="{%- include 'secure/passwords/dumpdb_password.txt' -%}"
+
+mkdir -p "$DUMP_DIR"
+
+databases=`mysql --user=$MYSQL_USER -p$MYSQL_PASSWORD -e "SHOW DATABASES;" | grep -Ev "(Database|information_schema|performance_schema)"`
+
+echo $databases
+for db in $databases; do
+  mysqldump --force --opt --user=$MYSQL_USER -p$MYSQL_PASSWORD --databases $db > "$DUMP_DIR/$db.sql"
+done

states/roles/maintain/mysql/dumpdb.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs dumbdb every 6 hours
+
+[Timer]
+OnCalendar=0/6:00:00
+AccuracySec=2h
+Unit=dumpdb.service
+
+[Install]
+WantedBy=multi-user.target

states/roles/maintain/mysql/init.sls

@@ -0,0 +1,144 @@
+{%- set os=grains['os'] -%}
+mysql-pkg:
+  pkg.installed:
+    - name: mariadb
+
+mysql-python:
+  pkg.installed: []
+
+initialize_mysql:
+  cmd.run:
+    - name: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
+    - unless: 'test -e /var/lib/mysql/mysql'
+
+mysql-service:
+  service.running:
+    - name: mysqld
+    - enable: true
+
+#This currently displays root password in output of salt-call upon failure, should probably create several mysql_query.run states instead
+set_root:
+  mysql_query.run:
+    - database: mysql
+    - query: "UPDATE mysql.user SET Password=PASSWORD('{%- include 'secure/passwords/root_db_password.txt' -%}') WHERE User='root';FLUSH PRIVILEGES;"
+    - onchanges:
+      - cmd: initialize_mysql
+
+secure_mysql:
+  mysql_query.run:
+    - database: mysql
+    - query: "DELETE FROM mysql.user WHERE User='';DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');DROP DATABASE IF EXISTS test;DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';FLUSH PRIVILEGES;"
+    - connection_user: root
+    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"
+
+#create salt db user
+user_salt:
+  mysql_user.present:
+    - name: salt
+    - host: "localhost"
+    - password: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+    - connection_user: root
+    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"
+
+grant_salt:
+  mysql_grants.present:
+    - grant: all privileges
+    - database: "*.*"
+    - user: salt
+    - host: "localhost"
+    - grant_option: true
+    - revoke_first: true
+    - connection_user: root
+    - connection_pass: "{%- include 'secure/passwords/root_db_password.txt' -%}"
+
+{##ensure that database pillar exists##}
+{%- if pillar['database'] is defined -%}
+  {%- if pillar['database']['users'] is defined -%}
+    {%- for user in pillar['database']['users'] %}
+user_{{user}}:
+  mysql_user.present:
+    - name: {{user}}
+      {%- if pillar['database']['users'][user]['host'] is defined %}
+    - host: "{{pillar['database']['users'][user]['host']}}"
+      {%- else %}
+    - host: "%"
+      {%- endif %}
+    - password: "{%- include 'secure/passwords/'+user+'_db_password.txt' -%}"
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+    {%- endfor %}
+  {%- endif %}
+
+  {% if pillar['database']['databases'] is defined -%}
+    {%- for db in pillar['database']['databases'] %}
+db_{{db}}:
+  mysql_database.present:
+    - name: {{db}}
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+      {%- for user in pillar['database']['databases'][db] %}
+{{db}}_grant_{{user}}:
+  mysql_grants.present:
+    - grant: {{pillar['database']['databases'][db][user]['grant']}}
+    - database: "{{db}}.*"
+    - user: {{user}}
+    - host: {{pillar['database']['databases'][db][user]['host']}}
+    - revoke_first: true
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+      {%- endfor %}
+    {%- endfor %}
+  {%- endif %}
+{%- endif %}
+
+#set up dbdumb
+user_dumpdb:
+  mysql_user.present:
+    - name: dumpdb
+    - host: "localhost"
+    - password: "{%- include 'secure/passwords/dumpdb_password.txt' -%}"
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+
+grant_dumpdb:
+  mysql_grants.present:
+    - grant: select, lock tables, show view, event, trigger
+    - database: "*.*"
+    - user: dumpdb
+    - host: "localhost"
+    - revoke_first: true
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+
+"/root/scripts/dumpdb.sh":
+  file.managed:
+    - source: salt://roles/maintain/mysql/dumpdb.sh
+    - user: root
+    - group: root
+    - mode: 600
+    - makedirs: true
+    - template: jinja
+
+/usr/lib/systemd/system/dumpdb.service:
+  file.managed:
+    - source: salt://roles/maintain/mysql/dumpdb.service
+    - user: root
+    - group: root
+    - mode: 644
+
+/usr/lib/systemd/system/dumpdb.timer:
+  file.managed:
+    - source: salt://roles/maintain/mysql/dumpdb.timer
+    - user: root
+    - group: root
+    - mode: 644
+
+dumpdb.timer:
+  service.running:
+    - enable: true
+
+dumpdb-reload:
+  module.run:
+    - name: service.systemctl_reload
+    - onchanges:
+      - file: /usr/lib/systemd/system/*

states/roles/maintain/mysql/restoredb.sls

@@ -0,0 +1,48 @@
+{##ensure that database pillar exists##}
+{%- if pillar['database'] is defined -%}
+  {% if pillar['database']['databases'] is defined -%}
+    {%- for db in pillar['database']['databases'] %}
+#destroy and create fresh db
+absent_{{db}}:
+  mysql_database.absent:
+    - name: {{db}}
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+present_{{db}}:
+  mysql_database.present:
+    - name: {{db}}
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+
+#create temp user w/ perms for db
+{%- set pass=range(0,999999999)|random -%}
+user_temp_{{db}}:
+  mysql_user.present:
+    - name: temp
+    - host: "localhost"
+    - password: "{{pass}}"
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+grant_temp_{{db}}:
+  mysql_grants.present:
+    - grant: all privileges
+    - database: "{{db}}.*"
+    - user: temp
+    - host: "localhost"
+    - revoke_first: true
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+#restore db
+restore_{{db}}:
+  cmd.run:
+    - name: "mysql -utemp -p{{pass}} < /dbdump/{{db}}.sql"
+#remove temp user
+rm_user_temp_{{db}}:
+  mysql_user.absent:
+    - name: temp
+    - host: "localhost"
+    - connection_user: salt
+    - connection_pass: "{%- include 'secure/passwords/salt_db_password.txt' -%}"
+    {%- endfor %}
+  {%- endif %}
+{%- endif %}