add new zabbix template so we can automatically add new checks

Render the template system wide, then apply.  This way, the
appdefinition.yml can contain everything that is required, and we don't
have to specify this anymore in the main config

ansible.cfg

@@ -2,9 +2,8 @@
 inventory=inventory
 retry_files_enabled = False
 remote_user = root
-ansible_managed = DO NOT MODIFY: this file is managed by ansible!
 deperaction_warnings = True
 display_skipped_hosts = True
 
-stdout_callback = yaml
+result_format=yaml
-stderr_callback = yaml
+

group_vars/all/applications.yml

@@ -15,11 +15,6 @@ ppm_apps:
   - on_server: ppm.pfoe.be
     user: nginx
     chicken_egg_appdefinition: ../nginx/
-    firewall_redirect:
-      - from: 8080
-        to: 80
-      - from: 8443
-        to: 443
     appconfig:
       appinfo:
         url: https://ppm.pfoe.be/ppm/nginx.git

group_vars/all/zabbix.yml

@@ -0,0 +1,2 @@
+zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"
+zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"

roles/baseline/files/zabbix-sudoers

@@ -0,0 +1 @@
+zabbix ALL=(ALL) NOPASSWD: /usr/sbin/smartctl

roles/baseline/handlers/main.yml

@@ -6,3 +6,8 @@
   ansible.builtin.systemd:
     name: ssh
     state: restarted
+
+- name: Restart zabbix-agent2
+  ansible.builtin.service:
+    name: zabbix-agent2
+    state: restarted

roles/baseline/tasks/main.yml

@@ -7,5 +7,8 @@
 - name: Manage root user
   ansible.builtin.import_tasks: rootuser.yml
 
+- name: Get zabbix agent installed
+  ansible.builtin.import_tasks: zabbix.yml
+
 - name: Ensure handlers have ran
   ansible.builtin.meta: flush_handlers

roles/baseline/tasks/zabbix.yml

@@ -0,0 +1,41 @@
+- name: Install zabbix related packages
+  ansible.builtin.apt:
+    pkg:
+      - zabbix-agent2
+      # To monitor our physical disks health, not needed for vm's.
+      - smartmontools
+
+- name: Zabbix firewall
+  ansible.builtin.template:
+    dest: /etc/firewall.d/zabbix
+    group: root
+    owner: root
+    mode: "0755"
+    src: zabbix-firewall.j2
+  notify: Restart firewall
+
+- name: Write psk file
+  ansible.builtin.copy:
+    content: "{{ zabbix_psk }}\n"
+    dest: /etc/zabbix/zabbix.psk
+    group: root
+    owner: root
+    mode: "0644"
+  notify: Restart zabbix-agent2
+
+- name: Zabbix agent config file
+  ansible.builtin.template:
+    dest: /etc/zabbix/zabbix_agent2.d/ansible.conf
+    group: root
+    owner: root
+    mode: "0644"
+    src: zabbix-agent.j2
+  notify: Restart zabbix-agent2
+
+- name: Zabbix sudoers file
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/zabbix
+    group: root
+    owner: root
+    mode: "0644"
+    src: zabbix-sudoers

roles/baseline/templates/firewall.j2

@@ -1,5 +1,5 @@
 #!/bin/bash
-# {{ ansible_managed }}
+# This file is managed by ansible, do not modify!
 
 # IPv4:
 iptables -F
@@ -75,4 +75,4 @@ ip6tables -A INPUT -j REJECT
 iptables -A FORWARD -j REJECT
 ip6tables -A FORWARD -j REJECT
 
-# {{ansible_managed}}
+# This file is managed by ansible, do not modify!

roles/baseline/templates/mosh.j2

@@ -1,5 +1,5 @@
 #!/bin/sh
-# {{ansible_managed}}
+# DO NOT MODIFY: this file is written by ansible
 # Firewall to allow mosh sessions
 
 ip6tables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT

roles/baseline/templates/zabbix-agent.j2

@@ -0,0 +1,10 @@
+Server={{ zabbix_server }}
+ServerActive=
+
+TLSConnect=psk
+TLSAccept=psk
+TLSPSKFile=/etc/zabbix/zabbix.psk
+TLSPSKIdentity={{ inventory_hostname }}
+
+
+UserParameter=smartctl.health[*],sudo /usr/sbin/smartctl -H /dev/$1 | grep 'overall-health' | awk '{print $NF}'

roles/baseline/templates/zabbix-firewall.j2

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Zabbix agent firewall
+
+iptables -A INPUT -p tcp -s {{ zabbix_server }} --dport 10050 -j ACCEPT

roles/ppm/files/ppmfirewall

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# PPM Firewall
+
+{% for app in otherapps -%}
+{%- if "firewall" in otherapps[app]["imports"] -%}
+{%- set oneapp = otherapps[app]["imports"]["firewall"] %}
+
+{% for redirect in oneapp.redirect %}
+# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
+iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+{% endfor %}
+{% for openport in oneapp.open %}
+# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
+iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+{% endfor %}

roles/ppm/files/ppmzabbixagent

@@ -0,0 +1,12 @@
+# Zabbix agent config for ppm
+
+{%- set ns = namespace() -%}
+{%- set ns.allchecks = [] -%}
+{%- for app in otherapps -%}
+{%- if "monitoring" in otherapps[app]["imports"] -%}
+{%- for check in otherapps[app]["imports"]["monitoring"]["checks"] %}
+{%- set ns.allchecks = ns.allchecks + [check | combine({'app':app})] -%}
+{% endfor -%}{%- endif -%}{%- endfor %}
+
+UserParameter=ppm.discover,/bin/echo '{{ ns.allchecks | tojson }}'
+UserParameter=ppm.app[*],/bin/bash -c 'echo $2 | nc -U {{ statedir }}/$1.monitoring'

roles/ppm/handlers/main.yml

@@ -1,3 +1,8 @@
 - name: Restart firewall
   ansible.builtin.command: /etc/network/if-pre-up.d/firewall
   changed_when: true
+
+- name: Restart zabbix-agent2
+  ansible.builtin.service:
+    name: zabbix-agent2
+    state: restarted

roles/ppm/tasks/firewall.yml

@@ -0,0 +1,13 @@
+- name: Configure firewall options
+  ansible.builtin.copy:
+    dest: /home/.ppmfirewalltemplate
+    group: root
+    owner: root
+    mode: "0755"
+    src: ppmfirewall
+
+- name: Render firewall
+  ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall ; chmod 755 /etc/firewall.d/ppmfirewall
+  register: firewall_render
+  changed_when: "'content did not change' not in firewall_render.stdout"
+  notify: Restart firewall

roles/ppm/tasks/main.yml

@@ -9,11 +9,8 @@
     label: "{{ ppm_app.user }}"
   when: ppm_app.on_server == inventory_hostname
 
-- name: Configure firewall options
+- name: Arrange firewall
-  ansible.builtin.template:
+  ansible.builtin.import_tasks: firewall.yml
-    dest: /etc/firewall.d/ppmfirewall
+
-    group: root
+- name: Arrange zabbix
-    owner: root
+  ansible.builtin.import_tasks: zabbix.yml
-    mode: "0755"
-    src: ppmfirewall.j2
-  notify: Restart firewall

roles/ppm/tasks/oneapp.yml

@@ -34,3 +34,25 @@
 - name: "Bootstrap the app definition ({{ ppm_app.user }})"
   ansible.builtin.include_tasks: copyappdef.yml
   when: ppm_app.chicken_egg_appdefinition is defined and not appdefinition.stat.exists
+
+- name: "Set up extra files for {{ ppm_app.user }}"
+  ansible.builtin.copy:
+    src: "{{ item.from }}"
+    dest: "{{ ppm_app_user.home }}/{{ item.to }}"
+    mode: "{{ item.mode | default('0644') }}"
+    owner: "{{ ppm_app_user.name }}"
+    group: "{{ ppm_app_user.group }}"
+  loop: "{{ ppm_app.extra_files | default([]) }}"
+
+- name: "Setup and run app ({{ ppm_app.user }})"
+  ansible.builtin.command: ppm setup --start
+  register: ppm_setupstart
+  changed_when: "'No changes have been made, everything was already ok' not in ppm_setupstart.stdout"
+  become: true
+  become_user: "{{ ppm_app.user }}"
+  environment:
+    XDG_RUNTIME_DIR: "/run/user/{{ ppm_app_user.uid }}"
+
+- name: Show ppm output
+  ansible.builtin.debug:
+    var: ppm_setupstart

roles/ppm/tasks/ppminstall.yml

@@ -19,6 +19,8 @@
       - python3-jsonschema
       # Git is required for checking out the app definitions
       - git
+      # Yeah we should use nftables, patches welcome. For now, we install iptables
+      - iptables
 
 - name: Create state directory
   ansible.builtin.file:

roles/ppm/tasks/zabbix.yml

@@ -0,0 +1,13 @@
+- name: Configure firewall options
+  ansible.builtin.copy:
+    dest: /home/.zabbixagenttemplate
+    group: root
+    owner: root
+    mode: "0755"
+    src: ppmzabbixagent
+
+- name: Render zabbix template
+  ansible.builtin.command: ppm template /home/.zabbixagenttemplate /etc/zabbix/zabbix_agent2.d/ppm.conf
+  register: zabbix_render
+  changed_when: "'content did not change' not in zabbix_render.stdout"
+  notify: Restart zabbix-agent2

roles/ppm/templates/ppmfirewall.j2

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# PPM Firewal, written by ansible
-
-{% for ppm_app in ppm_apps %}
-# Firewall for {{ ppm_app.user }}
-{% for redirect in ppm_app.firewall_redirect | default([]) %}
-# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-{% endfor %}
-{% for openport in ppm_app.firewall_openport | default([]) %}
-# Open port {{ openport.port }} ({{ openport.proto | default('tcp') }})
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
-
-{% endfor %}