Diffstat (limited to 'sitemodules')
-rw-r--r--sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py66
-rw-r--r--sitemodules/profiles/manifests/gitea.pp4
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp25
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp23
-rw-r--r--sitemodules/profiles/manifests/icinga2_satellite.pp11
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp2
-rw-r--r--sitemodules/roles/manifests/infra03.pp4
7 files changed, 105 insertions, 30 deletions
diff --git a/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py b/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py
new file mode 100644
index 0000000..9236c9a
--- /dev/null
+++ b/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+
+from apt import cache
+import argparse
+import nagiosplugin
+import logging
+
+_log = logging.getLogger("nagiosplugin")
+
+
+def get_running_kernel_version() -> str:
+ with open("/proc/version", "r") as proc_version:
+ return proc_version.read().split()[2]
+
+
+def get_installed_kernels() -> list[str]:
+ try:
+ pkg_cache = cache.FilteredCache()
+ pkg_cache.set_filter(cache.InstalledFilter())
+ pkg_cache.open()
+
+ return [
+ v
+ for v in [
+ k.name[len("linux-image-") :]
+ for k in pkg_cache
+ if k.name.startswith("linux-image")
+ ]
+ if "-" in v
+ ]
+ finally:
+ pkg_cache.close()
+
+
+class VersionsContext(nagiosplugin.ScalarContext):
+ def evaluate(self, metric, resource):
+ installed = get_installed_kernels()
+ latest = sorted(installed)[-1]
+ _log.info("current kernel version is %s", metric.value)
+ _log.info("installed kernel versions: %s", ",".join(installed))
+ _log.info("latest kernel version: %s", latest)
+
+ if latest == metric.value:
+ return self.result_cls(nagiosplugin.Ok)
+
+ return self.result_cls(nagiosplugin.Critical)
+
+
+class KernelVersion(nagiosplugin.Resource):
+ def probe(self):
+ current = get_running_kernel_version()
+ return [nagiosplugin.Metric("kernel version", current)]
+
+
+def main():
+ argp = argparse.ArgumentParser()
+ argp.add_argument(
+ "-v", "--verbose", action="count", default=0, help="verbose output"
+ )
+ args = argp.parse_args()
+ check = nagiosplugin.Check(KernelVersion(), VersionsContext("kernel version"))
+ check.main(args.verbose)
+
+
+if __name__ == "__main__":
+ main()
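Review bot: `latest = sorted(installed)[-1]` in `VersionsContext.evaluate` orders the version strings lexicographically, so `5.10.0-9-amd64` ranks above `5.10.0-18-amd64` (constructed example). A host still running the older kernel would then be reported Ok although a newer image is installed and waiting for a reboot. Since python3-apt is already a dependency, use Debian version ordering instead: `latest = max(installed, key=functools.cmp_to_key(apt_pkg.version_compare))`, with `import apt_pkg` and `import functools` added at the top. The same line raises IndexError when no `linux-image-*-*` package is installed. In `get_installed_kernels` the `finally` clause touches `pkg_cache` even when `cache.FilteredCache()` itself failed, so the constructor call belongs above the `try`.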
diff --git a/sitemodules/profiles/manifests/gitea.pp b/sitemodules/profiles/manifests/gitea.pp
index 0f9d9f6..9b91c0c 100644
--- a/sitemodules/profiles/manifests/gitea.pp
+++ b/sitemodules/profiles/manifests/gitea.pp
@@ -49,8 +49,8 @@ class profiles::gitea (
String $gitea_fqdn = 'code.cacert.org',
String $gitea_socket = '/run/gitea/gitea.sock',
) {
- $gitea_version = '1.16.9'
- $gitea_checksum = '821dd30afed9ae42b18e727174b078ea9118a6ccc5106d8246bebf8180fcbef3'
+ $gitea_version = '1.17.2'
+ $gitea_checksum = 'd0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57'
$gitea_url = "https://dl.gitea.io/gitea/${gitea_version}/gitea-${gitea_version}-linux-amd64"
$gitea_service = '/etc/systemd/system/gitea.service'
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index e0c204a..66c946f 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -19,7 +19,7 @@
# Copyright
# ---------
#
-# Copyright 2019-2021 Jan Dittberner
+# Copyright 2019-2022 Jan Dittberner
class profiles::icinga2_common (
) {
include profiles::icinga2_certificates
@@ -47,4 +47,27 @@ class profiles::icinga2_common (
ensure => latest,
}
}
+
+ file { ['/usr/local/lib/nagios', '/usr/local/lib/nagios/plugins']:
+ ensure => directory,
+ owner => 'root',
+ group => 'staff',
+ mode => '0755',
+ }
+
+ if Integer($facts['os']['release']['major']) >= 9 {
+ package { ['python3-nagiosplugin', 'python3-apt' ]:
+ ensure => present,
+ }
+ }
+
+ if $facts['virtual'] in ['physical', 'kvm'] {
+ file { '/usr/local/lib/nagios/plugins/check_kernel_status':
+ ensure => file,
+ owner => 'root',
+ group => 'staff',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/icinga2_external_commands/check_kernel_status.py',
+ }
+ }
}
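Review bot: The `check_kernel_status` file resource is gated only on `$facts['virtual']`, while the `python3-nagiosplugin` and `python3-apt` packages the script imports are installed only when the release major is >= 9, and nothing orders the two. A physical or kvm node on an older release gets a plugin that fails at import. The script's `-> list[str]` annotation also needs Python 3.9 or newer, which releases near the lower bound of that gate may not ship (to be confirmed against the fleet). Consider nesting the file resource inside the release check and adding `require => Package['python3-nagiosplugin', 'python3-apt'],`. A check that cannot start reports UNKNOWN rather than a pending kernel update, so the gap is easy to overlook.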
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index 6f83146..221a3cb 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -206,20 +206,6 @@ class profiles::icinga2_master (
notify => Exec['reload systemd configuration'],
}
- file { '/usr/local/lib/nagios':
- ensure => directory,
- owner => 'root',
- group => 'staff',
- mode => '0755',
- }
-
- file { '/usr/local/lib/nagios/plugins':
- ensure => directory,
- owner => 'root',
- group => 'staff',
- mode => '0755',
- }
-
file { '/usr/local/lib/nagios/plugins/check_puppetdb_nodes':
ensure => file,
owner => 'root',
@@ -228,7 +214,7 @@ class profiles::icinga2_master (
source => 'puppet:///modules/profiles/icinga2_master/check_puppetdb_nodes',
}
- package {['rsync', 'python3-nagiosplugin', 'python3-cryptography']:
+ package {['rsync', 'python3-cryptography']:
ensure => present,
}
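Review bot: Dropping `python3-nagiosplugin` from this package list leaves its installation to `profiles::icinga2_common`, where it is now wrapped in `if Integer($facts['os']['release']['major']) >= 9`. Whether this class includes `profiles::icinga2_common` is not visible in the hunk, and the `check_puppetdb_nodes` plugin deployed just above presumably still needs the module. A short comment here such as `# python3-nagiosplugin is installed by profiles::icinga2_common` would document the dependency. The same applies to the matching package hunk in icinga2_satellite.pp.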
@@ -307,6 +293,13 @@ class profiles::icinga2_master (
},
target => '/etc/icinga2/zones.d/global-templates/cacert_crl-command.conf',
}
+ ::icinga2::object::checkcommand { 'kernel_status':
+ ensure => present,
+ command => [
+ '/usr/local/lib/nagios/plugins/check_kernel_status',
+ ],
+ target => '/etc/icinga2/zones.d/global-templates/kernel-status-command.conf',
+ }
file { '/etc/icinga2/zones.d/global-templates/ssl_cert-cacert-command.conf':
ensure => file,
diff --git a/sitemodules/profiles/manifests/icinga2_satellite.pp b/sitemodules/profiles/manifests/icinga2_satellite.pp
index 2dea62b..5c6df6f 100644
--- a/sitemodules/profiles/manifests/icinga2_satellite.pp
+++ b/sitemodules/profiles/manifests/icinga2_satellite.pp
@@ -24,18 +24,11 @@
# Copyright
# ---------
#
-# Copyright 2021 Jan Dittberner
+# Copyright 2021-2022 Jan Dittberner
class profiles::icinga2_satellite {
include 'profiles::icinga2_common'
include 'profiles::icinga2_agent'
- file { ['/usr/local/lib/nagios', '/usr/local/lib/nagios/plugins']:
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- }
-
$cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
$cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
@@ -52,7 +45,7 @@ class profiles::icinga2_satellite {
],
}
- package {['rsync', 'python3-nagiosplugin', 'python3-cryptography']:
+ package {['rsync', 'python3-cryptography']:
ensure => present,
}
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index 935d44c..88edace 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -62,7 +62,7 @@ class profiles::x509cert_common (
file { "/etc/ssl/private/${name}.key.pem":
ensure => file,
owner => pick($cert_info['key_owner'], 'root'),
- group => pick($cert_info['key_group'], 'root'),
+ group => pick($cert_info['key_group'], 'ssl-cert'),
mode => pick($cert_info['key_mode'], '0640'),
content => $cert_info['private_key'],
}
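Review bot: The new fallback in `pick($cert_info['key_group'], 'ssl-cert')` makes every private key without an explicit `key_group` readable by all members of `ssl-cert` under the default `0640` mode, not only by the services that need that key. Nothing in the hunk ensures the `ssl-cert` group exists before the file is managed. If the rest of the class (outside the hunk) does not handle that, add `require => Package['ssl-cert'],` where the catalog declares that package, or manage the group explicitly. A comment on the line, e.g. `# default: members of ssl-cert (service accounts) may read the key`, would make the wider access explicit. Separately, unless `$cert_info['private_key']` is a Sensitive value, `show_diff => false,` on this resource keeps key material out of Puppet reports when the content changes.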
diff --git a/sitemodules/roles/manifests/infra03.pp b/sitemodules/roles/manifests/infra03.pp
index f1f6fe7..6ceb0d6 100644
--- a/sitemodules/roles/manifests/infra03.pp
+++ b/sitemodules/roles/manifests/infra03.pp
@@ -18,10 +18,10 @@
# Copyright
# ---------
#
-# Copyright 2021 Jan Dittberner
+# Copyright 2021-2022 Jan Dittberner
#
class roles::infra03 {
include profiles::base
include profiles::lxc_host
- #include profiles::icinga2_satellite
+ include profiles::icinga2_agent
}