summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2015-06-10 15:35:13 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-10 18:37:19 +0200
commitb408390ae9311b7d703ce57c25a78dce23c31b16 (patch)
treed9b1c795c0ef8b75dbaef709aa8622863d636942
parenta82e3759627a0612592d853796f2a1137f9189f5 (diff)
Configure munin nodes & master.
Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
-rw-r--r--all.yml1
-rw-r--r--certs/munin/antilop.fripost.org.pem32
-rw-r--r--certs/munin/benjamin.marxist.se.pem32
-rw-r--r--certs/munin/civett.friprogramvarusyndikatet.se.pem33
-rw-r--r--certs/munin/elefant.fripost.org.pem32
-rw-r--r--certs/munin/giraff.fripost.org.pem32
-rw-r--r--certs/munin/mistral.fripost.org.pem32
-rw-r--r--common.yml2
-rw-r--r--munin.yml8
-rw-r--r--production3
-rw-r--r--roles/IMAP/handlers/main.yml3
-rw-r--r--roles/IMAP/tasks/imap.yml26
-rw-r--r--roles/IMAP/tasks/mda.yml28
-rw-r--r--roles/MSA/handlers/main.yml3
-rw-r--r--roles/MSA/tasks/main.yml38
-rw-r--r--roles/MX/handlers/main.yml3
-rw-r--r--roles/MX/tasks/main.yml29
-rw-r--r--roles/amavis/handlers/main.yml3
-rw-r--r--roles/amavis/tasks/main.yml12
-rw-r--r--roles/common-SQL/handlers/main.yml3
-rw-r--r--roles/common-SQL/tasks/main.yml35
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/common-local2
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/dovecot_logins119
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/dovecot_stats_135
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/dovecot_who43
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/postfix_mailqueue_57
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/postfix_mailvolume262
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/postfix_sasl_63
-rwxr-xr-xroles/common/files/usr/local/share/munin/plugins/postfix_stats_113
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml9
-rw-r--r--roles/common/tasks/munin-node.yml207
-rw-r--r--roles/common/templates/etc/iptables/services.j27
-rw-r--r--roles/common/templates/etc/munin/munin-node.conf.j251
-rw-r--r--roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2137
-rw-r--r--roles/common/templates/etc/stunnel/munin-node.conf.j253
-rw-r--r--roles/lists/handlers/main.yml3
-rw-r--r--roles/lists/tasks/mail.yml28
-rw-r--r--roles/munin-master/files/etc/nginx/sites-available/munin31
-rw-r--r--roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service14
-rw-r--r--roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket11
-rw-r--r--roles/munin-master/files/lib/systemd/system/munin-cgi-html.service14
-rw-r--r--roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket11
-rw-r--r--roles/munin-master/handlers/main.yml24
-rw-r--r--roles/munin-master/tasks/main.yml136
-rw-r--r--roles/munin-master/templates/etc/munin/munin.conf.j2115
-rw-r--r--roles/munin-master/templates/etc/stunnel/munin-master.conf.j262
-rw-r--r--roles/out/handlers/main.yml3
-rw-r--r--roles/out/tasks/main.yml27
49 files changed, 1924 insertions, 6 deletions
diff --git a/all.yml b/all.yml
index 9bc36cb..da5e6bc 100644
--- a/all.yml
+++ b/all.yml
@@ -12,3 +12,4 @@
- include: git.yml
- include: wiki.yml
- include: bacula.yml
+- include: munin.yml
diff --git a/certs/munin/antilop.fripost.org.pem b/certs/munin/antilop.fripost.org.pem
new file mode 100644
index 0000000..d523dc4
--- /dev/null
+++ b/certs/munin/antilop.fripost.org.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmzCCA4OgAwIBAgIJALo1zxDUUlypMA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
+BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
+MBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMTQ4NTlaFw0y
+NTA2MDQyMTQ4NTlaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
+cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9y
+ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK8ZSjXPp/xqd0LQp3hN
+rH2fH3Ya7qDPpGehNB9iLt00Ctln6rQG9XBUMtDHApVbWjXSDLEzrmvsKr9HWKNy
+vieMcASJmtDiteyorGofyTN72/9AgRzn1Qnd1tOejWPGcuyk+pyhL8XX5CzZz7bB
+mFPMWlKlGNGbSC2zrwGJjXiql74u5dMhaI6UeGDh+zDHiu1n6VOtHBGC49noQQYI
+Opnsiy6DqKytRbxVIr+QPgP0GnJyq1c6HD90O0ygGkc0Mk/Lve/tqhg9x4SNszsj
+FOXfwUln3WWu669dOD1bMoOQDMOIsG7gfksWUkXaD5GeGtGtjJ+yAtX31XYqnYzD
+EeSZPfiB9lofPziHsjkQGCfhyXBrgadUMpmEjCQCLe6OcMVTASwYt3DAADhyOGhP
+CIEKoa6fe2fSppiApqwF5qJraP0QoNIcyjRumHgZCOZb1SO1Co7SoywW91QbGn5S
+pafEjzWBm0x7Tcwb3Ez5yS7a9n31m0sCSkgu02a4gNzttilss53J+Ey6sQR2I36m
+022YlNbP6VoBjsUoHJ5bBh8BnkHkrPqm6L1t3flS307Op15DGigfgz8aLcKM+kU7
+2/NFnhF+9uXS6RI8NT8Fx/SndMSHFkXiq/3icp+q+8tGKBpC9yhM2rZELqf00KI3
+1ZL1q+XJq0yUgr+0zBxpswmBAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
+aXBvc3Qub3JnghNhbnRpbG9wLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD
+VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBS+XRcfpHDEicAMDsev525N7Ny7JTANBgkq
+hkiG9w0BAQ0FAAOCAgEAO2rPII3Y+yBOOT3NR5SNLlyoVFmuTBwrfustlyytCgkY
+tB9RTgi3JJLIN40YoHsCXzVQTLn7kwSEx/NMCCZekJo4mzBQfM9CmhEO8mAPQXnp
+pyEQVc6PcUu3Wd6S5VDy6HpPPA+HWc0pVFEgVQoyR8Hk/U5dPNfRzUGLdJZJNUxf
+SAbQg8pdeQApVHAsBexY7E8YvVcHoBvkVa9lmI9JwbCWwTzWh+KapgzgnYJAt9lK
+GUAdAdvrFV0/YN2kcDKeCjqzcNi4U3MU7zh1CnSkoeLPYXfXPTNcsXKwsHx8OPqf
+CAasB2104NAVygk6Syd1Sejwxs0q8JKxu62yCplorW1r1W1F2HyrkkivdF1/ueLS
+aU2oIBmBaPFZPtyjE+bmjrM8RQhEkd7gD7wj2X2mi69dUWVfElNHGoPoQPvNqj5o
+iDfRfX2gyGSpeqNdHk0E+vjCmaH7WiWyk0VbLdyHwrGb1vMrg7/qg3OXBTCaTJaa
+9RG3uJ64wB9cVTuaDNZOLSpsDlfbCzXfPT3LyI3JMuqaFaBVwJ1DhJ6HFpPjB6wT
+F32MyabrN7+4Un/KB69wbJpjLweBZk19UbKZ70erzMECpTfx7CekaFCraQ61yo5L
+FXNvp+Hnf8oWb1mp/j4HbxC/RrxTk+FFFXN/WOb9CZuf6z2NjzoLfguKONO7YFE=
+-----END CERTIFICATE-----
diff --git a/certs/munin/benjamin.marxist.se.pem b/certs/munin/benjamin.marxist.se.pem
new file mode 100644
index 0000000..c8187b4
--- /dev/null
+++ b/certs/munin/benjamin.marxist.se.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmzCCA4OgAwIBAgIJAOEeSKT/8HACMA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
+BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
+MBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDcyMTI5MDBaFw0y
+NTA2MDQyMTI5MDBaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
+cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5z
+ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEylnjWaCkttJmUbO+j
+AirK17RcdSLo+AADCEfgfjjS7LgXI7LwWC7y8TB1N+mktOJQp2S8wQdJJovb08KX
+NTgIpBGqzn3eTKy2Tp27o/D4cWmdadb99rWbSJOZ5eXUcUtg25OpgZCXCEqOwpBC
+zH2wrzi5xmX10d4DfUsl6QV5vgCSWsoPTr/m6s01aARmZRfFq8OjR1R+E1NpTp0K
+O9v0dMrDtWsMwOoCXiHgcUYfZPTSwJvqoCWOSYFl6Hj25Ef2SNzVQWtoDliMfndN
+a+aLW7DAs2Y5jrC0V8+ar5AqBtFm1L10wLZeL6AXgmLYooH9VmHprqQXQqWsb8tc
+BVGCSdIemrNEtC1KVAljM3EwlnDm3ALEl1DbOlnvh2arM7uvWPQNEsEy/k3uvlI3
+4Q8c8jn7CO5ceTe/TgJA5ANJZ5SRz6cUqKX4aF79H/7Xbd2iDtTsEFNMABz23Fn8
+rW7DLdEyRbUV0upbleLXUB3gEaNm7gAeSKjOdv40snz1glCgMlw8zxcp+33aNxos
+cKkMauWs1WqPH9egEHj3AiPrLnMHHm0VFfWjEmdeAacNGZ3o66wOchmWuWh1R1ef
+Ab2LdCBlkKSRlZK+wu+/ZnJvadYM3oXKbYCsRYqcEgWiO52nJ/GRDV3xPbNnTu7J
+tRQLIASfRI7shTNofrAkXGELAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
+aXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQCMAAwDgYD
+VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQGvGSnh/caV1KzV8LlnmlXlOiaCzANBgkq
+hkiG9w0BAQ0FAAOCAgEABRcJzubuY1dh8YBfnkMbRK7Pao3jlb0+mLOJEdeWddu2
+KrrCUMMtRHeoNXeTCXwWkhXr6P8wkLuIlqt7U+f1nzyFVj1yyDye88GZopl/lAMr
+j380VEd/XE4xcWYq/9krKoEUdGEwduy3cDwsUwy4KZ287YutObVZkXszCuPGD7d3
+tbRQkJnHL2VvwBOrYrimzMx4L9dl6Vz/BR+sn+aIbx3PeO/R14/7DCFdnbmXzHjH
+mO57lrN5BrGZWqYiEonj77d7UBQuDmUlX7VOHrfcBh+2PUCtuPB+s2DOwPKyepo2
+UehZBSGEkhx6wT2NBrR1aEm3mfDmPzUBoK8VJpQsVUWWCD889zn/6tCoTGwoQ+n5
+gBGxk2DRXikYc4UMLJr7nDudzQI+/T0+ehrYno77EynRqNzaAY54gDiLEG07OAq2
+DWnM/Hf4QNG/ggLORJfCHcgpckaOs9HKxs23vGfrwCVTrIYmQ+IEZxicFkiemRfz
+zIGeITvFCv06ri0kYSI3v6mT7LJzidngd7otFIlxJPUU2j0UqMNOZ/WAhf3HXAGK
+uJw3a/amnxWJY30ZZ/zQmLa3CWC5oYZzypwlrrCZm0ccVNO8KZ1YVrjZ/AfSO9US
+hROIcXPzX9fr7IdBgQ44j7WQ7rm+k9JHsJs/C5gwnM5iYPJTz76Lm6yhBVlBkyQ=
+-----END CERTIFICATE-----
diff --git a/certs/munin/civett.friprogramvarusyndikatet.se.pem b/certs/munin/civett.friprogramvarusyndikatet.se.pem
new file mode 100644
index 0000000..c19e431
--- /dev/null
+++ b/certs/munin/civett.friprogramvarusyndikatet.se.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFyTCCA7GgAwIBAgIJAMiyPdV6HtyYMA0GCSqGSIb3DQEBDQUAMGIxEDAOBgNV
+BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEr
+MCkGA1UEAwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAeFw0x
+NTA2MDcyMjAxNDhaFw0yNTA2MDQyMjAxNDhaMGIxEDAOBgNVBAoMB0ZyaXBvc3Qx
+ETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjErMCkGA1UEAwwiY2l2
+ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTCCAiIwDQYJKoZIhvcNAQEB
+BQADggIPADCCAgoCggIBALCTTQEtoLENRnxuHzoRLqu7YQQZUvmPrHfOvSpkl1Lc
+mbmuHmnLcecTClT8Usyt/bUhkejnAU+QJYhPToaglwbsj12Qi15kl+WfiDv1GC09
+A/XsTbMvpNbHb23jc7YHrLKviHLbgOOzjpUKNjIR/IvMpjc3y2MB12RQ/YvjOqt1
+7RyL5rYR5c0FGTjEGkBd0diGZdTsbid6+0+NWqpQIDbvc1Cfmt8ppsGAY9jvxavq
+pzkOYaTr76nZM0L6hxYsEz7tcNGL2Ep9y01tReBBwfY1/Y67Vzo7l9sAz0Vo4Ar5
+iF9uRKyncG421Afq6IFUbOJYUHIWRYX7nfglQ5kWoXwjpIOBwDW8ObFBGJKHx0jW
+Br7rQ0G8UjyK9wg8CR+E26+hC4dhB5sUwwvv+1U/hXcC4DreAoTquOnATIY1e6cf
+d9optFmix5g3MV5d6I24zZrNGHeXRKHuwwt7vq+sxlWPYrSLogx3wm3VpullPvX4
+8Btpq1S++DUSpRiEZZAf7AmMaVQ5j4Obs2BCItT1IQBv71rPE3d76CezPsa/qWiL
+33VOkVXPZVSCP5heqrb1C5sXU6IHC0S6jdBWK/Qy7jS3cGmohoCY/980ymytQ23e
+J5wdzdebkAXKaxRBROZ8LCTQZRL9jlao/IWPMvDZMrsCfE9EtmHYb/oLxgRAGl5P
+AgMBAAGjgYEwfzBABgNVHREEOTA3gRFhZG1pbkBmcmlwb3N0Lm9yZ4IiY2l2ZXR0
+LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAMBgNVHRMBAf8EAjAAMA4GA1Ud
+DwEB/wQEAwICpDAdBgNVHQ4EFgQUVCK81aQ1dTq4CxwtM7ytG0WiUTYwDQYJKoZI
+hvcNAQENBQADggIBAK58LrTia7MisnwJWEvaH7gSO4M4BEu6fA+gBXUqkej6QWPe
+iENebekWTwdnA9yjxdOzgIdjzACFDeASHpyey4mvc91cwxNf5ivoCXG3ZuyTgMBL
+mzWnDbGxxybGUDU865eVWKpaoL0orDw3BldxZQfJ8HORAWXno7UKMwdPfhE8eQB4
+2SBYNKpmJDQZ5GiIgrDLrr0DwzsPnF5HEujAN1R8muD9yel1tVKGXA3qhg3NLhjB
+YGM12876KTn8qEm5bGBxYFJZrUnM+C7/feeyPHS48XmjopBmolcwzAzSgOPq4kiO
+keE5sdcOEocJQNO0Oh8dEXbjM9zIyf+xFBH8ov57g2Hr8XyavkRplGR/DNn2h6d/
+ZqszTYToM54zcWBSlg42SVBqMiJTkYSDLT4h8k649jLlmFzB/7DlEQMQrk4ayOKF
+y32A6+LGczcBxHB8Lc8fRiMzytcK5NncFbhJYgcdn88uZApUpWKFT5e6ZcIwyfKS
+cZNj6EKY3HcPDPt5yXNMH1fP/SkUeAfLq9JsEzGjGboxQmuG55ryeyP0i6ZZr4uA
+rEK+kT3i5CekZBgbRDNX0OZwU9JGlYKBR2UhH1uGTeqK/7Kn1pToUJbOCBWhT38A
+KNPGRDQlAIHBvtEBejrBNBgSVPkYhbegXRnP6xMrjSW3S+Z5SRUxUhizbBTc
+-----END CERTIFICATE-----
diff --git a/certs/munin/elefant.fripost.org.pem b/certs/munin/elefant.fripost.org.pem
new file mode 100644
index 0000000..52f00a6
--- /dev/null
+++ b/certs/munin/elefant.fripost.org.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmzCCA4OgAwIBAgIJAM/f4YZpd7G6MA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
+BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
+MBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMjA1MjJaFw0y
+NTA2MDQyMjA1MjJaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
+cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9y
+ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEbZntqTM32vQHJO182
+5UWfLRBBiOD/WySkSHd0Ugfxrvl2ZBw4cXv3gA6THYUwzKJ/wBR0huDcqVj7Ufz5
+18m7Kf4QCyjDlnOJ47lgizGhwk+GRxgz6xSnTJWt2cP7I57ec/x4YPjxEZL09O9N
+QBZ9alFQBeLYWR2OhhzhV+u45AIDeH4ZPUretGVGocv4H7qTW/NGlGJxolAA+lqk
+3Eg6HAziaNESOVXtmQLuRvd8bkyfksSIUXK0uTPgHRPIjDgUAGHrHmKADLivnew2
+yOt3PW6weNphQaixmMF5no3hjS7wqWD/+PVnmKmRhbp6Icek3+iMtaSDopYD060Z
+cL3vxm+Im2chaa8dYZ2qDt4ij0tTeRF9zEhYvnvuJA4tdP7VLJjQDb0N51SKG27i
+gwCQNQs9LwFyvyNckc7K4f5ztnffO+FwNlGJFzwVzmQ++oUL7DjlsxsmNlKZiHQ6
+/QE1j3VBZlh7XYCcHxxFJEB4Tq0Y+Jyrto8G73iHa+rJUnDuA6prqzqdPIGjHL7p
+onx+0SdbD37TqT/dvsMAbWnmivuQY4Y3jVZrZ1bTuOpUBU7K42ThBcioTT63sp+3
++d+gmxT57wPJyQDt94KecWcKt88qgZ93pKJZfO8SYkUR17cIdOqsu845G0QA973U
+rk0T8z3JLV6oJvlfpfI61NRrAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
+aXBvc3Qub3JnghNlbGVmYW50LmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD
+VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBTpY3697NTeGIyhSSvGXMrZK3pxLjANBgkq
+hkiG9w0BAQ0FAAOCAgEAK0FFduIr7GSD8j2NIwiCdQkIoPcgsq2ok+Ge50QwZXyY
+mMRqSygblXhxPt8lQKYkBYPYcp//VoGkGgyl7ALvA4SJIU1zk6PK7vsa7TRe7nCU
+oVCJHCqXSM0t+WH9Huai23T3uE9oTNQSHQSRbnIoTwiEjexXAtizKs0+ZSkQTUrV
+ZntsPgwZVM67cOkxvbbgtDtMRr40tFqWUWT6QIlu5bVLnCDwxX3jRFv6r+efCfTe
+fwZjJGPdXzRAUNNDG6gZCxpAGpRjYmNNwCAQVZmJ8NJnVPyH+GYE4Urb6Ce3q939
+pZZrlFHIplhqiEAL7AE2GBZdI3UoklMgG5P3PGkTLcerY5fSAfG3DcGNtWn7bZdM
+AuGdmf8lVpr/InFP/Ke8sUxc5sBDl9vwndEX57EW8QALyL+S5XMZKlWtJAY3v1+6
+vGuvAwuUsTn2QZyfhP5MK2URNP1FAxIBqEWkG4UVp1RupRBKThwAUeTAGyExMbBD
+2EDDgOZonrl8nbLsc4mXH7CFIakzm0dEnwaQVpNtzFSNMQ+uxQF07rlgwaOrDUu1
+qk3PZDMqDio00f12GpJbmxMUTXjKzVWx62fE+YJ+vc34kLzBluerQn96yT1+BvT0
+Zq/c1/esKLDaWDHKVmS0mgrRRTi2k08Hh7Cove6CcSlqiH0ljFe2goDhaJsXQYc=
+-----END CERTIFICATE-----
diff --git a/certs/munin/giraff.fripost.org.pem b/certs/munin/giraff.fripost.org.pem
new file mode 100644
index 0000000..c1aab21
--- /dev/null
+++ b/certs/munin/giraff.fripost.org.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmDCCA4CgAwIBAgIJANQpG6iifrkuMA0GCSqGSIb3DQEBDQUAMFIxEDAOBgNV
+BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEb
+MBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qub3JnMB4XDTE1MDYwNzIyMDgzNFoXDTI1
+MDYwNDIyMDgzNFowUjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2Vy
+dHMxDjAMBgNVBAsMBU11bmluMRswGQYDVQQDDBJnaXJhZmYuZnJpcG9zdC5vcmcw
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgu7/OtgeU7nQzt2qeFyGL
+46S9nR/jGCeLysL1ZbGFfOjr19D1bxjl+gLCLaIa77oY+1Ke8JoJQCe1DKTZxY0Z
+XLoOrOYQQLDN2dZJQ9NEtrR/qwGtxb13eAWra+aA/S1MXpOnB4aDTNCPwl5IA6BG
+1iuhgn/NgNjVaZjtlkCoRvwCC515UT1Us/1q2fk8jvVBQheZ5uwFr7M6RUTN+vFw
+MuQrqeDDGpJcyXQsXuWqjfYdcpR+GU53qsRY1zBfpCvsooxJU7HjzfGMV4dZoZg2
+N3gPVJ7u8u3rIGKaRQbKM5o8YWqECiTOxlEYpalUq8mNgBRAwo84Y5vnDnoTNdQF
+gY2dAOmbEsu2ywZ/DDt9yuGxtUOQyqG7PtzvAlbPf2/5m79KfzgYVK1rTfVxQRI+
+dbVbqaIYpAEWO5FeOOXyGcbX3xTkqUwskUsgWiR5RRifEuN76HUsKifwk6goRyhR
+gANO10aEX9484jt2HXPahrcyQ4LvSOV9TVRA6N27A1kGoX/zp6X0mGU/4B2Fo5KO
+lhcfOHP9tU+S9MSxTU90vGusrH/63tz4Q4LKK0QNtr8TdnhH4Q1x1a3UPyRcTauu
++DDQNQWbhWn18I1nSHbBRB8VUu6SOmHDVjITcddh85CzR3ugHHO91ykCgO1k1g3h
+68j5QT7jL09FSOZblxSRawIDAQABo3EwbzAwBgNVHREEKTAngRFhZG1pbkBmcmlw
+b3N0Lm9yZ4ISZ2lyYWZmLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYDVR0P
+AQH/BAQDAgKkMB0GA1UdDgQWBBT0vMjrt5EL+bQp3Wbp52qCVvsoJTANBgkqhkiG
+9w0BAQ0FAAOCAgEAMe6BM9wjqgY3KPuOacoEJZCA41+4QiU42DuYKhwYJAvLD2rs
+AutbZbR6rbBf6+3WqMIkCH09CBiD0TOnpm83VlPorg0ZBandxQdtdc+2Wt5RPA3E
+sgWsKoTXqbuwcyWub324Z3IhcEzjRnX+kL+d+a8m9jqVzWZhyZGJwbbX2UGGEA+e
+fRAg8fTc21jLqmj2Ea6L35IPFcH5ZPMLnwuqZQWAlIOU/aiyCz+skCti3L25Y02L
+yCFqiZ6PpG0hVAsBfQ210Vws1Sb1VqLaUBTXCL1WzfwcLbKCZhZ1o08wmOn3VGN5
+GTqKI8qhg1qmvqGnaECy55cb0oXhzYXcin6gO672MPSDOtnEbRg9tyPxcPVaU8QF
+qcVXCZjyuyLDr5BrSd4FC5abP4NXWNqheX2jIU0kuypNniOe8rJLNT/S88PnQHRW
+Bnyl+TvAlFS1ITKJQu4xc7A8whDd6/RxT8NMKKtGNxZxtfuefULNAsnvUdQpt6tO
+61DM13X1c5IPg121de6qjj+mkKRLAEaPGO8d+c6Zw7MNzZhZYJj+ttaSThJCJWzl
+qA8v4FpMDTnIjs/3S+gAvvNDjFk4hN2Daic+3STJPyScv5OC0u6/EIa/pRp0GcMP
+tGsTtFpfm6QICndQWPMrAz7Dab3VLfuPOvOE0g+n/kGX0IoIoirbKstgPlo=
+-----END CERTIFICATE-----
diff --git a/certs/munin/mistral.fripost.org.pem b/certs/munin/mistral.fripost.org.pem
new file mode 100644
index 0000000..a08af7a
--- /dev/null
+++ b/certs/munin/mistral.fripost.org.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmzCCA4OgAwIBAgIJALWXwKMVhp52MA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
+BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
+MBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMjEwNTRaFw0y
+NTA2MDQyMjEwNTRaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
+cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9y
+ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOf0+etigx5G6GHtRs4Q
+E3zhuEoMS6SL4hG+s7Y6hszDUDDNWqGylv7WfrmtzsjVhADLFtjzdaDhncDwWEKx
+rLBFm6PSDQLYwjmlDz0EckwkYuXxeRS5RO1jhFK+3h0LpJkXUaLDcmaXq7zWSIht
+ZA86vQlEWarmPhva6mv67SyzAkQRSM3pOjahEKy600MwMvccuiyAVbyKeI/hS1E3
+GUivOMOEUHl/h1O2GiX8QYJuAqaJmebMhfGMA3Orv6nM54Fmo1yQEI6pTckOet4K
+Sy8XZBeNcBfrXM2ImxbQo69eWSGzMINt5I1SNaixCyGo0jIfQK8yK7tV69lz9RSu
+1krsSfv+6wEUHdyi1UpA8eJTdakj9+TLZOss3ClLZOyGIRgRe8vZIibwRlL60Bun
+X2f18sTouBUp+OJ4dyd4HQmD1c1rNV/kSBvLV9YFXjJrwNXmdRh2cG3y3gXN/Prg
+jd28sRLh4tPtv4vOYZPQKjS+dj+rHiFDtN/b1z35Cz1Kw1dwvDz/AQqGoJAwzPUQ
+hvnHIl2sXX+lcSSEBtciUSu6aEDQlZ2UUcVBJUKzUKa1jLlVhYCVBpaQfdgW/f9B
+4XfnzV3jyfnplhqZV6ZVhA4Qf231mcVY1vR1oRKrG5UEi0KZy2oHayAp6DQYXT1L
+QQ0yHoNZCyG4BEbKypl3IOzxAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
+aXBvc3Qub3JnghNtaXN0cmFsLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD
+VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBRbW9iAccDKxxaWN8edaSuComhkdTANBgkq
+hkiG9w0BAQ0FAAOCAgEAX16xCNpR6msKvlNzPO4CZGB2+j6V5lj6CaSn5YNHB9fV
+Zi2qhHst16Ccnp4eHDwzgcMqz+GU31YAWK7t/4NykaCeOra3nG2BIEHoA09DjxIy
+qPJRePNaxfUk1H9ZRGqupjhthPT+h83oAhLwnqQ4vEO+J5H9FNt+1w29Znx7gwl6
+sRNQ2xJB0ko7KTrPNAiysWM7b48SOs83L/IOvT2g9/VQI3pPuGyLEIbYCYCKUO/+
+A92cCxFBoKoNZUtMoE3SKpccl1PO9/RtP80fC87rGg7rsaisy6jwUqDiN+00SEoR
+9ns92GB/8WxE5KwTufQcJ9RrmCU15Osk4qkgN1COV25bYnd4hrc8iZb52xkSRzvy
+BmJh3grm9nircacPK3Tw4EnKxXA+/0l5lW8n19fvGteph+JyXeKrMmMcCRKD+wau
+8oUFGTHymeJbHS4PXV1NcG8Rie3YPGu9EUkTJurrbRuVwWC/1s1RxHiMESYOlbPV
+J1J++bB21lva6thFNeJmBvf3rTI4qPfEnv6X2QMm8VUfBlmuTHb5W84qLegkKyqF
+iITAFz5KNntuyIIATeTe9iArtjzJav0irHNU29PTio6ljJLFg3pGPUR6hCEGohMT
+LNeTF6RczyxJhvZQcuzTxBeZRPC3e5lc1x9qdl9tnYqwwOSBCoNk0xIkcRjF2gM=
+-----END CERTIFICATE-----
diff --git a/common.yml b/common.yml
index 9593782..bd2f3db 100644
--- a/common.yml
+++ b/common.yml
@@ -34,7 +34,7 @@
- LDAP-provider
- name: Configure the Web servers
- hosts: webmail:wiki:lists:git
+ hosts: webmail:wiki:lists:git:munin-master
gather_facts: False
tags: nginx,www,web
roles:
diff --git a/munin.yml b/munin.yml
new file mode 100644
index 0000000..317bfea
--- /dev/null
+++ b/munin.yml
@@ -0,0 +1,8 @@
+---
+- name: Configure the Munin master
+ hosts: munin-master
+ tags:
+ - munin
+ - munin-master
+ roles:
+ - munin-master
diff --git a/production b/production
index 3f84154..f5f52dc 100644
--- a/production
+++ b/production
@@ -65,6 +65,9 @@ civett
[git:children]
wiki
+[munin-master:children]
+benjamin
+
[non-free:children]
elefant
diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml
index 46cf1fb..10a717d 100644
--- a/roles/IMAP/handlers/main.yml
+++ b/roles/IMAP/handlers/main.yml
@@ -26,3 +26,6 @@
mysql_db: name=spamassassin state=import
target=/tmp/spamassassin.sql
encoding=latin1 collation=latin1_unicode_ci
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index e7023e7..0c55535 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -142,3 +142,29 @@
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
+
+
+- name: Install 'dovecot_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/dovecot_stats_
+ dest=/etc/munin/plugins/dovecot_stats_fripost.org
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'dovecot_logins' and 'dovecot_who' Munin plugin
+ file: src=/usr/local/share/munin/plugins/{{ item }}
+ dest=/etc/munin/plugins/{{ item }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - dovecot_logins
+ - dovecot_who
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 04d2b54..ac4b733 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -49,3 +49,31 @@
- name: Start Postfix
service: name=postfix state=started
+
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_stats_
+ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - smtpd
+ - qmgr
+ - smtp
+ - lmtp
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/MSA/handlers/main.yml b/roles/MSA/handlers/main.yml
index 99a5db2..9edf610 100644
--- a/roles/MSA/handlers/main.yml
+++ b/roles/MSA/handlers/main.yml
@@ -1,3 +1,6 @@
---
- name: Reload Postfix
service: name=postfix state=reloaded
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index c7424d8..6b1551f 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -23,3 +23,41 @@
- name: Start Postfix
service: name=postfix state=started
+
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_stats_
+ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - smtpd
+ - qmgr
+ - smtp
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_sasl_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_sasl_
+ dest=/etc/munin/plugins/postfix_sasl_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/MX/handlers/main.yml b/roles/MX/handlers/main.yml
index 99a5db2..9edf610 100644
--- a/roles/MX/handlers/main.yml
+++ b/roles/MX/handlers/main.yml
@@ -1,3 +1,6 @@
---
- name: Reload Postfix
service: name=postfix state=reloaded
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 3c96fad..4302502 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -77,3 +77,32 @@
- name: Start Postfix
service: name=postfix state=started
+
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_stats_
+ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - postscreen
+ - smtpd
+ - qmgr
+ - smtp
+ - pipe
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/amavis/handlers/main.yml b/roles/amavis/handlers/main.yml
index ab974e6..62cc6fc 100644
--- a/roles/amavis/handlers/main.yml
+++ b/roles/amavis/handlers/main.yml
@@ -8,3 +8,6 @@
- name: Restart Amavis
service: name=amavis state=restarted
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/amavis/tasks/main.yml b/roles/amavis/tasks/main.yml
index a30772d..4009c05 100644
--- a/roles/amavis/tasks/main.yml
+++ b/roles/amavis/tasks/main.yml
@@ -71,3 +71,15 @@
- name: Start Amavis
service: name=amavis state=started
+
+
+- name: Install 'amavis' Munin plugin
+ file: src=/usr/share/munin/plugins/amavis
+ dest=/etc/munin/plugins/amavis
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/common-SQL/handlers/main.yml b/roles/common-SQL/handlers/main.yml
index 435c20e..d1d355f 100644
--- a/roles/common-SQL/handlers/main.yml
+++ b/roles/common-SQL/handlers/main.yml
@@ -1,3 +1,6 @@
---
- name: Restart MySQL
service: name=mysql state=restarted
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/common-SQL/tasks/main.yml b/roles/common-SQL/tasks/main.yml
index b5c6773..9541be8 100644
--- a/roles/common-SQL/tasks/main.yml
+++ b/roles/common-SQL/tasks/main.yml
@@ -10,6 +10,8 @@
- mysql-common
- mysql-server
- python-mysqldb
+ # for the 'mysql_' munin plugin
+ - libcache-cache-perl
- name: Copy MySQL's configuration
copy: src=etc/mysql/my.cnf
@@ -43,3 +45,36 @@
- name: Start MySQL
service: name=mysql state=started
+
+
+- name: Install 'mysql_' Munin wildcard plugin
+ file: src=/usr/share/munin/plugins/mysql_
+ dest=/etc/munin/plugins/mysql_{{ item }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ # sudo /usr/share/munin/plugins/mysql_ suggest
+ - bin_relay_log
+ - commands
+ - connections
+ - files_tables
+ - innodb_bpool
+ - innodb_bpool_act
+ - innodb_io
+ - innodb_log
+ - innodb_rows
+ - innodb_semaphores
+ - innodb_tnx
+ - myisam_indexes
+ - qcache
+ - qcache_mem
+ - select_types
+ - slow
+ - sorts
+ - table_locks
+ - tmp_tables
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local
index 887688a..67e9335 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local
@@ -31,3 +31,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z]+|<stdin>): Invoked with
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (sympa\((command|distribute)\)|wwsympa|archived|bounced|bulk|task_manager)\[[[:digit:]]+\]: (info|notice)\s
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: err .* main::check_action_parameters\(\) user not logged in$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: (flushing old values|rotating journals|started new journal /\S+$|removing old journal /\S+$)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: queue_thread_main: rrd_update_r \(([^)]+)\) failed with status -1. \(opening '\1': No such file or directory\)
diff --git a/roles/common/files/usr/local/share/munin/plugins/dovecot_logins b/roles/common/files/usr/local/share/munin/plugins/dovecot_logins
new file mode 100755
index 0000000..09b79d9
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/dovecot_logins
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+# Munin plugin for monitoring Dovecot logins and IMAP throughput.
+# Copyright © 2015 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+LOGFILE="/var/log/${logfile:-mail.log}"
+STATEFILE="$MUNIN_PLUGSTATE/${0##*/}.offset"
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+is_multigraph
+
+case "${1:-}" in
+ config) cat <<- EOF
+ multigraph dovecot_login_status
+ graph_title Dovecot login status
+ graph_vlabel logins per \${graph_period}
+ graph_args --base 1000 -l 0
+ graph_scale no
+ graph_period minute
+ graph_category dovecot
+ successful.label auth successful
+ successful.type DERIVE
+ successful.draw AREA
+ successful.min 0
+ failed.label auth failed
+ failed.type DERIVE
+ failed.draw STACK
+ failed.min 0
+ noauth.label no auth attempt
+ noauth.type DERIVE
+ noauth.draw STACK
+ noauth.min 0
+
+ multigraph dovecot_login_types
+ graph_title Dovecot login types
+ graph_vlabel logins per \${graph_period}
+ graph_args --base 1000 -l 0
+ graph_scale no
+ graph_period minute
+ graph_category dovecot
+ imap.label IMAP
+ imap.type DERIVE
+ imap.draw AREA
+ imap.min 0
+ pop3.label POP3
+ pop3.type DERIVE
+ pop3.draw STACK
+ pop3.min 0
+ managesieve.label managesieve
+ managesieve.type DERIVE
+ managesieve.draw STACK
+ managesieve.min 0
+
+ multigraph dovecot_imap_throughput
+ graph_title Dovecot IMAP throughput
+ graph_vlabel bytes per \${graph_period}
+ graph_args --base 1024 -l 0
+ graph_scale yes
+ graph_period minute
+ graph_category dovecot
+ read.label read
+ read.type DERIVE
+ read.min 0
+ written.label written
+ written.type DERIVE
+ written.min 0
+ EOF
+ exit 0
+ ;;
+esac
+
+if [ ! -f "$LOGFILE" ]; then
+ for field in successful failed noauth imap pop3 managesieve read written; do
+ echo $field.value U
+ done
+ exit 0;
+fi
+
+tmpfile="$(mktemp --tmpdir)"
+trap 'rm -f "$tmpfile"' EXIT
+
+logtail -f"$LOGFILE" -o"$STATEFILE" | sed -nr "s#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ##p" >"$tmpfile"
+
+sum() {
+ awk 'BEGIN{x=0} {x+=$0} END{print x}'
+}
+
+prefix="^(pop3|imap|managesieve)-login"
+echo multigraph dovecot_login_status
+echo successful.value $(grep -Ec "$prefix: Login: user=<[^>]+>,\s" "$tmpfile")
+echo failed.value $(sed -nr "s#$prefix: Aborted login \(auth failed, ([[:digit:]]+) attempts in [[:digit:]]+ secs\): user=<[^>]*>, .*#\2#p" "$tmpfile" | sum)
+echo noauth.value $(grep -Ec "$prefix: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>,\s" "$tmpfile")
+
+
+echo multigraph dovecot_login_types
+for type in imap pop3 managesieve; do
+ echo $type.value $(grep -Ec "^$type-login:\s" "$tmpfile")
+done
+
+
+regexp="^imap\([-_.@[:alnum:]]+\): .* in=([[:digit:]]+) out=([[:digit:]]+)$"
+echo multigraph dovecot_imap_throughput
+echo read.value $(sed -nr "s#$regexp#\1#p" "$tmpfile" | sum)
+echo written.value $(sed -nr "s#$regexp#\2#p" "$tmpfile" | sum)
diff --git a/roles/common/files/usr/local/share/munin/plugins/dovecot_stats_ b/roles/common/files/usr/local/share/munin/plugins/dovecot_stats_
new file mode 100755
index 0000000..7f0f51a
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/dovecot_stats_
@@ -0,0 +1,135 @@
+#!/bin/bash
+: <<=cut
+
+=head1 NAME
+
+dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server
+
+=head1 CONFIGURATION
+
+This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user:
+
+ doveadm who
+
+If you get a permission denied message, check the permissions on the socket mentioned in the error line.
+
+=head1 MAGIC MARKERS
+
+ #%# family=contrib
+ #%# capability=autoconf suggest
+
+=head1 AUTHOR
+
+Paul Saunders <darac+munin@darac.org.uk>
+
+=cut
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+is_multigraph
+
+if [[ "$1" == "autoconf" ]]; then
+ if [[ -x /usr/bin/doveadm ]]; then
+ echo yes
+ else
+ echo no
+ fi
+ exit 0
+fi
+
+if [[ "$1" == "suggest" ]]; then
+ doveadm stats dump domain|awk 'NR!=1 {print $1}'
+ exit 0
+fi
+
+domain=$(basename $0)
+domain=${domain#dovecot_stats_}
+
+if [[ -z $domain ]]; then
+ exit 1
+fi
+
+if [[ "$1" == "config" ]]; then
+ cat <<EOF
+multigraph dovecot_cpu_${domain//\./_}
+graph_title Dovecot CPU Usage for $domain
+graph_vlabel Seconds
+graph_category dovecot
+user_cpu.label User CPU
+user_cpu.type DERIVE
+user_cpu.min 0
+user_cpu.cdef user_cpu,1000000,/
+sys_cpu.label System CPU
+sys_cpu.type DERIVE
+sys_cpu.min 0
+sys_cpu.cdef sys_cpu,1000000,/
+
+multigraph dovecot_system_${domain//\./_}
+graph_title Dovecot System Usage for $domain
+graph_category dovecot
+min_faults.label Minor page faults
+min_faults.type DERIVE
+min_faults.min 0
+maj_faults.label Major page faults
+maj_faults.type DERIVE
+maj_faults.min 0
+vol_cs.label Voluntary context switches
+vol_cs.type DERIVE
+vol_cs.min 0
+invol_cs.label Involuntary context switches
+invol_cs.type DERIVE
+invol_cs.min 0
+read_count.label read() syscalls
+read_count.type DERIVE
+read_count.min 0
+write_count.label write() syscalls
+write_count.type DERIVE
+write_count.min 0
+
+multigraph dovecot_mail_${domain//\./_}
+graph_title Dovecot Mail Access for $domain
+graph_category dovecot
+num_logins.label Logins
+num_logins.type DERIVE
+num_logins.min 0
+num_cmds.label Commands
+num_cmds.type DERIVE
+num_cmds.min 0
+mail_lookup_path.label Path Lookups
+mail_lookup_path.type DERIVE
+mail_lookup_path.min 0
+mail_lookup_attr.label Attr lookups
+mail_lookup_attr.type DERIVE
+mail_lookup_attr.min 0
+mail_read_count.label Messages read
+mail_read_count.type DERIVE
+mail_read_count.min 0
+mail_cache_hits.label Cache hits
+mail_cache_hits.type DERIVE
+mail_cache_hits.min 0
+EOF
+ exit 0
+fi
+
+# Fetch data
+# Gawk script cadged from http://awk.info/?JanisP
+doveadm stats dump domain domain=$domain | gawk -F\\t -v cols="user_cpu sys_cpu min_faults maj_faults vol_cs invol_cs read_count write_count num_logins num_cmds mail_lookup_path mail_lookup_attr mail_read_count mail_cache_hits " -v domain=${domain//\./_} '
+ BEGIN {
+ n=split(cols,col," ")
+ for (i=1; i<=n; i++) s[col[i]]=i
+ }
+ NR==1 {
+ for (f=1;f<=NF; f++)
+ if ($f in s) c[s[$f]]=f
+ next
+ }
+ { for (f=1; f<=n; f++) {
+ if (col[f] == "user_cpu") printf ("\nmultigraph dovecot_cpu_%s\n", domain)
+ if (col[f] == "min_faults") printf ("\nmultigraph dovecot_system_%s\n", domain)
+ if (col[f] == "num_logins") printf ("\nmultigraph dovecot_mail_%s\n", domain)
+ if (col[f] == "user_cpu" || col[f] == "sys_cpu")
+ printf("%s.value %d\n",col[f],$c[f] * 1000000)
+ else
+ printf("%s.value %d\n",col[f],$c[f])
+ }
+ }
+'
diff --git a/roles/common/files/usr/local/share/munin/plugins/dovecot_who b/roles/common/files/usr/local/share/munin/plugins/dovecot_who
new file mode 100755
index 0000000..fe3c743
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/dovecot_who
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Munin plugin for monitoring Dovecot IMAP connections and unique users.
+# Copyright © 2015 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PATH=/usr/bin:/bin:/usr/sbin:/sbin
+set -u
+
+case "${1:-}" in
+ config) cat <<- EOF
+ graph_title Dovecot concurrent IMAP usage
+ graph_args --base 1000 -l 0
+ graph_scale no
+ graph_category dovecot
+ connections.label connections
+ connections.min 0
+ users.label unique users
+ users.min 0
+ EOF
+ exit 0
+ ;;
+esac
+
+tmpfile="$(mktemp --tmpdir)"
+trap 'rm -f "$tmpfile"' EXIT
+
+doveadm -f flow who -1 | sed -nr 's/^username=(\S+)\s+proto=imap\s.*/\1/p' >"$tmpfile"
+
+echo connections.value $(wc -l <"$tmpfile")
+echo users.value $(sort -u "$tmpfile" | wc -l)
diff --git a/roles/common/files/usr/local/share/munin/plugins/postfix_mailqueue_ b/roles/common/files/usr/local/share/munin/plugins/postfix_mailqueue_
new file mode 100755
index 0000000..31b6269
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/postfix_mailqueue_
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Munin plugin for monitoring the Postfix mail queue in multi-instance
+# systems. Symlink/rename to 'postfix_mailqueue_$SPOOLDIR'.
+# Copyright © 2015 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+name="${0##*/}"
+[ "${name#postfix_mailqueue_}" != "$name" ] && postfix="${name#postfix_mailqueue_}" || postfix=
+SPOOLDIR="/var/spool/${postfix:-postfix}"
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+
+case "${1:-}" in
+ config) cat <<- EOF
+ graph_title Postfix mailqueue ($([ -n "$postfix" -a "$postfix" != postfix ] && echo "'${postfix#postfix-}'" || echo default) instance)
+ graph_vlabel Mails in queue
+ graph_args --base 1000 -l 0
+ graph_scale no
+ graph_category postfix
+ graph_total Total
+ active.label active
+ deferred.label deferred
+ maildrop.label maildrop
+ incoming.label incoming
+ corrupt.label corrupt
+ hold.label held
+ EOF
+ for field in active deferred maildrop incoming corrupt hold; do
+ print_warning "$field"
+ print_critical "$field"
+ done
+ exit 0
+ ;;
+esac
+
+for field in active deferred maildrop incoming corrupt hold; do
+ if [ -d "$SPOOLDIR/$field" ]; then
+ echo $field.value $(find "$SPOOLDIR/$field" -type f | wc -l)
+ else
+ echo $field.value U
+ fi
+done
diff --git a/roles/common/files/usr/local/share/munin/plugins/postfix_mailvolume2 b/roles/common/files/usr/local/share/munin/plugins/postfix_mailvolume2
new file mode 100755
index 0000000..d16d88e
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/postfix_mailvolume2
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Munin plugin for monitoring Postfix per-instance mail throughput.
+# Copyright © 2015 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PATH=/usr/bin:/bin:/usr/sbin:/sbin
+set -u
+
+LOGFILE="/var/log/${logfile:-mail.log}"
+STATEFILE="$MUNIN_PLUGSTATE/${0##*/}.offset"
+
+case "${1:-}" in
+ config) cat <<- EOF
+ graph_title Postfix per-instance bytes throughput
+ graph_vlabel bytes per \${graph_period}
+ graph_args --base 1024 -l 0
+ graph_scale yes
+ graph_period minute
+ graph_category postfix
+ EOF
+ if [ $(echo "${postmulti:-postfix}" | wc -w) -gt 1 ]; then
+ echo graph_total total throughput
+ fi
+ for postfix in ${postmulti:-postfix}; do
+ echo "${postfix}_volume.label" "$postfix throughput"
+ echo "${postfix}_volume.type" DERIVE
+ echo "${postfix}_volume.min" 0
+ done
+ exit 0
+ ;;
+esac
+
+if [ ! -f "$LOGFILE" ]; then
+ for postfix in ${postmulti:-postfix}; do
+ echo "${postfix}_volume.value U"
+ done
+ exit 0;
+fi
+
+tmpfile="$(mktemp --tmpdir)"
+trap 'rm -f "$tmpfile"' EXIT
+
+logtail -f"$LOGFILE" -o"$STATEFILE" >"$tmpfile"
+
+for postfix in ${postmulti:-postfix}; do
+ echo -n "${postfix}_volume.value "
+ sed -nr "s#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ $postfix/qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: from=<[^>]*>, size=([[:digit:]]+), nrcpt=[[:digit:]]+ \(queue active\)\$#\1#p" "$tmpfile" \
+ | awk 'BEGIN{x=0} {x+=$0} END{print x}'
+done
diff --git a/roles/common/files/usr/local/share/munin/plugins/postfix_sasl_ b/roles/common/files/usr/local/share/munin/plugins/postfix_sasl_
new file mode 100755
index 0000000..8dc1219
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/postfix_sasl_
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Munin plugin for monitoring Postfix SASL logins. Symlink/rename to
+# 'postfix_sasl_$SYSLOGNAME'.
+# Copyright © 2015 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PATH=/usr/bin:/bin:/usr/sbin:/sbin
+set -u
+
+LOGFILE="/var/log/${logfile:-mail.log}"
+STATEFILE="$MUNIN_PLUGSTATE/${0##*/}.offset"
+
+name="${0##*/}"
+[ "${name#postfix_sasl_}" != "$name" ] && postfix="${name#postfix_sasl_}" || postfix=
+
+case "${1:-}" in
+ config) cat <<- EOF
+ graph_title Postfix SASL ($([ -n "$postfix" -a "$postfix" != postfix ] && echo "'${postfix#postfix-}'" || echo default) instance)
+ graph_vlabel logins per \${graph_period}
+ graph_args --base 1000 -l 0
+ graph_scale no
+ graph_period minute
+ graph_category postfix
+ successful.label successful
+ successful.type DERIVE
+ successful.draw AREA
+ successful.min 0
+ failed.label failed
+ failed.type DERIVE
+ failed.draw STACK
+ failed.min 0
+ EOF
+ exit 0
+ ;;
+esac
+
+if [ ! -f "$LOGFILE" ]; then
+ for postfix in ${postmulti:-postfix}; do
+ echo "${postfix}_volume.value U"
+ done
+ exit 0;
+fi
+
+tmpfile="$(mktemp --tmpdir)"
+trap 'rm -f "$tmpfile"' EXIT
+
+logtail -f"$LOGFILE" -o"$STATEFILE" | sed -nr "s#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ $postfix/smtpd\[[[:digit:]]+\]: ##p" >"$tmpfile"
+
+echo successful.value $(grep -Ec "^warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL \S+ authentication failed(:.*)?$" "$tmpfile")
+echo failed.value $(grep -Ec "^[[:xdigit:]]{10}: client=\S+, sasl_method=\S+, sasl_username=" "$tmpfile")
diff --git a/roles/common/files/usr/local/share/munin/plugins/postfix_stats_ b/roles/common/files/usr/local/share/munin/plugins/postfix_stats_
new file mode 100755
index 0000000..5678870
--- /dev/null
+++ b/roles/common/files/usr/local/share/munin/plugins/postfix_stats_
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Munin plugin for monitoring Postfix per-service and per-instance
+# usage. Symlink/rename to 'postfix_sasl_$SERVICE_$SYSLOGNAME'.
+# Copyright © 2015 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PATH=/usr/bin:/bin:/usr/sbin:/sbin
+set -u
+
+LOGFILE="/var/log/${logfile:-mail.log}"
+STATEFILE="$MUNIN_PLUGSTATE/${0##*/}.offset"
+
+name="${0##*/}"
+name="${name#postfix_stats_}"
+
+if [ "${name#postscreen_}" != "$name" ]; then
+ postfix="${name#postscreen_}"
+ service=postscreen
+ fields='connected accepted passed'
+elif [ "${name#smtpd_}" != "$name" ]; then
+ postfix="${name#smtpd_}"
+ service=smtpd
+ fields='connected accepted queued'
+elif [ "${name#qmgr_}" != "$name" ]; then
+ postfix="${name#qmgr_}"
+ service=qmgr
+ fields='queued'
+elif [ "${name#smtp_}" != "$name" ]; then
+ postfix="${name#smtp_}"
+ service=smtp
+ fields='sent deliverable deferred undeliverable bounced'
+elif [ "${name#lmtp_}" != "$name" ]; then
+ postfix="${name#lmtp_}"
+ service=lmtp
+ fields='sent deliverable deferred undeliverable bounced'
+elif [ "${name#pipe_}" != "$name" ]; then
+ postfix="${name#pipe_}"
+ service=pipe
+ fields='sent deliverable deferred undeliverable bounced'
+fi
+
+case "${1:-}" in
+ config) cat <<- EOF
+ graph_title Postfix $service message throughput ($([ -n "$postfix" -a "$postfix" != postfix ] && echo "'${postfix#postfix-}'" || echo default) instance)
+ graph_vlabel mails per \${graph_period}
+ graph_args --base 1000 -l 0
+ graph_scale no
+ graph_period minute
+ graph_category postfix
+ EOF
+ for field in $fields; do
+ echo "$field.label $field"
+ echo "$field.type DERIVE"
+ echo "$field.draw AREA"
+ echo "$field.min 0"
+ done
+ exit 0
+ ;;
+esac
+
+if [ ! -f "$LOGFILE" ]; then
+ for field in $fields; do
+ echo "$field.value U"
+ done
+ exit 0;
+fi
+
+tmpfile="$(mktemp --tmpdir)"
+trap 'rm -f "$tmpfile"' EXIT
+
+logtail -f"$LOGFILE" -o"$STATEFILE" | sed -nr "s#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ $postfix/$service\[[[:digit:]]+\]: ##p" >"$tmpfile"
+
+case "$service" in
+ postscreen)
+ connected=$(grep -Ec "^CONNECT from\s" "$tmpfile")
+ rejected=$( grep -Ec "^NOQUEUE: reject:\s" "$tmpfile")
+ passed=$( grep -Ec "^(PASS (OLD|NEW)|WHITELISTED)\s" "$tmpfile")
+ echo connected.value $connected
+ echo accepted.value $(($rejected + $passed))
+ echo passed.value $passed
+ ;;
+ smtpd)
+ connected=$(grep -Ec "^connect from\s" "$tmpfile")
+ rejected=$( grep -Ec "^NOQUEUE: reject:\s" "$tmpfile")
+ queued=$( grep -Ec "^[[:xdigit:]]+: client=" "$tmpfile")
+ echo connected.value $connected
+ echo accepted.value $(($rejected + $queued))
+ echo queued.value $queued
+ ;;
+ qmgr)
+ queued=$(grep -Ec "^[[:xdigit:]]+: from=<\S+>, .*\(queue active\)$" "$tmpfile")
+ echo queued.value $queued
+ ;;
+ smtp|lmtp|pipe)
+ for field in $fields; do
+ v=$(grep -Ec "^[[:xdigit:]]+:( [^ =]+=\S+,)+ status=$field(\s.*)?$" "$tmpfile")
+ echo $field.value $v
+ done
+ ;;
+esac
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index b7ecaab..3dbbf90 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -46,3 +46,6 @@
- name: Update certificate
command: update-ca-certificates
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 477bd34..df609d3 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -27,10 +27,11 @@
- name: Generate DH parameters
command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
tags: genkey
-- include: logging.yml tags=logging
-- include: ntp.yml tags=ntp
-- include: mail.yml tags=mail,postfix
-- include: bacula.yml tags=bacula-fd,bacula
+- include: logging.yml tags=logging
+- include: ntp.yml tags=ntp
+- include: mail.yml tags=mail,postfix
+- include: bacula.yml tags=bacula-fd,bacula
+- include: munin-node.yml tags=munin-node,munin
- name: Install common packages
apt: pkg={{ item }}
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
new file mode 100644
index 0000000..9e5d8f4
--- /dev/null
+++ b/roles/common/tasks/munin-node.yml
@@ -0,0 +1,207 @@
+- name: Install munin-node
+ apt: pkg={{ item }}
+ with_items:
+ - munin-node
+ - munin-plugins-extra
+ ###
+ - acpi
+ - lm-sensors
+ - ethtool
+ - hdparm
+ - libwww-perl
+ - libxml-simple-perl
+ - logtail
+
+- name: Create directory /usr/local/share/munin/plugins
+ file: path=/usr/local/share/munin/plugins
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy our own Munin plugins
+ copy: src={{ item }}
+ dest=/usr/local/share/munin/plugins/
+ owner=root group=root
+ mode=0755
+ with_fileglob:
+ - usr/local/share/munin/plugins/*
+
+- name: Configure munin-node
+ template: src=etc/munin/{{ item }}.j2
+ dest=/etc/munin/{{ item }}
+ owner=root group=root
+ mode=0644
+ register: r1
+ with_items:
+ - munin-node.conf
+ - plugin-conf.d/munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install Munin plugins
+ file: src=/usr/share/munin/plugins/{{ item }}
+ dest=/etc/munin/plugins/{{ item }}
+ owner=root group=root
+ state=link force=yes
+ register: r2
+ with_items:
+ - cpu
+ - df
+ - df_inode
+ - diskstats
+ - entropy
+ - fail2ban
+ - forks
+ - fw_conntrack
+ - fw_forwarded_local
+ - fw_packets
+ - hddtemp_smartctl
+ - interrupts
+ - irqstats
+ - load
+ - memory
+ - netstat
+ - ntp_kernel_err
+ - ntp_kernel_pll_freq
+ - ntp_kernel_pll_off
+ - ntp_offset
+ - open_files
+ - open_inodes
+ - processes
+ - proc_pri
+ - swap
+ - threads
+ - uptime
+ - users
+ - vmstat
+ notify:
+ - Restart munin-node
+
+- name: Delete Munin plugins
+ file: path=/etc/munin/plugins/{{ item }}
+ state=absent
+ register: r3
+ with_items:
+ - http_loadtime
+ - ip_255.255.255.255
+ - postfix_mailqueue
+ - postfix_mailvolume
+ notify:
+ - Restart munin-node
+
+- name: Install 'if_' Munin wildcard plugin
+ file: src=/usr/share/munin/plugins/{{ item.0 }}_
+ dest=/etc/munin/plugins/{{ item.0 }}_{{ item.1 }}
+ owner=root group=root
+ state=link force=yes
+ register: r4
+ with_nested:
+ - [ if, if_err ]
+ - [ lo, "{{ ansible_default_ipv4.interface }}" ]
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_mailvolume2' Munin plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailvolume2
+ dest=/etc/munin/plugins/postfix_mailvolume2
+ owner=root group=root
+ state=link force=yes
+ register: r5
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+ dest=/etc/munin/plugins/postfix_mailqueue_postfix
+ owner=root group=root
+ state=link force=yes
+ register: r6
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_stats_
+ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix
+ owner=root group=root
+ state=link force=yes
+ register: r7
+ with_items:
+ - smtpd
+ - qmgr
+ - smtp
+ notify:
+ - Restart munin-node
+
+- name: Start munin-node
+ service: name=munin-node state=started
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
+
+- meta: flush_handlers
+
+
+
+- name: Install stunnel
+ apt: pkg=stunnel4
+
+- name: Auto-enable stunnel
+ lineinfile: dest=/etc/default/stunnel4
+ regexp='^(\s*#)?\s*ENABLED='
+ line='ENABLED=1'
+ owner=root group=root
+ mode=0644
+
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Generate a private key and a X.509 certificate for munin-node
+ command: genkeypair.sh x509
+ --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
+ --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
+ --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
+ -t rsa -b 4096 -h sha512
+ register: r1
+ changed_when: r1.rc == 0
+ failed_when: r1.rc > 1
+ notify:
+ - Restart stunnel
+ tags:
+ - genkey
+
+- name: Fetch Munin X.509 certificate
+ # Ensure we don't fetch private data
+ sudo: False
+ fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
+ dest=certs/munin/{{ inventory_hostname }}.pem
+ fail_on_missing=yes
+ flat=yes
+ tags:
+ - genkey
+
+- name: Copy munin-master X.509 certificates
+ assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
+ dest=/etc/stunnel/certs/munin-master.pem
+ owner=root group=root
+ mode=0644
+ register: r2
+ when: "'munin-master' not in group_names"
+ notify:
+ - Restart stunnel
+
+- name: Configure stunnel
+ template: src=etc/stunnel/munin-node.conf.j2
+ dest=/etc/stunnel/munin-node.conf
+ owner=root group=root
+ mode=0644
+ register: r3
+ when: "'munin-master' not in group_names"
+ notify:
+ - Restart stunnel
+
+- name: Start stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+ when: not (r1.changed or r2.changed or r3.changed)
+
+- meta: flush_handlers
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index a0bb714..8792771 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -69,7 +69,12 @@ in tcp 9103 # BACULA-SD
{% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
out tcp 9103 # BACULA-SD
{% endif %}
-
+{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %}
+out tcp 4949 # MUNIN
+{% endif %}
+{% if groups['munin-master'] | difference([inventory_hostname]) %}
+in tcp 4949 # MUNIN
+{% endif %}
{% if 'LDAP-provider' in group_names %}
out tcp 11371 # HKP
out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
new file mode 100644
index 0000000..de4098a
--- /dev/null
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -0,0 +1,51 @@
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /var/run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# This is the timeout for the whole transaction.
+# Units are in sec. Default is 15 min
+#
+# global_timeout 900
+
+# This is the timeout for each plugin.
+# Units are in sec. Default is 1 min
+#
+# timeout 60
+
+# Regexps for files to ignore
+ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+host_name {{ inventory_hostname_short }}
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed. You
+# may repeat the allow line as many times as you'd like
+
+allow ^127\.0\.0\.1$
+allow ^::1$
+
+# Which address to bind to;
+host 127.0.0.1
+
+# And which port
+port 4994
diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
new file mode 100644
index 0000000..fa05327
--- /dev/null
+++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
@@ -0,0 +1,137 @@
+# This file is used to configure how the plugins are invoked.
+# Place in /etc/munin/plugin-conf.d/ or corresponding directory.
+#
+# PLEASE NOTE: Changes in the plugin-conf.d directory are only
+# read at munin-node startup, so restart at any changes.
+#
+# user <user> # Set the user to run the plugin as.
+# group <group> # Set the group to run the plugin as.
+# command <command> # Run <command> instead of the plugin. %c expands to
+# what would normally be run.
+# env.<variable> <value> # Sets <variable> in the plugin's environment, see the
+# individual plugins to find out which variables they
+# care about.
+
+
+[amavis]
+group adm
+env.MUNIN_MKTEMP /bin/mktemp -p /tmp/ $1
+env.amavislog /var/log/mail.info
+
+[apt]
+user root
+
+[courier_mta_mailqueue]
+group daemon
+
+[courier_mta_mailstats]
+group adm
+
+[courier_mta_mailvolume]
+group adm
+
+[cps*]
+user root
+
+[df*]
+env.warning 92
+env.critical 98
+
+[exim_mailqueue]
+group adm, (Debian-exim)
+
+[exim_mailstats]
+group adm, (Debian-exim)
+env.logdir /var/log/exim4/
+env.logname mainlog
+
+[fw_conntrack]
+user root
+
+[fw_forwarded_local]
+user root
+
+[hddtemp_smartctl]
+user root
+
+[hddtemp2]
+user root
+
+[if_*]
+user root
+
+[if_err_*]
+user nobody
+
+[ip_*]
+user root
+
+[ipmi_*]
+user root
+
+[mysql*]
+user root
+env.mysqlopts --defaults-file=/etc/mysql/debian.cnf
+env.mysqluser debian-sys-maint
+env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/etc/mysql/debian.cnf
+
+[postfix_mailqueue_*]
+user postfix
+
+[postfix_stats_*]
+group adm
+
+[postfix_sasl_*]
+group adm
+
+[postfix_mailvolume2]
+group adm
+env.postmulti postfix{% for g in postfix_instance.keys() | sort %}{% if g in group_names %} postfix-{{ postfix_instance[g].name }}{% endif %}{% endfor %}
+
+
+[dovecot_logins]
+group adm
+
+[dovecot_stats_*]
+user root
+
+[dovecot_who]
+user root
+
+[sendmail_*]
+user smmta
+
+[smart_*]
+user root
+
+[vlan*]
+user root
+
+[ejabberd*]
+user ejabberd
+env.statuses available away chat xa
+env.days 1 7 30
+
+[dhcpd3]
+user root
+env.leasefile /var/lib/dhcp3/dhcpd.leases
+env.configfile /etc/dhcp3/dhcpd.conf
+
+[jmx_*]
+env.ip 127.0.0.1
+env.port 5400
+
+[samba]
+user root
+
+[munin_stats]
+user munin
+group munin
+
+[postgres_*]
+user postgres
+env.PGUSER postgres
+env.PGPORT 5432
+
+[fail2ban]
+user root
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2
new file mode 100644
index 0000000..de6c156
--- /dev/null
+++ b/roles/common/templates/etc/stunnel/munin-node.conf.j2
@@ -0,0 +1,53 @@
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/munin-node.pid
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
+key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+[munin-node]
+client = no
+accept = 4949
+connect = 127.0.0.1:4994
+CAfile = /etc/stunnel/certs/munin-master.pem
+
+; vim:ft=dosini
diff --git a/roles/lists/handlers/main.yml b/roles/lists/handlers/main.yml
index d4dd998..57a35db 100644
--- a/roles/lists/handlers/main.yml
+++ b/roles/lists/handlers/main.yml
@@ -13,3 +13,6 @@
- name: Restart wwsympa
service: name=wwsympa state=restarted
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml
index 6d1a4f5..85d3103 100644
--- a/roles/lists/tasks/mail.yml
+++ b/roles/lists/tasks/mail.yml
@@ -52,3 +52,31 @@
dest=/usr/local/bin/sympa-queue
owner=root group=root
mode=0755
+
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_stats_
+ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - smtpd
+ - qmgr
+ - smtp
+ - pipe
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin
new file mode 100644
index 0000000..ade1888
--- /dev/null
+++ b/roles/munin-master/files/etc/nginx/sites-available/munin
@@ -0,0 +1,31 @@
+server {
+ listen 127.0.0.1:80;
+ listen [::1]:80;
+
+ server_name munin.fripost.org;
+
+ access_log /var/log/nginx/munin.access.log;
+ error_log /var/log/nginx/munin.error.log info;
+
+ location = / {
+ return 302 /munin$args;
+ }
+
+ location /munin/static/ {
+ alias /etc/munin/static/;
+ }
+
+ location /munin-cgi/munin-cgi-graph/ {
+ fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+ include fastcgi/params;
+ fastcgi_pass unix:/run/munin/cgi-graph.socket;
+ gzip off;
+ }
+
+ location /munin/ {
+ fastcgi_split_path_info ^(/munin)(.*);
+ include fastcgi/params;
+ fastcgi_pass unix:/run/munin/cgi-html.socket;
+ gzip off;
+ }
+}
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service
new file mode 100644
index 0000000..9e4d820
--- /dev/null
+++ b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Munin CGI Graph Service
+After=network.target
+PartOf=munin.service
+Requires=munin-cgi-graph.socket
+
+[Service]
+StandardInput=socket
+User=www-data
+Group=munin
+ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket
new file mode 100644
index 0000000..d4d2e27
--- /dev/null
+++ b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Munin CGI Graph Listen Socket
+
+[Socket]
+SocketUser=www-data
+SocketGroup=www-data
+SocketMode=0600
+ListenStream=/run/munin/cgi-graph.socket
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service
new file mode 100644
index 0000000..11a7470
--- /dev/null
+++ b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Munin CGI HTML Service
+After=network.target
+PartOf=munin.service
+Requires=munin-cgi-html.socket
+
+[Service]
+StandardInput=socket
+User=www-data
+Group=munin
+ExecStart=/usr/lib/munin/cgi/munin-cgi-html
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket
new file mode 100644
index 0000000..77be2cf
--- /dev/null
+++ b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Munin CGI HTML Listen Socket
+
+[Socket]
+SocketUser=www-data
+SocketGroup=www-data
+SocketMode=0600
+ListenStream=/run/munin/cgi-html.socket
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/munin-master/handlers/main.yml b/roles/munin-master/handlers/main.yml
new file mode 100644
index 0000000..4c41033
--- /dev/null
+++ b/roles/munin-master/handlers/main.yml
@@ -0,0 +1,24 @@
+---
+- name: systemctl daemon-reload
+ command: /bin/systemctl daemon-reload
+
+- name: Restart rrdcached
+ service: name=rrdcached state=restarted
+
+- name: Restart munin
+ service: name=munin state=restarted
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
+
+- name: Restart munin-cgi-graph
+ service: name=munin-cgi-graph state=restarted
+
+- name: Restart munin-cgi-html
+ service: name=munin-cgi-html state=restarted
+
+- name: Restart Nginx
+ service: name=nginx state=restarted
+
+- name: Restart stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml
new file mode 100644
index 0000000..5dd1151
--- /dev/null
+++ b/roles/munin-master/tasks/main.yml
@@ -0,0 +1,136 @@
+- name: Install munin
+ apt: pkg={{ item }}
+ with_items:
+ - munin
+ - rrdcached
+ - libcgi-fast-perl
+
+- name: Configure rrdcached
+ lineinfile: "dest=/etc/default/rrdcached
+ regexp='^#?OPTS='
+ line='OPTS=\"-s munin -m 660 -l unix:/var/run/rrdcached.sock -w 1800 -z 1800 -f 3600 -j /var/lib/rrdcached/journal -F -b /var/lib/munin -B\"'"
+ register: r
+ notify:
+ - Restart rrdcached
+
+- name: Start rrdcached
+ service: name=rrdcached state=started
+ when: not r.changed
+
+- meta: flush_handlers
+
+
+- name: Configure munin
+ template: src=etc/munin/munin.conf.j2
+ dest=/etc/munin/munin.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart munin-cgi-graph
+ - Restart munin-cgi-html
+
+- name: chown www-data:adm /var/log/munin/munin-cgi-{graph,html}.log
+ file: path=/var/log/munin/{{ item }}
+ owner=www-data group=adm
+ mode=0640
+ with_items:
+ - munin-cgi-graph.log
+ - munin-cgi-html.log
+
+- name: Copy munin-cgi-graph.{service,socket}
+ copy: src=lib/systemd/system/{{ item }}
+ dest=/lib/systemd/system/{{ item }}
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Restart munin-cgi-graph
+ with_items:
+ - munin-cgi-graph.service
+ - munin-cgi-graph.socket
+
+- name: Copy munin-cgi-html.{service,socket}
+ copy: src=lib/systemd/system/{{ item }}
+ dest=/lib/systemd/system/{{ item }}
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Restart munin-cgi-html
+ with_items:
+ - munin-cgi-html.service
+ - munin-cgi-html.socket
+
+- meta: flush_handlers
+
+- name: Start munin-cgi-{graph,html}
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - munin-cgi-graph
+ - munin-cgi-html
+
+
+- name: Copy /etc/nginx/sites-available/munin
+ copy: src=etc/nginx/sites-available/munin
+ dest=/etc/nginx/sites-available/munin
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart Nginx
+
+- name: Create /etc/nginx/sites-enabled/munin
+ file: src=../sites-available/munin
+ dest=/etc/nginx/sites-enabled/munin
+ owner=root group=root
+ state=link force=yes
+ register: r2
+ notify:
+ - Restart Nginx
+
+- name: Start Nginx
+ service: name=nginx state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
+
+
+- name: Copy munin-node X.509 certificates
+ copy: src=certs/munin/{{ item }}.pem
+ dest=/etc/stunnel/certs/munin-{{ hostvars[item].inventory_hostname_short }}.pem
+ owner=root group=root
+ mode=0644
+ with_items: groups.all | difference([inventory_hostname])
+ register: r1
+ notify:
+ - Restart stunnel
+
+- name: Configure stunnel
+ template: src=etc/stunnel/munin-master.conf.j2
+ dest=/etc/stunnel/munin-master.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel
+
+- name: Start stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
+
+
+- name: Install 'munin_stats' and 'munin_update' plugins
+ file: src=/usr/share/munin/plugins/{{ item }}
+ dest=/etc/munin/plugins/{{ item }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - munin_stats
+ - munin_update
+ tags:
+ - munin-node
+ - munin
+ notify:
+ - Restart munin-node
diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2
new file mode 100644
index 0000000..8273a83
--- /dev/null
+++ b/roles/munin-master/templates/etc/munin/munin.conf.j2
@@ -0,0 +1,115 @@
+# Example configuration file for Munin, generated by 'make build'
+
+# The next three variables specifies where the location of the RRD
+# databases, the HTML output, logs and the lock/pid files. They all
+# must be writable by the user running munin-cron. They are all
+# defaulted to the values you see here.
+#
+#dbdir /var/lib/munin
+#htmldir /var/cache/munin/www
+#logdir /var/log/munin
+#rundir /var/run/munin
+
+# Where to look for the HTML templates
+#
+#tmpldir /etc/munin/templates
+
+# Where to look for the static www files
+#
+#staticdir /etc/munin/static
+
+# temporary cgi files are here. note that it has to be writable by
+# the cgi user (usually nobody or httpd).
+#
+# cgitmpdir /var/lib/munin/cgi-tmp
+
+# (Exactly one) directory to include all files from.
+includedir /etc/munin/munin-conf.d
+
+# You can choose the time reference for "DERIVE" like graphs, and show
+# "per minute", "per hour" values instead of the default "per second"
+#
+#graph_period second
+
+# Graphics files are generated either via cron or by a CGI process.
+# See http://munin-monitoring.org/wiki/CgiHowto2 for more
+# documentation.
+# Since 2.0, munin-graph has been rewritten to use the cgi code.
+# It is single threaded *by design* now.
+#
+graph_strategy cgi
+
+# munin-cgi-graph is invoked by the web server up to very many times at the
+# same time. This is not optimal since it results in high CPU and memory
+# consumption to the degree that the system can thrash. Again the default is
+# 6. Most likely the optimal number for max_cgi_graph_jobs is the same as
+# max_graph_jobs.
+#
+#munin_cgi_graph_jobs 6
+
+# If the automatic CGI url is wrong for your system override it here:
+#
+#cgiurl_graph /munin-cgi/munin-cgi-graph
+
+# max_size_x and max_size_y are the max size of images in pixel.
+# Default is 4000. Do not make it too large otherwise RRD might use all
+# RAM to generate the images.
+#
+#max_size_x 4000
+#max_size_y 4000
+
+# HTML files are normally generated by munin-html, no matter if the
+# files are used or not. You can change this to on-demand generation
+# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2
+#
+# Notes:
+# - moving to CGI for HTML means you cannot have graph generated by cron.
+# - cgi html has some bugs, mostly you still have to launch munin-html by hand
+#
+html_strategy cgi
+
+# munin-update runs in parallel.
+#
+# The default max number of processes is 16, and is probably ok for you.
+#
+# If set too high, it might hit some process/ram/filedesc limits.
+# If set too low, munin-update might take more than 5 min.
+#
+# If you want munin-update to not be parallel set it to 0.
+#
+#max_processes 16
+
+# RRD updates are per default, performed directly on the rrd files.
+# To reduce IO and enable the use of the rrdcached, uncomment it and set it to
+# the location of the socket that rrdcached uses.
+#
+rrdcached_socket /var/run/rrdcached.sock
+
+# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime
+# something changes (OK -> WARNING, CRITICAL -> OK, etc)
+contact.admin.command mail -s "Munin notification" admin@fripost.org
+#
+# For those with Nagios, the following might come in handy. In addition,
+# the services must be defined in the Nagios server as well.
+#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
+
+local_address 127.0.0.1
+
+{% set n = 0 %}
+{% for node in groups.all | sort %}
+{% set n = n + 1 %}
+[all;{{ hostvars[node].inventory_hostname_short }}]
+{% if node == inventory_hostname %}
+ address 127.0.0.1
+{% else %}
+ address 127.0.{{ n }}.1
+{% endif %}
+ port 4994
+
+{% for g in hostvars[node].group_names | sort %}
+[{{ g }};{{ hostvars[node].inventory_hostname_short }}]
+ update no
+
+{% endfor %}
+
+{% endfor %}
diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
new file mode 100644
index 0000000..c025183
--- /dev/null
+++ b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
@@ -0,0 +1,62 @@
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/munin-master.pid
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
+key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+{% set n = 0 %}
+{% for node in groups.all | sort %}
+{% set n = n + 1 %}
+{% if node != inventory_hostname %}
+[{{ hostvars[node].inventory_hostname_short }}]
+accept = 127.0.{{ n }}.1:4994
+connect = {{ node }}:4949
+delay = yes
+CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem
+{% endif %}
+
+{% endfor %}
+
+; vim:ft=dosini
diff --git a/roles/out/handlers/main.yml b/roles/out/handlers/main.yml
index 99a5db2..9edf610 100644
--- a/roles/out/handlers/main.yml
+++ b/roles/out/handlers/main.yml
@@ -1,3 +1,6 @@
---
- name: Reload Postfix
service: name=postfix state=reloaded
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/out/tasks/main.yml b/roles/out/tasks/main.yml
index 2a9cf71..10429b1 100644
--- a/roles/out/tasks/main.yml
+++ b/roles/out/tasks/main.yml
@@ -28,3 +28,30 @@
- name: Start Postfix
service: name=postfix state=started
+
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+ file: src=/usr/local/share/munin/plugins/postfix_stats_
+ dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - smtpd
+ - qmgr
+ - smtp
+ tags:
+ - munin
+ - munin-node
+ notify:
+ - Restart munin-node