Configure munin nodes & master.

Interhost communications are protected by stunnel4.  The graphs are only
visible on the master itself, and content is generated by Fast CGI.

2 files changed, 212 insertions, 4 deletions

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 477bd34..df609d3 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -27,10 +27,11 @@
 - name: Generate DH parameters
   command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
   tags: genkey
-- include: logging.yml  tags=logging
-- include: ntp.yml      tags=ntp
-- include: mail.yml     tags=mail,postfix
-- include: bacula.yml   tags=bacula-fd,bacula
+- include: logging.yml      tags=logging
+- include: ntp.yml          tags=ntp
+- include: mail.yml         tags=mail,postfix
+- include: bacula.yml       tags=bacula-fd,bacula
+- include: munin-node.yml   tags=munin-node,munin
 
 - name: Install common packages
   apt: pkg={{ item }}
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
new file mode 100644
index 0000000..9e5d8f4
--- /dev/null
+++ b/roles/common/tasks/munin-node.yml
@@ -0,0 +1,207 @@
+- name: Install munin-node
+  apt: pkg={{ item }}
+  with_items:
+    - munin-node
+    - munin-plugins-extra
+    ###
+    - acpi
+    - lm-sensors
+    - ethtool
+    - hdparm
+    - libwww-perl
+    - libxml-simple-perl
+    - logtail
+
+- name: Create directory /usr/local/share/munin/plugins
+  file: path=/usr/local/share/munin/plugins
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy our own Munin plugins
+  copy: src={{ item }}
+        dest=/usr/local/share/munin/plugins/
+        owner=root group=root
+        mode=0755
+  with_fileglob:
+    - usr/local/share/munin/plugins/*
+
+- name: Configure munin-node
+  template: src=etc/munin/{{ item }}.j2
+            dest=/etc/munin/{{ item }}
+            owner=root group=root
+            mode=0644
+  register: r1
+  with_items:
+    - munin-node.conf
+    - plugin-conf.d/munin-node
+  notify:
+    - Restart munin-node
+
+- name: Install Munin plugins
+  file: src=/usr/share/munin/plugins/{{ item }}
+        dest=/etc/munin/plugins/{{ item }}
+        owner=root group=root
+        state=link force=yes
+  register: r2
+  with_items:
+    - cpu
+    - df
+    - df_inode
+    - diskstats
+    - entropy
+    - fail2ban
+    - forks
+    - fw_conntrack
+    - fw_forwarded_local
+    - fw_packets
+    - hddtemp_smartctl
+    - interrupts
+    - irqstats
+    - load
+    - memory
+    - netstat
+    - ntp_kernel_err
+    - ntp_kernel_pll_freq
+    - ntp_kernel_pll_off
+    - ntp_offset
+    - open_files
+    - open_inodes
+    - processes
+    - proc_pri
+    - swap
+    - threads
+    - uptime
+    - users
+    - vmstat
+  notify:
+    - Restart munin-node
+
+- name: Delete Munin plugins
+  file: path=/etc/munin/plugins/{{ item }}
+        state=absent
+  register: r3
+  with_items:
+    - http_loadtime
+    - ip_255.255.255.255
+    - postfix_mailqueue
+    - postfix_mailvolume
+  notify:
+    - Restart munin-node
+
+- name: Install 'if_' Munin wildcard plugin
+  file: src=/usr/share/munin/plugins/{{ item.0 }}_
+        dest=/etc/munin/plugins/{{ item.0 }}_{{ item.1 }}
+        owner=root group=root
+        state=link force=yes
+  register: r4
+  with_nested:
+    - [ if, if_err ]
+    - [ lo, "{{ ansible_default_ipv4.interface }}" ]
+  notify:
+    - Restart munin-node
+
+- name: Install 'postfix_mailvolume2' Munin plugin
+  file: src=/usr/local/share/munin/plugins/postfix_mailvolume2
+        dest=/etc/munin/plugins/postfix_mailvolume2
+        owner=root group=root
+        state=link force=yes
+  register: r5
+  notify:
+    - Restart munin-node
+
+- name: Install 'postfix_mailqueue_' Munin wildcard plugin
+  file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
+        dest=/etc/munin/plugins/postfix_mailqueue_postfix
+        owner=root group=root
+        state=link force=yes
+  register: r6
+  notify:
+    - Restart munin-node
+
+- name: Install 'postfix_stats_' Munin wildcard plugin
+  file: src=/usr/local/share/munin/plugins/postfix_stats_
+        dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix
+        owner=root group=root
+        state=link force=yes
+  register: r7
+  with_items:
+    - smtpd
+    - qmgr
+    - smtp
+  notify:
+    - Restart munin-node
+
+- name: Start munin-node
+  service: name=munin-node state=started
+  when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
+
+- meta: flush_handlers
+
+
+
+- name: Install stunnel
+  apt: pkg=stunnel4
+
+- name: Auto-enable stunnel
+  lineinfile: dest=/etc/default/stunnel4
+              regexp='^(\s*#)?\s*ENABLED='
+              line='ENABLED=1'
+              owner=root group=root
+              mode=0644
+
+- name: Create /etc/stunnel/certs
+  file: path=/etc/stunnel/certs
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Generate a private key and a X.509 certificate for munin-node
+  command: genkeypair.sh x509
+                         --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
+                         --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
+                         --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
+                         -t rsa -b 4096 -h sha512
+  register: r1
+  changed_when: r1.rc == 0
+  failed_when: r1.rc > 1
+  notify:
+    - Restart stunnel
+  tags:
+    - genkey
+
+- name: Fetch Munin X.509 certificate
+  # Ensure we don't fetch private data
+  sudo: False
+  fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
+         dest=certs/munin/{{ inventory_hostname }}.pem
+         fail_on_missing=yes
+         flat=yes
+  tags:
+    - genkey
+
+- name: Copy munin-master X.509 certificates
+  assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
+            dest=/etc/stunnel/certs/munin-master.pem
+            owner=root group=root
+            mode=0644
+  register: r2
+  when: "'munin-master' not in group_names"
+  notify:
+    - Restart stunnel
+
+- name: Configure stunnel
+  template: src=etc/stunnel/munin-node.conf.j2
+            dest=/etc/stunnel/munin-node.conf
+            owner=root group=root
+            mode=0644
+  register: r3
+  when: "'munin-master' not in group_names"
+  notify:
+    - Restart stunnel
+
+- name: Start stunnel
+  service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+  when: not (r1.changed or r2.changed or r3.changed)
+
+- meta: flush_handlers