3 次代碼提交 9529e4bdd9 ... f7c77f855f

作者 SHA1 備註 提交日期
  Philipp Fromme f7c77f855f icinga2: Unite stretch and buster config 3 年之前
  Philipp Fromme 9ddb49aed7 icinga2: Move ApiListener certs to new location 3 年之前
  Maximilian Wilhelm ec06b1c43a fastd: It's all buster now, no tag needed anymore 3 年之前
共有 5 個文件被更改,包括 27 次插入71 次删除
  1. 1 1
      fastd/fastd.conf
  2. 0 3
      icinga2/api.conf
  3. 0 6
      icinga2/icinga2.conf
  4. 0 51
      icinga2/icinga2.conf.Debian.buster
  5. 26 10
      icinga2/init.sls

+ 1 - 1
fastd/fastd.conf

@@ -53,7 +53,7 @@ on up "
 	ip link set $INTERFACE up
 
 	batctl {{ meshif }} {{ bat_iface }} if add $INTERFACE
-{%- if grains.oscodename == "buster" or 'batman-iface-penalty' in node_config.get ('tags', []) %}
+{%- if grains.oscodename == "buster" %}
 	# Make VPN more expensive than intra DC/DCI/WBBL links
 	batctl hardif $INTERFACE hop_penalty 50
 {%- endif %}

+ 0 - 3
icinga2/api.conf

@@ -4,9 +4,6 @@
 
 object ApiListener "api" {
 	bind_host = "127.0.0.1"
-	cert_path = "/etc/icinga2/pki/ffhohost.cert.pem"
-	key_path  = "/etc/icinga2/pki/ffhohost.key.pem"
-	ca_path   = "/etc/ssl/certs/ffho-cacert.pem"
 
 	ticket_salt = TicketSalt
 

+ 0 - 6
icinga2/icinga2.conf

@@ -47,11 +47,5 @@ include <nscp>
  */
 include "features-enabled/*.conf"
 
-/**
- * The repository.d directory contains all configuration objects
- * managed by the 'icinga2 repository' CLI commands.
- */
-include_recursive "repository.d"
-
 # Include command definitions
 include_recursive "commands.d"

+ 0 - 51
icinga2/icinga2.conf.Debian.buster

@@ -1,51 +0,0 @@
-#
-# Icinga2 main configuration for nodes (Salt managed)
-#
-
-/**
- * Icinga 2 configuration file
- * - this is where you define settings for the Icinga application including
- * which hosts/services to check.
- *
- * For an overview of all available configuration options please refer
- * to the documentation that is distributed as part of Icinga 2.
- */
-
-/**
- * The constants.conf defines global constants.
- */
-include "constants.conf"
-
-/**
- * The zones.conf defines zones for a cluster setup.
- * Not required for single instance setups.
- */
-include "zones.conf"
-
-/**
- * The Icinga Template Library (ITL) provides a number of useful templates
- * and command definitions.
- * Common monitoring plugin command definitions are included separately.
- */
-include <itl>
-include <plugins>
-include <plugins-contrib>
-include <manubulon>
-
-/**
- * This includes the NSClient++ check commands. These command definitions
- * are required on a master node when a client is used as command endpoint.
- */
-include <nscp>
-
-/**
- * The features-available directory contains a number of configuration
- * files for features which can be enabled and disabled using the
- * icinga2 feature enable / icinga2 feature disable CLI commands.
- * These commands work by creating and removing symbolic links in
- * the features-enabled directory.
- */
-include "features-enabled/*.conf"
-
-# Include command definitions
-include_recursive "commands.d"

+ 26 - 10
icinga2/init.sls

@@ -96,31 +96,45 @@ ffho-plugins:
       - service: icinga2
 
 
-# Install host cert + key readable for icinga
+# Install CA cert + host cert + key readable for icinga
+/var/lib/icinga2/certs:
+  file.directory:
+    - makedirs: True
+
+/var/lib/icinga2/certs/ca.crt:
+  file.managed:
+    - source: salt://certs/ffho-cacert.pem
+    - user: nagios
+    - group: nagios
+    - mode: 644
+    - require:
+      - pkg: icinga2
+      - file: /var/lib/icinga2/certs
+    - watch_in:
+      - sevice: icinga2
+
 {% set pillar_name = 'nodes:' ~ grains['id'] ~ ':certs:' ~ grains['id'] %}
-/etc/icinga2/pki/ffhohost.cert.pem:
+/var/lib/icinga2/certs/{{ grains['id'] }}.crt:
   file.managed:
-    {% if salt['pillar.get'](pillar_name ~ ':cert') == "file" %}
-    - source: salt://certs/certs/{{ cn }}.cert.pem
-    {% else %}
     - contents_pillar: {{ pillar_name }}:cert
-    {% endif %}
-    - user: root
-    - group: root
+    - user: nagios
+    - group: nagios
     - mode: 644
     - require:
       - pkg: icinga2
+      - file: /var/lib/icinga2/certs
     - watch_in:
       - service: icinga2
 
-/etc/icinga2/pki/ffhohost.key.pem:
+/var/lib/icinga2/certs/{{ grains['id'] }}.key:
   file.managed:
     - contents_pillar: {{ pillar_name }}:privkey
-    - user: root
+    - user: nagios
     - group: nagios
     - mode: 440
     - require:
       - pkg: icinga2
+      - file: /var/lib/icinga2/certs
     - watch_in:
       - service: icinga2
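Review bot: The `watch_in` of the new `/var/lib/icinga2/certs/ca.crt` state names `sevice: icinga2`, a misspelling of `service`, so the requisite does not reference the icinga2 service state; presumably the state run either errors on it or a replaced CA certificate never restarts the daemon. It should read `- service: icinga2`, like the two certificate states below it. Separately, the private key state changes `user: root` to `user: nagios` while keeping `mode: 440`, which makes the daemon account the owner of its own key file and so able to chmod and rewrite it; the previous `user: root` with `group: nagios` gave the service the same read access without that. The new `/var/lib/icinga2/certs` `file.directory` state sets no `user`, `group` or `mode`, so the permissions of the directory holding the key are left to defaults; stating them explicitly, and quoting the modes (`'0440'`, `'0644'`), would make the key's exposure reviewable from the state file alone.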
 
@@ -130,6 +144,8 @@ ffho-plugins:
 /etc/icinga2/features-enabled/{{ feature }}.conf:
   file.symlink:
     - target: "../features-available/{{ feature }}.conf"
+    - user: nagios
+    - group: nagios
     - require:
       - pkg: icinga2
     - watch_in: