Ansible Role icinga2_master
This role installs and configures Icinga2 as a monitoring master.
Mandatory Requirements
Install InfluxDB, and create a database and a user for said database. This can be done using the linuxfabrik.lfops.influxdb role.
Install MariaDB, and create a database and a user for said database. This can be done using the linuxfabrik.lfops.mariadb_server role.
On RHEL-compatible systems, enable the icinga2_can_connect_all, icinga2_run_sudo and nagios_run_sudo SELinux booleans. This can be done using the linuxfabrik.lfops.selinux role.
If you use the „Setup Icinga2 Master“ Playbook, this is automatically done for you.
Mandatory Role Variables
icinga2_master__enrolment_api_user
The API account for generating tickets. This can be used to enrol new hosts.
Type: Dictionary.
icinga2_master__influxdb_login
The user account for accessing the Icinga2 InfluxDB database.
Type: Dictionary.
Example:
# mandatory
icinga2_master__enrolment_api_user:
  username: 'enrolment-user'
  password: 'linuxfabrik'
icinga2_master__influxdb_login:
  username: 'icinga2'
  password: 'linuxfabrik'
Optional Role Variables
icinga2_master__api_users__host_var / icinga2_master__api_users__group_var
A list of dictionaries for the Icinga2 API users.
Type: List of dictionaries.
Default:
[]
Subkeys:
password: Mandatory. The password of the API user.
Type: String.
permissions: Mandatory. The permissions for the API user. Have a look at the example and https://icinga.com/docs/icinga-2/latest/doc/12-icinga2-api/#icinga2-api-permissions.
Type: List or String.
state: Optional. Either present or absent.
Type: String.
username: Mandatory. The username of the API user.
Type: String.
icinga2_master__bind_host
The bind host. This restricts the IP addresses on which Icinga2 listens.
Type: String.
Default: unset
icinga2_master__cn
The common name of the Icinga2 master. Tries to default to the FQDN of the server.
Type: String.
Default:
'{{ ansible_facts["nodename"] }}'
icinga2_master__influxdb_database_name
The name of the InfluxDB database.
Type: String.
Default:
'icinga2'
icinga2_master__influxdb_host
The host on which the InfluxDB database is reachable.
Type: String.
Default:
'localhost'
icinga2_master__influxdb_retention
Determines how long InfluxDB should keep the Icinga2 data. If specified, it should be INF or at least one hour.
Type: String.
Default:
'216d'
icinga2_master__service_enabled
Enables or disables the Icinga2 service, analogous to systemctl enable/disable --now.
Type: Bool.
Default:
true
Example:
# optional
icinga2_master__api_users__group_var: []
icinga2_master__api_users__host_var:
  - username: 'dashboard' # for example for grafinga
    password: "{{ lookup('linuxfabrik.lfops.bitwarden_item',
        {
          'hostname': inventory_hostname,
          'purpose': 'Icinga2 API',
          'username': 'dashboard',
          'collection_id': lfops__bitwarden_collection_id,
          'organization_id': lfops__bitwarden_organization_id,
        },
      )['password'] }}"
    permissions:
      - 'objects/query/*'
      - 'status/query'
  - username: 'downtime-user'
    password: 'linuxfabrik'
    permissions:
      - 'actions/schedule-downtime'
      - 'actions/remove-downtime'
      - 'actions/reschedule-check'
    state: 'present'
  - username: 'ticket-user'
    password: 'linuxfabrik'
    permissions:
      - 'actions/generate-ticket'
    state: 'present'
  - username: 'check-logfile-windows-api-user'
    password: 'linuxfabrik'
    permissions: |-
      [
        {% raw %}
        {
          permission = "objects/query/Service"
          filter = {{ regex("^check-logfile-windows-api-user", service.vars.logfile_windows_icinga_username ) }}
        }
        {% endraw %}
      ]
    state: 'present'
icinga2_master__bind_host: '192.0.2.12'
icinga2_master__cn: '{{ ansible_facts["nodename"] }}'
icinga2_master__influxdb_database_name: 'icinga2'
icinga2_master__influxdb_host: 'localhost'
icinga2_master__influxdb_retention: '216d'
icinga2_master__service_enabled: true
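The following lint is an added example, not part of the role: it checks a list shaped like icinga2_master__api_users__host_var for literal passwords shared between users and for wildcard permissions outside objects/query/. Both rules, the function name and the 'ops' sample user are assumptions of this example.

```python
# Added example: lint for icinga2_master__api_users__* entries before a run.
# The two rules (shared literal passwords, non-read wildcards) are assumptions
# of this example; the role itself does not enforce them.
from collections import defaultdict

MANDATORY = ("username", "password", "permissions")

def audit_api_users(users):
    """Return sorted (username, finding) tuples for a list of API user dicts."""
    findings, by_password = [], defaultdict(list)
    for user in users:
        name = user.get("username", "<no username>")
        findings += [(name, f"missing subkey '{k}'") for k in MANDATORY if not user.get(k)]
        state = user.get("state", "present")
        if state not in ("present", "absent"):
            findings.append((name, f"invalid state '{state}'"))
        if state == "absent":
            continue  # a removed user grants nothing
        password = user.get("password") or ""
        # A Jinja2 expression (such as a secret-store lookup) is resolved at run time.
        if password and "{{" not in password:
            by_password[password].append(name)
        perms = user.get("permissions") or []
        if isinstance(perms, str):
            continue  # raw Icinga2 DSL with filters: review by hand
        for perm in perms:
            if perm.endswith("*") and not perm.startswith("objects/query/"):
                findings.append((name, f"wildcard permission '{perm}'"))
    for names in by_password.values():
        if len(names) > 1:
            findings += [(n, "literal password shared with other users") for n in names]
    return sorted(findings)

# Constructed sample, modelled on the example above plus one over-privileged user.
SAMPLE_USERS = [
    {"username": "dashboard",
     "password": "{{ lookup('linuxfabrik.lfops.bitwarden_item', ...)['password'] }}",
     "permissions": ["objects/query/*", "status/query"]},
    {"username": "downtime-user", "password": "linuxfabrik", "state": "present",
     "permissions": ["actions/schedule-downtime", "actions/remove-downtime"]},
    {"username": "ticket-user", "password": "linuxfabrik", "state": "present",
     "permissions": ["actions/generate-ticket"]},
    {"username": "ops", "password": "s3parate-Constructed", "permissions": ["actions/*"]},
]

if __name__ == "__main__":
    for name, finding in audit_api_users(SAMPLE_USERS):
        print(f"{name}: {finding}")
```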
Primary-Secondary Setup
Adjust the following variables for the secondary Icinga2 master.
icinga2_master__additional_master_endpoints
A list of endpoints which should be in the Icinga2 master zone. For example, the primary Icinga2 master endpoint on the secondary, and vice versa.
Type: List of dictionaries.
Default:
[]
Subkeys:
cn: Mandatory. The common name of the additional Icinga2 master. This should be equal to icinga2_master__cn on the additional master.
Type: String.
host: Mandatory. The hostname or IP of the additional Icinga2 master.
Type: String.
port: Optional. Icinga2 Port.
Type: Number.
Default:
5665
icinga2_master__api_ticket_login
The Icinga2 API user which should be used to create a ticket for CSR (certificate signing request) auto-signing. The user needs to have the actions/generate-ticket permission.
Type: Dictionary.
Default:
'{{ icinga2_master__enrolment_api_user }}'
icinga2_master__influxdb_enable_ha
Whether high availability should be enabled for the InfluxDB database. Have a look at https://icinga.com/docs/icinga-2/latest/doc/14-features/#influxdb-in-cluster-ha-zones.
Type: Bool.
Default:
false
icinga2_master__influxdb_ssl_enable
Whether SSL should be enabled for the InfluxDB database connection. Have a look at https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#objecttype-influxdbwriter.
Type: Bool.
Default:
false
icinga2_master__node_role
The role of this Icinga2 node. Possible options: primary, secondary.
Type: String.
Default:
'primary'
icinga2_master__primary_host
The host on which the Icinga2 master is running. Needs to be reachable from the secondary node.
Type: String.
Default: unset
icinga2_master__primary_port
The port on which the Icinga2 master is running. Needs to be reachable from the secondary node.
Type: Number.
Default:
5665
Example:
# primary-secondary
icinga2_master__additional_master_endpoints:
  - cn: 'master1.example.com'
    host: 'master1.example.com'
    port: 5666
icinga2_master__api_ticket_login:
  username: 'ticket-user'
  password: 'linuxfabrik'
icinga2_master__influxdb_enable_ha: false
icinga2_master__influxdb_ssl_enable: false
icinga2_master__node_role: 'primary'
icinga2_master__primary_host: 'master1.example.com'
icinga2_master__primary_port: 5666
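The cross-check below is an added example, not part of the role: it compares the variables of both masters so that each cn in icinga2_master__additional_master_endpoints matches the peer's icinga2_master__cn and the secondary's primary host and port agree with a listed endpoint. The function name, the host master2.example.com, the one-primary rule and the host/port comparison are assumptions of this example.

```python
# Added example: cross-check two masters' variables before running the role.
DEFAULT_PORT = 5665  # documented default of port and icinga2_master__primary_port
EP = "icinga2_master__additional_master_endpoints"

def check_master_pair(hostvars):
    """hostvars: {inventory name: role variables}. Returns sorted problem strings."""
    problems = []
    # Assumption: the inventory name stands in for the nodename default of the CN.
    cn_of = {h: v.get("icinga2_master__cn", h) for h, v in hostvars.items()}
    roles = [v.get("icinga2_master__node_role", "primary") for v in hostvars.values()]
    if roles.count("primary") != 1:  # assumption: one primary per master zone
        problems.append(f"expected exactly one primary, found {roles.count('primary')}")
    for host, v in hostvars.items():
        peers = {cn for h, cn in cn_of.items() if h != host}
        endpoints = v.get(EP, [])
        for ep in endpoints:
            if ep["cn"] == cn_of[host]:
                problems.append(f"{host}: lists itself as additional endpoint")
            elif ep["cn"] not in peers:
                problems.append(f"{host}: endpoint cn '{ep['cn']}' matches no peer's icinga2_master__cn")
        missing = peers - {ep["cn"] for ep in endpoints}
        problems += [f"{host}: peer '{cn}' not in additional_master_endpoints" for cn in sorted(missing)]
        if v.get("icinga2_master__node_role", "primary") == "secondary":
            target = (v.get("icinga2_master__primary_host"),
                      v.get("icinga2_master__primary_port", DEFAULT_PORT))
            listed = {(ep["host"], ep.get("port", DEFAULT_PORT)) for ep in endpoints}
            if target[0] is None:
                problems.append(f"{host}: secondary without icinga2_master__primary_host")
            elif target not in listed:  # heuristic: same listener expected in both places
                problems.append(f"{host}: primary_host/port {target} differs from every listed endpoint")
    return sorted(problems)

# Constructed samples; master2.example.com is a hypothetical second master.
PRIMARY = {"icinga2_master__node_role": "primary",
           EP: [{"cn": "master2.example.com", "host": "master2.example.com", "port": 5666}]}
SECONDARY = {"icinga2_master__node_role": "secondary",
             "icinga2_master__primary_host": "master1.example.com",
             "icinga2_master__primary_port": 5666,
             EP: [{"cn": "master1.example.com", "host": "master1.example.com", "port": 5666}]}
GOOD = {"master1.example.com": PRIMARY, "master2.example.com": SECONDARY}
# Same pair, but with a short CN and icinga2_master__primary_port left at its default.
BAD_SECONDARY = {"icinga2_master__node_role": "secondary",
                 "icinga2_master__primary_host": "master1.example.com",
                 EP: [{"cn": "master1", "host": "master1.example.com", "port": 5666}]}
BAD = {"master1.example.com": PRIMARY, "master2.example.com": BAD_SECONDARY}

if __name__ == "__main__":
    print(check_master_pair(GOOD), *check_master_pair(BAD), sep="\n")
```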