Ansible Role icinga2_master
This role installs and configures Icinga2 as a monitoring master.
Available since LFOps 2.0.0.
Dependent Roles
Any LFOps playbook that installs this role runs these for you. Optional ones can be disabled via the playbook’s skip variables.
InfluxDB must be installed with a database and a user for said database (role: linuxfabrik.lfops.influxdb).
MariaDB must be installed with a database and a user for said database (role: linuxfabrik.lfops.mariadb_server).
On RHEL-compatible systems, the icinga2_can_connect_all, icinga2_run_sudo and nagios_run_sudo SELinux booleans must be enabled (role: linuxfabrik.lfops.selinux).
Mandatory Role Variables
icinga2_master__enrolment_api_user
The API account for generating tickets. This can be used to enrol new hosts.
Type: Dictionary.
icinga2_master__influxdb_login
The user account for accessing the Icinga2 InfluxDB database.
Type: Dictionary.
Example:
# mandatory
icinga2_master__enrolment_api_user:
  username: 'enrolment-user'
  password: 'linuxfabrik'
icinga2_master__influxdb_login:
  username: 'icinga2'
  password: 'linuxfabrik'
Optional Role Variables
icinga2_master__api_users__host_var / icinga2_master__api_users__group_var
A list of dictionaries for the Icinga2 API users.
Type: List of dictionaries.
Default:
[]
Subkeys:
password: Mandatory. The password of the API user.
Type: String.
permissions: Mandatory. The permissions for the API user. Have a look at the example and https://icinga.com/docs/icinga-2/latest/doc/12-icinga2-api/#icinga2-api-permissions.
Type: List or String.
state: Optional. Either present or absent.
Type: String.
username: Mandatory. The username of the API user.
Type: String.
icinga2_master__bind_host
The bind host. This restricts the IP addresses on which Icinga2 listens.
Type: String.
Default: unset
icinga2_master__cn
The common name of the Icinga2 master. Tries to default to the FQDN of the server.
Type: String.
Default:
'{{ ansible_facts["nodename"] }}'
icinga2_master__influxdb_database_name
The name of the InfluxDB database.
Type: String.
Default:
'icinga2'
icinga2_master__influxdb_host
The host on which the InfluxDB database is reachable.
Type: String.
Default:
'localhost'
icinga2_master__influxdb_retention
Determines how long InfluxDB should keep the Icinga2 data. If specified, it should be INF or at least one hour.
Type: String.
Default:
'216d'
icinga2_master__service_enabled
Enables or disables the Icinga2 service, analogous to systemctl enable/disable --now.
Type: Bool.
Default:
true
Example:
# optional
icinga2_master__api_users__group_var: []
icinga2_master__api_users__host_var:
  - username: 'dashboard' # for example for grafinga
    password: "{{ lookup('linuxfabrik.lfops.bitwarden_item',
        {
          'hostname': inventory_hostname,
          'purpose': 'Icinga2 API',
          'username': 'dashboard',
          'collection_id': lfops__bitwarden_collection_id,
          'organization_id': lfops__bitwarden_organization_id,
        },
      )['password'] }}"
    permissions:
      - 'objects/query/*'
      - 'status/query'
  - username: 'downtime-user'
    password: 'linuxfabrik'
    permissions:
      - 'actions/schedule-downtime'
      - 'actions/remove-downtime'
      - 'actions/reschedule-check'
    state: 'present'
  - username: 'ticket-user'
    password: 'linuxfabrik'
    permissions:
      - 'actions/generate-ticket'
    state: 'present'
  - username: 'check-logfile-windows-api-user'
    password: 'linuxfabrik'
    permissions: |-
      [
      {% raw %}
        {
          permission = "objects/query/Service"
          filter = {{ regex("^check-logfile-windows-api-user", service.vars.logfile_windows_icinga_username ) }}
        }
      {% endraw %}
      ]
    state: 'present'
icinga2_master__bind_host: '192.0.2.12'
icinga2_master__cn: '{{ ansible_facts["nodename"] }}'
icinga2_master__influxdb_database_name: 'icinga2'
icinga2_master__influxdb_host: 'localhost'
icinga2_master__influxdb_retention: '216d'
icinga2_master__service_enabled: true
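An added example (not part of the LFOps role or its documentation): a pre-deployment check over an API user list shaped like icinga2_master__api_users__host_var, flagging literal and shared passwords and the all-access '*' permission in both the list and the string form of permissions. The function name, the finding texts and the constructed SAMPLE_USERS list (including the old-admin and ops entries and the shortened lookup expression) are assumptions.

```python
import re
from collections import Counter

MANDATORY = ("username", "password", "permissions")
TEMPLATED = re.compile(r"\{\{.*\}\}", re.S)  # value comes from a lookup or variable

# Constructed sample, shaped like icinga2_master__api_users__host_var after YAML parsing.
SAMPLE_USERS = [
    {"username": "dashboard", "permissions": ["objects/query/*", "status/query"],
     "password": "{{ lookup('linuxfabrik.lfops.bitwarden_item', query)['password'] }}"},
    {"username": "downtime-user", "password": "linuxfabrik", "state": "present",
     "permissions": ["actions/schedule-downtime", "actions/remove-downtime"]},
    {"username": "ticket-user", "password": "linuxfabrik", "state": "present",
     "permissions": ["actions/generate-ticket"]},
    {"username": "old-admin", "password": "changeme", "state": "absent",
     "permissions": ["*"]},                       # hypothetical entry
    {"username": "ops", "password": "{{ vault_ops_password }}",
     "permissions": '[ "*" ]'},                   # hypothetical, string form
]


def audit_api_users(users):
    """Return sorted (username, finding) tuples; users with state 'absent' are skipped."""
    findings, literal = [], Counter()
    active = [u for u in users if u.get("state", "present") != "absent"]
    for user in active:
        name = user.get("username", "<missing username>")
        for key in MANDATORY:
            if not user.get(key):
                findings.append((name, f"missing mandatory subkey: {key}"))
        password = str(user.get("password") or "")
        if password and not TEMPLATED.search(password):
            findings.append((name, "password is a literal in the inventory"))
            literal[password] += 1
        perms = user.get("permissions") or []
        if isinstance(perms, str):
            # String form is raw Icinga2 DSL: compare against its quoted values.
            perms = re.findall(r'"([^"]*)"', perms)
        if "*" in perms:
            findings.append((name, "permission '*' grants every API permission"))
    for user in active:
        if literal[str(user.get("password") or "")] > 1:
            name = user.get("username", "<missing username>")
            findings.append((name, "password shared with another API user"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_api_users(SAMPLE_USERS):
        print(f"{name}: {finding}")
```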
Optional Role Variables - Primary-Secondary Setup
Adjust the following variables for the secondary Icinga2 master.
icinga2_master__additional_master_endpoints
A list of endpoints which should be in the Icinga2 master zone. For example, the primary Icinga2 master endpoint on the secondary, and vice versa.
Type: List of dictionaries.
Default:
[]
Subkeys:
cn: Mandatory. The common name of the additional Icinga2 master. This should be equal to icinga2_master__cn on the additional master.
Type: String.
host: Mandatory. The hostname or IP of the additional Icinga2 master.
Type: String.
port: Optional. Icinga2 port.
Type: Number.
Default:
5665
icinga2_master__api_ticket_login
The Icinga2 API user which should be used to create a ticket for CSR (certificate signing request) auto-signing. The user needs to have the actions/generate-ticket permission.
Type: Dictionary.
Default:
'{{ icinga2_master__enrolment_api_user }}'
icinga2_master__influxdb_enable_ha
Whether high availability should be enabled for the InfluxDB database. Have a look at https://icinga.com/docs/icinga-2/latest/doc/14-features/#influxdb-in-cluster-ha-zones.
Type: Bool.
Default:
false
icinga2_master__influxdb_ssl_enable
Whether SSL should be enabled for the InfluxDB database connection. Have a look at https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#objecttype-influxdbwriter.
Type: Bool.
Default:
false
icinga2_master__node_role
The role of this Icinga2 node. Possible options: primary, secondary.
Type: String.
Default:
'primary'
icinga2_master__primary_host
The host on which the Icinga2 master is running. Needs to be reachable from the secondary node.
Type: String.
Default: unset
icinga2_master__primary_port
The port on which the Icinga2 master is running. Needs to be reachable from the secondary node.
Type: Number.
Default:
5665
Example:
# primary-secondary
icinga2_master__additional_master_endpoints:
  - cn: 'master1.example.com'
    host: 'master1.example.com'
    port: 5666
icinga2_master__api_ticket_login:
  username: 'ticket-user'
  password: 'linuxfabrik'
icinga2_master__influxdb_enable_ha: false
icinga2_master__influxdb_ssl_enable: false
icinga2_master__node_role: 'primary'
icinga2_master__primary_host: 'master1.example.com'
icinga2_master__primary_port: 5666