authorkwadronaut <kwadronaut@leap.se>2018-11-14 11:09:02 +0100
committerkwadronaut <kwadronaut@leap.se>2018-11-14 11:09:02 +0100
commit06b521b6887d33b4cfa650c0d26850c8d1cc0ef8 (patch)
treecaa0bac49dfd2573462acef06b68d2ea69d8cdb8 /example/site_check_mk/manifests
parent6ffee2d778992b783bd29a1ddeaab61baf6d47aa (diff)
parent15aba17d007e076ea09e50c837081ee1bec1b301 (diff)
Merge remote-tracking branch 'shared/master'HEADmaster
Diffstat (limited to 'example/site_check_mk/manifests')
-rw-r--r--example/site_check_mk/manifests/agent.pp50
-rw-r--r--example/site_check_mk/manifests/agent/apt.pp25
-rw-r--r--example/site_check_mk/manifests/agent/logwatch.pp36
-rw-r--r--example/site_check_mk/manifests/agent/logwatch/syslog.pp18
-rw-r--r--example/site_check_mk/manifests/server.pp96
5 files changed, 225 insertions, 0 deletions
diff --git a/example/site_check_mk/manifests/agent.pp b/example/site_check_mk/manifests/agent.pp
new file mode 100644
index 0000000..056b007
--- /dev/null
+++ b/example/site_check_mk/manifests/agent.pp
@@ -0,0 +1,50 @@
+class site_check_mk::agent {
+
+ $tags = hiera('check_mk-tags')
+
+ class { 'check_mk::agent':
+ # FIXME: the check_mk module should be enhanced to detect debian so we
+ # don't need to set these
+ agent_package_name => 'check-mk-agent',
+ agent_logwatch_package_name => 'check-mk-agent-logwatch',
+ # we use ssh rather than xinetd and have puppet generate and collect keys
+ method => 'ssh',
+ generate_sshkey => true,
+ sshuser => 'checkmk',
+ # where keys get stored on the check-mk-server (default is an OMD dir)
+ keydir => '/etc/check_mk/keys',
+ # we(riseup) override where authorized keys are stored, since we use a
+ # central directory of user named files rather than
+ # ~user/.ssh/authorized_keys
+ authdir => '/etc/ssh/authorized_keys',
+ authfile => 'checkmk',
+ host_tags => $tags
+ }
+
+ # we ssh as the checkmk user and allow checkmk to run check_mk_agent
+ # with sudo (rather than ssh as root)
+ if !defined(User[checkmk]) {
+ user { 'checkmk':
+ ensure => 'present',
+ home => '/usr/lib/check_mk_agent',
+ gid => 'users',
+ password => '*',
+ comment => 'check_mk agent';
+ }
+ }
+
+ include site_sudo
+
+ sudo::access { 'checkmk':
+ user => 'checkmk',
+ access => 'ALL= NOPASSWD: /usr/bin/check_mk_agent'
+ }
+
+ # include checks we want on all agents here
+ # NOTE: we're currently doing this here, it could also be done within
+ # the actual classes related to the check (as we've done before with munin)
+ include site_check_mk::agent::apt
+
+ # not enabled yet
+ #include site_check_mk::agent::logwatch
+}
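Review bot: The `checkmk` account's `home` on the `user` resource is `/usr/lib/check_mk_agent`, the same tree the agent loads plugins from (logwatch.pp installs `/usr/lib/check_mk_agent/plugins/mk_logwatch`), while the `sudo::access` rule lets that account run `/usr/bin/check_mk_agent` as root without a password. If that directory ever becomes owned or writable by `checkmk`, whatever lands there would run with root privileges on the next agent call. Pin the ownership explicitly, e.g. `file { '/usr/lib/check_mk_agent': ensure => directory, owner => root, group => root, mode => '0755' }`, or give the account a separate home. Whether the collected key in `/etc/ssh/authorized_keys/checkmk` is limited to a forced command is decided inside `check_mk::agent`, which is not visible in this hunk, so that should be confirmed.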
diff --git a/example/site_check_mk/manifests/agent/apt.pp b/example/site_check_mk/manifests/agent/apt.pp
new file mode 100644
index 0000000..a74a906
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/apt.pp
@@ -0,0 +1,25 @@
+class site_check_mk::agent::apt {
+ include check_mk::agent::mrpe
+
+
+ # we deliver a wrapper to check_apt that makes it more useful
+ augeas {
+ "Apt":
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'set APT "/usr/local/lib/nagios/plugins/check_apt -t 30"',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['check-mk-agent'] ];
+ }
+
+ # installing a local plugin, so include this to get the dirs
+ include site_nagios::localplugin
+
+ file {
+ '/usr/local/lib/nagios/plugins/check_apt':
+ source => 'puppet:///modules/site_check_mk/agent/apt/check_apt',
+ owner => root,
+ group => root,
+ mode => '0750',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['nagios-plugins-basic'] ];
+ }
+}
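Review bot: The `augeas` resource that writes the `APT` entry into `/etc/check_mk/mrpe.cfg` requires only the plugin directory and the agent package, not the wrapper itself, so the MRPE entry can be applied before `/usr/local/lib/nagios/plugins/check_apt` exists. Adding the file to the list fixes the ordering: `require => [ File['/usr/local/lib/nagios/plugins/check_apt'], Package['check-mk-agent'] ];`. The wrapper's `0750` root:root mode works only because the agent is run as root through sudo (set up in agent.pp). A one-line comment next to `mode` saying so would keep someone from loosening it later.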
diff --git a/example/site_check_mk/manifests/agent/logwatch.pp b/example/site_check_mk/manifests/agent/logwatch.pp
new file mode 100644
index 0000000..423cace
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/logwatch.pp
@@ -0,0 +1,36 @@
+class site_check_mk::agent::logwatch {
+ # Deploy mk_logwatch 1.2.4 so we can split the config
+ # into multiple config files in /etc/check_mk/logwatch.d
+ # see https://leap.se/code/issues/5135
+
+ file { '/usr/lib/check_mk_agent/plugins/mk_logwatch':
+ source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4',
+ mode => '0755',
+ require => Package['check-mk-agent-logwatch']
+ }
+
+ # only config files that watch a distinct logfile should go in logwatch.d/
+ file { '/etc/check_mk/logwatch.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ require => Package['check-mk-agent-logwatch']
+ }
+
+ # service that share a common logfile (i.e. /var/log/syslog) need to get
+ # concanated in one file, otherwise the last file sourced will override
+ # the config before
+ # see mk_logwatch: "logwatch.cfg overwrites config files in logwatch.d",
+ # https://leap.se/code/issues/5155
+
+ # first, we need to deploy a custom logwatch.cfg that doesn't include
+ # a section about /var/log/syslog
+
+ file { '/etc/check_mk/logwatch.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/logwatch.cfg',
+ require => Package['check_mk-agent-logwatch']
+ }
+
+ include concat::setup
+ include site_check_mk::agent::logwatch::syslog
+}
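Review bot: The `require` on `/etc/check_mk/logwatch.cfg` references `Package['check_mk-agent-logwatch']` with an underscore, while the other two resources in this class and `agent_logwatch_package_name` in agent.pp use `check-mk-agent-logwatch`. Once the class is enabled (it is still commented out in agent.pp), that reference will most likely fail to resolve. It should read `require => Package['check-mk-agent-logwatch']`. Separately, the `mk_logwatch` plugin file sets `mode => '0755'` but no owner or group; since the agent runs it as root, adding `owner => root, group => root` would make the intended ownership explicit.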
diff --git a/example/site_check_mk/manifests/agent/logwatch/syslog.pp b/example/site_check_mk/manifests/agent/logwatch/syslog.pp
new file mode 100644
index 0000000..c927780
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/logwatch/syslog.pp
@@ -0,0 +1,18 @@
+class site_check_mk::agent::logwatch::syslog {
+
+ concat { '/etc/check_mk/logwatch.d/syslog.cfg':
+ warn => true
+ }
+
+ concat::fragment { 'syslog_header':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_header.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '01';
+ }
+ concat::fragment { 'syslog_tail':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_tail.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '99';
+ }
+
+}
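Review bot: The class has no comment explaining the fragment ordering: `syslog_header` is `01` and `syslog_tail` is `99`, which suggests per-service fragments are meant to slot in between, but nothing says so. A header comment such as `# services sharing /var/log/syslog add their own concat::fragment to syslog.cfg, ordered between the header (01) and the tail (99)` would document the convention; confirm it against the classes that add fragments, which are outside this hunk. The `concat` target also sets no `owner`, `group` or `mode`. Since mk_logwatch reads this file during the agent run, pinning it to root with `0644` would match how the config files in server.pp are declared.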
diff --git a/example/site_check_mk/manifests/server.pp b/example/site_check_mk/manifests/server.pp
new file mode 100644
index 0000000..99fee41
--- /dev/null
+++ b/example/site_check_mk/manifests/server.pp
@@ -0,0 +1,96 @@
+class site_check_mk::server {
+
+ # we don't use the main check_mk class, but call things a la carte. The
+ # main class does:
+ # check_mk::install -> we don't want OMD, we install the debian packages
+ # check_mk::config -> we call below with special settings
+ # check_mk::service -> service checks for http/xinetd/omd, we don't want
+ # check_mk::server::configure_ssh -> we call below
+ # FIXME: if the check_mk module was more generic and less OMD focused,
+ # it would just know what to do for a debian install and we could use
+ # the main check_mk class with the right parameters, rather than a la carte
+
+ # install the server package, this also pulls in check-mk-config-nagios3
+ # FIXME: the check_mk module should be enhanced to better support distro
+ # installs and then we'd just set a $distro parameter and it would
+ # detect debian and install the right packages. But until it does...
+ package { 'check-mk-server':
+ ensure => installed,
+ }
+
+ # the server needs check_icmp (among others)
+ if !defined(Package['nagios-plugins-basic']) {
+ package { 'nagios-plugins-basic': ensure => installed }
+ }
+
+ # flush config for certain config changes
+ # FIXME: after testing, maybe this can go in the generic module
+ exec { 'check_mk-flush':
+ command => "/bin/su -l -c '${bin_dir}/check_mk --flush' ${site}",
+ refreshonly => true,
+ notify => Exec['check_mk-reload'],
+ }
+
+ file {
+ '/etc/check_mk/keys':
+ ensure => directory;
+
+ # don't generate host defines
+ '/etc/check_mk/conf.d/nohost.mk':
+ source => 'puppet:///modules/site_check_mk/nohost.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-refresh'];
+
+ # setup parent relationships
+ '/etc/check_mk/conf.d/parents.mk':
+ source => 'puppet:///modules/site_check_mk/parents.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-refresh'];
+
+ # checks we ignore (requires a flush to get them to go away)
+ '/etc/check_mk/conf.d/ignore.mk':
+ source => 'puppet:///modules/site_check_mk/ignore.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-flush'];
+
+ # checks we adjust (requires reload so checks are recompiled)
+ '/etc/check_mk/conf.d/adjust.mk':
+ source => 'puppet:///modules/site_check_mk/adjust.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-reload'];
+
+ # check_icmp must be suid root or called by sudo
+ # see https://leap.se/code/issues/5171
+ '/usr/lib/nagios/plugins/check_icmp':
+ mode => '4755',
+ require => Package['nagios-plugins-basic'];
+ }
+
+ # override paths to use the system check_mk rather than OMD
+ class { 'check_mk::config':
+ # default site is 'monitoring', we set to blank
+ site => '',
+ # etc_dir is an OMD dir by default, we use /etc resulting in /etc/check_mk
+ etc_dir => '/etc',
+ # nagios_subdir is nagios by default, debian uses nagios3
+ nagios_subdir => 'nagios3',
+ # bin_dir is an OMD dir by default, we use the system path for debian
+ bin_dir => '/usr/bin',
+ # all our hosts are in the same group
+ host_groups => undef,
+ # use_storedconfigs default is true, which we want
+ # make sure the check-mk-server is installed or initial config will fail
+ # FIXME: like the above, this should move into the check_mk module
+ require => Package['check-mk-server']
+ }
+
+ class { 'check_mk::server::configure_ssh': }
+}
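Review bot: The `check_mk-flush` exec interpolates `${bin_dir}` and `${site}`, but neither is defined in `site_check_mk::server`; they appear only as parameters passed to `check_mk::config` further down, so the command would expand to `/check_mk --flush` with an empty user. Either reference them qualified, `command => "/bin/su -l -c '${check_mk::config::bin_dir}/check_mk --flush' ${check_mk::config::site}",`, or set local variables and pass the same values to both. Note that `site` is set to `''`, so `su` gets no user argument and the flush runs as root; a comment should state whether that is intended. `/etc/check_mk/keys` is declared with only `ensure => directory`; it presumably holds the SSH keys the server uses to reach agents, so it should carry an explicit owner and a restrictive mode. The setuid `4755` on `check_icmp` likewise relies on the packaged owner; add `owner => root, group => root` there.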