Initial

roles/server/files/nrpe/check_hddtemp

@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# USAGE:
+# ./check_hddtemp.sh <device> <warn> <crit>
+# Nagios script to get the temperatue of HDD from hddtemp
+#
+# You may have to let nagios run this script as root
+# This is how the sudoers file looks in my debian system:
+# nagios  ALL=(root) NOPASSWD:/usr/lib/nagios/plugins/check_hddtemp
+#
+# Version 1.0
+# Another note: install the hddtemp package as well
+
+
+OK=0
+WARNING=1
+CRITICAL=2
+UNKNOWN=3
+
+function usage()
+{
+	echo "Usage: ./check_hddtemp <device> <warn> <crit>"
+}
+
+function check_root()
+{
+	# make sure script is running as root
+	if [ `whoami` != root ]; then
+		echo "UNKNOWN: please make sure script is running as root"
+		exit $UNKNOWN
+	fi
+}
+function check_arg()
+{
+	# make sure you supplied all 3 arguments
+	if [ $# -ne 3 ]; then
+		usage
+		exit $OK
+	fi
+}
+function check_device()
+{
+	# make sure device is a special block
+	if [ ! -b $DEVICE ];then
+		echo "UNKNOWN: $DEVICE is not a block special file"
+		exit $UNKNOWN
+	fi
+}
+function check_warn_vs_crit()
+{
+	# make sure CRIT is larger than WARN
+	if [ $WARN -ge $CRIT ];then
+		echo "UNKNOWN: WARN value may not be greater than or equal the CRIT value"
+		exit $UNKNOWN
+	fi
+}
+
+function init()
+{
+check_root
+check_arg $*
+check_device
+check_warn_vs_crit
+}
+
+function get_hddtemp()
+{
+	# gets temperature and stores it in $HEAT
+	# and make sure we get a numeric output
+	if [ -x $HDDTEMP ];then
+		HEAT=`$HDDTEMP $DEVICE -n`
+		case "$HEAT" in
+		[0-9]* )
+			echo "do nothing" > /dev/null
+			;;
+		* )
+			echo "UNKNOWN: Could not get temperature from: $DEVICE"
+			exit $UNKNOWN
+			;;
+		esac
+	else
+		echo "UNKNOWN: cannot execute $HDDTEMP"
+		exit $UNKNOWN
+	fi
+}
+function check_heat()
+{
+	# checks temperature and replies according to $CRIT and $WARN
+	if [ $HEAT -lt $WARN ];then
+		echo "OK: Temperature is below warn treshold ($DEVICE is $HEAT)"
+		exit $OK
+	elif [ $HEAT -lt $CRIT ];then
+		echo "WARNING: Temperature is above warn treshold ($DEVICE is $HEAT)"
+		exit $WARNING
+	elif [ $HEAT -ge $CRIT ];then
+		echo "CRITICAL: Temperature is above crit treshold ($DEVICE is $HEAT)"
+		exit $CRITICAL
+	else
+		echo "UNKNOWN: This error message should never occur, if it does happen anyway, get a new cup of coffee and fix the code :)"
+		exit $UNKNOWN
+	fi
+		
+}
+
+# -- Main -- #
+
+HDDTEMP=/usr/sbin/hddtemp
+DEVICE=$1
+WARN=$2
+CRIT=$3
+
+
+init $*
+get_hddtemp
+check_heat

roles/server/files/nrpe/check_md_raid

@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Created by Sebastian Grewe, Jammicron Technology
+#
+
+# Get count of raid arrays
+RAID_DEVICES=`grep ^md -c /proc/mdstat`
+
+# Get count of degraded arrays
+RAID_STATUS=`grep "\[.*_.*\]" /proc/mdstat -c`
+
+# Is an array currently recovering, get percentage of recovery
+RAID_RECOVER=`grep recovery /proc/mdstat | awk '{print $4}'`
+RAID_RESYNC=`grep resync /proc/mdstat | awk '{print $4}'`
+
+# Check raid status
+# RAID recovers --> Warning
+if [[ $RAID_RECOVER ]]; then
+  STATUS="WARNING - Checked $RAID_DEVICES arrays, recovering : $RAID_RECOVER"
+  EXIT=1
+elif [[ $RAID_RESYNC ]]; then
+  STATUS="WARNING - Checked $RAID_DEVICES arrays, resync : $RAID_RESYNC"
+  EXIT=1
+# RAID ok
+elif [[ $RAID_STATUS == "0" ]]; then
+  STATUS="OK - Checked $RAID_DEVICES arrays."
+  EXIT=0
+# All else critical, better save than sorry
+else
+  STATUS="CRITICAL - Checked $RAID_DEVICES arrays, $RAID_STATUS have FAILED"
+  EXIT=2
+fi
+
+# Status and quit
+echo $STATUS
+exit $EXIT

roles/server/files/nrpe/check_mem

@@ -0,0 +1,116 @@
+#!/bin/sh
+# 
+# Plugin to check system memory
+# by hugme (nagios@hugme.org)
+# You can find my checks here: https://github.com/hugme/Nag_checks
+# Nagios script to check memory usage on linux server
+# version 1.2.0
+# 
+##########################################################
+
+MEMINFO="/proc/meminfo"
+
+##########################################################
+# We call them functions because they're fun
+##########################################################
+
+print_help() {
+cat << EOF
+Linux Memory Plugin for Nagios
+Copyright (c) hugme (nagios@hugme.org)
+Version: 1.2.0
+Last Modified: 10-07-2014
+License: This software can be used for free unless I meet you, then you owe me lunch.
+
+Usage: check_linux_memory -w [warning %] -c [critical %]
+
+Options:
+ -w [0-99]	= Your warning %. 20 means 20% of your memory can remain before a warning alarm. Do not use the % sign.
+ -c [0-99]	= Your critical %. 10 means 10% of your memory can remain before a critical alarm. Do not use the % sign.
+ -d [K,M,G,T]	= divider K=kilobytes, M=megabytes, G=gigabytes, T=terabytes
+ -f		= Include cached memory as free memory when calculating your percentage free
+
+EOF
+	}
+
+invalid_type() {
+	echo "\nInvalid $1\n"
+	print_help
+	exit 3
+	}
+
+##############################################
+## Suck in the user input
+##############################################
+
+
+while test -n "$1"; do
+ case $1 in
+  --help) print_help ; exit 0 ;;
+  -h) print_help ; exit 0 ;;
+  -w) WARN="$2"; shift ;;
+  -c) CRIT="$2"; shift ;;
+  -d) DIV="$2"; shift ;;
+  -f) FC=1 ;;
+ esac
+ shift
+done
+
+##############################################
+## Set the defaults if needed
+##############################################
+
+[ -z "$WARN" ] && WARN=20
+[ -z "$CRIT" ] && CRIT=10
+[ -z "$DIV" ] && DIV=M
+[ -z "$FC" ] && FC=0
+
+##############################################
+## Check user input
+##############################################
+
+[ ! -z `echo $WARN | tr -d [:digit:]` ] && invalid_type "Warning: Warning value can only contain numbers"
+[ ! -z `echo $CRIT | tr -d [:digit:]` ] && invalid_type "Critical: Critical value can only contain numbers"
+[ "${WARN%.*}" -ge 100 ] && invalid_type "Warning: Warning must be smaller than 100%"
+[ "${CRIT%.*}" -ge 100 ] && invalid_type "Critical: Critical must be smaller than 100%"
+[ "${CRIT%.*}" -gt "${WARN%.*}" ] && invalid_type "Critical: Your Warning must be Higher than your Critical"
+
+case $DIV in
+	k|K) DIVNUM=1;;
+	m|M) DIVNUM=1024;;
+	g|G) DIVNUM=1048576;;
+	t|T) DIVNUM=1073741824;;
+	*) invalid_type;; 
+esac
+
+[ ! -f "$MEMINFO" ] && {
+	echo "Your Memory info file seems to be missing"
+	exit 1
+	}
+
+##############################################
+## Do the work
+## Pull the memory file into awk
+## grab the lines we need
+## Print the information
+##############################################
+
+RESULT=$(awk -v warn=$WARN -v crit=$CRIT -v div=$DIV -v divnum=$DIVNUM -v fc=$FC '/^MemTotal:/ { total=$2 }
+/^MemTotal:/ { tot=$2 }
+/^MemFree:/ { free=$2 }
+/^Buffers:/ { buff=$2 }
+/^Cached:/ { cache=$2 }
+/^Active:/ { active=$2 }
+/^Inactive:/ { inactive=$2 }
+END { if ( fc == 1 ) { free=free+cache+buff }
+	{ freeperct=free/tot*100 }
+	if ( freeperct > warn ) { result="OK" ; xit="0"}
+	if ( freeperct <= warn ) {
+		if ( freeperct > crit ) { result="WARNING" ; xit="1" }
+		else if ( freeperct <= crit ) { result="CRITICAL" ; xit="2" }
+		}
+	{print xit" MEMORY "result" - "freeperct"% Free - Total:"tot/divnum div" Active:"active/divnum div" Inactive:"inactive/divnum div" Buffers:"buff/divnum div" Cached:"cache/divnum div" |Free="freeperct";"warn";"crit";0 Active="active";0;0;0 Inactive="inactive";0;0;0 Buffers="buff";0;0;0 Cached="cache";0;0;0" }
+	}' /proc/meminfo)
+
+echo ${RESULT#* }
+exit ${RESULT%% *}

roles/server/files/nrpe/check_nfs

@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+## FILE: check_nfs.sh
+##
+## DESCRIPTION: This is a nagios compatible script to checks NFS mounts against what
+## 							should be mounted in /etc/fstab and if there is a stale mount.
+##
+## AUTHOR: Dennis Ruzeski (denniruz@gmail.com)
+##
+## Creation Date: 1/23/2013
+##
+## Last Modified: 1/25/2013
+##
+## VERSION: 1.0
+##
+## USAGE: ./check_nfs.sh
+##        This version takes no arguments
+##
+## TODO: Improve the check for stale mounts, add command line arguments to provide the ability to
+## 			 check mount statut, stale mounts, and latency separately.
+#
+declare -a nfs_mounts=( $(grep -v ^\# /etc/fstab |grep nfs |awk '{print $2}') )
+declare -a MNT_STATUS
+declare -a SFH_STATUS
+for mount_type in ${nfs_mounts[@]} ; do
+	if [ $(stat -f -c '%T' ${mount_type}) = nfs ]; then
+		read -t3 < <(stat -t ${mount_type})
+			if [ $? -ne 0 ]; then
+			SFH_STATUS=("${SFH_STATUS[@]}" "ERROR: ${mount_type} might be stale.")
+			else
+			MNT_STATUS=("${MNT_STATUS[@]}" "OK: ${mount_type} is ok.")
+			fi
+		else
+		MNT_STATUS=("${MNT_STATUS[@]}" "ERROR: ${mount_type} is not properly mounted.")
+fi
+done
+echo ${MNT_STATUS[@]} ${SFH_STATUS[@]} |grep -q ERROR
+	if [ $? -eq 0 ]; then
+		RETVAL=2
+        echo "CRITICAL - NFS mounts may be stale or unavailable"
+	else
+		RETVAL=0
+        echo "OK - NFS mounts are not reporting any errors"
+	fi
+unset -v MNT_STATUS
+unset -v SFH_STATUS
+exit ${RETVAL}
+

roles/server/files/nrpe/logrotate

@@ -0,0 +1,7 @@
+/var/log/nrpe.log {
+  rotate 3
+  daily
+  compress
+  missingok
+  notifempty
+}

roles/server/files/unattended-upgrades/20auto-upgrades

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

roles/server/files/unattended-upgrades/50unattended-upgrades_debian

@@ -0,0 +1,102 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format format is "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "jessie")
+Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+//      "o=Debian,n=jessie";
+//      "o=Debian,n=jessie-updates";
+//      "o=Debian,n=jessie-proposed-updates";
+//      "o=Debian,n=jessie,l=Debian-Security";
+
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+        "o=Debian,a=stable";
+        "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+//	"vim";
+//	"libc6";
+//	"libc6-dev";
+//	"libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "bzoicas@learnlinux.tv";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "yes";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade 
+//Unattended-Upgrade::Automatic-Reboot "false";
+
+// Automatically reboot even if there are users currently logged in.
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+

roles/server/files/unattended-upgrades/50unattended-upgrades_ubuntu

@@ -0,0 +1,131 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	// Extended Security Maintenance; doesn't necessarily exist for
+	// every release and this system may not have it installed, but if
+	// available, the policy for updates is such that unattended-upgrades
+	// should also install from here by default.
+	"${distro_id}ESMApps:${distro_codename}-apps-security";
+	"${distro_id}ESM:${distro_codename}-infra-security";
+	"${distro_id}:${distro_codename}-updates";
+//	"${distro_id}:${distro_codename}-proposed";
+//	"${distro_id}:${distro_codename}-backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+    // The following matches all packages starting with linux-
+//  "linux-";
+
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
+
+// This option controls whether the development release of Ubuntu will be
+// upgraded automatically. Valid values are "true", "false", and "auto".
+Unattended-Upgrade::DevRelease "auto";
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "bzoicas@learnlinux.tv";
+
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "on-change";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";

roles/server/handlers/main.yml

@@ -0,0 +1,18 @@
+---
+- name: restart_nrpe
+  tags: nagios,nrpe
+  service:
+    name: "{{ nrpe_service }}"
+    state: restarted
+
+- name: restart_qemu_agent
+  tags: qemu,qemu-agent
+  service:
+    name: "{{ qemu_agent_service }}"
+    state: restarted
+
+- name: restart_ufw
+  tags: ufw
+  service:
+    name: ufw
+    state: restarted

roles/server/tasks/main.yml

@@ -0,0 +1,17 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution }}.yml"
+  tags: always
+
+- block:
+  - import_tasks: nrpe.yml
+  - import_tasks: ufw.yml
+  - import_tasks: qemu-agent.yml
+
+  - include_tasks: unattended_upgrades.yml
+    when:
+      - ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
+      - unattended_upgrades is defined
+      - unattended_upgrades == true
+
+  rescue:
+    - set_fact: task_failed=true

roles/server/tasks/nrpe.yml

@@ -0,0 +1,69 @@
+- name: nrpe | install nrpe package and plugins
+  tags: nagios,nrpe
+  package:
+    state: latest
+    name:
+      - "{{ monitoring_plugins_package }}"
+      - "{{ nrpe_package }}"
+  notify:
+    - restart_nrpe
+
+- name: nrpe | generate nrpe.cfg file from template
+  tags: openssh,ssh,system,settings
+  template:
+    src: nrpe.cfg.j2
+    dest: "{{ nrpe_config_file_dest }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart_nrpe
+
+- name: nrpe | enable and start nrpe service
+  tags: nagios,nrpe
+  service:
+    name: "{{ nrpe_service }}"
+    enabled: yes
+    state: started
+
+- name: nrpe | copy additional plugins
+  tags: nagios,nrpe
+  copy:
+    src: nrpe/{{ item }}
+    dest: "{{ monitoring_plugins_path }}/{{ item }}"
+    owner: root
+    group: root
+    mode: 0755
+  with_items:
+    - check_hddtemp
+    - check_md_raid
+    - check_mem
+    - check_nfs
+
+- name: nrpe | create log file
+  tags: ansible,ansible-setup
+  file:
+    path: /var/log/nrpe.log
+    owner: "{{ nrpe_user }}"
+    group: "{{ nrpe_group }}"
+    mode: 0664
+    state: touch
+  changed_when: False
+
+- name: nrpe | add logrotate config for nrpe log file
+  tags: nrpe,server
+  copy:
+    src: nrpe/logrotate
+    dest: /etc/logrotate.d/nrpe
+    owner: root
+    group: root
+    mode: 0644
+
+- name: nrpe | clean up unneeded files (debian, etc)
+  tags: nrpe,server
+  file:
+    path: /etc/nagios/{{ item }}
+    state: absent
+  with_items:
+    - nrpe_local.cfg
+    - nrpe.d
+  when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]

roles/server/tasks/qemu-agent.yml

@@ -0,0 +1,17 @@
+- name: qemu-agent | install package
+  tags: packages,qemu,qemu-agent
+  package:
+    state: latest
+    name:
+      - qemu-guest-agent
+  when: proxmox_instance is defined and proxmox_instance == true
+  notify:
+    - restart_qemu_agent
+
+- name: qemu-agent | enable qemu agent daemon
+  tags: nagios,nrpe
+  service:
+    name: "{{ qemu_agent_service }}"
+    enabled: yes
+    state: started
+  when: proxmox_instance is defined and proxmox_instance == true

roles/server/tasks/ufw.yml

@@ -0,0 +1,329 @@
+- name: ufw | install package
+  tags: ufw
+  package:
+    state: latest
+    name: ufw
+  notify:
+    - restart_ufw
+
+# dns
+- name: ufw | dns | allow dns (tcp)
+  tags: ufw
+  ufw:
+    comment: dns
+    rule: allow
+    port: '53'
+    proto: tcp
+  when:
+    - dns_server is defined
+    - dns_server == true
+
+- name: ufw | dns | allow dns (udp)
+  tags: ufw
+  ufw:
+    comment: dns
+    rule: allow
+    port: '53'
+    proto: udp
+  when:
+    - dns_server is defined
+    - dns_server == true
+
+# k8s
+- name: ufw | k8s | allow api server (master)
+  tags: ufw
+  ufw:
+    comment: k8s master api server
+    rule: allow
+    port: '6443'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_master is defined
+    - k8s_master == true
+
+- name: ufw | k8s | allow etcd server client api (master)
+  tags: ufw
+  ufw:
+    comment: k8s master etcd server client api
+    rule: allow
+    port: 2379:2380
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_master is defined
+    - k8s_master == true
+
+- name: ufw | k8s | allow kubelet api server (master)
+  tags: ufw
+  ufw:
+    comment: k8s master kubelet api server
+    rule: allow
+    port: '10250'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_master is defined
+    - k8s_master == true
+
+- name: ufw | k8s | allow scheduler (master)
+  tags: ufw
+  ufw:
+    comment: k8s master scheduler
+    rule: allow
+    port: '10251'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_master is defined
+    - k8s_master == true
+
+- name: ufw | k8s | allow controller manager (master)
+  tags: ufw
+  ufw:
+    comment: k8s master controller manager
+    rule: allow
+    port: '10252'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_master is defined
+    - k8s_master == true
+
+- name: ufw | k8s | allow read-only kubelet API (master)
+  tags: ufw
+  ufw:
+    comment: k8s master read-only kubelet api
+    rule: allow
+    port: '10255'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_master is defined
+    - k8s_master == true
+
+- name: ufw | k8s | allow nodeport services (master)
+  tags: ufw
+  ufw:
+    comment: k8s master read-only kubelet api
+    rule: allow
+    port: 30000:32767
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_worker is defined
+    - k8s_worker == true
+
+- name: ufw | k8s | allow kubelet API (worker)
+  tags: ufw
+  ufw:
+    comment: k8s worker read-only kubelet api
+    rule: allow
+    port: '10250'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_worker is defined
+    - k8s_worker == true
+
+- name: ufw | k8s | allow kubernetes read-only kubelet API (worker)
+  tags: ufw
+  ufw:
+    comment: k8s worker read-only kubelet api
+    rule: allow
+    port: '10255'
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_worker is defined
+    - k8s_worker == true
+
+- name: ufw | k8s | allow kubernetes nodeport services (worker)
+  tags: ufw
+  ufw:
+    comment: k8s worker read-only kubelet api
+    rule: allow
+    port: 30000:32767
+    proto: tcp
+    src: 172.16.249.0/24
+  when:
+    - k8s_worker is defined
+    - k8s_worker == true
+
+
+# minecraft
+- name: ufw | minecraft | allow server
+  tags: ufw
+  ufw:
+    comment: minecraft
+    rule: allow
+    port: '25565'
+    proto: tcp
+  when:
+    - minecraft_server is defined
+    - minecraft_server == true
+
+
+# nrpe
+- name: ufw | nrpe | allow nrpe from utility server (internal)
+  tags: ufw
+  ufw:
+    comment: nrpe
+    rule: allow
+    port: '5666'
+    src: 172.16.249.9/32
+  when:
+    - proxmox_instance is defined and proxmox_instance == true or
+      raspberry_pi is defined and raspberry_pi == true
+
+- name: ufw | nrpe | allow nrpe (external)
+  tags: ufw
+  ufw:
+    comment: nrpe
+    rule: allow
+    port: '5666'
+    src: 172.14.56.123/32
+  when:
+    - linode_instance is defined
+    - linode_instance == true
+
+# openssh
+- name: ufw | openssh | allow ssh (external)
+  tags: ufw
+  ufw:
+    comment: ssh from home network
+    rule: allow
+    port: ssh
+    src: 172.14.59.123/32
+  when:
+    - linode_instance is defined
+    - linode_instance == true
+
+- name: ufw | openssh | allow ssh (internal)
+  tags: ufw
+  ufw:
+    comment: ssh
+    rule: allow
+    port: ssh
+    src: '{{ item }}'
+  loop:
+    - 10.10.10.10/24
+    - 172.16.248.0/24
+    - 172.16.249.0/24
+    - 172.16.250.0/24
+    - 172.16.251.0/24
+  when:
+    - linode_instance is defined
+    - linode_instance == false
+
+# plex
+- name: ufw | plex | allow plex
+  tags: ufw
+  ufw:
+    comment: plex
+    rule: allow
+    port: '32400'
+    proto: tcp
+  when:
+    - plex_server is defined
+    - plex_server == true
+
+# unifi
+- name: ufw | unifi | allow device discovery
+  tags: ufw
+  ufw:
+    comment: unifi controller device discovery
+    rule: allow
+    port: '10001'
+    proto: udp
+    src: 172.16.248.0/24
+  when:
+    - unifi_controller is defined
+    - unifi_controller == true
+
+- name: ufw | unifi | allow http
+  tags: ufw
+  ufw:
+    comment: unifi controller http
+    rule: allow
+    port: '8080'
+    proto: tcp
+    src: 172.16.248.0/24
+  when:
+    - unifi_controller is defined
+    - unifi_controller == true
+
+- name: ufw | unifi | allow https
+  tags: ufw
+  ufw:
+    comment: unifi controller https
+    rule: allow
+    port: '8443'
+    proto: tcp
+    src: 172.16.248.0/24
+  when:
+    - unifi_controller is defined
+    - unifi_controller == true
+
+- name: ufw | unifi | allow speed test
+  tags: ufw
+  ufw:
+    comment: unifi controller speed test
+    rule: allow
+    port: '6789'
+    proto: tcp
+    src: 172.16.248.0/24
+  when:
+    - unifi_controller is defined
+    - unifi_controller == true
+
+- name: ufw | unifi | allow stun
+  tags: ufw
+  ufw:
+    comment: unifi controller stun
+    rule: allow
+    port: '3478'
+    proto: udp
+    src: 172.16.248.0/24
+  when:
+    - unifi_controller is defined
+    - unifi_controller == true
+
+# web server
+- name: ufw | web server | allow http (80)
+  tags: ufw
+  ufw:
+    comment: http
+    rule: allow
+    port: '80'
+    proto: tcp
+  when:
+    - web_server is defined
+    - web_server == true
+
+- name: ufw | web server | allow http (8080)
+  tags: ufw
+  ufw:
+    comment: http_8080
+    rule: allow
+    port: '8080'
+    proto: tcp
+  when:
+    - web_server_8080 is defined
+    - web_server_8080 == true
+
+- name: ufw | web server | allow https
+  tags: ufw
+  ufw:
+    comment: https
+    rule: allow
+    port: '443'
+    proto: tcp
+  when:
+    - web_server is defined
+    - web_server == true
+
+# all rules set, enable
+- name: ufw | enable firewall
+  ufw:
+    state: enabled

roles/server/tasks/unattended_upgrades.yml

@@ -0,0 +1,37 @@
+- name: unattended upgrades | install unattended-upgrades for debian-based hosts
+  tags: packages,unattended,updates,upgrades
+  package:
+    state: latest
+    name:
+      - unattended-upgrades
+  when: ansible_distribution in ['Debian', 'Ubuntu']
+
+- name: unattended upgrades | copy 20auto-upgrades file for debian-based hosts
+  tags: packages,unattended,updates,upgrades
+  copy:
+    src: unattended-upgrades/20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_distribution in ['Debian', 'Ubuntu']
+
+- name: unattended upgrades | copy 50unattended-upgrades file (debian)
+  tags: debian,packages,unattended,updates,upgrades
+  copy:
+    src: unattended-upgrades/50unattended-upgrades_debian
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_distribution == "Debian"
+
+- name: unattended upgrades | copy 50unattended-upgrades file (ubuntu)
+  tags: packages,unattended,updates,ubuntu,upgrades
+  copy:
+    src: unattended-upgrades/50unattended-upgrades_ubuntu
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_distribution == "Ubuntu"

roles/server/templates/nrpe.cfg.j2

@@ -0,0 +1,40 @@
+# Settings
+allowed_hosts={{ nrpe_allowed_hosts }}
+command_timeout=60
+connection_timeout=300
+debug=0
+dont_blame_nrpe=0
+listen_queue_size=5
+log_facility=daemon
+log_file={{ nrpe_log_file }}
+max_commands=0
+nrpe_group={{ nrpe_group }}
+nrpe_user={{ nrpe_user }}
+pid_file={{ nrpe_pid_file }}
+server_port=5666
+
+# Command Definitions
+command[check_disk_home]={{ monitoring_plugins_path }}/check_disk -w 10% -c 5% -p /home
+command[check_disk_root]={{ monitoring_plugins_path }}/check_disk -w 10% -c 5% -p /
+command[check_load]={{ monitoring_plugins_path }}/check_load -w 4 -c 10
+command[check_load_minecraft]={{ monitoring_plugins_path }}/check_load -w 6 -c 10
+command[check_load_plex]={{ monitoring_plugins_path }}/check_load -w 6 -c 10
+command[check_load_vm-host]={{ monitoring_plugins_path }}/check_load -w 10 -c 20
+command[check_md_raid]={{ monitoring_plugins_path }}/check_md_raid
+command[check_mem]={{ monitoring_plugins_path }}/check_mem -w 10 -c 5 -d G -f
+command[check_nfs]={{ monitoring_plugins_path }}/check_nfs
+command[check_sensors]={{ monitoring_plugins_path }}/check_sensors
+command[check_ssh_pfsense]={{ monitoring_plugins_path }}/check_ssh -p 65001 localhost
+command[check_ssl_alansreptiles.com]={{ monitoring_plugins_path }}/check_http -H alansreptiles.com --ssl --sni -C 20,10
+command[check_ssl_community.learnlinux.tv]={{ monitoring_plugins_path }}/check_http -H community.learnlinux.tv --ssl --sni -C 20,10
+command[check_ssl_bzoicaslacroix.com]={{ monitoring_plugins_path }}/check_http -H bzoicaslacroix.com --ssl --sni -C 20,10
+command[check_ssl_learnlinux.link]={{ monitoring_plugins_path }}/check_http -H learnlinux.link --ssl --sni -C 20,10
+command[check_ssl_learnlinux.tv]={{ monitoring_plugins_path }}/check_http -H learnlinux.tv --ssl --sni -C 20,10
+command[check_ssl_meet.learnlinux.tv]={{ monitoring_plugins_path }}/check_http -H meet.learnlinux.tv --ssl --sni -C 20,10
+command[check_ssl_rss.home-network.io]={{ monitoring_plugins_path }}/check_http -H rss.home-network.io --ssl --sni -C 20,10
+command[check_ssl_wiki.learnlinux.tv]={{ monitoring_plugins_path }}/check_http -H wiki.learnlinux.tv --ssl --sni -C 20,10
+command[check_swap]={{ monitoring_plugins_path }}/check_swap -w 50% -c 10%
+command[check_total_procs]={{ monitoring_plugins_path }}/check_procs -w 150 -c 200
+command[check_users]={{ monitoring_plugins_path }}/check_users -w 2 -c 3
+command[check_users_pfsense]={{ monitoring_plugins_path }}/check_users -w 3 -c 4
+command[check_zombie_procs]={{ monitoring_plugins_path }}/check_procs -w 5 -c 10 -s Z

roles/server/vars/Archlinux.yml

@@ -0,0 +1,12 @@
+nrpe_config_file_dest: /etc/nrpe/nrpe.cfg
+nrpe_config_file_src: nrpe.cfg_arch
+monitoring_plugins_path: /usr/lib/monitoring-plugins
+monitoring_plugins_package: monitoring-plugins
+nrpe_allowed_hosts: 127.0.0.1,172.16.59.104,172.16.249.9
+nrpe_group: nrpe
+nrpe_log_file: /var/log/nrpe.log
+nrpe_package: nrpe
+nrpe_pid_file: /run/nrpe/nrpe.pid
+nrpe_service: nrpe
+nrpe_user: nrpe
+qemu_agent_service: qemu-guest-agent

roles/server/vars/Debian.yml

@@ -0,0 +1,12 @@
+nrpe_config_file_dest: /etc/nagios/nrpe.cfg
+nrpe_config_file_src: nrpe.cfg_debian_ubuntu
+monitoring_plugins_path: /usr/lib/nagios/plugins
+monitoring_plugins_package: monitoring-plugins-basic
+nrpe_allowed_hosts: 127.0.0.1,172.16.59.104,172.16.249.9
+nrpe_group: nagios
+nrpe_log_file: /var/log/nrpe.log
+nrpe_package: nagios-nrpe-server
+nrpe_pid_file: /var/run/nagios/nrpe.pid
+nrpe_service: nagios-nrpe-server
+nrpe_user: nagios
+qemu_agent_service: qemu-guest-agent

roles/server/vars/Manjaro.yml

@@ -0,0 +1,12 @@
+nrpe_config_file_dest: /etc/nrpe/nrpe.cfg
+nrpe_config_file_src: nrpe.cfg_arch
+monitoring_plugins_path: /usr/lib/monitoring-plugins
+monitoring_plugins_package: monitoring-plugins
+nrpe_allowed_hosts: 127.0.0.1,172.16.59.104,172.16.249.9
+nrpe_group: nrpe
+nrpe_log_file: /var/log/nrpe.log
+nrpe_package: nrpe
+nrpe_pid_file: /run/nrpe/nrpe.pid
+nrpe_service: nagios-nrpe-server
+nrpe_user: nrpe
+qemu_agent_service: qemu-ga

roles/server/vars/Pop!_OS.yml

@@ -0,0 +1 @@
+Ubuntu.yml

roles/server/vars/Ubuntu.yml

@@ -0,0 +1,12 @@
+nrpe_config_file_dest: /etc/nagios/nrpe.cfg
+nrpe_config_file_src: nrpe.cfg_debian_ubuntu
+monitoring_plugins_path: /usr/lib/nagios/plugins
+monitoring_plugins_package: monitoring-plugins-basic
+nrpe_allowed_hosts: 127.0.0.1,172.16.59.104,172.16.249.9
+nrpe_group: nagios
+nrpe_log_file: /var/log/nrpe.log
+nrpe_package: nagios-nrpe-server
+nrpe_pid_file: /var/run/nagios/nrpe.pid
+nrpe_service: nagios-nrpe-server
+nrpe_user: nagios
+qemu_agent_service: qemu-guest-agent

roles/server/vars/elementary OS.yml

@@ -0,0 +1 @@
+Ubuntu.yml