Initial

roles/server/files/nrpe/check_hddtemp

@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# USAGE:
+# ./check_hddtemp.sh <device> <warn> <crit>
+# Nagios script to get the temperatue of HDD from hddtemp
+#
+# You may have to let nagios run this script as root
+# This is how the sudoers file looks in my debian system:
+# nagios  ALL=(root) NOPASSWD:/usr/lib/nagios/plugins/check_hddtemp
+#
+# Version 1.0
+# Another note: install the hddtemp package as well
+
+
+OK=0
+WARNING=1
+CRITICAL=2
+UNKNOWN=3
+
+function usage()
+{
+	echo "Usage: ./check_hddtemp <device> <warn> <crit>"
+}
+
+function check_root()
+{
+	# make sure script is running as root
+	if [ `whoami` != root ]; then
+		echo "UNKNOWN: please make sure script is running as root"
+		exit $UNKNOWN
+	fi
+}
+function check_arg()
+{
+	# make sure you supplied all 3 arguments
+	if [ $# -ne 3 ]; then
+		usage
+		exit $OK
+	fi
+}
+function check_device()
+{
+	# make sure device is a special block
+	if [ ! -b $DEVICE ];then
+		echo "UNKNOWN: $DEVICE is not a block special file"
+		exit $UNKNOWN
+	fi
+}
+function check_warn_vs_crit()
+{
+	# make sure CRIT is larger than WARN
+	if [ $WARN -ge $CRIT ];then
+		echo "UNKNOWN: WARN value may not be greater than or equal the CRIT value"
+		exit $UNKNOWN
+	fi
+}
+
+function init()
+{
+check_root
+check_arg $*
+check_device
+check_warn_vs_crit
+}
+
+function get_hddtemp()
+{
+	# gets temperature and stores it in $HEAT
+	# and make sure we get a numeric output
+	if [ -x $HDDTEMP ];then
+		HEAT=`$HDDTEMP $DEVICE -n`
+		case "$HEAT" in
+		[0-9]* )
+			echo "do nothing" > /dev/null
+			;;
+		* )
+			echo "UNKNOWN: Could not get temperature from: $DEVICE"
+			exit $UNKNOWN
+			;;
+		esac
+	else
+		echo "UNKNOWN: cannot execute $HDDTEMP"
+		exit $UNKNOWN
+	fi
+}
+function check_heat()
+{
+	# checks temperature and replies according to $CRIT and $WARN
+	if [ $HEAT -lt $WARN ];then
+		echo "OK: Temperature is below warn treshold ($DEVICE is $HEAT)"
+		exit $OK
+	elif [ $HEAT -lt $CRIT ];then
+		echo "WARNING: Temperature is above warn treshold ($DEVICE is $HEAT)"
+		exit $WARNING
+	elif [ $HEAT -ge $CRIT ];then
+		echo "CRITICAL: Temperature is above crit treshold ($DEVICE is $HEAT)"
+		exit $CRITICAL
+	else
+		echo "UNKNOWN: This error message should never occur, if it does happen anyway, get a new cup of coffee and fix the code :)"
+		exit $UNKNOWN
+	fi
+		
+}
+
+# -- Main -- #
+
+HDDTEMP=/usr/sbin/hddtemp
+DEVICE=$1
+WARN=$2
+CRIT=$3
+
+
+init $*
+get_hddtemp
+check_heat

roles/server/files/nrpe/check_md_raid

@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Created by Sebastian Grewe, Jammicron Technology
+#
+
+# Get count of raid arrays
+RAID_DEVICES=`grep ^md -c /proc/mdstat`
+
+# Get count of degraded arrays
+RAID_STATUS=`grep "\[.*_.*\]" /proc/mdstat -c`
+
+# Is an array currently recovering, get percentage of recovery
+RAID_RECOVER=`grep recovery /proc/mdstat | awk '{print $4}'`
+RAID_RESYNC=`grep resync /proc/mdstat | awk '{print $4}'`
+
+# Check raid status
+# RAID recovers --> Warning
+if [[ $RAID_RECOVER ]]; then
+  STATUS="WARNING - Checked $RAID_DEVICES arrays, recovering : $RAID_RECOVER"
+  EXIT=1
+elif [[ $RAID_RESYNC ]]; then
+  STATUS="WARNING - Checked $RAID_DEVICES arrays, resync : $RAID_RESYNC"
+  EXIT=1
+# RAID ok
+elif [[ $RAID_STATUS == "0" ]]; then
+  STATUS="OK - Checked $RAID_DEVICES arrays."
+  EXIT=0
+# All else critical, better save than sorry
+else
+  STATUS="CRITICAL - Checked $RAID_DEVICES arrays, $RAID_STATUS have FAILED"
+  EXIT=2
+fi
+
+# Status and quit
+echo $STATUS
+exit $EXIT

roles/server/files/nrpe/check_mem

@@ -0,0 +1,116 @@
+#!/bin/sh
+# 
+# Plugin to check system memory
+# by hugme (nagios@hugme.org)
+# You can find my checks here: https://github.com/hugme/Nag_checks
+# Nagios script to check memory usage on linux server
+# version 1.2.0
+# 
+##########################################################
+
+MEMINFO="/proc/meminfo"
+
+##########################################################
+# We call them functions because they're fun
+##########################################################
+
+print_help() {
+cat << EOF
+Linux Memory Plugin for Nagios
+Copyright (c) hugme (nagios@hugme.org)
+Version: 1.2.0
+Last Modified: 10-07-2014
+License: This software can be used for free unless I meet you, then you owe me lunch.
+
+Usage: check_linux_memory -w [warning %] -c [critical %]
+
+Options:
+ -w [0-99]	= Your warning %. 20 means 20% of your memory can remain before a warning alarm. Do not use the % sign.
+ -c [0-99]	= Your critical %. 10 means 10% of your memory can remain before a critical alarm. Do not use the % sign.
+ -d [K,M,G,T]	= divider K=kilobytes, M=megabytes, G=gigabytes, T=terabytes
+ -f		= Include cached memory as free memory when calculating your percentage free
+
+EOF
+	}
+
+invalid_type() {
+	echo "\nInvalid $1\n"
+	print_help
+	exit 3
+	}
+
+##############################################
+## Suck in the user input
+##############################################
+
+
+while test -n "$1"; do
+ case $1 in
+  --help) print_help ; exit 0 ;;
+  -h) print_help ; exit 0 ;;
+  -w) WARN="$2"; shift ;;
+  -c) CRIT="$2"; shift ;;
+  -d) DIV="$2"; shift ;;
+  -f) FC=1 ;;
+ esac
+ shift
+done
+
+##############################################
+## Set the defaults if needed
+##############################################
+
+[ -z "$WARN" ] && WARN=20
+[ -z "$CRIT" ] && CRIT=10
+[ -z "$DIV" ] && DIV=M
+[ -z "$FC" ] && FC=0
+
+##############################################
+## Check user input
+##############################################
+
+[ ! -z `echo $WARN | tr -d [:digit:]` ] && invalid_type "Warning: Warning value can only contain numbers"
+[ ! -z `echo $CRIT | tr -d [:digit:]` ] && invalid_type "Critical: Critical value can only contain numbers"
+[ "${WARN%.*}" -ge 100 ] && invalid_type "Warning: Warning must be smaller than 100%"
+[ "${CRIT%.*}" -ge 100 ] && invalid_type "Critical: Critical must be smaller than 100%"
+[ "${CRIT%.*}" -gt "${WARN%.*}" ] && invalid_type "Critical: Your Warning must be Higher than your Critical"
+
+case $DIV in
+	k|K) DIVNUM=1;;
+	m|M) DIVNUM=1024;;
+	g|G) DIVNUM=1048576;;
+	t|T) DIVNUM=1073741824;;
+	*) invalid_type;; 
+esac
+
+[ ! -f "$MEMINFO" ] && {
+	echo "Your Memory info file seems to be missing"
+	exit 1
+	}
+
+##############################################
+## Do the work
+## Pull the memory file into awk
+## grab the lines we need
+## Print the information
+##############################################
+
+RESULT=$(awk -v warn=$WARN -v crit=$CRIT -v div=$DIV -v divnum=$DIVNUM -v fc=$FC '/^MemTotal:/ { total=$2 }
+/^MemTotal:/ { tot=$2 }
+/^MemFree:/ { free=$2 }
+/^Buffers:/ { buff=$2 }
+/^Cached:/ { cache=$2 }
+/^Active:/ { active=$2 }
+/^Inactive:/ { inactive=$2 }
+END { if ( fc == 1 ) { free=free+cache+buff }
+	{ freeperct=free/tot*100 }
+	if ( freeperct > warn ) { result="OK" ; xit="0"}
+	if ( freeperct <= warn ) {
+		if ( freeperct > crit ) { result="WARNING" ; xit="1" }
+		else if ( freeperct <= crit ) { result="CRITICAL" ; xit="2" }
+		}
+	{print xit" MEMORY "result" - "freeperct"% Free - Total:"tot/divnum div" Active:"active/divnum div" Inactive:"inactive/divnum div" Buffers:"buff/divnum div" Cached:"cache/divnum div" |Free="freeperct";"warn";"crit";0 Active="active";0;0;0 Inactive="inactive";0;0;0 Buffers="buff";0;0;0 Cached="cache";0;0;0" }
+	}' /proc/meminfo)
+
+echo ${RESULT#* }
+exit ${RESULT%% *}

roles/server/files/nrpe/check_nfs

@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+## FILE: check_nfs.sh
+##
+## DESCRIPTION: This is a nagios compatible script to checks NFS mounts against what
+## 							should be mounted in /etc/fstab and if there is a stale mount.
+##
+## AUTHOR: Dennis Ruzeski (denniruz@gmail.com)
+##
+## Creation Date: 1/23/2013
+##
+## Last Modified: 1/25/2013
+##
+## VERSION: 1.0
+##
+## USAGE: ./check_nfs.sh
+##        This version takes no arguments
+##
+## TODO: Improve the check for stale mounts, add command line arguments to provide the ability to
+## 			 check mount statut, stale mounts, and latency separately.
+#
+declare -a nfs_mounts=( $(grep -v ^\# /etc/fstab |grep nfs |awk '{print $2}') )
+declare -a MNT_STATUS
+declare -a SFH_STATUS
+for mount_type in ${nfs_mounts[@]} ; do
+	if [ $(stat -f -c '%T' ${mount_type}) = nfs ]; then
+		read -t3 < <(stat -t ${mount_type})
+			if [ $? -ne 0 ]; then
+			SFH_STATUS=("${SFH_STATUS[@]}" "ERROR: ${mount_type} might be stale.")
+			else
+			MNT_STATUS=("${MNT_STATUS[@]}" "OK: ${mount_type} is ok.")
+			fi
+		else
+		MNT_STATUS=("${MNT_STATUS[@]}" "ERROR: ${mount_type} is not properly mounted.")
+fi
+done
+echo ${MNT_STATUS[@]} ${SFH_STATUS[@]} |grep -q ERROR
+	if [ $? -eq 0 ]; then
+		RETVAL=2
+        echo "CRITICAL - NFS mounts may be stale or unavailable"
+	else
+		RETVAL=0
+        echo "OK - NFS mounts are not reporting any errors"
+	fi
+unset -v MNT_STATUS
+unset -v SFH_STATUS
+exit ${RETVAL}
+

roles/server/files/nrpe/logrotate

@@ -0,0 +1,7 @@
+/var/log/nrpe.log {
+  rotate 3
+  daily
+  compress
+  missingok
+  notifempty
+}

roles/server/files/unattended-upgrades/20auto-upgrades

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

roles/server/files/unattended-upgrades/50unattended-upgrades_debian

@@ -0,0 +1,102 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format format is "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "jessie")
+Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+//      "o=Debian,n=jessie";
+//      "o=Debian,n=jessie-updates";
+//      "o=Debian,n=jessie-proposed-updates";
+//      "o=Debian,n=jessie,l=Debian-Security";
+
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+        "o=Debian,a=stable";
+        "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+//	"vim";
+//	"libc6";
+//	"libc6-dev";
+//	"libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "bzoicas@learnlinux.tv";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "yes";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade 
+//Unattended-Upgrade::Automatic-Reboot "false";
+
+// Automatically reboot even if there are users currently logged in.
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+

roles/server/files/unattended-upgrades/50unattended-upgrades_ubuntu

@@ -0,0 +1,131 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	// Extended Security Maintenance; doesn't necessarily exist for
+	// every release and this system may not have it installed, but if
+	// available, the policy for updates is such that unattended-upgrades
+	// should also install from here by default.
+	"${distro_id}ESMApps:${distro_codename}-apps-security";
+	"${distro_id}ESM:${distro_codename}-infra-security";
+	"${distro_id}:${distro_codename}-updates";
+//	"${distro_id}:${distro_codename}-proposed";
+//	"${distro_id}:${distro_codename}-backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+    // The following matches all packages starting with linux-
+//  "linux-";
+
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
+
+// This option controls whether the development release of Ubuntu will be
+// upgraded automatically. Valid values are "true", "false", and "auto".
+Unattended-Upgrade::DevRelease "auto";
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "bzoicas@learnlinux.tv";
+
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "on-change";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";