Skip to content
This repository has been archived by the owner on Oct 1, 2024. It is now read-only.

jwillikers/icinga-config

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

157 Commits
.vscode
.vscode
 
 
etc/icinga2
etc/icinga2
 
 
.gitignore
.gitignore
 
 
CODE_OF_CONDUCT.adoc
CODE_OF_CONDUCT.adoc
 
 
LICENSE.adoc
LICENSE.adoc
 
 
README.adoc
README.adoc
 
 

Repository files navigation

Icinga Config

My configuration for the Icinga monitoring tool.

Usage

This repository contains the configuration files for Icinga. The configuration is meant to be used with the containers from the Home Lab Helm repository.

  1. Create a Projects directory in the current user’s home directory.

    mkdir --parents ~/Projects

  2. Clone this repository under ~/Projects.

    git -C ~/Projects clone [email protected]:jwillikers/icinga-config.git

  3. For each template file in the etc/icinga2/constants.d directory, copy it to the same directory without the .template extension.

    Bash
    for host_template in etc/icinga2/constants.d/*.conf.template; do cp --no-clobber -- "$host_template" etc/icinga2/constants.d/$(basename -- "$host_template" ".template"); done
    fish
    for host_template in etc/icinga2/constants.d/*.conf.template; cp --no-clobber -- "$host_template" etc/icinga2/constants.d/(basename -- "$host_template" ".template"); end
    Nushell
    for host_template in (glob "etc/icinga2/constants.d/*.conf.template") { cp --no-clobber $host_template $"($host_template | path parse | reject extension | path join)" }

  4. Fill in any missing credentials in the files in the constants.d directory, such as SNMPv3 authentication and encryption keys.

    ℹ️

    Be sure to escape characters in string constants. Escape any $ with an additional $ character. Escape other characters, such as the " character, with a backslash, \. Refer to String Literals Escape Sequences in the Language Reference for which characters need to be escaped.

    1. Generate the IcingaDbWebApiPassword constant with the following command.

      echo "const IcingaDbWebApiPassword = \"$(openssl rand -base64 30)\"" > etc/icinga2/constants.d/icingadb-web-api-user-password.conf

    2. Use the following command to create the TicketSalt variable.

      echo "const TicketSalt = \"$(openssl rand -base64 30)\"" > etc/icinga2/constants.d/ticket-salt.conf

    3. Create an icinga bucket in InfluxDB with an expiration policy.

    4. Generate an API key with Write access to the icinga bucket.

    5. Add the InfluxDB API token to etc/icinga2/constants.d/influxdb-auth-token.conf.

  5. Make sure that the sensitive files are not world readable.

    chmod 0660 etc/icinga2/constants.d/{*-credentials.conf,*-password.conf,ticket-salt.conf}

  6. Determine the UID mappings inside the rootless user’s namespace.

    podman unshare cat /proc/self/uid_map
         0        818          1
         1     655360      65536

  7. Do the math to determine the UID outside of the container that is used for user inside the container. In this case, the container defaults to UID 5665 inside the container. From the output of the previous command, we can see that UID 1 maps to UID 655360. The following expression yields the UID outside of the container.

    math 655360 + 5665 - 1
661024

  8. Make sure that sensitive files are owned by the subuid that will map to the icinga user in the container.

    sudo chown 661024 etc/icinga2/constants.d/{*-auth-token.conf,*-credentials.conf,*-password.conf,ticket-salt.conf}

  9. Then mount the provided etc/ directory inside the Icinga2 server container at /data/etc.

Features

To enable a feature, create a relative symlink in the features-enabled subdirectory that points to the feature configuration file in the features-available subdirectory. The following command demonstrates this by enabling the icingadb feature.

ln --relative --symbolic etc/icinga2/features-available/icingadb.conf etc/icinga2/features-enabled/icingadb.conf

Validate

Use the following Podman command to validate the Icinga configuration.

podman run \
  --env ICINGA_MASTER=1 \
  --hostname icinga.jwillikers.io \
  --interactive \
  --rm \
  --tty \
  --volume icinga-data:/data:Z \
  --volume ~/Projects/icinga-config/etc/icinga2:/data/etc/icinga2:ro,Z \
  docker.io/icinga/icinga2:latest \
  icinga2 daemon --validate

Tips & Tricks

List Available Network Interfaces
podman run \
  --interactive \
  --entrypoint [] \
  --rm \
  --tty \
  quay.io/jwillikers/icinga-manubulon:latest \
    /usr/lib/nagios/plugins/check_interfaces -j MD5 --user 'username' -J 'authPassphrase' -h 10.1.0.5
Convert MIB to OID
snmptranslate -On NET-SNMP-EXTEND-MIB::nsExtendOutput1Line.\"getenforce\"
.1.3.6.1.4.1.8072.1.3.2.3.1.1.10.103.101.116.101.110.102.111.114.99.101

Code of Conduct

Please refer to the project’s Code of Conduct.

License

This repository is licensed under the GPLv3. Please refer to the bundled license.

Copyright

© 2023-2024 Jordan Williams

Authors

About

My configuration for the Icinga monitoring tool

codeberg.org/jwillikers/icinga-config

Topics

config monitoring snmp icinga icinga2 icingaweb icingadb

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages