From c536de80536e71af6e69eb1a57575ca1a41101c6 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Wed, 24 Apr 2024 00:52:50 -0400 Subject: [PATCH] minor fixes/improves for new host --- brc2 | 2 +- disabled/nagios | 124 ++++++++++++++++++++++++++++++++++++++++++++++++ distro-begin | 2 +- distro-end | 122 +++++------------------------------------------ mail-setup | 19 +++++--- 5 files changed, 151 insertions(+), 118 deletions(-) create mode 100644 disabled/nagios diff --git a/brc2 b/brc2 index 2795e2e..e936bad 100644 --- a/brc2 +++ b/brc2 @@ -2777,7 +2777,7 @@ EOF for f in "${files[@]}"; do host=${f%%/*} if [[ ! ${vpn_ips[$host]} ]]; then - e /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service + e rm /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service fi done diff --git a/disabled/nagios b/disabled/nagios new file mode 100644 index 0000000..f9f38eb --- /dev/null +++ b/disabled/nagios @@ -0,0 +1,124 @@ +#!/bin/bash +# I, Ian Kelling, follow the GNU license recommendations at +# https://www.gnu.org/licenses/license-recommendations.en.html. They +# recommend that small programs, < 300 lines, be licensed under the +# Apache License 2.0. This file contains or is part of one or more small +# programs. If a small program grows beyond 300 lines, I plan to switch +# its license to GPL. + +# Copyright 2024 Ian Kelling + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# this was part of distro-end + +### begin nagios ### + +pi nagios-nrpe-server + +case $HOSTNAME in + kd) + # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345 + pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports + s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf + + # to add a password for admin: + # htdigest /etc/nagios4/htdigest.users Nagios4 iank + # now using the same pass as prometheus + + # nagstamon auth settings, set to digest instead of basic. + + web-conf -p 3005 - apache2 i.b8.nz <<'EOF' +# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf + +ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 +ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 + +# Where the stylesheets (config files) reside +Alias /nagios4/stylesheets /etc/nagios4/stylesheets + +# Where the HTML pages live +Alias /nagios4 /usr/share/nagios4/htdocs + + + Options FollowSymLinks + DirectoryIndex index.php index.html + AllowOverride AuthConfig + # + # The default Debian nagios4 install sets use_authentication=0 in + # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. + # This is insecure. As a compromise this default apache2 configuration + # only allows private IP addresses access. + # + # The ... below shows how you can secure the nagios4 + # web site so anybody can view it, but only authenticated users can issue + # commands (such as silence notifications). To do that replace the + # "Require all granted" with "Require valid-user", and use htdigest + # program from the apache2-utils package to add users to + # /etc/nagios4/htdigest.users. + # + # A step up is to insist all users validate themselves by moving + # the stanza's in the .. into the . + # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you + # can configure which people get to see a particular service from + # within the nagios configuration. + # + AuthDigestDomain "Nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4-htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Nagios4" + AuthType Digest + Require valid-user + + + + Options +ExecCGI + +EOF + ;; +esac + +# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example: +# notifications_enabled=1 +# note, the same variable exists in the correspdonding "define service {" + +# in the default config, we have these definitions + +# 11 define command { +# 2 define contact { +# 1 define contactgroup { +# 9 define host { +# 4 define hostgroup { +# 23 define service { +# 5 define timeperiod { + + +# on klaxon + +# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c +# 76 define command +# 11 define contact +# 6 define contactgroup +# 162 define host +# 1 define hostextinfo +# 16 define hostgroup +# 3040 define service +# 2 define servicedependency +# 6 define timeperiod + + + + +### end nagios ### diff --git a/distro-begin b/distro-begin index 8da3f16..5752961 100755 --- a/distro-begin +++ b/distro-begin @@ -382,7 +382,7 @@ if [[ -e $f ]]; then fi fi done - if $apparmor_reload && systemctl is-enabled apparmor; then + if $apparmor_reload && systemctl is-active apparmor; then m ser reload apparmor fi fi diff --git a/distro-end b/distro-end index e9b797a..19cdaba 100755 --- a/distro-end +++ b/distro-end @@ -1906,10 +1906,11 @@ case $HOSTNAME in # listen on the wireguard interface *) - wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf) - # old filename. remove once all hosts are updated. - s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf - web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF' + if [[ -e /etc/wireguard/wghole.conf ]]; then + wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf) + # old filename. remove once all hosts are updated. + s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf + web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF' AuthType Basic AuthName "basic_auth" @@ -1919,14 +1920,14 @@ AuthUserFile "/etc/prometheus-export-htpasswd" Require valid-user EOF - # For work, i think we will just use the firewall for hosts in the main data center, and - # vpn for hosts outside it. + # For work, i think we will just use the firewall for hosts in the main data center, and + # vpn for hosts outside it. - # TODO: figure out how to detect the ping failure and try again. + # TODO: figure out how to detect the ping failure and try again. - # Binding to the wg interface, it might go down, so always restart, and wait for it on boot. - s mkdir /etc/systemd/system/apache2.service.d - sd /etc/systemd/system/apache2.service.d/restart.conf < - Options FollowSymLinks - DirectoryIndex index.php index.html - AllowOverride AuthConfig - # - # The default Debian nagios4 install sets use_authentication=0 in - # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. - # This is insecure. As a compromise this default apache2 configuration - # only allows private IP addresses access. - # - # The ... below shows how you can secure the nagios4 - # web site so anybody can view it, but only authenticated users can issue - # commands (such as silence notifications). To do that replace the - # "Require all granted" with "Require valid-user", and use htdigest - # program from the apache2-utils package to add users to - # /etc/nagios4/htdigest.users. - # - # A step up is to insist all users validate themselves by moving - # the stanza's in the .. into the . - # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you - # can configure which people get to see a particular service from - # within the nagios configuration. - # - AuthDigestDomain "Nagios4" - AuthDigestProvider file - AuthUserFile "/etc/nagios4-htdigest.users" - AuthGroupFile "/etc/group" - AuthName "Nagios4" - AuthType Digest - Require valid-user - - - - Options +ExecCGI - -EOF - ;; -esac - -# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example: -# notifications_enabled=1 -# note, the same variable exists in the correspdonding "define service {" - -# in the default config, we have these definitions - -# 11 define command { -# 2 define contact { -# 1 define contactgroup { -# 9 define host { -# 4 define hostgroup { -# 23 define service { -# 5 define timeperiod { - - -# on klaxon - -# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c -# 76 define command -# 11 define contact -# 6 define contactgroup -# 162 define host -# 1 define hostextinfo -# 16 define hostgroup -# 3040 define service -# 2 define servicedependency -# 6 define timeperiod - - - - -### end nagios ### - ### begin bitcoin ### case $HOSTNAME in diff --git a/mail-setup b/mail-setup index 3ac3476..050a716 100755 --- a/mail-setup +++ b/mail-setup @@ -454,7 +454,7 @@ fi bhost_t=false case $HOSTNAME in $MAIL_HOST) : ;; - kd|frodo|x2|x3|kw|sy|bo) + kd|x2|x3|kw|sy|bo|so) bhost_t=true ;; esac @@ -1143,6 +1143,10 @@ banaction = iptables-exim ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1 EOF if $ur; then + # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. + if [[ ! -e /var/log/exim4/mainlog ]]; then + install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog + fi m systemctl restart fail2ban fi @@ -2533,8 +2537,8 @@ EOF m mkdir -p $rctmpdir /m/rc m chown -R www-data.www-data $rctmpdir /m/rc m chmod 750 $rctmpdir - # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. # todo: check for other mailinabox things + # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. m sudo -u www-data touch $rclogdir/errors.log #### begin carddav install @@ -3564,11 +3568,13 @@ backup_local: EOF # Bind to wghole to receive mailbackup. - wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf) - cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <