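{ config, pkgs, lib, name, nodes, ... }:
# NixOS module for the per-host Naemon monitoring instance.
# `name` is the deployment name of the host being built; `nodes` holds the
# other deployment nodes and is read when this host is the master.
let
  cfg = config.myServices.monitoring;

  # Naemon plugins shipped from ./plugins. Each script is wrapped with the
  # exact PATH it needs so the checks do not depend on the ambient environment.
  # check_command alone gets config.security.wrapperDir on its PATH, so that it
  # can reach the setuid sudo wrapper used by the security.sudo.extraRules below.
  myplugins = pkgs.runCommand "buildplugins" {
    buildInputs = [ pkgs.makeWrapper pkgs.perl ];
  } ''
    mkdir $out
    cp ${./plugins}/* $out/
    patchShebangs $out
    wrapProgram $out/check_command --prefix PATH : ${config.security.wrapperDir}
    wrapProgram $out/send_nrdp.sh --prefix PATH : ${lib.makeBinPath [
      pkgs.curl pkgs.jq
    ]}
    wrapProgram $out/check_maison_bbc --prefix PATH : ${lib.makeBinPath [
      pkgs.curl pkgs.jq
    ]}
    wrapProgram $out/check_mem.sh --prefix PATH : ${lib.makeBinPath [
      pkgs.gnugrep pkgs.gawk pkgs.procps-ng
    ]}
    wrapProgram $out/check_postgres_replication --prefix PATH : ${lib.makeBinPath [
      pkgs.postgresql
    ]}
    wrapProgram $out/check_redis_replication --prefix PATH : ${lib.makeBinPath [
      pkgs.gnugrep pkgs.coreutils pkgs.redis
    ]}
    wrapProgram $out/check_mysql_replication --prefix PATH : ${lib.makeBinPath [
      pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.mariadb
    ]}
    wrapProgram $out/check_openldap_replication --prefix PATH : ${lib.makeBinPath [
      pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.openldap
    ]}
    wrapProgram $out/check_ftp_database --prefix PATH : ${lib.makeBinPath [
      pkgs.lftp
    ]}
    wrapProgram $out/check_git --prefix PATH : ${lib.makeBinPath [
      pkgs.git pkgs.openssh
    ]}
    wrapProgram $out/check_imap_connection --prefix PATH : ${lib.makeBinPath [
      pkgs.openssl
    ]}
    wrapProgram $out/notify_maison_bbc_by_email --prefix PATH : ${lib.makeBinPath [
      pkgs.mailutils pkgs.gawk
    ]}
    wrapProgram $out/notify_by_email --prefix PATH : ${lib.makeBinPath [
      pkgs.mailutils
    ]}
    wrapProgram $out/notify_by_slack --prefix PATH : ${lib.makeBinPath [
      pkgs.curl pkgs.jq
    ]}
  '';

  # Renders an { host, service } object set into Naemon object definitions.
  toObjects = pkgs.callPackage ./to_objects.nix {};

  # Per-host process-count and load thresholds; the entry matching `name` is
  # merged into the arguments of objects_common.nix below. A host without an
  # entry here fails evaluation in builtins.getAttr.
  commonConfig = {
    eldiron = {
      processWarn = "250"; processAlert = "400";
      loadWarn = "8.0"; loadAlert = "10.0";
    };
    backup-2 = {
      processWarn = "50"; processAlert = "60";
      loadWarn = "1.0"; loadAlert = "2.0";
    };
    monitoring-1 = {
      processWarn = "50"; processAlert = "60";
      loadWarn = "1.0"; loadAlert = "2.0";
    };
  };

  # Objects the master does not check itself but receives results for
  # (the non-master instances push them via ocsp_command, see extraConfig).
  # Two sources: standalone objects_<n>.nix files for hosts outside this
  # deployment, and the hosts/services exported by the backup-2 and eldiron
  # nodes, with each service rewritten through its own passiveInfo.
  masterPassiveObjects = let
    otherPassiveObjects = map
      (n: (pkgs.callPackage (./. + "/objects_" + n + ".nix") {}))
      [ "caldance-1" "ulminfo-fr" "immae-eu" "phare" "tiboqorl-fr" ];
    otherPassiveServices = lib.flatten (map (h: h.service or []) otherPassiveObjects);
    otherPassiveHosts = (map (h: h.host)) otherPassiveObjects;
    passiveNodes = lib.attrsets.filterAttrs (n: _: builtins.elem n ["backup-2" "eldiron"]) nodes;
    toPassiveServices = map (s: s.passiveInfo.filter s // s.passiveInfo);
    passiveServices = lib.flatten (lib.attrsets.mapAttrsToList
      (_: n: toPassiveServices n.config.myServices.monitoring.services)
      passiveNodes
    );
  in {
    service = passiveServices ++ otherPassiveServices;
    # Later attribute sets win on key collision (foldr with a // b).
    host = lib.lists.foldr
      (a: b: a//b)
      {}
      (otherPassiveHosts ++ lib.attrsets.mapAttrsToList (_: h: h.config.myServices.monitoring.hosts) passiveNodes);
  };

  # Objects only the master instance defines (notification targets etc.).
  masterObjects = pkgs.callPackage ./objects_master.nix { inherit config; };

  # Objects every instance defines; sudo points at the setuid wrapper so the
  # checks use the rules declared in security.sudo.extraRules.
  commonObjects = pkgs.callPackage ./objects_common.nix ({
    master = cfg.master;
    hostFQDN = config.hostEnv.fqdn;
    hostName = name;
    sudo = "/run/wrappers/bin/sudo";
  } // builtins.getAttr name commonConfig);

  # Optional host-specific objects from ./objects_<name>.nix; empty set when
  # no such file exists.
  hostObjects =
    let
      specific_file = ./. + "/objects_" + name + ".nix";
    in
      lib.attrsets.optionalAttrs
        (builtins.pathExists specific_file)
        (pkgs.callPackage specific_file {
          inherit config;
          hostFQDN = config.hostEnv.fqdn;
          hostName = name;
        });
in
{
  options = {
    myServices.monitoring = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to enable monitoring.
        '';
      };
      master = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          This instance is the master instance
        '';
      };
      # Read-only exports consumed by the master through `nodes` (see
      # masterPassiveObjects above).
      hosts = lib.mkOption {
        readOnly = true;
        description = "Hosts list for this host";
        default = (commonObjects.host or {}) // (hostObjects.host or {});
      };
      services = lib.mkOption {
        readOnly = true;
        description = "Services list for this host";
        default = commonObjects.service ++ hostObjects.service;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.monitoring = {
      rootDir = config.services.naemon.varDir;
    };

    # Passwordless sudo for the naemon user, scoped per plugin.
    # NOTE(review): sudoers matches the argument list as one string, so a
    # trailing `*` (or `/backup2/*`) also matches across spaces and therefore
    # admits any further arguments; these rules are only as safe as the
    # plugins' own argument handling, and the runAs = "ALL" rule lets naemon
    # run check_last_file_date as any user, root included. Keep the wrapped
    # plugins free of shell/argument injection and do not widen these globs.
    security.sudo.extraRules = [
      {
        commands = [
          { command = "${pkgs.mdadm}/bin/mdadm --monitor --scan -1"; options = [ "NOPASSWD" ]; }
          { command = "${pkgs.postfix}/bin/mailq"; options = [ "NOPASSWD" ]; }
        ];
        users = [ "naemon" ];
        runAs = "root";
      }
      {
        commands = [
          { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; }
        ];
        users = [ "naemon" ];
        runAs = "ALL";
      }
      {
        commands = [
          { command = "${myplugins}/check_postgres_replication *"; options = [ "NOPASSWD" ]; }
        ];
        users = [ "naemon" ];
        runAs = "postgres";
      }
      {
        commands = [
          { command = "${myplugins}/check_mysql_replication *"; options = [ "NOPASSWD" ]; }
        ];
        users = [ "naemon" ];
        runAs = "mysql";
      }
      {
        commands = [
          { command = "${myplugins}/check_openldap_replication *"; options = [ "NOPASSWD" ]; }
        ];
        users = [ "naemon" ];
        runAs = "openldap";
      }
      {
        commands = [
          { command = "${myplugins}/check_redis_replication *"; options = [ "NOPASSWD" ]; }
        ];
        users = [ "naemon" ];
        runAs = "redis";
      }
    ];

    # Tells `mdadm --monitor` (run through sudo above) where to send alerts.
    environment.etc."mdadm.conf" = {
      enable = true;
      mode = "0644";
      user = "root";
      text = "MAILADDR ${config.myEnv.monitoring.email}";
    };

    # SSH private key used by check_git ($USER203$ below), deployed outside
    # the Nix store by the secrets module.
    secrets.keys = [
      {
        dest = "naemon/id_rsa";
        user = "naemon";
        group = "naemon";
        # Fix: this attribute was misspelled `premissions`, so the requested
        # owner-read-only mode was never applied to the private key (the
        # secrets module would either reject or silently ignore the unknown name).
        permissions = "0400";
        text = config.myEnv.monitoring.ssh_secret_key;
      }
    ];

    # needed since extraResource is not in the closure
    systemd.services.naemon.path = [ myplugins ];
    services.naemon = {
      enable = true;
      extraConfig = ''
        broker_module=${pkgs.naemon-livestatus}/lib/naemon-livestatus/livestatus.so ${config.services.naemon.runDir}/live
        use_syslog=1
        log_initial_states=1
        date_format=iso8601
        admin_email=${config.myEnv.monitoring.email}
      '' + lib.optionalString (!cfg.master) ''
        obsess_over_services=1
        ocsp_command=notify-master
      '';
      # $USER2xx$ macros referenced by the object definitions. Several carry
      # credentials (status token, HTTP password, IMAP password, Slack webhook
      # URL) interpolated straight from config.myEnv.
      # NOTE(review): whether the resulting resource file is readable only by
      # naemon, or lands world-readable in the Nix store, depends on how
      # services.naemon writes extraResource — confirm; only the ssh key is
      # routed through secrets.keys and referenced by path here.
      extraResource = ''
        $USER2$=${myplugins}
        $USER200$=${config.myEnv.monitoring.status_url}
        $USER201$=${config.myEnv.monitoring.status_token}
        $USER202$=${config.myEnv.monitoring.http_user_password}
        $USER203$=${config.secrets.fullPaths."naemon/id_rsa"}
        $USER204$=${config.myEnv.monitoring.imap_login}
        $USER205$=${config.myEnv.monitoring.imap_password}
        $USER206$=${config.myEnv.monitoring.slack_channel}
        $USER207$=${config.myEnv.monitoring.slack_url}
      '';
      # Every instance gets the common and host-specific objects; the master
      # additionally defines its own objects and the passive ones it receives.
      objectDefs = toObjects commonObjects
        + toObjects hostObjects
        + lib.optionalString cfg.master (toObjects masterObjects)
        + lib.optionalString cfg.master (toObjects masterPassiveObjects);
    };
  };
}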