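{ config, pkgs, lib, name, nodes, ... }:
# Naemon monitoring for one host.  `name` is the host being built; `nodes`
# holds the other deployment nodes, whose `myServices.monitoring` options the
# master instance reads to build its passive checks (see masterPassiveObjects).
let
  cfg = config.myServices.monitoring;

  # One `wrapProgram` line for ./plugins/<prog> that prepends the bin
  # directories of `deps` to PATH.
  wrapWith = prog: deps:
    "wrapProgram $out/${prog} --prefix PATH : ${lib.makeBinPath deps}";

  # The plugin scripts from ./plugins, shebangs patched and each one wrapped
  # with the tools it calls.  Exposed to the object definitions as $USER2$.
  myplugins = pkgs.runCommand "buildplugins" {
    buildInputs = [ pkgs.makeWrapper pkgs.perl ];
  } ''
    mkdir $out
    cp ${./plugins}/* $out/
    patchShebangs $out
    # check_command gets the setuid wrapper directory (/run/wrappers/bin) on
    # PATH rather than plain store binaries.
    wrapProgram $out/check_command --prefix PATH : ${config.security.wrapperDir}
    ${wrapWith "send_nrdp.sh" [ pkgs.curl pkgs.jq ]}
    ${wrapWith "check_maison_bbc" [ pkgs.curl pkgs.jq ]}
    ${wrapWith "check_mem.sh" [ pkgs.gnugrep pkgs.gawk pkgs.procps-ng ]}
    ${wrapWith "check_postgres_replication" [ pkgs.postgresql ]}
    ${wrapWith "check_redis_replication" [ pkgs.gnugrep pkgs.coreutils pkgs.redis ]}
    ${wrapWith "check_mysql_replication" [ pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.mariadb ]}
    ${wrapWith "check_openldap_replication" [ pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.openldap ]}
    ${wrapWith "check_ftp_database" [ pkgs.lftp ]}
    ${wrapWith "check_git" [ pkgs.git pkgs.openssh ]}
    ${wrapWith "check_imap_connection" [ pkgs.openssl ]}
    ${wrapWith "check_eriomem" [ pkgs.s3cmd pkgs.python3 ]}
    ${wrapWith "notify_maison_bbc_by_email" [ pkgs.mailutils pkgs.gawk ]}
    ${wrapWith "notify_by_email" [ pkgs.mailutils ]}
    ${wrapWith "notify_by_slack" [ pkgs.curl pkgs.jq ]}
  '';

  # Renders an attrset of hosts/services into naemon object definitions.
  toObjects = pkgs.callPackage ./to_objects.nix {};

  # Per-host process/load thresholds, merged into the arguments of
  # objects_common.nix for the host being built.
  commonConfig = {
    eldiron = {
      processWarn = "250"; processAlert = "400";
      loadWarn = "8.0"; loadAlert = "10.0";
    };
    backup-2 = {
      processWarn = "60"; processAlert = "70";
      loadWarn = "1.0"; loadAlert = "2.0";
    };
    monitoring-1 = {
      processWarn = "50"; processAlert = "60";
      loadWarn = "1.0"; loadAlert = "2.0";
    };
  };

  # Objects only the master defines: the services of selected deployment
  # nodes, rewritten through their `passiveInfo`, plus hosts described by a
  # hand-written objects_<n>.nix rather than by a deployment node.
  masterPassiveObjects = let
    otherPassiveObjects = map
      (n: (pkgs.callPackage (./. + "/objects_" + n + ".nix") {}))
      [ "caldance-1" "ulminfo-fr" "immae-eu" "phare" "tiboqorl-fr" ];
    otherPassiveServices = lib.flatten (map (h: h.service or []) otherPassiveObjects);
    otherPassiveHosts = map (h: h.host) otherPassiveObjects;
    # Deployment nodes whose service results this master receives.
    passiveNodes = lib.attrsets.filterAttrs (n: _: builtins.elem n ["backup-2" "eldiron"]) nodes;
    # Each service is passed through its own `passiveInfo.filter`, then
    # `passiveInfo` is merged on top of the result.
    toPassiveServices = map (s: s.passiveInfo.filter s // s.passiveInfo);
    passiveServices = lib.flatten (lib.attrsets.mapAttrsToList
      (_: n: toPassiveServices n.config.myServices.monitoring.services)
      passiveNodes
    );
  in {
    service = passiveServices ++ otherPassiveServices;
    # Merge every host attrset; with `//` a later entry wins on a duplicate key.
    host = lib.lists.foldr
      (a: b: a//b)
      {}
      (otherPassiveHosts ++ lib.attrsets.mapAttrsToList (_: h: h.config.myServices.monitoring.hosts) passiveNodes);
  };

  masterObjects = pkgs.callPackage ./objects_master.nix { inherit config; };

  # Objects every monitored host gets; `builtins.getAttr` fails loudly for a
  # host that has no entry in commonConfig.
  commonObjects = pkgs.callPackage ./objects_common.nix ({
    master = cfg.master;
    hostFQDN = config.hostEnv.fqdn;
    hostName = name;
    # The setuid wrapper; the copy of sudo in the store is not setuid.
    sudo = "/run/wrappers/bin/sudo";
  } // builtins.getAttr name commonConfig);

  # Optional per-host objects_<name>.nix; evaluates to {} when the host has none.
  hostObjects =
    let
      specific_file = ./. + "/objects_" + name + ".nix";
    in
      lib.attrsets.optionalAttrs
        (builtins.pathExists specific_file)
        (pkgs.callPackage specific_file {
          inherit config;
          hostFQDN = config.hostEnv.fqdn;
          hostName = name;
        });
in
{
  options = {
    myServices.monitoring = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to enable monitoring.
        '';
      };
      master = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          This instance is the master instance
        '';
      };
      # Read-only views of this host's objects; the master reads them from
      # `nodes` (see masterPassiveObjects).
      hosts = lib.mkOption {
        readOnly = true;
        description = "Hosts list for this host";
        default = (commonObjects.host or {}) // (hostObjects.host or {});
      };
      services = lib.mkOption {
        readOnly = true;
        description = "Services list for this host";
        # hostObjects is {} when no objects_<name>.nix exists, so guard the
        # lookup the same way `hosts` does instead of failing evaluation.
        default = commonObjects.service ++ (hostObjects.service or []);
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.monitoring = {
      rootDir = config.services.naemon.varDir;
    };

    # Commands the naemon user may run through sudo without a password.  In a
    # sudoers command spec a trailing `*` matches any argument string, so each
    # rule is only as tight as the plugin's own handling of its arguments.
    security.sudo.extraRules =
      let
        # NOPASSWD rule allowing `naemon` to run each of `commands` as `runAs`.
        naemonRule = runAs: commands: {
          users = [ "naemon" ];
          inherit runAs;
          commands = map (command: { inherit command; options = [ "NOPASSWD" ]; }) commands;
        };
      in [
        (naemonRule "root" [
          "${pkgs.mdadm}/bin/mdadm --monitor --scan -1"
          "${pkgs.postfix}/bin/mailq"
        ])
        # runAs ALL lets this check run as any account; worth revisiting
        # whether a fixed backup owner would do.
        (naemonRule "ALL" [ "${myplugins}/check_last_file_date /backup2/*" ])
        (naemonRule "postgres" [ "${myplugins}/check_postgres_replication *" ])
        (naemonRule "mysql" [ "${myplugins}/check_mysql_replication *" ])
        (naemonRule "openldap" [ "${myplugins}/check_openldap_replication *" ])
        (naemonRule "redis" [ "${myplugins}/check_redis_replication *" ])
      ];

    environment.etc."mdadm.conf" = {
      enable = true;
      mode = "0644";
      user = "root";
      text = "MAILADDR ${config.myEnv.monitoring.email}";
    };

    # SSH private key for the checks; its deployed path is handed to the
    # object definitions as $USER203$ below.
    secrets.keys = [
      {
        dest = "naemon/id_rsa";
        user = "naemon";
        group = "naemon";
        # Was misspelled `premissions`.  Depending on how strictly the
        # secrets module types its entries, that either failed evaluation or
        # was silently dropped, leaving the key at the module's default mode.
        permissions = "0400";
        text = config.myEnv.monitoring.ssh_secret_key;
      }
    ];

    # needed since extraResource is not in the closure
    systemd.services.naemon.path = [ myplugins ];
    services.naemon = {
      enable = true;
      extraConfig = ''
        broker_module=${pkgs.naemon-livestatus}/lib/naemon-livestatus/livestatus.so ${config.services.naemon.runDir}/live
        use_syslog=1
        log_initial_states=1
        date_format=iso8601
        admin_email=${config.myEnv.monitoring.email}
      ''
      # Non-master instances hand every service result to the master via the
      # notify-master command.
      + lib.optionalString (!cfg.master) ''
        obsess_over_services=1
        ocsp_command=notify-master
      '';
      # $USERn$ macros used by the object definitions.  Several of them are
      # credentials; NOTE(review): they are interpolated at evaluation time, so
      # if the naemon module materialises resource.cfg through the Nix store
      # they become world-readable — confirm how that file is written.
      extraResource = ''
        $USER2$=${myplugins}
        $USER200$=${config.myEnv.monitoring.status_url}
        $USER201$=${config.myEnv.monitoring.status_token}
        $USER202$=${config.myEnv.monitoring.http_user_password}
        $USER203$=${config.secrets.fullPaths."naemon/id_rsa"}
        $USER204$=${config.myEnv.monitoring.imap_login}
        $USER205$=${config.myEnv.monitoring.imap_password}
        $USER206$=${config.myEnv.monitoring.slack_channel}
        $USER207$=${config.myEnv.monitoring.slack_url}
        $USER208$=${builtins.concatStringsSep "," (map (builtins.concatStringsSep ":") config.myEnv.monitoring.eriomem_keys)}
      '';
      # Common and per-host objects everywhere; master-only objects on the master.
      objectDefs = toObjects commonObjects
        + toObjects hostObjects
        + lib.optionalString cfg.master (toObjects masterObjects)
        + lib.optionalString cfg.master (toObjects masterPassiveObjects);
    };
  };
}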