-rw-r--r--modules/private/monitoring/default.nix184
-rw-r--r--modules/private/monitoring/myplugins.nix377
-rw-r--r--modules/private/monitoring/objects_backup-2.nix1
-rw-r--r--modules/private/monitoring/objects_common.nix44
-rw-r--r--modules/private/monitoring/objects_dilion.nix1
-rw-r--r--modules/private/monitoring/objects_eban.nix1
-rw-r--r--modules/private/monitoring/objects_eldiron.nix1
-rw-r--r--modules/private/monitoring/objects_monitoring-1.nix1
-rw-r--r--modules/private/monitoring/objects_phare.nix1
-rw-r--r--modules/private/monitoring/objects_quatresaisons.nix1
-rw-r--r--modules/private/monitoring/objects_ulminfo-fr.nix1
m---------nixops/secrets0
12 files changed, 414 insertions, 199 deletions
diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix
index 5f8a8c9..f00fb7c 100644
--- a/modules/private/monitoring/default.nix
+++ b/modules/private/monitoring/default.nix
@@ -1,109 +1,23 @@
1{ config, pkgs, lib, name, nodes, ... }: 1{ config, pkgs, lib, name, nodes, ... }:
2let 2let
3 cfg = config.myServices.monitoring; 3 cfg = config.myServices.monitoring;
4 send_mails = pkgs.runCommand "send_mails" { 4 activatedPlugins = [ "memory" "command" "bandwidth" ]
5 buildInputs = [ pkgs.makeWrapper ]; 5 ++ (if cfg.master then (masterObjects.activatedPlugins or []) else [])
6 } '' 6 ++ (if cfg.master then (lib.flatten (map (v: v.activatedPlugins or []) otherObjects)) else [])
7 mkdir -p $out/bin 7 ++ (hostObjects.activatedPlugins or [])
8 cp ${./send_mails} $out/bin/send_mails 8 ++ (if cfg.master then ["notify-primary"] else ["notify-secondary"]);
9 patchShebangs $out 9 allPluginsConfig = import ./myplugins.nix {
10 wrapProgram $out/bin/send_mails --prefix PATH : ${lib.makeBinPath [ 10 inherit pkgs lib config;
11 pkgs.mailutils 11 sudo = "/run/wrappers/bin/sudo";
12 ]}
13 '';
14 postgresqlBinary = if config.myServices.databasesReplication.postgresql.enable
15 then config.myServices.databasesReplication.postgresql.mainPackage
16 else if config.myServices.databases.enable
17 then config.myServices.databases.postgresql.package
18 else pkgs.postgresql;
19 zfsPlugin = pkgs.fetchurl {
20 url = "https://www.claudiokuenzler.com/monitoring-plugins/check_zpools.sh";
21 sha256 = "0p9ms9340in80jkds4kfspw62xnzsv5s7ni9m28kxyd0bnzkbzhf";
22 }; 12 };
23 megacli = pkgs.megacli.overrideAttrs(old: { meta = old.meta // { license = null; }; }); 13 mypluginsConfig = lib.getAttrs activatedPlugins allPluginsConfig;
24 megaCliPlugin = pkgs.runCommand "megaCliPlugin" { 14 myplugins = let
25 plugin = pkgs.fetchurl { 15 mypluginsChunk = builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: v.chunk or "") mypluginsConfig);
26 name = "check_megaraid_sas"; 16 in pkgs.runCommand "buildplugins" {
27 url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=6381&cf_id=24";
28 sha256 = "0yf60p4c0hb4q3fng9fc14qc89bqm0f1sijayzygadaqcl44jx4p";
29 };
30 } ''
31 mkdir $out
32 cp $plugin $out/check_megaraid_sas
33 chmod +x $out/check_megaraid_sas
34 patchShebangs $out
35 substituteInPlace $out/check_megaraid_sas --replace /usr/sbin/MegaCli ${megacli}/bin/MegaCli64
36 substituteInPlace $out/check_megaraid_sas --replace 'sudo $megacli' '/run/wrappers/bin/sudo $megacli'
37 sed -i -e "s/use utils qw(%ERRORS);/my %ERRORS = ('OK' => 0, 'WARNING' => 1, 'CRITICAL' => 2, 'UNKNOWN' => 3);/" $out/check_megaraid_sas
38 '';
39 myplugins = pkgs.runCommand "buildplugins" {
40 buildInputs = [ pkgs.makeWrapper pkgs.perl ]; 17 buildInputs = [ pkgs.makeWrapper pkgs.perl ];
41 } '' 18 } ''
42 mkdir $out 19 mkdir $out
43 cp ${zfsPlugin} $out/check_zpool.sh && chmod +x $out/check_zpool.sh 20 ${mypluginsChunk}
44 cp ${megaCliPlugin}/check_megaraid_sas $out/
45 cp ${./plugins}/* $out/
46 patchShebangs $out
47 wrapProgram $out/check_command --prefix PATH : ${config.security.wrapperDir}
48 wrapProgram $out/check_zpool.sh --prefix PATH : ${lib.makeBinPath [
49 pkgs.which pkgs.zfs pkgs.gawk
50 ]}
51 wrapProgram $out/send_nrdp.sh --prefix PATH : ${lib.makeBinPath [
52 pkgs.curl pkgs.jq
53 ]}
54 wrapProgram $out/check_mem.sh --prefix PATH : ${lib.makeBinPath [
55 pkgs.gnugrep pkgs.gawk pkgs.procps-ng
56 ]}
57 wrapProgram $out/check_postgres_replication --prefix PATH : ${lib.makeBinPath [
58 postgresqlBinary
59 ]}
60 wrapProgram $out/check_redis_replication --prefix PATH : ${lib.makeBinPath [
61 pkgs.gnugrep pkgs.coreutils pkgs.redis
62 ]}
63 wrapProgram $out/check_mysql_replication --prefix PATH : ${lib.makeBinPath [
64 pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.mariadb
65 ]}
66 wrapProgram $out/check_openldap_replication --prefix PATH : ${lib.makeBinPath [
67 pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.openldap
68 ]}
69 wrapProgram $out/check_emails --prefix PATH : ${lib.makeBinPath [
70 pkgs.openssh send_mails
71 ]} --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
72 pkgs.perlPackages.TimeDate
73 ]}
74 wrapProgram $out/check_ftp_database --prefix PATH : ${lib.makeBinPath [
75 pkgs.lftp
76 ]}
77 wrapProgram $out/check_git --prefix PATH : ${lib.makeBinPath [
78 pkgs.git pkgs.openssh
79 ]}
80 wrapProgram $out/check_imap_connection --prefix PATH : ${lib.makeBinPath [
81 pkgs.openssl
82 ]}
83 wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [
84 pkgs.s3cmd pkgs.python3
85 ]}
86 makeWrapper $out/check_backup_age $out/check_backup_eriomem_age --prefix PATH : ${lib.makeBinPath [
87 pkgs.duplicity
88 ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."eriomem_access_key"}
89 makeWrapper $out/check_backup_age $out/check_backup_ovh_age --prefix PATH : ${lib.makeBinPath [
90 pkgs.duplicity
91 ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."ovh_access_key"}
92 wrapProgram $out/notify_by_email --prefix PATH : ${lib.makeBinPath [
93 pkgs.mailutils
94 ]}
95 wrapProgram $out/notify_by_slack --prefix PATH : ${lib.makeBinPath [
96 pkgs.curl pkgs.jq
97 ]}
98 wrapProgram $out/notify_eban_url --prefix PATH : ${lib.makeBinPath [
99 pkgs.curl
100 ]}
101 wrapProgram $out/check_ovh_sms --prefix PATH : ${lib.makeBinPath [
102 (pkgs.python3.withPackages (ps: [ps.ovh]))
103 ]}
104 wrapProgram $out/check_bandwidth --prefix PATH : ${lib.makeBinPath [
105 pkgs.iproute pkgs.bc
106 ]}
107 ''; 21 '';
108 toObjects = pkgs.callPackage ./to_objects.nix {}; 22 toObjects = pkgs.callPackage ./to_objects.nix {};
109 commonConfig = { 23 commonConfig = {
@@ -183,7 +97,7 @@ let
183 master = cfg.master; 97 master = cfg.master;
184 hostFQDN = config.hostEnv.fqdn; 98 hostFQDN = config.hostEnv.fqdn;
185 hostName = name; 99 hostName = name;
186 sudo = "/run/wrappers/bin/sudo"; 100 inherit mypluginsConfig;
187 } // builtins.getAttr name commonConfig); 101 } // builtins.getAttr name commonConfig);
188 hostObjects = 102 hostObjects =
189 let 103 let
@@ -263,52 +177,21 @@ in
263 services.duplyBackup.profiles.monitoring = { 177 services.duplyBackup.profiles.monitoring = {
264 rootDir = config.services.naemon.varDir; 178 rootDir = config.services.naemon.varDir;
265 }; 179 };
266 security.sudo.extraRules = [ 180 security.sudo.extraRules = let
181 pluginsSudo = lib.lists.remove null (lib.attrsets.mapAttrsToList (k: v:
182 if (v ? sudo)
183 then ({ users = [ "naemon" ]; } // (v.sudo myplugins))
184 else null) mypluginsConfig);
185 in [
267 { 186 {
268 commands = [ 187 commands = [
269 { command = "${pkgs.mdadm}/bin/mdadm --monitor --scan -1"; options = [ "NOPASSWD" ]; } 188 { command = "${pkgs.mdadm}/bin/mdadm --monitor --scan -1"; options = [ "NOPASSWD" ]; }
270 { command = "${pkgs.postfix}/bin/mailq"; options = [ "NOPASSWD" ]; } 189 { command = "${pkgs.postfix}/bin/mailq"; options = [ "NOPASSWD" ]; }
271 { command = "${megacli}/bin/MegaCli64"; options = [ "NOPASSWD" ]; }
272 ]; 190 ];
273 users = [ "naemon" ]; 191 users = [ "naemon" ];
274 runAs = "root"; 192 runAs = "root";
275 } 193 }
276 { 194 ] ++ pluginsSudo;
277 commands = [
278 { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; }
279 ];
280 users = [ "naemon" ];
281 runAs = "ALL";
282 }
283 {
284 commands = [
285 { command = "${myplugins}/check_postgres_replication *"; options = [ "NOPASSWD" ]; }
286 ];
287 users = [ "naemon" ];
288 runAs = "postgres";
289 }
290 {
291 commands = [
292 { command = "${myplugins}/check_mysql_replication *"; options = [ "NOPASSWD" ]; }
293 ];
294 users = [ "naemon" ];
295 runAs = "mysql";
296 }
297 {
298 commands = [
299 { command = "${myplugins}/check_openldap_replication *"; options = [ "NOPASSWD" ]; }
300 ];
301 users = [ "naemon" ];
302 runAs = "openldap";
303 }
304 {
305 commands = [
306 { command = "${myplugins}/check_redis_replication *"; options = [ "NOPASSWD" ]; }
307 ];
308 users = [ "naemon" ];
309 runAs = "redis";
310 }
311 ];
312 environment.etc."mdadm.conf" = { 195 environment.etc."mdadm.conf" = {
313 enable = true; 196 enable = true;
314 mode = "0644"; 197 mode = "0644";
@@ -354,26 +237,13 @@ in
354 broker_module=${pkgs.naemon-livestatus}/lib/naemon-livestatus/livestatus.so ${config.services.naemon.runDir}/live 237 broker_module=${pkgs.naemon-livestatus}/lib/naemon-livestatus/livestatus.so ${config.services.naemon.runDir}/live
355 broker_module=${pkgs.status_engine.module}/lib/status-engine/naemon/statusengine-${pkgs.naemon.status_engine_version}.o use_service_perfdata=1 use_process_data=0 use_system_command_data=0 use_external_command_data=0 use_flapping_data=0 use_program_status_data=0 use_notification_data=0 use_contact_status_data=0 use_contact_notification_data=0 use_event_handler_data=0 use_object_data=0 238 broker_module=${pkgs.status_engine.module}/lib/status-engine/naemon/statusengine-${pkgs.naemon.status_engine_version}.o use_service_perfdata=1 use_process_data=0 use_system_command_data=0 use_external_command_data=0 use_flapping_data=0 use_program_status_data=0 use_notification_data=0 use_contact_status_data=0 use_contact_notification_data=0 use_event_handler_data=0 use_object_data=0
356 ''; 239 '';
357 extraResource = '' 240 extraResource = let
241 resources = lib.mapAttrsToList (k: v: v.resources or {}) mypluginsConfig;
242 joined = lib.zipAttrsWith (n: v: if builtins.length (lib.unique v) == 1 then builtins.head v else abort "Non-unique resources names") resources;
243 joinedStr = builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "$" + "${k}$=${v}") joined);
244 in ''
358 $USER2$=${myplugins} 245 $USER2$=${myplugins}
359 $USER200$=${config.myEnv.monitoring.status_url} 246 ${joinedStr}
360 $USER201$=${config.myEnv.monitoring.status_token}
361 $USER202$=${config.myEnv.monitoring.http_user_password}
362 $USER203$=${config.secrets.fullPaths."naemon/id_rsa"}
363 $USER204$=${config.myEnv.monitoring.imap_login}
364 $USER205$=${config.myEnv.monitoring.imap_password}
365 $USER206$=${config.myEnv.monitoring.slack_channel}
366 $USER207$=${config.myEnv.monitoring.slack_url}
367 $USER208$=${builtins.concatStringsSep "," (map (builtins.concatStringsSep ":") config.myEnv.monitoring.eriomem_keys)}
368 $USER209$=${builtins.concatStringsSep "," [
369 config.myEnv.monitoring.ovh_sms.endpoint
370 config.myEnv.monitoring.ovh_sms.application_key
371 config.myEnv.monitoring.ovh_sms.application_secret
372 config.myEnv.monitoring.ovh_sms.consumer_key
373 config.myEnv.monitoring.ovh_sms.account
374 ]}
375 $USER210$=${config.myEnv.monitoring.eban.user}
376 $USER211$=${config.myEnv.monitoring.eban.password}
377 ''; 247 '';
378 objectDefs = toObjects commonObjects 248 objectDefs = toObjects commonObjects
379 + toObjects hostObjects 249 + toObjects hostObjects
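Review bot: In the new `security.sudo.extraRules` block, `{ users = [ "naemon" ]; } // (v.sudo myplugins)` lets the plugin's attribute set win on key collisions, so a plugin entry that ever sets `users` would silently widen who receives the NOPASSWD rule. Putting the fixed part last pins it: `(v.sudo myplugins) // { users = [ "naemon" ]; }`. In the `extraResource` hunk, `abort "Non-unique resources names"` fires when two activated plugins give the same `$USERn$` different values but does not say which one; `abort "Conflicting values for resource ${n}"` would make the failure actionable. The resource values written there include tokens and passwords, and whether that text lands in the world-readable Nix store depends on how the naemon module consumes `extraResource`, which is not visible on this page.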
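--- /dev/null
+++ b/modules/private/monitoring/myplugins.nix
@@ -0,0 +1,377 @@
+{ sudo, pkgs, lib, config }:
+let
+ cfg = config.myServices.monitoring;
+in
+{
+ notify-secondary = {
+ resources = {
+ USER200 = config.myEnv.monitoring.status_url;
+ USER201 = config.myEnv.monitoring.status_token;
+ };
+ commands = {
+ notify-master = "$USER2$/send_nrdp.sh -u \"$USER200$\" -t \"$USER201$\" -H \"$HOSTADDRESS$\" -s \"$SERVICEDESC$\" -S \"$SERVICESTATEID$\" -o \"$SERVICEOUTPUT$ | $SERVICEPERFDATA$\"";
+ };
+ chunk = ''
+ cp ${./plugins}/send_nrdp.sh $out
+ patchShebangs $out/send_nrdp.sh
+ wrapProgram $out/send_nrdp.sh --prefix PATH : ${lib.makeBinPath [
+ pkgs.curl pkgs.jq
+ ]}
+ '';
+ };
+ notify-primary = {
+ resources = {
+ USER206 = config.myEnv.monitoring.slack_channel;
+ USER207 = config.myEnv.monitoring.slack_url;
+ USER210 = config.myEnv.monitoring.eban.user;
+ USER211 = config.myEnv.monitoring.eban.password;
+ };
+ commands = {
+ # $OVE is to force naemon to run via shell instead of execve which fails here
+ notify-host-by-email = "ADMINEMAIL=\"$ADMINEMAIL$\" SERVICENOTIFICATIONID=\"$SERVICENOTIFICATIONID$\" HOSTSTATE=\"$HOSTSTATE$\" HOSTOUTPUT=\"$HOSTOUTPUT$\" $USER2$/notify_by_email host \"$NOTIFICATIONTYPE$\" \"$HOSTALIAS$\" \"$LONGDATETIME$\" \"$CONTACTEMAIL$\" $OVE";
+ # $OVE is to force naemon to run via shell instead of execve which fails here
+ notify-service-by-email = "ADMINEMAIL=\"$ADMINEMAIL$\" SERVICENOTIFICATIONID=\"$SERVICENOTIFICATIONID$\" SERVICEDESC=\"$SERVICEDESC$\" SERVICESTATE=\"$SERVICESTATE$\" SERVICEOUTPUT=\"$SERVICEOUTPUT$\" $USER2$/notify_by_email service \"$NOTIFICATIONTYPE$\" \"$HOSTALIAS$\" \"$LONGDATETIME$\" \"$CONTACTEMAIL$\" $OVE";
+ notify-by-slack = "HOST=\"$HOSTALIAS$\" SERVICESTATE=\"$SERVICESTATE$\" SERVICEDESC=\"$SERVICEDESC$\" SERVICEOUTPUT=\"$SERVICEOUTPUT$\" $USER2$/notify_by_slack \"$ARG1$\" \"$ARG2$\"";
+ notify-host-eban-url = "STATUS_NAME=\"Server\" USER=\"$USER210$\" PASSWORD=\"$USER211$\" HOSTSTATE=\"$HOSTSTATE$\" $USER2$/notify_eban_url";
+ notify-service-eban-url = "STATUS_NAME=\"$_SERVICEWEBSTATUS_NAME$\" USER=\"$USER210$\" PASSWORD=\"$USER211$\" SERVICESTATE=\"$SERVICESTATE$\" $USER2$/notify_eban_url";
+ };
+ chunk = ''
+ cp ${./plugins}/{notify_by_email,notify_by_slack,notify_eban_url} $out
+ patchShebangs $out/{notify_by_email,notify_by_slack,notify_eban_url}
+ wrapProgram $out/notify_by_email --prefix PATH : ${lib.makeBinPath [
+ pkgs.mailutils
+ ]}
+ wrapProgram $out/notify_by_slack --prefix PATH : ${lib.makeBinPath [
+ pkgs.curl pkgs.jq
+ ]}
+ wrapProgram $out/notify_eban_url --prefix PATH : ${lib.makeBinPath [
+ pkgs.curl
+ ]}
+ '';
+ };
+ bandwidth = {
+ commands = {
+ check_local_bandwidth = "$USER2$/check_bandwidth -i=$ARG1$ -w $ARG2$ -c $ARG3$";
+ };
+ chunk = ''
+ cp ${./plugins}/check_bandwidth $out/
+ patchShebangs $out/check_bandwidth
+ wrapProgram $out/check_bandwidth --prefix PATH : ${lib.makeBinPath [
+ pkgs.iproute pkgs.bc
+ ]}
+ '';
+ };
+ command = {
+ commands = {
+ check_command_match = "$USER2$/check_command -c \"$ARG1$\" -C \"$ARG2$\" $ARG3$";
+ check_command_output = "$USER2$/check_command -c \"$ARG1$\" -s 0 -o \"$ARG2$\" $ARG3$";
+ check_command_status = "$USER2$/check_command -c \"$ARG1$\" -s \"$ARG2$\" $ARG3$";
+ };
+ chunk = ''
+ cp ${./plugins}/check_command $out/
+ patchShebangs $out/check_command
+ wrapProgram $out/check_command --prefix PATH : ${config.security.wrapperDir}
+ '';
+ };
+ dns = {
+ commands = {
+ check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
+ check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
+ };
+ };
+ emails = {
+ resources = {
+ USER203 = config.secrets.fullPaths."naemon/id_rsa";
+ };
+ commands = {
+ check_emails = "$USER2$/check_emails -H $HOSTADDRESS$ -i $USER203$ -l $ARG1$ -p $ARG2$ -s $ARG3$ -f $ARG4$";
+ check_emails_local = "$USER2$/check_emails -H $HOSTADDRESS$ -n $ARG1$ -r $ADMINEMAIL$ -s $ARG2$ -f $ARG3$";
+ };
+ chunk = let
+ send_mails = pkgs.runCommand "send_mails" {
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ mkdir -p $out/bin
+ cp ${./send_mails} $out/bin/send_mails
+ patchShebangs $out
+ wrapProgram $out/bin/send_mails --prefix PATH : ${lib.makeBinPath [
+ pkgs.mailutils
+ ]}
+ '';
+ in ''
+ cp ${./plugins}/check_emails $out/
+ patchShebangs $out/check_emails
+ wrapProgram $out/check_emails --prefix PATH : ${lib.makeBinPath [
+ pkgs.openssh send_mails
+ ]} --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
+ pkgs.perlPackages.TimeDate
+ ]}
+ '';
+ };
+ eriomem = {
+ resources = {
+ USER208 = builtins.concatStringsSep "," (map (builtins.concatStringsSep ":") config.myEnv.monitoring.eriomem_keys);
+ };
+ commands = {
+ check_backup_eriomem = "$USER2$/check_eriomem $USER208$";
+ check_backup_eriomem_age = "$USER2$/check_backup_eriomem_age $ARG1$";
+ };
+ chunk = ''
+ cp ${./plugins}/check_eriomem $out/
+ patchShebangs $out/check_eriomem
+ wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [
+ pkgs.s3cmd pkgs.python3
+ ]}
+ cp ${./plugins}/check_backup_age $out/check_backup_eriomem_age
+ patchShebangs $out/check_backup_eriomem_age
+ wrapProgram $out/check_backup_eriomem_age --prefix PATH : ${lib.makeBinPath [
+ pkgs.duplicity
+ ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."eriomem_access_key"}
+ '';
+ };
+ file_date = {
+ commands = {
+ check_last_file_date = "${sudo} -u \"$ARG3$\" $USER2$/check_last_file_date \"$ARG1$\" \"$ARG2$\"";
+ };
+ chunk = ''
+ cp ${./plugins}/check_last_file_date $out/
+ patchShebangs $out/check_last_file_date
+ '';
+ sudo = myplugins: {
+ commands = [
+ { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; }
+ ];
+ runAs = "ALL";
+ };
+ };
+ ftp = {
+ commands = {
+ check_ftp_database = "$USER2$/check_ftp_database";
+ };
+ chunk = ''
+ cp ${./plugins}/check_ftp_database $out/
+ patchShebangs $out/check_ftp_database
+ wrapProgram $out/check_ftp_database --prefix PATH : ${lib.makeBinPath [
+ pkgs.lftp
+ ]}
+ '';
+ };
+ git = {
+ resources = {
+ USER203 = config.secrets.fullPaths."naemon/id_rsa";
+ };
+ commands = {
+ check_git = "$USER2$/check_git $USER203$";
+ };
+ chunk = ''
+ cp ${./plugins}/check_git $out/
+ patchShebangs $out/check_git
+ wrapProgram $out/check_git --prefix PATH : ${lib.makeBinPath [
+ pkgs.git pkgs.openssh
+ ]}
+ '';
+ };
+ http = {
+ resources = {
+ USER202 = config.myEnv.monitoring.http_user_password;
+ };
+ commands = {
+ check_http = "$USER1$/check_http --sni -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -r \"$ARG3$\"";
+ check_https = "$USER1$/check_http --sni --ssl -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -r \"$ARG3$\"";
+ check_https_auth = "$USER1$/check_http --sni --ssl -a \"$USER202$\" -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -r \"$ARG3$\"";
+ check_https_certificate = "$USER1$/check_http --sni --ssl -H \"$ARG1$\" -C 21,15";
+ check_https_code = "$USER1$/check_http --sni --ssl -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -e \"$ARG3$\" -r \"$ARG4$\"";
+ };
+ };
+ imap = {
+ resources = {
+ USER204 = config.myEnv.monitoring.imap_login;
+ USER205 = config.myEnv.monitoring.imap_password;
+ };
+ commands = {
+ check_imap_connection = "$USER2$/check_imap_connection -u \"$USER204$\" -p \"$USER205$\" -H \"imap.immae.eu:143\"";
+ };
+ chunk = ''
+ cp ${./plugins}/check_imap_connection $out/
+ patchShebangs $out/check_imap_connection
+ wrapProgram $out/check_imap_connection --prefix PATH : ${lib.makeBinPath [
+ pkgs.openssl
+ ]}
+ '';
+ };
+ megaraid = let
+ megacli = pkgs.megacli.overrideAttrs(old: { meta = old.meta // { license = null; }; });
+ in {
+ commands = {
+ check_megaraid = "$USER2$/check_megaraid_sas --sudo";
+ };
+ chunk = let
+ megaCliPlugin = pkgs.runCommand "megaCliPlugin" {
+ plugin = pkgs.fetchurl {
+ name = "check_megaraid_sas";
+ url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=6381&cf_id=24";
+ sha256 = "0yf60p4c0hb4q3fng9fc14qc89bqm0f1sijayzygadaqcl44jx4p";
+ };
+ } ''
+ mkdir $out
+ cp $plugin $out/check_megaraid_sas
+ chmod +x $out/check_megaraid_sas
+ patchShebangs $out
+ substituteInPlace $out/check_megaraid_sas --replace /usr/sbin/MegaCli ${megacli}/bin/MegaCli64
+ substituteInPlace $out/check_megaraid_sas --replace 'sudo $megacli' '${sudo} $megacli'
+ sed -i -e "s/use utils qw(%ERRORS);/my %ERRORS = ('OK' => 0, 'WARNING' => 1, 'CRITICAL' => 2, 'UNKNOWN' => 3);/" $out/check_megaraid_sas
+ '';
+ in ''
+ cp ${megaCliPlugin}/check_megaraid_sas $out/
+ patchShebangs $out/check_megaraid_sas
+ '';
+ sudo = _: {
+ commands = [
+ { command = "${megacli}/bin/MegaCli64"; options = [ "NOPASSWD" ]; }
+ ];
+ runAs = "root";
+ };
+ };
+ memory = {
+ commands = {
+ check_memory = "$USER2$/check_mem.sh -w $ARG1$ -c $ARG2$";
+ };
+ chunk = ''
+ cp ${./plugins}/check_mem.sh $out/
+ patchShebangs $out/check_mem.sh
+ wrapProgram $out/check_mem.sh --prefix PATH : ${lib.makeBinPath [
+ pkgs.gnugrep pkgs.gawk pkgs.procps-ng
+ ]}
+ '';
+ };
+ mysql = {
+ commands = {
+ check_mysql_replication = "${sudo} -u mysql $USER2$/check_mysql_replication \"$ARG1$\" \"$ARG2$\"";
+ };
+ chunk = ''
+ cp ${./plugins}/check_mysql_replication $out/
+ patchShebangs $out/check_mysql_replication
+ wrapProgram $out/check_mysql_replication --prefix PATH : ${lib.makeBinPath [
+ pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.mariadb
+ ]}
+ '';
+ sudo = myplugins: {
+ commands = [
+ { command = "${myplugins}/check_mysql_replication *"; options = [ "NOPASSWD" ]; }
+ ];
+ runAs = "mysql";
+ };
+ };
+ openldap = {
+ commands = {
+ check_openldap_replication = "${sudo} -u openldap $USER2$/check_openldap_replication \"$ARG1$\" \"$ARG2$\" \"$ARG3$\" \"$ARG4$\" \"$ARG5$\"";
+ };
+ chunk = ''
+ cp ${./plugins}/check_openldap_replication $out/
+ patchShebangs $out/check_openldap_replication
+ wrapProgram $out/check_openldap_replication --prefix PATH : ${lib.makeBinPath [
+ pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.openldap
+ ]}
+ '';
+ sudo = myplugins: {
+ commands = [
+ { command = "${myplugins}/check_openldap_replication *"; options = [ "NOPASSWD" ]; }
+ ];
+ runAs = "openldap";
+ };
+ };
+ ovh = {
+ resources = {
+ USER209 = builtins.concatStringsSep "," [
+ config.myEnv.monitoring.ovh_sms.endpoint
+ config.myEnv.monitoring.ovh_sms.application_key
+ config.myEnv.monitoring.ovh_sms.application_secret
+ config.myEnv.monitoring.ovh_sms.consumer_key
+ config.myEnv.monitoring.ovh_sms.account
+ ];
+ };
+ commands = {
+ check_backup_ovh_age = "$USER2$/check_backup_ovh_age $ARG1$";
+ check_ovh_sms = "$USER2$/check_ovh_sms \"$USER209$\"";
+ };
+ chunk = ''
+ cp ${./plugins}/check_backup_age $out/check_backup_ovh_age
+ patchShebangs $out/check_backup_ovh_age
+ wrapProgram $out/check_backup_ovh_age --prefix PATH : ${lib.makeBinPath [
+ pkgs.duplicity
+ ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."ovh_access_key"}
+ cp ${./plugins}/check_ovh_sms $out/
+ patchShebangs $out/check_ovh_sms
+ wrapProgram $out/check_ovh_sms --prefix PATH : ${lib.makeBinPath [
+ (pkgs.python3.withPackages (ps: [ps.ovh]))
+ ]}
+ '';
+ };
+ postgresql = {
+ commands = {
+ check_postgresql_replication = "${sudo} -u postgres $USER2$/check_postgres_replication \"$ARG1$\" \"$ARG2$\" \"$ARG3$\"";
+ };
+ chunk = let
+ postgresqlBinary = if config.myServices.databasesReplication.postgresql.enable
+ then config.myServices.databasesReplication.postgresql.mainPackage
+ else if config.myServices.databases.enable
+ then config.myServices.databases.postgresql.package
+ else pkgs.postgresql;
+ in ''
+ cp ${./plugins}/check_postgres_replication $out/
+ patchShebangs $out/check_postgres_replication
+ wrapProgram $out/check_postgres_replication --prefix PATH : ${lib.makeBinPath [
+ postgresqlBinary
+ ]}
+ '';
+
+ sudo = myplugins: {
+ commands = [
+ { command = "${myplugins}/check_postgres_replication *"; options = [ "NOPASSWD" ]; }
+ ];
+ runAs = "postgres";
+ };
+ };
+ redis = {
+ commands = {
+ check_redis_replication = "${sudo} -u redis $USER2$/check_redis_replication \"$ARG1$\"";
+ };
+ chunk = ''
+ cp ${./plugins}/check_redis_replication $out/
+ patchShebangs $out/check_redis_replication
+ wrapProgram $out/check_redis_replication --prefix PATH : ${lib.makeBinPath [
+ pkgs.gnugrep pkgs.coreutils pkgs.redis
+ ]}
+ '';
+ sudo = myplugins: {
+ commands = [
+ { command = "${myplugins}/check_redis_replication *"; options = [ "NOPASSWD" ]; }
+ ];
+ runAs = "redis";
+ };
+ };
+ tcp = {
+ commands = {
+ check_tcp = "$USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ -e \"$ARG2$\" -Mcrit";
+ check_tcp_ssl = "$USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ -S -D 21,15";
+ };
+ };
+ zfs = {
+ commands = {
+ check_zfs = "$USER2$/check_zpool.sh -p ALL -w 80 -c 90";
+ };
+ chunk = let
+ zfsPlugin = pkgs.fetchurl {
+ url = "https://www.claudiokuenzler.com/monitoring-plugins/check_zpools.sh";
+ sha256 = "0p9ms9340in80jkds4kfspw62xnzsv5s7ni9m28kxyd0bnzkbzhf";
+ };
+ in ''
+ cp ${zfsPlugin} $out/check_zpool.sh
+ chmod +x $out/check_zpool.sh
+ patchShebangs $out/check_zpool.sh
+ wrapProgram $out/check_zpool.sh --prefix PATH : ${lib.makeBinPath [
+ pkgs.which pkgs.zfs pkgs.gawk
+ ]}
+ '';
+ };
+}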
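Review bot: `file_date.sudo` keeps `runAs = "ALL"` together with `NOPASSWD`, so the naemon account may run `check_last_file_date` as any account, root included, and the matching command line passes `$ARG3$` straight to `sudo -u`. Because a sudoers `*` also matches spaces and slashes, the `/backup2/*` pattern (and the `check_*_replication *` rules for mysql, openldap, postgresql and redis) does not confine the arguments to one path or one argument. Now that each plugin owns its rule, this is a good place to replace `ALL` with the explicit list of backup-owning accounts and to add a comment beside each rule naming the arguments the script is expected to receive, e.g. `# args: <path under /backup2> <max age>; run as the backup owner only`. Separately, `--set SECRETS_PATH ${lib.optionalString cfg.master ...}` in the eriomem and ovh chunks expands to nothing on non-master hosts, so the wrapper call depends on makeWrapper tolerating a missing value; quoting the interpolation would keep it well-formed.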
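--- a/modules/private/monitoring/objects_backup-2.nix
+++ b/modules/private/monitoring/objects_backup-2.nix
@@ -11,6 +11,7 @@ let
  };
 in
 {
+ activatedPlugins = [ "file_date" "mysql" "openldap" "redis" "emails" ];
  service = [
  (emailCheck "backup-2" hostFQDN // {
  passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-email"; freshness_threshold = "1350"; };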
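--- a/modules/private/monitoring/objects_common.nix
+++ b/modules/private/monitoring/objects_common.nix
@@ -10,9 +10,9 @@
 , load5Alert ? loadAlert
 , load15Alert ? load5Alert
 , mdadm
-, sudo
 , master
 , lib
+, mypluginsConfig
 , ...
 }:
 let
@@ -109,58 +109,18 @@ in
  ];
  }
  ];
- command = {
+ command = lib.foldr (v: o: o // (v.commands or {})) {} (builtins.attrValues mypluginsConfig) // {
- check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
- check_emails = "$USER2$/check_emails -H $HOSTADDRESS$ -i $USER203$ -l $ARG1$ -p $ARG2$ -s $ARG3$ -f $ARG4$";
- check_emails_local = "$USER2$/check_emails -H $HOSTADDRESS$ -n $ARG1$ -r $ADMINEMAIL$ -s $ARG2$ -f $ARG3$";
- check_backup_eriomem = "$USER2$/check_eriomem $USER208$";
- check_backup_eriomem_age = "$USER2$/check_backup_eriomem_age $ARG1$";
- check_backup_ovh_age = "$USER2$/check_backup_ovh_age $ARG1$";
- check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
- check_ftp_database = "$USER2$/check_ftp_database";
- check_git = "$USER2$/check_git $USER203$";
- check_http = "$USER1$/check_http --sni -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -r \"$ARG3$\"";
- check_https = "$USER1$/check_http --sni --ssl -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -r \"$ARG3$\"";
- check_https_auth = "$USER1$/check_http --sni --ssl -a \"$USER202$\" -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -r \"$ARG3$\"";
- check_https_certificate = "$USER1$/check_http --sni --ssl -H \"$ARG1$\" -C 21,15";
- check_https_code = "$USER1$/check_http --sni --ssl -f stickyport -H \"$ARG1$\" -u \"$ARG2$\" -e \"$ARG3$\" -r \"$ARG4$\"";
- check_imap_connection = "$USER2$/check_imap_connection -u \"$USER204$\" -p \"$USER205$\" -H \"imap.immae.eu:143\"";
  check_local_disk = "$USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$";
  check_local_procs = "$USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$";
  check_local_load = "$USER1$/check_load -r -w $ARG1$ -c $ARG2$";
  check_local_swap = "$USER1$/check_swap -n ok -w $ARG1$ -c $ARG2$";
- check_local_bandwidth = "$USER2$/check_bandwidth -i=$ARG1$ -w $ARG2$ -c $ARG3$";
- check_memory = "$USER2$/check_mem.sh -w $ARG1$ -c $ARG2$";
- check_command_match = "$USER2$/check_command -c \"$ARG1$\" -C \"$ARG2$\" $ARG3$";
- check_command_output = "$USER2$/check_command -c \"$ARG1$\" -s 0 -o \"$ARG2$\" $ARG3$";
- check_command_status = "$USER2$/check_command -c \"$ARG1$\" -s \"$ARG2$\" $ARG3$";
  check_ntp = "$USER1$/check_ntp_time -t 30 -q -H 0.arch.pool.ntp.org";
  check_mailq = "$USER1$/check_mailq -s -w 1 -c 2";
- check_megaraid = "$USER2$/check_megaraid_sas --sudo";
- check_mysql_replication = "${sudo} -u mysql $USER2$/check_mysql_replication \"$ARG1$\" \"$ARG2$\"";
- check_postgresql_replication = "${sudo} -u postgres $USER2$/check_postgres_replication \"$ARG1$\" \"$ARG2$\" \"$ARG3$\"";
- check_openldap_replication = "${sudo} -u openldap $USER2$/check_openldap_replication \"$ARG1$\" \"$ARG2$\" \"$ARG3$\" \"$ARG4$\" \"$ARG5$\"";
- check_ovh_sms = "$USER2$/check_ovh_sms \"$USER209$\"";
- check_redis_replication = "${sudo} -u redis $USER2$/check_redis_replication \"$ARG1$\"";
  check_smtp = "$USER1$/check_smtp -H $HOSTADDRESS$ -p 25 -S -D 21,15";
- check_tcp = "$USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ -e \"$ARG2$\" -Mcrit";
- check_tcp_ssl = "$USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ -S -D 21,15";
- check_zfs = "$USER2$/check_zpool.sh -p ALL -w 80 -c 90";
 
  check_host_alive = "$USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5";
- check_last_file_date = "${sudo} -u \"$ARG3$\" $USER2$/check_last_file_date \"$ARG1$\" \"$ARG2$\"";
  check_ok = "$USER1$/check_dummy 0 \"Dummy OK\"";
  check_critical = "$USER1$/check_dummy 2 \"Dummy CRITICAL\"";
-
- # $OVE is to force naemon to run via shell instead of execve which fails here
- notify-host-by-email = "ADMINEMAIL=\"$ADMINEMAIL$\" SERVICENOTIFICATIONID=\"$SERVICENOTIFICATIONID$\" HOSTSTATE=\"$HOSTSTATE$\" HOSTOUTPUT=\"$HOSTOUTPUT$\" $USER2$/notify_by_email host \"$NOTIFICATIONTYPE$\" \"$HOSTALIAS$\" \"$LONGDATETIME$\" \"$CONTACTEMAIL$\" $OVE";
- # $OVE is to force naemon to run via shell instead of execve which fails here
- notify-service-by-email = "ADMINEMAIL=\"$ADMINEMAIL$\" SERVICENOTIFICATIONID=\"$SERVICENOTIFICATIONID$\" SERVICEDESC=\"$SERVICEDESC$\" SERVICESTATE=\"$SERVICESTATE$\" SERVICEOUTPUT=\"$SERVICEOUTPUT$\" $USER2$/notify_by_email service \"$NOTIFICATIONTYPE$\" \"$HOSTALIAS$\" \"$LONGDATETIME$\" \"$CONTACTEMAIL$\" $OVE";
- notify-by-slack = "HOST=\"$HOSTALIAS$\" SERVICESTATE=\"$SERVICESTATE$\" SERVICEDESC=\"$SERVICEDESC$\" SERVICEOUTPUT=\"$SERVICEOUTPUT$\" $USER2$/notify_by_slack \"$ARG1$\" \"$ARG2$\"";
- notify-host-eban-url = "STATUS_NAME=\"Server\" USER=\"$USER210$\" PASSWORD=\"$USER211$\" HOSTSTATE=\"$HOSTSTATE$\" $USER2$/notify_eban_url";
- notify-service-eban-url = "STATUS_NAME=\"$_SERVICEWEBSTATUS_NAME$\" USER=\"$USER210$\" PASSWORD=\"$USER211$\" SERVICESTATE=\"$SERVICESTATE$\" $USER2$/notify_eban_url";
-
- notify-master = "$USER2$/send_nrdp.sh -u \"$USER200$\" -t \"$USER201$\" -H \"$HOSTADDRESS$\" -s \"$SERVICEDESC$\" -S \"$SERVICESTATEID$\" -o \"$SERVICEOUTPUT$ | $SERVICEPERFDATA$\"";
  };
  timeperiod = {
  "24x7" = {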
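Review bot: The new `command = lib.foldr (v: o: o // (v.commands or {})) {} (builtins.attrValues mypluginsConfig) // { ... }` merges command sets with `//`, so two activated plugins that define the same command name, or a plugin that reuses a built-in name such as `check_ntp`, replace one another without any error. `default.nix` already aborts when plugins disagree on a `resources` entry; applying the same `lib.zipAttrsWith` uniqueness check to `commands` would stop a service from running a different command line (possibly a sudo-prefixed one) than its definition expects. A comment above the fold would document the precedence in the meantime, e.g. `# plugin-provided commands; the built-in entries below win on name clashes`. The `command` attribute set continues past the end of this hunk's context.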
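--- a/modules/private/monitoring/objects_dilion.nix
+++ b/modules/private/monitoring/objects_dilion.nix
@@ -11,6 +11,7 @@ let
  };
 in
 {
+ activatedPlugins = [ "zfs" ];
  service = [
  {
  passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-resources"; };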
diff --git a/modules/private/monitoring/objects_eban.nix b/modules/private/monitoring/objects_eban.nix
index 9ad49e1..15b19b9 100644
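--- a/modules/private/monitoring/objects_eban.nix
+++ b/modules/private/monitoring/objects_eban.nix
@@ -12,6 +12,7 @@ let
  } // rest;
 in
 {
+ activatedPlugins = [ "http" ];
  contact = {
  eban = {
  use = "generic-contact";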
diff --git a/modules/private/monitoring/objects_eldiron.nix b/modules/private/monitoring/objects_eldiron.nix
index 2c15dd6..75e7b0e 100644
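--- a/modules/private/monitoring/objects_eldiron.nix
+++ b/modules/private/monitoring/objects_eldiron.nix
@@ -11,6 +11,7 @@ let
  };
 in
 {
+ activatedPlugins = [ "emails" "postgresql" "zfs" ];
  service = [
  {
  passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases"; };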
diff --git a/modules/private/monitoring/objects_monitoring-1.nix b/modules/private/monitoring/objects_monitoring-1.nix
index 6432ddb..32dbe4b 100644
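--- a/modules/private/monitoring/objects_monitoring-1.nix
+++ b/modules/private/monitoring/objects_monitoring-1.nix
@@ -22,6 +22,7 @@ let
  }) profile.remotes;
 in
 {
+ activatedPlugins = [ "dns" "ftp" "git" "http" "imap" "ovh" "tcp" ];
  host = {
  # Dummy host for testing
  # "dummy-host" = {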
diff --git a/modules/private/monitoring/objects_phare.nix b/modules/private/monitoring/objects_phare.nix
index a61b46e..082e7e3 100644
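--- a/modules/private/monitoring/objects_phare.nix
+++ b/modules/private/monitoring/objects_phare.nix
@@ -1,5 +1,6 @@
 { emailCheck, ... }:
 {
+ activatedPlugins = [ "emails" ];
  host = {
  "phare.normalesup.org" = {
  alias = "phare.normalesup.org";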
diff --git a/modules/private/monitoring/objects_quatresaisons.nix b/modules/private/monitoring/objects_quatresaisons.nix
index de0ce86..55d5631 100644
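--- a/modules/private/monitoring/objects_quatresaisons.nix
+++ b/modules/private/monitoring/objects_quatresaisons.nix
@@ -11,6 +11,7 @@ let
  };
 in
 {
+ activatedPlugins = [ "megaraid" ];
  service = [
  {
  passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-resources"; };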
diff --git a/modules/private/monitoring/objects_ulminfo-fr.nix b/modules/private/monitoring/objects_ulminfo-fr.nix
index 574e0e3..bd2804b 100644
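--- a/modules/private/monitoring/objects_ulminfo-fr.nix
+++ b/modules/private/monitoring/objects_ulminfo-fr.nix
@@ -1,5 +1,6 @@
 { emailCheck, ... }:
 {
+ activatedPlugins = [ "emails" ];
  host = {
  "ulminfo.fr" = {
  alias = "ulminfo.fr";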
diff --git a/nixops/secrets b/nixops/secrets
Subproject bbc6606211e970d0df974f0f74693f48186aea9 Subproject bf72e9cc77b6c2217ae9e9a272805b1d917336c