[WIP] Complete rework of the role to simplify distributed site setup

.travis.yml

@@ -1,6 +1,7 @@
 ---
 
-sudo: True
+sudo: required
+dist: trusty
 language: 'python'
 python: '2.7'
 

README.md

@@ -20,7 +20,7 @@ This role installs and manages [Check_MK](http://mathias-kettner.com/check_mk.ht
 
 ### Installation
 
-This role requires at least Ansible `v2.1.5`. To install it, run:
+This role requires at least Ansible `v2.3.0`. To install it, run:
 
 ```Shell
 ansible-galaxy install debops-contrib.checkmk_server

docs/playbooks/checkmk_server.yml

@@ -6,16 +6,30 @@
 
   roles:
 
+    - role: debops.apache/env
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+    - role: debops-contrib.checkmk_server/env
+      tags: [ 'role::checkmk_server', 'role::checkmk_server:env' ]
+
     - role: debops.etc_services
       tags: [ 'role::etc_services' ]
-      etc_services__dependent_list:
-        - '{{ checkmk_server__etc_services__dependent_list }}'
-      when: checkmk_server__multisite_livestatus|d()
+      etc_services__dependent_list: '{{ checkmk_server__etc_services__dependent_list }}'
 
     - role: debops.ferm
       tags: [ 'role::ferm' ]
       ferm__dependent_rules:
-        - '{{ checkmk_server__ferm_dependent_rules }}'
+        - '{{ apache__ferm__dependent_rules }}'
+        - '{{ checkmk_server__ferm__dependent_rules }}'
+
+    - role: debops.apache
+      tags: [ 'role::apache' ]
+      apache__dependent_snippets: '{{ checkmk_server__apache__dependent_snippets }}'
+      apache__dependent_vhosts: '{{ checkmk_server__apache__dependent_vhosts }}'
+
+    - role: debops.users
+      tags: [ 'role::users' ]
+      users__dependent_accounts: '{{ checkmk_server__users__dependent_accounts }}'
 
     - role: debops-contrib.checkmk_server
       tags: [ 'role::checkmk_server' ]

env/defaults

@@ -0,0 +1 @@
+../defaults

files/check-mk-raw-1.2.8-set-https-proxy-header.patch → env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch

@@ -1,5 +1,5 @@
 Author: Reto Gantenbein <[email protected]>
-Date:   Tue Jun 21 06:51:23 2016 +0200
+Date:   Tue May 8 17:57:28 2017 +0200
 
     Set X-Forwarded headers when accessed via HTTPS
 
@@ -14,15 +14,21 @@ Date:   Tue Jun 21 06:51:23 2016 +0200
     %{SERVER_PORT} in in the X-Forwarded-Port header
     failed because it seemed to be undefined "(null)".
 
+    v2: - Guard 'RequestHeader' statements with
+          <IfModule> to avoid errors if mod_headers
+          is not (yet) enabled
+
 --- /omd/versions/default/skel/etc/apache/apache-own.conf.orig  2016-05-13 19:19:07.000000000 +0200
-+++ /omd/versions/default/skel/etc/apache/apache-own.conf       2016-06-21 06:50:03.169171120 +0200
-@@ -11,6 +11,10 @@
++++ /omd/versions/default/skel/etc/apache/apache-own.conf       2017-05-08 17:56:25.342383031 +0200
+@@ -11,6 +11,12 @@
    ProxyRequests Off
    ProxyPreserveHost On
 
 +  # Indicate when the site was accessed via HTTPS
++  <IfModule mod_headers.c>
 +  RequestHeader set X-Forwarded-Proto https env=HTTPS
 +  RequestHeader set X-Forwarded-Port 443 env=HTTPS
++  </IfModule>
 +
    # Include file created by 'omd config', which 
    # sets the TCP port of the site local webserver

env/tasks/create_sites.yml

@@ -0,0 +1,14 @@
+---
+# IMPORTANT:
+# These tasks are run for each Check_MK site defined
+# in `checkmk_server__sites`. This means they can run multiple
+# times per server. If the monitoring site is a remote slave,
+# they might even run on a different server. The site configuration
+# is available through `site_item`.
+
+- name: Create Check_MK site
+  command: omd create '{{ site_item.name }}'
+  args:
+    creates: '{{ site_item.home }}/etc/omd/site.conf'
+  delegate_to: '{{ site_item.delegate_to
+                   if (not site_item.delegate_to == inventory_hostname) else omit }}'

env/tasks/facts.yml

@@ -0,0 +1,34 @@
+---
+#
+# Set site facts so that later tasks can depend on it
+#
+# IMPORTANT:
+# These tasks are run for each Check_MK site defined
+# in `checkmk_server__sites`. This means they can run multiple
+# times per server. If the monitoring site is a remote slave,
+# they might even run on a different server. The site configuration
+# is available through `site_item`.
+
+- name: Persist site facts
+  block:
+
+  - name: Make sure that local fact directory exists
+    file:
+      dest: '/etc/ansible/facts.d'
+      state: 'directory'
+      owner: 'root'
+      group: 'root'
+      mode: '0755'
+
+  - name: Save Check_MK server local facts
+    template:
+      src: 'etc/ansible/facts.d/checkmk_server.fact.j2'
+      dest: '/etc/ansible/facts.d/checkmk_server.fact'
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
+    register: checkmk_server__register_local_facts
+
+  # Delegate entire block to corresponding host
+  delegate_to: '{{ site_item.delegate_to
+                   if (not site_item.delegate_to == inventory_hostname) else omit }}'

env/tasks/main.yml

@@ -0,0 +1,81 @@
+---
+- name: Check that involved distributed sites servers are play hosts
+  assert:
+    that: checkmk_server__sites | map(attribute="delegate_to") | list | issubset(play_hosts)
+    msg: 'Make sure that playbook is run on all servers included in distributed sites. Not doing so might result in wrong variable defaults.'
+
+- name: Install prerequisite packages
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items: '{{ checkmk_server__prerequisite_packages }}'
+
+- name: Check check-mk-raw package version
+  shell: dpkg-query -W -f='${Version}\n' check-mk-raw-{{ checkmk_server__version }} | cut -d- -f1
+  register: checkmk_server__register_version
+  changed_when: False
+  failed_when: False
+  check_mode: no
+
+- name: Download Check_MK RAW package
+  get_url:
+    url: '{{ checkmk_server__raw_package }}'
+    dest: '/var/cache/apt/archives/{{ checkmk_server__raw_package | basename }}'
+  register: checkmk_server__register_download
+  when: (not checkmk_server__register_version.stdout) and
+        (checkmk_server__raw_package | match('^http'))
+
+- name: Install local Check_MK RAW package
+  apt:
+    deb: '{{ "/var/cache/apt/archives/" + (checkmk_server__raw_package | basename)
+             if (not checkmk_server__register_download | skipped)
+             else checkmk_server__raw_package }}'
+    state: present
+  register: checkmk_server__register_deb_install
+  when: (not checkmk_server__register_version.stdout) and
+        ((checkmk_server__raw_package | splitext)[1] == '.deb')
+
+- name: Install Check_MK RAW package from repository
+  apt:
+    name: '{{ checkmk_server__raw_package }}'
+    state: present
+  register: checkmk_server__register_apt_install
+  when: (not checkmk_server__register_version.stdout) and
+        (not checkmk_server__register_deb_install|d())
+
+- name: Apply patches
+  patch:
+    src: '{{ item.patch }}'
+    dest: '{{ item.file }}'
+    basedir: '/'
+  with_items: '{{ checkmk_server__patches }}'
+  when: (checkmk_server__register_apt_install | changed) or
+        (checkmk_server__register_deb_install | changed)
+
+- name: Get Check_MK default version
+  stat:
+    path: '/omd/versions/default'
+  register: checkmk_server__register_default
+  check_mode: no
+
+- name: Set new default version
+  command: omd setversion '{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}'
+  when: (checkmk_server__register_default.stat.lnk_source |
+         basename) != (checkmk_server__version + checkmk_server__version_suffix)
+
+- name: Create Check_MK sites
+  include: create_sites.yml
+  with_items: '{{ checkmk_server__sites }}'
+  loop_control:
+    loop_var: site_item
+
+- name: Set site facts
+  include: facts.yml
+  with_items: '{{ checkmk_server__sites }}'
+  loop_control:
+    loop_var: site_item
+  tags: [ 'role::checkmk_server:facts' ]
+
+- name: Re-read local facts
+  action: setup
+  tags: [ 'role::checkmk_server:facts' ]

env/templates

@@ -0,0 +1 @@
+../templates

meta/main.yml

@@ -11,14 +11,21 @@ galaxy_info:
   author: Reto Gantenbein
   description: 'Setup Check_MK monitoring server'
   license: 'GPL-3.0'
-  min_ansible_version: '2.1.5'
+  min_ansible_version: '2.3.0'
 
   platforms:
 
     - name: Debian
       versions:
         - wheezy
         - jessie
+        - stretch
+    - name: Ubuntu
+      versions:
+        - trusty
+        - xenial
+        - yakkety
+        - zesty
 
   galaxy_tags:
     - debops

tasks/login.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Login on remote site
+  uri:
+    url: '{{ item.multisite_url }}/login.py'
+    method: POST
+    body: '{{ [ "_login=1",
+                "_username=" + item.multisite_username,
+                "_password=" + item.multisite_password,
+                "_origtarget=automation_login.py",
+                "_plain_error=1" ] | join("&") }}'
+    force_basic_auth: yes
+    user: '{{ item.multisite_username }}'
+    password: '{{ item.multisite_password }}'
+    status_code: 302
+    validate_certs: '{{ not item.multisite_insecure|bool }}'
+  register: checkmk_server__register_multisite_login
+  when: (not item.connection|d('remote') == 'local')
+  with_items: '{{ checkmk_server__sites }}'
+
+- name: Get Multisite distribution secrets
+  uri:
+    url: '{{ item.location }}'
+    HEADER_Cookie: '{{ item.set_cookie }}'
+    return_content: True
+    validate_certs: '{{ item.invocation.module_args.validate_certs }}'
+  register: checkmk_server__register_multisite_automation_login
+  no_log: True
+  when: not item | skipped
+  with_items: '{{ checkmk_server__register_multisite_login.results
+                  if "results" in checkmk_server__register_multisite_login else [] }}'
+
+- name: Generate distributed sites configuration
+  template:
+    src: 'etc/check_mk/multisite.d/sites.mk.j2'
+    dest: '{{ item.home }}/{{ checkmk_server__multisite_config_path }}/sites.mk'
+    owner: '{{ item.user }}'
+    group: '{{ item.group }}'
+  when: (item.connection|d('remote') == 'local')
+  with_items: '{{ checkmk_server__sites }}'