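def _install_icinga_core(args):
    """
    Install the Icinga core and wire it to a freshly created MySQL database.

    Order of operations: SELinux is switched to permissive, the repoforge
    repository is enabled, the icinga/ido2db/nagios-plugins packages are
    installed, the Icinga MySQL database is created by _setup_icinga_mysql(),
    ido2db.cfg is pointed at the generated password, the site-specific
    icinga.cfg is copied in, the icinga iptables chain is added and the
    object structure is (re)built without restarting icinga.

    Args:
        args: passed through unchanged to _reload_icinga().

    Returns:
        The MySQL password generated for the "icinga" database user (the
        value returned by _setup_icinga_mysql()), so the caller can hand it
        to the icinga-web configuration.
    """
    # SECURITY: "setenforce 0" puts the whole host into SELinux permissive
    # mode and nothing visible in this function turns it back on. It is not
    # persisted either, so a reboot silently returns to enforcing mode and
    # may break the installation. TODO: ship a policy for icinga/ido2db or
    # restore enforcing mode once the setup is complete.
    x("setenforce 0")

    # NOTE(review): repoforge is a third-party repository; confirm that
    # install.rforge_repo() installs and pins its GPG key so that the
    # packages below are signature-checked by yum.
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql "
      "nagios-plugins-all nagios-plugins-nrpe")

    # Create the icinga database and a password for its user.
    icinga_sql_password = _setup_icinga_mysql()

    # Tell ido2db about the new password. The trailing False is the same
    # flag the other set_config_property() calls in this file pass; in the
    # original it had slipped inside str.format(), where an extra positional
    # argument is silently ignored, so it never reached set_config_property().
    # NOTE(review): if set_config_property() treats its arguments as regex /
    # sed expressions, a password containing special characters could be
    # mangled -- confirm against the helper's implementation.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property(
        "/etc/icinga/ido2db.cfg",
        "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password),
        False)

    # Site-specific main config, owned by the icinga service user.
    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg "
      "/etc/icinga/icinga.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Firewall chain for the icinga server, persisted to disk.
    iptables.add_icinga_chain()
    iptables.save()

    # Build the object structure; reload=False avoids an icinga restart here.
    _reload_icinga(args, reload=False)

    return icinga_sql_password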
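def _install_icinga_core(args):
    """
    Install the Icinga packages, its MySQL database and base configuration.

    Icinga binaries come from the repoforge/EPEL repositories; the database
    is created with the standard icinga schema by _setup_icinga_mysql(). The
    object base is then built by _reload_icinga() (the "hard" part, handled
    by helper functions).

    Args:
        args: forwarded to _reload_icinga().

    Returns:
        The generated password of the "icinga" MySQL user, needed later by
        the icinga-web configuration.
    """
    ido2db_cfg = "/etc/icinga/ido2db.cfg"
    icinga_cfg = "/etc/icinga/icinga.cfg"

    # SECURITY: SELinux is put into permissive mode "for now" and nothing in
    # this function re-enables it; the change is also non-persistent, so a
    # reboot returns to enforcing and may break the service. Track as TODO.
    x("setenforce 0")

    # NOTE(review): repoforge is a third-party repo; make sure
    # install.rforge_repo() installs its GPG key so yum verifies signatures.
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql "
      "nagios-plugins-all nagios-plugins-nrpe")

    # Database + user with a generated password.
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know the password has changed.
    # Bug fix: the original wrote ".format(icinga_sql_password, False)", i.e.
    # the False intended as set_config_property()'s fourth argument (as used
    # by every other call in this file) was swallowed by str.format() and
    # never passed on.
    # NOTE(review): confirm set_config_property() does not interpret the
    # password as a regex/sed replacement string.
    general.use_original_file(ido2db_cfg)
    general.set_config_property(
        ido2db_cfg,
        "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password),
        False)

    # Install the site-specific icinga.cfg and hand it to the icinga user.
    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg "
      "{1}".format(constant.SYCO_USR_PATH, icinga_cfg))
    x("chown icinga:icinga {0}".format(icinga_cfg))

    # Add and persist the icinga-server iptables chain.
    iptables.add_icinga_chain()
    iptables.save()

    # Rebuild the icinga object structure; no service restart at this point.
    _reload_icinga(args, reload=False)

    return icinga_sql_password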
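def _configure_ldap():
    """
    Write the FreeRADIUS LDAP module configuration (/etc/raddb/modules/ldap).

    The pristine file is restored first (use_original_file), then the server
    URL (always ldaps://), bind identity and password, base DN, user filter,
    base_filter and the TLS certificate paths are substituted in place.
    """
    app.print_verbose("Copying config")
    use_original_file("/etc/raddb/modules/ldap")

    ldapconf = scOpen("/etc/raddb/modules/ldap")

    # Connection: LDAPS only.
    ldapconf.replace(
        '\\t*server =.*',
        '\\tserver="ldaps://{0}"'.format(config.general.get_ldap_hostname()))

    # Bind account.
    # NOTE(review): this binds as cn=Manager, the directory administrator.
    # The httpd configs elsewhere in this file bind as the dedicated
    # cn=sssd account; FreeRADIUS only needs to search users, so the same
    # least-privilege account would be the better choice.
    ldapconf.replace(
        '\\t#identity = .*',
        '\\tidentity = "cn=Manager,{0}"'.format(config.general.get_ldap_dn()))

    # Bug fix: the original replacement text had no {0} placeholder, so the
    # argument to .format() was discarded and the literal "******" ended up
    # in the config -- every LDAP bind would then fail.
    # NOTE(review): re.escape() is applied to the *replacement* string; that
    # is only correct if scOpen.replace() consumes it as a sed/regex
    # replacement. Otherwise a password with non-alphanumerics gets stray
    # backslashes. Confirm against scopen.py.
    ldapconf.replace(
        '\\t#password = .*',
        '\\tpassword = "{0}"'.format(re.escape(app.get_ldap_admin_password())))

    # Search base and user lookup.
    ldapconf.replace(
        '\\tbasedn = .*',
        '\\tbasedn ="{0}"'.format(config.general.get_ldap_dn()))
    ldapconf.replace('\\tfilter = .*', '\\tfilter ="(uid=%u)"')
    # Only accounts marked employeeType=Sysop may authenticate through RADIUS.
    ldapconf.replace(
        '\\t#base_filter = .*',
        '\\tbase_filter = "(employeeType=Sysop)"')

    # TLS: CA to verify the server plus a client certificate/key pair.
    ldapconf.replace(
        '\\t\\t# cacertfile.*=.*',
        '\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt')
    ldapconf.replace(
        '\\t\\t# certfile.*=.*',
        '\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt')
    ldapconf.replace(
        '\\t\\t# keyfile.*=.*',
        '\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key')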
def install_mail_client(args):
    """
    Install a local postfix MTA that listens on localhost only and relays
    everything non-local to the mail relay server. Also installs mailx.

    Does nothing on hosts scheduled to run install-postfix-server, since
    the server setup supersedes the client one. See install_mail_server for
    the meaning of the individual main.cf settings.

    Args:
        args: unused; present for the command-dispatch signature.
    """
    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    install.package("postfix")

    domain = config.general.get_resolv_domain()
    main_cf_edits = [
        # e.g. monitor.syco.com
        ("#myhostname = host.domain.tld",
         "myhostname = {0}.{1}".format(get_hostname(), domain)),
        # e.g. syco.com
        ("#mydomain = domain.tld", "mydomain = {0}".format(domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen on localhost only and trust nothing but 127.0.0.1.
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost",
         "mydestination = $myhostname, localhost"),
        # Everything not addressed to this machine goes to the mail relay.
        ("#relay_domains = $mydestination", "relay_domains = {0}".format(domain)),
        ("#relayhost = $mydomain",
         "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name())),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    # main.cf is edited in place without restoring a pristine copy first, so
    # on a re-run the patterns no longer match and the replaces are no-ops.
    main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old_line, new_line in main_cf_edits:
        main_cf.replace(old_line, new_line)

    # Simple mail CLI tool.
    install_mailx()

    # NOTE(review): this opens the *mail-relay* iptables chain on a host that
    # only listens on localhost; confirm that chain is what a client needs.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Test mail to the syco admin.
    send_test_mail((None, config.general.get_admin_email()))
def install_mail_server(args):
    """
    Install a postfix mail relay that listens on the DMZ (front and back
    networks) and relays towards the internet. Mail can also be sent from
    localhost. Also installs mailx.

    Args:
        args: unused; present for the command-dispatch signature.
    """
    version.Version("Install-postfix-server", SCRIPT_VERSION).check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    props = PostFixProperties()

    install.package("postfix")

    def set_main_cf(old_line, new_line):
        main_cf.replace(old_line, new_line)

    # main.cf is edited in place (no use_original_file() first), so the
    # replace() calls only take effect on a pristine file.
    main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is the full canonical name of the machine (e.g. mailrelay.syco.com).
    set_main_cf("#myhostname = host.domain.tld",
                "myhostname = {0}".format(config.general.get_mail_relay_domain_name()))
    # e.g. syco.com
    set_main_cf("#mydomain = domain.tld",
                "mydomain = {0}".format(config.general.get_resolv_domain()))
    set_main_cf("#myorigin = $mydomain", "myorigin = $myhostname")

    # Accept mail from the front and back networks.
    # SECURITY: every host in mynetworks may relay through this server, so
    # the two networks below must be fully under your control.
    set_main_cf("inet_interfaces = localhost",
                "inet_interfaces = 127.0.0.1,{0},{1}".format(props.server_front_ip,
                                                             props.server_back_ip))
    set_main_cf("#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
                "mynetworks = {0}, {1}, 127.0.0.0/8".format(props.server_network_front,
                                                             props.server_network_back))

    # No relay domains: deliver straight to the internet; only mynetworks
    # clients may relay.
    set_main_cf("#relay_domains = $mydestination", "relay_domains =")
    set_main_cf("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    # Silence the IPv6 warning.
    set_main_cf("inet_protocols = all", "inet_protocols = ipv4")

    install_mailx()

    # Firewall (and nrpe) bookkeeping for a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()
    x("service postfix restart")

    # Test mail to the syco admin.
    send_test_mail((None, config.general.get_admin_email()))
def install_mail_server(args):
    """
    Install a postfix-based mail relay that listens on the DMZ and relays
    towards the internet. Sending from localhost is also possible. Also
    installs mailx.

    Args:
        args: unused; present for the command-dispatch signature.

    NOTE(review): server_front_ip, server_back_ip, server_front_network and
    server_back_network are not defined in this function; they are presumably
    module-level values -- verify they are set before this runs.
    """
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose(
        "Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    install.package("postfix")

    relay_name = config.general.get_mail_relay_domain_name()
    domain = config.general.get_resolv_domain()

    edits = [
        # Hostname is the full canonical name, e.g. mailrelay.syco.com.
        ("#myhostname = host.domain.tld", "myhostname = {0}".format(relay_name)),
        # e.g. syco.com
        ("#mydomain = domain.tld", "mydomain = {0}".format(domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Accept mail from front- and backnet. SECURITY: everything listed in
        # mynetworks may relay through this host.
        ("inet_interfaces = localhost",
         "inet_interfaces = 127.0.0.1,{0},{1}".format(server_front_ip, server_back_ip)),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
         "mynetworks = {0}, {1}, 127.0.0.0/8".format(server_front_network, server_back_network)),
        # Nothing special is relayed; non-local mail goes straight to the internet.
        ("#relay_domains = $mydestination", "relay_domains ="),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        # Silence the IPv6 warning.
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    # Edited in place; a pristine main.cf is not restored first.
    main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old_line, new_line in edits:
        main_cf.replace(old_line, new_line)

    # Simple mail CLI tool.
    install_mailx()

    # Firewall and nrpe bookkeeping for a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()
    x("service postfix restart")

    send_test_mail((None, config.general.get_admin_email()))
def _modify_configs():
    """
    Adjust the OpenVAS/Greenbone Security Assistant daemon config
    (/etc/sysconfig/gsad): bind to all interfaces and enable the
    server key/certificate from the OpenVAS CA.

    SECURITY: GSA_ADDRESS=0.0.0.0 exposes the web UI on every interface;
    nothing here restricts access, so the caller must ensure the firewall
    only admits trusted networks.

    NOTE(review): the replacement "0\\.0\\.0\\.0" contains regex-style
    escapes; that only produces "0.0.0.0" on disk if scOpen.replace() runs
    the text through sed (or similar). Confirm the resulting file content.
    """
    app.print_verbose('Modify config.')

    gsad_sysconfig = "/etc/sysconfig/gsad"
    general.use_original_file(gsad_sysconfig)
    gsad_conf = scOpen(gsad_sysconfig)

    substitutions = (
        (r"^GSA_ADDRESS=127\.0\.0\.1", r"GSA_ADDRESS=0\.0\.0\.0"),
        (r"^#GSA_SSL_PRIVATE_KEY=",
         "GSA_SSL_PRIVATE_KEY=/var/lib/openvas/private/CA/serverkey.pem"),
        (r"^#GSA_SSL_CERTIFICATE=",
         "GSA_SSL_CERTIFICATE=/var/lib/openvas/CA/servercert.pem"),
    )
    for pattern, replacement in substitutions:
        gsad_conf.replace(pattern, replacement)
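def _configure_ldap():
    """
    Configure the FreeRADIUS LDAP module in /etc/raddb/modules/ldap.

    Restores the pristine file, then sets: LDAPS server URL, bind DN and
    password, base DN, user filter, base_filter (Sysop accounts only) and
    the TLS CA/client certificate paths.
    """
    app.print_verbose("Copying config")
    use_original_file("/etc/raddb/modules/ldap")

    ldap_dn = config.general.get_ldap_dn()
    ldapconf = scOpen("/etc/raddb/modules/ldap")

    # Server: LDAPS only.
    ldapconf.replace(
        '\\t*server =.*',
        '\\tserver="ldaps://{0}"'.format(config.general.get_ldap_hostname())
    )

    # NOTE(review): cn=Manager is the directory administrator; the httpd
    # configs in this file use the dedicated cn=sssd account instead. A
    # read-only service account is sufficient for RADIUS user lookups.
    ldapconf.replace(
        '\\t#identity = .*',
        '\\tidentity = "cn=Manager,{0}"'.format(ldap_dn)
    )

    # Bug fix: the replacement text previously contained no "{0}", so the
    # .format() argument was dropped and a literal "******" was written as
    # the bind password.
    # NOTE(review): whether re.escape() belongs on a *replacement* string
    # depends on how scOpen.replace() substitutes (sed vs re.sub); verify
    # that a password with special characters survives intact.
    ldapconf.replace(
        '\\t#password = .*',
        '\\tpassword = "{0}"'.format(re.escape(app.get_ldap_admin_password()))
    )

    # Search base and per-user filter.
    ldapconf.replace(
        '\\tbasedn = .*',
        '\\tbasedn ="{0}"'.format(ldap_dn)
    )
    ldapconf.replace(
        '\\tfilter = .*',
        '\\tfilter ="(uid=%u)"'
    )
    # Restrict RADIUS logins to accounts flagged employeeType=Sysop.
    ldapconf.replace(
        '\\t#base_filter = .*',
        '\\tbase_filter = "(employeeType=Sysop)"'
    )

    # TLS material: CA for server verification plus client cert/key.
    ldapconf.replace(
        '\\t\\t# cacertfile.*=.*',
        '\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt'
    )
    ldapconf.replace(
        '\\t\\t# certfile.*=.*',
        '\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt'
    )
    ldapconf.replace(
        '\\t\\t# keyfile.*=.*',
        '\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key'
    )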
def _enable_ldap():
    """
    Enable LDAP authentication in the default FreeRADIUS site.

    Restores the pristine /etc/raddb/sites-enabled/default and then
    uncomments the first "#\\tldap" line (awk, first match only), going
    through a .tmp file that is copied back over the original and removed.
    """
    site_default = "/etc/raddb/sites-enabled/default"
    site_tmp = site_default + ".tmp"

    use_original_file(site_default)

    # Uncomment only the first "#\tldap" occurrence; "1" at the end prints
    # every line (modified or not).
    awk_program = r"""'/^[#]\tldap/{c++;if(c==1){sub("^[#]\tldap","\tldap")}}1'"""
    x("/usr/bin/awk {0} {1} > {2}".format(awk_program, site_default, site_tmp))

    # Copy (rather than move) so the destination keeps its inode/mode.
    x("cp -f {0} {1}".format(site_tmp, site_default))
    x("rm -f {0}".format(site_tmp))
def _install_pnp4nagios():
    """
    Install PNP4Nagios and make it cooperate with Icinga instead of Nagios.

    PNP4Nagios targets Nagios, so the EPEL package needs a few fixes: the
    Apache auth realm/password file are pointed at Icinga's, npcd gets a
    config prepared for Icinga, the log/spool/lib directories are chowned to
    the icinga user, and the Apache config is replaced by a template that
    authenticates against LDAP. Performance data flows Icinga -> npcd (bulk
    mode, see http://docs.pnp4nagios.org/_detail/bulk.png) -> RRD files.
    """
    httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    npcd_cfg = "/etc/pnp4nagios/npcd.cfg"

    # Packages come from EPEL.
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # The package points Apache at the nagios htpasswd file, which does not exist here.
    # NOTE(review): these two edits appear to be discarded further down, where
    # the same file is removed and replaced by the site template (depending on
    # what use_original_file() restores). Kept for parity; confirm and drop.
    general.use_original_file(httpd_conf)
    general.set_config_property(httpd_conf,
                                'AuthName "Nagios Access"',
                                'AuthName "Icinga Access"', False)
    general.set_config_property(httpd_conf,
                                "AuthUserFile /etc/nagios/passwd",
                                "AuthUserFile /etc/icinga/passwd", False)

    # npcd config prepared for icinga rather than nagios.
    x("cp {0}syco-private/var/nagios/npcd.cfg {1}".format(constant.SYCO_USR_PATH, npcd_cfg))
    x("chown icinga:icinga {0}".format(npcd_cfg))

    # The package does not create the process-perfdata log and PNP bails without it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Everything PNP writes must belong to icinga. (Adding icinga to the
    # nagios group instead would tie us to the Nagios package state.)
    for pnp_dir in ("/var/log/pnp4nagios", "/var/spool/pnp4nagios", "/var/lib/pnp4nagios"):
        x("chown -R icinga:icinga {0}".format(pnp_dir))

    # Auto-start the bulk parser/spooler.
    x(" /sbin/chkconfig --level 3 npcd on")

    # LDAP login for the PNP web UI: drop in the site template and fill in
    # the bind account.
    # SECURITY: the resulting file holds the sssd bind password in clear
    # text and "cp -p" keeps the template's mode -- make sure that mode is
    # not world-readable (httpd reads its config as root, so 0600 suffices).
    general.use_original_file(httpd_conf)
    x("rm -f {0}".format(httpd_conf))
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}",
                   "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))

    # Restart everything.
    for service_name in ("icinga", "httpd", "npcd"):
        x("service {0} restart".format(service_name))
def install_mail_client(args):
    """
    Install a local postfix MTA that accepts mail on localhost and relays
    everything to the mail relay server. Also installs mailx.

    Aborts early on hosts that will later run install-postfix-server. See
    the line comments in install_mail_server for the individual settings.

    Args:
        args: unused; kept for the command-dispatch signature.
    """
    this_host = config.host(net.get_hostname())
    if this_host.has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    install.package("postfix")

    # Edited in place; a pristine main.cf is not restored first, so the
    # replacements only match on a fresh install.
    main_cf = scopen.scOpen("/etc/postfix/main.cf")

    def set_main_cf(old_line, new_line):
        main_cf.replace(old_line, new_line)

    domain = config.general.get_resolv_domain()

    # e.g. monitor.syco.com
    set_main_cf("#myhostname = host.domain.tld",
                "myhostname = {0}.{1}".format(get_hostname(), domain))
    # e.g. syco.com
    set_main_cf("#mydomain = domain.tld", "mydomain = {0}".format(domain))
    set_main_cf("#myorigin = $mydomain", "myorigin = $myhostname")

    # Localhost only: no external listener and no trusted networks.
    set_main_cf("inet_interfaces = localhost", "inet_interfaces = localhost")
    set_main_cf("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    set_main_cf("mydestination = $myhostname, localhost.$mydomain, localhost",
                "mydestination = $myhostname, localhost")

    # Anything not for this machine is handed to the mail relay.
    set_main_cf("#relay_domains = $mydestination", "relay_domains = {0}".format(domain))
    set_main_cf("#relayhost = $mydomain",
                "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name()))
    set_main_cf("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    set_main_cf("inet_protocols = all", "inet_protocols = ipv4")

    # Simple mail CLI tool.
    install_mailx()

    # NOTE(review): the mail-relay iptables chain is opened on a
    # localhost-only client; verify this is the intended chain.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Test mail to the syco admin.
    send_test_mail((None, config.general.get_admin_email()))
def _modify_configs():
    """
    Modify the OpenVAS gsad sysconfig: listen on all addresses and use the
    OpenVAS CA server key/certificate for TLS.

    SECURITY: binding GSA_ADDRESS to 0.0.0.0 publishes the scanner's web
    UI on every interface; access control must come from the firewall,
    which this function does not touch.

    NOTE(review): "0\\.0\\.0\\.0" in the replacement is regex-escaped text;
    it only becomes "0.0.0.0" in the file if scOpen.replace() substitutes
    via sed-style processing. Check the written file.
    """
    app.print_verbose('Modify config.')

    general.use_original_file("/etc/sysconfig/gsad")
    gsad = scOpen("/etc/sysconfig/gsad")

    listen_old = r"^GSA_ADDRESS=127\.0\.0\.1"
    listen_new = r"GSA_ADDRESS=0\.0\.0\.0"
    gsad.replace(listen_old, listen_new)

    gsad.replace(r"^#GSA_SSL_PRIVATE_KEY=",
                 "GSA_SSL_PRIVATE_KEY=/var/lib/openvas/private/CA/serverkey.pem")
    gsad.replace(r"^#GSA_SSL_CERTIFICATE=",
                 "GSA_SSL_CERTIFICATE=/var/lib/openvas/CA/servercert.pem")
def _enable_ldap():
    """
    Enable LDAP auth in /etc/raddb/sites-enabled/default.

    The pristine file is restored, then the first commented "#\\tldap" line
    is uncommented with awk (first match only) via a temporary file that is
    copied back and deleted.
    """
    default_site = "/etc/raddb/sites-enabled/default"
    use_original_file(default_site)

    # First "#\tldap" occurrence only; the trailing "1" prints every line.
    awk_cmd = "/usr/bin/awk %s %s > %s.tmp" % (
        r"""'/^[#]\tldap/{c++;if(c==1){sub("^[#]\tldap","\tldap")}}1'""",
        default_site,
        default_site,
    )
    x(awk_cmd)

    # cp keeps the original file's inode and mode; then drop the temp file.
    x("cp -f %s.tmp %s" % (default_site, default_site))
    x("rm -f %s.tmp" % default_site)
def _install_pnp4nagios():
    """
    Install PNP4Nagios from EPEL and patch it to run under Icinga.

    PNP4Nagios is designed for Nagios; here the Apache auth realm and
    password file are switched to Icinga's, npcd gets an Icinga-ready
    config, the PNP data directories are handed to the icinga user, and the
    Apache config is replaced by an LDAP-authenticating template. npcd spools
    data from Icinga into Round Robin Databases (bulk mode, see
    http://docs.pnp4nagios.org/_detail/bulk.png).
    """
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # PNP4 expects the nagios password file, which will not exist.
    # NOTE(review): these edits seem to be overwritten below when the whole
    # file is removed and replaced by the site template (subject to what
    # use_original_file() restores). Left as-is for behavior parity.
    general.use_original_file("/etc/httpd/conf.d/pnp4nagios.conf")
    general.set_config_property(
        "/etc/httpd/conf.d/pnp4nagios.conf",
        'AuthName "Nagios Access"',
        'AuthName "Icinga Access"',
        False)
    general.set_config_property(
        "/etc/httpd/conf.d/pnp4nagios.conf",
        "AuthUserFile /etc/nagios/passwd",
        "AuthUserFile /etc/icinga/passwd",
        False)

    # npcd config prepped for icinga instead of nagios.
    x("cp %ssyco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg" % constant.SYCO_USR_PATH)
    x("chown icinga:icinga /etc/pnp4nagios/npcd.cfg")

    # The package does not create the process-perfdata log; PNP fails without it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # icinga (not nagios) owns the PNP data. Adding icinga to the nagios group
    # would create a dependency on PNP/Nagios package state instead.
    x("chown -R icinga:icinga /var/log/pnp4nagios")
    x("chown -R icinga:icinga /var/spool/pnp4nagios")
    x("chown -R icinga:icinga /var/lib/pnp4nagios")

    # npcd (bulk parser/spooler) starts at boot.
    x(" /sbin/chkconfig --level 3 npcd on")

    # LDAP login for PNP4Nagios: site template with the bind account filled in.
    # SECURITY: the file will contain the sssd bind password in clear text;
    # "cp -p" preserves the template's mode, so keep that template 0600.
    general.use_original_file("/etc/httpd/conf.d/pnp4nagios.conf")
    x("rm -f /etc/httpd/conf.d/pnp4nagios.conf")
    x("cp -p %sicinga/pnp4nagios.conf /etc/httpd/conf.d/" % constant.SYCO_VAR_PATH)
    htconf = scopen.scOpen("/etc/httpd/conf.d/pnp4nagios.conf")
    bind_dn = "cn=sssd,%s" % config.general.get_ldap_dn()
    ldap_url = "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                          config.general.get_ldap_dn())
    htconf.replace("${BIND_DN}", bind_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}", ldap_url)

    # Restart everything.
    x("service icinga restart")
    x("service httpd restart")
    x("service npcd restart")
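def _disable_all_repos_in_file(repofile):
    """
    Disable every yum repository defined in *repofile*.

    Each section of a .repo file is one repository; its "enabled" option is
    set to "0" and the file is written back. use_original_file() is called
    first to keep a copy of the untouched file.

    Args:
        repofile: path to a yum .repo file.

    Note: ConfigParser rewrites the whole file, so comments and original
    formatting are lost.
    """
    parser = ConfigParser.SafeConfigParser()

    # ConfigParser.read() silently skips files it cannot open and returns
    # only the names it actually parsed. Without this guard a missing or
    # unreadable file would be replaced by an empty one below.
    if repofile not in parser.read(repofile):
        app.print_verbose("Could not read {0}, no repos disabled.".format(repofile))
        return

    for section in parser.sections():
        parser.set(section, "enabled", "0")
        app.print_verbose("Disabled [{0}] in file :{1}".format(section, repofile))

    # Back up the original, then overwrite it in text mode (ConfigParser
    # writes str; binary mode would fail on Python 3).
    use_original_file(repofile)
    with open(repofile, 'w') as handle:
        parser.write(handle)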
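def _disable_all_repos_in_file(repofile):
    """
    Set "enabled = 0" for every repository section in the yum config
    *repofile* and write the file back.

    A backup of the untouched file is taken with use_original_file() right
    before it is overwritten. Comments and formatting are not preserved
    (ConfigParser regenerates the file).

    Args:
        repofile: path to the .repo file to disable.
    """
    parser = ConfigParser.SafeConfigParser()

    # read() returns the list of files it managed to parse; a missing or
    # unreadable file yields an empty list. Bail out instead of writing an
    # empty repo file in its place.
    parsed = parser.read(repofile)
    if not parsed:
        app.print_verbose("Could not read {0}, no repos disabled.".format(repofile))
        return

    # One section per repository.
    for section in parser.sections():
        parser.set(section, "enabled", "0")
        app.print_verbose("Disabled [{0}] in file :{1}".format(
            section, repofile))

    # Keep a copy of the original in case the rewrite goes wrong, then
    # flush the parser state to disk (text mode: ConfigParser writes str).
    use_original_file(repofile)
    with open(repofile, 'w') as handle:
        parser.write(handle)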
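def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    """
    Configure icinga-web: MySQL credentials, LDAP user auth and timezone.

    Args:
        icinga_db_pass: MySQL password of the "icinga" (IDO) database user.
        web_sqlpassword: MySQL password of the icinga-web database user.

    Watch out: the repoforge package drops an icinga-web folder in /etc/
    with a few XML files that are pulled into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags, whereas
    the icinga-web documentation assumes the standard configs. Debugging
    (and searching for answers) is easier if those includes are simply not
    loaded, which is achieved by not granting apache permissions on them.
    """
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    # Bug fix: the original path was "/etc/httpd/conf.d/icinga-web.conf "
    # with a trailing space. The shell commands tolerated it, but scOpen()
    # was handed a filename that does not exist.
    httpd_conf = "/etc/httpd/conf.d/icinga-web.conf"

    # Database DSNs. The passwords are embedded in mysql:// URLs, so a
    # password containing URL-reserved characters (@ : / ?) breaks the DSN.
    # NOTE(review): the stock DSN user is "icinga_web" but the replacement
    # writes "icinga-web" -- confirm which user the database setup creates.
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False)

    # LDAP login: replace the stock httpd config with the site template and
    # fill in the bind account.
    # SECURITY: the file ends up holding the sssd bind password in clear
    # text; "cp -p" keeps the template's mode, so keep that mode tight
    # (httpd reads its config as root, 0600 is enough).
    general.use_original_file(httpd_conf)
    x("rm -f {0}".format(httpd_conf))
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                   config.general.get_ldap_dn()))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        'default_locale="en"',
        'default_locale="en" default_timezone="CET"',
        False)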
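def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    """
    Set icinga-web configuration: MySQL passwords, LDAP login and timezone.

    Args:
        icinga_db_pass: password of the "icinga" MySQL user (IDO database).
        web_sqlpassword: password of the icinga-web MySQL user.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files that get linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags. The
    icinga-web documentation assumes the standard configs, so it is easier
    to debug (and search for help) when those includes are not loaded --
    which is what not setting apache permissions on them achieves.
    """
    # Fixed: the original used "/etc/httpd/conf.d/icinga-web.conf " (note
    # the trailing space) for use_original_file(), rm and scOpen(); only
    # the shell command was forgiving about it.
    httpd_conf = "/etc/httpd/conf.d/icinga-web.conf"
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"

    # Database passwords, embedded in mysql:// DSNs. Passwords containing
    # URL-reserved characters would need percent-encoding here.
    # NOTE(review): the replacement switches the user name from "icinga_web"
    # to "icinga-web"; verify that matches the user actually created.
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False
    )
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False
    )

    # LDAP login through the site's httpd template.
    # SECURITY: this file will contain the sssd bind password in clear text
    # and "cp -p" preserves the template's permissions -- keep them 0600.
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}",
                   "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    general.use_original_file("/usr/share/icinga-web/app/config/translation.xml")
    general.set_config_property("/usr/share/icinga-web/app/config/translation.xml",
                                'default_locale="en"',
                                'default_locale="en" default_timezone="CET"',
                                False)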
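def install_mail_server(args):
    """
    Install a postfix mail relay that listens on the DMZ and relays towards
    the internet. Mail can also be sent from localhost. Also installs mailx.

    Args:
        args: unused; present for the command-dispatch signature.

    Side effects: installs postfix and augeas, rewrites /etc/postfix/main.cf
    and /etc/postfix/virtual, opens the mail-relay iptables chain, restarts
    postfix and sends a test mail to the admin and every virtual alias.
    """
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    init_properties = PostFixProperties()

    x("yum install -y postfix augeas")
    augeas = Augeas(x)

    # main.cf is edited in place (no pristine copy restored first).
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is the full canonical name of the machine, e.g. mailrelay.syco.com.
    postfix_main_cf.replace("#myhostname = host.domain.tld",
                            "myhostname = {0}".format(config.general.get_mail_relay_domain_name()))
    # e.g. syco.com
    postfix_main_cf.replace("#mydomain = domain.tld",
                            "mydomain = {0}".format(config.general.get_resolv_domain()))
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen on every address of this server and trust the configured networks.
    # SECURITY: every client inside mynetworks may relay through this host,
    # so server_networks must only contain networks you control.
    augeas.set_enhanced("/files/etc/postfix/main.cf/inet_interfaces",
                        ",".join(init_properties.server_ips))
    augeas.set_enhanced("/files/etc/postfix/main.cf/mynetworks",
                        ",".join(init_properties.server_networks))

    # No relay domains: non-local mail goes straight to the internet.
    postfix_main_cf.replace("#relay_domains = $mydestination", "relay_domains =")
    postfix_main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    # Stop warnings about IPv6.
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    _configure_virtual_aliases(augeas, init_properties)

    # Simple mail CLI tool.
    install_mailx()

    # Firewall and nrpe bookkeeping for a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()
    x("service postfix restart")

    # Test mail to the syco admin and to every virtual alias address.
    send_test_mail((None, config.general.get_admin_email()),
                   init_properties.virtual_aliases.keys())


def _configure_virtual_aliases(augeas, init_properties):
    """
    Point main.cf at /etc/postfix/virtual and populate it from
    init_properties.virtual_aliases ({from_address: to_address}).

    Bug fix: virtual_alias_maps is always set to hash:/etc/postfix/virtual,
    but the original only ran postmap when aliases existed, leaving postfix
    with a map whose .db file does not exist otherwise. The map is now always
    built.

    Args:
        augeas: the Augeas wrapper used to edit postfix files.
        init_properties: PostFixProperties with virtual_aliases and
            virtual_alias_domains.
    """
    virtual_file = "/etc/postfix/virtual"

    augeas.set("/files/etc/postfix/main.cf/virtual_alias_maps", "hash:" + virtual_file)
    if init_properties.virtual_alias_domains:
        augeas.set("/files/etc/postfix/main.cf/virtual_alias_domains",
                   init_properties.virtual_alias_domains)

    # Add each alias unless it already exists, in which case only its
    # destination is updated.
    # NOTE(review): alias addresses are interpolated into an XPath with
    # single quotes; an address containing "'" would break the expression.
    for alias_from, alias_to in init_properties.virtual_aliases.items():
        pattern_node = "/files/etc/postfix/virtual/pattern[. = '%s']" % alias_from
        if augeas.find_entries(pattern_node):
            augeas.set_enhanced(pattern_node + "/destination", alias_to)
        else:
            # Append from Python instead of "echo ... >> file" via the shell,
            # so alias values are never subject to shell interpretation.
            with open(virtual_file, "a") as handle:
                handle.write("%s %s\n" % (alias_from, alias_to))

    # Always (re)build virtual.db so the map referenced from main.cf exists,
    # even when no aliases are configured.
    x("touch " + virtual_file)
    x("postmap " + virtual_file)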