Initial commit

Signed-off-by: Julien Riou <julien@riou.xyz>

files/apt/raspi.list

@@ -0,0 +1,3 @@
+# Managed by Ansible
+deb http://mirror.unix-solutions.be/raspbian/raspbian/ buster main
+deb http://mirror.nl.leaseweb.net/raspbian/raspbian/ buster main

files/bacula/bacula-director-sqlite3.conf

@@ -0,0 +1,16 @@
+# Managed by Ansible
+dbc_install='true'
+dbc_upgrade='true'
+dbc_remove='true'
+dbc_dbtype='sqlite3'
+dbc_dbuser=''
+dbc_dbpass=''
+dbc_dballow=''
+dbc_dbserver=''
+dbc_dbport=''
+dbc_dbname='bacula.db'
+dbc_dbadmin=''
+dbc_basepath='/var/lib/bacula'
+dbc_ssl=''
+dbc_authmethod_admin=''
+dbc_authmethod_user=''

files/bacula/make_catalog_backup.pl

@@ -0,0 +1,196 @@
+#!/usr/bin/perl
+# Managed by Ansible
+#
+# Author: Eric Bollengier, Copyright, 2006-2017
+# License: BSD 2-Clause; see file LICENSE-FOSS
+
+use strict;
+
+=head1 SCRIPT
+
+  This script dumps your Bacula catalog in ASCII format
+  It works for MySQL, SQLite, and PostgreSQL
+
+=head1 USAGE
+
+    make_catalog_backup.pl [-m] MyCatalog
+
+=head1 LICENSE
+   Author: Eric Bollengier, 2010
+   License: BSD 2-Clause; see file LICENSE-FOSS
+=cut
+
+my $cat = shift or die "Usage: $0 [-m] catalogname";
+my $mode = "dump";
+
+if ($cat eq '-m') {
+    $mode = "analyse";
+    $cat = shift or die "Usage: $0 [-m] catalogname";
+}
+
+my $dir_conf='/usr/sbin/dbcheck -B -c /etc/bacula/bacula-dir.conf';
+my $wd = "/var/lib/bacula";
+
+sub dump_sqlite3
+{
+    my %args = @_;
+
+    exec("echo .dump | sqlite3 '$wd/$args{db_name}.db' > '$wd/$args{db_name}.sql'");
+    print "Error while executing sqlite dump $!\n";
+    return 1;
+}
+
+# TODO: use just ENV and drop the pg_service.conf file
+sub setup_env_pgsql
+{
+    my %args = @_;
+    my $username = getpwuid $ENV{'UID'}; 
+    umask(0077);
+
+    if ($args{db_address}) {
+        $ENV{PGHOST}=$args{db_address};
+    }
+    if ($args{db_socket}) {
+        $ENV{PGHOST}=$args{db_socket};
+    }
+    if ($args{db_port}) {
+        $ENV{PGPORT}=$args{db_port};
+    }
+    if ($args{db_user}) {
+        $ENV{PGUSER}=$args{db_user};
+    }
+    if ($args{db_password}) {
+        $ENV{PGPASSWORD}=$args{db_password};
+    }
+    $ENV{PGDATABASE}=$args{db_name};
+    system("echo '\\q' | HOME='$wd' psql") == 0 or die "$username doesn't have access to the catalog database\n";
+}
+
+sub dump_pgsql
+{
+    my %args = @_;
+    setup_env_pgsql(%args);
+    exec("HOME='$wd' pg_dump -c > '$wd/$args{db_name}.sql'");
+    print "Error while executing postgres dump $!\n";
+    return 1;               # in case of error
+}
+
+sub analyse_pgsql
+{
+    my %args = @_;
+    setup_env_pgsql(%args);
+    my @output =`LANG=C HOME='$wd' vacuumdb -z 2>&1`;
+    my $exitcode = $? >> 8;
+    print grep { !/^WARNING:\s+skipping\s\"(pg_|sql_)/ } @output;
+    if ($exitcode != 0) {
+        print "Error while executing postgres analyse. Exitcode=$exitcode\n";
+    }
+    return $exitcode;
+}
+
+sub setup_env_mysql
+{
+    my %args = @_;
+    umask(0077);
+    unlink("$wd/.my.cnf");
+    open(MY, ">$wd/.my.cnf") 
+        or die "Can't open $wd/.my.cnf for writing $@";
+
+    $args{db_address} = $args{db_address} || "localhost";
+    my $addr = "host=$args{db_address}";
+    if ($args{db_socket}) {     # unix socket is fastest than net socket
+        $addr = "socket=\"$args{db_socket}\"";
+    }
+    my $mode = $args{mode} || 'client';
+    print MY "[$mode]
+$addr
+user=\"$args{db_user}\"
+password=\"$args{db_password}\"
+";
+    if ($args{db_port}) {
+       print MY "port=$args{db_port}\n";
+    }
+    close(MY);
+}
+
+sub dump_mysql
+{
+    my %args = @_;
+
+    setup_env_mysql(%args);
+    exec("HOME='$wd' mysqldump -f --opt $args{db_name} > '$wd/$args{db_name}.sql'");
+    print "Error while executing mysql dump $!\n";
+    return 1;
+}
+
+sub analyse_mysql
+{
+    my %args = @_;
+
+    $args{mode} = 'mysqlcheck';
+    setup_env_mysql(%args);
+
+    exec("HOME='$wd' mysqlcheck -a $args{db_name}");
+    print "Error while executing mysql analyse $!\n";
+    return 1;
+}
+
+sub handle_catalog
+{
+    my ($mode, %args) = @_;
+    if ($args{db_type} eq 'SQLite3') {
+        $ENV{PATH}="/usr/bin:$ENV{PATH}";
+        if ($mode eq 'dump') {
+            dump_sqlite3(%args);
+        }
+    } elsif ($args{db_type} eq 'PostgreSQL') {
+        $ENV{PATH}="/usr/bin:$ENV{PATH}";
+        if ($mode eq 'dump') {
+            dump_pgsql(%args);
+        } else {
+            analyse_pgsql(%args);
+        }
+    } elsif ($args{db_type} eq 'MySQL') {
+        $ENV{PATH}="/usr/bin:$ENV{PATH}";
+        if ($mode eq 'dump') {
+            dump_mysql(%args);
+        } else {
+            analyse_mysql(%args);
+        }
+    } else {
+        die "This database type isn't supported";
+    }
+}
+
+open(FP, "$dir_conf -C '$cat'|") or die "Can't get catalog information $@";
+# catalog=MyCatalog
+# db_type=SQLite
+# db_name=regress
+# db_driver=
+# db_user=regress
+# db_password=
+# db_address=
+# db_port=0
+# db_socket=
+my %cfg;
+
+while(my $l = <FP>)
+{
+    if ($l =~ /catalog=(.+)/) {
+        if (exists $cfg{catalog} and $cfg{catalog} eq $cat) {
+            exit handle_catalog($mode, %cfg);
+        }
+        %cfg = ();              # reset
+    }
+
+    if ($l =~ /(\w+)=(.+)/) {
+        $cfg{$1}=$2;
+    }
+}
+
+if (exists $cfg{catalog} and $cfg{catalog} eq $cat) {
+    exit handle_catalog($mode, %cfg);
+}
+
+print "Can't find your catalog ($cat) in director configuration\n";
+exit 1;

files/nagios/apache2.conf

@@ -0,0 +1,24 @@
+# Managed by Ansible
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+
+    AuthUserFile "/etc/nagios4/htdigest.users"
+    AuthType Basic
+    AuthName "Restricted Files"
+    AuthBasicProvider file
+    AuthUserFile "/etc/nagios4/htdigest.users"
+    Require user admin
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+    Options	+ExecCGI	
+</Directory>

files/nagios/cgi.cfg

@@ -0,0 +1,27 @@
+# Managed by Ansible
+
+main_config_file=/etc/nagios4/nagios.cfg
+physical_html_path=/usr/share/nagios4/htdocs
+url_html_path=/nagios4
+show_context_help=0
+use_pending_states=1
+use_authentication=1
+use_ssl_authentication=0
+default_user_name=admin
+authorized_for_system_information=nagiosadmin
+authorized_for_configuration_information=nagiosadmin
+authorized_for_system_commands=nagiosadmin
+authorized_for_all_services=nagiosadmin
+authorized_for_all_hosts=nagiosadmin
+authorized_for_all_service_commands=nagiosadmin
+authorized_for_all_host_commands=nagiosadmin
+default_statuswrl_layout=4
+ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
+refresh_rate=90
+result_limit=100
+escape_html_tags=1
+action_url_target=_blank
+notes_url_target=_blank
+lock_author_names=1
+navbar_search_for_addresses=1
+navbar_search_for_aliases=1

files/nagios/check_timesyncd

@@ -0,0 +1,15 @@
+#!/bin/bash
+/usr/bin/timedatectl status | grep -q "NTP service: active"
+if [ $? -ne 0 ] ; then
+    echo "NTP service not active"
+    exit 1
+fi
+
+/usr/bin/timedatectl status | grep -q "System clock synchronized: yes"
+if [ $? -ne 0 ] ; then
+    echo "System clock not synchronized"
+    exit 1
+fi
+
+echo "NTP is healthy"
+exit 0

files/nagios/nagios.cfg

@@ -0,0 +1,112 @@
+# Managed by Ansible
+log_file=/var/log/nagios4/nagios.log
+cfg_dir=/etc/nagios-plugins/config
+cfg_dir=/etc/nagios4/conf.d
+cfg_file=/etc/nagios4/objects/commands.cfg
+cfg_file=/etc/nagios4/objects/contacts.cfg
+cfg_file=/etc/nagios4/objects/timeperiods.cfg
+cfg_file=/etc/nagios4/objects/templates.cfg
+object_cache_file=/var/lib/nagios4/objects.cache
+precached_object_file=/var/lib/nagios4/objects.precache
+resource_file=/etc/nagios4/resource.cfg
+status_file=/var/lib/nagios4/status.dat
+status_update_interval=10
+nagios_user=nagios
+nagios_group=nagios
+check_external_commands=1
+command_file=/var/lib/nagios4/rw/nagios.cmd
+lock_file=/var/run/nagios4/nagios4.pid
+temp_file=/var/lib/nagios4/nagios.tmp
+temp_path=/tmp
+event_broker_options=-1
+log_rotation_method=d
+log_archive_path=/var/log/nagios4/archives
+use_syslog=1
+log_notifications=1
+log_service_retries=1
+log_host_retries=1
+log_event_handlers=1
+log_initial_states=0
+log_current_states=1
+log_external_commands=1
+log_passive_checks=1
+service_inter_check_delay_method=s
+max_service_check_spread=30
+service_interleave_factor=s
+host_inter_check_delay_method=s
+max_host_check_spread=30
+max_concurrent_checks=0
+check_result_reaper_frequency=10
+max_check_result_reaper_time=30
+check_result_path=/var/lib/nagios4/spool/checkresults
+max_check_result_file_age=3600
+cached_host_check_horizon=15
+cached_service_check_horizon=15
+enable_predictive_host_dependency_checks=1
+enable_predictive_service_dependency_checks=1
+soft_state_dependencies=0
+auto_reschedule_checks=0
+auto_rescheduling_interval=30
+auto_rescheduling_window=180
+service_check_timeout=60
+host_check_timeout=30
+event_handler_timeout=30
+notification_timeout=30
+ocsp_timeout=5
+perfdata_timeout=5
+retain_state_information=1
+state_retention_file=/var/lib/nagios4/retention.dat
+retention_update_interval=60
+use_retained_program_state=1
+use_retained_scheduling_info=1
+retained_host_attribute_mask=0
+retained_service_attribute_mask=0
+retained_process_host_attribute_mask=0
+retained_process_service_attribute_mask=0
+retained_contact_host_attribute_mask=0
+retained_contact_service_attribute_mask=0
+interval_length=60
+check_for_updates=1
+bare_update_check=0
+use_aggressive_host_checking=0
+execute_service_checks=1
+accept_passive_service_checks=1
+execute_host_checks=1
+accept_passive_host_checks=1
+enable_notifications=1
+enable_event_handlers=1
+process_performance_data=0
+obsess_over_services=0
+obsess_over_hosts=0
+translate_passive_host_checks=0
+passive_host_checks_are_soft=0
+check_for_orphaned_services=1
+check_for_orphaned_hosts=1
+check_service_freshness=1
+service_freshness_check_interval=60
+service_check_timeout_state=c
+check_host_freshness=0
+host_freshness_check_interval=60
+additional_freshness_latency=15
+enable_flap_detection=1
+low_service_flap_threshold=5.0
+high_service_flap_threshold=20.0
+low_host_flap_threshold=5.0
+high_host_flap_threshold=20.0
+date_format=us
+illegal_object_name_chars=`~!$%^&*|'"<>?,()=
+illegal_macro_output_chars=`~$&|'"<>
+use_regexp_matching=0
+use_true_regexp_matching=0
+admin_email=nagios@localhost
+admin_pager=pagenagios@localhost
+daemon_dumps_core=0
+use_large_installation_tweaks=0
+enable_environment_macros=0
+debug_level=0
+debug_verbosity=1
+debug_file=/var/log/nagios4/nagios.debug
+max_debug_file_size=1000000
+allow_empty_hostgroup_assignment=0
+cfg_file=/opt/notify-by-telegram/nagios.cfg
+host_down_disable_service_checks=1

files/nagios/security.conf

@@ -0,0 +1,16 @@
+# Managed by Ansible
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+
+<DirectoryMatch "/\.svn">
+   Require all denied
+</DirectoryMatch>
+
+<DirectoryMatch "/\.git">
+   Require all denied
+</DirectoryMatch>
+
+Header set X-Content-Type-Options: "nosniff"
+Header set X-Frame-Options: "sameorigin"

files/serial2mqtt/serial2mqtt.default

@@ -0,0 +1,3 @@
+# Managed by Ansible
+# Options passed as daemon argument
+DAEMON_OPTS="-c /etc/serial2mqtt.ini -v"

files/serial2mqtt/serial2mqtt.service

@@ -0,0 +1,18 @@
+# Managed by Ansible
+
+[Unit]
+Description=Read serial port and send sensors measurements to MQTT broker
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=serial2mqtt
+Group=serial2mqtt
+EnvironmentFile=-/etc/default/serial2mqtt
+ExecStart=/opt/arduino-sensors-toolkit/serial2mqtt.py $DAEMON_OPTS
+KillMode=process
+TimeoutSec=30
+Restart=no
+
+[Install]
+WantedBy=multi-user.target

files/ssh/sshd_config

@@ -0,0 +1,8 @@
+# Managed by Ansible
+PermitRootLogin without-password
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem       sftp    /usr/lib/openssh/sftp-server

files/users/bashrc

@@ -0,0 +1,13 @@
+# Managed by Ansible
+
+if [[ ${EUID} == 0 ]] ; then
+    PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] '
+else
+    PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
+fi
+
+alias ls='ls $LS_OPTIONS'
+alias ll='ls $LS_OPTIONS -l'
+alias l='ls $LS_OPTIONS -lA'
+
+export EDITOR=vim

files/vim/vimrc

@@ -0,0 +1,6 @@
+" Managed by Ansible
+set mouse=r
+set paste
+set tabstop=4
+set shiftwidth=4
+set expandtab