add munin monitoring

roles/configure_iptables/templates/ip6tables.rules

@@ -31,13 +31,15 @@ COMMIT
 
 # SSH-Server
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+# nginx
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+# munin
+-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
 
 {% if 'fastd' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
-# nginx
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
 # fastd
@@ -85,8 +87,8 @@ COMMIT
 -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
 {% if 'ffrl_uplink' in group_names %}
 {% for peer in ffrl_peers %}
-iptables -A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-iptables -A FORWARD -o {{ peer.name }} -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -o {{ peer.name }} -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 {% endfor %}
 {% endif %}
 COMMIT

roles/configure_iptables/templates/iptables.rules

@@ -31,6 +31,8 @@ COMMIT
 
 # SSH-Server
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+# nginx
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 
 {% if 'fastd' in group_names %}
 # dns
@@ -40,8 +42,6 @@ COMMIT
 {% for site in sites %}
 -I INPUT -i bat{{ site.name }} -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 {% endfor %}
-# nginx
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
 # fastd
@@ -71,8 +71,8 @@ COMMIT
 -A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT
 {% if 'ffrl_uplink' in group_names %}
 {% for peer in ffrl_peers %}
-iptables -A FORWARD -i {{ peer.name }} -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-iptables -A FORWARD -o {{ peer.name }} -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -i {{ peer.name }} -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -o {{ peer.name }} -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 {% endfor %}
 {% endif %}
 

roles/install_monitoring/files/munin/munin_fastd_conf

@@ -1,5 +0,0 @@
-[fastd_*]
-user root
-group root
-env.socketfile /run/ffmyk.socket
-

roles/install_monitoring/files/munin/munin_fastd_peers

@@ -0,0 +1,73 @@
+#!/usr/bin/perl -w
+# -*- perl -*-
+
+=head1 NAME
+
+fastd_peers_ - Plugin to monitor fastd peers
+
+=head1 CONFIGURATION
+
+Set user and group to have access to the socket
+Set path to socketfile if not /tmp/fastd.sock
+
+    [fastd_peers_*]
+    user fastd
+    group fastd
+    env.socketfile /tmp/fastd.sock
+
+=head1 USAGE
+
+Link this plugin to /etc/munin/plugins/
+
+After creating the links, restart munin-node. Don't forget to configure the plugin!
+
+=head1 AUTHORS
+
+Dominique Goersch <mail@dgoersch.info>
+Niklas Yann Wettengel <niyawe@niyawe.de>
+
+=head1 LICENSE
+
+GPLv2
+
+=head1 MAGIC MARKERS
+
+ #%# family=manual
+
+=cut
+
+
+use strict;
+use warnings;
+use File::Basename;
+use IO::Socket::UNIX qw( SOCK_STREAM );
+use JSON;
+
+if ($ARGV[0] and $ARGV[0] eq "config") {                                                #config graph
+	print "graph_title fastd peers\n";
+	print "graph_info This graph shows the peers of the fastd on this supernode\n";
+	print "graph_args -l 0\n";
+	print "graph_scale no\n";
+	print "graph_vlabel peers count\n";
+	print "graph_category fastd\n";
+	print "peers.label peers\n";
+	print "peers.draw AREA\n";
+    exit 0;
+}
+
+
+my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock";    #get path to socket from environment or use default
+my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile)             #open socket
+   or die("Can't connect to server: $!\n");
+
+my $fastdstatus = "";
+foreach my $line (<$socket>) {$fastdstatus .= $line;}                                   #read contents from socket
+my $json = decode_json($fastdstatus);                                                   #decode json
+
+#my $fastd_peers      = scalar(keys(%{$json->{peers}}));                                 #get number of peers from json
+my $fastd_peers = 0;
+for my $key (keys(%{$json->{peers}})) {
+	$fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
+}
+
+print "peers.value $fastd_peers\n";                                                 #return number of peers

roles/install_monitoring/files/munin/munin_fastd_traffic

@@ -0,0 +1,79 @@
+#!/usr/bin/perl -w
+# -*- perl -*-
+
+=head1 NAME
+
+fastd_traffic_ - Plugin to monitor fastd traffic
+
+=head1 CONFIGURATION
+
+Set user and group to have access to the socket
+Set path to socketfile if not /tmp/fastd.sock
+
+    [fastd_traffic_*]
+    user fastd
+    group fastd
+    env.socketfile /tmp/fastd.sock
+
+=head1 USAGE
+
+Link this plugin to /etc/munin/plugins/ 
+
+After creating the links, restart munin-node. Don't forget to configure the plugin!
+
+=head1 AUTHORS
+
+Dominique Goersch <mail@dgoersch.info>
+Niklas Yann Wettengel <niyawe@niyawe.de>
+
+=head1 LICENSE
+
+GPLv2
+
+=head1 MAGIC MARKERS
+
+ #%# family=manual
+
+=cut
+
+
+use strict;
+use warnings;
+use File::Basename;
+use IO::Socket::UNIX qw( SOCK_STREAM );
+use JSON;
+
+if ($ARGV[0] and $ARGV[0] eq "config") {                                                #config graph
+	print "graph_order down up\n";
+	print "graph_title fastd traffic\n";
+	print "graph_args --base 1000\n";
+	print "graph_vlabel bits in (-) / out (+) per second\n";
+	print "graph_category fastd\n";
+	print "graph_info This graph shows the traffic of fast.\n";
+	print "down.label received\n";
+	print "down.type DERIVE\n";
+	print "down.graph no\n";
+	print "down.cdef down,8,*\n";
+	print "down.min 0\n";
+	print "up.label bps\n";
+	print "up.type DERIVE\n";
+	print "up.negative down\n";
+	print "up.cdef up,8,*\n";
+	print "up.min 0\n";
+    exit 0;
+}
+
+
+my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock";    #get path to socket from environment or use default
+my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile)             #open socket
+   or die("Can't connect to server: $!\n");
+
+my $fastdstatus = "";
+foreach my $line (<$socket>) {$fastdstatus .= $line;}                                   #read contents from socket
+my $json = decode_json($fastdstatus);                                                   #decode json
+
+my $fastd_rx_bytes   = $json->{statistics}->{rx}->{bytes};                              #get recieved bytes from json
+my $fastd_tx_bytes   = $json->{statistics}->{tx}->{bytes};                              #get transmittetd bytes from json
+
+print "up.value $fastd_tx_bytes\n";                                                 #return transmitted bytes
+print "down.value $fastd_rx_bytes\n";                                               #and recieved bytes

roles/install_monitoring/files/munin/munin_global_conf

@@ -1,6 +1,6 @@
 [fw_*]
   user root
 
-[if_ens3]
+[if_ens*]
   env.speed 1000
 

roles/install_monitoring/tasks/install_munin.yml

@@ -10,23 +10,65 @@
       dest: /etc/munin/munin-node.conf
   notify: restart munin-node
 
-- name: copy fastd plugin
+- name: install perl-json
+  pacman:
+      name: perl-json
+      state: present
+  when: "'fastd' in group_names"
+
+- name: copy fastd peers plugin
+  copy:
+      src: munin/munin_fastd_peers
+      dest: /usr/lib/munin/plugins/fastd_peers_
+      mode: 0755
+  when: "'fastd' in group_names"
+
+- name: copy fastd traffic plugin
   copy:
-      src: munin/munin_fastd_plugin
-      dest: /usr/lib/munin/plugins/fastd_
+      src: munin/munin_fastd_traffic
+      dest: /usr/lib/munin/plugins/fastd_traffic_
       mode: 0755
+  when: "'fastd' in group_names"
+
+- name: enable munin plugins for fastd peers
+  file:
+      path: /etc/munin/plugins/fastd_peers_ff{{ item.name }}
+      src: /usr/lib/munin/plugins/fastd_peers_
+      state: link
+  with_items: "{{ sites }}"
+  notify: restart munin-node
+  when: "'fastd' in group_names"
+
+- name: enable munin plugins for fastd traffic
+  file:
+      path: /etc/munin/plugins/fastd_traffic_ff{{ item.name }}
+      src: /usr/lib/munin/plugins/fastd_traffic_
+      state: link
+  with_items: "{{ sites }}"
+  notify: restart munin-node
+  when: "'fastd' in group_names"
+
+- name: copy fastd plugin config
+  template:
+      src: munin_fastd_conf.j2
+      dest: /etc/munin/plugin-conf.d/fastd
+  notify: restart munin-node
+  when: "'fastd' in group_names"
 
 - name: copy dhcp-pool plugin
   copy:
       src: munin/munin_dhcp_pool_plugin
       dest: /usr/lib/munin/plugins/dhcp-pool
       mode: 0755
+  when: "'fastd' in group_names"
 
-- name: copy fastd plugin config
-  copy:
-      src: munin/munin_fastd_conf
-      dest: /etc/munin/plugin-conf.d/fastd
+- name: enable munin plugins for dhcp
+  file:
+      path: /etc/munin/plugins/dhcp-pool
+      src: /usr/lib/munin/plugins/dhcp-pool
+      state: link
   notify: restart munin-node
+  when: "'fastd' in group_names"
 
 - name: copy global config
   copy:
@@ -44,17 +86,109 @@
       name: perl-lwp-protocol-https
       state: present
 
-- name: install perl-json
-  pacman:
-      name: perl-json
-      state: present
+- name: enable munin plugins for network monitoring (1/8)
+  file:
+      path: /etc/munin/plugins/if_{{ ansible_default_ipv4.interface }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+
+- name: enable munin plugins for network monitoring (2/8)
+  file:
+      path: /etc/munin/plugins/if_{{ ansible_default_ipv6.interface }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+
+- name: enable munin plugins for network monitoring (3/8)
+  file:
+      path: /etc/munin/plugins/if_{{ item[0] }}{{ item[1].name }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+  with_nested:
+      - [ 'bat', 'vpn', 'wg' ]
+      - "{{ sites }}"
+  when: "'fastd' in group_names"
+
+- name: enable munin plugins for network monitoring (4/8)
+  file:
+      path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+  with_items: "{{ groups['uplink'] }}"
+  when: "'fastd' in group_names"
+
+- name: enable munin plugins for network monitoring (5/8)
+  file:
+      path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+  with_items: "{{ groups['fastd'] }}"
+  when: "'uplink' in group_names"
+
+- name: enable munin plugins for network monitoring (6/8)
+  file:
+      path: /etc/munin/plugins/if_bb{{ item.name }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+  with_items: "{{ wireguard_bb_peers|default([]) }}"
+  when: "'uplink' in group_names"
+
+- name: enable munin plugins for network monitoring (7/8)
+  file:
+      path: /etc/munin/plugins/if_bb{{ item.name }}
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+  with_items: "{{ ffrl_peers }}"
+  when: "'ffrl_uplink' in group_names"
+
+- name: enable munin plugins for network monitoring (8/8)
+  file:
+      path: /etc/munin/plugins/if_mullvad
+      src: /usr/lib/munin/plugins/if_
+      state: link
+  notify: restart munin-node
+  when: "'mullvad_uplink' in group_names"
 
 - name: enable munin plugins
   file:
-      path: /etc/munin/plugins/{{ item.name }}
-      src: /usr/lib/munin/plugins/{{ item.plugin | default( item.name ) }}
+      path: /etc/munin/plugins/{{ item }}
+      src: /usr/lib/munin/plugins/{{ item }}
       state: link
-  with_items: "{{ munin_node_plugins }}"
+  with_items:
+      - cpu
+      - df
+      - df_inode
+      - diskstats
+      - entropy
+      - forks
+      - fw_conntrack
+      - fw_forwarded_local
+      - fw_packets
+      - interrupts
+      - irqstats
+      - load
+      - memory
+      - netstat
+      - nginx_request
+      - nginx_status
+      - ntp_kernel_err
+      - ntp_kernel_pll_freq
+      - ntp_kernel_pll_off
+      - ntp_offset
+      - open_files
+      - open_inodes
+      - proc_pri
+      - processes
+      - threads
+      - uptime
+      - users
+      - vmstat
   notify: restart munin-node
 
 - name: start and enable munin-node

roles/install_monitoring/tasks/install_vnstat.yml

@@ -15,6 +15,7 @@
   args:
       creates: '/var/lib/vnstat/bat{{ item.name }}'
   with_items: "{{ sites }}"
+  when: "'fastd' in group_names"
 
 - name: add interfaces to vnstat for uplink interfaces
   command: /usr/bin/vnstat -u -i bb{{ hostvars[item]['wireguard_bb_name'] }}
@@ -22,6 +23,7 @@
       creates: "/var/lib/vnstat/bb{{ hostvars[item]['wireguard_bb_name'] }}"
   with_items:
       - "{{ groups['uplink'] }}"
+  when: "'fastd' in group_names"
 
 - name: add interfaces to vnstat for outgoing v4 interface
   command: /usr/bin/vnstat -u -i {{ ansible_default_ipv4.interface }}

roles/install_monitoring/tasks/main.yml

@@ -5,5 +5,5 @@
 #- name: install ffmyk-influx
 #  include: install_ffmyk-influx.yml
 
-#- name: install munin
-#  include: install_munin.yml
+- name: install munin
+  import_tasks: install_munin.yml

roles/install_monitoring/templates/munin_fastd_conf.j2

@@ -0,0 +1,12 @@
+{% for site in sites %}
+[fastd_peers_ff{{ site.name }}]
+user root
+group root
+env.socketfile /run/ff{{ site.name }}1.socket
+
+[fastd_traffic_ff{{ site.name }}]
+user root
+group root
+env.socketfile /run/ff{{ site.name }}1.socket
+
+{% endfor %}

setup_fastd.yml

@@ -35,13 +35,13 @@
       - configure_static_routes
       - install_cronie
       #- install_php
-      #- install_nginx
+      - install_nginx
       - install_ntp
       - install_haveged
       - install_wireguard
       - install_wireguard_backbone
       - install_babeld
-      #- install_monitoring
+      - install_monitoring
       - update_ssh_keys
       - install_admin_packages
 - name: install openvpn uplink