diff --git a/host_vars/fastd b/host_vars/fastd
index 3bd2cbf..c041d00 100644
--- a/host_vars/fastd
+++ b/host_vars/fastd
@@ -16,4 +16,54 @@ mullvad_key: |
 -----BEGIN PRIVATE KEY-----
 ...
 -----END PRIVATE KEY-----
-
+munin_node_plugins:
+ - name: cpu
+ - name: df
+ - name: df_inode
+ - name: dhcp-pool
+ - name: diskstats
+ - name: entropy
+ - name: fastd_peers
+ plugin: fastd_
+ - name: fastd_traffic
+ plugin: fastd_
+ - name: forks
+ - name: fw_conntrack
+ - name: fw_forwarded_local
+ - name: fw_packets
+ - name: if_bat0
+ plugin: if_
+ - name: if_err_bat0
+ plugin: if_err_
+ - name: if_ens3
+ plugin: if_
+ - name: if_err_ens3
+ plugin: if_err_
+ - name: if_ffmyk-mesh-vpn
+ plugin: if_
+ - name: if_err_ffmyk-mesh-vpn
+ plugin: if_err_
+ - name: if_mullvad
+ plugin: if_
+ - name: if_err_mullvad
+ plugin: if_err_
+ - name: interrupts
+ - name: irqstats
+ - name: load
+ - name: memory
+ - name: netstat
+ - name: nginx_request
+ - name: nginx_status
+ - name: ntp_kernel_err
+ - name: ntp_kernel_pll_freq
+ - name: ntp_kernel_pll_off
+ - name: ntp_offset
+ - name: open_files
+ - name: open_inodes
+ - name: proc_pri
+ - name: processes
+ - name: swap
+ - name: threads
+ - name: uptime
+ - name: users
+ - name: vmstat
diff --git a/roles/install_dhcp/files/fastd-services-api.php b/roles/install_dhcp/files/fastd-services-api.php
new file mode 100644
index 0000000..4eedd73
--- /dev/null
+++ b/roles/install_dhcp/files/fastd-services-api.php
@@ -0,0 +1,44 @@
+#!/usr/bin/php -f
+
diff --git a/roles/install_dhcp/tasks/main.yml b/roles/install_dhcp/tasks/main.yml
index 60cac06..c8912be 100644
--- a/roles/install_dhcp/tasks/main.yml
+++ b/roles/install_dhcp/tasks/main.yml
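Review bot: The new `munin_node_plugins` list is added to a host_vars file whose context lines show the `mullvad_key` PEM body in cleartext, so non-secret node configuration and a private key now share one plain YAML file. Keeping the plugin list here is fine, but the key should live in an `ansible-vault`-encrypted variable so that this list can be reviewed and diffed without key material appearing in every hunk. The list matches the `dhcp-pool` and `fastd_` plugin names installed by the monitoring role; `fastd_` is linked as `fastd_peers` and `fastd_traffic` only, while the plugin also offers `uptime` — presumably left out on purpose, but worth a one-line comment.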
@@ -9,6 +9,24 @@
 path: /etc/dhcpd.hosts.conf
 state: touch
+- name: install php
+ pacman:
+ name: php
+ state: present
+
+- name: copy fastd-services-api.php
+ copy:
+ src: fastd-services-api.php
+ dest: /etc/fastd-services-api.php
+
+- name: setup cronjob for fastd-services-api
+ cron:
+ name: fastd-services-api
+ minute: '*/10'
+ user: root
+ cron_file: fastd-api
+ job: '/usr/bin/php /etc/fastd-services-api.php'
+
 - name: dhcpd.conf
 template:
 src: dhcpd.conf.j2
diff --git a/roles/install_monitoring/files/check_internet.sh b/roles/install_monitoring/files/check_internet.sh
new file mode 100755
index 0000000..5fbe0c2
--- /dev/null
+++ b/roles/install_monitoring/files/check_internet.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+INTERFACE=mullvad
+FAILED_FILE=/tmp/mullvad.failed
+fail=false
+
+if [ ! -e /sys/class/net/$INTERFACE ]; then
+ echo "$INTERFACE interface does not exist"
+ fail=true
+else
+ start_bytes=$(cat /sys/class/net/$INTERFACE/statistics/rx_bytes)
+ sleep 30
+ end_bytes=$(cat /sys/class/net/$INTERFACE/statistics/rx_bytes)
+
+ if [ $(($end_bytes-$start_bytes)) -lt 1000 ]; then
+ #echo "no traffic via $INTERFACE"
+ fail=true
+ fi
+fi
+
+if $fail; then
+ systemctl is-active openvpn-client@mullvad.service > /dev/null
+ if [ $? -ne 0 ]; then
+ systemctl status openvpn-client@mullvad.service
+ if [ -e $FAILED_FILE ]; then
+ echo restart openvpn-client@mullvad.service
+ systemctl restart openvpn-client@mullvad.service
+ else
+ touch $FAILED_FILE
+ fi
+ fi
+else
+ if [ -e $FAILED_FILE ]; then
+ rm $FAILED_FILE
+ fi
+fi
+
diff --git a/roles/install_monitoring/files/munin_dhcp_pool_plugin b/roles/install_monitoring/files/munin_dhcp_pool_plugin
new file mode 100755
index 0000000..2cb715d
--- /dev/null
+++ b/roles/install_monitoring/files/munin_dhcp_pool_plugin
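Review bot: The cron task runs `/usr/bin/php /etc/fastd-services-api.php` as `user: root` every ten minutes, and nothing on this page shows the script needing root (only its shebang survived here). Unless it has to write root-owned state, give the job a dedicated unprivileged `user:` and pin the copy task's ownership explicitly with `owner: root`, `group: root`, `mode: 0644`, so the file that the cron user executes cannot be modified by that user. `cron_file: fastd-api` is also the file the monitoring role's `vnstat` and `check_internet` entries use; the cron module keys on `name`, so it works, but mixing unrelated roles in one cron file makes removing a role's jobs harder.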
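Review bot: `FAILED_FILE=/tmp/mullvad.failed` is a root-managed state marker in world-writable `/tmp`, and the script both `touch`es and `rm`s it as root from cron, so any local user can pre-create that path to force an `openvpn-client@mullvad.service` restart on the next failed probe, and a symlink planted there is followed by root's `touch`. Keep the marker in a root-only directory (for example under `/run`, created by the playbook) and quote the expansions, `[ -e "$FAILED_FILE" ]`. The `systemctl is-active ... > /dev/null` followed by `if [ $? -ne 0 ]` reads more clearly as `if ! systemctl is-active --quiet openvpn-client@mullvad.service; then`, which is exactly the condition the status/restart block tests. A `sleep 30` per run is fine for a once-a-minute cron entry but deserves a comment explaining the 1000-byte threshold.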
@@ -0,0 +1,192 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2008 Rien Broekstra
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; version 2 dated June,
+# 1991.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+#
+# Munin plugin to measure saturation of DHCP pools.
+#
+# Configuration variables:
+#
+# conffile - path to dhcpd's configuration file (default "/etc/dhcpd.conf")
+# leasefile - path to dhcpd's leases file (default "/var/lib/dhcp/dhcpd.leases")
+#
+# Parameters:
+#
+# config (required)
+#
+# Version 1.0, 2-12-2008
+
+use POSIX;
+use Time::Local;
+use strict;
+
+my $CONFFILE = exists $ENV{'conffile'} ? $ENV{'conffile'} : "/etc/dhcpd.conf";
+my $LEASEFILE = exists $ENV{'leasefile'} ?
$ENV{'leasefile'} : "/var/lib/dhcp/dhcpd.leases";
+
+if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+
+}
+elsif ( defined $ARGV[0] and $ARGV[0] eq "config" ) {
+ my (%pools, $start, $label);
+
+ # Print general information
+ print "graph_title DHCP pool usage (in %)\n";
+ print "graph_args --upper-limit 100 -l 0\n";
+ print "graph_vlabel %\n";
+ print "graph_category network\n";
+
+ # Determine the available IP pools
+ %pools = determine_pools();
+
+ # Print a label for each pool
+ foreach $start (keys %pools) {
+ $label = ip2string($start);
+ $label =~ s/\./\_/g;
+ print "$label.label Pool ".ip2string($start)."\n";
+ print "$label.warning 75\n";
+ print "$label.critical 100\n";
+ }
+}
+else {
+ my (@activeleases, %pools, $start, $end, $size, $free, $label, $lease);
+
+ # Determine all leased IP addresses
+ @activeleases = determine_active_leases();
+
+ # Determine the available IP pools
+ %pools = determine_pools();
+
+ # For each pool, count how many leases from that pool are currently active
+ foreach $start (keys %pools) {
+ $size = $pools{$start};
+ $end = $start+$size;
+ $free = $size;
+
+ foreach $lease (@activeleases) {
+ if ($lease >= $start && $lease <= $end) {
+ $free--;
+ }
+ }
+ $label = ip2string($start);
+ $label =~ s/\./\_/g;
+ print "$label.value ".sprintf("%.1f", 100*($size-$free)/$size)."\n";
+ }
+}
+
+# Parse dhcpd.conf for range statements.
+#
+# Returns a hash with start IP -> size
+sub determine_pools {
+ my (%pools, @conffile, $line, $start, $end, $size);
+
+ open(CONFFILE, "<${CONFFILE}") || exit -1;
+ @conffile = ;
+ close (CONFFILE);
+
+ foreach $line (@conffile) {
+ if ($line =~ /range[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)/) {
+ $start = string2ip($1);
+ $end = string2ip($2);
+ $size = $end - $start;
+ defined($start) || next;
+ defined($end) || next;
+
+ $pools{$start} = $size;
+ }
+ }
+ return %pools;
+}
+
+# Very simple parser for dhcpd.leases.
This will break very easily if dhcpd decides to
+# format the file differently. Ideally a simple recursive-descent parser should be used.
+#
+# Returns an array with currently leased IP's
+sub determine_active_leases {
+ my (@leasefile, $startdate, $enddate, $lease, @activeleases, $mytz, $line, %saw);
+
+ open(LEASEFILE, "<${LEASEFILE}") || exit -1;
+ @leasefile = ;
+ close (LEASEFILE);
+
+ @activeleases = ();
+
+ # Portable way of converting a GMT date/time string to timestamp is setting TZ to UTC, and then calling mktime()
+ $mytz = $ENV{'TZ'};
+ $ENV{'TZ'} = 'UTC 0';
+ tzset();
+
+ foreach $line (@leasefile) {
+ if ($line =~ /lease ([\d]+\.[\d]+\.[\d]+\.[\d]+)/) {
+ $lease = string2ip($1);
+ defined($lease) || next;
+
+ undef $startdate;
+ undef $enddate;
+ }
+ elsif ($line =~ /starts \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) {
+ $startdate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0);
+ }
+ elsif ($line =~ /ends \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) {
+ $enddate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0);
+ if (defined($enddate) && defined($startdate) && defined($lease)) {
+ if ($startdate < time() && $enddate > time()) {
+ push (@activeleases, $lease);
+ }
+ }
+ }
+
+ }
+
+ # Set TZ back to its original setting
+ if (defined($mytz)) {
+ $ENV{'TZ'} = $mytz;
+ }
+ else {
+ delete $ENV{'TZ'};
+ }
+ tzset();
+
+ # Sort the array, strip doubles, and return
+ return grep(!$saw{$_}++, @activeleases);
+}
+
+#
+# Helper routine to convert an IP address a.b.c.d into an integer
+#
+# Returns an integer representation of an IP address
+sub string2ip {
+ my $string = shift;
+ defined($string) || return undef;
+ if ($string =~ /([\d]+)\.([\d]+)\.([\d]+)\.([\d]+)/) {
+ if ($1 < 0 || $1 > 255 || $2 < 0 || $2 > 255 || $3 < 0 || $3 > 255 || $4 < 0 || $4 > 255) {
+ return undef;
+ }
+ else {
+ return $1 << 24 | $2 << 16 | $3 << 8 | $4;
+ }
+ }
+ return undef;
+}
+
+#
+# Returns a dotted quad notation of an
+#
+sub
ip2string {
+ my $ip = shift;
+ defined ($ip) || return undef;
+ return sprintf ("%d.%d.%d.%d", ($ip >> 24) & 0xff, ($ip >> 16) & 0xff, ($ip >> 8) & 0xff, $ip & 0xff);
+}
diff --git a/roles/install_monitoring/files/munin_fastd_conf b/roles/install_monitoring/files/munin_fastd_conf
new file mode 100644
index 0000000..984b05a
--- /dev/null
+++ b/roles/install_monitoring/files/munin_fastd_conf
@@ -0,0 +1,5 @@
+[fastd_*]
+user root
+group root
+env.socketfile /run/ffmyk.socket
+
diff --git a/roles/install_monitoring/files/munin_fastd_plugin b/roles/install_monitoring/files/munin_fastd_plugin
new file mode 100755
index 0000000..35ad65d
--- /dev/null
+++ b/roles/install_monitoring/files/munin_fastd_plugin
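Review bot: `$size = $end - $start;` in `determine_pools` is one short for every inclusive `range a b` statement, while the main body counts leases with `$lease >= $start && $lease <= $end` over `$end = $start+$size`, so a fully used pool reports above 100 % and the `critical 100` threshold never lines up; it should be `$size = $end - $start + 1;`, with the two `defined(...) || next;` checks moved above the subtraction. Both reads use a bareword handle with 2-arg `open(CONFFILE, "<${CONFFILE}") || exit -1;` — the path comes from munin's plugin environment rather than from a client, so the mode is not injectable here, but `open(my $fh, '<', $CONFFILE) or die "open $CONFFILE: $!";` is the safe form and gives munin-node a logged reason instead of a silent `exit -1` (same for `LEASEFILE`). The readline `@conffile = ;` appears to have lost its angle-bracket handle in this rendering; check the committed file. The plugin runs with `use strict` but declares `$start`, `$label` etc. as loop variables outside the `foreach`, which is legal but hides the scope — `foreach my $start (keys %pools)` is the usual form.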
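Review bot: `[fastd_*]` runs the plugin as `user root` / `group root` solely to read `/run/ffmyk.socket`, while the plugin's own POD documents a `fastd` user and group for this purpose. Parsing a JSON status reply does not need root; give the socket a dedicated group (via fastd's status-socket configuration or a tmpfiles rule) and set `group` to that here with an unprivileged `user`, so a malformed reply or a bug in the decode path runs with the least privilege. A short comment explaining why the socket lives in `/run/ffmyk.socket` rather than the plugin's default `/tmp/fastd.sock` would help the next reader.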
@@ -0,0 +1,124 @@
+#!/usr/bin/perl -w
+# -*- perl -*-
+
+=head1 NAME
+
+fastd_ - Plugin to monitor fastd uptime, peers and traffic
+
+=head1 CONFIGURATION
+
+Set user and group to have access to the socket
+Set path to socketfile if not /tmp/fastd.sock
+
+ [fastd_*]
+ user fastd
+ group fastd
+ env.socketfile /tmp/fastd.sock
+
+=head1 USAGE
+
+Link this plugin to /etc/munin/plugins/ with the type of graph (uptime, peers, traffic)
+append to the linkname, ie: /etc/munin/plugins/fastd_peers
+
+After creating the links, restart munin-node. Don't forget to configure the plugin!
+
+=head1 AUTHORS
+
+Dominique Goersch
+
+=head1 LICENSE
+
+GPLv2
+
+=head1 MAGIC MARKERS
+
+ #%# family=manual
+ #%# capabilities=suggest
+
+=cut
+
+
+use strict;
+use warnings;
+use File::Basename;
+use IO::Socket::UNIX qw( SOCK_STREAM );
+use JSON;
+
+my $mode = basename($0); #get basename
+$mode =~ s/fastd_//; #and strip 'fastd_' to get the mode
+
+if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
+ if ($mode eq 'uptime') { #for uptime
+ print "graph_title fastd Uptime\n";
+ print "graph_info This graph shows the uptime of the fastd on this supernode\n";
+ print "graph_args -l 0\n";
+ print "graph_scale no\n";
+ print "graph_vlabel uptime in days\n";
+ print "graph_category fastd\n";
+ print "uptime.label uptime\n";
+ print "uptime.draw AREA\n";
+ }
+ elsif ($mode eq 'peers') { #for peers
+ print "graph_title fastd peers\n";
+ print "graph_info This graph shows the peers of the fastd on this supernode\n";
+ print "graph_args -l 0\n";
+ print "graph_scale no\n";
+ print "graph_vlabel peers count\n";
+ print "graph_category fastd\n";
+ print "peers.label peers\n";
+ print "peers.draw AREA\n";
+ }
+ elsif ($mode eq 'traffic') { #for traffic
+ print "graph_order down up\n";
+ print "graph_title fastd traffic\n";
+ print "graph_args --base 1000\n";
+ print "graph_vlabel bits in (-) / out (+) per second\n";
+ print "graph_category fastd\n";
+ print "graph_info This graph shows the traffic of
fast.\n";
+ print "down.label received\n";
+ print "down.type DERIVE\n";
+ print "down.graph no\n";
+ print "down.cdef down,8,*\n";
+ print "down.min 0\n";
+ print "up.label bps\n";
+ print "up.type DERIVE\n";
+ print "up.negative down\n";
+ print "up.cdef up,8,*\n";
+ print "up.min 0\n";
+ }
+ exit 0;
+}
+
+if ($ARGV[0] and $ARGV[0] eq "suggest") { #tell munin about our graphs
+ print "uptime\n";
+ print "peers\n";
+ print "traffic\n";
+}
+
+
+
+my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
+my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
+ or die("Can't connect to server: $!\n");
+
+my $fastdstatus = "";
+foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
+my $json = decode_json($fastdstatus); #decode json
+
+my $fastd_uptime = $json->{uptime}; #get the uptime from json
+#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json
+my $fastd_peers = 0;
+for my $key (keys(%{$json->{peers}})) {
+ $fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
+}
+my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json
+my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json
+
+if ( $mode eq 'uptime' ) {
+ printf "uptime.value %.0f\n",$fastd_uptime/86400000; #return uptime in seconds
+} elsif ($mode eq 'peers') {
+ print "peers.value $fastd_peers\n"; #return number of peers
+} elsif ($mode eq 'traffic') {
+ print "up.value $fastd_tx_bytes\n"; #return transmitted bytes
+ print "down.value $fastd_rx_bytes\n"; #and recieved bytes
+}
diff --git a/roles/install_monitoring/files/munin_global_conf b/roles/install_monitoring/files/munin_global_conf
new file mode 100644
index 0000000..cf418ec
--- /dev/null
+++ b/roles/install_monitoring/files/munin_global_conf
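Review bot: The `suggest` branch prints the three modes and then falls through to the socket connection, so `fastd_ suggest` dies with `Can't connect to server` whenever the socket is unreadable and otherwise decodes the whole status reply for nothing; add `exit 0;` after `print "traffic\n";`, as the `config` branch already does. `keys(%{$json->{peers}})` dies under `use strict` when the reply carries no `peers` key, and `$json->{uptime}` and `{statistics}` are dereferenced unchecked, so one unexpected reply produces a failed plugin run plus warnings in the munin-node log; a guard such as `my $peers = $json->{peers} || {};` before the loop keeps the peers count at 0 instead. The comment on `printf "uptime.value %.0f\n",$fastd_uptime/86400000;` says `#return uptime in seconds` although the division yields days, which is what `graph_vlabel uptime in days` declares — fix the comment. The reply is read in one pass with `foreach my $line (<$socket>)`, which is fine for a status socket but has no size or time bound; mention in a comment that the plugin relies on munin-node's `timeout`.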
@@ -0,0 +1,6 @@ +[fw_*] + user root + +[if_ens3] + env.speed 1000 + diff --git a/roles/install_monitoring/files/vnstat b/roles/install_monitoring/files/vnstat new file mode 100644 index 0000000..cbd2f7c --- /dev/null +++ b/roles/install_monitoring/files/vnstat @@ -0,0 +1,37 @@ +server { + listen 80 default_server; + listen [::]:80 default_server ipv6only=on; + server_name localhost; + + charset UTF-8; + + index index.html index.htm; + root /srv/http/vnstat; + + location / { + try_files $uri $uri/ =404; + autoindex on; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + location /nginx_status { + stub_status on; + access_log off; + allow 127.0.0.1; + allow ::1; + deny all; + } + + + location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|svg)$ { + expires 30d; + # Optional: Don't log access to assets + access_log off; + } +} diff --git a/roles/install_monitoring/files/vnstat.sh b/roles/install_monitoring/files/vnstat.sh new file mode 100755 index 0000000..7ff875c --- /dev/null +++ b/roles/install_monitoring/files/vnstat.sh @@ -0,0 +1,45 @@ +#!/bin/sh +set -e + +IFACES=$(ls /var/lib/vnstat/) + +TARGET=/srv/http/vnstat/ + +for iface in $IFACES; do + /usr/bin/vnstati -i ${iface} -h -o ${TARGET}${iface}_hourly.png + /usr/bin/vnstati -i ${iface} -d -o ${TARGET}${iface}_daily.png + /usr/bin/vnstati -i ${iface} -m -o ${TARGET}${iface}_monthly.png + /usr/bin/vnstati -i ${iface} -t -o ${TARGET}${iface}_top10.png + /usr/bin/vnstati -i ${iface} -s -o ${TARGET}${iface}_summary.png +done + +cat > ${TARGET}index.html < + + + + + + + + + +EOT + + +for iface in $IFACES; do + sed s/IFACE/${iface}/g >> ${TARGET}index.html < + traffic summary
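Review bot: The `vnstat` server block is `listen 80 default_server` on all addresses with `autoindex on` for `/srv/http/vnstat`, so the per-interface traffic graphs (including the `mullvad` and mesh VPN interfaces added by the monitoring tasks) are served to anyone who reaches port 80, and with `access_log off` in `nginx.conf` there is no record of who fetched them. If these graphs are meant to be public, say so in a comment above `location /`; otherwise restrict `location /` with `allow`/`deny` or basic auth, and `autoindex on` can go since `vnstat.sh` writes an `index.html`. The `/nginx_status` location correctly limits `stub_status` to `127.0.0.1` and `::1`, which is all the `nginx_status`/`nginx_request` munin plugins need.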
+ traffic per month
+ traffic per hour
+ traffic top10
+ traffic per day + +EOT + +done + +echo "" >> ${TARGET}index.html + diff --git a/roles/install_monitoring/tasks/main.yml b/roles/install_monitoring/tasks/main.yml new file mode 100644 index 0000000..5ca468d --- /dev/null +++ b/roles/install_monitoring/tasks/main.yml 
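Review bot: `IFACES=$(ls /var/lib/vnstat/)` parses `ls` output and then passes each name unquoted to `vnstati -i ${iface}` and into the `sed s/IFACE/${iface}/g` pattern; a glob avoids both the word splitting and the pattern interpolation: `for iface in /var/lib/vnstat/*; do iface=${iface##*/}`. With `set -e` under `#!/bin/sh`, the first failing `vnstati` aborts the run after `index.html` has already been truncated by `cat > ${TARGET}index.html`, leaving a half-written page; writing to a temporary file in `${TARGET}` and `mv`-ing it over `index.html` at the end keeps the served page consistent. The heredoc bodies did not survive on this page, so the generated HTML cannot be reviewed here, and the Ansible task names this a "bash script" while the shebang is `/bin/sh` — pick one and make the task name match.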
@@ -0,0 +1,124 @@
+---
+- name: install vnstat
+ pacman:
+ name: vnstat
+ state: present
+
+- name: start and enable vnstat service
+ systemd:
+ name: vnstat.service
+ enabled: yes
+ state: started
+
+- name: add interfaces to vnstat
+ command: /usr/bin/vnstat -u -i {{ item }}
+ args:
+ creates: '/var/lib/vnstat/{{ item }}'
+ with_items:
+ - bat0
+ - ens3
+ - ffmyk-mesh-vpn
+ - mullvad
+
+- name: add output folder for vnstat graphs
+ file:
+ path: /srv/http/vnstat
+ state: directory
+
+- name: add bash script to generate vnstat graphs
+ copy:
+ src: vnstat.sh
+ dest: /usr/local/bin/vnstat.sh
+ mode: 0744
+
+- name: add cronjob to generate vnstat graphs
+ cron:
+ name: vnstat
+ minute: '*/5'
+ user: root
+ cron_file: fastd-api
+ job: '/usr/local/bin/vnstat.sh'
+
+- name: add vnstat nginx config
+ copy:
+ src: vnstat
+ dest: /etc/nginx/sites-available/vnstat
+ register: nginx_config
+
+- name: enable vnstat nginx config
+ file:
+ src: /etc/nginx/sites-available/vnstat
+ dest: /etc/nginx/sites-enabled/vnstat
+ state: link
+
+- name: reload nginx
+ when: nginx_config.changed
+ systemd:
+ name: nginx.service
+ state: reloaded
+
+- name: add bash script to check internet
+ copy:
+ src: check_internet.sh
+ dest: /usr/local/bin/check_internet.sh
+ mode: 0744
+
+- name: add cronjob to check internet
+ cron:
+ name: check_internet
+ user: root
+ cron_file: fastd-api
+ job: '/usr/local/bin/check_internet.sh'
+
+- name: install munin
+ pacman:
+ name: munin-node
+ state: present
+
+- name: copy munin-node config
+ template:
+ src: munin-node.conf.j2
+ dest: /etc/munin/munin-node.conf
+
+- name: copy fastd plugin
+ copy:
+ src: munin_fastd_plugin
+ dest: /usr/lib/munin/plugins/fastd_
+
+- name: copy dhcp-pool plugin
+ copy:
+ src: munin_dhcp_pool_plugin
+ dest: /usr/lib/munin/plugins/dhcp-pool
+
+- name: copy fastd plugin config
+ copy:
+ src: munin_fastd_conf
+ dest: /etc/munin/plugin-conf.d/fastd
+
+- name: copy global config
+ copy:
+ src: munin_global_conf
+ dest:
/etc/munin/plugin-conf.d/global
+
+- name: install netstat
+ pacman:
+ name: net-tools
+ state: present
+
+- name: install perl-lwp-protocol-https
+ pacman:
+ name: perl-lwp-protocol-https
+ state: present
+
+- name: enable munin plugins
+ file:
+ path: /etc/munin/plugins/{{ item.name }}
+ src: /usr/lib/munin/plugins/{{ item.plugin | default( item.name ) }}
+ state: link
+ with_items: "{{ munin_node_plugins }}"
+
+- name: start and enable munin-node
+ systemd:
+ name: munin-node.service
+ enabled: yes
+ state: started
diff --git a/roles/install_monitoring/templates/munin-node.conf.j2 b/roles/install_monitoring/templates/munin-node.conf.j2
new file mode 100644
index 0000000..309833a
--- /dev/null
+++ b/roles/install_monitoring/templates/munin-node.conf.j2
@@ -0,0 +1,49 @@
+log_level 4
+log_file Sys::Syslog
+pid_file /run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# This is the timeout for the whole transaction.
+# Units are in sec. Default is 15 min
+#
+global_timeout 290
+
+# This is the timeout for each plugin.
+# Units are in sec. Default is 1 min
+#
+timeout 60
+
+# Regexps for files to ignore
+ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+host_name {{ ansible_nodename }}
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed. You
+# may repeat the allow line as many times as you'd like
+
+allow ^127\.0\.0\.1$
+allow ^2a01:4f8:151:13cd::35$
+allow ^::1$
+
+# Which address to bind to;
+host *
+
+# And which port
+port 4949
+
diff --git a/roles/install_nginx/files/nginx.conf b/roles/install_nginx/files/nginx.conf
new file mode 100644
index 0000000..c27e4c1
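Review bot: The `copy` tasks for `munin_fastd_plugin` and `munin_dhcp_pool_plugin` set no `mode`, unlike the two shell scripts which get `mode: 0744`; both plugin files are `100755` in git, but `copy` does not carry the source mode over unless told to, so add `mode: 0755` (or `mode: preserve`) to each, otherwise the symlinks made by `enable munin plugins` point at non-executable files and munin-node ignores them. The `check_internet` cron entry has no `minute:`, so it runs every minute and each run sleeps 30 s while probing `mullvad`; if that is intended, a comment on the task saves the next reader a trip into the script. All three cron entries (`vnstat`, `check_internet`, and `fastd-services-api` in the dhcp role) share `cron_file: fastd-api`, which works because the module keys on `name` but makes the file name misleading now that it carries monitoring jobs. The reload guarded by `when: nginx_config.changed` covers only the vhost copy; if the symlink in `enable vnstat nginx config` is later recreated without the file changing, nginx is not reloaded — consider guarding on both results.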
--- /dev/null
+++ b/roles/install_nginx/files/nginx.conf
@@ -0,0 +1,29 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+
+ access_log off;
+ error_log /var/log/nginx/error.log;
+
+ #gzip on;
+ gzip off;
+ gzip_disable "msie6";
+
+ charset UTF-8;
+
+ # Virtual Host Config
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/roles/install_nginx/tasks/main.yml b/roles/install_nginx/tasks/main.yml
new file mode 100644
index 0000000..5b8fe65
--- /dev/null
+++ b/roles/install_nginx/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: install nginx
+ pacman:
+ name: nginx
+ state: present
+
+- name: copy nginx.conf
+ copy:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: add sites-available folder
+ file:
+ path: /etc/nginx/sites-available
+ state: directory
+
+- name: add sites-enabled folder
+ file:
+ path: /etc/nginx/sites-enabled
+ state: directory
+
+- name: start and enable nginx
+ systemd:
+ name: nginx.service
+ enabled: yes
+ state: started
diff --git a/setup_fastd.yml b/setup_fastd.yml
index e041d6f..cc5079c 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -7,6 +7,7 @@
 - configure_journald
 - configure_sysctl
 - configure_iptables
+ - install_nginx
 - install_ntp
 - install_haveged
 - setup_batman
@@ -14,4 +15,5 @@
 - install_bind
 - install_fastd
 - install_openvpn
+ - install_monitoring
 - install_admin_packages
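Review bot: `nginx.conf` sets `access_log off` for the whole `http` block and leaves `server_tokens` at its default, so the exact nginx version is advertised in every response and error page of the public `vnstat` site while no request log exists to investigate abuse of it; add `server_tokens off;` next to `charset UTF-8;` and keep at least an access log for the public vhost (the vhost can still disable logging for `/nginx_status` and static assets, as it already does). `gzip off;` followed by `gzip_disable "msie6";` leaves a dead directive — drop `gzip_disable` or enable gzip. `include /etc/nginx/sites-enabled/*;` relies on the `install_nginx` tasks creating that directory before the first start, which they do; a one-line comment saying so would stop someone from "simplifying" the task order later.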
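Review bot: `copy nginx.conf` has no `register` or handler, so a later change to `nginx.conf` is written to disk but never applied; `start and enable nginx` only ensures the unit is running. The monitoring role already uses `register: nginx_config` with a conditional `state: reloaded` task for its vhost, so the same shape belongs here: register the copy and add a `systemd` reload task guarded by `when: <registered>.changed` (or move both to a shared handler). A `validate: 'nginx -t -c %s'` on the copy would also refuse to install a config that fails to parse, which matters more here than for the vhost because this file is the one nginx cannot start without.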