debops-contrib.checkmk_server default variables

General Configuration

checkmk_server__version
Check_MK software version.
checkmk_server__version: '1.2.8p25'

checkmk_server__version_label
Check_MK version label used with the omd tool.
checkmk_server__version_label: '{{ checkmk_server__version }}.cre'

checkmk_server__site_update
Update the Check_MK site if the current version is lower than checkmk_server__version.
checkmk_server__site_update: False

checkmk_server__patches
Custom patches to apply after installing the Check_MK package.
checkmk_server__patches:
  - patch: 'check-mk-raw-1.2.8-set-https-proxy-header.patch'
    file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/apache-own.conf'
  - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch'
    file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/conf.d/omd.conf'

checkmk_server__ferm_dependent_rules
Firewall configuration using the debops.ferm Ansible role.
checkmk_server__ferm_dependent_rules: '{{
  checkmk_server__ferm_web_rules +
  (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else [])
  }}'

checkmk_server__ferm_web_rules
Firewall configuration for WATO Web access.
checkmk_server__ferm_web_rules:
  - type: 'accept'
    dport: '{{ [ "http", "https" ] if checkmk_server__pki else [ "http" ] }}'
    saddr: '{{ checkmk_server__web_allow }}'
    accept_any: True
    weight: '40'
    role: 'checkmk_server'

checkmk_server__ferm_livestatus_rules
Firewall configuration for Multisite Livestatus access.
checkmk_server__ferm_livestatus_rules:
  - type: 'accept'
    dport: [ '{{ checkmk_server__livestatus_port|string }}' ]
    saddr: '{{ checkmk_server__livestatus_allow }}'
    accept_any: True
    weight: '40'
    role: 'checkmk_server'

checkmk_server__web_allow
List of IP addresses or network CIDR ranges allowed to connect to the Check_MK Web interface. If the list is empty, anyone can connect.
checkmk_server__web_allow: []

checkmk_server__livestatus_allow
List of IP addresses or network CIDR ranges allowed to connect to the Check_MK Livestatus TCP socket. If the list is empty, anyone can connect.
checkmk_server__livestatus_allow: []

checkmk_server__etc_services__dependent_list
Add entry for Livestatus to /etc/services using the debops.etc_services role.
checkmk_server__etc_services__dependent_list:
  - name: 'check-mk-livestatus'
    port: '{{ checkmk_server__livestatus_port }}'
    comment: 'Check_MK server Livestatus'

checkmk_server__livestatus_port
TCP port for Multisite Livestatus socket.
checkmk_server__livestatus_port: 6557

checkmk_server__software_inventory
Enable collection of installed software. Requires the mk_inventory plugin to be installed on the Check_MK agents.
checkmk_server__software_inventory: True

APT packages

checkmk_server__raw_package
Check_MK RAW package download URL. Alternatively this can also be a local deb file or a package name in an already available apt repository.
checkmk_server__raw_package: 'https://mathias-kettner.de/support/{{ checkmk_server__version }}/check-mk-raw-{{ checkmk_server__version }}_0.{{ ansible_distribution_release }}_amd64.deb'

checkmk_server__prerequisite_packages
List of prerequisite packages which must be available before installing the Check_MK RAW package.
checkmk_server__prerequisite_packages: [ 'apache2', 'python-passlib' ]

Check_MK Site Configuration

checkmk_server__site
Check_MK site name. Set to False to disable site configuration.
checkmk_server__site: 'debops'

checkmk_server__hostname
Set the Check_MK server DNS hostname (e.g. for agent download, API calls, ...). FIXME: Rename to checkmk_server__fqdn.
checkmk_server__hostname: '{{ ansible_local.core.fqdn
                              if (ansible_local|d() and ansible_local.core|d() and
                                  ansible_local.core.fqdn|d())
                              else ansible_fqdn }}'

checkmk_server__site_url
Check_MK server site URL.
checkmk_server__site_url: '{{ ("https://" if checkmk_server__pki else "http://") +
                              checkmk_server__hostname + "/" +
                              checkmk_server__site
                              if checkmk_server__site|d() else "" }}'

checkmk_server__webapi_url
WebAPI URL of monitoring site.
checkmk_server__webapi_url: '{{ checkmk_server__site_url + "/check_mk/webapi.py"
                                if checkmk_server__site|d() else "" }}'

checkmk_server__omd_config
Check_MK site configuration set via omd config. Changing these values will shut down Check_MK during reconfiguration. Check checkmk_server__omd_config for more details.
checkmk_server__omd_config: '{{
  checkmk_server__omd_config_email +
  checkmk_server__omd_config_core +
  (checkmk_server__omd_config_livestatus if checkmk_server__multisite_livestatus|d() else [])
  }}'

checkmk_server__omd_config_email
Administrator email address set via OMD.
checkmk_server__omd_config_email:
  - var: 'ADMIN_MAIL'
    value: 'hostmaster@{{ ansible_domain if ansible_domain else ansible_hostname }}'

checkmk_server__omd_config_core
Monitoring core set via OMD. Possible values: icinga or nagios.
checkmk_server__omd_config_core:
  - var: 'CORE'
    value: 'icinga'

checkmk_server__omd_config_livestatus
Livestatus service configuration via OMD.
checkmk_server__omd_config_livestatus:
  - var: 'LIVESTATUS_TCP'
    value: 'on'
  - var: 'LIVESTATUS_TCP_PORT'
    value: '{{ checkmk_server__livestatus_port }}'

checkmk_server__sshkeys
Indicate if an SSH keypair should be provided to allow agent connections via SSH. For more information check checkmk_server__sshkeys.
checkmk_server__sshkeys:
  generate_keypair: True

checkmk_server__ssh_user
User account which is used to query the Check_MK agent via SSH.
checkmk_server__ssh_user: 'checkmk'

checkmk_server__ssh_command
Command which is executed when querying the Check_MK agent via SSH. Set this to /usr/bin/check_mk_caching_agent when agents are queried by multiple servers.
checkmk_server__ssh_command: '{{ "/usr/bin/sudo " if (checkmk_server__ssh_user != "root") else "" }}/usr/bin/check_mk_agent'

checkmk_server__ssh_arguments
SSH arguments used when querying the Check_MK agent. For possible options check man 5 ssh_config.
checkmk_server__ssh_arguments: '-o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=10s'

Multisite Web Configuration

checkmk_server__multisite_slave
Indicate if this site is a distributed monitoring slave which receives the Check_MK configuration from another Check_MK server instance.
checkmk_server__multisite_slave: False

checkmk_server__multisite_livestatus
Enable multisite Livestatus service. This is required for distributed monitoring of this site.
checkmk_server__multisite_livestatus: '{{ True if checkmk_server__multisite_slave|d() else False }}'

checkmk_server__multisite_config_path
Configuration path for Check_MK multisite configurations. Relative to the site's chroot directory.
checkmk_server__multisite_config_path: 'etc/check_mk/multisite.d'

checkmk_server__multisite_config_map
List of dictionaries which will generate the Check_MK multisite configuration in checkmk_server__multisite_config_path.
checkmk_server__multisite_config_map: '{{ checkmk_server__multisite_cfg_wato_host_tags +
                                          checkmk_server__multisite_cfg_wato_aux_tags +
                                          checkmk_server__multisite_cfg_roles }}'

Multisite wato_host_tags variable definition.
checkmk_server__multisite_cfg_wato_host_tags:
  - name: 'wato_host_tags'
    value: '{{ checkmk_server__multisite_default_wato_host_tags }}'

Default upstream host tag configuration with an additional cmk-agent-ssh tag to indicate SSH-based Check_MK agents.
checkmk_server__multisite_default_wato_host_tags:
  - agent:
      'Agent type':
        - 'cmk-agent-ssh':
            'Check_MK Agent (ssh)': []
        - 'cmk-agent':
            'Check_MK Agent (xinetd)': ['tcp']
        - 'snmp-only':
            'SNMP (Networking device, Appliance)': ['snmp']
        - 'snmp-v1':
            'Legacy SNMP device (using V1)': ['snmp']
        - 'snmp-tcp':
            'Dual: Check_MK Agent + SNMP': ['snmp', 'tcp']
        - 'ping':
            'No Agent': []
  - criticality:
      'Criticality':
        - 'prod':
            'Productive system': []
        - 'critical':
            'Business critical': []
        - 'test':
            'Test system': []
        - 'offline':
            'Do not monitor this host': []
  - networking:
      'Networking Segment':
        - 'lan':
            'Local network (low latency)': []
        - 'wan':
            'WAN (high latency)': []
        - dmz:
            'DMZ (low latency, secure access)': []

Multisite wato_aux_tags variable definition.
checkmk_server__multisite_cfg_wato_aux_tags:
  - name: 'wato_aux_tags'
    value: '{{ checkmk_server__multisite_default_wato_aux_tags }}'

Default upstream auxiliary tags configuration.
checkmk_server__multisite_default_wato_aux_tags:
  - snmp: 'monitor via SNMP'
  - tcp: 'monitor via Check_MK Agent'

checkmk_server__multisite_cfg_roles
Multisite user roles configuration.
checkmk_server__multisite_cfg_roles:
  - name: 'roles'
    value: '{{ checkmk_server__multisite_default_roles |
               combine(checkmk_server__multisite_debops_roles, recursive=True) |
               combine(checkmk_server__multisite_custom_roles, recursive=True) }}'

checkmk_server__multisite_default_roles
Default upstream Multisite user role definitions.
checkmk_server__multisite_default_roles:
  admin:
    alias: 'Administrator'
    builtin: True
    permissions: {}
  guest:
    alias: 'Guest User'
    builtin: True
    permissions: {}
  user:
    alias: 'Normal monitoring user'
    builtin: True
    permissions: {}

checkmk_server__multisite_debops_roles
Multisite user role definitions used by the Ansible role.
checkmk_server__multisite_debops_roles:
  api:
    alias: 'Automation API'
    basedon: 'user'
    permissions:
      'general.see_all': True
      'wato.all_folders': True
      'wato.hosttags': True
      'wato.see_all_folders': True
      'wato.seeall': True
      'wato.use': True

checkmk_server__multisite_custom_roles
Custom multisite user role definitions.
checkmk_server__multisite_custom_roles: {}

checkmk_server__multisite_users
Locally defined multisite users to be configured. See checkmk_server__multisite_users for more information.
checkmk_server__multisite_users: '{{ checkmk_server__multisite_debops_users |
                                     combine(checkmk_server__multisite_custom_users, recursive=True) }}'

checkmk_server__multisite_debops_users
Multisite user definitions used by the Ansible role.
checkmk_server__multisite_debops_users:
  ansible:
    alias: 'Automation User used by Ansible'
    automation_secret: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/ansible/secret") }}'
    roles: [ 'api' ]
  sitesync:
    alias: 'Synchronization User for Multisite'
    password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}'
    roles: [ 'admin' ]

checkmk_server__multisite_custom_users
Custom multisite user definitions.
checkmk_server__multisite_custom_users: {}

checkmk_server__multisite_user_defaults
Default user properties for local users defined in checkmk_server__multisite_users.
checkmk_server__multisite_user_defaults:
  force_authuser: False
  force_authuser_webservice: False
  locked: False
  roles: [ 'user' ]
  start_url: 'dashboard.py'

checkmk_server__multisite_user_connections
LDAP user synchronization connection settings. See checkmk_server__multisite_user_connections for more information.
checkmk_server__multisite_user_connections: []

checkmk_server__multisite_user_connection_defaults
Default properties for LDAP user connections defined in checkmk_server__multisite_user_connections.
checkmk_server__multisite_user_connection_defaults:
  active_plugins: {}
  cache_livetime: 300
  comment: ''
  debug_log: False
  description: ''
  directory_type: 'openldap'
  disabled: False
  docu_url: ''
  group_dn: ''
  group_scope: 'sub'
  id: 'default'
  user_dn: ''
  user_id_umlauts: 'keep'
  user_scope: 'sub'

checkmk_server__distributed_sites
Distributed monitoring sites configuration. For more details see checkmk_server__distributed_sites.
checkmk_server__distributed_sites: {}

checkmk_server__distributed_sites_defaults
Default site properties for distributed monitoring.
checkmk_server__distributed_sites_defaults:
  username: 'sitesync'
  password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}'
  disabled: False
  disable_wato: True
  insecure: False
  multisiteurl: ''
  persist: False
  replicate_ec: False
  replicate_mkps: True
  replication: ''
  status_host: None
  timeout: 10
  url_prefix: ''
  user_login: True

Monitoring Rules

checkmk_server__site_config_path
Configuration path for Check_MK main configurations. Relative to the site's chroot directory.
checkmk_server__site_config_path: 'etc/check_mk/conf.d'

checkmk_server__site_config_map
List of configuration dictionaries which will generate the Check_MK monitoring definitions.
checkmk_server__site_config_map: '{{ checkmk_server__site_cfg_contactgroups +
                                     checkmk_server__site_cfg_rules +
                                     checkmk_server__site_cfg_hostgroups +
                                     checkmk_server__site_cfg_servicegroups +
                                     checkmk_server__site_cfg_datasource_programs +
                                     checkmk_server__site_cfg_netif_description +
                                     checkmk_server__site_cfg_notification_defaults +
                                     checkmk_server__site_cfg_software_inventory }}'

checkmk_server__contact_defaults
Default contact properties. For a list of valid contact properties see checkmk_server__contact_properties defined in vars/main.yml. They are described under checkmk_server__multisite_users.
checkmk_server__contact_defaults:
  contactgroups: [ 'all' ]
  disable_notifications: False
  email: ''
  host_notification_options: 'durfs'
  notification_method: 'email'
  notification_period: '24X7'
  notifications_enabled: False
  pager: ''
  service_notification_options: 'wucrfs'

checkmk_server__site_cfg_contactgroups
Define default contact group for all contacts.
checkmk_server__site_cfg_contactgroups:
  - name: 'define_contactgroups'
    value:
      all: 'Everything'

checkmk_server__site_cfg_rules
Define Check_MK monitoring rules.
checkmk_server__site_cfg_rules: '{{ checkmk_server__site_upstream_rules }}'

checkmk_server__site_upstream_rules
Default upstream rule definitions.
checkmk_server__site_upstream_rules:
  - name: 'bulkwalk_hosts'
    tags: [ 'snmp', '!snmp-v1' ]
    description: 'Hosts with the tag "snmp-v1" must not use bulkwalk'
  - name: 'extra_service_conf'
    element: 'check_interval'
    value: 1440
    conditions: [ 'Check_MK HW/SW Inventory$' ]
    description: 'Restrict HW/SW-Inventory to once a day'
  - name: 'host_contactgroups'
    value: 'all'
    description: 'Put all hosts into the contact group "all"'
  - name: 'only_hosts'
    tags: [ '!offline' ]
    description: 'Do not monitor hosts with the tag "offline"'
  - name: 'ping_levels'
    value:
      loss: [ 80.0, 100.0 ]
      packets: 6
      timeout: 20
      rta: [ 1500.0, 3000.0 ]
    tags: [ 'wan' ]
    description: 'Allow longer round trip times when pinging WAN hosts'

checkmk_server__site_cfg_hostgroups
Define host groups.
checkmk_server__site_cfg_hostgroups:
  - name: 'define_hostgroups'
    value: {}

checkmk_server__site_cfg_servicegroups
Define service groups.
checkmk_server__site_cfg_servicegroups:
  - name: 'define_servicegroups'
    value: {}

checkmk_server__site_cfg_datasource_programs
Define additional datasource_programs for agent access via SSH.
checkmk_server__site_cfg_datasource_programs:
  - name: 'datasource_programs'
    value: 'ssh {{ checkmk_server__ssh_arguments }} -l {{ checkmk_server__ssh_user }} <IP> {{ checkmk_server__ssh_command }}'
    tags: [ 'cmk-agent-ssh' ]
    description: 'Check_MK Agent via SSH'

checkmk_server__site_cfg_software_inventory
Check_MK rules for enabling the software inventory check. This check can be enabled/disabled by setting checkmk_server__software_inventory.
checkmk_server__site_cfg_software_inventory:
  - name: 'inventory_check_interval'
    value: 1440
    rule_state: '{{ "present" if (checkmk_server__software_inventory|d() | bool)
                    else "absent" }}'
  - name: 'active_checks'
    element: 'cmk_inv'
    description: 'Enable collection of hardware/software information'
    rule_state: '{{ "present" if (checkmk_server__software_inventory|d() | bool)
                    else "absent" }}'

checkmk_server__site_cfg_notification_defaults
Set fallback email address for rule based notifications. It must include the domain, otherwise it won't be accepted by Check_MK.
checkmk_server__site_cfg_notification_defaults:
  - name: 'notification_fallback_email'
    filename: 'global.mk'
    template: 'key_value'
    value: '{{ ansible_local.core.admin_public_email[0]
               if (("core" in ansible_local) and
                   ("admin_public_email" in ansible_local.core))
               else "root@" + ansible_domain }}'

checkmk_server__site_cfg_netif_description
Set interface name instead of index for network interface check via if_inventory_uses_description.
checkmk_server__site_cfg_netif_description:
  - name: 'if_inventory_uses_description'
    filename: 'networking.mk'
    template: 'key_value'
    value: 'True'
    wato: False

checkmk_server__site_packages
Additional Check_MK packages (MKP) to be installed. See checkmk_server__site_packages for more information.
checkmk_server__site_packages: []

PKI Configuration

checkmk_server__pki
Enable or disable support for HTTPS in Check_MK server (using debops.pki).
checkmk_server__pki: '{{ (True
                          if (ansible_local|d() and ansible_local.pki|d() and
                              ansible_local.pki.enabled|d() | bool)
                          else False) | bool }}'

checkmk_server__pki_path
Base path for PKI directory.
checkmk_server__pki_path: '{{ ansible_local.pki.path
                              if (ansible_local|d() and ansible_local.pki|d() and
                                  ansible_local.pki.path|d())
                              else "/etc/pki/realms" }}'

checkmk_server__pki_realm
Default PKI realm used by Check_MK server.
checkmk_server__pki_realm: '{{ ansible_local.pki.realm
                               if (ansible_local|d() and ansible_local.pki|d() and
                                   ansible_local.pki.realm|d())
                               else "domain" }}'

checkmk_server__pki_ca
Root CA certificate, relative to checkmk_server__pki_realm.
checkmk_server__pki_ca: 'CA.crt'

checkmk_server__pki_crt
Host certificate, relative to checkmk_server__pki_realm.
checkmk_server__pki_crt: 'default.crt'

checkmk_server__pki_key
Host private key, relative to checkmk_server__pki_realm.
checkmk_server__pki_key: 'default.key'

checkmk_server__tls_options
Additional Apache mod_ssl options. Valid configuration keys: SSLCipherSuite, SSLHonorCipherOrder, SSLProtocols, SSLStrictSNIVHostCheck.
checkmk_server__tls_options:
  SSLHonorCipherOrder: 'On'
  SSLCipherSuite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
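
Several defaults on this page are permissive: checkmk_server__web_allow and checkmk_server__livestatus_allow are empty (any source may connect), checkmk_server__ssh_arguments disables host key verification, and checkmk_server__tls_options still lists 3DES suites. The following inventory override tightens them; it is an added example, not part of the role's own documentation, and the addresses are constructed values from the RFC 5737 documentation ranges.

```yaml
# Added example: inventory overrides for the checkmk_server role.
# All addresses are constructed (RFC 5737); replace them with your own.

# Default is [], documented above as "anyone can connect".
# Limit the WATO web interface to the management network.
checkmk_server__web_allow: [ '192.0.2.0/24' ]

# Default is [], documented above as "anyone can connect".
# Limit the Livestatus TCP socket to the monitoring site that queries
# this one in a distributed setup.
checkmk_server__livestatus_allow: [ '198.51.100.10' ]

# Default passes StrictHostKeyChecking=no, so the agent's SSH host key is
# never verified. With "yes", ssh refuses hosts whose key is not already in
# the known_hosts file of the account that runs the check.
# Assumption: you distribute the agents' host keys to that file yourself.
checkmk_server__ssh_arguments: '-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10s'

# With Ansible's default hash behaviour a dictionary override replaces the
# whole default, so the keys to keep are repeated here.
# The suite list is the default from this page with the three 3DES entries
# removed and 3DES excluded explicitly.
checkmk_server__tls_options:
  SSLHonorCipherOrder: 'On'
  SSLCipherSuite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!3DES'
```

The allow lists feed the saddr field of checkmk_server__ferm_web_rules and checkmk_server__ferm_livestatus_rules, so the restriction is applied by the debops.ferm firewall rules shown in the General Configuration section.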