Default variable details¶
Some of the debops-contrib.checkmk_server default variables have more extensive configuration than simple strings or lists, here you can find documentation and examples for them.
checkmk_server__omd_config¶
omd is a command line utility which is used to manage Check_MK
monitoring sites. Some basic configuration options of the site will be
set via this tool. These options are defined in
checkmk_server__omd_config
which is a list of YAML dictionaries,
each with two key/value pairs defining the OMD property to be set. One key
has to be var
with the variable name to be set as value. The other
key has to be value
with the variable value to be set as value.
See checkmk_server__omd_config_core
for an example.
checkmk_server__sshkeys¶
This configuration variable indicates if SSH keys should be configured for
accessing the Check_MK agent. If set to a non-empty value a additional
Check_MK host tag "Check_MK Agent via SSH" is configured and the SSH public
key is set as Ansible fact, so that it can be used by the
debops-contrib.checkmk_agent role to configure SSH-based agent access. The
checkmk_server__sshkeys
variable is a dictionary which support the
following keys:
generate_keypair
- Generate a new SSH keypair for the Check_MK site user. Possible values:
True
orFalse
keysize
- Specify the number of bits used when generating a new keypair. Only valid
when
generate_keypair
is set toTrue
. Defaults to4096
. privatekey_file
- Pre-generated SSH private key file which should be configured for SSH-based Check_MK agent access.
publickey_file
- Pre-generated SSH public key file. Must be the public key of the private
key set with
privatekey_file
.
checkmk_server__site_packages¶
Check_MK has a plugin system where site customizations such as additional
checks can be installed. This is done via .mkp
packages. For more
information see the upstream documentation about Check_MK extension packages.
Packages which should be installed for the current Check_MK site are defined
as a list of YAML dictionaries with the following configuration keys. One of
path
or url
must be given:
name
- Name of the package, required.
path
- Optional. Local file system path of the
.mkp
package archive on the Ansible controller. Cannot be combined with theurl
parameter. url
- Optional. Download URL of the
.mkp
package archive. Cannot be combined with thepath
parameter. checksum
- Optional. Checksum of the download archive given in the
url
parameter. Cannot be combined with thepath
parameter. Refer to the Ansible get_url module for the accepted parameter format.
checkmk_server__multisite_users¶
Configuration dictionary to define local WATO users. When running Ansible
they are merged into the users.mk
user database of Check_MK. Users
already defined in WATO or synchronized from an identity management system
such as LDAP won't be overwritten.
The dictionary key has to be the user name to create or manage. The following properties can be set via Ansible inventory:
alias
- Full name, required.
automation_secret
- Optional. Automation secret for machine accounts. Set this instead of
item.password
if the account is used for authentication of WebAPI calls.
contactgroups
- Optional. List of contact groups the user is a member of. Defaults to
[]
. disable_notifications
- Optional. Temporarily disable all notifications for this user. Defaults to
False
. email
- Optional. Email address.
force_authuser
- Optional. Only show hosts and services the user is a contact for. Defaults
to
False
. force_authuser_webservice
- Optional. Export only hosts and services the user is a contact for.
Defaults to
False
. host_notification_options
- Optional. Host events which should be notified. String combined of the
following letters:
d
: Host goes downu
: Host get unreachabler
: Host goes up againf
: Start or end of flapping states
: Start or end of a scheduled downtime Defaults todurfs
. locked
- Optional. Disable login to this account. Defaults to
False
. notification_method
- Optional. Event notification method. Defaults to
email
(currently only supported method). notification_period
- Optional. Notification time period. Default to
24x7
(currently only supported period). notifications_enabled
- Optional. Generally enable notifications for this user. Defaults to
False
. pager
- Optional. Pager address.
password
- Optional. Set given password in Apache
htpasswd
file. Can be used for form-based authentication in WATO and HTTP basic authentication in Icinga, PNP4Nagios and NagVis. roles
- Optional. List of permission roles defined in
checkmk_server__multisite_cfg_roles
. Defaults to[ 'user' ]
. service_notification_options
- Optional. Service events which should be notified. String combined of the
following letters:
w
: Service goes into warning stateu
: Service goes into unknown statec
: Service goes into critical stater
: Service recovers to OKf
: Start or end of flapping states
: Start or end of a scheduled downtime Defaults towucrfs
. start_url
- Optional. Start URL to display in main frame. Defaults to
dashboard.py
.
Example¶
Create custom administrator account with random password:
checkmk_server__multisite_users:
bob:
alias: 'Bob Admin'
password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/bob/password length=15") }}'
roles: [ 'admin' ]
checkmk_server__multisite_user_connections¶
List of LDAP user synchronization connection definitions. Multiple connection definitions are allowed. Each connection can define the following properties via Ansible inventory:
binddn
- Distinguished name used for authenticating against the LDAP server, required.
bindpw
- Password used for authenticating against the LDAP server, required.
server
- LDAP server host name, required.
group_dn
- Base DN for LDAP group queries, required.
userdn
- Base DN for LDAP user queries, required.
active_plugins
- Optional. Configuration dictionary of attribute synchronization plugins. See LDAP Attribute Synchronization Plugins for more details.
cache_livetime
- Optional. Time in seconds how long to cache LDAP user information. Defaults
to:
300
. comment
- Optional. Comment about user connection definition.
connect_timeout
- Optional. Connect timeout.
debug_log
- Optional. Enable debug logging for LDAP user synchronization. Allowed values
are
True
orFalse
. Defaults to:False
description
- Optional. Short description of user connection definition being displayed in the connection list.
directory_type
- Optional. LDAP directory type used to set default user and group attributes.
Allowed values are
openldap
,389directoryserver
orad
. Defaults to:openldap
. disabled
- Optional. Do not enable user connection. Allowed values are
True
orFalse
. Defaults to:False
docu_url
- Optional. Documentation URL.
failover_servers
- Optional. List of failover LDAP host names.
group_filter
- Optional. Group search filter (e. g.
(objectclass=groupOfNames)
). This will overwrite the default set byitem.directory_type
. group_member
- Optional. Group member attribute name (e. g.
member
). group_scope
- Optional. Group search scope. Allowed values are
sub
(search whole subtree below base DN),base
(search only the entry at the base DN) orone
(search all entries one level below the base DN). Defaults to:sub
. id
- Optional. Connection identifier. Defaults to
default
. lower_user_ids
- Optional. Set lower case user IDs. Allowed values are
True
orFalse
. Defaults to:False
no_persistent
- Optional. Don't use persistent LDAP connections. Allowed values are
True
orFalse
. Defaults to:False
port
- Optional. TCP port. Defaults to:
389
response_timeout
- Optional. Response timeout.
suffix
- Optional. LDAP connection suffix.
use_ssl
- Optional. Encrypt the network connection using SSL. Allowed values are
True
orFalse
. Defaults to:False
user_filter
- Optional. User search filter (e. g.
(objectclass=account)
). This will overwrite the default set byitem.directory_type
. user_filter_group
- Optional. Filter users by group.
user_id
- Optional. User ID attribute name (e. g.
uid
). user_id_umlauts
- Optional. Translate Umlauts in user IDs (deprecated). Allowed values are
keep
orreplace
. Defaults tokeep
. user_scope
- Optional. User search scope. Allowed values are
sub
(search whole subtree below base DN),base
(search only the entry at the base DN) orone
(search all entries one level below the base DN). Defaults to:sub
.
LDAP Attribute Synchronization Plugins¶
The LDAP user synchronization connector supports various plugins for setting WATO user properties based on LDAP attributes and filters. Each plugin is a configuration dictionary with the plugin name as key.
alias
Set user alias based on LDAP attribute.
attr
- Optional. LDAP attribute to sync. Defaults to
cn
.
auth_expire
Checks wether or not the user auth must be invalidated.
attr
- Optional. LDAP attribute to be used as indicator. Defaults to
krbpasswordexpiration
.
disable_notifications
Disable notifications based on LDAP attribute.
attr
- Optional. LDAP attribute to sync.
email
Set email address based on LDAP attribute.
attr
Optional. LDAP attribute to sync. Default tomail
.force_authuser
Set visibility of host/services based on LDAP attribute.
attr
- Optional. LDAP attribute to sync.
force_authuser_webservice
Set visibility of host/services for WebAPI access based on LDAP attribute.
attr
- Optional. LDAP attribute to sync.
groups_to_attributes
Set custom user attributes based on the group memberships in LDAP.
nested
- Optional. Handle nested group memberships (Active Directory only at the moment)
other_connections
- Optional. List of alternative LDAP connection IDs to sync group membership.
groups_to_contactgroups
Add the user to contactgroups based on the group memberships in LDAP.
nested
- Optional. Handle nested group memberships (Active Directory only at the moment)
other_connections
- Optional. List of alternative LDAP connection IDs to sync contactgroup membership.
groups_to_roles
Set user roles based on distinguished names from LDAP. This is a configuration dictionary with the role name defined in
checkmk_server__multisite_cfg_roles
as key and a list of group references as value. Each group reference supports the following properties.group_dn
- Group DN used for role assignment.
connection
- Optional. Alternative connection ID used for group query.
pager
Set pager number based on LDAP attribute.
attr
- Optional. LDAP attribute to be used as indicator. Defaults to
mobile
.
start_url
Set WATO start URL based on LDAP attribute.
attr
- Optional. LDAP attribute to sync. Defaults to
start_url
.
Example¶
Small example configuration for user authentication via LDAP showing the use of some LDAP plugins:
checkmk_server__multisite_user_connections:
- server: 'localhost'
binddn: 'cn=admin,dc=example,dc=com'
bindpw: 'secret'
group_dn: 'ou=groups,dc=example,dc=com'
user_dn: 'ou=users,dc=example,dc=com'
user_filter: '(objectclass=posixAccount)'
active_plugins:
alias:
attr: 'gecos'
groups_to_roles:
admin:
- group_dn: 'cn=wato-admin,ou=groups,dc=example,dc=com'
This will synchronize all users in from the DN ou=users,dc=example,dc=com
to WATO, fills the user's alias property with the value from the gecos
LDAP attribute and assign the admin role to the members of the 'wato-admin'
group.
checkmk_server__distributed_sites¶
This setting will define Check_MK Multisite connections to other Check_MK monitoring sites. Each site entry is a nested YAML dictionary with the site name as top key. The following sub keys are supported as site properties.
alias
- An alias or description of the site, required.
disabled
- Optional. Temporarily disable this connection. Defaults to
False
. disable_wato
- Optional. Disable configuration via WATO on this site. Defaults to
True
. insecure
- Optional. Ignore SSL certificate errors. Defaults to
False
. multisiteurl
- Optional. URL of the remote Check_MK site including
/check_mk/
. This will be used by the main site to fetch resources from this site. password
- Optional. User password for user defined in
item.username
used for authentication on this site. persist
- Optional. Use persistent connections to this site. Defaults to
False
. replicate_ec
- Optional. Replicate Event Console configuration to this site. Defaults to
False
. replicate_mkps
- Optional. Replicate extensions (MKPs and files in
~/local/
). Defaults toTrue
. replication
- Optional. WATO replication allows you to manage several monitoring sites
with a logically centralized WATO. Slave sites receive their configuration
from master sites. By default this value is unset which means that the there
is no replication with this site. Set this to
slave
to enable configuration push to this site. socket
- Optional. Livestatus connection socket. By default this value is unset which
corresponds to the local site. In case this is a foreign site on localhost
or a remote site, this value must be set to a TCP or UNIX socket such as
tcp:<hostname>:<port>
orunix:<path>
. When connecting to remote site make sure that Livestatus over TCP is activated there. status_host
- Optional. By specifying a status host for each non-local connection you
prevent Multisite from running into timeouts when remote sites do not
respond. The value must be specified as
[ '<site>', '<hostname>' ]
. By default this value is unset. Check the upstream documentation for more information.
timeout
- Optional. Connect timeout in seconds before this site is considered to be
unreachable. Defaults to
10
. url_prefix
- Optional. The URL prefix will be prepended to links of addons like PNP4Nagios or the classical Icinga GUI when a link to such applications points to a host or service on that site.
username
- Optional. User name used to synchronize configuration data with this site
in case
item.replication
is set toslave
. Defaults tositesync
. user_login
- Optional. Allow users to directly directly login into the Web GUI of this
site. Defaults to
True
.
The default values for the distributed sites configuration are defined in
checkmk_server__distributed_sites_defaults
and can be overwritten
via Ansible inventory.
A lot of parameter descriptions are copied from the upstream source code which is copyrighted by Mathias Kettner and released under the GPL-2.0.