add nodered to iot, update mosquitto. monit now also usable with iot.

roles/iot/DESIGN.md

@@ -0,0 +1,19 @@
+# Design Description for IoT Role
+
+This role works differently compared to the others.
+It installs the basics for a home automation setup:
+
+ * InfluxDB time series database
+ * Grafana visualizations
+ * Mosquitto MQTT broker
+ * Node-Red scripting language
+
+It does not work with subdomains, everything runs under one domain.
+The top level routes to grafana.
+Going to the /nodered subdirectory leads to Node-Red.
+Going to /mqtt gets an MQTT-Admin UI.
+
+The ports for MQTT (with and without ssl, 1883 and 8883 respectively), as well as for MQTT SSL WebSockets (8083) will be opened in the firewall.
+
+This should be used together with the sslselfsigned role!
+When monitoring role is used as well, it can be accessed under /monit.

roles/iot/tasks/main.yml

@@ -2,3 +2,4 @@
 - include: influx.yml tags=iot
 - include: mosquitto.yml tags=iot
 - include: mqtt_admin.yml tags=iot
+- include: nodered.yml tags=iot

roles/iot/tasks/mosquitto.yml

@@ -1,16 +1,6 @@
 ---
 # Installs Mosquitto MQTT Broker
 
-- name: Ensure repository key for Mosquitto is in place
-  apt_key: url=https://repo.mosquitto.org/debian/mosquitto-repo.gpg.key state=present
-  tags:
-    - dependencies
-
-- name: Add Mosquitto repository
-  apt_repository: repo="deb https://repo.mosquitto.org/debian {{ ansible_distribution_release }} main"
-  tags:
-    - dependencies
-
 - name: Install Mosquitto from official repository
   apt:
     name: "{{ packages }}"
@@ -46,8 +36,9 @@
 - name: Set firewall rules for Mosquitto
   ufw: rule=allow port={{ item }} proto=tcp
   with_items:
-    - 8883  # mqtts (+ ssl)
-    - 8083  # mqtt websocket
+    - 1883 # mqtt (only enable in private networks!)
+    - 8883 # mqtts (+ ssl)
+    - 8083 # mqtt websocket
   tags: ufw
 
 - name: Register new Mosquitto service

roles/iot/tasks/nodered.yml

@@ -0,0 +1,18 @@
+- name: Create temporary Node-Red directory
+  file: state=directory path=/root/nodered
+
+- name: Download Node-Red install script
+  get_url:
+    url="https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered"
+    dest=/root/nodered/update-nodejs-and-nodered
+    owner=root
+    mode=0755
+
+- name: Run Node-Red install script
+  shell: /root/nodered/update-nodejs-and-nodered --confirm-root --confirm-install --skip-pi --restart --update-nodes
+
+- name: Register new Node-Red service
+  systemd: name=nodered daemon_reload=yes enabled=yes
+
+- name: Start new Node-Red instance
+  service: name=nodered state=started

roles/iot/templates/etc_apache2_sites-available_grafana.j2

@@ -8,6 +8,7 @@
 <VirtualHost *:443>
     ServerName {{ grafana_subdomain }}.{{ item.name }}
     ServerAlias {{ grafana_subdomain }}
+    ServerAlias {{ domain }}
 
     SSLEngine               On
     DocumentRoot            "{{ item.doc_root }}"
@@ -23,6 +24,13 @@
 
     ProxyRequests           Off
     ProxyPreserveHost       On
+
+    ProxyPass               /nodered/ http://localhost:1880/
+    ProxyPassReverse        /nodered/ http://localhost:1880/
+
+    ProxyPass               /monit/ http://localhost:2812/
+    ProxyPassReverse        /monit/ http://localhost:2812/
+
     ProxyPass               / http://localhost:{{ grafana_internal_port }}/
     ProxyPassReverse        / http://localhost:{{ grafana_internal_port }}/
 </VirtualHost>

roles/iot/templates/etc_mosquitto_conf.d_20-default.j2

@@ -1 +1 @@
-listener 1883 localhost
+listener 1883

roles/monitoring/defaults/main.yml

@@ -8,3 +8,5 @@ monit_alert_emails:
 
 monit_page_public: 1
 monit_subdomain: status
+
+default_http_redirect: true

roles/monitoring/files/etc_monit_conf.d_mongodb

@@ -0,0 +1,8 @@
+check process mongodb matching "mongod"
+  group database
+  start program = "/bin/systemctl start mongod"
+  stop program = "/bin/systemctl stop mongod"
+  if failed port 27017 type tcp
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_pgsql_deb11

@@ -0,0 +1,6 @@
+check process postgres with pidfile /var/run/postgresql/13-main.pid
+  group database
+  start program = "/bin/systemctl start postgresql"
+  stop program = "/bin/systemctl stop postgresql"
+  if failed host localhost port 5432 protocol pgsql then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_rocketchat

@@ -0,0 +1,8 @@
+check process rocketchat matching "Rocket.Chat"
+  group social
+  start program = "/bin/systemctl start rocketchat"
+  stop program = "/bin/systemctl stop rocketchat"
+  if failed port 3042 protocol http
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/tasks/logwatch.yml

@@ -12,9 +12,14 @@
 - name: Configure logwatch
   template: src=etc_logwatch_conf_logwatch.conf.j2 dest=/etc/logwatch/conf/logwatch.conf
 
+- name: Determine if rspamd is installed
+  stat: path=/etc/rspamd
+  register: rspamd_config_file
+
 - name: Configure rspamd to let logs through
   template: src=etc_rspamd_rspamd.conf.local.j2 dest=/etc/rspamd/rspamd.conf.local
   notify: restart rspamd
+  when: rspamd_config_file.stat.exists == True
 
 - name: Remove logwatch's dist cronjob
   file: state=absent path=/etc/cron.daily/00logwatch

roles/monitoring/tasks/monit.yml

@@ -1,21 +1,42 @@
 - name: Add monitoring vhost to apache
   template: src=etc_apache2_sites-available_00-status.conf dest=/etc/apache2/sites-available/00-status.conf
+  notify: restart apache
+  when: default_http_redirect
 
 - name: Enable the status vhost
   command: a2ensite 00-status.conf creates=/etc/apache2/sites-enabled/00-status.conf
   notify: restart apache
+  when: default_http_redirect
+
+- name: add buster-backport for Monit
+  apt_repository: repo='deb http://deb.debian.org/debian buster-backports main' state=present update_cache=yes
+  tags:
+    - dependencies
+  when: ansible_distribution_version == '10'
 
 - name: Install monit
   apt:
     name: monit
     state: present
+    default_release: buster-backports
   tags:
     - dependencies
+  when: ansible_distribution_version == '10'
+
+- name: Install monit
+  apt:
+    name: monit
+    state: present
+  tags:
+    - dependencies
+  when: ansible_distribution_version != '10'
 
 - name: Copy monit master config file into place
   template: src=etc_monit_monitrc.j2 dest=/etc/monit/monitrc
   notify: restart monit
 
+# ---------------------------------------
+
 - name: Determine if ZNC is installed
   stat: path=/usr/lib/znc/configs/znc.conf
   register: znc_config_file
@@ -76,6 +97,52 @@
   stat: path=/etc/jitsi/jicofo/config
   register: jitsi_config_file
 
+- name: Determine if MongoDB is installed
+  stat: path=/etc/mongod.conf
+  register: mongodb_config_file
+
+- name: Determine if Rocket.Chat is installed
+  stat: path=/usr/local/bin/Rocket.Chat/main.js
+  register: rocketchat_config_file
+
+- name: Determine if Apache2 is installed
+  stat: path=/etc/apache2/apache2.conf
+  register: apache2_config_file
+
+- name: Determine if Dovecot is installed
+  stat: path=/etc/dovecot/dovecot.conf
+  register: dovecot_config_file
+
+- name: Determine if Postfix is installed
+  stat: path=/etc/postfix/main.cf
+  register: postfix_config_file
+
+- name: Determine if sshd is installed
+  stat: path=/etc/ssh/sshd_config
+  register: sshd_config_file
+
+- name: Determine if pgsql_deb9 is installed
+  stat: path=/etc/postgresql/9.6/main/pg_ctl.conf
+  register: pgsql9_config_file
+
+- name: Determine if pgsql_deb10 is installed
+  stat: path=/etc/postgresql/11/main/pg_ctl.conf
+  register: pgsql10_config_file
+
+- name: Determine if pgsql_deb11 is installed
+  stat: path=/etc/postgresql/13/main/pg_ctl.conf
+  register: pgsql11_config_file
+
+- name: Determine if tomcat_deb9 is installed
+  stat: path=/etc/tomcat8/server.xml
+  register: tomcat9_config_file
+
+- name: Determine if tomcat_deb10 is installed
+  stat: path=/etc/tomcat9/server.xml
+  register: tomcat10_config_file
+
+# ---------------------------------------
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -156,38 +223,62 @@
   notify: restart monit
   when: openvpn_config_file.stat.exists == True
 
-- name: Copy monit service config files into place
-  copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
-  with_items:
-    - apache2
-    - dovecot
-    - postfix
-    - sshd
+- name: Copy MongoDB monit service config files into place
+  copy: src=etc_monit_conf.d_mongodb dest=/etc/monit/conf.d/mongodb
   notify: restart monit
+  when: mongodb_config_file.stat.exists == True
 
-- name: Copy monit service config files into place
-  copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
-  with_items:
-    - pgsql_deb9
-    - tomcat_deb9
+- name: Copy Rocket.Chat monit service config files into place
+  copy: src=etc_monit_conf.d_rocketchat dest=/etc/monit/conf.d/rocketchat
   notify: restart monit
-  when: ansible_distribution_version == '9'
+  when: rocketchat_config_file.stat.exists == True
 
-- name: Copy monit service config files into place
-  copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
-  with_items:
-    - pgsql_deb10
-    - tomcat_deb10
+- name: Copy apache2 monit service config files into place
+  copy: src=etc_monit_conf.d_apache2 dest=/etc/monit/conf.d/apache2
   notify: restart monit
-  when: ansible_distribution_version == '10'
+  when: apache2_config_file.stat.exists == True
 
-- name: Copy monit service config files into place
-  copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
-  with_items:
-    - pgsql_deb10
-    - tomcat_deb10
+- name: Copy dovecot monit service config files into place
+  copy: src=etc_monit_conf.d_dovecot dest=/etc/monit/conf.d/dovecot
   notify: restart monit
-  when: ansible_distribution_version == '11'
+  when: dovecot_config_file.stat.exists == True
+
+- name: Copy postfix monit service config files into place
+  copy: src=etc_monit_conf.d_postfix dest=/etc/monit/conf.d/postfix
+  notify: restart monit
+  when: postfix_config_file.stat.exists == True
+
+- name: Copy sshd monit service config files into place
+  copy: src=etc_monit_conf.d_sshd dest=/etc/monit/conf.d/ssh
+  notify: restart monit
+  when: sshd_config_file.stat.exists == True
+
+- name: Copy pgsql deb9 monit service config files into place
+  copy: src=etc_monit_conf.d_pgsql_deb9 dest=/etc/monit/conf.d/pgsql_deb9
+  notify: restart monit
+  when: pgsql9_config_file.stat.exists == True
+
+- name: Copy tomcat deb9 monit service config files into place
+  copy: src=etc_monit_conf.d_tomcat_deb9 dest=/etc/monit/conf.d/tomcat_deb9
+  notify: restart monit
+  when: tomcat9_config_file.stat.exists == True
+
+- name: Copy pgsql deb10 monit service config files into place
+  copy: src=etc_monit_conf.d_pgsql_deb10 dest=/etc/monit/conf.d/pgsql_deb10
+  notify: restart monit
+  when: pgsql10_config_file.stat.exists == True
+
+- name: Copy tomcat deb10 monit service config files into place
+  copy: src=etc_monit_conf.d_tomcat_deb10 dest=/etc/monit/conf.d/tomcat_deb10
+  notify: restart monit
+  when: tomcat10_config_file.stat.exists == True
+
+- name: Copy pgsql deb11 monit service config files into place
+  copy: src=etc_monit_conf.d_pgsql_deb11 dest=/etc/monit/conf.d/pgsql_deb11
+  notify: restart monit
+  when: pgsql11_config_file.stat.exists == True
+
+# ---------------------------------------
 
 # TODO add to fail2ban when monit_page_public == 1