
Monitoring - checkmk (https://checkmk.com)

Details

add swap file

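# Create the swap file at /swapfile, the path that chmod, mkswap, swapon and
# the fstab entry below all use (a relative "of=swapfile" would land in the
# current directory instead).
# The subshell's umask 077 makes the file owner-only from the moment dd
# creates it, so swapped-out memory is never readable by other users.
# NOTE(review): 2*2014 MiB (about 3.9 GiB) looks like a typo for 2*1024 - confirm.
(umask 077 && dd if=/dev/zero of=/swapfile bs=1MiB count=$((2*2014)))
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile    none    swap    sw    0    0' >> /etc/fstab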

Disable unneeded services

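# Disable and stop the socket unit together with the service; if only the
# service is stopped, socket activation can start rpcbind again on the next
# connection to its port.
systemctl disable --now rpcbind.service rpcbind.socket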

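Installation

Before installing, check the downloaded package against the checksum or signature published by the vendor; dpkg -i runs the package's maintainer scripts as root.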

root@monitoring01:/tmp# wget https://download.checkmk.com/checkmk/2.0.0b6/check-mk-raw-2.0.0b6_0.buster_amd64.deb
root@monitoring01:/tmp# dpkg -i check-mk-raw-2.0.0b6_0.buster_amd64.deb
root@monitoring01:/tmp# apt install -f

Create monitoring instance 'monitoring01'

root@monitoring01:/tmp# omd create monitoring01
Adding /opt/omd/sites/monitoring01/tmp to /etc/fstab.
Creating temporary filesystem /omd/sites/monitoring01/tmp...OK
Updating core configuration...
Generating configuration for core (type nagios)...Precompiling host checks...OK
OK
Restarting Apache...OK
Created new site monitoring01 with version 2.0.0b6.cre.

  The site can be started with omd start monitoring01.
  The default web UI is available at http://monitoring01/monitoring01/

  The admin user for the web applications is cmkadmin with password: H4UTD8z9
  For command line administration of the site, log in with 'omd su monitoring01'.
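  After logging in, you can change the password for cmkadmin with 'htpasswd etc/htpasswd cmkadmin'.

Note: the cmkadmin password printed above is the randomly generated initial password from this run. Change it right after the first login and keep the real value out of the repository.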

Certbot and United Domains

apt install certbot -y

certbot certonly -d monitoring01.wtf-eg.net

## Configure Apache SSL

root@monitoring01:~# mkdir -p /etc/apache2/ssl
root@monitoring01:~# openssl dhparam -out /etc/apache2/ssl/dhp-4096.pem 4096

vim /etc/apache2/sites-available/000-default.conf
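<VirtualHost *:80>
    # Redirect every plain-HTTP request to the HTTPS site.
    # The redirect target is the fixed site name rather than %{HTTP_HOST}, so a
    # client-supplied Host header cannot steer the redirect to another name and
    # the target always matches the certificate.
    # Requires mod_rewrite (a2enmod rewrite).
    ServerName monitoring01.wtf-eg.net
    RewriteEngine On
    RewriteRule ^(.*)$ https://monitoring01.wtf-eg.net$1 [R=301,L]
</VirtualHost>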

vim /etc/apache2/sites-available/default-ssl.conf

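<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName monitoring01.wtf-eg.net

        ServerAdmin it@wtf-eg.de
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        # TLS settings: protocol/cipher defaults from Let's Encrypt, the
        # certificate and key issued for this host, and the locally generated
        # 4096-bit DH parameters.
        # NOTE(review): options-ssl-apache.conf is normally written by certbot's
        # Apache plugin; the guide uses "certbot certonly", so confirm the file
        # exists before running configtest.
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/monitoring01.wtf-eg.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/monitoring01.wtf-eg.net/privkey.pem
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhp-4096.pem"

        # Tell the application behind this vhost that the client connection is HTTPS.
        RequestHeader set X-Forwarded-Proto "https"

        # The site is HTTPS-only (port 80 just redirects), so tell browsers to
        # skip the plain-HTTP hop on later visits. Requires mod_headers.
        Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
</IfModule>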

a2dismod status && vim /etc/apache2/conf-available/security.conf

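#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#   AllowOverride None
#   Require all denied
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off
#ServerSignature On

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
# Enabled here: this guide loads mod_headers with "a2enmod ssl headers".
Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
# Enabled here as well. NOTE(review): if the monitoring UI is embedded in a
# dashboard served from a different origin, this header blocks it - confirm.
Header set X-Frame-Options: "sameorigin"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet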

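# mod_rewrite is needed by the RewriteRule in the port-80 vhost, and the
# default-ssl site must be enabled for the :443 vhost to be served; both
# commands do nothing if the module or site is already enabled.
# configtest runs before the restart so a broken config never takes Apache down.
a2enmod ssl headers rewrite && a2ensite default-ssl && apache2ctl configtest && systemctl restart apache2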

start omd

su - monitoring01
omd start

Login

https://monitoring01.wtf-eg.net/monitoring01