Merge branch '124-recevoir-les-alertes-de-alertmanager-dans-matrix' into 'main'

Resolve "Recevoir les alertes de Alertmanager dans Matrix"

Closes #124

See merge request Neutrinet/infra!138

inventories/group_vars/alertmanager/vars.yml

@@ -5,3 +5,8 @@ alertmanager_smtp_from: alertmanager@neutrinet.be
 alertmanager_smtp_to: alertmanager@neutrinet.be
 alertmanager_smtp_username: alertmanager@neutrinet.be
 alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
+
+alertmanager_matrix_username: "neutribot"
+alertmanager_matrix_password: "{{ vault_alertmanager_matrix_password }}"
+alertmanager_matrix_host: matrix.domainepublic.net
+alertmanager_matrix_room: "!RwsRwTYSutAOiujkCC:matrix.domainepublic.net"

inventories/group_vars/alertmanager/vault.yml

 $ANSIBLE_VAULT;1.1;AES256
-34383065666533393561666533323764383030653431666634343665623531386266306463396537
-6466363838666264376563613938616537333030353136360a313636616130663563336463333934
-36396637343562303661316539306535306564316332653239646637656463393637346334346530
-6166363633623135640a336233646162633066653538633139666135356535313235356164663439
-35383937633431386632353731313164383061333964306236323466666564333033646530353833
-36613265613333383737303239323937333362366465363138363434643933646265623134383735
-36303938656466613362396464623266663939306330386638663562316237383837373462323662
-37613836333536393431
+62626466633261303663333034346364316330363965633631356166373333333237623436656635
+3935666663656361636565653865333766616134373465370a653832656638653334373965303335
+31393434613461363032633232636132393736356137373263653733393232393162303964313038
+3064353464343938620a316536393730393437656333333261393663323836326164643830356534
+30336662623866636638613331323461333766353037633930363862313263656338363063303662
+66346663326464363937336165303832623162383463646339363462646336333534333264346132
+35666432326362336434663032343834316364633030643733373037643837646432393737383662
+30666637323535386235616434363465393731363063653534616563396266323462373866616562
+31643837316361336530316463613536326331663634646333373335653333663535333665636239
+66636465366638346439393335303464363838333531643134356464626236376330633335343237
+36656531343532323465353161363434373839356165643636646137346632323239623466613132
+38653338656333323465

roles/alertmanager/defaults/main.yml

@@ -5,3 +5,16 @@ alertmanager_smtp_from: alertmanager@example.com
 alertmanager_smtp_to: root@localhost
 alertmanager_smtp_username: ""
 alertmanager_smtp_password: ""
+
+alertmanager_matrix_username: "neutribot-test"
+alertmanager_matrix_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34383335643538646530393665623666306662346530303532383566616535343338353266373233
+          3035303838326636336539653333613561643565633064660a663334633836313835356133383266
+          39663636363633343634343231373334343064333230333239333430376633313362376531333164
+          6630346434653362370a636435353564363861363138663262353963623162346537313139616132
+          34396536303537613833633534633330386631303561373130313237303936633363326630316237
+          3866626638383930336339626361313565336334616665636536
+alertmanager_matrix_host: matrix.domainepublic.net
+alertmanager_matrix_room: "!wjECRmYYmDbBJcebBt:matrix.domainepublic.net"
+alertmanager_matrix_service: alertmanager_service

roles/alertmanager/files/systemd/matrix-goneb.service

+[Unit]
+Description=Matrix Go-NEB - A Matrix bot written in Go
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=2s
+ExecStart=/usr/local/bin/matrix-goneb
+ExecReload = /bin/kill -s HUP $MAINPID
+ExecStop = /bin/kill -s TERM $MAINPID
+
+User=matrix-goneb
+Group=matrix-goneb
+WorkingDirectory=/opt/matrix-goneb/dist
+ReadWritePaths=/opt/matrix-goneb/dist/db
+Environment=BIND_ADDRESS=localhost:4050 DATABASE_TYPE=sqlite3 DATABASE_URL=db/go-neb.db?_busy_timeout=5000 BASE_URL=http://localhost:4050 CONFIG_FILE=config.yml
+
+# Systemd hardening
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+PrivateTmp=true
+PrivateUsers=true
+RemoveIPC=true
+LockPersonality=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

roles/alertmanager/handlers/main.yml

+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
 - name: restart alertmanager
   service:
     name: prometheus-alertmanager
     state: restarted
 
+- name: restart matrix-goneb
+  service:
+    name: matrix-goneb
+    state: restarted
+
 - name: reload prometheus
   service:
     name: prometheus

roles/alertmanager/molecule/default/molecule.yml

@@ -8,7 +8,7 @@ platforms:
   - name: buster-alertmanager-molecule
     box: debian/buster64
     cpu: 2
-    memory: 512
+    memory: 1024
     interfaces:
       - network_name: private_network
         type: dhcp
@@ -18,6 +18,7 @@ provisioner:
   config_options:
     defaults:
       interpreter_python: /usr/bin/python3
+      vault_password_file: "${MOLECULE_PROJECT_DIRECTORY}/../../vault.key"
     ssh_connection:
       pipelining: true
 verifier:

roles/alertmanager/molecule/default/prepare.yml

@@ -9,6 +9,16 @@
         update_cache: true
         cache_valid_time: 3600
 
+    - name: Installation de Git
+      package:
+        name: git
+        state: present
+
+    - name: Installation des ACL
+      package:
+        name: acl
+        state: present
+
   roles:
     - telegraf
     - prometheus

roles/alertmanager/tasks/main.yml

@@ -63,3 +63,7 @@
     mode: "u=rw,go=r"
     validate: promtool check rules %s
   notify: reload prometheus
+
+- name: Installation de matrix-goneb
+  import_tasks: matrix-goneb.yml
+  tags: ['matrix_goneb']

roles/alertmanager/tasks/matrix-goneb.yml

+- name: Installation de Go
+  import_role:
+    name: go
+  vars:
+    go_version: "1.17.5"
+  tags: ['go']
+
+- name: Création de l'utilisateur matrix-goneb
+  user:
+    name: matrix-goneb
+    home: /opt/matrix-goneb
+    shell: /sbin/nologin
+    system: true
+    state: present
+
+- name: Création des dossiers pour matrix-goneb
+  file:
+    path: "{{ matrix_goneb_dir }}"
+    owner: matrix-goneb
+    group: matrix-goneb
+    mode: "u=rwx,go=rx"
+    state: directory
+  loop:
+    - /opt/matrix-goneb/src
+    - /opt/matrix-goneb/dist
+    - /opt/matrix-goneb/dist/db
+  loop_control:
+    loop_var: matrix_goneb_dir
+
+- name: Récupération du dépôt git de matrix-goneb
+  git:
+    repo: https://github.com/matrix-org/go-neb.git
+    version: master
+    dest: /opt/matrix-goneb/src
+    single_branch: true
+    update: true
+  become_user: matrix-goneb
+  register: _alertmanager_matrix_goneb_repo
+  notify: restart matrix-goneb
+
+- name: Installation des dépendences de matrix-goneb
+  apt:
+    name: libolm-dev
+    # See https://github.com/matrix-org/go-neb/issues/338#issuecomment-707989819
+    default_release: "{{ (ansible_distribution_release == 'buster') | ternary('buster-backports',omit) }}"
+    state: present
+
+- name: Compilation de matrix-goneb # noqa no-handler
+  command:
+    cmd: "go{{ go_version }} build github.com/matrix-org/go-neb"
+    chdir: /opt/matrix-goneb/src
+  become_user: matrix-goneb
+  when: _alertmanager_matrix_goneb_repo is changed
+
+- name: Création du lien symbolique pour le binaire matrix-goneb
+  file:
+    src: /opt/matrix-goneb/src/go-neb
+    dest: /usr/local/bin/matrix-goneb
+    owner: matrix-goneb
+    group: matrix-goneb
+    mode: "u=rwx,go=rx"
+    state: link
+
+- name: Connexion de l'utilisateur Matrix
+  uri:
+    url: https://{{ alertmanager_matrix_host }}/_matrix/client/r0/login
+    method: POST
+    body:
+      identifier:
+        type: m.id.user
+        user: "{{ alertmanager_matrix_username }}"
+      password: "{{ alertmanager_matrix_password }}"
+      type: m.login.password
+    body_format: json
+    creates: /opt/matrix-goneb/matrix-session.secret
+    dest: /opt/matrix-goneb/matrix-session.secret
+    owner: matrix-goneb
+    group: matrix-goneb
+    mode: "u=rw,go="
+
+- name: Récupération des infos de connexion
+  slurp:
+    src: /opt/matrix-goneb/matrix-session.secret
+  register: _alertmanager_matrix_session_encoded
+
+- name: Définition du token et device de l'utilisateur Matrix
+  set_fact:
+    alertmanager_matrix_token: "{{ _alertmanager_matrix_session.access_token }}"
+    alertmanager_matrix_device: "{{ _alertmanager_matrix_session.device_id }}"
+  vars:
+    _alertmanager_matrix_session: "{{ _alertmanager_matrix_session_encoded.content | b64decode | from_json }}"
+
+- name: Vérification de la connexion
+  uri:
+    url: https://{{ alertmanager_matrix_host }}/_matrix/client/r0/devices/{{ alertmanager_matrix_device }}
+    headers:
+      Authorization: Bearer {{ alertmanager_matrix_token }}
+
+- name: Configuration de matrix-goneb
+  template:
+    src: matrix-goneb/config.yml.j2
+    dest: /opt/matrix-goneb/dist/config.yml
+    owner: matrix-goneb
+    group: matrix-goneb
+    mode: "u=rw,g=r,o="
+  notify: restart matrix-goneb
+
+- name: Configuration du service systemd
+  copy:
+    src: systemd/matrix-goneb.service
+    dest: /etc/systemd/system/matrix-goneb.service
+    owner: root
+    group: root
+    mode: "u=rw,go=r"
+  notify:
+    - reload systemd
+    - restart matrix-goneb
+
+- name: Activation de matrix-goneb au démarrage
+  service:
+    name: matrix-goneb
+    state: started
+    enabled: true

roles/alertmanager/templates/alertmanager/alertmanager.yml.j2

@@ -52,3 +52,7 @@ receivers:
   - name: default-receiver
     email_configs:
       - to: {{ alertmanager_smtp_to }}
+        send_resolved: true
+    webhook_configs:
+      - url: {{ alertmanager_matrix_webhook_url }}
+        send_resolved: true

roles/alertmanager/templates/matrix-goneb/config.yml.j2

+{{ ansible_managed | comment }}
+
+# Go-NEB Configuration File
+#
+# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs.
+#
+# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`.
+# It will force Go-NEB to operate in "config" mode. This means:
+#   - Go-NEB will ONLY use the data contained inside this file.
+#   - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime.
+#   - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead.
+
+clients:
+  - UserID: "@{{ alertmanager_matrix_username }}:{{ alertmanager_matrix_host }}"
+    AccessToken: "{{ alertmanager_matrix_token }}"
+    DeviceID: "{{ alertmanager_matrix_device }}"
+    HomeserverURL: "https://{{ alertmanager_matrix_host }}"
+    Sync: true
+    AutoJoinRooms: true
+    DisplayName: "Neutrinet Alert"
+    AcceptVerificationFromUsers: [":{{ alertmanager_matrix_host }}"]
+
+services:
+  - ID: "echo"
+    Type: "echo"
+    UserID: "@{{ alertmanager_matrix_username }}:{{ alertmanager_matrix_host }}"
+    Config: {}
+
+  - ID: "{{ alertmanager_matrix_service }}"
+    Type: "alertmanager"
+    UserID: "@{{ alertmanager_matrix_username }}:{{ alertmanager_matrix_host }}"
+    Config:
+      # This is for information purposes only. It should point to Go-NEB path as follows:
+      # `/services/hooks/<base64 encoded service ID>`
+      # Where in this case "service ID" is "alertmanager_service"
+      # Make sure your BASE_URL can be accessed by the Alertmanager instance!
+      webhook_url: {{ alertmanager_matrix_webhook_url }}
+      # Each room will get the notification with the alert rendered with the given template
+      rooms:
+        "{{ alertmanager_matrix_room }}":
+{% raw %}
+          text_template: >-
+            {{ range .Alerts -}}
+              {{ if eq .Status "firing" -}}
+                {{ $severity := index .Labels "severity" }}
+                {{- if eq $severity "critical" -}}
+                  [🔥 CRITICAL]
+                {{- else if eq $severity "warning" -}}
+                  [⚠️ WARNING]
+                {{- else -}}
+                  [🔔️ {{ $severity }}]
+                {{- end -}}
+              {{ else -}}
+                [✅ RESOLVED]
+              {{- end }} {{ index .Labels "alertname" }}: {{ index .Annotations "description" }}
+            {{- end }}
+          html_template: >-
+            {{ range .Alerts -}}
+              {{ if eq .Status "firing" -}}
+                {{ $severity := index .Labels "severity" }}
+                {{- if eq $severity "critical" -}}
+                  <font color='#dc3545'><b>[🔥 CRITICAL]</b></font>
+                {{- else if eq $severity "warning" -}}
+                  <font color='#ffc107'><b>[⚠️ WARNING]</b></font>
+                {{- else -}}
+                  <b>[🔔️ {{ $severity }}]</b>
+                {{- end -}}
+              {{ else -}}
+                <font color='#33cc33'><b>[✅ RESOLVED]</b></font>
+              {{- end }} <a href="{{ .GeneratorURL }}">{{ index .Labels "alertname" }}</a> ({{ index .Labels "job" }})<br/>
+              {{- index .Annotations "description" }}
+            {{- end }}
+{% endraw %}
+          msg_type: "m.text"  # Must be either `m.text` or `m.notice`

roles/alertmanager/vars/main.yml

+alertmanager_matrix_webhook_url: http://localhost:4050/services/hooks/{{ alertmanager_matrix_service | b64encode | trim('=') }}

roles/go/defaults/main.yml

+go_version: "1.17.5"

roles/go/molecule/default/INSTALL.rst

+*********************************
+Vagrant driver installation guide
+*********************************
+
+Requirements
+============
+
+* Vagrant
+* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule_vagrant'

roles/go/molecule/default/converge.yml

+---
+- name: Converge
+  hosts: all
+  become: true
+
+  roles:
+    - go

roles/go/molecule/default/molecule.yml

+dependency:
+  name: galaxy
+driver:
+  name: vagrant
+  provider:
+    name: virtualbox
+platforms:
+  - name: buster-go-molecule
+    box: debian/buster64
+    cpu: 2
+    memory: 512
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: /usr/bin/python3
+    ssh_connection:
+      pipelining: true
+verifier:
+  name: ansible

roles/go/molecule/default/prepare.yml

+---
+- name: Prepare
+  hosts: all
+  become: true
+
+  pre_tasks:
+    - name: Mise à jour du cache APT
+      apt:
+        update_cache: true
+        cache_valid_time: 3600

roles/go/tasks/main.yml

+- name: Création du dossier d'installation de Go v{{ go_version }}
+  file:
+    path: /opt/go/{{ go_version }}
+    owner: root
+    group: root
+    mode: "u=rwx,go=rx"
+    state: directory
+
+- name: Téléchargement de la checksum de Go v{{ go_version }}
+  uri:
+    url: https://dl.google.com/go/go{{ go_version }}.linux-amd64.tar.gz.sha256
+    return_content: true
+  register: go_checksum
+
+- name: Téléchargement de l'archive de Go v{{ go_version }}
+  get_url:
+    url: https://dl.google.com/go/go{{ go_version }}.linux-amd64.tar.gz
+    checksum: sha256:{{ go_checksum.content }}
+    dest: /usr/local/src/go{{ go_version }}.tar.gz
+    mode: "u=rw,go=r"
+    owner: root
+    group: root
+
+- name: Décompression de l'archive
+  unarchive:
+    src: /usr/local/src/go{{ go_version }}.tar.gz
+    dest: /opt/go/{{ go_version }}
+    remote_src: true
+    creates: /opt/go/{{ go_version }}/bin/go
+    extra_opts:
+      - --strip-components=1
+    owner: root
+    group: root
+
+- name: Création du lien symbolique pour le binaire go{{ go_version }}
+  file:
+    src: /opt/go/{{ go_version }}/bin/go
+    dest: /usr/local/bin/go{{ go_version }}
+    state: link
+    owner: root
+    group: root
+    mode: "u=rwx,go=rx"
+
+- name: Installaiton des outils de compilation
+  package:
+    name: build-essential
+    state: present