Commit 24884d04 authored by HgO's avatar HgO

Merge branch '124-recevoir-les-alertes-de-alertmanager-dans-matrix' into 'main'

Resolve "Recevoir les alertes de Alertmanager dans Matrix"

Closes #124

See merge request Neutrinet/infra!138
parents 961fccfa e88e9397
......@@ -5,3 +5,8 @@ alertmanager_smtp_from: alertmanager@neutrinet.be
alertmanager_smtp_to: alertmanager@neutrinet.be
alertmanager_smtp_username: alertmanager@neutrinet.be
alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
alertmanager_matrix_username: "neutribot"
alertmanager_matrix_password: "{{ vault_alertmanager_matrix_password }}"
alertmanager_matrix_host: matrix.domainepublic.net
alertmanager_matrix_room: "!RwsRwTYSutAOiujkCC:matrix.domainepublic.net"
$ANSIBLE_VAULT;1.1;AES256
34383065666533393561666533323764383030653431666634343665623531386266306463396537
6466363838666264376563613938616537333030353136360a313636616130663563336463333934
36396637343562303661316539306535306564316332653239646637656463393637346334346530
6166363633623135640a336233646162633066653538633139666135356535313235356164663439
35383937633431386632353731313164383061333964306236323466666564333033646530353833
36613265613333383737303239323937333362366465363138363434643933646265623134383735
36303938656466613362396464623266663939306330386638663562316237383837373462323662
37613836333536393431
62626466633261303663333034346364316330363965633631356166373333333237623436656635
3935666663656361636565653865333766616134373465370a653832656638653334373965303335
31393434613461363032633232636132393736356137373263653733393232393162303964313038
3064353464343938620a316536393730393437656333333261393663323836326164643830356534
30336662623866636638613331323461333766353037633930363862313263656338363063303662
66346663326464363937336165303832623162383463646339363462646336333534333264346132
35666432326362336434663032343834316364633030643733373037643837646432393737383662
30666637323535386235616434363465393731363063653534616563396266323462373866616562
31643837316361336530316463613536326331663634646333373335653333663535333665636239
66636465366638346439393335303464363838333531643134356464626236376330633335343237
36656531343532323465353161363434373839356165643636646137346632323239623466613132
38653338656333323465
......@@ -5,3 +5,16 @@ alertmanager_smtp_from: alertmanager@example.com
alertmanager_smtp_to: root@localhost
alertmanager_smtp_username: ""
alertmanager_smtp_password: ""
alertmanager_matrix_username: "neutribot-test"
alertmanager_matrix_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34383335643538646530393665623666306662346530303532383566616535343338353266373233
3035303838326636336539653333613561643565633064660a663334633836313835356133383266
39663636363633343634343231373334343064333230333239333430376633313362376531333164
6630346434653362370a636435353564363861363138663262353963623162346537313139616132
34396536303537613833633534633330386631303561373130313237303936633363326630316237
3866626638383930336339626361313565336334616665636536
alertmanager_matrix_host: matrix.domainepublic.net
alertmanager_matrix_room: "!wjECRmYYmDbBJcebBt:matrix.domainepublic.net"
alertmanager_matrix_service: alertmanager_service
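Review bot: The molecule inventory now authenticates the `neutribot-test` account against the live homeserver `alertmanager_matrix_host: matrix.domainepublic.net`, so a converge is no longer hermetic: on every fresh VM the `Connexion de l'utilisateur Matrix` task in matrix-goneb.yml performs a real `/login` (its `creates:` file does not exist yet) and, assuming the homeserver follows the standard Matrix password-login flow, leaves a new device registered on that account after each run. Consider stating this in the role README and deleting the session's device in the scenario's cleanup or destroy playbook, or pointing the test at a throwaway homeserver. The `!vault |` block and the quoted room ID are the right forms here, since a bare `!` would otherwise be read as a YAML tag.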
[Unit]
Description=Matrix Go-NEB - A Matrix bot written in Go
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=2s
ExecStart=/usr/local/bin/matrix-goneb
ExecReload = /bin/kill -s HUP $MAINPID
ExecStop = /bin/kill -s TERM $MAINPID
User=matrix-goneb
Group=matrix-goneb
WorkingDirectory=/opt/matrix-goneb/dist
ReadWritePaths=/opt/matrix-goneb/dist/db
Environment=BIND_ADDRESS=localhost:4050 DATABASE_TYPE=sqlite3 DATABASE_URL=db/go-neb.db?_busy_timeout=5000 BASE_URL=http://localhost:4050 CONFIG_FILE=config.yml
# Systemd hardening
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
PrivateTmp=true
PrivateUsers=true
RemoveIPC=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
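Review bot: `ProtectKernelTunables=true` and `RestrictNamespaces=true` each appear twice (the second copies follow `ProtectSystem=strict` and `RestrictSUIDSGID=true`); drop the duplicates so the hardening list reads as an unambiguous checklist. `ExecReload = /bin/kill -s HUP $MAINPID` and `ExecStop = /bin/kill -s TERM $MAINPID` are the only keys with spaces around `=`; normalize them to `ExecReload=/bin/kill -s HUP $MAINPID` and `ExecStop=/bin/kill -s TERM $MAINPID`. The `ReadWritePaths=/opt/matrix-goneb/dist/db` grant also looks unused: the header of the config.yml.j2 template in this same commit states that with `CONFIG_FILE` set the `DATABASE_URL` is ignored and an in-memory database is used, so both the grant and the `DATABASE_URL=…` entry in `Environment=` could probably be removed to keep the service's view of the filesystem fully read-only — worth confirming against the Go-NEB revision actually built.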
- name: reload systemd
systemd:
daemon_reload: true
- name: restart alertmanager
service:
name: prometheus-alertmanager
state: restarted
- name: restart matrix-goneb
service:
name: matrix-goneb
state: restarted
- name: reload prometheus
service:
name: prometheus
......
......@@ -8,7 +8,7 @@ platforms:
- name: buster-alertmanager-molecule
box: debian/buster64
cpu: 2
memory: 512
memory: 1024
interfaces:
- network_name: private_network
type: dhcp
......@@ -18,6 +18,7 @@ provisioner:
config_options:
defaults:
interpreter_python: /usr/bin/python3
vault_password_file: "${MOLECULE_PROJECT_DIRECTORY}/../../vault.key"
ssh_connection:
pipelining: true
verifier:
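Review bot: `vault_password_file: "${MOLECULE_PROJECT_DIRECTORY}/../../vault.key"` resolves to a file inside the repository checkout, two levels above the scenario directory and next to the vaults it decrypts. Unless `vault.key` is already excluded by the repository's `.gitignore` (not visible in this commit), add that entry so the key cannot be committed alongside the encrypted test password this same commit introduces. The enclosing `provisioner:` mapping starts before the hunk.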
......
......@@ -9,6 +9,16 @@
update_cache: true
cache_valid_time: 3600
- name: Installation de Git
package:
name: git
state: present
- name: Installation des ACL
package:
name: acl
state: present
roles:
- telegraf
- prometheus
......@@ -63,3 +63,7 @@
mode: "u=rw,go=r"
validate: promtool check rules %s
notify: reload prometheus
- name: Installation de matrix-goneb
import_tasks: matrix-goneb.yml
tags: ['matrix_goneb']
- name: Installation de Go
import_role:
name: go
vars:
go_version: "1.17.5"
tags: ['go']
- name: Création de l'utilisateur matrix-goneb
user:
name: matrix-goneb
home: /opt/matrix-goneb
shell: /sbin/nologin
system: true
state: present
- name: Création des dossiers pour matrix-goneb
file:
path: "{{ matrix_goneb_dir }}"
owner: matrix-goneb
group: matrix-goneb
mode: "u=rwx,go=rx"
state: directory
loop:
- /opt/matrix-goneb/src
- /opt/matrix-goneb/dist
- /opt/matrix-goneb/dist/db
loop_control:
loop_var: matrix_goneb_dir
- name: Récupération du dépôt git de matrix-goneb
git:
repo: https://github.com/matrix-org/go-neb.git
version: master
dest: /opt/matrix-goneb/src
single_branch: true
update: true
become_user: matrix-goneb
register: _alertmanager_matrix_goneb_repo
notify: restart matrix-goneb
- name: Installation des dépendences de matrix-goneb
apt:
name: libolm-dev
# See https://github.com/matrix-org/go-neb/issues/338#issuecomment-707989819
default_release: "{{ (ansible_distribution_release == 'buster') | ternary('buster-backports',omit) }}"
state: present
- name: Compilation de matrix-goneb # noqa no-handler
command:
cmd: "go{{ go_version }} build github.com/matrix-org/go-neb"
chdir: /opt/matrix-goneb/src
become_user: matrix-goneb
when: _alertmanager_matrix_goneb_repo is changed
- name: Création du lien symbolique pour le binaire matrix-goneb
file:
src: /opt/matrix-goneb/src/go-neb
dest: /usr/local/bin/matrix-goneb
owner: matrix-goneb
group: matrix-goneb
mode: "u=rwx,go=rx"
state: link
- name: Connexion de l'utilisateur Matrix
uri:
url: https://{{ alertmanager_matrix_host }}/_matrix/client/r0/login
method: POST
body:
identifier:
type: m.id.user
user: "{{ alertmanager_matrix_username }}"
password: "{{ alertmanager_matrix_password }}"
type: m.login.password
body_format: json
creates: /opt/matrix-goneb/matrix-session.secret
dest: /opt/matrix-goneb/matrix-session.secret
owner: matrix-goneb
group: matrix-goneb
mode: "u=rw,go="
- name: Récupération des infos de connexion
slurp:
src: /opt/matrix-goneb/matrix-session.secret
register: _alertmanager_matrix_session_encoded
- name: Définition du token et device de l'utilisateur Matrix
set_fact:
alertmanager_matrix_token: "{{ _alertmanager_matrix_session.access_token }}"
alertmanager_matrix_device: "{{ _alertmanager_matrix_session.device_id }}"
vars:
_alertmanager_matrix_session: "{{ _alertmanager_matrix_session_encoded.content | b64decode | from_json }}"
- name: Vérification de la connexion
uri:
url: https://{{ alertmanager_matrix_host }}/_matrix/client/r0/devices/{{ alertmanager_matrix_device }}
headers:
Authorization: Bearer {{ alertmanager_matrix_token }}
- name: Configuration de matrix-goneb
template:
src: matrix-goneb/config.yml.j2
dest: /opt/matrix-goneb/dist/config.yml
owner: matrix-goneb
group: matrix-goneb
mode: "u=rw,g=r,o="
notify: restart matrix-goneb
- name: Configuration du service systemd
copy:
src: systemd/matrix-goneb.service
dest: /etc/systemd/system/matrix-goneb.service
owner: root
group: root
mode: "u=rw,go=r"
notify:
- reload systemd
- restart matrix-goneb
- name: Activation de matrix-goneb au démarrage
service:
name: matrix-goneb
state: started
enabled: true
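Review bot: The four tasks that carry Matrix credentials — `Connexion de l'utilisateur Matrix` (password in the `uri` body), `Récupération des infos de connexion` (the session file, registered into `_alertmanager_matrix_session_encoded`), `Définition du token et device de l'utilisateur Matrix` and `Vérification de la connexion` (bearer token in `headers`) — have no `no_log: true`, so a module failure or a `-v` run prints the password and the access token in module arguments and registered results. Add `no_log: true` to each of them. Separately, `version: master` together with `update: true` in `Récupération du dépôt git de matrix-goneb` re-checks out and, via the `when: … is changed` guard, rebuilds whatever is at the upstream tip on each run; pin `version:` to a tag or commit hash so the deployed binary is reproducible and a change upstream is a deliberate bump in this repository.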
......@@ -52,3 +52,7 @@ receivers:
- name: default-receiver
email_configs:
- to: {{ alertmanager_smtp_to }}
send_resolved: true
webhook_configs:
- url: {{ alertmanager_matrix_webhook_url }}
send_resolved: true
{{ ansible_managed | comment }}
# Go-NEB Configuration File
#
# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs.
#
# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`.
# It will force Go-NEB to operate in "config" mode. This means:
# - Go-NEB will ONLY use the data contained inside this file.
# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime.
# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead.
clients:
- UserID: "@{{ alertmanager_matrix_username }}:{{ alertmanager_matrix_host }}"
AccessToken: "{{ alertmanager_matrix_token }}"
DeviceID: "{{ alertmanager_matrix_device }}"
HomeserverURL: "https://{{ alertmanager_matrix_host }}"
Sync: true
AutoJoinRooms: true
DisplayName: "Neutrinet Alert"
AcceptVerificationFromUsers: [":{{ alertmanager_matrix_host }}"]
services:
- ID: "echo"
Type: "echo"
UserID: "@{{ alertmanager_matrix_username }}:{{ alertmanager_matrix_host }}"
Config: {}
- ID: "{{ alertmanager_matrix_service }}"
Type: "alertmanager"
UserID: "@{{ alertmanager_matrix_username }}:{{ alertmanager_matrix_host }}"
Config:
# This is for information purposes only. It should point to Go-NEB path as follows:
# `/services/hooks/<base64 encoded service ID>`
# Where in this case "service ID" is "alertmanager_service"
# Make sure your BASE_URL can be accessed by the Alertmanager instance!
webhook_url: {{ alertmanager_matrix_webhook_url }}
# Each room will get the notification with the alert rendered with the given template
rooms:
"{{ alertmanager_matrix_room }}":
{% raw %}
text_template: >-
{{ range .Alerts -}}
{{ if eq .Status "firing" -}}
{{ $severity := index .Labels "severity" }}
{{- if eq $severity "critical" -}}
[🔥 CRITICAL]
{{- else if eq $severity "warning" -}}
[⚠️ WARNING]
{{- else -}}
[🔔️ {{ $severity }}]
{{- end -}}
{{ else -}}
[✅ RESOLVED]
{{- end }} {{ index .Labels "alertname" }}: {{ index .Annotations "description" }}
{{- end }}
html_template: >-
{{ range .Alerts -}}
{{ if eq .Status "firing" -}}
{{ $severity := index .Labels "severity" }}
{{- if eq $severity "critical" -}}
<font color='#dc3545'><b>[🔥 CRITICAL]</b></font>
{{- else if eq $severity "warning" -}}
<font color='#ffc107'><b>[⚠️ WARNING]</b></font>
{{- else -}}
<b>[🔔️ {{ $severity }}]</b>
{{- end -}}
{{ else -}}
<font color='#33cc33'><b>[✅ RESOLVED]</b></font>
{{- end }} <a href="{{ .GeneratorURL }}">{{ index .Labels "alertname" }}</a> ({{ index .Labels "job" }})<br/>
{{- index .Annotations "description" }}
{{- end }}
{% endraw %}
msg_type: "m.text" # Must be either `m.text` or `m.notice`
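Review bot: `AutoJoinRooms: true` combined with the enabled `echo` service widens the bot's exposure: with auto-join, any Matrix user who can invite the bot pulls it into a room of their choosing, and if the `echo` service type behaves like upstream Go-NEB's sample echo service it will answer commands from anyone in those rooms. Unless the `echo` service is needed for debugging, drop the `- ID: "echo"` entry, and consider setting `AutoJoinRooms: false` once the bot is a member of `alertmanager_matrix_room` (if the join must stay automatic, document why). Minor: `webhook_url: {{ alertmanager_matrix_webhook_url }}` is the one templated scalar in this file left unquoted; `webhook_url: "{{ alertmanager_matrix_webhook_url }}"` matches the rest of the file.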
alertmanager_matrix_webhook_url: http://localhost:4050/services/hooks/{{ alertmanager_matrix_service | b64encode | trim('=') }}
go_version: "1.17.5"
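Review bot: `trim('=')` relies on the `chars` argument of Jinja's `trim` filter, which was added in Jinja 2.11; on a control node with an older Jinja the filter takes no argument and rendering fails, so either note the minimum version in the role README or strip the padding with `regex_replace('=+$', '')`, which works on all versions. Also note that the resulting hook path is derived from `alertmanager_matrix_service`, a value now public in this repository, so the only control on who can post into the alert room is the `localhost:4050` bind in the unit file; a comment saying so next to this variable would keep a future "expose 4050 behind a proxy" change from silently removing that control.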
*********************************
Vagrant driver installation guide
*********************************
Requirements
============
* Vagrant
* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule_vagrant'
---
- name: Converge
hosts: all
become: true
roles:
- go
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: virtualbox
platforms:
- name: buster-go-molecule
box: debian/buster64
cpu: 2
memory: 512
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: /usr/bin/python3
ssh_connection:
pipelining: true
verifier:
name: ansible
---
- name: Prepare
hosts: all
become: true
pre_tasks:
- name: Mise à jour du cache APT
apt:
update_cache: true
cache_valid_time: 3600
- name: Création du dossier d'installation de Go v{{ go_version }}
file:
path: /opt/go/{{ go_version }}
owner: root
group: root
mode: "u=rwx,go=rx"
state: directory
- name: Téléchargement de la checksum de Go v{{ go_version }}
uri:
url: https://dl.google.com/go/go{{ go_version }}.linux-amd64.tar.gz.sha256
return_content: true
register: go_checksum
- name: Téléchargement de l'archive de Go v{{ go_version }}
get_url:
url: https://dl.google.com/go/go{{ go_version }}.linux-amd64.tar.gz
checksum: sha256:{{ go_checksum.content }}
dest: /usr/local/src/go{{ go_version }}.tar.gz
mode: "u=rw,go=r"
owner: root
group: root
- name: Décompression de l'archive
unarchive:
src: /usr/local/src/go{{ go_version }}.tar.gz
dest: /opt/go/{{ go_version }}
remote_src: true
creates: /opt/go/{{ go_version }}/bin/go
extra_opts:
- --strip-components=1
owner: root
group: root
- name: Création du lien symbolique pour le binaire go{{ go_version }}
file:
src: /opt/go/{{ go_version }}/bin/go
dest: /usr/local/bin/go{{ go_version }}
state: link
owner: root
group: root
mode: "u=rwx,go=rx"
- name: Installaiton des outils de compilation
package:
name: build-essential
state: present
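Review bot: `Téléchargement de la checksum de Go` fetches the `.sha256` file from the same origin as the archive and feeds it straight into `checksum: sha256:{{ go_checksum.content }}`, so the check only confirms the two downloads agree with each other; it does not pin which Go you expect. Record the expected digest next to the version (e.g. a `go_checksum_sha256` variable set alongside `go_version`, value taken from the release page at bump time) and use that in `checksum:`, which also removes one network round-trip and the dependence on the exact whitespace of the fetched file. Minor: the last task's name has a typo, `Installaiton des outils de compilation` → `Installation des outils de compilation`. `go_version` has no default visible in this commit; if the role has no `defaults/main.yml`, a caller that omits it fails at the first task.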