smartmachine 1.2.3 → 1.3.0

Files changed (62)
  1. checksums.yaml +4 -4
  2. data/lib/smart_machine/commands/grid.rb +8 -0
  3. data/lib/smart_machine/commands/grid_commands/emailer.rb +107 -0
  4. data/lib/smart_machine/commands/grid_commands/roundcube.rb +65 -0
  5. data/lib/smart_machine/configuration.rb +35 -2
  6. data/lib/smart_machine/credentials.rb +10 -0
  7. data/lib/smart_machine/engine.rb +6 -0
  8. data/lib/smart_machine/grids/adminer.rb +1 -0
  9. data/lib/smart_machine/grids/certbot.rb +1 -0
  10. data/lib/smart_machine/grids/emailer/.keep +0 -0
  11. data/lib/smart_machine/grids/emailer.rb +188 -0
  12. data/lib/smart_machine/grids/haproxy.rb +1 -0
  13. data/lib/smart_machine/grids/mariadb.rb +1 -0
  14. data/lib/smart_machine/grids/postgresql.rb +1 -0
  15. data/lib/smart_machine/grids/roundcube.rb +114 -0
  16. data/lib/smart_machine/machine.rb +7 -0
  17. data/lib/smart_machine/syncer.rb +10 -0
  18. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/docker/command.rb +50 -0
  19. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/docker/entrypoint.rb +196 -0
  20. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/docker/logtailer.rb +75 -0
  21. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/10-auth.conf +132 -0
  22. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/10-mail.conf +427 -0
  23. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/10-master.conf +153 -0
  24. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/10-ssl.conf +87 -0
  25. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/15-mailboxes.conf +94 -0
  26. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/20-imap.conf +102 -0
  27. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/20-lmtp.conf +43 -0
  28. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/90-quota.conf +114 -0
  29. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/90-sieve.conf +229 -0
  30. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/dovecot-sql.conf.ext +163 -0
  31. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sh +2 -0
  32. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sieve +5 -0
  33. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sh +2 -0
  34. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sieve +2 -0
  35. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve-after/spam-to-folder.sieve +6 -0
  36. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/haproxy/haproxy.cfg +58 -0
  37. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/conf.d/services.cfg +70 -0
  38. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/monitrc +344 -0
  39. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/opendkim.conf +71 -0
  40. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/main.cf +123 -0
  41. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/master.cf +149 -0
  42. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-sender-login-maps.cf +7 -0
  43. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-alias-domains.cf +7 -0
  44. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-alias-maps-domains.cf +7 -0
  45. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-alias-maps-masters.cf +7 -0
  46. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-alias-maps-users.cf +7 -0
  47. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-alias-maps-userstothemselves.cf +7 -0
  48. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-mailbox-domains.cf +7 -0
  49. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix/mysql-virtual-mailbox-maps.cf +7 -0
  50. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/postfix-policyd-spf-python/policyd-spf.conf +12 -0
  51. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/spamassassin/local.cf +124 -0
  52. data/lib/smart_machine/templates/dotsmartmachine/config/emailer/usr/local/bin/quota-warning.sh +22 -0
  53. data/lib/smart_machine/templates/dotsmartmachine/config/emailer.yml +37 -0
  54. data/lib/smart_machine/templates/dotsmartmachine/config/engine.yml +2 -0
  55. data/lib/smart_machine/templates/dotsmartmachine/config/roundcube/etc/apache2/sites-available/000-default.conf +35 -0
  56. data/lib/smart_machine/templates/dotsmartmachine/config/roundcube/usr/local/etc/php/conf.d/zzz_roundcube-custom.ini +4 -0
  57. data/lib/smart_machine/templates/dotsmartmachine/config/roundcube/var/roundcube/config/config.custom.inc.php +25 -0
  58. data/lib/smart_machine/templates/dotsmartmachine/config/roundcube.yml +41 -0
  59. data/lib/smart_machine/templates/dotsmartmachine/config/users.yml +1 -1
  60. data/lib/smart_machine/version.rb +2 -2
  61. data/lib/smart_machine.rb +2 -0
  62. metadata +55 -4
@@ -0,0 +1,163 @@
1
+ # This file is commonly accessed via passdb {} or userdb {} section in
2
+ # conf.d/auth-sql.conf.ext
3
+
4
+ # This file is opened as root, so it should be owned by root and mode 0600.
5
+ #
6
+ # http://wiki2.dovecot.org/AuthDatabase/SQL
7
+ #
8
+ # For the sql passdb module, you'll need a database with a table that
9
+ # contains fields for at least the username and password. If you want to
10
+ # use the user@domain syntax, you might want to have a separate domain
11
+ # field as well.
12
+ #
13
+ # If your users all have the same uig/gid, and have predictable home
14
+ # directories, you can use the static userdb module to generate the home
15
+ # dir based on the username and domain. In this case, you won't need fields
16
+ # for home, uid, or gid in the database.
17
+ #
18
+ # If you prefer to use the sql userdb module, you'll want to add fields
19
+ # for home, uid, and gid. Here is an example table:
20
+ #
21
+ # CREATE TABLE users (
22
+ # username VARCHAR(128) NOT NULL,
23
+ # domain VARCHAR(128) NOT NULL,
24
+ # password VARCHAR(64) NOT NULL,
25
+ # home VARCHAR(255) NOT NULL,
26
+ # uid INTEGER NOT NULL,
27
+ # gid INTEGER NOT NULL,
28
+ # active CHAR(1) DEFAULT 'Y' NOT NULL
29
+ # );
30
+
31
+ # Database driver: mysql, pgsql, sqlite
32
+ #driver =
33
+ ##### SmartMachine Begin.
34
+ driver = mysql
35
+ ##### SmartMachine Close.
36
+
37
+ # Database connection string. This is driver-specific setting.
38
+ #
39
+ # HA / round-robin load-balancing is supported by giving multiple host
40
+ # settings, like: host=sql1.host.org host=sql2.host.org
41
+ #
42
+ # pgsql:
43
+ # For available options, see the PostgreSQL documentation for the
44
+ # PQconnectdb function of libpq.
45
+ # Use maxconns=n (default 5) to change how many connections Dovecot can
46
+ # create to pgsql.
47
+ #
48
+ # mysql:
49
+ # Basic options emulate PostgreSQL option names:
50
+ # host, port, user, password, dbname
51
+ #
52
+ # But also adds some new settings:
53
+ # client_flags - See MySQL manual
54
+ # connect_timeout - Connect timeout in seconds (default: 5)
55
+ # read_timeout - Read timeout in seconds (default: 30)
56
+ # write_timeout - Write timeout in seconds (default: 30)
57
+ # ssl_ca, ssl_ca_path - Set either one or both to enable SSL
58
+ # ssl_cert, ssl_key - For sending client-side certificates to server
59
+ # ssl_cipher - Set minimum allowed cipher security (default: HIGH)
60
+ # ssl_verify_server_cert - Verify that the name in the server SSL certificate
61
+ # matches the host (default: no)
62
+ # option_file - Read options from the given file instead of
63
+ # the default my.cnf location
64
+ # option_group - Read options from the given group (default: client)
65
+ #
66
+ # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
67
+ # Note that currently you can't use spaces in parameters.
68
+ #
69
+ # sqlite:
70
+ # The path to the database file.
71
+ #
72
+ # Examples:
73
+ # connect = host=192.168.1.1 dbname=users
74
+ # connect = host=sql.example.com dbname=virtual user=virtual password=blarg
75
+ # connect = /etc/dovecot/authdb.sqlite
76
+ #
77
+ #connect =
78
+ ##### SmartMachine Begin.
79
+ connect = host=%<mysql_host>s port=%<mysql_port>s dbname=%<mysql_database_name>s user=%<mysql_user>s password=%<mysql_password>s
80
+ ##### SmartMachine Close.
81
+
82
+ # Default password scheme.
83
+ #
84
+ # List of supported schemes is in
85
+ # http://wiki2.dovecot.org/Authentication/PasswordSchemes
86
+ #
87
+ #default_pass_scheme = MD5
88
+
89
+ # passdb query to retrieve the password. It can return fields:
90
+ # password - The user's password. This field must be returned.
91
+ # user - user@domain from the database. Needed with case-insensitive lookups.
92
+ # username and domain - An alternative way to represent the "user" field.
93
+ #
94
+ # The "user" field is often necessary with case-insensitive lookups to avoid
95
+ # e.g. "name" and "nAme" logins creating two different mail directories. If
96
+ # your user and domain names are in separate fields, you can return "username"
97
+ # and "domain" fields instead of "user".
98
+ #
99
+ # The query can also return other fields which have a special meaning, see
100
+ # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
101
+ #
102
+ # Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
103
+ # for full list):
104
+ # %u = entire user@domain
105
+ # %n = user part of user@domain
106
+ # %d = domain part of user@domain
107
+ #
108
+ # Note that these can be used only as input to SQL query. If the query outputs
109
+ # any of these substitutions, they're not touched. Otherwise it would be
110
+ # difficult to have eg. usernames containing '%' characters.
111
+ #
112
+ # Example:
113
+ # password_query = SELECT userid AS user, pw AS password \
114
+ # FROM users WHERE userid = '%u' AND active = 'Y'
115
+ #
116
+ #password_query = \
117
+ # SELECT username, domain, password \
118
+ # FROM users WHERE username = '%n' AND domain = '%d'
119
+ ##### SmartMachine Begin.
120
+ password_query = SELECT password FROM virtual_users WHERE email='%u'
121
+ ##### SmartMachine Close.
122
+
123
+ # userdb query to retrieve the user information. It can return fields:
124
+ # uid - System UID (overrides mail_uid setting)
125
+ # gid - System GID (overrides mail_gid setting)
126
+ # home - Home directory
127
+ # mail - Mail location (overrides mail_location setting)
128
+ #
129
+ # None of these are strictly required. If you use a single UID and GID, and
130
+ # home or mail directory fits to a template string, you could use userdb static
131
+ # instead. For a list of all fields that can be returned, see
132
+ # http://wiki2.dovecot.org/UserDatabase/ExtraFields
133
+ #
134
+ # Examples:
135
+ # user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
136
+ # user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
137
+ # user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
138
+ #
139
+ #user_query = \
140
+ # SELECT home, uid, gid \
141
+ # FROM users WHERE username = '%n' AND domain = '%d'
142
+ ##### SmartMachine Begin.
143
+ user_query = SELECT email as user, \
144
+ concat('*:bytes=', quota_bytes) AS quota_rule, \
145
+ '/var/vmail/%d/%n' AS home, \
146
+ 5000 AS uid, 5000 AS gid \
147
+ FROM virtual_users WHERE email='%u'
148
+ ##### SmartMachine Close.
149
+
150
+ # If you wish to avoid two SQL lookups (passdb + userdb), you can use
151
+ # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
152
+ # also have to return userdb fields in password_query prefixed with "userdb_"
153
+ # string. For example:
154
+ #password_query = \
155
+ # SELECT userid AS user, password, \
156
+ # home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
157
+ # FROM users WHERE userid = '%u'
158
+
159
+ # Query to get a list of all usernames.
160
+ #iterate_query = SELECT username AS user FROM users
161
+ ##### SmartMachine Begin.
162
+ iterate_query = SELECT email AS user FROM virtual_users
163
+ ##### SmartMachine Close.
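Review bot: The `connect =` line at hunk line 79 now carries the MariaDB password in clear text, and the file's own header at line 4 requires the file to be root-owned with mode 0600; nothing in this hunk shows how the rendered file's ownership and permissions are set, so the template writer elsewhere in this change should be confirmed to create it 0600 rather than with the process umask. The hunk also leaves `#default_pass_scheme = MD5` commented out while `password_query` at line 120 returns a bare `password` column, so the scheme applied to stored values is Dovecot's default unless each value carries a `{SCHEME}` prefix; whether the provisioning code prefixes them cannot be seen from this diff. Stating the scheme that provisioning actually uses, e.g. `default_pass_scheme = SHA512-CRYPT`, would make the contract with the `virtual_users` table visible in this file.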
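--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sh
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/sa-learn --ham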
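Review bot: `exec /usr/bin/sa-learn --ham` at line 2 names no `--dbpath`, so the Bayes database it updates is the one belonging to whichever user Dovecot's sieve pipe runs as, while `services.cfg` in this same change starts `spamd` with `--username spamd --helper-home-dir /home/spamd/`. Unless the pipe user is also `spamd`, or `local.cf` sets a shared `bayes_path` (neither file is in view), the learned tokens land in a database spamd never reads and the training has no effect. Pointing both at one location, e.g. `exec /usr/bin/sa-learn --dbpath /home/spamd/.spamassassin/bayes --ham` (constructed path; it must be writable by the pipe user), keeps them in step; `learn-spam.sh` has the same gap.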
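--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sieve
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sieve
@@ -0,0 +1,5 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables"];
+if string "${mailbox}" "Trash" {
+stop;
+}
+pipe :copy "learn-ham.sh";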
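Review bot: The `string "${mailbox}" "Trash"` test at line 2 can never match, because nothing in this script assigns `mailbox`: the `environment` extension is not required and there is no `set` from `imap.mailbox`, so under the `variables` extension the reference expands to the empty string and every copy out of Junk — including moves to Trash — is piped to `learn-ham.sh` as ham. Add `"environment"` to the `require` list and, before the test, `if environment :matches "imap.mailbox" "*" { set "mailbox" "${1}"; }`. Which mailbox events reach this script depends on the `imapsieve_mailbox*` rules in `90-sieve.conf`, which is part of this change but not in view.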
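--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sh
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/sa-learn --spam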
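--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sieve
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sieve
@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy "learn-spam.sh";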
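--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve-after/spam-to-folder.sieve
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve-after/spam-to-folder.sieve
@@ -0,0 +1,6 @@
+require ["fileinto"];
+
+if header :contains "X-Spam-Flag" "YES" {
+fileinto "Junk";
+stop;
+}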
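Review bot: `header :contains "X-Spam-Flag" "YES"` at line 3 trusts a header that any sender can include in the original message, so the rule is only as reliable as the guarantee that every inbound path passes through the local spamd and that pre-existing `X-Spam-*` headers are replaced before delivery; the Postfix `master.cf`/`main.cf` and `local.cf` that would establish this are in this change but not in view. If some delivery path bypasses the filter, a message is filed by whatever flag it arrived with rather than by its content. A one-line comment above the rule naming that assumption would help the next maintainer, e.g. `# relies on spamd having rewritten X-Spam-* on every inbound path`.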
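--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/haproxy/haproxy.cfg
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/haproxy/haproxy.cfg
@@ -0,0 +1,58 @@
+global
+log /dev/log local0
+log /dev/log local1 notice
+chroot /var/lib/haproxy
+stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+stats timeout 30s
+user haproxy
+group haproxy
+daemon
+
+# Default SSL material locations
+ca-base /etc/ssl/certs
+crt-base /etc/ssl/private
+
+# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+log global
+mode http
+option httplog
+option dontlognull
+timeout connect 5000
+timeout client 50000
+timeout server 50000
+errorfile 400 /etc/haproxy/errors/400.http
+errorfile 403 /etc/haproxy/errors/403.http
+errorfile 408 /etc/haproxy/errors/408.http
+errorfile 500 /etc/haproxy/errors/500.http
+errorfile 502 /etc/haproxy/errors/502.http
+errorfile 503 /etc/haproxy/errors/503.http
+errorfile 504 /etc/haproxy/errors/504.http
+
+##### SmartMachine Begin.
+frontend myfrontend
+bind :80
+acl oracle_ips_listed str("%<oracle_ips_allowed>s") -m len gt 0
+acl oracle_ip_allowed req.hdr(X-Real-IP) -m ip %<oracle_ips_allowed>s
+http-request redirect code 302 location %<oracle_deflect_url>s unless oracle_ips_listed oracle_ip_allowed
+http-request redirect code 302 location /oracle/monit/ if { path /oracle/monit }
+use_backend monitbackend if { path_beg -i /oracle/monit/ }
+stats enable
+stats uri /oracle/haproxy
+stats refresh 30s
+stats admin if oracle_ips_listed oracle_ip_allowed
+
+backend monitbackend
+balance roundrobin
+option forwardfor
+http-request add-header X-Forwarded-Proto https if { ssl_fc }
+http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+http-request set-header X-Forwarded-Port %[dst_port]
+http-request replace-path /oracle/monit(/)?(.*) /\2
+option httpchk GET /
+server s1 127.0.0.1:2812 check
+##### SmartMachine Close.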
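Review bot: The only gate in front of `stats admin` and the `monitbackend` proxy (lines 40–47) is `req.hdr(X-Real-IP) -m ip`, a header the client supplies; it is trustworthy only if nothing can reach `bind :80` except the upstream proxy that overwrites `X-Real-IP`, and this file does not establish that (the grid-level HAProxy config is another file of this change). Restricting `bind` to the address the fronting proxy connects from, or matching on `src` when clients reach this frontend directly, ties the allow-list to the connection rather than to a header. Note also that `acl oracle_ip_allowed ... -m ip %<oracle_ips_allowed>s` renders with no pattern when the list is empty; whether HAProxy accepts that ACL at parse time should be checked, since `oracle_ips_listed` is evaluated only per request and cannot rescue a config that fails to load. The stats page has `stats enable` without `stats auth`, so it inherits the same header-only protection.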
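--- a/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/conf.d/services.cfg
+++ b/data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/conf.d/services.cfg
@@ -0,0 +1,70 @@
+# system
+check system $HOST
+if loadavg (5min) > 3 then alert
+if loadavg (15min) > 1 then alert
+if memory usage > 90% for 4 cycles then alert
+if swap usage > 60% for 4 cycles then alert
+# Test the user part of CPU usage
+if cpu usage (user) > 80% for 2 cycles then alert
+# Test the system part of CPU usage
+if cpu usage (system) > 20% for 2 cycles then alert
+# Test the i/o wait part of CPU usage
+if cpu usage (wait) > 80% for 2 cycles then alert
+# Test CPU usage including user, system and wait. Note that
+# multi-core systems can generate 100% per core
+# so total CPU usage can be more than 100%
+if cpu usage > 200% for 4 cycles then alert
+
+# rsyslog
+check process rsyslog with pidfile /run/rsyslogd.pid
+start program = "/usr/sbin/service rsyslog start"
+stop program = "/usr/sbin/service rsyslog stop"
+
+# rsyslog.syslog
+check file rsyslog.syslog with path /var/log/syslog
+if timestamp > 65 minutes then alert
+
+# haproxy
+check process haproxy with pidfile /run/tmpfs/haproxy.pid
+start program = "/usr/sbin/haproxy -W -f /etc/haproxy/haproxy.cfg -p /run/tmpfs/haproxy.pid -S /run/haproxy-master.sock"
+stop program = "/bin/bash -c '/bin/kill --signal SIGUSR1 `cat /run/tmpfs/haproxy.pid`'"
+
+# spamassassin
+check process spamassassin with pidfile /home/spamd/spamd.pid
+start program = "/usr/sbin/spamd -d --pidfile=/home/spamd/spamd.pid --create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"
+stop program = "/bin/bash -c '/bin/kill --signal SIGTERM `cat /home/spamd/spamd.pid`'"
+if cpu usage > 99% for 5 cycles then alert
+if mem usage > 99% for 5 cycles then alert
+
+# spamassassin.update
+check program spamassassin.update with path "/bin/bash -c '/usr/bin/sa-update && /bin/kill --signal SIGHUP `cat /home/spamd/spamd.pid`'"
+every "0-15 12-1 * * *"
+if changed status then alert
+
+# opendkim
+check process opendkim with pidfile /var/run/opendkim/opendkim.pid
+start program = "/usr/sbin/opendkim"
+stop program = "/bin/bash -c '/bin/kill --signal SIGTERM `cat /var/run/opendkim/opendkim.pid`'"
+
+# postfix
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+start program = "/bin/bash -c '/usr/lib/postfix/configure-instance.sh - && /usr/sbin/postmulti -i - -p start'"
+stop program = "/usr/sbin/postmulti -i - -p stop"
+if failed port 25 protocol smtp then restart
+
+# dovecot
+check process dovecot with pidfile /run/dovecot/master.pid
+start program = "/usr/sbin/dovecot"
+stop program = "/usr/bin/doveadm stop"
+if failed host %<fqdn>s port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+
+# certbot
+check file certbot.fullchain with path /etc/letsencrypt/live/%<fqdn>s/fullchain.pem
+if changed checksum then exec "/bin/bash -c '/usr/sbin/postfix reload && /usr/sbin/dovecot reload'"
+check file certbot.key with path /etc/letsencrypt/live/%<fqdn>s/key.pem
+if changed checksum then exec "/bin/bash -c '/usr/sbin/postfix reload && /usr/sbin/dovecot reload'"
+
+# monit
+check process monit with pidfile /var/run/tmpfs/monit.pid
+start program = "/usr/bin/monit"
+stop program = "/usr/bin/monit quit"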
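Review bot: `check file certbot.key with path /etc/letsencrypt/live/%<fqdn>s/key.pem` at line 64 points at a file certbot does not create — its live directory holds `privkey.pem` next to `fullchain.pem` — so unless the certbot grid in this change renames the key, monit reports this check as a missing file on every cycle and the reload it is meant to trigger never fires. Changing it to `/etc/letsencrypt/live/%<fqdn>s/privkey.pem` matches the `fullchain.pem` check two lines above. The `every "0-15 12-1 * * *"` schedule at line 41 uses a wrapping hour range; read as a plain `from-to` comparison it matches no hour, so it is worth confirming against monit's cron parser that `sa-update` actually runs. Separately, `if failed host %<fqdn>s port 993 type tcpssl sslauto protocol imap` at line 59 runs with the global `set ssl` block left commented in monitrc, so the probe accepts any certificate; fine as a liveness check, but it does not verify the served certificate.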
@@ -0,0 +1,344 @@
1
+ ###############################################################################
2
+ ## Monit control file
3
+ ###############################################################################
4
+ ##
5
+ ## Comments begin with a '#' and extend through the end of the line. Keywords
6
+ ## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
7
+ ##
8
+ ## Below you will find examples of some frequently used statements. For
9
+ ## information about the control file and a complete list of statements and
10
+ ## options, please have a look in the Monit manual.
11
+ ##
12
+ ##
13
+ ###############################################################################
14
+ ## Global section
15
+ ###############################################################################
16
+ ##
17
+ ## Start Monit in the background (run as a daemon):
18
+ #
19
+ set daemon 120 # check services at 2-minute intervals
20
+ # with start delay 240 # optional: delay the first check by 4-minutes (by
21
+ # # default Monit check immediately after Monit start)
22
+ #
23
+ #
24
+ ## Set syslog logging. If you want to log to a standalone log file instead,
25
+ ## specify the full path to the log file
26
+ #
27
+ set log /var/log/monit.log
28
+
29
+ #
30
+ #
31
+ ## Set the location of the Monit lock file which stores the process id of the
32
+ ## running Monit instance. By default this file is stored in $HOME/.monit.pid
33
+ #
34
+ # set pidfile /var/run/monit.pid
35
+ ##### SmartMachine Begin.
36
+ set pidfile /run/tmpfs/monit.pid
37
+ ##### SmartMachine Close.
38
+ #
39
+ ## Set the location of the Monit id file which stores the unique id for the
40
+ ## Monit instance. The id is generated and stored on first Monit start. By
41
+ ## default the file is placed in $HOME/.monit.id.
42
+ #
43
+ # set idfile /var/.monit.id
44
+ set idfile /var/lib/monit/id
45
+ #
46
+ ## Set the location of the Monit state file which saves monitoring states
47
+ ## on each cycle. By default the file is placed in $HOME/.monit.state. If
48
+ ## the state file is stored on a persistent filesystem, Monit will recover
49
+ ## the monitoring state across reboots. If it is on temporary filesystem, the
50
+ ## state will be lost on reboot which may be convenient in some situations.
51
+ #
52
+ set statefile /var/lib/monit/state
53
+ #
54
+ #
55
+
56
+ ## Set limits for various tests. The following example shows the default values:
57
+ ##
58
+ # set limits {
59
+ # programOutput: 512 B, # check program's output truncate limit
60
+ # sendExpectBuffer: 256 B, # limit for send/expect protocol test
61
+ # fileContentBuffer: 512 B, # limit for file content test
62
+ # httpContentBuffer: 1 MB, # limit for HTTP content test
63
+ # networkTimeout: 5 seconds # timeout for network I/O
64
+ # programTimeout: 300 seconds # timeout for check program
65
+ # stopTimeout: 30 seconds # timeout for service stop
66
+ # startTimeout: 30 seconds # timeout for service start
67
+ # restartTimeout: 30 seconds # timeout for service restart
68
+ # }
69
+
70
+ ## Set global SSL options (just most common options showed, see manual for
71
+ ## full list).
72
+ #
73
+ # set ssl {
74
+ # verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
75
+ # selfsigned : allow # allow self signed SSL certificates (reject by default)
76
+ # }
77
+ #
78
+ #
79
+ ## Set the list of mail servers for alert delivery. Multiple servers may be
80
+ ## specified using a comma separator. If the first mail server fails, Monit
81
+ # will use the second mail server in the list and so on. By default Monit uses
82
+ # port 25 - it is possible to override this with the PORT option.
83
+ #
84
+ # set mailserver mail.bar.baz, # primary mailserver
85
+ # backup.bar.baz port 10025, # backup mailserver on port 10025
86
+ # localhost # fallback relay
87
+ ##### SmartMachine Begin.
88
+ set mailserver %<monit_smtp_host>s port %<monit_smtp_port>s username "%<monit_smtp_username>s" password "%<monit_smtp_password>s" using SSL using HOSTNAME %<container_name>s.%<fqdn>s
89
+ ##### SmartMachine Close.
90
+ #
91
+ #
92
+ ## By default Monit will drop alert events if no mail servers are available.
93
+ ## If you want to keep the alerts for later delivery retry, you can use the
94
+ ## EVENTQUEUE statement. The base directory where undelivered alerts will be
95
+ ## stored is specified by the BASEDIR option. You can limit the queue size
96
+ ## by using the SLOTS option (if omitted, the queue is limited by space
97
+ ## available in the back end filesystem).
98
+ #
99
+ set eventqueue
100
+ basedir /var/lib/monit/events # set the base directory where events will be stored
101
+ slots 100 # optionally limit the queue size
102
+ #
103
+ #
104
+ ## Send status and events to M/Monit (for more information about M/Monit
105
+ ## see https://mmonit.com/). By default Monit registers credentials with
106
+ ## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
107
+ ## have to register Monit credentials manually in M/Monit. It is possible to
108
+ ## disable credential registration using the commented out option below.
109
+ ## Though, if safety is a concern we recommend instead using https when
110
+ ## communicating with M/Monit and send credentials encrypted. The password
111
+ ## should be URL encoded if it contains URL-significant characters like
112
+ ## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
113
+ ## adding the timeout option.
114
+ #
115
+ # set mmonit http://monit:monit@192.168.1.10:8080/collector
116
+ # # with timeout 30 seconds # Default timeout is 5 seconds
117
+ # # and register without credentials # Don't register credentials
118
+ #
119
+ #
120
+ ## Monit by default uses the following format for alerts if the mail-format
121
+ ## statement is missing::
122
+ ## --8<--
123
+ ## set mail-format {
124
+ ## from: Monit <monit@$HOST>
125
+ ## subject: monit alert -- $EVENT $SERVICE
126
+ ## message: $EVENT Service $SERVICE
127
+ ## Date: $DATE
128
+ ## Action: $ACTION
129
+ ## Host: $HOST
130
+ ## Description: $DESCRIPTION
131
+ ##
132
+ ## Your faithful employee,
133
+ ## Monit
134
+ ## }
135
+ ## --8<--
136
+ ##
137
+ ## You can override this message format or parts of it, such as subject
138
+ ## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
139
+ ## are expanded at runtime. For example, to override the sender, use:
140
+ #
141
+ # set mail-format { from: monit@foo.bar }
142
+ ##### SmartMachine Begin.
143
+ set mail-format {
144
+ from: %<monit_smtp_email_name>s <%<monit_smtp_email_address>s>
145
+ subject: Monit | $SERVICE | $EVENT
146
+ message:
147
+ While monitoring the system, I observed a change and have performed the actions you had asked.
148
+
149
+ Date: $DATE
150
+ Timezone: %<timezone>s
151
+ Host: $HOST
152
+ FQDN: %<fqdn>s
153
+ Container: %<container_name>s
154
+ Service: $SERVICE
155
+ Event: $EVENT
156
+ Action: $ACTION
157
+ Description: $DESCRIPTION
158
+
159
+ Please check if you need to do something about it further.
160
+
161
+ Your Faithful Employee,
162
+ Monit
163
+ }
164
+ ##### SmartMachine Close.
165
+ #
166
+ #
167
+ ## You can set alert recipients whom will receive alerts if/when a
168
+ ## service defined in this file has errors. Alerts may be restricted on
169
+ ## events by using a filter as in the second example below.
170
+ #
171
+ # set alert sysadm@foo.bar # receive all alerts
172
+ ##### SmartMachine Begin.
173
+ set alert %<sysadmin_email>s
174
+ ##### SmartMachine Close.
175
+ #
176
+ ## Do not alert when Monit starts, stops or performs a user initiated action.
177
+ ## This filter is recommended to avoid getting alerts for trivial cases.
178
+ #
179
+ # set alert your-name@your.domain not on { instance, action }
180
+ #
181
+ #
182
+ ## Monit has an embedded HTTP interface which can be used to view status of
183
+ ## services monitored and manage services from a web interface. The HTTP
184
+ ## interface is also required if you want to issue Monit commands from the
185
+ ## command line, such as 'monit status' or 'monit restart service' The reason
186
+ ## for this is that the Monit client uses the HTTP interface to send these
187
+ ## commands to a running Monit daemon. See the Monit Wiki if you want to
188
+ ## enable SSL for the HTTP interface.
189
+ #
190
+ # set httpd port 2812 and
191
+ # use address localhost # only accept connection from localhost (drop if you use M/Monit)
192
+ # allow localhost # allow localhost to connect to the server and
193
+ # allow admin:monit # require user 'admin' with password 'monit'
194
+ # #with ssl { # enable SSL/TLS and set path to server certificate
195
+ # # pemfile: /etc/ssl/certs/monit.pem
196
+ # #}
197
+ ##### SmartMachine Begin.
198
+ set httpd port 2812 and
199
+ use address localhost
200
+ allow localhost
201
+ ##### SmartMachine Close.
202
+
203
+ ###############################################################################
204
+ ## Services
205
+ ###############################################################################
206
+ ##
207
+ ## Check general system resources such as load average, cpu and memory
208
+ ## usage. Each test specifies a resource, conditions and the action to be
209
+ ## performed should a test fail.
210
+ #
211
+ # check system $HOST
212
+ # if loadavg (1min) per core > 2 for 5 cycles then alert
213
+ # if loadavg (5min) per core > 1.5 for 10 cycles then alert
214
+ # if cpu usage > 95% for 10 cycles then alert
215
+ # if memory usage > 75% then alert
216
+ # if swap usage > 25% then alert
217
+ #
218
+ #
219
+ ## Check if a file exists, checksum, permissions, uid and gid. In addition
220
+ ## to alert recipients in the global section, customized alert can be sent to
221
+ ## additional recipients by specifying a local alert handler. The service may
222
+ ## be grouped using the GROUP option. More than one group can be specified by
223
+ ## repeating the 'group name' statement.
224
+ #
225
+ # check file apache_bin with path /usr/local/apache/bin/httpd
226
+ # if failed checksum and
227
+ # expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
228
+ # if failed permission 755 then unmonitor
229
+ # if failed uid "root" then unmonitor
230
+ # if failed gid "root" then unmonitor
231
+ # alert security@foo.bar on {
232
+ # checksum, permission, uid, gid, unmonitor
233
+ # } with the mail-format { subject: Alarm! }
234
+ # group server
235
+ #
236
+ #
237
+ ## Check that a process is running, in this case Apache, and that it respond
238
+ ## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
239
+ ## and number of children. If the process is not running, Monit will restart
240
+ ## it by default. In case the service is restarted very often and the
241
+ ## problem remains, it is possible to disable monitoring using the TIMEOUT
242
+ ## statement. This service depends on another service (apache_bin) which
243
+ ## is defined above.
244
+ #
245
+ # check process apache with pidfile /usr/local/apache/logs/httpd.pid
246
+ # start program = "/etc/init.d/httpd start" with timeout 60 seconds
247
+ # stop program = "/etc/init.d/httpd stop"
248
+ # if cpu > 60% for 2 cycles then alert
249
+ # if cpu > 80% for 5 cycles then restart
250
+ # if totalmem > 200.0 MB for 5 cycles then restart
251
+ # if children > 250 then restart
252
+ # if disk read > 500 kb/s for 10 cycles then alert
253
+ # if disk write > 500 kb/s for 10 cycles then alert
254
+ # if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
255
+ # if failed port 443 protocol https with timeout 15 seconds then restart
256
+ # if 3 restarts within 5 cycles then unmonitor
257
+ # depends on apache_bin
258
+ # group server
259
+ #
260
+ #
261
+ ## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
262
+ ## Other services, such as databases, may depend on this resource and an automatically
263
+ ## graceful stop may be cascaded to them before the filesystem will become full and data
264
+ ## lost.
265
+ #
266
+ # check filesystem datafs with path /dev/sdb1
267
+ # start program = "/bin/mount /data"
268
+ # stop program = "/bin/umount /data"
269
+ # if failed permission 660 then unmonitor
270
+ # if failed uid "root" then unmonitor
271
+ # if failed gid "disk" then unmonitor
272
+ # if space usage > 80% for 5 times within 15 cycles then alert
273
+ # if space usage > 99% then stop
274
+ # if inode usage > 30000 then alert
275
+ # if inode usage > 99% then stop
276
+ # if read rate > 1 MB/s for 5 cycles then alert
277
+ # if read rate > 500 operations/s for 5 cycles then alert
278
+ # if write rate > 1 MB/s for 5 cycles then alert
279
+ # if write rate > 500 operations/s for 5 cycles then alert
280
+ # if service time > 10 milliseconds for 3 times within 5 cycles then alert
281
+ # group server
282
+ #
283
+ #
284
+ ## Check a file's timestamp. In this example, we test if a file is older
285
+ ## than 15 minutes and assume something is wrong if its not updated. Also,
286
+ ## if the file size exceed a given limit, execute a script
287
+ #
288
+ # check file database with path /data/mydatabase.db
289
+ # if failed permission 700 then alert
290
+ # if failed uid "data" then alert
291
+ # if failed gid "data" then alert
292
+ # if timestamp > 15 minutes then alert
293
+ # if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
294
+ #
295
+ #
296
+ ## Check directory permission, uid and gid. An event is triggered if the
297
+ ## directory does not belong to the user with uid 0 and gid 0. In addition,
298
+ ## the permissions have to match the octal description of 755 (see chmod(1)).
299
+ #
300
+ # check directory bin with path /bin
301
+ # if failed permission 755 then unmonitor
302
+ # if failed uid 0 then unmonitor
303
+ # if failed gid 0 then unmonitor
304
+ #
305
+ #
306
+ ## Check a remote host availability by issuing a ping test and check the
307
+ ## content of a response from a web server. Up to three pings are sent and
308
+ ## connection to a port and an application level network check is performed.
309
+ #
310
+ # check host myserver with address 192.168.1.1
311
+ # if failed ping then alert
312
+ # if failed port 3306 protocol mysql with timeout 15 seconds then alert
313
+ # if failed port 80 protocol http
314
+ # and request /some/path with content = "a string"
315
+ # then alert
316
+ #
317
+ #
318
+ ## Check a network link status (up/down), link capacity changes, saturation
319
+ ## and bandwidth usage.
320
+ #
321
+ # check network public with interface eth0
322
+ # if failed link then alert
323
+ # if changed link then alert
324
+ # if saturation > 90% then alert
325
+ # if download > 10 MB/s then alert
326
+ # if total uploaded > 1 GB in last hour then alert
327
+ #
328
+ #
329
+ ## Check custom program status output.
330
+ #
331
+ # check program myscript with path /usr/local/bin/myscript.sh
332
+ # if status != 0 then alert
333
+ #
334
+ #
335
+ ###############################################################################
336
+ ## Includes
337
+ ###############################################################################
338
+ ##
339
+ ## It is possible to include additional configuration parts from other files or
340
+ ## directories.
341
+ #
342
+ include /etc/monit/conf.d/*
343
+ include /etc/monit/conf-enabled/*
344
+ #
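Review bot: `set mailserver ... using SSL` at line 88 sends the SMTP credentials over TLS, but the `set ssl { verify : enable }` block at lines 73–76 stays commented out and the hunk's own comment at line 74 says verification is disabled by default, so the session completes against any certificate presented for `%<monit_smtp_host>s`. Uncommenting `set ssl { verify : enable }` (adding `selfsigned : allow` only if the relay actually uses one) makes credential delivery depend on the certificate rather than on DNS alone. The same line embeds that password in monitrc, and monit refuses to start unless the control file is restricted to its owner, so the template writer must create it with mode 0600 — that cannot be confirmed from this hunk. Finally, `set httpd port 2812 ... allow localhost` at lines 198–200 has no `allow user:password` entry, and `haproxy.cfg` in this change proxies `127.0.0.1:2812` to the network, so every request arriving through it looks local; an `allow <user>:<password>` line gives monit its own authentication instead of relying solely on the proxy's header ACL.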