Resolve "feat: authentication for netdata"

3d08ae96 · Arthur BOUDREAULT · Thomas MICHEL · 6b993917 · 3d08ae96 · 3d08ae96
Commit 3d08ae96 authored 4 weeks ago by Arthur BOUDREAULT Committed by Thomas MICHEL 4 weeks ago
--- a/ansible/common.yml
+++ b/ansible/common.yml
@@ -63,3 +63,7 @@
    - name: Install netdata
      ansible.builtin.include_tasks: tasks/netdata.yml
+  handlers:
+    - name: Import handlers
+      ansible.builtin.import_tasks: handlers/main.yml
--- a/ansible/group_vars/all/common.yml
+++ b/ansible/group_vars/all/common.yml
@@ -129,6 +129,7 @@ apt_install_common:
  - mailutils                   # necessary for msmtp usage
  - make
  - needrestart
+  - openssl
  - python3-pip
  - screen                      # detached terminal from session
  - smartmontools
@@ -268,6 +269,46 @@ logrotate_entries:
    create_user: root
    create_group: root
-# https://gitlab.com/lydra/ansible-bootstrap/-/blob/main/ansible/tasks/netdata.yml
+  - name: nginx-access
-netdata_release_channel: stable
+    path: /var/log/nginx/access.log
-netdata_version: 2.5.2
+    frequency: weekly
+    keep: 4
+    missingok: true
+    notifempty: true
+    sharedscripts: true
+    delaycompress: true
+    postrotate: |
+      [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
+  - name: nginx-error
+    path: /var/log/nginx/error.log
+    frequency: weekly
+    keep: 4
+    missingok: true
+    notifempty: true
+    sharedscripts: true
+    delaycompress: true
+    postrotate: |
+      [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
+  - name: netdata-error
+    path: /var/log/netdata/error.log
+    frequency: monthly
+    keep: 6
+    missingok: true
+    notifempty: true
+    delaycompress: true
+    create_mode: "0644"
+    create_user: netdata
+    create_group: netdata
+  - name: netdata-health
+    path: /var/log/netdata/health.log
+    frequency: monthly
+    keep: 6
+    missingok: true
+    notifempty: true
+    delaycompress: true
+    create_mode: "0644"
+    create_user: netdata
+    create_group: netdata
--- a/ansible/group_vars/all/netdata.vault.yml
+++ b/ansible/group_vars/all/netdata.vault.yml
+---
+vault_netdata_user: "admin"
+vault_netdata_password: "your_secure_password_here"
--- a/ansible/group_vars/all/netdata.yml
+++ b/ansible/group_vars/all/netdata.yml
+---
+# Netdata configuration
+netdata_release_channel: stable
+netdata_version: 2.5.2
+netdata_auth_user: "{{ vault_netdata_user }}"
+netdata_auth_password: "{{ vault_netdata_password }}"
+netdata_nginx_https_port: 8443
+netdata_ssl_cert_path: "/etc/ssl/certs/netdata-selfsigned.crt"
+netdata_ssl_key_path: "/etc/ssl/private/netdata-selfsigned.key"
+# https://github.com/geerlingguy/ansible-role-nginx#readme
+nginx_remove_default_vhost: true
+nginx_extra_http_options: |
+  # NetData upstream configuration
+  upstream netdata_backend {
+      server 127.0.0.1:19999;
+      keepalive 64;
+  }
+nginx_vhosts:
+  - listen: "{{ netdata_nginx_https_port }} ssl http2"
+    server_name: "netdata.{{ ansible_fqdn }}"
+    template: "templates/nginx/netdata_https.j2"
--- a/ansible/group_vars/all/security.yml
+++ b/ansible/group_vars/all/security.yml
@@ -10,4 +10,7 @@ ufw_common_rules:
    proto: tcp
  - rule: allow
    to_port: 443
+  - rule: allow
+    to_port: "{{ netdata_nginx_https_port }}"
+    proto: tcp
 ufw_specific_rules: []
--- a/ansible/handlers/main.yml
+++ b/ansible/handlers/main.yml
 ---
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted
+- name: Restart netdata
+  ansible.builtin.service:
+    name: netdata
+    state: restarted
 - name: Restart sshd
  ansible.builtin.service:
    name: sshd

--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -41,6 +41,9 @@ roles:
  - name: arillso.motd
    version: 1.4.0
+  - name: geerlingguy.nginx
+    version: 3.2.0
  - name: hifis.unattended_upgrades
    version: v3.2.1

--- a/ansible/tasks/netdata.yml
+++ b/ansible/tasks/netdata.yml
 ---
 - name: Check if Netdata is already installed
  ansible.builtin.command: which netdata
  register: netdata_check
@@ -36,3 +35,102 @@
  ansible.builtin.file:
    path: /usr/local/bin/netdata-kickstart.sh
    state: absent
+- name: Include role nginx
+  ansible.builtin.include_role:
+    name: geerlingguy.nginx
+- name: Create ssl-cert group if it doesn't exist
+  ansible.builtin.group:
+    name: ssl-cert
+    state: present
+    system: true
+- name: Create SSL directory
+  ansible.builtin.file:
+    path: /etc/ssl/private
+    state: directory
+    owner: root
+    group: ssl-cert
+    mode: '0710'
+- name: Generate self-signed SSL certificate for NetData
+  ansible.builtin.command: >
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048
+    -keyout {{ netdata_ssl_key_path }}
+    -out {{ netdata_ssl_cert_path }}
+    -subj "/C=FR/ST=France/L=Paris/O=Lydra/OU=IT/CN={{ inventory_hostname }}"
+  args:
+    creates: "{{ netdata_ssl_cert_path }}"
+- name: Set permissions on SSL certificate files
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - { path: "{{ netdata_ssl_cert_path }}", owner: "root", group: "root", mode: "0644" }
+    - { path: "{{ netdata_ssl_key_path }}", owner: "root", group: "ssl-cert", mode: "0640" }
+- name: Create netdata directories if they don't exist
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: netdata
+    group: netdata
+    mode: '0755'
+  loop:
+    - /etc/netdata
+    - /var/log/netdata
+- name: Configure netdata security settings
+  ansible.builtin.template:
+    src: netdata/netdata.conf.j2
+    dest: /etc/netdata/netdata.conf
+    owner: netdata
+    group: netdata
+    mode: '0644'
+  notify: Restart netdata
+- name: Ensure netdata is started and enabled
+  ansible.builtin.service:
+    name: netdata
+    state: started
+    enabled: true
+- name: Create netdata auth directory
+  ansible.builtin.file:
+    path: /etc/nginx/auth
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+- name: Generate netdata authentication file
+  ansible.builtin.shell: >
+    printf "{{ netdata_auth_user }}:$(openssl passwd -apr1 '{{ netdata_auth_password }}')" > /etc/nginx/auth/netdata
+  args:
+    creates: /etc/nginx/auth/netdata
+  no_log: true
+- name: Set permissions on netdata auth file
+  ansible.builtin.file:
+    path: /etc/nginx/auth/netdata
+    owner: root
+    group: www-data
+    mode: '0640'
+- name: Display NetData access information
+  ansible.builtin.debug:
+    msg: |
+      NetData has been configured successfully!
+      Access information:
+      - HTTPS: https://{{ inventory_hostname }}:{{ netdata_nginx_https_port }}/ (Self-signed certificate)
+      Authentication: {{ netdata_auth_user }} / [password from vault]
+      SSL Configuration: Self-signed certificate
+      Status: NetData is accessible through Nginx reverse proxy
+      Note: Your browser will show a security warning due to the self-signed certificate
--- a/ansible/templates/netdata/netdata.conf.j2
+++ b/ansible/templates/netdata/netdata.conf.j2
+# NetData configuration file
+# Managed by Ansible - Do not edit manually
+# Optimized for Nginx reverse proxy
+[global]
+    # Disable update checks and cloud features
+    check for updates every = 0
+[web]
+    # Bind only to localhost since we use nginx reverse proxy
+    bind to = 127.0.0.1:19999
+    # Allow connections from localhost only (nginx handles authentication)
+    allow connections from = localhost 127.0.0.1 ::1
+    # Disable NetData's own gzip compression (nginx handles it)
+    enable gzip compression = no
+    # Security settings
+    web files owner = netdata
+    web files group = netdata
+    # Disable management API for security
+    allow management from = none
+[logs]
+    # Disable access log to prevent double logging (nginx logs access)
+    access = off
+    # Keep error logs for troubleshooting
+    error = /var/log/netdata/error.log
+[cloud]
+    # Completely disable NetData Cloud integration
+    enabled = no
+[plugins]
+    # Disable web log plugins to reduce noise
+    web_log = no
+    # Keep system monitoring plugins enabled
+    proc = yes
+    diskspace = yes
+    cgroups = yes
+    tc = yes
+[registry]
+    # Disable registry functionality for security
+    enabled = no
+[health]
+    # Keep health monitoring enabled
+    enabled = yes
+    # Health log location
+    health log file = /var/log/netdata/health.log
+{% if netdata_custom_config is defined %}
+# Custom configuration
+{{ netdata_custom_config }}
+{% endif %} 
--- a/ansible/templates/nginx/netdata_https.j2
+++ b/ansible/templates/nginx/netdata_https.j2
+# NetData HTTPS virtual host with self-signed certificate
+# {{ ansible_managed }}
+server {
+    listen {{ netdata_nginx_https_port }} ssl http2;
+    listen [::]:{{ netdata_nginx_https_port }} ssl http2;
+    server_name netdata.{{ ansible_fqdn | default(inventory_hostname) }};
+    # SSL configuration with self-signed certificate
+    ssl_certificate {{ netdata_ssl_cert_path }};
+    ssl_certificate_key {{ netdata_ssl_key_path }};
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozTLS:10m;
+    ssl_session_tickets off;
+    # Modern configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    # HSTS (optional for self-signed, but good practice)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    # HTTP Basic Authentication
+    auth_basic "NetData Protected Access";
+    auth_basic_user_file /etc/nginx/auth/netdata;
+    # Security headers
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy strict-origin-when-cross-origin;
+    # Redirect root to /v3 dashboard because of this issue: https://github.com/netdata/netdata/issues/19007
+    location = / {
+        return 301 https://$server_name:{{ netdata_nginx_https_port }}/v3;
+    }
+    # Proxy all requests to netdata backend
+    location / {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_pass http://netdata_backend;
+        proxy_http_version 1.1;
+        proxy_pass_request_headers on;
+        proxy_set_header Connection "keep-alive";
+        proxy_store off;
+        # Enable gzip compression
+        gzip on;
+        gzip_proxied any;
+        gzip_types *;
+    }
+    # Block access to sensitive paths
+    location ~ ^/(netdata\.conf|\.ht) {
+        deny all;
+        return 404;
+    }
+}