This module will install and manage LibreNMS, NGINX, PHP + PHP-FPM, RRD + RRDCached, MySQL (MariaDB), SNMP, on a single machine (optionally: Cron, Oxidized and LibreNMS plugins).
This module acts as a "meta module", as it depends heavily on other modules in order to tie everything together.
This module has been tested on a Debian based OS (Ubuntu 18.04.x), but should work on RHEL based OS'es with minor tweaking.
NOTE: If you have a backup file, you can import that instead
Since this module creates and manages the appropiate database, and a fresh LibreNMS installation doesn't like that, you have to drop the database first, before you can continue on the installation page:
mysql -u root -p -e 'DROP DATABASE librenms;'- Go to
http://librenms.example.com/install.php
If you have a previous mysqldump of a LibreNMS installation, you can import it using the $import_mysqldump parameter:
- Copy the MySQL dump onto the new LibreNMS server, and place it somewhere (e.g.
/tmp/librenms_dump.sql) - In Puppet, specify
import_mysqldump => '/tmp/librenms_dump.sql' - Delete the current database (resolves database version mismatch), run
mysql -u root -p -e 'DROP DATABASE librenms;' - Run Puppet
- Migrate the database to newest version, run
/opt/librenms/lnms migrate - Remove the
$import_mysqldumpparameter again, to not re-import the dump
A backup (mysqldump) of the LibreNMS database will be taken automatically, everyday at 01:30 (AM).
The number of revisions to keep on disk, can be controlled by the $mysql_backup_revisions parameter.
Backups are placed here: ${librenms::vcs_root_dir}/backup/
When updating database username or -password, this module will do most of the legwork.
However, LibreNMS keeps "temporary" settings in a environment file, found at ${librenms::vcs_root_dir}/.env, including the database username and -password. You have to manually update this file!
The main LibreNMS configuration file can be managed with Puppet, using the $config_raw_input parameter. This parameter will be converted to config.php viable code, using a very basic built-in parser (lib/puppet/functions/to_phpconfig.rb)
All nested configuration options can be specified in Puppet with a dot (.), example: auth_ad_groups.LibreNMS_Admins.level (Puppet) turns into $config['auth_ad_groups']['LibreNMS_Admins']['level'] (config.php)
Strings, Booleans, Integers, Floats, Hashes, Arrays, and Array of Hashes are supported by the built-in parser.
If $nginx_enable_mon_sites is set to true, monitoring pages will be enabled.
These pages can be queried using the following commands:
# Can only be done locally from the server
curl "localhost:8080/nginx_status"
curl "localhost:8080/fpm-status"
curl "localhost:8080/fpm-ping"The following plugins can be installed using Puppet, but has to be enabled manually in the LibreNMS web-interface.
The Weathermap plugin can be installed by setting the $weathermap_enabled to true.
The Oxidized plugin can be installed by setting the $oxidized_enabled parameter to true.
Oxidized can be futher customized by setting the $oxidized_configuration parameter, and the oxidized specific settings in $config_raw_input.
A basic TestSSL plugin is included in this Puppet module, and can be installed by setting the $testssl_enabled to true.
The TestSSL plugin runs TestSSL, and displays the output directly in LibreNMS.
NOTE: SNMP traps are a in-progress feature in LibreNMS. Support may be very varied!
This module can configure SNMP traps for LibreNMS. You simply add this configuration:
class { '::librenms':
snmp_trap_enabled => true,
snmp_trap_ensure => running,
config_raw_input => {
'snmptraps.eventlog' => 'all',
}
snmp_trap_mib_dirs => [
'/opt/librenms/mibs',
'/opt/librenms/mibs/cisco',
'/opt/librenms/mibs/hp',
'/opt/librenms/mibs/paloaltonetworks',
],
snmp_trap_mibs => ['ALL'],
}For $snmp_trap_mib_dirs and $snmp_trap_mibs it is recommended to specify which MIBs to use, and not all.
A full list can be found in the LibreNMS github repository.
# LibreNMS with Oxidized + Weathermap plugins, active Netscaler poller, AD logins, and sample TLS config
class { '::librenms':
config_admin_email => $admin_email,
config_poller_threads => 32,
mysql_librenms_password => $mysql_librenms_password,
mysql_root_password => $mysql_root_password,
oxidized_auth_token => $oxidized_api_token,
oxidized_enabled => true,
oxidized_manage_repo => true,
snmp_location => 'Null Island',
snmp_ro_community => $snmp_ro_community,
weathermap_enabled => true,
config_override_pollers => {
'netscaler-vsvr' => 1,
},
config_raw_input => {
'active_directory.users_purge' => 14, # days
'auth_ad_base_dn' => 'DC=domain,DC=com',
'auth_ad_bindpassword' => $ad_bind_password,
'auth_ad_binduser' => $ad_bind_username,
'auth_ad_check_certificates' => 0,
'auth_ad_domain' => 'domain.com',
'auth_ad_groups.LibreNMS_Admins.level' => 10,
'auth_ad_groups.LibreNMS_Users.level' => 5,
'auth_ad_require_groupmembership' => 1,
'auth_ad_url' => 'ldaps://domain.com',
'auth_mechanism' => 'active_directory',
'authlog_purge' => 15, # days
'oxidized.enabled' => true,
'oxidized.url' => 'http://127.0.0.1:8888',
'oxidized.group_support' => true,
'oxidized.features.versioning' => true,
'oxidized.reload_nodes' => false,
'oxidized.group.os' => [
{ 'match' => 'asa', 'group' => 'cisco-asa-device' },
{ 'match' => 'ios', 'group' => 'cisco-device' },
{ 'match' => 'iosxe', 'group' => 'cisco-device' },
{ 'match' => 'netscaler', 'group' => 'netscaler-device' },
{ 'match' => 'procurve', 'group' => 'procurve-device' },
],
'oxidized.group.hostname' => [
{ 'regex' => '/^switch\d.*/', 'group' => 'switches' },
{ 'regex' => '/^router\d.*/', 'group' => 'routers' },
],
}
# TLS settings are primary taken from these:
# https://ssl-config.mozilla.org/#server=nginx&config=intermediate&ocsp=false
# https://cipherli.st/
nginx_ssl_enable => true,
nginx_ssl_protocols => 'TLSv1.2 TLSv1.3',
nginx_ssl_ciphers => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384', #lint:ignore:140chars
nginx_ssl_cert => "${cert_root_path}/full_cert.pem",
nginx_ssl_key => "${cert_root_path}/cert.key",
nginx_ssl_prefer_server_ciphers => 'on',
nginx_ssl_cache => 'shared:ssl_cache:10m',
nginx_ssl_session_tickets => 'off',
nginx_ssl_session_timeout => '1d',
nginx_ssl_dhparam => "${cert_root_path}/dhparam.pem",
nginx_ssl_headers => {
'Strict-Transport-Security' => 'max-age=31557600',
'X-Frame-Options' => 'DENY',
'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1; mode=block',
},
oxidized_configuration => {
'groups' => $oxidized_config_groups,
'input' => {
'ssh' => {
'secure' => false, # Disable hostkey verification
},
},
'model_map' => {
'procurve' => 'procurve',
'cisco' => 'ios',
'asa' => 'asa',
'ciscowlc' => 'aireos',
'arista' => 'eos'
},
},
}