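#!/bin/bash
#
# Provision a single host ("oglog") as a log and metrics collector:
#   - a private CA plus one certificate per service (generated by ./mkcerts.sh)
#   - Journalbeat shipping the local and received journals to OpenSearch
#   - OpenSearch and OpenSearch Dashboards over TLS (client auth REQUIRE)
#   - systemd-journal-remote receiving journals over TLS
#   - Prometheus over TLS and Grafana over TLS with a Prometheus datasource
#     and the public dashboard 405
#
# Usage: run as root from the directory that contains mkcerts.sh with
#   IP_MAQUINA                          address of this machine (IPv4/IPv6)
#   OPENSEARCH_INITIAL_ADMIN_PASSWORD   initial OpenSearch admin password
# exported in the environment (the OpenSearch package reads the password
# variable during installation).
#
# The script is meant to be repeatable: /etc/hosts entries, the CA link,
# the *.dist backups, the opensearch.yml / prometheus.yml appends and the
# Prometheus ARGS edit are applied only once.

set -euo pipefail

readonly JOURNALBEAT_VERSION=7.12.1
readonly JOURNALBEAT_DEB="journalbeat-oss-${JOURNALBEAT_VERSION}-amd64.deb"
readonly JOURNALBEAT_URL="https://artifacts.elastic.co/downloads/beats/journalbeat/${JOURNALBEAT_DEB}"
readonly OPENSEARCH_KEY_URL=https://artifacts.opensearch.org/publickeys/opensearch.pgp
readonly GRAFANA_KEY_URL=https://apt.grafana.com/gpg.key
readonly GRAFANA_DASHBOARD_URL=https://grafana.com/api/dashboards/405/revisions/8/download

# Service names (under .mytld) that must resolve to this machine; each one
# has a certificate under CA/certs and CA/private named after it.
readonly -a SERVICE_HOSTS=(oglog-os oglog-osdb oglog-jb oglog-jrem oglog-prom oglog-graf)

# Temporary download directory, created in configure_journalbeat and removed
# by the EXIT trap installed there.
tmpdir=

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download a URL to a file. -f makes HTTP errors fail the command instead of
# saving an error page under the expected name.
# Arguments: $1 - URL, $2 - destination path
# Returns:   curl's exit status
#######################################
fetch() {
  local url=$1 dest=$2
  curl -fsSL --connect-timeout 10 --max-time 60 --retry 3 -o "$dest" "$url"
}

#######################################
# Install a service certificate (0644) and its password-less private key
# (0640) from the CA tree, owned by the service account. Using install(1)
# instead of cp + chown pins the mode of the key, which cp would inherit
# from the CA tree.
# Arguments: $1 - service name (e.g. oglog-os), $2 - destination directory,
#            $3 - owner, $4 - group
#######################################
install_cert_pair() {
  local name=$1 dir=$2 owner=$3 group=$4
  install -o "$owner" -g "$group" -m 0644 \
    "CA/certs/${name}.mytld.crt.pem" "${dir}/${name}.mytld.crt.pem"
  install -o "$owner" -g "$group" -m 0640 \
    "CA/private/${name}.mytld.key.nopass.pem" "${dir}/${name}.mytld.key.pem"
}

#######################################
# Enforce the password policy: at least 12 characters, one upper-case
# letter, one digit and one character outside [a-zA-Z0-9].
# Arguments: $1 - password
# Returns:   0 if valid; exits 1 otherwise
#######################################
validate_password() {
  local pw=$1
  if (( ${#pw} < 12 )) \
      || [[ ! "$pw" =~ [A-Z] || ! "$pw" =~ [0-9] || ! "$pw" =~ [^a-zA-Z0-9] ]]; then
    echo "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple con los requisitos:" >&2
    echo "- Mínimo 12 caracteres." >&2
    echo "- Al menos una mayúscula, un número y un carácter especial." >&2
    exit 1
  fi
  # The password is written verbatim inside double-quoted YAML scalars
  # (journalbeat.yml, opensearch_dashboards.yml); a quote or backslash would
  # silently corrupt those files and the services would fail to start.
  if [[ "$pw" == *[\"\\]* ]]; then
    die 'ERROR: La contraseña no puede contener comillas dobles (") ni barras invertidas (\).'
  fi
}

#######################################
# Verify privileges, required environment and the working directory before
# touching anything under /etc.
# Globals:   IP_MAQUINA, OPENSEARCH_INITIAL_ADMIN_PASSWORD (read)
#######################################
check_environment() {
  if [[ -z "${IP_MAQUINA:-}" || -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]]; then
    die "ERROR: Las variables de entorno IP_MAQUINA y OPENSEARCH_INITIAL_ADMIN_PASSWORD deben estar definidas."
  fi
  (( EUID == 0 )) || die "ERROR: Este script debe ejecutarse como root."
  # IP_MAQUINA is spliced into /etc/hosts and into a sed replacement, so only
  # address characters are accepted (covers IPv4 and IPv6).
  [[ "$IP_MAQUINA" =~ ^[0-9A-Fa-f.:]+$ ]] \
    || die "ERROR: IP_MAQUINA no parece una dirección IP válida: ${IP_MAQUINA}"
  [[ -f ./mkcerts.sh ]] \
    || die "ERROR: No se encuentra ./mkcerts.sh; ejecuta este script desde su directorio."
  validate_password "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
}

#######################################
# Point every service name at this machine in /etc/hosts. Each exact line is
# added only if it is not already present, so re-runs do not duplicate it.
# Globals:   IP_MAQUINA, SERVICE_HOSTS (read)
#######################################
configure_hosts() {
  local host line
  for host in "${SERVICE_HOSTS[@]}"; do
    line="${IP_MAQUINA} ${host}.mytld"
    grep -qxF -- "$line" /etc/hosts || printf '%s\n' "$line" >>/etc/hosts
  done
}

#######################################
# Install the tools the rest of the script depends on. curl is listed because
# every later download uses it.
#######################################
install_base_packages() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get -y install ca-certificates gnupg2 lsb-release systemd-journal-remote curl
}

#######################################
# Generate the CA and service certificates, then make the CA trusted
# system-wide via OpenSSL's subject-hash link.
#######################################
install_ca() {
  bash ./mkcerts.sh
  install -m 0644 CA/certs/ca.crt.pem /etc/ssl/certs/ca.crt.pem
  local hash
  hash=$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout)
  # -sfn replaces an existing link, so a second run does not abort here.
  ln -sfn /etc/ssl/certs/ca.crt.pem "/etc/ssl/certs/${hash}.0"
}

#######################################
# Download, verify and install Journalbeat, then configure it to ship the
# local and received journals to OpenSearch.
# Globals:   tmpdir (written), OPENSEARCH_INITIAL_ADMIN_PASSWORD (read)
#######################################
configure_journalbeat() {
  tmpdir=$(mktemp -d) || die "ERROR: No se pudo crear un directorio temporal."
  trap 'rm -rf -- "${tmpdir:?}"' EXIT

  echo "Descargando ${JOURNALBEAT_DEB}..."
  if ! fetch "$JOURNALBEAT_URL" "${tmpdir}/${JOURNALBEAT_DEB}" \
      || ! fetch "${JOURNALBEAT_URL}.sha512" "${tmpdir}/${JOURNALBEAT_DEB}.sha512"; then
    die "ERROR: No se puede resolver la URL. Verifica tu conexión a Internet o la disponibilidad del servidor."
  fi
  # The .deb is installed with dpkg -i, outside apt's signature checks, so
  # compare it with the publisher's SHA-512 sidecar before installing.
  (cd "$tmpdir" && sha512sum -c --status "${JOURNALBEAT_DEB}.sha512") \
    || die "ERROR: La suma SHA-512 de ${JOURNALBEAT_DEB} no coincide; se aborta la instalación."
  dpkg -i "${tmpdir}/${JOURNALBEAT_DEB}"

  # Journalbeat runs as root, so root keeps the key.
  install_cert_pair oglog-jb /etc/journalbeat root root

  # The config embeds the admin password: create it 0600 before writing.
  # NOTE(review): a dedicated ingest user instead of "admin" would reduce the
  # blast radius of this file.
  install -m 0600 /dev/null /etc/journalbeat/journalbeat.yml
  cat >/etc/journalbeat/journalbeat.yml <<EOF
journalbeat.inputs:
  - paths:
      - "/var/log/journal"
      - "/var/log/journal/remote"
    seek: cursor

setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: ["oglog-os.mytld:9200"]
  username: "admin"
  password: "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
  protocol: "https"
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
  ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"

processors:
  - add_docker_metadata: ~

seccomp.enabled: false
EOF

  systemctl enable --now journalbeat
}

#######################################
# Add the OpenSearch apt repositories (signed-by keyring) and install
# OpenSearch and OpenSearch Dashboards.
#######################################
configure_opensearch_repo() {
  curl -fsSL --connect-timeout 10 --max-time 30 "$OPENSEARCH_KEY_URL" \
    | gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
  echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" >/etc/apt/sources.list.d/opensearch-2.x.list
  echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" >/etc/apt/sources.list.d/opensearch-dashboards-2.x.list
  apt-get update
  apt-get install -y opensearch opensearch-dashboards
}

#######################################
# Install the certificates for OpenSearch and Dashboards and point
# opensearch.yml at them, binding the HTTP listener to IP_MAQUINA.
# Globals:   IP_MAQUINA (read)
#######################################
configure_opensearch() {
  local conf=/etc/opensearch/opensearch.yml
  install -o opensearch -g opensearch -m 0644 CA/certs/ca.crt.pem /etc/opensearch/ca.crt.pem
  install_cert_pair oglog-os /etc/opensearch opensearch opensearch
  install_cert_pair oglog-osdb /etc/opensearch-dashboards opensearch-dashboards opensearch-dashboards

  # These substitutions only rewrite the value, so they are safe to repeat.
  sed -i -e '/^plugins.security.ssl.http.pemcert_filepath:/ s/: .*/: oglog-os.mytld.crt.pem/' "$conf"
  sed -i -e '/^plugins.security.ssl.http.pemkey_filepath:/ s/: .*/: oglog-os.mytld.key.pem/' "$conf"
  sed -i -e '/^plugins.security.ssl.http.pemtrustedcas_filepath:/s/: .*/: ca.crt.pem/' "$conf"
  # IP_MAQUINA was restricted to [0-9A-Fa-f.:] in check_environment, so it
  # cannot break out of the sed replacement.
  sed -i -e '/^#network.host/ s/.*/network.host: '"$IP_MAQUINA"'/' "$conf"

  # Appended once; a re-run would otherwise duplicate the keys.
  if ! grep -q '^discovery.type: single-node' "$conf"; then
    cat >>"$conf" <<EOF

discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.clientauth_mode: REQUIRE
plugins.security.ssl_cert_reload_enabled: true
EOF
  fi
}

#######################################
# Write opensearch_dashboards.yml (keeping a pristine .dist copy) and start
# OpenSearch and Dashboards.
# Globals:   OPENSEARCH_INITIAL_ADMIN_PASSWORD (read)
#######################################
configure_opensearch_dashboards() {
  local conf=/etc/opensearch-dashboards/opensearch_dashboards.yml
  # Keep the packaged file only the first time, so the backup stays pristine.
  [[ -e "${conf}.dist" ]] || cp -a "$conf" "${conf}.dist"
  # The file holds the admin password: readable by the service group only.
  install -o root -g opensearch-dashboards -m 0640 /dev/null "$conf"
  cat >"$conf" <<EOF
server.host: 0.0.0.0
opensearch.hosts: ["https://oglog-os.mytld:9200"]
opensearch.username: "admin"
opensearch.password: "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: [ "/etc/ssl/certs/ca.crt.pem" ]
opensearch.ssl.alwaysPresentCertificate: true
EOF

  systemctl enable --now opensearch.service opensearch-dashboards.service
}

#######################################
# Configure systemd-journal-remote to receive journals over TLS into
# /var/log/journal/remote.
#######################################
configure_journal_remote() {
  install_cert_pair oglog-jrem /etc/systemd systemd-journal-remote systemd-journal-remote
  install -o systemd-journal-remote -g systemd-journal-remote -m 0750 -d /var/log/journal/remote/
  # Rewrites the whole line (commented or not) with the '%' delimiter so the
  # slashes in the paths need no escaping.
  sed -i -e '/ServerKeyFile/ s%.*%ServerKeyFile=/etc/systemd/oglog-jrem.mytld.key.pem%' /etc/systemd/journal-remote.conf
  sed -i -e '/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/oglog-jrem.mytld.crt.pem%' /etc/systemd/journal-remote.conf
  # NOTE(review): TrustedCertificateFile is not set here, so confirm how
  # incoming senders are authenticated (client certificates, firewall, ...).
  systemctl enable --now systemd-journal-remote.service
}

#######################################
# Install Prometheus, add the scrape jobs for ogserver/ogagent and serve its
# UI over TLS through a web-config file.
#######################################
configure_prometheus() {
  apt-get install -y prometheus
  install_cert_pair oglog-prom /etc/prometheus prometheus prometheus

  # Appended once. The jobs are indented as members of scrape_configs, which
  # assumes that key is the last one in the packaged prometheus.yml (it is in
  # the Debian default) — confirm if the file was customised.
  if ! grep -q '^[[:space:]]*- job_name: ogserver$' /etc/prometheus/prometheus.yml; then
    cat >>/etc/prometheus/prometheus.yml <<EOF
  - job_name: ogserver
    static_configs:
      - targets: ['ogserver.mytld:9100']

  - job_name: ogagent
    static_configs:
      - targets: ['ogagent.mytld:9100']
EOF
  fi

  cat >/etc/prometheus/web-config.yml <<EOF
tls_server_config:
  cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
  key_file: /etc/prometheus/oglog-prom.mytld.key.pem
EOF

  # Inserted before the closing quote of ARGS="..." once; the leading space
  # keeps any flags already present separated from the new one.
  if ! grep -q 'web.config.file=/etc/prometheus/web-config.yml' /etc/default/prometheus; then
    sed -i -e '/^ARGS/s%"$% --web.config.file=/etc/prometheus/web-config.yml"%' /etc/default/prometheus
  fi
  systemctl restart prometheus
}

#######################################
# Install Grafana from its apt repository, serve it over TLS, provision the
# Prometheus datasource and download dashboard 405.
#######################################
configure_grafana() {
  echo "Verificando conectividad con ${GRAFANA_KEY_URL}..."
  # /etc/apt/keyrings only exists out of the box on recent apt releases.
  install -d -m 0755 /etc/apt/keyrings
  if ! curl -fsSL --connect-timeout 10 --max-time 30 "$GRAFANA_KEY_URL" \
      | gpg --dearmor --batch --yes -o /etc/apt/keyrings/grafana.gpg; then
    die "ERROR: No se puede conectar a ${GRAFANA_KEY_URL}. Verifica tu conexión a Internet o la disponibilidad del servidor."
  fi
  echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list
  apt-get update
  apt-get install --yes grafana

  install_cert_pair oglog-graf /etc/grafana grafana grafana

  local ini=/etc/grafana/grafana.ini
  [[ -e "${ini}.dist" ]] || cp -a "$ini" "${ini}.dist"
  cat >"$ini" <<EOF
[server]
protocol = https
cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
cert_key = /etc/grafana/oglog-graf.mytld.key.pem

[analytics]
reporting_enabled = false
check_for_updates = false
check_for_plugin_updates = false

[database]
type = sqlite3
path = /var/lib/grafana/grafana.db

[auth]
disable_login_form = false
EOF

  # Datasources and dashboard providers are not grafana.ini sections; Grafana
  # reads them from /etc/grafana/provisioning at start-up.
  mkdir -p /etc/grafana/provisioning/datasources /etc/grafana/provisioning/dashboards /etc/grafana/dashboards
  # The https URL relies on the CA installed by install_ca being trusted by
  # the system store — confirm with the Grafana log after start-up.
  cat >/etc/grafana/provisioning/datasources/prometheus.yaml <<EOF
apiVersion: 1
datasources:
  - name: Prometheus
    type: prometheus
    access: proxy
    url: https://oglog-prom.mytld:9090
    isDefault: true
EOF
  cat >/etc/grafana/provisioning/dashboards/default.yaml <<EOF
apiVersion: 1
providers:
  - name: default
    type: file
    options:
      path: /etc/grafana/dashboards
EOF

  fetch "$GRAFANA_DASHBOARD_URL" /etc/grafana/dashboards/405.json \
    || die "ERROR: No se pudo descargar el dashboard 405 de grafana.com."

  systemctl enable --now grafana-server
}

#######################################
# Run every provisioning step in dependency order.
#######################################
main() {
  check_environment
  configure_hosts
  install_base_packages
  install_ca
  configure_journalbeat
  configure_opensearch_repo
  configure_opensearch
  configure_opensearch_dashboards
  configure_journal_remote
  configure_prometheus
  configure_grafana
}

main "$@"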