Automatically install and configure Monit on your Debian 10/11 and Ubuntu 20.04 server

Discussion in 'Plugins/Modules/Addons' started by Th0m, Sep 23, 2022.

Tags:
Thread Status:
Not open for further replies.
  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Note, 23-09-2022: this script has been tested by me but it might very well be that in the upcoming days I will make some minor improvements. What might be changed is the monitor interval (currently 30, configured in /etc/monit/monitrc) and some services could be added if any are suggested.

    After building a function for the ISPConfig autoinstaller that adds support for automatically installing and configuring Monit, I figured that it might come in handy on existing servers where you can't re-run the autoinstaller. So I made some changes and got it working well on any Debian 10/11 and Ubuntu 20.04 server.

    If any of the supported services are installed, it will add a monitor config for them. The scripts also sets up the web UI and you can let it configure a email address to send alerts to.

    Currently supported services (please PM if you think I should add one!):
    • sshd
    • mariadb
    • pure-ftpd-mysql
    • apache2
    • nginx
    • named
    • postfix
    • dovecot
    • rspamd
    • php-fpm for PHP versions 5.6 - 8.1.
    All you have to do to get a working Monit instance set up within seconds is to download the script and run it.
    To set it up without a recipient for email alerts, run:
    Code:
    curl https://git.ispconfig.org/ispconfig/tools/-/raw/master/setup_monit.php -sL | php
    To set it up with a recipient for email alerts, run:
    Code:
    curl https://git.ispconfig.org/ispconfig/tools/-/raw/master/setup_monit.php -sL | php -- [email protected]
    Make sure to change the email address "[email protected]" to the email address that shall receive the alerts.

    You can configure a SMTP server to send through in /etc/monit/conf-available/alerts - by default it uses localhost.

    SSL for the Monit UI can be configured in /etc/monit/conf-available/webui - it might be necessary to change the path of the .pem file, and probably the file permissions for that file as well. Untested.

    Monit documentation:
    https://mmonit.com/monit/documentation/monit.html
    https://mmonit.com/wiki/Monit/ConfigurationExamples

    Feedback is welcome as always. Feel free to send me a PM.
     
    Last edited: Sep 25, 2022
    webguyz, till and ahrasis like this.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Setting up SSL for the web UI when using Let's Encrypt with the acme.sh client:
    Please note: if you already set up something like this for the ISPConfig panel, your mail services, or FTP services, this guide might be incompatible and following it is at own risk.
    - Create a website for the hostname of the server, e.g. "server1.example.com".
    - Disable auto subdomain
    - Enable Let's Encrypt for the site.

    Make sure the certificate for your hostname is created. I will use server1.example.com.
    You can check if it exists with
    Code:
    ls -la /root/.acme.sh/server1.example.com
    The certificate files should be there.

    To use this certificate for the Monit UI, run:
    Code:
    cd /var/www/server1.example.com/ssl/
    cat server1.example.com-le.{key,crt} > server1.example.com-le.pem
    chmod 600 server1.example.com-le.pem
    Then open the webui config file with your favorite editor:
    Code:
    nano /etc/monit/conf-available/webui
    Change the path to the .pem file and uncomment the 2 SSL lines:
    Code:
    set httpd port 2812 and
            SSL ENABLE
            PEMFILE /var/www/server1.example.com/ssl/server1.example.com-le.pem
            allow admin:MyPassword1
    Restart Monit to apply changes:
    Code:
    systemctl restart monit

    You can set up a script to regenerate the .PEM file automatically when the certificate has been renewed:

    Open a new script file:
    Code:
    nano /usr/local/bin/le_server1_pem.sh
    Paste this in that file:
    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: LE .PEM AUTO UPDATER FOR MONIT
    # Required-Start: $local_fs $network
    # Required-Stop: $local_fs
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: LE .PEM AUTO UPDATER FOR MONIT
    ### END INIT INFO
    cd /var/www/server1.example.com/ssl/
    cat server1.example.com-le.{key,crt} > server1.example.com-le.pem
    chmod 600 server1.example.com-le.pem
    systemctl restart monit
    Make the script executable:
    Code:
    chmod +x /usr/local/bin/le_server1_pem.sh
    To automatically trigger this script on renewal, we are going to use systemd.

    Create and open the new systemd service:
    Code:
    nano /etc/systemd/system/le_server1_pem.service
    Paste this in that file:
    Code:
    [Unit]
    Description="Create new .pem file on certificate renewal"
    
    [Service]
    ExecStart=/usr/local/bin/le_server1_pem.sh
    Save and close this file. Then create and open the new systemd path file:
    Code:
    nano /etc/systemd/system/le_server1_pem.path
    Paste this in that file and replace server1.example.com with the hostname you used:
    Code:
    [Unit]
    Description="Monitor the hostname certificate files to trigger a recreation of the .pem file after renewal"
    
    [Path]
    PathModified=/root/.acme.sh/server1.example.com/
    Unit=le_server1_pem.service
    
    [Install]
    WantedBy=multi-user.target
    Save and close this file. Then start the service and enable it so it runs on startup:
    Code:
    systemctl start le_server1_pem.path
    And enable it so it runs on startup:
    Code:
    systemctl enable le_server1_pem.path
    And we're done!

    Of course, replace server1.example.com in this guide with your hostname.
     
    Last edited: Nov 5, 2024
    till and ahrasis like this.
Thread Status:
Not open for further replies.

Share This Page