Automatically install and configure Monit on your Debian 10/11 and Ubuntu 20.04 server

Discussion in 'Plugins/Modules/Addons' started by Th0m, Sep 23, 2022.

Tags:
Thread Status:
Not open for further replies.
  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Note, 23-09-2022: this script has been tested by me but it might very well be that in the upcoming days I will make some minor improvements. What might be changed is the monitor interval (currently 30, configured in /etc/monit/monitrc) and some services could be added if any are suggested.

    After building a function for the ISPConfig autoinstaller that adds support for automatically installing and configuring Monit, I figured that it might come in handy on existing servers where you can't re-run the autoinstaller. So I made some changes and got it working well on any Debian 10/11 and Ubuntu 20.04 server.

    If any of the supported services are installed, it will add a monitor config for them. The scripts also sets up the web UI and you can let it configure a email address to send alerts to.

    Currently supported services (please PM if you think I should add one!):
    • sshd
    • mariadb
    • pure-ftpd-mysql
    • apache2
    • nginx
    • named
    • postfix
    • dovecot
    • rspamd
    • php-fpm for PHP versions 5.6 - 8.1.
    All you have to do to get a working Monit instance set up within seconds is to download the script and run it.
    To set it up without a recipient for email alerts, run:
    Code:
    curl https://git.ispconfig.org/ispconfig/tools/-/raw/master/setup_monit.php -sL | php
    To set it up with a recipient for email alerts, run:
    Code:
    curl https://git.ispconfig.org/ispconfig/tools/-/raw/master/setup_monit.php -sL | php -- [email protected]
    Make sure to change the email address "[email protected]" to the email address that shall receive the alerts.

    You can configure a SMTP server to send through in /etc/monit/conf-available/alerts - by default it uses localhost.

    SSL for the Monit UI can be configured in /etc/monit/conf-available/webui - it might be necessary to change the path of the .pem file, and probably the file permissions for that file as well. Untested.

    Monit documentation:
    https://mmonit.com/monit/documentation/monit.html
    https://mmonit.com/wiki/Monit/ConfigurationExamples

    Feedback is welcome as always. Feel free to send me a PM.
     
    Last edited: Sep 25, 2022
    Th0m, Sep 23, 2022
    #1
    webguyz, till and ahrasis like this.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Setting up SSL for the web UI when using Let's Encrypt with the acme.sh client:
    Please note: if you already set up something like this for the ISPConfig panel, your mail services, or FTP services, this guide might be incompatible and following it is at own risk.
    - Create a website for the hostname of the server, e.g. "server1.example.com".
    - Disable auto subdomain
    - Enable Let's Encrypt for the site.

    Make sure the certificate for your hostname is created. I will use server1.example.com.
    You can check if it exists with
    Code:
    ls -la /root/.acme.sh/server1.example.com
    The certificate files should be there.

    To use this certificate for the Monit UI, run:
    Code:
    cd /var/www/server1.example.com/ssl/
cat server1.example.com-le.{key,crt} > server1.example.com-le.pem
chmod 600 server1.example.com-le.pem
    Then open the webui config file with your favorite editor:
    Code:
    nano /etc/monit/conf-available/webui
    Change the path to the .pem file and uncomment the 2 SSL lines:
    Code:
    set httpd port 2812 and
        SSL ENABLE
        PEMFILE /var/www/server1.example.com/ssl/server1.example.com-le.pem
        allow admin:MyPassword1
    Restart Monit to apply changes:
    Code:
    systemctl restart monit

    You can set up a script to regenerate the .PEM file automatically when the certificate has been renewed:

    Open a new script file:
    Code:
    nano /etc/init.d/le_server1_pem.sh
    Paste this in that file:
    Code:
    #!/bin/sh
### BEGIN INIT INFO
# Provides: LE .PEM AUTO UPDATER FOR MONIT
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE .PEM AUTO UPDATER FOR MONIT
### END INIT INFO
cd /var/www/server1.example.com/ssl/
cat server1.example.com-le.{key,crt} > server1.example.com-le.pem
chmod 600 server1.example.com-le.pem
systemctl restart monit
    Make the script executable:
    Code:
    chmod +x /etc/init.d/le_server1_pem.sh
    To automatically trigger this script on renewal, we are going to use systemd.

    Create and open the new systemd service:
    Code:
    nano /etc/systemd/system/le_server1_pem.service
    Paste this in that file:
    Code:
    [Unit]
Description="Create new .pem file on certificate renewal"

[Service]
ExecStart=/etc/init.d/le_server1_pem.sh
    Save and close this file. Then create and open the new systemd path file:
    Code:
    nano /etc/systemd/system/le_server1_pem.path
    Paste this in that file and replace server1.example.com with the hostname you used:
    Code:
    [Unit]
Description="Monitor the hostname certificate files to trigger a recreation of the .pem file after renewal"

[Path]
PathModified=/root/.acme.sh/server1.example.com/
Unit=le_server1_pem.service

[Install]
WantedBy=multi-user.target
    Save and close this file. Then start the service and enable it so it runs on startup:
    Code:
    systemctl start le_server1_pem.path
    And enable it so it runs on startup:
    Code:
    systemctl enable le_server1_pem.path
    And we're done!

    Of course, replace server1.example.com in this guide with your hostname.
     
    Th0m, Sep 24, 2022
    #2
    till and ahrasis like this.
Thread Status:
Not open for further replies.

Share This Page