From 6772b3b5d0fbcf0e93201bcd2cc6195bc712b6de Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann <hi@kunsmann.eu>
Date: Sat, 24 Apr 2021 11:45:58 +0200
Subject: [PATCH] bundles: various fixes for telegraf plugins

---
 bundles/dovecot/files/dovecot.conf   | 14 +++++++++++++-
 bundles/dovecot/metadata.py          |  4 +++-
 bundles/icinga2/metadata.py          |  2 +-
 bundles/postfix/metadata.py          |  2 +-
 bundles/powerdns/files/pdns.conf     |  3 +++
 bundles/powerdns/metadata.py         |  3 +++
 bundles/smartd/metadata.py           |  1 +
 bundles/systemd-networkd/metadata.py |  3 +++
 bundles/unbound/files/unbound.conf   | 10 ++++------
 bundles/unbound/metadata.py          |  4 ++++
 bundles/wireguard/metadata.py        |  3 +++
 11 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf
index c0dd7ce..e105b23 100644
--- a/bundles/dovecot/files/dovecot.conf
+++ b/bundles/dovecot/files/dovecot.conf
@@ -52,6 +52,9 @@ plugin {
     sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin
     sieve_extensions = +vnd.dovecot.pipe
 
+    old_stats_refresh = 30 secs
+    old_stats_track_cmds = yes
+
 % if node.has_bundle('rspamd'):
     sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve
 
@@ -122,7 +125,7 @@ protocol lmtp {
 }
 
 protocol imap {
-    mail_plugins = $mail_plugins imap_zlib imap_sieve
+    mail_plugins = $mail_plugins imap_zlib imap_sieve imap_old_stats
     mail_max_userip_connections = 50
     imap_idle_notify_interval = 29 mins
 }
@@ -133,3 +136,12 @@ protocol sieve {
         sieve_storage = /var/mail/vmail/sieve/%d/%n/
     }
 }
+
+% if node.has_bundle('telegraf'):
+service old-stats {
+    inet_listener {
+        address = 127.0.0.1
+        port = 24242
+    }
+}
+% endif
diff --git a/bundles/dovecot/metadata.py b/bundles/dovecot/metadata.py
index 99d052a..82adb0a 100644
--- a/bundles/dovecot/metadata.py
+++ b/bundles/dovecot/metadata.py
@@ -49,7 +49,9 @@ if node.has_bundle('telegraf'):
     defaults['telegraf'] = {
         'input_plugins': {
             'builtin': {
-                'dovecot': [{}],
+                'dovecot': [{
+                    'type': 'global',
+                }],
             },
         },
     }
diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
index 9691e61..d9b26b2 100644
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@@ -78,7 +78,7 @@ if node.has_bundle('telegraf'):
     defaults['icinga2']['api_users']['telegraf'] = {
         'password': repo.vault.password_for(f'{node.name} icinga2 api telegraf'),
         'permissions': {
-            'objects/Services',
+            'objects/query/Service',
         },
     }
 
diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py
index 9d72683..33177ca 100644
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@@ -56,7 +56,7 @@ if node.has_bundle('telegraf'):
             'exec': {
                 'postfix': {
                     'commands': ['postfix-telegraf-queue'],
-                    'interval': '15s',
+                    'interval': '30s',
                     'data_format': 'influx',
                     'timeout': '5s',
                 },
diff --git a/bundles/powerdns/files/pdns.conf b/bundles/powerdns/files/pdns.conf
index afbf7e0..1e2a5de 100644
--- a/bundles/powerdns/files/pdns.conf
+++ b/bundles/powerdns/files/pdns.conf
@@ -13,6 +13,9 @@ server-id=${my_hostname}
 
 default-ttl=60
 
+setuid=pdns
+setgid=pdns
+
 % if is_secondary:
 allow-notify-from=${','.join(sorted(my_primary_servers))}
 
diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py
index 28337e4..ff087a1 100644
--- a/bundles/powerdns/metadata.py
+++ b/bundles/powerdns/metadata.py
@@ -44,6 +44,9 @@ if node.has_bundle('telegraf'):
                 'powerdns': [{}],
             },
         },
+        'additional_groups': {
+            'pdns',
+        },
     }
 
 
diff --git a/bundles/smartd/metadata.py b/bundles/smartd/metadata.py
index c1a1df9..8d43d94 100644
--- a/bundles/smartd/metadata.py
+++ b/bundles/smartd/metadata.py
@@ -2,6 +2,7 @@ defaults = {
     'apt': {
         'packages': {
             'smartmontools': {},
+            'nvme-cli': {},
         },
     },
     'icinga2_api': {
diff --git a/bundles/systemd-networkd/metadata.py b/bundles/systemd-networkd/metadata.py
index ba9a108..7ba7b6d 100644
--- a/bundles/systemd-networkd/metadata.py
+++ b/bundles/systemd-networkd/metadata.py
@@ -46,6 +46,9 @@ def telegraf(metadata):
                         }],
                     },
                 },
+                'additional_capabilities': {
+                    'CAP_NET_ADMIN',
+                },
             },
         }
 
diff --git a/bundles/unbound/files/unbound.conf b/bundles/unbound/files/unbound.conf
index 0f7fff1..36c8c1e 100644
--- a/bundles/unbound/files/unbound.conf
+++ b/bundles/unbound/files/unbound.conf
@@ -4,11 +4,9 @@ server:
 
     verbosity: 0
 
-% if node.has_bundle('netdata'):
-# FIXME reenable this once debian has 1.19
-#    statistics-interval: 1
-#    extended-statistics: yes
-    statistics-interval: 300
+% if node.has_bundle('netdata') or node.has_bundle('telegraf'):
+    statistics-interval: 1
+    extended-statistics: yes
 % else:
     statistics-interval: 300
 % endif
@@ -47,7 +45,7 @@ server:
     tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
 
 remote-control:
-% if node.has_bundle('netdata'):
+% if node.has_bundle('netdata') or node.has_bundle('telegraf'):
     control-enable: yes
 % else:
     control-enable: no
diff --git a/bundles/unbound/metadata.py b/bundles/unbound/metadata.py
index 78458bf..efa54d2 100644
--- a/bundles/unbound/metadata.py
+++ b/bundles/unbound/metadata.py
@@ -29,9 +29,13 @@ if node.has_bundle('telegraf'):
             'builtin': {
                 'unbound': [{
                     'thread_as_tag': True,
+                    'use_sudo': True
                 }],
             },
         },
+        'sudo_commands': {
+            '/usr/sbin/unbound-control',
+        },
     }
 
 
diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index d38b6a9..f393c3c 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -38,6 +38,9 @@ if node.has_bundle('telegraf'):
                 'wireguard': [{}],
             },
         },
+        'additional_capabilities': {
+            'CAP_NET_ADMIN',
+        },
     }