diff --git a/roles/collectd/server/files/collection.conf b/roles/collectd/server/files/collection.conf
index 99aa65e39d..7646b1ad4f 100644
--- a/roles/collectd/server/files/collection.conf
+++ b/roles/collectd/server/files/collection.conf
@@ -901,4 +901,45 @@ GraphWidth 400
+#
+# IPA
+#
+
+ RRDTitle "Groups"
+ DSName "value Total "
+
+
+
+ RRDTitle "Users registration rate"
+ DSName "value Rate "
+ RRDFormat "%4.1lf%s/s"
+
+
+
+ Module GenericStacked
+ RRDTitle "Users"
+ RRDFormat "%5.1lf%s"
+ DSName "active Active "
+ DSName "locked Locked "
+ Order locked active
+ Color locked ff0000
+ Color active 0000ff
+
+
+
+ Module GenericStacked
+ RRDTitle "Registering Users"
+ RRDFormat "%4.0lf"
+ DSName "active Not Spam "
+ DSName "spamcheck_awaiting Awaiting "
+ DSName "spamcheck_denied SPAM "
+ DSName "spamcheck_manual Manual "
+ Order spamcheck_awaiting spamcheck_denied spamcheck_manual active
+ Color spamcheck_awaiting 0000ff
+ Color spamcheck_denied ff0000
+ Color spamcheck_manual ffb000
+ Color active 00ff00
+
+
+
# vim: set sw=2 sts=2 et syntax=apache fileencoding=utf-8 :
diff --git a/roles/collectd/server/tasks/main.yml b/roles/collectd/server/tasks/main.yml
index 3cc9e0e6da..4b33ed29e3 100644
--- a/roles/collectd/server/tasks/main.yml
+++ b/roles/collectd/server/tasks/main.yml
@@ -21,6 +21,7 @@
- collectd-rrdtool
- collectd-web
- collectd-rabbitmq-data
+ - collectd-ipa-data
notify:
- restart collectd
tags:
diff --git a/roles/ipa/server/tasks/scripts.yml b/roles/ipa/server/tasks/scripts.yml
index e1edd34f32..8e2e148ec5 100644
--- a/roles/ipa/server/tasks/scripts.yml
+++ b/roles/ipa/server/tasks/scripts.yml
@@ -70,3 +70,43 @@
tags:
- ipa/server
- otp_script
+
+
+#
+# Collectd statistics plugin
+# Requires the stage-users service to have been defined (above) with the
+# corresponding permissions. That's why I'm keeping this block here and not as
+# a subrole of the collectd role.
+#
+- name: Install and setup collectd-ipa
+ block:
+ - name: install collectd-ipa
+ package:
+ state: present
+ name: python3-collectd-ipa
+ tags:
+ - packages
+ - collectd
+
+ - name: install collectd ipa config
+ template:
+ src: "ipa.collectd.conf.j2"
+ dest: "/etc/collectd.d/ipa.conf"
+ owner: root
+ group: root
+ mode: 0640
+ tags:
+ - collectd
+ - config
+ notify: restart collectd
+
+ - name: Let collectd talk to the RabbitMQ management interface
+ seboolean:
+ name: collectd_tcp_network_connect
+ state: yess
+ persistent: yes
+ tags:
+ - collectd
+ # Only collect stats on one server
+ run_once: yes
+ delegate_to: "ipa01{{ env_suffix }}.iad2.fedoraproject.org"
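Review bot: `state: yess` in the seboolean task is not a valid boolean, so the task should fail argument validation instead of enabling `collectd_tcp_network_connect`; it should read `state: true`, and `persistent: yes` / `run_once: yes` are better written as `true` for consistency. The task name still says "RabbitMQ management interface", which looks copied from another role and hides why the IPA servers get an SELinux boolean that lets collectd open outbound TCP connections. Rename it to say what collectd connects to here (presumably the IPA LDAP/Kerberos services), e.g. `name: Let collectd connect to the IPA directory over TCP`. As a style point, `mode: 0640` is safer quoted as `mode: "0640"` so no YAML loader can retype it.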
diff --git a/roles/ipa/server/templates/ipa.collectd.conf.j2 b/roles/ipa/server/templates/ipa.collectd.conf.j2
new file mode 100644
index 0000000000..6aa07d9257
--- /dev/null
+++ b/roles/ipa/server/templates/ipa.collectd.conf.j2
@@ -0,0 +1,42 @@
+# IPA plugin
+
+
+ Globals true
+
+
+
+ LogTraces true
+ Interactive false
+ Import "collectd_ipa"
+
+
+ ## Interval between two collections. The collectd default of 10 seconds is
+ ## way too short, this plugin sets the default to 1h (3600s). Adjust
+ ## depending on the number of users you have and how long it takes to
+ ## collect this data. Remember that if you change the interval, you'll have
+ ## to recreate your RRD files.
+ # Interval 3600
+
+ ## To accomodate clusters, all the metrics will be attached to a virtual
+ ## host named after your domain in IPA. The `domain_prefix` value allows you
+ ## to add a prefix to this domain.
+ # DomainPrefix "ipa."
+
+ ## Path to the IPA configuration file, where the domain will be read from.
+ # IpaConf "/etc/ipa/default.conf"
+
+ ## Path to the LDAP configuration file, where the default directory base DN
+ ## will be read from.
+ # LdapConf "/etc/openldap/ldap.conf"
+
+ ## Set environment variables for Kerberos authentication. The client keytab
+ ## should be linked to an account (user or service) that has the
+ ## permissions to read stage users. In IPA, this means that it must have a
+ ## role that has a privilege granting the "System: Read Stage Users"
+ ## permission.
+ SetEnv KRB5_CLIENT_KTNAME "/etc/krb5.stage-users_{{ ipa_server }}.keytab"
+
+ ## Directory where the Kerberos credential caches will be created.
+ # CredCacheDir "/var/lib/collectd"
+
+
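Review bot: The `SetEnv KRB5_CLIENT_KTNAME` line builds the keytab path from `{{ ipa_server }}`, but the task that renders this template appears to run with `run_once` and `delegate_to` ipa01, and Ansible renders templates with the variables of the original inventory host rather than the delegated one. If `ipa_server` differs between hosts, the rendered path may name a keytab that does not exist on ipa01, so confirm the value or state the assumption in a comment such as `## ipa_server must resolve to the keytab present on the host running collectd`. The keytab's owner and mode are set outside this diff; check that it is readable only by root or the account collectd runs as, since it carries the stage-users read permission. The comment above `# DomainPrefix` still calls the option `domain_prefix` and should name the directive as written.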