1 files changed, 135 insertions, 0 deletions

diff --git a/articles/icinga-agent.html b/articles/icinga-agent.html
new file mode 100644
index 0000000..e0aa6c0
--- /dev/null
+++ b/articles/icinga-agent.html
@@ -0,0 +1,135 @@
+<!DOCTYPE html>
+<html lang=en>
+    <head>
+        <title></title>
+        <meta charset="utf-8"/>
+        <link rel="shortcut icon" href="favicon.ico"/>
+        <link rel='stylesheet' href='../style.css'/>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+    </head>
+<body>
+    <header><h1>Icinga Agent Node Installation and Configuration</h1></header>
+    <main>
+                <p>With the Icinga master node configured, the servers we want
+                to monitor can now be added as agent nodes. As the names suggest,
+                the Icinga master node pushes the desired configuration to agent
+                nodes, while agent nodes report the configured status checks back
+                to the master. Communication between the master and agent nodes is
+                encrypted via TLS, with the master node acting as a certificate
+                authority.</p>
+
+                <p>You can find my script to automate this process 
+                <a href=https://git.chudnick.com/server-scripts/tree/monitoring/icinga-agent>
+                                here</a>.</p>
+
+                <h2>Install Pakcages</h2>
+                <p>Start by installing the required packages on the server to be 
+                monitored.</p>
+
+                <pre><code>apt install icinga2 monitoring-plugins 
+monitoring-plugins-contrib</code></pre>
+
+                <h2>Initialize PKI with master</h2>
+                <p>Now we need to setup the PKI that will be used for the communication
+                with the master node. The first step is to generate a certificate
+                signing request. Replace <em>hostname</em> with the FQDN of the server.</p>
+
+                <pre><code>icinga2 pki new-cert --cn "<em>hostname</em>" --cert "/etc/icinga2/pki/<em>hostname</em>.crt" --csr "/etc/icinga2/pki/<em>hostname</em>.csr" --key "/etc/icinga2/pki/<em>hostname</em>.key"</code></pre>
+
+                <p>Next we save the master node's public key certificate. Replace
+                <em>master</em> with the FQDN of your master node.</p>
+
+                <pre><code>icinga2 pki save-cert --host "<em>master</em>" --port 5665 --key "/etc/icinga2/pki/<em>hostname</em>.key" --trustedcert "/etc/icinga2/pki/trusted-master.crt"</code></pre>
+
+                <p>Receive signed certificate from the master node.</p>
+
+                <pre><code>icinga2 pki request --host "<em>master</em>" --port 5665 --key "/etc/icinga2/pki/<em>hostname</em>.key" --cert "/etc/icinga2/pki/<em>hostname</em>.crt" --trustedcert "/etc/icinga2/pki/trusted-master.crt" --ca "/etc/icinga2/pki/ca.crt"</code></pre>
+
+                <h2>Deploy configuration files</h2>
+                <p>Write Icinga configuration.</p>
+
+                <pre><code><strong>/etc/icinga2/icinga2.conf</strong> 
+include "constants.conf"
+const NodeName = "$nodename"
+include "zones.conf"
+include "features-enabled/*.conf"
+include &lt;itl&gt;
+include &lt;plugins&gt;
+include &lt;plugins-contrib&gt;
+include &lt;manubulon&gt;
+include &lt;windows-plugins&gt;
+include &lt;nscp&gt;"</code></pre>
+
+                <p>Write zones configuration.</p>
+
+                <pre><code><strong>/etc/icinga2/zones.conf</strong> 
+echo "object Endpoint "<em>hostname</em>" {}
+object Zone "<em>hostname</em>" {
+  parent = "<em>master</em>"
+  endpoints = [ "<em>hostname</em>" ]
+}
+object Zone "<em>master</em>" {
+  endpoints = [ "<em>master</em>" ]
+}
+object Endpoint "<em>master</em>" {
+  host = "<em>master</em>"
+}
+object Zone "director-global" {
+  global = true
+}</code></pre>
+
+                <p>Write API configuration file.</p>
+
+                <pre><code><strong>/etc/icinga2/features-available/api.conf</strong> 
+echo "object ApiListener \"api\" {
+  accept_commands = true
+  accept_config = true
+}</code></pre>
+
+                <h2>Enable API</h2>
+                <p>Next, we need to enable the API on the agent.</p>
+
+                <pre><code>icinga2 feature enable api
+
+mkdir -p /var/lib/icinga2/certs
+
+cp /etc/icinga2/pki/<em>hostname</em>.crt /etc/icinga2/pki/<em>hostname</em>.key /etc/icinga2/pki/ca.crt /var/lib/icinga2/certs/
+
+chown -R nagios: /var/lib/icinga2/certs/</code></pre>
+
+                <h2>Sign agent CSR on Master</h2>
+                <p>The only action needed on the master node is to sign the agent's
+                CSR. Logon to your master node and run the following:</p>
+
+                <pre><code>fpr="$(icinga2 ca list | tail -1 | cut -d '|' -f 1)"
+icinga2 ca sign $fpr</code></pre>
+
+                <h2>Configure Firewall</h2>
+                <p>Before finishing we need to open the proper firewall port.
+                I will use UFW in the example here and allow traffic only only
+                from the master node for best security.</p>
+
+                <pre><code>ufw allow proto tcp from <em>master-ip</em> to any port 5665</code></pre>
+
+                <h2>Restart Icinga on Agent</h2>
+                <p>Finally, restart the icinga service on the agent node.</p>
+
+                <pre><code>systemctl restart icinga2</code></pre>
+
+                <p>The Icinga agent node will now pull down configuration from the master.
+                You will know that this worked if <em>/var/lib/icinga2/api/zones</em> 
+                begins to populate with new files.</p>
+<p>
+<hr>
+Consider <a href=../donate.html>donating</a> if this article was useful.
+<a class=qr href=../images/bitcoin.png>[BTC]</a>
+</p>
+    </main>
+    <footer>
+                        <a href=../kb.html>Knowledge Base</a>
+                        <br>
+                        <a href=../index.html>www.chudnick.com</a>
+        </footer>
+</body>
+</html>
+