inital commit - various scripts

author: Sam Chudnick <sam@chudnick.com> 2022-04-15 21:08:34 -0400
committer: Sam Chudnick <sam@chudnick.com> 2022-04-15 21:08:34 -0400
commit: 85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 (patch)
tree: 637c319270201555d66f9bf1cbcc63d893405e69
6 files changed, 481 insertions, 0 deletions
diff --git a/automap b/automap
new file mode 100755
index 0000000..b92b0b9
--- /dev/null
+++ b/automap
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Configures a FreeIPA client to use a provided location for automount
+help() {
+        echo "usage: automap [--append] --location location"
+        echo "-a, --append:\tappend location (default is to replace existing locations)"
+        echo "-l, --location:\tname of automount location"
+        exit 1
+}
+[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
+opts=$(getopt -o "a,h,l:" -l "append,help,location:" -- "$@")
+eval set -- "$opts"
+location=
+append=0
+while true
+do
+                case "$1" in
+                                '-a' | '--append') append=1 shift; continue ;;
+                                '-l' | '--location') location="$2" shift 2; continue ;;
+                                '-h' | '--help') help ;;
+                                '--') shift; break ;;
+                esac
+done
+[ -z "$location" ] && help
+domain="$(grep "domain =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')"
+dc1="$(echo $domain | cut -d '.' -f 1)"
+dc2="$(echo $domain | cut -d '.' -f 2)"
+mstr="+ldap:automountmapname=auto.master,cn=$location,cn=automount,dc=$dc1,dc=$dc2"
+drct="/-\tldap:automountmapname=auto.direct,cn=$location,cn=automount,dc=$dc1,dc=$dc2"
+str="$mstr\n$drct"
+[ $append -eq 0 ] && echo $str > /etc/auto.master || echo $str >> /etc/auto.master
+systemctl restart autofs
diff --git a/ipaconf b/ipaconf
new file mode 100755
index 0000000..7d653d2
--- /dev/null
+++ b/ipaconf
@@ -0,0 +1,107 @@
+#!/bin/sh
+#
+# configures a FreeIPA client system by:
+# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
+# setting up FreeIPA server as an nss target
+# configuring as a kerberized NFSv4 client or server
+# configuring for FreeIPA-managed automount
+help() {
+        echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
+                        "--ntp-server ntp_server [--nfs-server]"
+        echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
+        echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
+        echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
+        echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
+        exit 1
+}
+[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
+opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
+eval set -- "$opts"
+dnssrv=
+nfssrv=0
+ipadomain=
+ntpsrv=
+while true
+do
+                case "$1" in
+                                '-d' | '--dns-server') dnssrv="$2" shift 2; continue ;;
+                                '-f' | '--nfs-server') nfssrv=1 shift; continue ;;
+                                '-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;;
+                                '-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;;
+                                '-h' | '--help') help ;;
+                                '--') shift; break ;;
+                esac
+done
+[ -z "$dnssrv" ] && help
+[ -z "$ipadomain" ] && help
+[ -z "$ntpsrv" ] && help
+# FreeIPA client currently only in backports for Debian 11
+grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
+# Install required packages
+apt update
+apt install freeipa-client nfs-common autofs autofs-ldap -y
+[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
+# Change DNS
+echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
+# Move chrony conf so IPA installer can configure its own
+mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
+# Configure and enroll client
+ipa-client-install --mkhomedir --ntp-server=$ntpsrv
+# Configure SSSD
+# Do not specify services if using systemd as they will be socket activated
+$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
+# Enable enumeration of domain if NFS server - for assigning permissions to shares
+[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
+systemctl restart sssd
+# Configure automount
+dc1="$(echo $ipadomain | cut -d '.' -f 1)"
+dc2="$(echo $ipadomain | cut -d '.' -f 2)"
+echo "[ autofs ]
+master_map_name = /etc/auto.master
+timeout = 300
+browse_mode = no
+ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
+map_object_class = automountMap
+entry_object_class = automount
+map_attribute = automountMapName
+entry_attribute = automountKey
+value_attribute= automountInformation
+auth_conf_file = /etc/autofs_ldap_auth.conf
+[ amd ]
+dismount_interval = 300" > /etc/autofs.conf
+echo "<?xml version="1.0" ?>
+<autofs_ldap_sasl_conf
+        usetls="no"
+        tlsrequired="no"
+        authrequired="yes"
+        authtype="GSSAPI"
+        clientprinc="host/$(hostname)@$(echo $ipadomain | tr [:lower:] [:upper:])"
+/>" > /etc/autofs_ldap_auth.conf
+chmod 600 /etc/autofs_ldap_auth.conf
+# Restart autofs to apply existing automount configuration
+systemctl restart autofs
+# Configure NFS
+sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
+sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
+[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
+systemctl restart nfs-kernel-server
+# Manaul steps for NFS server
+ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')
+[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
diff --git a/mknfs b/mknfs
new file mode 100755
index 0000000..5b04a9f
--- /dev/null
+++ b/mknfs
@@ -0,0 +1,56 @@
+#!/bin/sh
+#
+# Configures and exports an NFS share 
+help() {
+        echo "usage: mknfs --clients nfs_client --path nfs_path"\
+                        "[--options \"opt1,opt2,opt3...\"] [--sec sec_option] [-f]"
+        echo "\n-c, --clients\tNFS export client"
+        echo "-f, --force\tmake directory if it doesn't exist"
+        echo "-o, --options\tAdditional NFS export options - quoted and comma separated"
+        echo "-p, --path\tPath of directory to be exported - must be absolute"
+        echo "-s, --sec\tNFS security settings - defaults to sys"
+        echo "\nexample: mknfs --clients server.example.com --path /srv/nfs/backups"\
+                        "--options \"crossmnt,async\" --sec krb5p"
+        exit
+}
+opts=$(getopt -o "c:,f,h,o:,p:,s:" -l "clients:,force, help,options:,path:,sec:" -- "$@")
+eval set -- "$opts"
+clients=
+options=""
+path=
+sec="sys"
+force=0
+while true
+do 
+        case "$1" in
+                '-c' | '--clients') clients="$2" shift 2; continue ;;
+                '-f' | '--force') force=1 shift; continue ;;
+                '-o' | '--options') options="$2" shift 2; continue ;;
+                '-p' | '--path') path="$2" shift 2; continue ;;
+                '-s' | '--sec') sec="$2" shift 2; continue ;;
+                '-h' | '--help') help ;;
+                '--') shift; break ;;
+        esac 
+done
+[ -z "$clients" ] && help
+[ -z "$path" ] && help
+# Validate path
+[ "$(echo $path | cut -d'/' -f1)" != "" ] && 
+                echo "error: path is not absolute" && exit 1
+[ ! -d $path -a $force -eq 0 ] && 
+                echo "error: directory does not exist (use -f to create)" && exit 1
+[ ! -d $path -a $force -eq 1 ] && mkdir -p $path 
+# Set some sane defaults if no options are specified
+[ "$options" = "" ] && options="rw,sync,no_subtree_check"
+# Make sure security option is valid
+[ $sec != "sys" -a $sec != "krb5" -a $sec != "krb5i" -a $sec != "krb5p" ] &&
+                echo "error: invalid security option - must be one of sys,krb5,krb5i,krb5p"
+echo "$path\t$clients(sec=$sec,$options)" >> /etc/exports
+exportfs -au
+exportfs -ar
diff --git a/mkraid b/mkraid
new file mode 100755
index 0000000..b2fe60b
--- /dev/null
+++ b/mkraid
@@ -0,0 +1,53 @@
+#!/bin/sh
+help() {
+        echo "usage: mkraid --id array_id --name array_name --level raid_level" \
+                        "--devices 'raid_device_1 raid_device_2 ...'" \
+                        "--spares 'spare_device_1 spare_device_2 ...'"
+        echo "\n-i, --id:\tid of RAID array as a number up to 127"
+        echo "-n, --name:\tname of RAID array"
+        echo "-l, --level:\tRAID level"
+        echo "-d, --devices:\tdevices in RAID array - quoted and space separated"
+        echo "-s, --spares:\thot spare devices - quoted and space separated if multiple"
+        echo "\nexample: mkraid --id 0 --name arr1 --level 5 --devices"\
+                        "'/dev/sda /dev/sdb /dev/sdc' --spares /dev/sdd" 
+        exit
+}
+opts=$(getopt -o "i:,n:,l:,d:,s:h" -l "id:,name:,level:,devices:,spares:,help" -- "$@")
+eval set -- "$opts"
+id=
+name=
+level=
+devices=
+spares=
+while true
+do 
+        case "$1" in
+                '-i' | '--id') id="$2" shift 2; continue ;;
+                '-n' | '--name') name="$2" shift 2; continue ;;
+                '-l' | '--level') level="$2" shift 2; continue ;;
+                '-d' | '--devices') devices="$2" shift 2; continue ;;
+                '-s' | '--spares') spares="$2" shift 2; continue ;;
+                '-h' | '--help') help ;;
+                '--') shift; break ;;
+        esac 
+done
+[ -z "$id" ] && help
+[ -z "$name" ] && help
+[ -z "$level" ] && help
+[ -z "$devices" ] && help
+[ -z "$spares" ] && help
+numdevs=$(echo $devices | tr ' ' '\n' | wc -l)
+numspare=$(echo $spares | tr ' ' '\n' | wc -l)
+echo "mdadm --create /dev/md$id --level=$level --raid-devices=$numdevs $devices --spare-devices=$numspare $spares"
+exit 
+mdadm --create /dev/md$id --level=$level --raid-devices=$numdevs $devices --spare-devices=$numspare $spares
+uuid="$(mdadm --detail /dev/md0 | grep UUID | tr -d '[:space:]' | cut -d ':' -f 2-)"
+echo "ARRAY /dev/md$id  metadata=1.2    UUID=$uuid      name=$name" >> /etc/mdadm/mdadm.conf
diff --git a/monitoring/icinga-agent b/monitoring/icinga-agent
new file mode 100755
index 0000000..328d65b
--- /dev/null
+++ b/monitoring/icinga-agent
@@ -0,0 +1,108 @@
+#!/bin/sh
+#
+# Configirues an icinga2 agent (with on-demand csr signing)
+icingauser="nagios"
+certdir="/etc/icinga2/pki"
+api_certdir="/var/lib/icinga2/certs"
+nodename="$(hostname)"
+global_zone="director-global"
+master_fqdn=""
+# Install packages
+apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib
+# Register with master via self-service API
+apikey=""
+displayname=""
+# Not pretty but gets the job done
+dev="$(ip link | grep ^2: | head -1 | cut -d':' -f 2 | tr -d ' ')"
+ipv4="$(ip addr show $dev | grep "inet " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
+ipv6="$(ip addr show $dev | grep "inet6 " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
+result=$(curl -i "http://$master_fqdn/icingaweb2/director/self-service/register-host?name=$nodename&key=$apikey" \
+         -H "Accept: application/json" \
+         -X "POST" \
+         -d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}")
+echo $result | grep -q error && \
+                echo "error: unable to register with master (is the api key correct?)" && \
+                exit 2
+# Initialize PKI with master
+icinga2 pki new-cert \
+                --cn "pbs.home.local" \
+                --cert "$certdir/$nodename.crt" \
+                --csr "$certdir/$nodename.csr" \
+                --key "$certdir/$nodename.key"
+icinga2 pki save-cert \
+                --host "$master_fqdn" \
+                --port 5665 \
+                --key "$certdir/$nodename.key" \
+                --trustedcert "$certdir/trusted-master.crt"
+icinga2 pki request \
+                --host "$master_fqdn" \
+                --port 5665 \
+                --key "$certdir/$nodename.key" \
+                --cert "$certdir/$nodename.crt" \
+                --trustedcert "$certdir/trusted-master.crt" \
+                --ca "$certdir/ca.crt" 
+# Deploy config files
+echo "include \"constants.conf\"
+const NodeName = \"$nodename\"
+include \"zones.conf\"
+include \"features-enabled/*.conf\"
+include <itl>
+include <plugins>
+include <plugins-contrib>
+include <manubulon>
+include <windows-plugins>
+include <nscp>" > /etc/icinga2/icinga2.conf
+echo "object Endpoint \"$nodename\" {}
+object Zone \"$nodename\" {
+  parent = \"$master_fqdn\"
+  endpoints = [ \"$nodename\" ]
+}
+object Zone \"$master_fqdn\" {
+  endpoints = [ \"$master_fqdn\" ]
+}
+object Endpoint \"$master_fqdn\" {
+  host = \"$master_fqdn\"
+}
+object Zone \"$global_zone\" {
+  global = true
+}" > /etc/icinga2/zones.conf
+echo "object ApiListener \"api\" {
+  accept_commands = true
+  accept_config = true
+}" > /etc/icinga2/features-available/api.conf
+# Enable API
+icinga2 feature enable api
+mkdir -p $api_certdir
+cp $certdir/$nodename.crt $certdir/$nodename.key $certdir/ca.crt $api_certdir/
+chown -R $icingauser:$icingauser $api_certdir/
+# Next step
+echo "
+NOW
+Run the following on the Icinga master:
+fpr=\"\$(icinga2 ca list | tail -1 | cut -d '|' -f 1)\"
+icinga2 ca sign \$fpr
+THEN
+Restart icinga2 on the agent:
+\"systemctl restart icinga2\"
+"
diff --git a/monitoring/icinga-master b/monitoring/icinga-master
new file mode 100755
index 0000000..ed82bc5
--- /dev/null
+++ b/monitoring/icinga-master
@@ -0,0 +1,120 @@
+#!/bin/sh
+#
+# Configuration for an Iciniga2 master (with icingaweb2, director, and mysql backend)
+ido_user="icinga2"
+ido_password="changeme"
+icingaweb2_user="icingaweb2"
+icingaweb2_password="changeme"
+director_user="director"
+director_password="changeme"
+admin_user="admin"
+admin_password="changeme"
+# Install packages
+apt install -y incinga2 icingaweb2 icinga2-ido-mysql icingaweb2-module-director \
+                           monitoring-plugins monitoring-plugins-contrib
+# Secure mysql
+mysql_secure_installation
+# Create primary monitoring database
+mysql -u root -e "CREATE DATABASE icinga2;
+GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
+ON icinga2.* TO '$ido_user'@'localhost' IDENTIFIED BY '$ido_password';
+FLUSH PRIVILEGES; "
+mysql -u root icinga2 </usr/share/icinga2-ido-mysql/scheme/mysql.sql
+echo "library \"db_ido_mysql\"
+object IdoMysqlConnection \"ido-mysql\" {
+  user = \"$ido_user\",
+  password = \"$ido_password\",
+  host = \"localhost\",
+  databse = \"icinga2\"
+}" > /etc/icinga2/features-available/ido-mysql.conf
+icinga2 feature enable ido-mysql
+# Create icingaweb2 database
+mysql -u root -e "CREATE DATABASE icingaweb2;
+GRANT ALL ON icingaweb2.* TO '$icingaweb2_user'@'localhost'
+IDENTIFIED BY '$icingaweb2_password';
+FLUSH PRIVILEGES;"
+mysql icingaweb2 </usr/share/icingaweb2/etc/scheme/mysql.schema.sql
+# Create initial admin user to login to icingaweb2
+passhash="$(php -r "echo password_hash(\"$admin_password\", PASSWORD_DEFAULT);")"
+mysql -u root -e "USE icingaweb2; 
+INSERT INTO icingaweb_user (name, active, password_hash)
+VALUES (\"$admin_user\", 1, \"$passhash\");
+FLUSH PRIVILEGES; "
+# Create director database
+mysql -u root -e "CREATE DATABASE director CHARACTER SET 'utf8';
+GRANT ALL on director.* TO '$director_user'@'localhost'
+IDENTIFIED BY '$director_password';
+FLUSH PRIVILEGES;"
+icingacli module enable director
+icingacli director migration run --verbose
+# Setup API
+icinga2 api setup
+# Restart service
+systemctl restart icinga2
+# -- Icingaweb2 Configuration --
+# Configure authentication
+echo "[icingaweb2]
+backend = \"db\"
+resource = \"icingaweb2\"
+" > /etc/icingaweb2/authentication.ini
+# Configure resources
+echo "[icinga2]
+type = \"db\"
+db = \"mysql\"
+host \"localhost\"
+port = \"\"
+dbname = \"icinga2\"
+username = \"$icinga2_user\"
+password = \"$icinga2_password\"
+charset = \"\"
+use_ssl = \"0\"
+[icingaweb2]
+type = \"db\"
+db = \"mysql\"
+host \"localhost\"
+port = \"\"
+dbname = \"icingaweb2\"
+username = \"$icingaweb2_user\"
+password = \"$icingaweb2_password\"
+charset = \"\"
+use_ssl = \"0\"
+[icingaweb2]
+type = \"db\"
+db = \"mysql\"
+host \"localhost\"
+port = \"\"
+dbname = \"director\"
+username = \"$director_user\"
+password = \"$director_password\"
+charset = \"utf8\"
+use_ssl = \"0\"
+" > /etc/icingaweb2/resources.ini
+# Configure roles
+echo "[admins]
+users = \"$admin_user\"
+permissions = \"*\" " > /etc/icingaweb2/roles.ini
+# Configure director
+echo "[db]
+resource = \"director\"
+" > /etc/icingaweb2/modules/director/config.ini
+echo "NOW\nBrowse to http://$(hostname)/icingaweb2/ and login as $admin_user"
author	Sam Chudnick <sam@chudnick.com>	2022-04-15 21:08:34 -0400
committer	Sam Chudnick <sam@chudnick.com>	2022-04-15 21:08:34 -0400
commit	85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 (patch)
tree	637c319270201555d66f9bf1cbcc63d893405e69

diff --git a/automap b/automap new file mode 100755 index 0000000..b92b0b9 --- /dev/null +++ b/automap
@@ -0,0 +1,37 @@
	1	#!/bin/sh
	2	#
	3	# Configures a FreeIPA client to use a provided location for automount
	4
	5	help() {
	6	echo "usage: automap [--append] --location location"
	7	echo "-a, --append:\tappend location (default is to replace existing locations)"
	8	echo "-l, --location:\tname of automount location"
	9	exit 1
	10	}
	11
	12	[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
	13
	14	opts=$(getopt -o "a,h,l:" -l "append,help,location:" -- "$@")
	15	eval set -- "$opts"
	16	location=
	17	append=0
	18	while true
	19	do
	20	case "$1" in
	21	'-a' \| '--append') append=1 shift; continue ;;
	22	'-l' \| '--location') location="$2" shift 2; continue ;;
	23	'-h' \| '--help') help ;;
	24	'--') shift; break ;;
	25	esac
	26	done
	27	[ -z "$location" ] && help
	28
	29	domain="$(grep "domain =" /etc/ipa/default.conf \| cut -d '=' -f 2 \| tr -d ' ')"
	30	dc1="$(echo $domain \| cut -d '.' -f 1)"
	31	dc2="$(echo $domain \| cut -d '.' -f 2)"
	32	mstr="+ldap:automountmapname=auto.master,cn=$location,cn=automount,dc=$dc1,dc=$dc2"
	33	drct="/-\tldap:automountmapname=auto.direct,cn=$location,cn=automount,dc=$dc1,dc=$dc2"
	34	str="$mstr\n$drct"
	35	[ $append -eq 0 ] && echo $str > /etc/auto.master \|\| echo $str >> /etc/auto.master
	36
	37	systemctl restart autofs


diff --git a/ipaconf b/ipaconf new file mode 100755 index 0000000..7d653d2 --- /dev/null +++ b/ipaconf
@@ -0,0 +1,107 @@
	1	#!/bin/sh
	2	#
	3	# configures a FreeIPA client system by:
	4	# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
	5	# setting up FreeIPA server as an nss target
	6	# configuring as a kerberized NFSv4 client or server
	7	# configuring for FreeIPA-managed automount
	8
	9	help() {
	10	echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
	11	"--ntp-server ntp_server [--nfs-server]"
	12	echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
	13	echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
	14	echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
	15	echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
	16	exit 1
	17	}
	18
	19	[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
	20
	21	opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
	22	eval set -- "$opts"
	23	dnssrv=
	24	nfssrv=0
	25	ipadomain=
	26	ntpsrv=
	27	while true
	28	do
	29	case "$1" in
	30	'-d' \| '--dns-server') dnssrv="$2" shift 2; continue ;;
	31	'-f' \| '--nfs-server') nfssrv=1 shift; continue ;;
	32	'-i' \| '--ipa-domain') ipadomain="$2" shift 2; continue ;;
	33	'-n' \| '--ntp-server') ntpsrv="$2" shift 2; continue ;;
	34	'-h' \| '--help') help ;;
	35	'--') shift; break ;;
	36	esac
	37	done
	38	[ -z "$dnssrv" ] && help
	39	[ -z "$ipadomain" ] && help
	40	[ -z "$ntpsrv" ] && help
	41
	42
	43	# FreeIPA client currently only in backports for Debian 11
	44	grep -q bullseye-backports /etc/apt/sources.list \|\| echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
	45
	46	# Install required packages
	47	apt update
	48	apt install freeipa-client nfs-common autofs autofs-ldap -y
	49	[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
	50
	51	# Change DNS
	52	echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
	53
	54	# Move chrony conf so IPA installer can configure its own
	55	mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
	56
	57	# Configure and enroll client
	58	ipa-client-install --mkhomedir --ntp-server=$ntpsrv
	59
	60	# Configure SSSD
	61	# Do not specify services if using systemd as they will be socket activated
	62	$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
	63	# Enable enumeration of domain if NFS server - for assigning permissions to shares
	64	[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
	65	systemctl restart sssd
	66
	67	# Configure automount
	68	dc1="$(echo $ipadomain \| cut -d '.' -f 1)"
	69	dc2="$(echo $ipadomain \| cut -d '.' -f 2)"
	70	echo "[ autofs ]
	71	master_map_name = /etc/auto.master
	72	timeout = 300
	73	browse_mode = no
	74	ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
	75	map_object_class = automountMap
	76	entry_object_class = automount
	77	map_attribute = automountMapName
	78	entry_attribute = automountKey
	79	value_attribute= automountInformation
	80	auth_conf_file = /etc/autofs_ldap_auth.conf
	81	[ amd ]
	82	dismount_interval = 300" > /etc/autofs.conf
	83
	84	echo "<?xml version="1.0" ?>
	85	<autofs_ldap_sasl_conf
	86	usetls="no"
	87	tlsrequired="no"
	88	authrequired="yes"
	89	authtype="GSSAPI"
	90	clientprinc="host/$(hostname)@$(echo $ipadomain \| tr [:lower:] [:upper:])"
	91	/>" > /etc/autofs_ldap_auth.conf
	92	chmod 600 /etc/autofs_ldap_auth.conf
	93
	94	# Restart autofs to apply existing automount configuration
	95	systemctl restart autofs
	96
	97	# Configure NFS
	98	sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
	99	sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
	100	[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
	101	systemctl restart nfs-kernel-server
	102
	103	# Manaul steps for NFS server
	104	ipasrv=$(grep "server =" /etc/ipa/default.conf \| cut -d '=' -f 2 \| tr -d ' ')
	105	[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
	106
	107


diff --git a/mknfs b/mknfs new file mode 100755 index 0000000..5b04a9f --- /dev/null +++ b/mknfs
@@ -0,0 +1,56 @@
	1	#!/bin/sh
	2	#
	3	# Configures and exports an NFS share
	4
	5	help() {
	6	echo "usage: mknfs --clients nfs_client --path nfs_path"\
	7	"[--options \"opt1,opt2,opt3...\"] [--sec sec_option] [-f]"
	8	echo "\n-c, --clients\tNFS export client"
	9	echo "-f, --force\tmake directory if it doesn't exist"
	10	echo "-o, --options\tAdditional NFS export options - quoted and comma separated"
	11	echo "-p, --path\tPath of directory to be exported - must be absolute"
	12	echo "-s, --sec\tNFS security settings - defaults to sys"
	13	echo "\nexample: mknfs --clients server.example.com --path /srv/nfs/backups"\
	14	"--options \"crossmnt,async\" --sec krb5p"
	15	exit
	16	}
	17
	18	opts=$(getopt -o "c:,f,h,o:,p:,s:" -l "clients:,force, help,options:,path:,sec:" -- "$@")
	19	eval set -- "$opts"
	20	clients=
	21	options=""
	22	path=
	23	sec="sys"
	24	force=0
	25	while true
	26	do
	27	case "$1" in
	28	'-c' \| '--clients') clients="$2" shift 2; continue ;;
	29	'-f' \| '--force') force=1 shift; continue ;;
	30	'-o' \| '--options') options="$2" shift 2; continue ;;
	31	'-p' \| '--path') path="$2" shift 2; continue ;;
	32	'-s' \| '--sec') sec="$2" shift 2; continue ;;
	33	'-h' \| '--help') help ;;
	34	'--') shift; break ;;
	35	esac
	36	done
	37	[ -z "$clients" ] && help
	38	[ -z "$path" ] && help
	39
	40	# Validate path
	41	[ "$(echo $path \| cut -d'/' -f1)" != "" ] &&
	42	echo "error: path is not absolute" && exit 1
	43	[ ! -d $path -a $force -eq 0 ] &&
	44	echo "error: directory does not exist (use -f to create)" && exit 1
	45	[ ! -d $path -a $force -eq 1 ] && mkdir -p $path
	46
	47	# Set some sane defaults if no options are specified
	48	[ "$options" = "" ] && options="rw,sync,no_subtree_check"
	49
	50	# Make sure security option is valid
	51	[ $sec != "sys" -a $sec != "krb5" -a $sec != "krb5i" -a $sec != "krb5p" ] &&
	52	echo "error: invalid security option - must be one of sys,krb5,krb5i,krb5p"
	53
	54	echo "$path\t$clients(sec=$sec,$options)" >> /etc/exports
	55	exportfs -au
	56	exportfs -ar


diff --git a/mkraid b/mkraid new file mode 100755 index 0000000..b2fe60b --- /dev/null +++ b/mkraid
@@ -0,0 +1,53 @@
	1	#!/bin/sh
	2
	3	help() {
	4	echo "usage: mkraid --id array_id --name array_name --level raid_level" \
	5	"--devices 'raid_device_1 raid_device_2 ...'" \
	6	"--spares 'spare_device_1 spare_device_2 ...'"
	7	echo "\n-i, --id:\tid of RAID array as a number up to 127"
	8	echo "-n, --name:\tname of RAID array"
	9	echo "-l, --level:\tRAID level"
	10	echo "-d, --devices:\tdevices in RAID array - quoted and space separated"
	11	echo "-s, --spares:\thot spare devices - quoted and space separated if multiple"
	12	echo "\nexample: mkraid --id 0 --name arr1 --level 5 --devices"\
	13	"'/dev/sda /dev/sdb /dev/sdc' --spares /dev/sdd"
	14	exit
	15	}
	16
	17	opts=$(getopt -o "i:,n:,l:,d:,s:h" -l "id:,name:,level:,devices:,spares:,help" -- "$@")
	18	eval set -- "$opts"
	19	id=
	20	name=
	21	level=
	22	devices=
	23	spares=
	24	while true
	25	do
	26	case "$1" in
	27	'-i' \| '--id') id="$2" shift 2; continue ;;
	28	'-n' \| '--name') name="$2" shift 2; continue ;;
	29	'-l' \| '--level') level="$2" shift 2; continue ;;
	30	'-d' \| '--devices') devices="$2" shift 2; continue ;;
	31	'-s' \| '--spares') spares="$2" shift 2; continue ;;
	32	'-h' \| '--help') help ;;
	33	'--') shift; break ;;
	34	esac
	35	done
	36	[ -z "$id" ] && help
	37	[ -z "$name" ] && help
	38	[ -z "$level" ] && help
	39	[ -z "$devices" ] && help
	40	[ -z "$spares" ] && help
	41
	42	numdevs=$(echo $devices \| tr ' ' '\n' \| wc -l)
	43	numspare=$(echo $spares \| tr ' ' '\n' \| wc -l)
	44
	45	echo "mdadm --create /dev/md$id --level=$level --raid-devices=$numdevs $devices --spare-devices=$numspare $spares"
	46
	47	exit
	48
	49	mdadm --create /dev/md$id --level=$level --raid-devices=$numdevs $devices --spare-devices=$numspare $spares
	50
	51	uuid="$(mdadm --detail /dev/md0 \| grep UUID \| tr -d '[:space:]' \| cut -d ':' -f 2-)"
	52
	53	echo "ARRAY /dev/md$id metadata=1.2 UUID=$uuid name=$name" >> /etc/mdadm/mdadm.conf


diff --git a/monitoring/icinga-agent b/monitoring/icinga-agent new file mode 100755 index 0000000..328d65b --- /dev/null +++ b/monitoring/icinga-agent
@@ -0,0 +1,108 @@
	1	#!/bin/sh
	2	#
	3	# Configirues an icinga2 agent (with on-demand csr signing)
	4
	5	icingauser="nagios"
	6	certdir="/etc/icinga2/pki"
	7	api_certdir="/var/lib/icinga2/certs"
	8	nodename="$(hostname)"
	9	global_zone="director-global"
	10	master_fqdn=""
	11
	12	# Install packages
	13	apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib
	14
	15	# Register with master via self-service API
	16	apikey=""
	17	displayname=""
	18	# Not pretty but gets the job done
	19	dev="$(ip link \| grep ^2: \| head -1 \| cut -d':' -f 2 \| tr -d ' ')"
	20	ipv4="$(ip addr show $dev \| grep "inet " \| sed "s/^\s*//;s/\// /" \| cut -d ' ' -f 2)"
	21	ipv6="$(ip addr show $dev \| grep "inet6 " \| sed "s/^\s*//;s/\// /" \| cut -d ' ' -f 2)"
	22
	23	result=$(curl -i "http://$master_fqdn/icingaweb2/director/self-service/register-host?name=$nodename&key=$apikey" \
	24	-H "Accept: application/json" \
	25	-X "POST" \
	26	-d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}")
	27	echo $result \| grep -q error && \
	28	echo "error: unable to register with master (is the api key correct?)" && \
	29	exit 2
	30
	31
	32	# Initialize PKI with master
	33	icinga2 pki new-cert \
	34	--cn "pbs.home.local" \
	35	--cert "$certdir/$nodename.crt" \
	36	--csr "$certdir/$nodename.csr" \
	37	--key "$certdir/$nodename.key"
	38
	39
	40	icinga2 pki save-cert \
	41	--host "$master_fqdn" \
	42	--port 5665 \
	43	--key "$certdir/$nodename.key" \
	44	--trustedcert "$certdir/trusted-master.crt"
	45
	46	icinga2 pki request \
	47	--host "$master_fqdn" \
	48	--port 5665 \
	49	--key "$certdir/$nodename.key" \
	50	--cert "$certdir/$nodename.crt" \
	51	--trustedcert "$certdir/trusted-master.crt" \
	52	--ca "$certdir/ca.crt"
	53
	54	# Deploy config files
	55	echo "include \"constants.conf\"
	56	const NodeName = \"$nodename\"
	57	include \"zones.conf\"
	58	include \"features-enabled/*.conf\"
	59	include <itl>
	60	include <plugins>
	61	include <plugins-contrib>
	62	include <manubulon>
	63	include <windows-plugins>
	64	include <nscp>" > /etc/icinga2/icinga2.conf
	65
	66	echo "object Endpoint \"$nodename\" {}
	67	object Zone \"$nodename\" {
	68	parent = \"$master_fqdn\"
	69	endpoints = [ \"$nodename\" ]
	70	}
	71	object Zone \"$master_fqdn\" {
	72	endpoints = [ \"$master_fqdn\" ]
	73	}
	74	object Endpoint \"$master_fqdn\" {
	75	host = \"$master_fqdn\"
	76	}
	77	object Zone \"$global_zone\" {
	78	global = true
	79	}" > /etc/icinga2/zones.conf
	80
	81	echo "object ApiListener \"api\" {
	82	accept_commands = true
	83	accept_config = true
	84	}" > /etc/icinga2/features-available/api.conf
	85
	86	# Enable API
	87	icinga2 feature enable api
	88	mkdir -p $api_certdir
	89	cp $certdir/$nodename.crt $certdir/$nodename.key $certdir/ca.crt $api_certdir/
	90	chown -R $icingauser:$icingauser $api_certdir/
	91
	92	# Next step
	93	echo "
	94
	95	NOW
	96
	97	Run the following on the Icinga master:
	98	fpr=\"\$(icinga2 ca list \| tail -1 \| cut -d '\|' -f 1)\"
	99	icinga2 ca sign \$fpr
	100
	101
	102	THEN
	103
	104	Restart icinga2 on the agent:
	105	\"systemctl restart icinga2\"
	106
	107	"
	108


diff --git a/monitoring/icinga-master b/monitoring/icinga-master new file mode 100755 index 0000000..ed82bc5 --- /dev/null +++ b/monitoring/icinga-master
@@ -0,0 +1,120 @@
	1	#!/bin/sh
	2	#
	3	# Configuration for an Iciniga2 master (with icingaweb2, director, and mysql backend)
	4
	5	ido_user="icinga2"
	6	ido_password="changeme"
	7
	8	icingaweb2_user="icingaweb2"
	9	icingaweb2_password="changeme"
	10
	11	director_user="director"
	12	director_password="changeme"
	13
	14	admin_user="admin"
	15	admin_password="changeme"
	16
	17	# Install packages
	18	apt install -y incinga2 icingaweb2 icinga2-ido-mysql icingaweb2-module-director \
	19	monitoring-plugins monitoring-plugins-contrib
	20
	21	# Secure mysql
	22	mysql_secure_installation
	23
	24	# Create primary monitoring database
	25	mysql -u root -e "CREATE DATABASE icinga2;
	26	GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
	27	ON icinga2.* TO '$ido_user'@'localhost' IDENTIFIED BY '$ido_password';
	28	FLUSH PRIVILEGES; "
	29	mysql -u root icinga2 </usr/share/icinga2-ido-mysql/scheme/mysql.sql
	30	echo "library \"db_ido_mysql\"
	31	object IdoMysqlConnection \"ido-mysql\" {
	32	user = \"$ido_user\",
	33	password = \"$ido_password\",
	34	host = \"localhost\",
	35	databse = \"icinga2\"
	36	}" > /etc/icinga2/features-available/ido-mysql.conf
	37	icinga2 feature enable ido-mysql
	38
	39	# Create icingaweb2 database
	40	mysql -u root -e "CREATE DATABASE icingaweb2;
	41	GRANT ALL ON icingaweb2.* TO '$icingaweb2_user'@'localhost'
	42	IDENTIFIED BY '$icingaweb2_password';
	43	FLUSH PRIVILEGES;"
	44	mysql icingaweb2 </usr/share/icingaweb2/etc/scheme/mysql.schema.sql
	45	# Create initial admin user to login to icingaweb2
	46	passhash="$(php -r "echo password_hash(\"$admin_password\", PASSWORD_DEFAULT);")"
	47	mysql -u root -e "USE icingaweb2;
	48	INSERT INTO icingaweb_user (name, active, password_hash)
	49	VALUES (\"$admin_user\", 1, \"$passhash\");
	50	FLUSH PRIVILEGES; "
	51
	52	# Create director database
	53	mysql -u root -e "CREATE DATABASE director CHARACTER SET 'utf8';
	54	GRANT ALL on director.* TO '$director_user'@'localhost'
	55	IDENTIFIED BY '$director_password';
	56	FLUSH PRIVILEGES;"
	57	icingacli module enable director
	58	icingacli director migration run --verbose
	59
	60	# Setup API
	61	icinga2 api setup
	62
	63	# Restart service
	64	systemctl restart icinga2
	65
	66
	67	# -- Icingaweb2 Configuration --
	68
	69	# Configure authentication
	70	echo "[icingaweb2]
	71	backend = \"db\"
	72	resource = \"icingaweb2\"
	73	" > /etc/icingaweb2/authentication.ini
	74
	75	# Configure resources
	76	echo "[icinga2]
	77	type = \"db\"
	78	db = \"mysql\"
	79	host \"localhost\"
	80	port = \"\"
	81	dbname = \"icinga2\"
	82	username = \"$icinga2_user\"
	83	password = \"$icinga2_password\"
	84	charset = \"\"
	85	use_ssl = \"0\"
	86
	87	[icingaweb2]
	88	type = \"db\"
	89	db = \"mysql\"
	90	host \"localhost\"
	91	port = \"\"
	92	dbname = \"icingaweb2\"
	93	username = \"$icingaweb2_user\"
	94	password = \"$icingaweb2_password\"
	95	charset = \"\"
	96	use_ssl = \"0\"
	97
	98	[icingaweb2]
	99	type = \"db\"
	100	db = \"mysql\"
	101	host \"localhost\"
	102	port = \"\"
	103	dbname = \"director\"
	104	username = \"$director_user\"
	105	password = \"$director_password\"
	106	charset = \"utf8\"
	107	use_ssl = \"0\"
	108	" > /etc/icingaweb2/resources.ini
	109
	110	# Configure roles
	111	echo "[admins]
	112	users = \"$admin_user\"
	113	permissions = \"*\" " > /etc/icingaweb2/roles.ini
	114
	115	# Configure director
	116	echo "[db]
	117	resource = \"director\"
	118	" > /etc/icingaweb2/modules/director/config.ini
	119
	120	echo "NOW\nBrowse to http://$(hostname)/icingaweb2/ and login as $admin_user"