From 85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Fri, 15 Apr 2022 21:08:34 -0400
Subject: inital commit - various scripts
---
 automap | 37 +++++++++++++++
 ipaconf | 107 ++++++++++++++++++++++++++++++++++++++++++
 mknfs | 56 ++++++++++++++++++++++
 mkraid | 53 +++++++++++++++++++++
 monitoring/icinga-agent | 108 ++++++++++++++++++++++++++++++++++++++++++
 monitoring/icinga-master | 120 +++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 481 insertions(+)
 create mode 100755 automap
 create mode 100755 ipaconf
 create mode 100755 mknfs
 create mode 100755 mkraid
 create mode 100755 monitoring/icinga-agent
 create mode 100755 monitoring/icinga-master
diff --git a/automap b/automap
new file mode 100755
index 0000000..b92b0b9
--- /dev/null
+++ b/automap
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Configures a FreeIPA client to use a provided location for automount
+
+help() {
+ echo "usage: automap [--append] --location location"
+ echo "-a, --append:\tappend location (default is to replace existing locations)"
+ echo "-l, --location:\tname of automount location"
+ exit 1
+}
+
+[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
+
+opts=$(getopt -o "a,h,l:" -l "append,help,location:" -- "$@")
+eval set -- "$opts"
+location=
+append=0
+while true
+do
+ case "$1" in
+ '-a' | '--append') append=1 shift; continue ;;
+ '-l' | '--location') location="$2" shift 2; continue ;;
+ '-h' | '--help') help ;;
+ '--') shift; break ;;
+ esac
+done
+[ -z "$location" ] && help
+
+domain="$(grep "domain =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')"
+dc1="$(echo $domain | cut -d '.' -f 1)"
+dc2="$(echo $domain | cut -d '.' -f 2)"
+mstr="+ldap:automountmapname=auto.master,cn=$location,cn=automount,dc=$dc1,dc=$dc2"
+drct="/-\tldap:automountmapname=auto.direct,cn=$location,cn=automount,dc=$dc1,dc=$dc2"
+str="$mstr\n$drct"
+[ $append -eq 0 ] && echo $str > /etc/auto.master || echo $str >> /etc/auto.master
+
+systemctl restart autofs
diff --git a/ipaconf b/ipaconf
new file mode 100755
index 0000000..7d653d2
--- /dev/null
+++ b/ipaconf
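Review bot: `[ $append -eq 0 ] && echo $str > /etc/auto.master || echo $str >> /etc/auto.master` is an and-or chain rather than an if/else, so a failed truncating write falls through to the append branch, and the unquoted `$str` relies on the shell's echo expanding `\n`; `if [ "$append" -eq 0 ]; then printf '%b\n' "$str" > /etc/auto.master; else printf '%b\n' "$str" >> /etc/auto.master; fi` makes both paths explicit. The `getopt` exit status is never checked before `eval set -- "$opts"`, so an unrecognised option does not stop the script; `opts=$(getopt -o "a,h,l:" -l "append,help,location:" -- "$@") || help` would. The case arms `append=1 shift` and `location="$2" shift 2` depend on the assignment persisting across a special builtin, which holds in dash/POSIX sh but not in bash's default mode — a `;` between the assignment and `shift` removes that dependency. The same three patterns recur in ipaconf, mknfs and mkraid.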
@@ -0,0 +1,107 @@
+#!/bin/sh
+#
+# configures a FreeIPA client system by:
+# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
+# setting up FreeIPA server as an nss target
+# configuring as a kerberized NFSv4 client or server
+# configuring for FreeIPA-managed automount
+
+help() {
+ echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
+ "--ntp-server ntp_server [--nfs-server]"
+ echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
+ echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
+ echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
+ echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
+ exit 1
+}
+
+[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
+
+opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
+eval set -- "$opts"
+dnssrv=
+nfssrv=0
+ipadomain=
+ntpsrv=
+while true
+do
+ case "$1" in
+ '-d' | '--dns-server') dnssrv="$2" shift 2; continue ;;
+ '-f' | '--nfs-server') nfssrv=1 shift; continue ;;
+ '-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;;
+ '-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;;
+ '-h' | '--help') help ;;
+ '--') shift; break ;;
+ esac
+done
+[ -z "$dnssrv" ] && help
+[ -z "$ipadomain" ] && help
+[ -z "$ntpsrv" ] && help
+
+
+# FreeIPA client currently only in backports for Debian 11
+grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
+
+# Install required packages
+apt update
+apt install freeipa-client nfs-common autofs autofs-ldap -y
+[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
+
+# Change DNS
+echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
+
+# Move chrony conf so IPA installer can configure its own
+mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
+
+# Configure and enroll client
+ipa-client-install --mkhomedir 
--ntp-server=$ntpsrv
+
+# Configure SSSD
+# Do not specify services if using systemd as they will be socket activated
+$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
+# Enable enumeration of domain if NFS server - for assigning permissions to shares
+[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
+systemctl restart sssd
+
+# Configure automount
+dc1="$(echo $ipadomain | cut -d '.' -f 1)"
+dc2="$(echo $ipadomain | cut -d '.' -f 2)"
+echo "[ autofs ]
+master_map_name = /etc/auto.master
+timeout = 300
+browse_mode = no
+ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
+map_object_class = automountMap
+entry_object_class = automount
+map_attribute = automountMapName
+entry_attribute = automountKey
+value_attribute= automountInformation
+auth_conf_file = /etc/autofs_ldap_auth.conf
+[ amd ]
+dismount_interval = 300" > /etc/autofs.conf
+
+echo "
+" > /etc/autofs_ldap_auth.conf
+chmod 600 /etc/autofs_ldap_auth.conf
+
+# Restart autofs to apply existing automount configuration
+systemctl restart autofs
+
+# Configure NFS
+sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
+sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
+[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
+systemctl restart nfs-kernel-server
+
+# Manaul steps for NFS server
+ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')
+[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
+
+
diff --git a/mknfs b/mknfs
new file mode 100755
index 0000000..5b04a9f
--- /dev/null
+++ b/mknfs
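Review bot: Under `# Configure NFS`, `sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"` and `sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"` have no closing `/` on the `s` command and no file operand, so sed fails and neither idmapd nor gssd is switched on — a kerberized NFSv4 mount is then left without a GSS daemon; the SVCGSSD replacement likewise writes `NEEDSVCGSSD` (missing underscore), which nothing reads. Something like `sed -i 's/^NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common` (the same for NEED_GSSD, and `NEED_SVCGSSD=\"yes\"` in the third) appears to be the intent; the target path should be confirmed against the Debian package. `systemctl restart nfs-kernel-server` also runs unconditionally although that package is only installed when `$nfssrv` is 1. `$(pgrep -x systemd >/dev/null) && sed ...` works only because a command line consisting solely of an empty expansion takes the substitution's status; `if pgrep -x systemd >/dev/null; then ... fi` says what it means. The point where `--ntp-server=$ntpsrv` joins `ipa-client-install --mkhomedir` is not fully visible here, so the enrollment command may be truncated in this view.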
@@ -0,0 +1,56 @@
+#!/bin/sh
+#
+# Configures and exports an NFS share
+
+help() {
+ echo "usage: mknfs --clients nfs_client --path nfs_path"\
+ "[--options \"opt1,opt2,opt3...\"] [--sec sec_option] [-f]"
+ echo "\n-c, --clients\tNFS export client"
+ echo "-f, --force\tmake directory if it doesn't exist"
+ echo "-o, --options\tAdditional NFS export options - quoted and comma separated"
+ echo "-p, --path\tPath of directory to be exported - must be absolute"
+ echo "-s, --sec\tNFS security settings - defaults to sys"
+ echo "\nexample: mknfs --clients server.example.com --path /srv/nfs/backups"\
+ "--options \"crossmnt,async\" --sec krb5p"
+ exit
+}
+
+opts=$(getopt -o "c:,f,h,o:,p:,s:" -l "clients:,force, help,options:,path:,sec:" -- "$@")
+eval set -- "$opts"
+clients=
+options=""
+path=
+sec="sys"
+force=0
+while true
+do
+ case "$1" in
+ '-c' | '--clients') clients="$2" shift 2; continue ;;
+ '-f' | '--force') force=1 shift; continue ;;
+ '-o' | '--options') options="$2" shift 2; continue ;;
+ '-p' | '--path') path="$2" shift 2; continue ;;
+ '-s' | '--sec') sec="$2" shift 2; continue ;;
+ '-h' | '--help') help ;;
+ '--') shift; break ;;
+ esac
+done
+[ -z "$clients" ] && help
+[ -z "$path" ] && help
+
+# Validate path
+[ "$(echo $path | cut -d'/' -f1)" != "" ] &&
+ echo "error: path is not absolute" && exit 1
+[ ! -d $path -a $force -eq 0 ] &&
+ echo "error: directory does not exist (use -f to create)" && exit 1
+[ ! -d $path -a $force -eq 1 ] && mkdir -p $path
+
+# Set some sane defaults if no options are specified
+[ "$options" = "" ] && options="rw,sync,no_subtree_check"
+
+# Make sure security option is valid
+[ $sec != "sys" -a $sec != "krb5" -a $sec != "krb5i" -a $sec != "krb5p" ] &&
+ echo "error: invalid security option - must be one of sys,krb5,krb5i,krb5p"
+
+echo "$path\t$clients(sec=$sec,$options)" >> /etc/exports
+exportfs -au
+exportfs -ar
diff --git a/mkraid b/mkraid
new file mode 100755
index 0000000..b2fe60b
--- /dev/null
+++ b/mkraid
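Review bot: The `# Make sure security option is valid` test only prints the error — there is no `&& exit 1` after the echo — so an unrecognised `--sec` value is still appended to /etc/exports and exported; `echo "error: invalid security option - must be one of sys,krb5,krb5i,krb5p" && exit 1` matches the two path checks just above it. The long-option string `-l "clients:,force, help,options:,path:,sec:"` carries a stray space before `help`, which getopt will take as part of the option name, so `--help` is presumably not recognised. `$path` is unquoted in both `[ ! -d $path -a ... ]` tests and in `mkdir -p $path`, so a path containing whitespace is split, and the unquoted `$sec` comparisons produce a test syntax error rather than the intended message when `--sec ''` is passed.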
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+help() {
+ echo "usage: mkraid --id array_id --name array_name --level raid_level" \
+ "--devices 'raid_device_1 raid_device_2 ...'" \
+ "--spares 'spare_device_1 spare_device_2 ...'"
+ echo "\n-i, --id:\tid of RAID array as a number up to 127"
+ echo "-n, --name:\tname of RAID array"
+ echo "-l, --level:\tRAID level"
+ echo "-d, --devices:\tdevices in RAID array - quoted and space separated"
+ echo "-s, --spares:\thot spare devices - quoted and space separated if multiple"
+ echo "\nexample: mkraid --id 0 --name arr1 --level 5 --devices"\
+ "'/dev/sda /dev/sdb /dev/sdc' --spares /dev/sdd"
+ exit
+}
+
+opts=$(getopt -o "i:,n:,l:,d:,s:h" -l "id:,name:,level:,devices:,spares:,help" -- "$@")
+eval set -- "$opts"
+id=
+name=
+level=
+devices=
+spares=
+while true
+do
+ case "$1" in
+ '-i' | '--id') id="$2" shift 2; continue ;;
+ '-n' | '--name') name="$2" shift 2; continue ;;
+ '-l' | '--level') level="$2" shift 2; continue ;;
+ '-d' | '--devices') devices="$2" shift 2; continue ;;
+ '-s' | '--spares') spares="$2" shift 2; continue ;;
+ '-h' | '--help') help ;;
+ '--') shift; break ;;
+ esac
+done
+[ -z "$id" ] && help
+[ -z "$name" ] && help
+[ -z "$level" ] && help
+[ -z "$devices" ] && help
+[ -z "$spares" ] && help
+
+numdevs=$(echo $devices | tr ' ' '\n' | wc -l)
+numspare=$(echo $spares | tr ' ' '\n' | wc -l)
+
+echo "mdadm --create /dev/md$id --level=$level --raid-devices=$numdevs $devices --spare-devices=$numspare $spares"
+
+exit
+
+mdadm --create /dev/md$id --level=$level --raid-devices=$numdevs $devices --spare-devices=$numspare $spares
+
+uuid="$(mdadm --detail /dev/md0 | grep UUID | tr -d '[:space:]' | cut -d ':' -f 2-)"
+
+echo "ARRAY /dev/md$id metadata=1.2 UUID=$uuid name=$name" >> /etc/mdadm/mdadm.conf
diff --git a/monitoring/icinga-agent b/monitoring/icinga-agent
new file mode 100755
index 0000000..328d65b
--- /dev/null
+++ b/monitoring/icinga-agent
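Review bot: `uuid="$(mdadm --detail /dev/md0 | ...)"` hardcodes md0 while every other line uses `/dev/md$id`, so for any id other than 0 the UUID of a different array is written into /etc/mdadm/mdadm.conf and the ARRAY line will not assemble the array it names; `mdadm --detail /dev/md$id` is presumably what was meant. The bare `exit` after the `echo "mdadm --create ..."` line makes the real `mdadm --create`, the UUID lookup and the config write unreachable; if that is a deliberate dry-run, a comment such as `# dry-run guard: remove this exit to actually create the array` would stop it being mistaken for a finished script. `[ -z "$spares" ] && help` also makes `--spares` mandatory, so an array without hot spares cannot be created through this tool.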
@@ -0,0 +1,108 @@
+#!/bin/sh
+#
+# Configirues an icinga2 agent (with on-demand csr signing)
+
+icingauser="nagios"
+certdir="/etc/icinga2/pki"
+api_certdir="/var/lib/icinga2/certs"
+nodename="$(hostname)"
+global_zone="director-global"
+master_fqdn=""
+
+# Install packages
+apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib
+
+# Register with master via self-service API
+apikey=""
+displayname=""
+# Not pretty but gets the job done
+dev="$(ip link | grep ^2: | head -1 | cut -d':' -f 2 | tr -d ' ')"
+ipv4="$(ip addr show $dev | grep "inet " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
+ipv6="$(ip addr show $dev | grep "inet6 " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
+
+result=$(curl -i "http://$master_fqdn/icingaweb2/director/self-service/register-host?name=$nodename&key=$apikey" \
+ -H "Accept: application/json" \
+ -X "POST" \
+ -d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}")
+echo $result | grep -q error && \
+ echo "error: unable to register with master (is the api key correct?)" && \
+ exit 2
+
+
+# Initialize PKI with master
+icinga2 pki new-cert \
+ --cn "pbs.home.local" \
+ --cert "$certdir/$nodename.crt" \
+ --csr "$certdir/$nodename.csr" \
+ --key "$certdir/$nodename.key"
+
+
+icinga2 pki save-cert \
+ --host "$master_fqdn" \
+ --port 5665 \
+ --key "$certdir/$nodename.key" \
+ --trustedcert "$certdir/trusted-master.crt"
+
+icinga2 pki request \
+ --host "$master_fqdn" \
+ --port 5665 \
+ --key "$certdir/$nodename.key" \
+ --cert "$certdir/$nodename.crt" \
+ --trustedcert "$certdir/trusted-master.crt" \
+ --ca "$certdir/ca.crt"
+
+# Deploy config files
+echo "include \"constants.conf\"
+const NodeName = \"$nodename\"
+include \"zones.conf\"
+include \"features-enabled/*.conf\"
+include
+include
+include
+include
+include
+include " > /etc/icinga2/icinga2.conf
+
+echo "object Endpoint \"$nodename\" {}
+object Zone \"$nodename\" {
+ parent = \"$master_fqdn\"
+ endpoints = [ \"$nodename\" ]
+} 
+object Zone \"$master_fqdn\" {
+ endpoints = [ \"$master_fqdn\" ]
+}
+object Endpoint \"$master_fqdn\" {
+ host = \"$master_fqdn\"
+}
+object Zone \"$global_zone\" {
+ global = true
+}" > /etc/icinga2/zones.conf
+
+echo "object ApiListener \"api\" {
+ accept_commands = true
+ accept_config = true
+}" > /etc/icinga2/features-available/api.conf
+
+# Enable API
+icinga2 feature enable api
+mkdir -p $api_certdir
+cp $certdir/$nodename.crt $certdir/$nodename.key $certdir/ca.crt $api_certdir/
+chown -R $icingauser:$icingauser $api_certdir/
+
+# Next step
+echo "
+
+NOW
+
+Run the following on the Icinga master:
+fpr=\"\$(icinga2 ca list | tail -1 | cut -d '|' -f 1)\"
+icinga2 ca sign \$fpr
+
+
+THEN
+
+Restart icinga2 on the agent:
+\"systemctl restart icinga2\"
+
+"
+
diff --git a/monitoring/icinga-master b/monitoring/icinga-master
new file mode 100755
index 0000000..ed82bc5
--- /dev/null
+++ b/monitoring/icinga-master
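Review bot: `icinga2 pki new-cert --cn "pbs.home.local"` hardcodes the certificate CN while the key and cert file names, `const NodeName` and the Endpoint/Zone objects all use `$nodename`; the master would sign a certificate whose CN does not match the endpoint name, so the agent cannot authenticate as itself — `--cn "$nodename"` keeps them consistent. The registration request puts `$apikey` in the query string of a plain `http://` URL, so the self-service key travels in clear and lands in the web server's access log; `https://` with the master's certificate verified by curl is the defensive fix. `icinga2 pki save-cert` stores the master's certificate as trusted without any fingerprint comparison, which is the documented trust-on-first-use flow; printing the fingerprint of `$certdir/trusted-master.crt` for the operator to compare against the master would make a substitution detectable. `master_fqdn=""` and `apikey=""` are committed empty, so as written every call in this file targets an empty host.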
@@ -0,0 +1,120 @@
+#!/bin/sh
+#
+# Configuration for an Iciniga2 master (with icingaweb2, director, and mysql backend)
+
+ido_user="icinga2"
+ido_password="changeme"
+
+icingaweb2_user="icingaweb2"
+icingaweb2_password="changeme"
+
+director_user="director"
+director_password="changeme"
+
+admin_user="admin"
+admin_password="changeme"
+
+# Install packages
+apt install -y incinga2 icingaweb2 icinga2-ido-mysql icingaweb2-module-director \
+ monitoring-plugins monitoring-plugins-contrib
+
+# Secure mysql
+mysql_secure_installation
+
+# Create primary monitoring database
+mysql -u root -e "CREATE DATABASE icinga2;
+GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
+ON icinga2.* TO '$ido_user'@'localhost' IDENTIFIED BY '$ido_password';
+FLUSH PRIVILEGES; "
+mysql -u root icinga2 /etc/icinga2/features-available/ido-mysql.conf
+icinga2 feature enable ido-mysql
+
+# Create icingaweb2 database
+mysql -u root -e "CREATE DATABASE icingaweb2;
+GRANT ALL ON icingaweb2.* TO '$icingaweb2_user'@'localhost'
+IDENTIFIED BY '$icingaweb2_password';
+FLUSH PRIVILEGES;"
+mysql icingaweb2 /etc/icingaweb2/authentication.ini
+
+# Configure resources
+echo "[icinga2]
+type = \"db\"
+db = \"mysql\"
+host \"localhost\"
+port = \"\"
+dbname = \"icinga2\"
+username = \"$icinga2_user\"
+password = \"$icinga2_password\"
+charset = \"\"
+use_ssl = \"0\"
+
+[icingaweb2]
+type = \"db\"
+db = \"mysql\"
+host \"localhost\"
+port = \"\"
+dbname = \"icingaweb2\"
+username = \"$icingaweb2_user\"
+password = \"$icingaweb2_password\"
+charset = \"\"
+use_ssl = \"0\"
+
+[icingaweb2]
+type = \"db\"
+db = \"mysql\"
+host \"localhost\"
+port = \"\"
+dbname = \"director\"
+username = \"$director_user\"
+password = \"$director_password\"
+charset = \"utf8\"
+use_ssl = \"0\"
+" > /etc/icingaweb2/resources.ini
+
+# Configure roles
+echo "[admins]
+users = \"$admin_user\"
+permissions = \"*\" " > /etc/icingaweb2/roles.ini
+
+# Configure director
+echo "[db]
+resource = \"director\"
+" > 
/etc/icingaweb2/modules/director/config.ini
+
+echo "NOW\nBrowse to http://$(hostname)/icingaweb2/ and login as $admin_user"
-- cgit v1.2.3
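Review bot: The `[icinga2]` resource written to /etc/icingaweb2/resources.ini interpolates `$icinga2_user` and `$icinga2_password`, which are never defined — the variables set at the top are `ido_user` and `ido_password` — so the IDO resource is written with an empty username and password; `username = \"$ido_user\"` and `password = \"$ido_password\"` is what the GRANT above it intends. The third resource section is headed `[icingaweb2]` a second time instead of `[director]`, although the director config written below refers to `resource = \"director\"`, and all three sections have `host \"localhost\"` with no `=`, so icingaweb2 will not read them as intended. The `GRANT ... IDENTIFIED BY '$ido_password'` statements pass the database passwords on the `mysql -e` command line, where they are visible in process listings and the root shell history; feeding the SQL on stdin (`mysql -u root <<EOF ... EOF`) keeps them out of argv. `admin_password` is assigned and never used, so its `changeme` value marks an incomplete step rather than a configured account. The `mysql -u root icinga2 /etc/icinga2/features-available/ido-mysql.conf` and `mysql icingaweb2 /etc/icingaweb2/authentication.ini` lines look truncated in this view, so the schema imports and the authentication.ini write could not be reviewed.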