From 85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 Mon Sep 17 00:00:00 2001 From: Sam Chudnick Date: Fri, 15 Apr 2022 21:08:34 -0400 Subject: inital commit - various scripts --- monitoring/icinga-agent | 108 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100755 monitoring/icinga-agent (limited to 'monitoring/icinga-agent') diff --git a/monitoring/icinga-agent b/monitoring/icinga-agent new file mode 100755 index 0000000..328d65b --- /dev/null +++ b/monitoring/icinga-agent @@ -0,0 +1,108 @@ +#!/bin/sh +# +# Configirues an icinga2 agent (with on-demand csr signing) + +icingauser="nagios" +certdir="/etc/icinga2/pki" +api_certdir="/var/lib/icinga2/certs" +nodename="$(hostname)" +global_zone="director-global" +master_fqdn="" + +# Install packages +apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib + +# Register with master via self-service API +apikey="" +displayname="" +# Not pretty but gets the job done +dev="$(ip link | grep ^2: | head -1 | cut -d':' -f 2 | tr -d ' ')" +ipv4="$(ip addr show $dev | grep "inet " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)" +ipv6="$(ip addr show $dev | grep "inet6 " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)" + +result=$(curl -i "http://$master_fqdn/icingaweb2/director/self-service/register-host?name=$nodename&key=$apikey" \ + -H "Accept: application/json" \ + -X "POST" \ + -d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}") +echo $result | grep -q error && \ + echo "error: unable to register with master (is the api key correct?)" && \ + exit 2 + + +# Initialize PKI with master +icinga2 pki new-cert \ + --cn "pbs.home.local" \ + --cert "$certdir/$nodename.crt" \ + --csr "$certdir/$nodename.csr" \ + --key "$certdir/$nodename.key" + + +icinga2 pki save-cert \ + --host "$master_fqdn" \ + --port 5665 \ + --key "$certdir/$nodename.key" \ + --trustedcert "$certdir/trusted-master.crt" + +icinga2 pki request \ + --host "$master_fqdn" \ + --port 5665 \ + --key "$certdir/$nodename.key" \ + --cert "$certdir/$nodename.crt" \ + --trustedcert "$certdir/trusted-master.crt" \ + --ca "$certdir/ca.crt" + +# Deploy config files +echo "include \"constants.conf\" +const NodeName = \"$nodename\" +include \"zones.conf\" +include \"features-enabled/*.conf\" +include +include +include +include +include +include " > /etc/icinga2/icinga2.conf + +echo "object Endpoint \"$nodename\" {} +object Zone \"$nodename\" { + parent = \"$master_fqdn\" + endpoints = [ \"$nodename\" ] +} +object Zone \"$master_fqdn\" { + endpoints = [ \"$master_fqdn\" ] +} +object Endpoint \"$master_fqdn\" { + host = \"$master_fqdn\" +} +object Zone \"$global_zone\" { + global = true +}" > /etc/icinga2/zones.conf + +echo "object ApiListener \"api\" { + accept_commands = true + accept_config = true +}" > /etc/icinga2/features-available/api.conf + +# Enable API +icinga2 feature enable api +mkdir -p $api_certdir +cp $certdir/$nodename.crt $certdir/$nodename.key $certdir/ca.crt $api_certdir/ +chown -R $icingauser:$icingauser $api_certdir/ + +# Next step +echo " + +NOW + +Run the following on the Icinga master: +fpr=\"\$(icinga2 ca list | tail -1 | cut -d '|' -f 1)\" +icinga2 ca sign \$fpr + + +THEN + +Restart icinga2 on the agent: +\"systemctl restart icinga2\" + +" + -- cgit v1.2.3