From 85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 Mon Sep 17 00:00:00 2001
From: Sam Chudnick <sam@chudnick.com>
Date: Fri, 15 Apr 2022 21:08:34 -0400
Subject: inital commit - various scripts

---
 monitoring/icinga-agent | 108 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100755 monitoring/icinga-agent


diff --git a/monitoring/icinga-agent b/monitoring/icinga-agent
new file mode 100755
index 0000000..328d65b
--- /dev/null
+++ b/monitoring/icinga-agent
@@ -0,0 +1,108 @@
+#!/bin/sh
+#
+# Configirues an icinga2 agent (with on-demand csr signing)
+
+icingauser="nagios"
+certdir="/etc/icinga2/pki"
+api_certdir="/var/lib/icinga2/certs"
+nodename="$(hostname)"
+global_zone="director-global"
+master_fqdn=""
+
+# Install packages
+apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib
+
+# Register with master via self-service API
+apikey=""
+displayname=""
+# Not pretty but gets the job done
+dev="$(ip link | grep ^2: | head -1 | cut -d':' -f 2 | tr -d ' ')"
+ipv4="$(ip addr show $dev | grep "inet " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
+ipv6="$(ip addr show $dev | grep "inet6 " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
+
+result=$(curl -i "http://$master_fqdn/icingaweb2/director/self-service/register-host?name=$nodename&key=$apikey" \
+	 -H "Accept: application/json" \
+	 -X "POST" \
+	 -d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}")
+echo $result | grep -q error && \
+		echo "error: unable to register with master (is the api key correct?)" && \
+		exit 2
+
+
+# Initialize PKI with master
+icinga2 pki new-cert \
+		--cn "pbs.home.local" \
+		--cert "$certdir/$nodename.crt" \
+		--csr "$certdir/$nodename.csr" \
+		--key "$certdir/$nodename.key"
+
+
+icinga2 pki save-cert \
+		--host "$master_fqdn" \
+		--port 5665 \
+		--key "$certdir/$nodename.key" \
+		--trustedcert "$certdir/trusted-master.crt"
+
+icinga2 pki request \
+		--host "$master_fqdn" \
+		--port 5665 \
+		--key "$certdir/$nodename.key" \
+		--cert "$certdir/$nodename.crt" \
+		--trustedcert "$certdir/trusted-master.crt" \
+		--ca "$certdir/ca.crt" 
+
+# Deploy config files
+echo "include \"constants.conf\"
+const NodeName = \"$nodename\"
+include \"zones.conf\"
+include \"features-enabled/*.conf\"
+include <itl>
+include <plugins>
+include <plugins-contrib>
+include <manubulon>
+include <windows-plugins>
+include <nscp>" > /etc/icinga2/icinga2.conf
+
+echo "object Endpoint \"$nodename\" {}
+object Zone \"$nodename\" {
+  parent = \"$master_fqdn\"
+  endpoints = [ \"$nodename\" ]
+}
+object Zone \"$master_fqdn\" {
+  endpoints = [ \"$master_fqdn\" ]
+}
+object Endpoint \"$master_fqdn\" {
+  host = \"$master_fqdn\"
+}
+object Zone \"$global_zone\" {
+  global = true
+}" > /etc/icinga2/zones.conf
+
+echo "object ApiListener \"api\" {
+  accept_commands = true
+  accept_config = true
+}" > /etc/icinga2/features-available/api.conf
+
+# Enable API
+icinga2 feature enable api
+mkdir -p $api_certdir
+cp $certdir/$nodename.crt $certdir/$nodename.key $certdir/ca.crt $api_certdir/
+chown -R $icingauser:$icingauser $api_certdir/
+
+# Next step
+echo "
+
+NOW
+
+Run the following on the Icinga master:
+fpr=\"\$(icinga2 ca list | tail -1 | cut -d '|' -f 1)\"
+icinga2 ca sign \$fpr
+
+
+THEN
+
+Restart icinga2 on the agent:
+\"systemctl restart icinga2\"
+
+"
+
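Review bot: The trust bootstrap is unauthenticated at both steps: the registration call `curl -i "http://$master_fqdn/...&key=$apikey"` sends the Director API key in cleartext inside the URL, and `icinga2 pki save-cert` stores whatever certificate the peer presents as `trusted-master.crt` without any check. Because the generated api.conf sets `accept_commands = true` and `accept_config = true`, an agent that pinned the wrong certificate here would presumably accept commands and config from that peer. Use `https://` for the registration request and, before `icinga2 pki request`, compare the output of `openssl x509 -noout -fingerprint -sha256 -in "$certdir/trusted-master.crt"` with a fingerprint obtained out of band, exiting on mismatch. Separately, `--cn "pbs.home.local"` is hard-coded while the certificate file names and `NodeName` use `$nodename`; it should read `--cn "$nodename"`. The script also has no `set -e` or exit-status checks, so a failed curl or pki step falls through to writing the config and copying keys, and the unquoted `$dev`, `$result` and `cp`/`chown` arguments should be double-quoted.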
-- 
cgit v1.2.3