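#!/bin/sh
#
# Configures an icinga2 agent (with on-demand CSR signing).
#
# Flow: install the agent packages, register this host with the Icinga
# Director self-service API, create a local key/cert, fetch the master's
# certificate, submit a CSR to the master, write a minimal agent config and
# enable the API listener. The CSR must then be signed on the master; the
# exact commands are printed at the end.
#
# Usage: icinga-agent --apikey KEY --display NAME --master FQDN
#
# Security notes:
#   * The self-service API key is taken from argv, so it is visible in `ps`
#     and shell history on this host while the script runs.
#   * `icinga2 pki save-cert` is trust-on-first-use: it stores whatever
#     certificate the peer at master_fqdn:5665 presents. The SHA-256
#     fingerprint is printed so it can be compared with the master
#     out-of-band before the CSR is signed.
#   * The registration call is made over HTTPS only; a plaintext endpoint
#     would leak the API key to anyone on the path.

set -eu

icingauser="nagios"
certdir="/etc/icinga2/pki"
api_certdir="/var/lib/icinga2/certs"
nodename="$(hostname)"
global_zone="director-global"
apikey=
displayname=
master_fqdn=

# Print usage to stderr and exit 1.
help() {
  printf 'usage: icinga-agent --apikey apikey --display name --master master_fqdn\n' >&2
  printf '  -a, --apikey:\t self-service api key to register with\n' >&2
  printf '  -d, --display:\t display name for host in Icinga\n' >&2
  printf '  -m, --master:\t full hostname of Icinga master (e.g. monitoring.example.com)\n' >&2
  exit 1
}

# Print "error: <message>" to stderr and exit 2.
error() {
  printf 'error: %s\n' "$1" >&2
  exit 2
}

# Escape a value for interpolation into a JSON string literal.
# Only backslash and double quote are handled; control characters are not
# expected in a display name or an IP address.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

if [ "$(id -u)" -ne 0 ]; then
  printf 'error: must be run as root\n' >&2
  exit 1
fi

# util-linux getopt for long-option support. The short option string is a
# plain list of letters (no commas). getopt prints its own diagnostic on a
# bad option, so only the usage text is added here.
opts=$(getopt -o "a:d:hm:" -l "apikey:,display:,help,master:" -n icinga-agent -- "$@") || help
eval set -- "$opts"

while true; do
  case "$1" in
    '-a' | '--apikey')
      apikey="$2"
      shift 2
      ;;
    '-d' | '--display')
      displayname="$2"
      shift 2
      ;;
    '-m' | '--master')
      master_fqdn="$2"
      shift 2
      ;;
    '-h' | '--help')
      help
      ;;
    '--')
      shift
      break
      ;;
    *)
      help
      ;;
  esac
done

[ -n "$apikey" ] || help
[ -n "$displayname" ] || help
[ -n "$master_fqdn" ] || help

# Install packages (apt-get rather than apt: apt's CLI is not meant for scripts).
export DEBIAN_FRONTEND=noninteractive
apt-get install -y icinga2 monitoring-plugins monitoring-plugins-contrib \
  || error "package installation failed"

# Determine the addresses to register.
# Prefer the interface carrying the default route; fall back to the second
# link (first non-loopback), which is what earlier versions of this script
# used unconditionally.
dev="$(ip -o route show default 2>/dev/null \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')"
if [ -z "$dev" ]; then
  dev="$(ip -o link | awk -F': ' '$1 == 2 { print $2; exit }')"
fi
[ -n "$dev" ] || error "could not determine network interface"

# First global-scope address of each family only, so the JSON body below
# stays a single value even when the interface has several addresses.
ipv4="$(ip -o -4 addr show dev "$dev" scope global \
  | awk 'NR == 1 { sub("/.*", "", $4); print $4 }')"
ipv6="$(ip -o -6 addr show dev "$dev" scope global \
  | awk 'NR == 1 { sub("/.*", "", $4); print $4 }')"

# Register with master via the Director self-service API.
# The API takes host name and key as query parameters; the host attributes
# go in a JSON body. HTTPS is enforced (--proto) so the key is never sent
# in clear.
proto="https"
base="$proto://$master_fqdn/icingaweb2/director/self-service/register-host"
url="$base?name=$nodename&key=$apikey"
body="{\"display_name\":\"$(json_escape "$displayname")\",\"address\":\"$(json_escape "$ipv4")\",\"address6\":\"$(json_escape "$ipv6")\"}"

response="$(mktemp)" || error "mktemp failed"
trap 'rm -f -- "$response"' EXIT

http_code="$(curl -sS -m 30 --proto '=https' \
  -o "$response" -w '%{http_code}' \
  -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "$body" \
  "$url")" || error "unable to register with master"

case "$http_code" in
  2*) ;;
  *) error "unable to register with master (HTTP $http_code): $(cat "$response")" ;;
esac
# The Director answers with a JSON object carrying an "error" key on failure.
if grep -q '"error"' "$response"; then
  error "unable to register with master: $(cat "$response")"
fi

# Initialize PKI with master.
icinga2 pki new-cert \
  --cn "$nodename" \
  --cert "$certdir/$nodename.crt" \
  --csr "$certdir/$nodename.csr" \
  --key "$certdir/$nodename.key"

# Trust-on-first-use: this stores the certificate presented by whatever is
# listening on master_fqdn:5665. Verify the printed fingerprint against the
# master before signing the CSR there.
icinga2 pki save-cert \
  --host "$master_fqdn" \
  --port 5665 \
  --key "$certdir/$nodename.key" \
  --trustedcert "$certdir/trusted-master.crt"
if command -v openssl >/dev/null 2>&1; then
  printf 'fetched master certificate: %s\n' \
    "$(openssl x509 -noout -fingerprint -sha256 -in "$certdir/trusted-master.crt")"
fi

icinga2 pki request \
  --host "$master_fqdn" \
  --port 5665 \
  --key "$certdir/$nodename.key" \
  --cert "$certdir/$nodename.crt" \
  --trustedcert "$certdir/trusted-master.crt" \
  --ca "$certdir/ca.crt"

# Deploy config files.
# NOTE(review): the six ITL include targets below are the stock set shipped in
# Debian's icinga2.conf (the angle-bracket names were lost in an earlier copy
# of this script); confirm against the package-provided icinga2.conf.
cat > /etc/icinga2/icinga2.conf <<EOF
include "constants.conf"
const NodeName = "$nodename"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>
EOF

# The agent is a child zone of the master and connects outbound to it
# (host is set only on the master endpoint).
cat > /etc/icinga2/zones.conf <<EOF
object Endpoint "$nodename" {}

object Zone "$nodename" {
  parent = "$master_fqdn"
  endpoints = [ "$nodename" ]
}

object Zone "$master_fqdn" {
  endpoints = [ "$master_fqdn" ]
}

object Endpoint "$master_fqdn" {
  host = "$master_fqdn"
}

object Zone "$global_zone" {
  global = true
}
EOF

# accept_commands/accept_config let the master push check commands and
# configuration to this agent, i.e. the master is fully trusted to run
# checks here. That is the intended agent model; do not loosen the
# certificate verification above.
cat > /etc/icinga2/features-available/api.conf <<EOF
object ApiListener "api" {
  accept_commands = true
  accept_config = true
}
EOF

# Enable API and hand the key material to the icinga2 service user.
icinga2 feature enable api
mkdir -p "$api_certdir"
cp "$certdir/$nodename.crt" "$certdir/$nodename.key" "$certdir/ca.crt" "$api_certdir/"
chown -R "$icingauser:$icingauser" "$api_certdir/"
chmod 600 "$api_certdir/$nodename.key"

# Next step. Select the pending request by CN rather than "the last line",
# so a request from another node is not signed by mistake.
cat <<EOF

NOW run the following on the Icinga master:

  icinga2 ca list
  fpr="\$(icinga2 ca list | grep 'CN = $nodename' | cut -d '|' -f 1 | tr -d ' ')"
  icinga2 ca sign "\$fpr"

THEN restart icinga2 on the agent: systemctl restart icinga2

EOF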