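#!/bin/sh
#
# Configures an icinga2 agent (with on-demand CSR signing on the master).
#
# Fill in master_fqdn, apikey and displayname before running. Runs as root
# (installs packages, writes under /etc/icinga2 and /var/lib/icinga2).
# Exit codes: 2 if registration with the master fails, 1 on any other error.

set -eu

#######################################
# Print an error to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  printf 'error: %s\n' "$1" >&2
  exit "${2:-1}"
}

icingauser="nagios"
certdir="/etc/icinga2/pki"
api_certdir="/var/lib/icinga2/certs"
# NOTE(review): Icinga 2 normally expects the FQDN here; `hostname` returns
# whatever the system is configured with — confirm it matches the master's view.
nodename="$(hostname)"
global_zone="director-global"
master_fqdn=""

# Register with master via self-service API
apikey=""
displayname=""

# Fail early instead of registering against an empty host / with an empty key.
: "${master_fqdn:?master_fqdn must be set to the Icinga master's FQDN}"
: "${apikey:?apikey must be set to the Director self-service key}"

# The self-service API key travels in the query string. Over plain http it is
# readable on the wire; switch this to https once the Director host has TLS.
director_url="http://$master_fqdn/icingaweb2/director"

# Install packages
apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib

# Not pretty but gets the job done: assumes interface #2 is the one the
# master should reach us on. Override dev= above this line if it is not.
dev="$(ip link | grep '^2:' | head -1 | cut -d':' -f 2 | tr -d ' ')"
ipv4="$(ip addr show "$dev" | grep "inet " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
ipv6="$(ip addr show "$dev" | grep "inet6 " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"

# The key is also visible in `ps` for the duration of the curl call; keep
# displayname/apikey out of shared shell history when setting them.
result=$(curl -sS -i "$director_url/self-service/register-host?name=$nodename&key=$apikey" \
  -H "Accept: application/json" \
  -X "POST" \
  -d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}") \
  || die "unable to reach the Director self-service API on $master_fqdn" 2

# The response (headers + body) is scanned for the word "error", as before;
# transport failures are caught by the exit-status check above.
if printf '%s\n' "$result" | grep -q error; then
  die "unable to register with master (is the api key correct?)" 2
fi

# Initialize PKI with master.
# The certificate CN must equal the Endpoint/Zone name written to zones.conf
# below, otherwise the master rejects the connection; the original
# hard-coded "pbs.home.local" here, which only works on that one host.
icinga2 pki new-cert \
  --cn "$nodename" \
  --cert "$certdir/$nodename.crt" \
  --csr "$certdir/$nodename.csr" \
  --key "$certdir/$nodename.key"

# save-cert trusts whatever certificate the master presents on first contact
# (trust-on-first-use). Compare the printed fingerprint with the master's
# "icinga2 pki save-cert"/"ca list" output before signing the CSR.
icinga2 pki save-cert \
  --host "$master_fqdn" \
  --port 5665 \
  --key "$certdir/$nodename.key" \
  --trustedcert "$certdir/trusted-master.crt"
if command -v openssl >/dev/null; then
  printf 'fetched master certificate: '
  openssl x509 -in "$certdir/trusted-master.crt" -noout -fingerprint -sha256
fi

icinga2 pki request \
  --host "$master_fqdn" \
  --port 5665 \
  --key "$certdir/$nodename.key" \
  --cert "$certdir/$nodename.crt" \
  --trustedcert "$certdir/trusted-master.crt" \
  --ca "$certdir/ca.crt"

# Deploy config files
# The six "include <...>" targets were lost when this file was captured (only
# the bare keyword survived). The standard Icinga 2 ITL set is restored here —
# confirm against your distribution's default icinga2.conf.
cat > /etc/icinga2/icinga2.conf <<EOF
include "constants.conf"
const NodeName = "$nodename"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>
EOF

cat > /etc/icinga2/zones.conf <<EOF
object Endpoint "$nodename" {}

object Zone "$nodename" {
  parent = "$master_fqdn"
  endpoints = [ "$nodename" ]
}

object Zone "$master_fqdn" {
  endpoints = [ "$master_fqdn" ]
}

object Endpoint "$master_fqdn" {
  host = "$master_fqdn"
}

object Zone "$global_zone" {
  global = true
}
EOF

# accept_config/accept_commands let the master push configuration and run
# commands on this agent; that is the intended agent model here.
cat > /etc/icinga2/features-available/api.conf <<'EOF'
object ApiListener "api" {
  accept_commands = true
  accept_config = true
}
EOF

# Enable API
icinga2 feature enable api
mkdir -p "$api_certdir"
cp "$certdir/$nodename.crt" "$certdir/$nodename.key" "$certdir/ca.crt" "$api_certdir/"
chown -R "$icingauser:$icingauser" "$api_certdir/"
# The private key must only be readable by the daemon user.
chmod 0600 "$api_certdir/$nodename.key"

# Next step (quoted heredoc: the $(...) below is meant for the master's shell)
cat <<'EOF'

NOW Run the following on the Icinga master:

  fpr="$(icinga2 ca list | tail -1 | cut -d '|' -f 1)"
  icinga2 ca sign $fpr

THEN Restart icinga2 on the agent: "systemctl restart icinga2"

EOF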