#!/bin/sh
#
# Configures an icinga2 agent (with on-demand csr signing)

# --- Fixed settings -------------------------------------------------------
# System user the icinga2 daemon runs as; the API cert directory is chowned
# to it further down.
icingauser=nagios
# Where the node's key, CSR, cert, CA cert and the trusted master cert are
# generated.
certdir=/etc/icinga2/pki
# Where the running daemon expects its certificates (copied there at the end).
api_certdir=/var/lib/icinga2/certs
# Used as the certificate CN, the Endpoint/Zone name and NodeName.
nodename=$(hostname)
# Name of the global zone the Director distributes shared config through.
global_zone=director-global

# --- Filled in from the command line --------------------------------------
apikey=
displayname=
master_fqdn=

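# Print usage to stderr and exit 1.
# printf '%b' is used instead of echo: the "\t" escapes in the original were
# expanded by dash's echo but not by bash's, so the output depended on which
# /bin/sh ran the script. Usage text belongs on stderr so it does not get
# mixed into anything a caller captures from stdout.
help() {
	printf '%s\n' "usage: icinga-agent --apikey apikey --display name --master master_fqdn" >&2
	printf '%b\n' '-a, --apikey:\t self-service api key to register with' >&2
	printf '%b\n' '-d, --display:\t display name for host in Icinga' >&2
	printf '%b\n' '-m, --master:\t full hostname of Icinga master (e.g. monitoring.example.com)' >&2
	exit 1
}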

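# Print "error: <message>" to stderr and exit 2.
# $1 - message text. Sent to stderr (the original used stdout) so it is not
# swallowed when the script's output is redirected or captured.
error() {
	printf 'error: %s\n' "$1" >&2
	exit 2
}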

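# Everything below installs packages and writes under /etc/icinga2 and
# /var/lib/icinga2, so refuse to continue unprivileged. Diagnostics go to stderr.
if [ "$(id -u)" -ne 0 ]; then
	echo "error: must be run as root" >&2
	exit 1
fi

# Command-line parsing with util-linux getopt (needed for the long options).
# The short option string is "a:d:hm:"; the original "a:,d:,h,m:" also made
# ',' an accepted option. A rejected option makes getopt return non-zero, in
# which case usage is printed instead of continuing with a half-parsed line.
# NOTE(security): the API key given via --apikey is visible to every local
# user in the process list (and in shell history) for as long as the script
# runs; it is also passed on the curl command line further down.
opts=$(getopt -o "a:d:hm:" -l "apikey:,display:,help,master:" -- "$@") || help
eval set -- "$opts"
while true; do
	case "$1" in
		'-a' | '--apikey')
			# The original wrote `apikey="$2" shift 2` without the ';', which
			# only assigned because `shift` is a POSIX special builtin; the
			# separate statement makes the assignment unconditional.
			apikey="$2"
			shift 2
			;;
		'-d' | '--display')
			displayname="$2"
			shift 2
			;;
		'-m' | '--master')
			master_fqdn="$2"
			shift 2
			;;
		'-h' | '--help')
			help
			;;
		'--')
			shift
			break
			;;
		*)
			# Not reachable after a successful getopt, but without a default
			# an unexpected word would make this loop spin forever.
			help
			;;
	esac
done

# All three options are mandatory.
[ -n "$apikey" ] || help
[ -n "$displayname" ] || help
[ -n "$master_fqdn" ] || help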


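# Install packages. Stop here if that fails; nothing below works without icinga2.
apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib \
	|| error "package installation failed"

# Register with master via the Director self-service API.
#
# Address discovery is a heuristic: the interface with ifindex 2 is assumed to
# be the primary one. Only the first global-scope address of each family is
# used so the hand-built JSON below stays a single valid value; the original
# took every "inet6" line, which usually began with the link-local address and
# could yield a multi-line (broken) JSON string.
dev="$(ip link | grep '^2:' | head -n 1 | cut -d':' -f 2 | tr -d ' ')"
[ -n "$dev" ] || error "could not determine the primary network interface"
ipv4="$(ip -o -4 addr show dev "$dev" scope global | awk '{ print $4 }' | cut -d/ -f1 | head -n 1)"
ipv6="$(ip -o -6 addr show dev "$dev" scope global | awk '{ print $4 }' | cut -d/ -f1 | head -n 1)"

# NOTE(security): the API key travels in the URL query string. Over plain http
# it is readable by anyone on the path and by intermediate proxies, so https
# is used and the master must present a certificate this host already trusts
# (do not add -k/--insecure to make it "work"). Even over https the key ends
# up in the master's web-server access log and in this host's process list
# while curl runs; that is inherent to the self-service API's key-in-URL design.
proto="https"
base="$proto://$master_fqdn/icingaweb2/director/self-service/register-host"
url="$base?name=$nodename&key=$apikey"

# Escape backslashes and double quotes so the display name cannot break the
# JSON document (no jq dependency is assumed on a fresh host).
dn_json="$(printf '%s' "$displayname" | sed 's/[\\"]/\\&/g')"
body="{\"display_name\":\"$dn_json\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}"

# --fail turns an HTTP error status into a non-zero curl exit, so a rejected
# registration (bad key, unknown master) stops the script before any PKI work.
result="$(curl -sS --fail -m 30 -X POST "$url" \
		-H "Accept: application/json" \
		-d "$body")" || error "unable to register with master"
printf '%s\n' "$result"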

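# Initialize PKI with master (on-demand CSR signing, no ticket).
mkdir -p "$certdir" || error "cannot create $certdir"

# Self-signed key pair and CSR for this node; the CN must equal the Endpoint
# name used in zones.conf.
icinga2 pki new-cert \
		--cn "$nodename" \
		--cert "$certdir/$nodename.crt" \
		--csr "$certdir/$nodename.csr" \
		--key "$certdir/$nodename.key" \
	|| error "pki new-cert failed"

# Trust anchor for the master. `pki save-cert` fetches whatever certificate is
# presented on $master_fqdn:5665 and stores it as trusted without verifying it
# (trust on first use): an on-path attacker at this moment could impersonate
# the master and receive this node's CSR. If trusted-master.crt has been
# provisioned out of band (e.g. copied from the master by configuration
# management) it is used as-is and the fetch is skipped. Otherwise compare the
# certificate details save-cert prints against the master's real certificate
# before running `icinga2 ca sign` on the master.
if [ -s "$certdir/trusted-master.crt" ]; then
	echo "using pre-provisioned $certdir/trusted-master.crt"
else
	icinga2 pki save-cert \
			--host "$master_fqdn" \
			--port 5665 \
			--key "$certdir/$nodename.key" \
			--trustedcert "$certdir/trusted-master.crt" \
		|| error "unable to fetch the master certificate from $master_fqdn:5665"
fi

# Submit the CSR. With on-demand signing the request stays pending on the
# master until `icinga2 ca sign` is run there, so the exit status is not
# treated as fatal; the CA certificate, however, must have been written.
icinga2 pki request \
		--host "$master_fqdn" \
		--port 5665 \
		--key "$certdir/$nodename.key" \
		--cert "$certdir/$nodename.crt" \
		--trustedcert "$certdir/trusted-master.crt" \
		--ca "$certdir/ca.crt"
[ -s "$certdir/ca.crt" ] || error "CA certificate was not retrieved into $certdir/ca.crt"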

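# Deploy config files. Both files are replaced wholesale (the distribution
# defaults are discarded); this is intended for a Director-managed agent.
# Unquoted here-docs: $variables expand, everything else is literal.
cat > /etc/icinga2/icinga2.conf <<EOF
include "constants.conf"
const NodeName = "$nodename"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>
EOF

# This node is its own zone whose parent is the master zone; the master
# endpoint carries a host so the agent connects out to it.
cat > /etc/icinga2/zones.conf <<EOF
object Endpoint "$nodename" {}
object Zone "$nodename" {
  parent = "$master_fqdn"
  endpoints = [ "$nodename" ]
}
object Zone "$master_fqdn" {
  endpoints = [ "$master_fqdn" ]
}
object Endpoint "$master_fqdn" {
  host = "$master_fqdn"
}
object Zone "$global_zone" {
  global = true
}
EOF

# accept_config / accept_commands let the parent zone (the master, authenticated
# through the CA set up above) push configuration to and run check commands on
# this host as $icingauser. That is what a Director-managed agent needs, but it
# means whoever controls the master controls this agent, which is why the
# master's certificate must be genuinely verified and not blindly trusted.
cat > /etc/icinga2/features-available/api.conf <<EOF
object ApiListener "api" {
  accept_commands = true
  accept_config = true
}
EOF

# Enable API and put the certificates where the daemon reads them.
icinga2 feature enable api
mkdir -p "$api_certdir" || error "cannot create $api_certdir"
cp "$certdir/$nodename.crt" "$certdir/$nodename.key" "$certdir/ca.crt" "$api_certdir/" \
	|| error "unable to copy certificates into $api_certdir"
chown -R "$icingauser:$icingauser" "$api_certdir/"
# The private key must be readable by the daemon user only; set the mode
# explicitly rather than relying on whatever mode the source file had.
chmod 0600 "$api_certdir/$nodename.key" "$certdir/$nodename.key"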

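# Next step: the CSR is pending on the master and must be signed there.
# The request is selected by its CN rather than by taking the last line of
# `icinga2 ca list` (the original did `tail -1`), because that last line is
# simply the most recent pending request of any host — with several agents
# registering, or a rogue request queued, that would sign the wrong CSR.
# `\$fpr` is left literal for the operator; $nodename is expanded here.
cat <<EOF

NOW

Run the following on the Icinga master. Before signing, check that exactly one
line matches and that the fingerprint is the one this agent reported:
fpr="\$(icinga2 ca list | grep -F 'CN = $nodename' | cut -d '|' -f 1 | tr -d ' ')"
icinga2 ca sign "\$fpr"


THEN

Restart icinga2 on the agent:
"systemctl restart icinga2"

EOF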