blob: 6b8e85335e3e5a8c236397f7426118c759d9186a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
#!/bin/sh
#
# Configures an icinga2 agent (with on-demand csr signing)
icingauser="nagios"
certdir="/etc/icinga2/pki"
api_certdir="/var/lib/icinga2/certs"
nodename="$(hostname)"
global_zone="director-global"
apikey=
displayname=
master_fqdn=
help() {
echo "usage: icinga-agent --apikey apikey --display name --master master_fqdn"
echo "-a, --apikey:\t self-service api key to register with"
echo "-d, --display:\t display name for host in Icinga"
echo "-m, --master:\t full hostname of Icinga master (e.g. monitoring.example.com)"
exit 1
}
error() {
echo "error: $1"
exit 2
}
[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
opts=$(getopt -o "a:,d:,h,m:" -l "apikey:,display:,help,master:" -- "$@")
eval set -- "$opts"
while true
do
case "$1" in
'-a' | '--apikey') apikey="$2" shift 2; continue ;;
'-d' | '--display') displayname="$2" shift 2; continue ;;
'-m' | '--master') master_fqdn="$2" shift 2; continue ;;
'-h' | '--help') help ;;
'--') shift; break ;;
esac
done
[ -z "$apikey" ] && help
[ -z "$displayname" ] && help
[ -z "$master_fqdn" ] && help
# Install packages
apt install -y icinga2 monitoring-plugins monitoring-plugins-contrib
# Register with master via self-service API
# Not pretty but gets the job done
dev="$(ip link | grep ^2: | head -1 | cut -d':' -f 2 | tr -d ' ')"
ipv4="$(ip addr show $dev | grep "inet " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
ipv6="$(ip addr show $dev | grep "inet6 " | sed "s/^\s*//;s/\// /" | cut -d ' ' -f 2)"
proto="http"
base="$proto://$master_fqdn/icingaweb2/director/self-service/register-host"
url="$base?name=$nodename&key=$apikey"
result=$(curl -m 30 -i $url -H "Accept: application/json" -X "POST" \
-d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}")
#\|| error "unable to register with master")
#echo $result | grep -q "error" && error "unable to register with master"
# Initialize PKI with master
icinga2 pki new-cert \
--cn "$nodename" \
--cert "$certdir/$nodename.crt" \
--csr "$certdir/$nodename.csr" \
--key "$certdir/$nodename.key"
icinga2 pki save-cert \
--host "$master_fqdn" \
--port 5665 \
--key "$certdir/$nodename.key" \
--trustedcert "$certdir/trusted-master.crt"
icinga2 pki request \
--host "$master_fqdn" \
--port 5665 \
--key "$certdir/$nodename.key" \
--cert "$certdir/$nodename.crt" \
--trustedcert "$certdir/trusted-master.crt" \
--ca "$certdir/ca.crt"
# Deploy config files
echo "include \"constants.conf\"
const NodeName = \"$nodename\"
include \"zones.conf\"
include \"features-enabled/*.conf\"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>" > /etc/icinga2/icinga2.conf
echo "object Endpoint \"$nodename\" {}
object Zone \"$nodename\" {
parent = \"$master_fqdn\"
endpoints = [ \"$nodename\" ]
}
object Zone \"$master_fqdn\" {
endpoints = [ \"$master_fqdn\" ]
}
object Endpoint \"$master_fqdn\" {
host = \"$master_fqdn\"
}
object Zone \"$global_zone\" {
global = true
}" > /etc/icinga2/zones.conf
echo "object ApiListener \"api\" {
accept_commands = true
accept_config = true
}" > /etc/icinga2/features-available/api.conf
# Enable API
icinga2 feature enable api
mkdir -p $api_certdir
cp $certdir/$nodename.crt $certdir/$nodename.key $certdir/ca.crt $api_certdir/
chown -R $icingauser:$icingauser $api_certdir/
# Next step
echo "
NOW
Run the following on the Icinga master:
fpr=\"\$(icinga2 ca list | tail -1 | cut -d '|' -f 1)\"
icinga2 ca sign \$fpr
THEN
Restart icinga2 on the agent:
\"systemctl restart icinga2\"
"
|
