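#!/bin/sh
#
# Configures an icinga2 agent (with on-demand CSR signing).
#
# Steps:
#   1. install the icinga2 packages
#   2. register the host with the Icinga Director self-service API
#   3. create the agent's key/CSR and submit it to the master; with
#      on-demand signing the request stays pending until an operator
#      signs it on the master
#   4. write icinga2.conf / zones.conf / api.conf and enable the API
#
# Fill in master_fqdn, apikey and displayname before running. Must run as
# root (writes under /etc/icinga2 and /var/lib/icinga2).
set -eu

# Print an error to stderr and exit 2 (the exit code the original used).
die() {
  printf 'error: %s\n' "$*" >&2
  exit 2
}

icingauser="nagios"
certdir="/etc/icinga2/pki"
api_certdir="/var/lib/icinga2/certs"
nodename="$(hostname)"
global_zone="director-global"
master_fqdn=""
# Scheme used to reach Icinga Web / Director. The self-service key is a
# bearer credential and travels in the URL (so it also ends up in access
# logs of every proxy on the path); keep this https and only set it to
# http if the master really has no TLS and the network is trusted.
master_scheme="https"
# SHA256 fingerprint of the master's certificate as printed by
#   openssl x509 -noout -fingerprint -sha256 -in <master cert>
# Optional but recommended: without it `pki save-cert` below trusts
# whatever certificate the first connection returns.
master_cert_fingerprint=""
# Interface whose addresses are reported to the Director. Autodetected
# (interface index 2, i.e. the first one after loopback) when empty.
dev=""

[ -n "$master_fqdn" ] || die "master_fqdn is not set"

# Install packages (apt-get is the stable CLI for scripted use)
apt-get install -y icinga2 monitoring-plugins monitoring-plugins-contrib

# Register with master via self-service API
apikey=""
displayname=""
[ -n "$apikey" ] || die "apikey is not set"

# Not pretty but gets the job done: assume interface index 2 is the primary NIC
if [ -z "$dev" ]; then
  dev="$(ip link | grep '^2:' | head -n1 | cut -d':' -f2 | tr -d ' ')"
fi
[ -n "$dev" ] || die "could not determine the network interface (set dev=)"
# First address only: the JSON body below cannot carry several lines,
# and an interface usually has more than one IPv6 address. Restrict IPv6
# to global scope so link-local addresses are not reported.
ipv4="$(ip -o -4 addr show dev "$dev" | awk '{print $4}' | cut -d'/' -f1 | head -n1)"
ipv6="$(ip -o -6 addr show dev "$dev" scope global | awk '{print $4}' | cut -d'/' -f1 | head -n1)"

# name and key are not URL-encoded; fine for plain hostnames and
# Director-generated keys, revisit if either can contain '&', '#' or '%'.
# displayname is pasted into the JSON body unescaped: keep it free of '"' and '\'.
register_url="$master_scheme://$master_fqdn/icingaweb2/director/self-service/register-host?name=$nodename&key=$apikey"
if ! result="$(curl -sS "$register_url" \
    -H "Accept: application/json" \
    -X "POST" \
    -d "{\"display_name\":\"$displayname\",\"address\":\"$ipv4\",\"address6\":\"$ipv6\"}")"; then
  # curl itself failed (DNS, connection, TLS); the old grep-only check
  # would have silently continued here.
  die "unable to reach $master_fqdn to register host"
fi
if printf '%s\n' "$result" | grep -q -F 'error'; then
  printf '%s\n' "$result" >&2
  die "unable to register with master (is the api key correct?)"
fi

# Initialize PKI with master. The CN must equal NodeName, otherwise the
# master cannot match this certificate to the endpoint object.
icinga2 pki new-cert \
  --cn "$nodename" \
  --cert "$certdir/$nodename.crt" \
  --csr "$certdir/$nodename.csr" \
  --key "$certdir/$nodename.key"

# Fetch the master's certificate. This is trust-on-first-use: nothing here
# authenticates the peer, so the fingerprint check that follows is what
# stops a man-in-the-middle from handing us a rogue "master" to request a
# certificate from (and, via accept_config/accept_commands below, to run
# commands on this host).
icinga2 pki save-cert \
  --host "$master_fqdn" \
  --port 5665 \
  --key "$certdir/$nodename.key" \
  --trustedcert "$certdir/trusted-master.crt"
if [ -n "$master_cert_fingerprint" ]; then
  command -v openssl >/dev/null || die "openssl is required to verify master_cert_fingerprint"
  got="$(openssl x509 -noout -fingerprint -sha256 -in "$certdir/trusted-master.crt" | cut -d'=' -f2)"
  # Compare case-insensitively; openssl prints upper-case hex, operators copy either.
  if [ "$(printf '%s' "$got" | tr '[:lower:]' '[:upper:]')" != \
       "$(printf '%s' "$master_cert_fingerprint" | tr '[:lower:]' '[:upper:]')" ]; then
    rm -f -- "$certdir/trusted-master.crt"
    die "master certificate fingerprint mismatch (got $got); not continuing"
  fi
else
  printf 'warning: master_cert_fingerprint not set, trusting certificate of %s unverified\n' "$master_fqdn" >&2
fi

# Submit the CSR. With on-demand signing the master answers "pending" until
# an operator runs `icinga2 ca sign`, and `pki request` reports that reply
# as an error, so its exit status is not treated as fatal here
# (TODO confirm the exit code against the installed icinga2 version).
if ! icinga2 pki request \
    --host "$master_fqdn" \
    --port 5665 \
    --key "$certdir/$nodename.key" \
    --cert "$certdir/$nodename.crt" \
    --trustedcert "$certdir/trusted-master.crt" \
    --ca "$certdir/ca.crt"; then
  printf 'note: pki request did not return a signed certificate yet (pending approval?)\n' >&2
fi

# Deploy config files
cat <<EOF > /etc/icinga2/icinga2.conf
include "constants.conf"
const NodeName = "$nodename"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>
EOF

cat <<EOF > /etc/icinga2/zones.conf
object Endpoint "$nodename" {}
object Zone "$nodename" {
  parent = "$master_fqdn"
  endpoints = [ "$nodename" ]
}
object Zone "$master_fqdn" {
  endpoints = [ "$master_fqdn" ]
}
object Endpoint "$master_fqdn" {
  host = "$master_fqdn"
}
object Zone "$global_zone" {
  global = true
}
EOF

# accept_config/accept_commands let the (now trusted) master push
# configuration and execute checks on this host as $icingauser. That is
# normal for an agent, but it is why the master certificate must be
# verified above rather than trusted blindly.
cat <<EOF > /etc/icinga2/features-available/api.conf
object ApiListener "api" {
  accept_commands = true
  accept_config = true
}
EOF

# Enable API
icinga2 feature enable api
mkdir -p -- "$api_certdir"
cp -- "$certdir/$nodename.crt" "$certdir/$nodename.key" "$api_certdir/"
# ca.crt is only present once the master returned it; do not abort if the
# request is still pending, the operator will restart icinga2 after signing.
if [ -f "$certdir/ca.crt" ]; then
  cp -- "$certdir/ca.crt" "$api_certdir/"
else
  printf 'note: %s/ca.crt not present yet; it is fetched when the request is signed\n' "$certdir" >&2
fi
chown -R "$icingauser:$icingauser" "$api_certdir/"
# The private key must not be readable by anyone but the daemon user/root.
chmod 0600 -- "$certdir/$nodename.key" "$api_certdir/$nodename.key"

# Next step
cat <<EOF

NOW
Run the following on the Icinga master. On-demand signing exists so that
an operator approves each request: do not sign the last line of
'icinga2 ca list' blindly, check that the Subject is this node and that
the request arrived just now:
  icinga2 ca list | grep -F -- "$nodename"
  icinga2 ca sign <fingerprint shown by the line above>
THEN
Restart icinga2 on the agent:
  systemctl restart icinga2

EOF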