Diffstat (limited to 'scripts/hostclass/icinga_server')
-rw-r--r-- | scripts/hostclass/icinga_server | 281 | ||||
-rw-r--r-- | scripts/hostclass/icinga_server/10-icingadb | 81 | ||||
-rw-r--r-- | scripts/hostclass/icinga_server/20-icinga2 | 96 | ||||
-rw-r--r-- | scripts/hostclass/icinga_server/30-icingaweb2 | 96 | ||||
-rw-r--r-- | scripts/hostclass/icinga_server/40-plugins | 36 |
5 files changed, 309 insertions, 281 deletions
diff --git a/scripts/hostclass/icinga_server b/scripts/hostclass/icinga_server
deleted file mode 100644
index 2f13e82..0000000
--- a/scripts/hostclass/icinga_server
+++ /dev/null
@@ -1,281 +0,0 @@
-#!/bin/sh
-
-: ${icinga_threads:="$nproc"}
-: ${icinga_dbname:='icinga'}
-: ${icinga_dbhost:="$postgres_host"}
-: ${icinga_password:='changeme'}
-: ${icinga_ticket_salt:='changeme'}
-: ${icingaweb_api_password:='changeme'}
-: ${icingaweb_dbhost:="$postgres_host"}
-: ${icingaweb_dbname:='icingaweb'}
-: ${icingaweb_access_role:='icinga-access'}
-# Note that icinga does not support nested groups.
-: ${icingaweb_admin_groups:=''}
-: ${icinga_fqdn:="$fqdn"}
-: ${icinga_notification_mail_from:="Icinga <icinga-noreply@${email_domain}>"}
-: ${icinga_notification_mail_to:="changeme@${email_domain}"}
-
-: ${icinga_smtp_mail_from:="${icinga_username}@${fqdn}"}
-: ${icinga_smtp_rcpt_to:="someuser@${email_domain}"}
-: ${icinga_lmtp_rcpt_to:='someuser'}
-: ${icinga_upstream_ping_address:='8.8.8.8'}
-: ${icinga_upstream_packet_loss_warn:='5'}
-: ${icinga_upstream_packet_loss_crit:='15'}
-: ${icinga_upstream_latency_warn:='250'}
-: ${icinga_upstream_latency_crit:='500'}
-: ${icinga_upstream_packet_count:='5'}
-: ${icinga_mailq_warn:='1'}
-: ${icinga_mailq_crit:='5'}
-: ${icinga_cert_days_warn:='30'}
-: ${icinga_cert_days_crit:='20'}
-: ${icinga_response_time_warn:='0.5'}
-: ${icinga_response_time_crit:='1.0'}
-
-icinga_dn="uid=${icinga_username},${robots_basedn}"
-icinga_conf_dir=/usr/local/etc/icinga2
-icinga_data_dir=/var/lib/icinga2
-icinga_cert_dir="${icinga_data_dir}/certs"
-icinga_ca_dir="${icinga_data_dir}/ca"
-icinga_tls_client_cert="${icinga_home_dir}/${icinga_username}.crt"
-icinga_tls_client_key="${icinga_home_dir}/${icinga_username}.key"
-icingadb_conf_dir=/usr/local/etc/icingadb
-icingaweb_api_username=icingaweb2
-icingaweb_https_cert="${nginx_conf_dir}/icingaweb.crt"
-icingaweb_https_key="${nginx_conf_dir}/icingaweb.key"
-icingaweb_install_dir=/usr/local/www/icingaweb2
-icingaweb_webroot="${icingaweb_install_dir}/public"
-icingaweb_conf_dir=/usr/local/etc/icingaweb2
-icingaweb_fpm_socket=/var/run/fpm-icingaweb.sock
-icingaweb_client_keytab="${keytab_dir}/icingaweb.client.keytab"
-nginx_keytab="${keytab_dir}/nginx.keytab"
-redis_user=redis
-redis_data_dir=/var/db/redis
-redis_sock=/var/run/redis/redis.sock
-redis_port=6379
-redis_data_dir=/var/db/redis
-
-icinga_psql(){
- KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME="$icingaweb_client_keytab" \
- psql \
- --quiet --no-align --tuples-only --echo-all \
- --host="$icinga_dbhost" \
- --dbname="$icinga_dbname" \
- --username="$icinga_username" \
- --no-password \
- "$@"
-}
-
-icingaweb_psql(){
- KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME="$icingaweb_client_keytab" \
- psql \
- --quiet --no-align --tuples-only --echo-all \
- --host="$icingaweb_dbhost" \
- --dbname="$icingaweb_dbname" \
- --username="$icinga_username" \
- --no-password \
- "$@"
-}
-
-# Install packages.
-pkg install -y \
- icinga2 \
- icingadb \
- icingaweb2-php${php_version} \
- icingaweb2-module-icingadb-php${php_version} \
- nginx \
- redis \
- wpa_supplicant
-
-# Fix icinga's home directory. ports/UIDs file is wrong.
-pw user mod "$icinga_local_user" -d "$icinga_home_dir"
-rm -rf /var/spool/icinga
-
-# Create dataset for icinga state directory
-create_dataset -o "mountpoint=${icinga_data_dir}" "${state_dataset}/icinga"
-install_directory -m 0755 -o "$icinga_local_user" -g "$icinga_local_user" "$icinga_data_dir"
-
-# Create icinga LDAP user, principal, and keytab.
-# Note that we have a separate userPassword attribute in LDAP because icingadb is
-# written in golang, and it's pq library does not build with GSSAPI support.
-# GSSAPI is supported by icingaweb2 via PHP's PDO, however, so we use it there.
-# We also need a userPassword attribute for icingaweb2 authn/authz.
-ldap_add "$icinga_dn" <<EOF
-objectClass: account
-objectClass: simpleSecurityObject
-uid: ${icinga_username}
-userPassword: {SSHA-512}
-EOF
-ldap_passwd "$icinga_dn" "$icinga_password"
-
-add_principal -nokey -x "dn=${icinga_dn}" "$icinga_username"
-ktadd -k "$icingaweb_client_keytab" "$icinga_username"
-chgrp "$nginx_user" "$icingaweb_client_keytab"
-chmod 640 "$icingaweb_client_keytab"
-nginx_uid=$(id -u "$nginx_user")
-install_directory -o "$nginx_user" -m 0700 "/var/krb5/user/${nginx_uid}"
-ln -snfv "$icingaweb_client_keytab" "/var/krb5/user/${nginx_uid}/client.keytab"
-
-# Create icinga postgres user and database.
-postgres_create_role "$icinga_dbhost" "$icinga_username"
-postgres_create_database "$icinga_dbhost" "$icinga_dbname" "$icinga_username"
-
-# Apply icinga database schema.
-if ! icinga_psql -c 'SELECT 1 FROM icingadb_schema'; then
- icinga_psql -f /usr/local/share/examples/icingadb/schema/pgsql/schema.sql
-fi
-
-# Generate icinga database configuration.
-install_template -g "${icinga_local_user}" -m 0640 "${icingadb_conf_dir}/config.yml"
-
-# Create ZFS dataset for Redis DBs.
-create_dataset -o "mountpoint=${redis_data_dir}" "${state_dataset}/redis"
-install_directory -m 0700 -o "$redis_user" "$redis_data_dir"
-
-# Generate redis configuration
-install_template -m 0644 /usr/local/etc/redis.conf
-
-# Add icinga user to redis group, so it can write to the redis unix socket.
-pw groupmod "$redis_user" -m "$icinga_local_user"
-
-# Generate icinga PKI.
-install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" \
- "$icinga_cert_dir" \
- "$icinga_ca_dir"
-[ -f "${icinga_ca_dir}/ca.crt" ] \
- || icinga2 pki new-ca
-[ -f "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" ] \
- || icinga2 pki new-cert --cn "$BOXCONF_HOSTNAME" --key "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.key" --csr "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr"
-[ -f "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.crt" ] \
- || icinga2 pki sign-csr --csr "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" --cert "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.crt"
-ln -snfv "${icinga_ca_dir}/ca.crt" "${icinga_cert_dir}/ca.crt"
-
-# Enable icinga modules.
-for module in api icingadb notification; do
- ln -snfv "../features-available/${module}.conf" "${icinga_conf_dir}/features-enabled/${module}.conf"
-done
-
-# Generate icinga configuration.
-install_template -m 0640 -g "$icinga_local_user" \
- "${icinga_conf_dir}/api-users.conf" \
- "${icinga_conf_dir}/constants.conf" \
- "${icinga_conf_dir}/icinga2.conf" \
- "${icinga_conf_dir}/zones.conf" \
- "${icinga_conf_dir}/features-available/icingadb.conf" \
- "${icinga_conf_dir}/conf.d/users.conf" \
- "${icinga_conf_dir}/conf.d/services.conf" \
- "${icinga_conf_dir}/conf.d/notifications.conf" \
- "${icinga_conf_dir}/conf.d/hosts.conf"
-install_file -m 0640 -g "$icinga_local_user" \
- "${icinga_conf_dir}/conf.d/app.conf" \
- "${icinga_conf_dir}/conf.d/commands.conf" \
- "${icinga_conf_dir}/conf.d/downtimes.conf" \
- "${icinga_conf_dir}/conf.d/groups.conf" \
- "${icinga_conf_dir}/conf.d/templates.conf" \
- "${icinga_conf_dir}/conf.d/timeperiods.conf"
-
-# Create icingaweb postgres user and database.
-postgres_create_database "$icingaweb_dbhost" "$icingaweb_dbname" "$icinga_username"
-
-# Apply icingaweb database schema.
-if ! icingaweb_psql -c 'SELECT 1 FROM icingaweb_schema'; then
- icingaweb_psql -f /usr/local/www/icingaweb2/schema/pgsql.schema.sql
-fi
-
-# Generate icingaweb configuration.
-find "$icinga_conf_dir" -name '*.sample' -delete
-install_directory -m 2770 -g "$nginx_user" \
- "$icingaweb_conf_dir" \
- "${icingaweb_conf_dir}/enabledModules" \
- "${icingaweb_conf_dir}/modules" \
- "${icingaweb_conf_dir}/modules/icingadb"
-install_template -m 0660 -g "$nginx_user" \
- "${icingaweb_conf_dir}/modules/icingadb/commandtransports.ini" \
- "${icingaweb_conf_dir}/modules/icingadb/config.ini" \
- "${icingaweb_conf_dir}/modules/icingadb/redis.ini" \
- "${icingaweb_conf_dir}/config.ini" \
- "${icingaweb_conf_dir}/resources.ini" \
- "${icingaweb_conf_dir}/authentication.ini" \
- "${icingaweb_conf_dir}/groups.ini" \
- "${icingaweb_conf_dir}/roles.ini"
-ln -snfv "${icingaweb_install_dir}/modules/icingadb" "${icingaweb_conf_dir}/enabledModules/icingadb"
-
-# Generate nginx configuration.
-install_file -m 0644 /usr/local/etc/nginx/fastcgi_params
-install_template -m 0644 \
- /usr/local/etc/nginx/nginx.conf \
- /usr/local/etc/nginx/vhosts.conf
-
-# Create HTTP service principal and keytab.
-add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
-ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
-chgrp "$nginx_user" "$nginx_keytab"
-chmod 640 "$nginx_keytab"
-
-# Generate php-fpm configuration.
-install_file -m 0644 \
- /usr/local/etc/php.ini \
- /usr/local/etc/php-fpm.conf
-install_template -m 0644 \
- /usr/local/etc/php-fpm.d/icingaweb.conf
-> /usr/local/etc/php-fpm.d/www.conf
-
-# Copy TLS certificate for nginx.
-install_certificate nginx "$icingaweb_https_cert"
-install_certificate_key nginx "$icingaweb_https_key"
-
-# Icinga spawns a number of threads based on the core count of the machine. On machines
-# with a large number of CPU cores, this can be undesirable (especially if run from a jail
-# with cpuset()).
-#
-# The thread count can be overriden with the -DConcurrency=N argument to icinga2.
-# Unfortunately, icinga2 rc script from ports does not have a way to override the
-# daemon arguments. So we have to copy over a custom one ("myicinga2").
-#
-# https://icinga.com/docs/icinga-2/latest/doc/15-troubleshooting/#try-reducing-concurrency-threads
-install_file -m 0555 /usr/local/etc/rc.d/myicinga2
-
-# Enable and start daemons.
-sysrc -v \
- nginx_enable=YES \
- php_fpm_enable=YES \
- redis_enable=YES \
- icingadb_enable=YES \
- myicinga2_enable=YES \
- icinga2_flags="-DConfiguration.Concurrency=${icinga_threads}"
-service nginx restart
-service php_fpm restart
-service redis restart
-service icingadb restart > /dev/null 2>&1
-service myicinga2 restart
-
-# Create icingaweb access role.
-ldap_add "cn=${icingaweb_access_role},${roles_basedn}" <<EOF
-objectClass: groupOfMembers
-cn: ${icingaweb_access_role}
-EOF
-
-# Copy custom plugins.
-install_file -m 0555 /usr/local/libexec/nagios/check_eapol
-
-# Create wpa_supplicant file for radius checks.
-install_template -m 0640 -g "$icinga_local_user" "${icinga_home_dir}/eap-ttls-pap.conf"
-install_template -m 0640 -g "$icinga_local_user" "${icinga_home_dir}/eap-tls.conf"
-
-# Add icinga user to wifi access role.
-ldap_add "cn=${wifi_access_role},${roles_basedn}" <<EOF
-objectClass: groupOfMembers
-cn: ${wifi_access_role}
-EOF
-ldap_add_attribute "cn=${wifi_access_role},${roles_basedn}" member "$icinga_dn"
-
-# Copy icinga client certificate.
-install_certificate -g "$icinga_local_user" icinga "$icinga_tls_client_cert"
-install_certificate_key -m 0640 -g "$icinga_local_user" icinga "$icinga_tls_client_key"
-
-# Copy icinga ssh key.
-install_directory -m 0755 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh"
-install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/sockets"
-install_file -m 0600 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/id_ed25519"
-
-# Generate ssh client configuration.
-install_file -m 0600 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/config"
diff --git a/scripts/hostclass/icinga_server/10-icingadb b/scripts/hostclass/icinga_server/10-icingadb
new file mode 100644
index 0000000..624ae58
--- /dev/null
+++ b/scripts/hostclass/icinga_server/10-icingadb
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+: ${icinga_password:='changeme'}
+: ${icinga_dbhost:="$postgres_host"}
+: ${icinga_dbname:='icinga'}
+
+icinga_dn="uid=${icinga_username},${robots_basedn}"
+icingaweb_client_keytab="${keytab_dir}/icingaweb.client.keytab"
+icingadb_conf_dir=/usr/local/etc/icingadb
+redis_user=redis
+redis_data_dir=/var/db/redis
+redis_sock=/var/run/redis/redis.sock
+redis_port=6379
+redis_data_dir=/var/db/redis
+
+icinga_psql(){
+ KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME="$icingaweb_client_keytab" \
+ psql \
+ --quiet --no-align --tuples-only --echo-all \
+ --host="$icinga_dbhost" \
+ --dbname="$icinga_dbname" \
+ --username="$icinga_username" \
+ --no-password \
+ "$@"
+}
+
+# Install packages.
+pkg install -y \
+ icingadb \
+ redis
+
+# Create icinga LDAP user, principal, and keytab.
+# Note that we have a separate userPassword attribute in LDAP because icingadb is
+# written in golang, and its pq library is not built with GSSAPI support.
+# GSSAPI *is* supported by icingaweb2 via PHP's PDO, however, so we use it there.
+# We also need a userPassword attribute for icingaweb2 LDAP binds.
+ldap_add "$icinga_dn" <<EOF
+objectClass: account
+objectClass: simpleSecurityObject
+uid: ${icinga_username}
+userPassword: {SSHA-512}
+EOF
+ldap_passwd "$icinga_dn" "$icinga_password"
+add_principal -nokey -x "dn=${icinga_dn}" "$icinga_username"
+
+ktadd -k "$icingaweb_client_keytab" "$icinga_username"
+chgrp "$nginx_user" "$icingaweb_client_keytab"
+chmod 640 "$icingaweb_client_keytab"
+nginx_uid=$(id -u "$nginx_user")
+install_directory -o "$nginx_user" -m 0700 "/var/krb5/user/${nginx_uid}"
+ln -snfv "$icingaweb_client_keytab" "/var/krb5/user/${nginx_uid}/client.keytab"
+
+# Create icinga postgres user and database.
+postgres_create_role "$icinga_dbhost" "$icinga_username"
+postgres_create_database "$icinga_dbhost" "$icinga_dbname" "$icinga_username"
+
+# Apply icinga database schema.
+if ! icinga_psql -c 'SELECT 1 FROM icingadb_schema'; then
+ icinga_psql -f /usr/local/share/examples/icingadb/schema/pgsql/schema.sql
+fi
+
+# Generate icinga database configuration.
+install_template -g "${icinga_local_user}" -m 0640 "${icingadb_conf_dir}/config.yml"
+
+# Create ZFS dataset for Redis DBs.
+create_dataset -o "mountpoint=${redis_data_dir}" "${state_dataset}/redis"
+install_directory -m 0700 -o "$redis_user" "$redis_data_dir"
+
+# Generate redis configuration
+install_template -m 0644 /usr/local/etc/redis.conf
+
+# Add icinga user to redis group, so it can write to the redis unix socket.
+pw groupmod "$redis_user" -m "$icinga_local_user"
+
+# Enable and start daemons for icingadb.
+sysrc -v \
+ redis_enable=YES \
+ icingadb_enable=YES
+
+service redis restart
+service icingadb restart > /dev/null 2>&1
diff --git a/scripts/hostclass/icinga_server/20-icinga2 b/scripts/hostclass/icinga_server/20-icinga2
new file mode 100644
index 0000000..19800e2
--- /dev/null
+++ b/scripts/hostclass/icinga_server/20-icinga2
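Review bot: The `: ${icinga_password:='changeme'}` default at the top of the file lets a run complete with a placeholder credential for the icinga robot account: `ldap_passwd "$icinga_dn" "$icinga_password"` writes it into the directory, and the `config.yml` template and icingaweb2's LDAP bind presumably consume the same value, so an operator who forgets the site-config override ends up with a monitoring server whose database and directory password is a well-known string. Nothing later in the file refuses the placeholder, so I would fail early: `: "${icinga_password:?icinga_password must be set in site config}"`, or, if a default must stay, `[ "$icinga_password" != changeme ] || { echo 'icinga_password is still changeme' >&2; exit 1; }` before the `ldap_add`. Passing the secret on the `ldap_passwd` command line also exposes it in process listings if that helper execs a client with it as an argument; worth checking against the helper's implementation. Separately, `service icingadb restart > /dev/null 2>&1` on the last line hides a failed start of the daemon this whole file configures; redirecting only stdout keeps the error visible.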
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+: ${icinga_threads:="$nproc"}
+: ${icinga_ticket_salt:='changeme'}
+
+# Check thresholds
+: ${icinga_fqdn:="$fqdn"}
+: ${icinga_notification_mail_from:="Icinga <icinga-noreply@${email_domain}>"}
+: ${icinga_notification_mail_to:="changeme@${email_domain}"}
+: ${icinga_smtp_mail_from:="${icinga_username}@${fqdn}"}
+: ${icinga_smtp_rcpt_to:="someuser@${email_domain}"}
+: ${icinga_lmtp_rcpt_to:='someuser'}
+: ${icinga_upstream_ping_address:='8.8.8.8'}
+: ${icinga_upstream_packet_loss_warn:='5'}
+: ${icinga_upstream_packet_loss_crit:='15'}
+: ${icinga_upstream_latency_warn:='250'}
+: ${icinga_upstream_latency_crit:='500'}
+: ${icinga_upstream_packet_count:='5'}
+: ${icinga_mailq_warn:='1'}
+: ${icinga_mailq_crit:='5'}
+: ${icinga_cert_days_warn:='30'}
+: ${icinga_cert_days_crit:='20'}
+: ${icinga_response_time_warn:='0.5'}
+: ${icinga_response_time_crit:='1.0'}
+
+icinga_conf_dir=/usr/local/etc/icinga2
+icinga_data_dir=/var/lib/icinga2
+icinga_cert_dir="${icinga_data_dir}/certs"
+icinga_ca_dir="${icinga_data_dir}/ca"
+icinga_plugin_dir=/usr/local/libexec/nagios
+icingaweb_api_username=icingaweb2
+
+# Install packages.
+pkg install -y icinga2
+
+# Fix icinga's home directory. ports/UIDs file is wrong.
+pw user mod "$icinga_local_user" -d "$icinga_home_dir"
+rm -rf /var/spool/icinga
+
+# Create dataset for icinga state directory.
+create_dataset -o "mountpoint=${icinga_data_dir}" "${state_dataset}/icinga"
+install_directory -m 0755 -o "$icinga_local_user" -g "$icinga_local_user" "$icinga_data_dir"
+
+# Generate icinga PKI.
+install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" \
+ "$icinga_cert_dir" \
+ "$icinga_ca_dir"
+[ -f "${icinga_ca_dir}/ca.crt" ] \
+ || icinga2 pki new-ca
+[ -f "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" ] \
+ || icinga2 pki new-cert --cn "$BOXCONF_HOSTNAME" --key "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.key" --csr "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr"
+[ -f "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.crt" ] \
+ || icinga2 pki sign-csr --csr "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.csr" --cert "${icinga_cert_dir}/${BOXCONF_HOSTNAME}.crt"
+ln -snfv "${icinga_ca_dir}/ca.crt" "${icinga_cert_dir}/ca.crt"
+
+# Enable icinga modules.
+for module in api icingadb notification; do
+ ln -snfv "../features-available/${module}.conf" "${icinga_conf_dir}/features-enabled/${module}.conf"
+done
+
+# Generate icinga configuration.
+find "$icinga_conf_dir" -name '*.sample' -delete
+install_template -m 0640 -g "$icinga_local_user" \
+ "${icinga_conf_dir}/api-users.conf" \
+ "${icinga_conf_dir}/constants.conf" \
+ "${icinga_conf_dir}/icinga2.conf" \
+ "${icinga_conf_dir}/zones.conf" \
+ "${icinga_conf_dir}/features-available/icingadb.conf" \
+ "${icinga_conf_dir}/conf.d/users.conf" \
+ "${icinga_conf_dir}/conf.d/services.conf" \
+ "${icinga_conf_dir}/conf.d/notifications.conf" \
+ "${icinga_conf_dir}/conf.d/hosts.conf"
+install_file -m 0640 -g "$icinga_local_user" \
+ "${icinga_conf_dir}/conf.d/app.conf" \
+ "${icinga_conf_dir}/conf.d/commands.conf" \
+ "${icinga_conf_dir}/conf.d/downtimes.conf" \
+ "${icinga_conf_dir}/conf.d/groups.conf" \
+ "${icinga_conf_dir}/conf.d/templates.conf" \
+ "${icinga_conf_dir}/conf.d/timeperiods.conf"
+
+# Icinga spawns a number of threads based on the core count of the machine. On machines
+# with a large number of CPU cores, this can be undesirable (especially if run from a jail
+# with cpuset()).
+#
+# The thread count can be overriden with the -DConcurrency=N argument to icinga2.
+# Unfortunately, icinga2 rc script from ports does not have a way to override the
+# daemon arguments. So we have to copy over a custom one ("myicinga2").
+#
+# https://icinga.com/docs/icinga-2/latest/doc/15-troubleshooting/#try-reducing-concurrency-threads
+install_file -m 0555 /usr/local/etc/rc.d/myicinga2
+
+# Enable and start icinga.
+sysrc -v \
+ myicinga2_enable=YES \
+ icinga2_flags="-DConfiguration.Concurrency=${icinga_threads}"
+service myicinga2 restart
diff --git a/scripts/hostclass/icinga_server/30-icingaweb2 b/scripts/hostclass/icinga_server/30-icingaweb2
new file mode 100644
index 0000000..6700d3e
--- /dev/null
+++ b/scripts/hostclass/icinga_server/30-icingaweb2
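Review bot: `: ${icinga_ticket_salt:='changeme'}` at the top of the file leaves the Icinga 2 ticket salt at a guessable value unless site config overrides it, and this is the file that creates the CA with `icinga2 pki new-ca`; assuming the `constants.conf` template writes the salt as `TicketSalt`, anyone who can reach the API port and knows a node's CN can derive a valid ticket and have that CA sign a certificate for the CN, which is the standard Icinga 2 auto-signing path. A guard before the `# Generate icinga PKI.` section would close that: `[ "$icinga_ticket_salt" != changeme ] || { echo 'icinga_ticket_salt must be overridden' >&2; exit 1; }`, or generate a random salt once and persist it under `$icinga_data_dir` alongside the CA. A smaller point: the comment block says the thread count is overridden with `-DConcurrency=N`, but the `sysrc` line passes `-DConfiguration.Concurrency=`; the comment should name the flag actually used so the next reader does not try the wrong one.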
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+: ${icingaweb_api_password:='changeme'}
+: ${icingaweb_dbhost:="$postgres_host"}
+: ${icingaweb_dbname:='icingaweb'}
+: ${icingaweb_access_role:='icinga-access'}
+
+# Note that icingaweb2 does not support nested groups.
+: ${icingaweb_admin_groups:=''}
+
+icingaweb_https_cert="${nginx_conf_dir}/icingaweb.crt"
+icingaweb_https_key="${nginx_conf_dir}/icingaweb.key"
+icingaweb_install_dir=/usr/local/www/icingaweb2
+icingaweb_webroot="${icingaweb_install_dir}/public"
+icingaweb_conf_dir=/usr/local/etc/icingaweb2
+icingaweb_fpm_socket=/var/run/fpm-icingaweb.sock
+nginx_keytab="${keytab_dir}/nginx.keytab"
+
+icingaweb_psql(){
+ KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME="$icingaweb_client_keytab" \
+ psql \
+ --quiet --no-align --tuples-only --echo-all \
+ --host="$icingaweb_dbhost" \
+ --dbname="$icingaweb_dbname" \
+ --username="$icinga_username" \
+ --no-password \
+ "$@"
+}
+
+# Install packages.
+pkg install -y \
+ icingaweb2-php${php_version} \
+ icingaweb2-module-icingadb-php${php_version} \
+ nginx
+
+# Create icingaweb postgres user and database.
+postgres_create_database "$icingaweb_dbhost" "$icingaweb_dbname" "$icinga_username"
+
+# Apply icingaweb database schema.
+if ! icingaweb_psql -c 'SELECT 1 FROM icingaweb_schema'; then
+ icingaweb_psql -f /usr/local/www/icingaweb2/schema/pgsql.schema.sql
+fi
+
+# Generate icingaweb configuration.
+install_directory -m 2770 -g "$nginx_user" \
+ "$icingaweb_conf_dir" \
+ "${icingaweb_conf_dir}/enabledModules" \
+ "${icingaweb_conf_dir}/modules" \
+ "${icingaweb_conf_dir}/modules/icingadb"
+install_template -m 0660 -g "$nginx_user" \
+ "${icingaweb_conf_dir}/modules/icingadb/commandtransports.ini" \
+ "${icingaweb_conf_dir}/modules/icingadb/config.ini" \
+ "${icingaweb_conf_dir}/modules/icingadb/redis.ini" \
+ "${icingaweb_conf_dir}/config.ini" \
+ "${icingaweb_conf_dir}/resources.ini" \
+ "${icingaweb_conf_dir}/authentication.ini" \
+ "${icingaweb_conf_dir}/groups.ini" \
+ "${icingaweb_conf_dir}/roles.ini"
+ln -snfv "${icingaweb_install_dir}/modules/icingadb" "${icingaweb_conf_dir}/enabledModules/icingadb"
+
+# Generate nginx configuration.
+install_file -m 0644 /usr/local/etc/nginx/fastcgi_params
+install_template -m 0644 \
+ /usr/local/etc/nginx/nginx.conf \
+ /usr/local/etc/nginx/vhosts.conf
+
+# Create HTTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$nginx_keytab"
+chmod 640 "$nginx_keytab"
+
+# Generate php-fpm configuration.
+install_file -m 0644 \
+ /usr/local/etc/php.ini \
+ /usr/local/etc/php-fpm.conf
+install_template -m 0644 \
+ /usr/local/etc/php-fpm.d/icingaweb.conf
+> /usr/local/etc/php-fpm.d/www.conf
+
+# Copy TLS certificate for nginx.
+install_certificate nginx "$icingaweb_https_cert"
+install_certificate_key nginx "$icingaweb_https_key"
+
+# Enable and start daemons.
+sysrc -v \
+ nginx_enable=YES \
+ php_fpm_enable=YES
+service nginx restart
+service php_fpm restart
+
+# Create icingaweb access role.
+ldap_add "cn=${icingaweb_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${icingaweb_access_role}
+EOF
diff --git a/scripts/hostclass/icinga_server/40-plugins b/scripts/hostclass/icinga_server/40-plugins
new file mode 100644
index 0000000..a0fb36a
--- /dev/null
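Review bot: `icingaweb_psql` reads `$icingaweb_client_keytab`, which this file never sets; after the split it is assigned only in 10-icingadb, so the schema check works only when the hostclass scripts are sourced into one shell in order, and run on its own `KRB5_CLIENT_KTNAME` is empty and the GSSAPI bind fails or falls back to whatever default keytab the library finds. Either repeat the assignment here, `icingaweb_client_keytab="${keytab_dir}/icingaweb.client.keytab"` next to `nginx_keytab=`, or assert it with `: "${icingaweb_client_keytab:?set by 10-icingadb}"` so the dependency is explicit. The `install_directory -m 2770 -g "$nginx_user"` and `install_template -m 0660` lines also deserve a comment: they make `authentication.ini`, `roles.ini` and `resources.ini` writable by the `$nginx_user` group, which the php-fpm pool presumably runs as, so a compromised web worker can grant itself roles; if that is the upstream icingaweb2 layout being followed on purpose, say so, otherwise 0640 for the files the UI does not edit would be tighter. The `icingaweb_api_password` default of `changeme` has the same placeholder problem as the other defaults in this series and should be rejected or required rather than silently accepted.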
+++ b/scripts/hostclass/icinga_server/40-plugins
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# These are used for RADIUS authentication checks.
+icinga_tls_client_cert="${icinga_home_dir}/${icinga_username}.crt"
+icinga_tls_client_key="${icinga_home_dir}/${icinga_username}.key"
+
+# Install package dependencies for custom plugins.
+pkg install -y \
+ wpa_supplicant
+
+# Copy custom plugins.
+install_file -m 0555 \
+ "${icinga_plugin_dir}/check_eapol"
+
+# Create wpa_supplicant file for radius checks.
+install_template -m 0640 -g "$icinga_local_user" "${icinga_home_dir}/eap-ttls-pap.conf"
+install_template -m 0640 -g "$icinga_local_user" "${icinga_home_dir}/eap-tls.conf"
+
+# Add icinga user to wifi access role.
+ldap_add "cn=${wifi_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${wifi_access_role}
+EOF
+ldap_add_attribute "cn=${wifi_access_role},${roles_basedn}" member "$icinga_dn"
+
+# Copy icinga client certificate.
+install_certificate -g "$icinga_local_user" icinga "$icinga_tls_client_cert"
+install_certificate_key -m 0640 -g "$icinga_local_user" icinga "$icinga_tls_client_key"
+
+# Copy icinga ssh key.
+install_directory -m 0755 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh"
+install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/sockets"
+install_file -m 0600 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/id_ed25519"
+
+# Generate ssh client configuration.
+install_file -m 0600 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/config"
|
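Review bot: `install_file -m 0555 "${icinga_plugin_dir}/check_eapol"` and `ldap_add_attribute "cn=${wifi_access_role},${roles_basedn}" member "$icinga_dn"` rely on `icinga_plugin_dir` and `icinga_dn`, which are set in 20-icinga2 and 10-icingadb respectively and nowhere in this file; if the hostclass scripts are ever run individually the first expands to `/check_eapol` and the second adds an empty `member` value, and whether that is rejected depends on the helper. Defining both locally, `icinga_plugin_dir=/usr/local/libexec/nagios` and `icinga_dn="uid=${icinga_username},${robots_basedn}"`, or guarding with `: "${icinga_dn:?set by 10-icingadb}"` would make this file self-contained like the other three. The `wifi_access_role` membership also deserves a comment, something like `# NOTE: this makes the monitoring robot a real RADIUS/wifi principal with whatever that role grants; it exists only so check_eapol can authenticate.`, because a privilege grant is easy to miss in a plugin-setup script. `wifi_access_role` itself has no default here and, if unset, produces the DN `cn=,${roles_basedn}` for the `ldap_add`, so a `:?` guard on it is worth adding as well.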