Diffstat (limited to 'scripts/hostclass')
-rw-r--r-- | scripts/hostclass/icinga_server | 63 | ||||
-rw-r--r-- | scripts/hostclass/radius_server | 28 |
2 files changed, 68 insertions, 23 deletions
diff --git a/scripts/hostclass/icinga_server b/scripts/hostclass/icinga_server
index 75ef7b8..2f13e82 100644
--- a/scripts/hostclass/icinga_server
+++ b/scripts/hostclass/icinga_server
@@ -9,16 +9,35 @@
 : ${icingaweb_dbhost:="$postgres_host"}
 : ${icingaweb_dbname:='icingaweb'}
 : ${icingaweb_access_role:='icinga-access'}
-
 # Note that icinga does not support nested groups.
 : ${icingaweb_admin_groups:=''}
+: ${icinga_fqdn:="$fqdn"}
+: ${icinga_notification_mail_from:="Icinga <icinga-noreply@${email_domain}>"}
+: ${icinga_notification_mail_to:="changeme@${email_domain}"}
+
+: ${icinga_smtp_mail_from:="${icinga_username}@${fqdn}"}
+: ${icinga_smtp_rcpt_to:="someuser@${email_domain}"}
+: ${icinga_lmtp_rcpt_to:='someuser'}
+: ${icinga_upstream_ping_address:='8.8.8.8'}
+: ${icinga_upstream_packet_loss_warn:='5'}
+: ${icinga_upstream_packet_loss_crit:='15'}
+: ${icinga_upstream_latency_warn:='250'}
+: ${icinga_upstream_latency_crit:='500'}
+: ${icinga_upstream_packet_count:='5'}
+: ${icinga_mailq_warn:='1'}
+: ${icinga_mailq_crit:='5'}
+: ${icinga_cert_days_warn:='30'}
+: ${icinga_cert_days_crit:='20'}
+: ${icinga_response_time_warn:='0.5'}
+: ${icinga_response_time_crit:='1.0'}
 
-icinga_local_user=icinga
 icinga_dn="uid=${icinga_username},${robots_basedn}"
 icinga_conf_dir=/usr/local/etc/icinga2
 icinga_data_dir=/var/lib/icinga2
 icinga_cert_dir="${icinga_data_dir}/certs"
 icinga_ca_dir="${icinga_data_dir}/ca"
+icinga_tls_client_cert="${icinga_home_dir}/${icinga_username}.crt"
+icinga_tls_client_key="${icinga_home_dir}/${icinga_username}.key"
 icingadb_conf_dir=/usr/local/etc/icingadb
 icingaweb_api_username=icingaweb2
 icingaweb_https_cert="${nginx_conf_dir}/icingaweb.crt"
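Review bot: The new defaults `icinga_notification_mail_to:="changeme@${email_domain}"`, `icinga_smtp_rcpt_to:="someuser@${email_domain}"` and `icinga_lmtp_rcpt_to:='someuser'` are placeholders, so a host that forgets to set them provisions cleanly but sends notifications and mail-check probes to addresses that do not exist. If these values are meant to be site-supplied, failing early is safer than a silent default, e.g. `: "${icinga_notification_mail_to:?icinga_notification_mail_to must be set}"` with the same treatment for the two rcpt_to variables; if a default really is intended, a comment saying these are meant to be overridden would at least make that visible. `icinga_local_user=icinga` is dropped here while `$icinga_local_user` is still used further down this file (the `pw user mod` and `install_*` calls in the later hunks), and `icinga_home_dir` is used without being defined in this hunk, so both presumably now come from a shared include; worth confirming that include is sourced before this point.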
@@ -64,7 +83,12 @@ pkg install -y \
 icingaweb2-php${php_version} \
 icingaweb2-module-icingadb-php${php_version} \
 nginx \
- redis
+ redis \
+ wpa_supplicant
+
+# Fix icinga's home directory. ports/UIDs file is wrong.
+pw user mod "$icinga_local_user" -d "$icinga_home_dir"
+rm -rf /var/spool/icinga
 
 # Create dataset for icinga state directory
 create_dataset -o "mountpoint=${icinga_data_dir}" "${state_dataset}/icinga"
@@ -138,14 +162,14 @@ install_template -m 0640 -g "$icinga_local_user" \
 "${icinga_conf_dir}/zones.conf" \
 "${icinga_conf_dir}/features-available/icingadb.conf" \
 "${icinga_conf_dir}/conf.d/users.conf" \
+ "${icinga_conf_dir}/conf.d/services.conf" \
+ "${icinga_conf_dir}/conf.d/notifications.conf" \
 "${icinga_conf_dir}/conf.d/hosts.conf"
 install_file -m 0640 -g "$icinga_local_user" \
 "${icinga_conf_dir}/conf.d/app.conf" \
 "${icinga_conf_dir}/conf.d/commands.conf" \
 "${icinga_conf_dir}/conf.d/downtimes.conf" \
 "${icinga_conf_dir}/conf.d/groups.conf" \
- "${icinga_conf_dir}/conf.d/notifications.conf" \
- "${icinga_conf_dir}/conf.d/services.conf" \
 "${icinga_conf_dir}/conf.d/templates.conf" \
 "${icinga_conf_dir}/conf.d/timeperiods.conf"
 
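Review bot: `rm -rf /var/spool/icinga` runs unconditionally right after `pw user mod "$icinga_local_user" -d "$icinga_home_dir"`, so if a site ever sets `icinga_home_dir` to `/var/spool/icinga` itself, the directory that was just assigned as the home is deleted. Guarding the removal on the two paths differing keeps the fix for the ports UIDs entry without that edge case, e.g. `[ "$icinga_home_dir" = /var/spool/icinga ] || rm -rf /var/spool/icinga`. The removal also discards anything already in the old spool directory, which is fine on a fresh host but deserves a comment if re-provisioning an existing one is supported. The `pkg install -y` command that the first lines of this hunk extend begins outside the hunk.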
@@ -220,13 +244,38 @@ sysrc -v \
 icinga2_flags="-DConfiguration.Concurrency=${icinga_threads}"
 service nginx restart
 service php_fpm restart
-
 service redis restart
 service icingadb restart > /dev/null 2>&1
 service myicinga2 restart
 
-# Create access role.
+# Create icingaweb access role.
 ldap_add "cn=${icingaweb_access_role},${roles_basedn}" <<EOF
 objectClass: groupOfMembers
 cn: ${icingaweb_access_role}
 EOF
+
+# Copy custom plugins.
+install_file -m 0555 /usr/local/libexec/nagios/check_eapol
+
+# Create wpa_supplicant file for radius checks.
+install_template -m 0640 -g "$icinga_local_user" "${icinga_home_dir}/eap-ttls-pap.conf"
+install_template -m 0640 -g "$icinga_local_user" "${icinga_home_dir}/eap-tls.conf"
+
+# Add icinga user to wifi access role.
+ldap_add "cn=${wifi_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${wifi_access_role}
+EOF
+ldap_add_attribute "cn=${wifi_access_role},${roles_basedn}" member "$icinga_dn"
+
+# Copy icinga client certificate.
+install_certificate -g "$icinga_local_user" icinga "$icinga_tls_client_cert"
+install_certificate_key -m 0640 -g "$icinga_local_user" icinga "$icinga_tls_client_key"
+
+# Copy icinga ssh key.
+install_directory -m 0755 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh"
+install_directory -m 0700 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/sockets"
+install_file -m 0600 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/id_ed25519"
+
+# Generate ssh client configuration.
+install_file -m 0600 -o "$icinga_local_user" -g "$icinga_local_user" "${icinga_home_dir}/.ssh/config"
diff --git a/scripts/hostclass/radius_server b/scripts/hostclass/radius_server
index bde1be2..842926a 100644
--- a/scripts/hostclass/radius_server
+++ b/scripts/hostclass/radius_server
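Review bot: The check_eapol plugin, the two wpa_supplicant profiles, the client certificate/key and the ssh key are all installed after `service myicinga2 restart`, so on a fresh host icinga2 starts with `services.conf`/`notifications.conf` (now templated in the hunk at line 162) pointing at files that do not exist yet, and checks fail until the next restart. Moving the new `install_*` blocks above the `sysrc`/restart section, or adding a final `service myicinga2 restart` after them, closes that window. Nothing here installs a `known_hosts` for the icinga user next to `.ssh/id_ed25519` and `.ssh/config`; if the templated `config` turns off host-key checking to compensate, that should be stated in the template and reviewed, since this key presumably lets the monitoring account log into other hosts. The `ldap_add "cn=${wifi_access_role},${roles_basedn}"` block is repeated verbatim in the last radius_server hunk below, so whichever hostclass provisions second relies on `ldap_add` tolerating an existing entry; either create the role in one place or add a comment stating that `ldap_add` is idempotent.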
@@ -22,27 +22,17 @@ freeradius_version=$(pkg info freeradius3 | awk '$1 == "Version" { print $3 }')
 install_directory -m 0755 "${freeradius_conf_dir}/certs"
 install_template -o "$freeradius_user" -g "$freeradius_user" -m 0640 \
 "${freeradius_conf_dir}/radiusd.conf" \
- "${freeradius_conf_dir}/mods-available/eap"
-rm -f "${freeradius_conf_dir}/sites-enabled/inner-tunnel"
+ "${freeradius_conf_dir}/mods-available/eap" \
+ "${freeradius_conf_dir}/mods-available/ldap" \
+ "${freeradius_conf_dir}/sites-available/inner-tunnel" \
+ "${freeradius_conf_dir}/clients.conf"
+ln -snfv '../mods-available/ldap' "${freeradius_conf_dir}/mods-enabled/ldap"
+ln -snfv '../sites-available/inner-tunnel' "${freeradius_conf_dir}/sites-enabled/inner-tunnel"
 
 # Copy TLS certificate for freeradius.
 install_certificate -g "$freeradius_user" freeradius "$freeradius_tls_cert"
 install_certificate_key -g "$freeradius_user" freeradius "$freeradius_tls_key"
 
-# Generate clients.conf.
-install -Cv -o "$freeradius_user" -g "$freeradius_user" -m 0660 /dev/null "${freeradius_conf_dir}/clients.conf"
-for client_name in $radius_clients; do
- eval "client_address=\$radius_${client_name}_address"
- eval "client_secret=\$radius_${client_name}_secret"
- cat <<EOF >> "${freeradius_conf_dir}/clients.conf"
-client ${client_name} {
- ipaddr = ${client_address}
- secret = ${client_secret}
-}
-
-EOF
-done
-
 # Create cache directories.
 install_directory -o "$freeradius_user" -g "$freeradius_user" -m 700 \
 "$freeradius_cache_dir" \
@@ -54,3 +44,9 @@ install_template -m 0644 /etc/cron.d/freeradius
 # Enable and start daemons.
 sysrc -v radiusd_enable=YES
 service radiusd restart
+
+# Create wifi access role.
+ldap_add "cn=${wifi_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${wifi_access_role}
+EOF
|
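Review bot: In the second hunk the wifi access role is created only after `service radiusd restart`; if the templated `mods-available/ldap` or `sites-available/inner-tunnel` installed in the first hunk authorizes users by membership of `cn=${wifi_access_role},${roles_basedn}`, radiusd is started against a group that does not exist yet on a fresh host, and EAP authentications fail until the next provisioning run. Moving the `ldap_add` block ahead of the restart, for example right after the `install_template` call that writes those files, removes the ordering dependency. Whether the templates actually reference the role is not visible in this diff, so treat this as something to confirm against the template sources.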