self-hosting/roles/icinga2_agent/tasks/main.yml

---

- name: Allow icinga2 to/from Master
  become: true
  ansible.builtin.template:
    src: "nftables/{{ item }}.d/icinga2.conf.j2"
    dest: "/etc/nftables/{{ item }}.d/icinga2.conf"
    mode: 0640
  loop:
    - input
    - output
  notify: Reload nftables service

- name: Add Icinga2 Master to /etc/hosts
  become: true
  ansible.builtin.lineinfile:
    path: /etc/hosts
    line: "{{ hostvars[icinga2_master].ipv4_addr }}\t{{ icinga2_master }}"

- name: Make sure nftables rules are reloaded
  ansible.builtin.meta: flush_handlers

- name: Make sure /var/lib/icinga2/certs directory exists
  become: true
  ansible.builtin.file:
    path: /var/lib/icinga2/certs
    state: directory
    owner: nagios
    group: nagios
    mode: 0700

- name: Create local self-signed certificate
  become: true
  ansible.builtin.command:
    argv:
      - icinga2
      - pki
      - new-cert
      - --cn
      - "{{ ansible_hostname }}"
      - --key
      - "/var/lib/icinga2/certs/{{ ansible_hostname }}.key"
      - --cert
      - "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"
    creates: "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"

- name: Request the master certificate
  become: true
  ansible.builtin.command:
    argv:
      - icinga2
      - pki
      - save-cert
      - --trustedcert
      - /var/lib/icinga2/certs/trusted-master.crt
      - --host
      - "{{ icinga2_master }}"
    creates: /var/lib/icinga2/certs/trusted-master.crt

- name: Generate ticket
  delegate_to: "{{ icinga2_master }}"
  become: true
  ansible.builtin.command:
    cmd: icinga2 pki ticket --cn {{ ansible_hostname }}
  changed_when: false
  register: ticketsalt

- name: Setup agent node
  become: true
  ansible.builtin.command:
    argv:
      - icinga2
      - node
      - setup
      - --ticket
      - "{{ ticketsalt.stdout }}"
      - --cn
      - "{{ ansible_hostname }}"
      - --trustedcert
      - /var/lib/icinga2/certs/trusted-master.crt
      - --parent_host
      - "{{ icinga2_master }}"
      - --endpoint
      - "{{ icinga2_master }}"
      - --zone
      - "{{ ansible_hostname }}"
      - --parent_zone
      - master
      - --accept-config
      - --accept-commands
      - --disable-confd
    creates: /var/lib/icinga2/certs/ticket
  notify: Restart icinga2 service

- name: Copy zones.conf file
  become: true
  ansible.builtin.template:
    src: zones.conf.j2
    dest: /etc/icinga2/zones.conf
    owner: nagios
    group: nagios
    mode: 0644
  notify: Reload icinga2 service
Create local cert for icinga2 agent 2025-01-12 11:38:58 +01:00			`---`

Allow icinga2 connections in both directions 2025-01-19 19:23:40 +01:00			`- name: Allow icinga2 to/from Master`
Create local cert for icinga2 agent 2025-01-12 11:38:58 +01:00			`become: true`
Restrict nftables icinga2 master/agent rules to each other 2025-01-14 11:07:46 +01:00			`ansible.builtin.template:`
Allow icinga2 connections in both directions 2025-01-19 19:23:40 +01:00			`src: "nftables/{{ item }}.d/icinga2.conf.j2"`
			`dest: "/etc/nftables/{{ item }}.d/icinga2.conf"`
Create local cert for icinga2 agent 2025-01-12 11:38:58 +01:00			`mode: 0640`
Allow icinga2 connections in both directions 2025-01-19 19:23:40 +01:00			`loop:`
			`- input`
			`- output`
Create local cert for icinga2 agent 2025-01-12 11:38:58 +01:00			`notify: Reload nftables service`

Icinga2: Add each other to /etc/hosts 2025-01-14 11:25:27 +01:00			`- name: Add Icinga2 Master to /etc/hosts`
			`become: true`
			`ansible.builtin.lineinfile:`
			`path: /etc/hosts`
Use fixed addresses for accessing each host No need for ansible_facts.default_ipv4 which yields errors 2025-01-24 10:14:47 +01:00			`line: "{{ hostvars[icinga2_master].ipv4_addr }}\t{{ icinga2_master }}"`
Icinga2: Add each other to /etc/hosts 2025-01-14 11:25:27 +01:00
Need to reload nftables before requesting master cert 2025-01-24 10:43:19 +01:00			`- name: Make sure nftables rules are reloaded`
			`ansible.builtin.meta: flush_handlers`

Create local cert for icinga2 agent 2025-01-12 11:38:58 +01:00			`- name: Make sure /var/lib/icinga2/certs directory exists`
			`become: true`
			`ansible.builtin.file:`
			`path: /var/lib/icinga2/certs`
			`state: directory`
			`owner: nagios`
			`group: nagios`
			`mode: 0700`

			`- name: Create local self-signed certificate`
			`become: true`
			`ansible.builtin.command:`
Setup agent node 2025-01-12 12:20:14 +01:00			`argv:`
			`- icinga2`
			`- pki`
			`- new-cert`
			`- --cn`
			`- "{{ ansible_hostname }}"`
			`- --key`
			`- "/var/lib/icinga2/certs/{{ ansible_hostname }}.key"`
			`- --cert`
			`- "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"`
Create local cert for icinga2 agent 2025-01-12 11:38:58 +01:00			`creates: "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"`
Request master cert 2025-01-12 11:42:20 +01:00
			`- name: Request the master certificate`
			`become: true`
			`ansible.builtin.command:`
Setup agent node 2025-01-12 12:20:14 +01:00			`argv:`
			`- icinga2`
			`- pki`
			`- save-cert`
			`- --trustedcert`
			`- /var/lib/icinga2/certs/trusted-master.crt`
			`- --host`
			`- "{{ icinga2_master }}"`
Request master cert 2025-01-12 11:42:20 +01:00			`creates: /var/lib/icinga2/certs/trusted-master.crt`
Setup agent node 2025-01-12 12:20:14 +01:00
			`- name: Generate ticket`
			`delegate_to: "{{ icinga2_master }}"`
			`become: true`
			`ansible.builtin.command:`
			`cmd: icinga2 pki ticket --cn {{ ansible_hostname }}`
			`changed_when: false`
			`register: ticketsalt`

			`- name: Setup agent node`
			`become: true`
			`ansible.builtin.command:`
			`argv:`
			`- icinga2`
			`- node`
			`- setup`
			`- --ticket`
			`- "{{ ticketsalt.stdout }}"`
			`- --cn`
			`- "{{ ansible_hostname }}"`
			`- --trustedcert`
			`- /var/lib/icinga2/certs/trusted-master.crt`
			`- --parent_host`
			`- "{{ icinga2_master }}"`
			`- --endpoint`
			`- "{{ icinga2_master }}"`
			`- --zone`
			`- "{{ ansible_hostname }}"`
			`- --parent_zone`
			`- master`
			`- --accept-config`
			`- --accept-commands`
			`- --disable-confd`
			`creates: /var/lib/icinga2/certs/ticket`
			`notify: Restart icinga2 service`
Copy zones.conf with to connect endpoints of master/agent 2025-01-16 22:23:32 +01:00
			`- name: Copy zones.conf file`
			`become: true`
			`ansible.builtin.template:`
			`src: zones.conf.j2`
			`dest: /etc/icinga2/zones.conf`
			`owner: nagios`
			`group: nagios`
			`mode: 0644`
			`notify: Reload icinga2 service`