self-hosting/roles/icinga2_agent/tasks/main.yml


---
# Collect the master's default-IPv4 facts. delegate_facts stores them under
# the master's hostvars; the raw result is also kept in i2_master.
- name: Gather Icinga2 Master facts
  ansible.builtin.setup:
    gather_subset:
      - default_ipv4
  delegate_to: "{{ icinga2_master }}"
  delegate_facts: true
  register: i2_master
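# Render the nftables output rule for icinga2 traffic; the handler reloads
# nftables only when the rendered file actually changes.
- name: Allow outgoing icinga2
  become: true
  ansible.builtin.template:
    src: nftables/output.d/icinga2.conf.j2
    dest: /etc/nftables/output.d/icinga2.conf
    # Quoted so the mode is always read as the octal string 0640: an
    # unquoted leading-zero literal is an octal int under YAML 1.1 but a
    # decimal int (640) under YAML 1.2 parsers.
    mode: "0640"
  notify: Reload nftables service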
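# The certificate directory holds the agent's private key, so it is owned by
# the icinga2 service account and readable by nobody else.
- name: Make sure /var/lib/icinga2/certs directory exists
  become: true
  ansible.builtin.file:
    path: /var/lib/icinga2/certs
    state: directory
    owner: nagios
    group: nagios
    # Quoted so the mode is always read as the octal string 0700 (an
    # unquoted 0700 is decimal 700 under a YAML 1.2 parser).
    mode: "0700"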
# Generate the agent's own key pair and a self-signed certificate, named
# after the host. The task is skipped once the .crt file exists.
- name: Create local self-signed certificate
  become: true
  vars:
    agent_cert_base: "/var/lib/icinga2/certs/{{ ansible_hostname }}"
  ansible.builtin.command:
    creates: "{{ agent_cert_base }}.crt"
    # argv keeps every element a separate argument; nothing is re-split.
    argv:
      - icinga2
      - pki
      - new-cert
      - --cn
      - "{{ ansible_hostname }}"
      - --key
      - "{{ agent_cert_base }}.key"
      - --cert
      - "{{ agent_cert_base }}.crt"
# Download the master's certificate and store it as the trusted anchor that
# the node setup below uses. This is trust-on-first-use: nothing in this
# file compares the saved certificate's fingerprint against the master's
# real certificate. NOTE(review): an out-of-band fingerprint check before
# the setup step would close that gap.
- name: Request the master certificate
  become: true
  ansible.builtin.command:
    creates: /var/lib/icinga2/certs/trusted-master.crt
    argv:
      - icinga2
      - pki
      - save-cert
      - --host
      - "{{ icinga2_master }}"
      - --trustedcert
      - /var/lib/icinga2/certs/trusted-master.crt
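# Ask the master for this agent's enrolment ticket. The ticket is computed
# by the master from its ticket salt and the CN and authorises certificate
# issuance for that CN, so it is a secret: no_log keeps it out of verbose
# output and registered-result dumps. The command has no side effects,
# hence changed_when: false. With delegate_to, {{ ansible_hostname }} is
# still templated from the agent host's vars, not the master's.
- name: Generate ticket
  delegate_to: "{{ icinga2_master }}"
  become: true
  ansible.builtin.command:
    # argv instead of a cmd string: the CN is passed as one argument and
    # never re-split, matching the other command tasks in this file.
    argv:
      - icinga2
      - pki
      - ticket
      - --cn
      - "{{ ansible_hostname }}"
  changed_when: false
  # Failure output is hidden too; drop no_log temporarily when debugging.
  no_log: true
  register: ticketsalt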
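# Enrol this host as an agent of the master: the ticket from the previous
# task authorises the CSR, the saved trusted-master.crt pins the master,
# and --accept-config / --accept-commands let the parent zone push
# configuration and execute checks here. The ticket is passed on the
# command line, so no_log keeps it out of Ansible's verbose output (the
# trade-off is that a failing run shows no command output; drop no_log
# temporarily when debugging). The creates: guard relies on node setup
# writing /var/lib/icinga2/certs/ticket — presumably so, verify on upgrade.
- name: Setup agent node
  become: true
  ansible.builtin.command:
    creates: /var/lib/icinga2/certs/ticket
    argv:
      - icinga2
      - node
      - setup
      - --ticket
      - "{{ ticketsalt.stdout }}"
      - --cn
      - "{{ ansible_hostname }}"
      - --trustedcert
      - /var/lib/icinga2/certs/trusted-master.crt
      - --parent_host
      - "{{ icinga2_master }}"
      - --endpoint
      - "{{ icinga2_master }}"
      - --zone
      - "{{ ansible_hostname }}"
      - --parent_zone
      - master
      - --accept-config
      - --accept-commands
      - --disable-confd
  no_log: true
  notify: Restart icinga2 service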