
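---
# Open the host firewall for Icinga2 traffic in both directions with the master.
# One rule file is rendered into each per-direction nftables include directory;
# the notified handler reloads nftables so the rules take effect.
- name: Allow icinga2 to/from Master
  become: true
  ansible.builtin.template:
    src: "nftables/{{ item }}.d/icinga2.conf.j2"
    dest: "/etc/nftables/{{ item }}.d/icinga2.conf"
    # Quoted so every YAML parser hands Ansible the octal string unchanged
    # (unquoted 0640 is an int under YAML 1.1 and decimal 640 under 1.2;
    # ansible-lint flags it as risky-octal).
    mode: "0640"
  loop:
    - input
    - output
  notify: Reload nftables service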
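# Pin the master's name to its IPv4 address so the agent reaches it without DNS.
- name: Add Icinga2 Master to /etc/hosts
  become: true
  ansible.builtin.lineinfile:
    path: /etc/hosts
    # Match an existing entry for the master so a changed address replaces the
    # old line instead of appending a second, stale one (first match in
    # /etc/hosts would otherwise keep winning). Single quotes keep \s literal.
    regexp: '\s{{ icinga2_master | regex_escape }}$'
    line: "{{ hostvars[icinga2_master].ipv4_addr }}\t{{ icinga2_master }}"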
# Run the handler notified above ("Reload nftables service") now rather than at
# the end of the play, so the firewall already allows the connections the later
# tasks make to the master.
- name: Make sure nftables rules are reloaded
  ansible.builtin.meta: flush_handlers
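# Private key material lives here, so the directory is owner-only and owned by
# the nagios user/group.
- name: Make sure /var/lib/icinga2/certs directory exists
  become: true
  ansible.builtin.file:
    path: /var/lib/icinga2/certs
    state: directory
    owner: nagios
    group: nagios
    # Quoted octal string: portable across YAML 1.1/1.2 parsers (ansible-lint risky-octal).
    mode: "0700"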
# Generate this agent's key pair and self-signed certificate, named after the
# host. Skipped once the .crt exists, so the key is never silently replaced.
- name: Create local self-signed certificate
  become: true
  ansible.builtin.command:
    # NOTE(review): this runs as root via become; confirm the resulting key and
    # cert end up readable by the nagios user that owns the certs directory.
    argv:
      - icinga2
      - pki
      - new-cert
      - --cn
      - "{{ ansible_hostname }}"
      - --key
      - "/var/lib/icinga2/certs/{{ ansible_hostname }}.key"
      - --cert
      - "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"
    creates: "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"
# Fetch the master's certificate over the network and store it as the trusted
# cert used by the node setup below. This is trust-on-first-use: nothing in this
# task checks what was received, so a wrong certificate served at first contact
# would be trusted from then on. Verifying the stored certificate's fingerprint
# against a value known out-of-band, or distributing the master's certificate
# through Ansible instead of fetching it, would close that gap.
- name: Request the master certificate
  become: true
  ansible.builtin.command:
    argv:
      - icinga2
      - pki
      - save-cert
      - --trustedcert
      - /var/lib/icinga2/certs/trusted-master.crt
      - --host
      - "{{ icinga2_master }}"
    # Only fetched once; re-runs keep the previously stored certificate.
    creates: /var/lib/icinga2/certs/trusted-master.crt
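# Ask the master (delegated, as root) for a ticket for this agent's CN. The
# ticket is handed to "icinga2 node setup" later in this role, so it is a
# credential and must not land in task output or logs.
- name: Generate ticket
  delegate_to: "{{ icinga2_master }}"
  become: true
  ansible.builtin.command:
    # argv form, as in the other tasks: the hostname is passed as one argument
    # instead of being word-split from a command string.
    argv:
      - icinga2
      - pki
      - ticket
      - --cn
      - "{{ ansible_hostname }}"
  # Querying a ticket is read-only from Ansible's point of view.
  changed_when: false
  # Suppress the result (including stdout) from output and logs; note this also
  # hides stderr if the command fails.
  no_log: true
  register: ticketsalt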
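# Enrol this host as an agent of the master using the ticket obtained above and
# the trusted master certificate fetched earlier. Runs once (guarded by the
# ticket file the setup writes) and restarts icinga2 afterwards.
- name: Setup agent node
  become: true
  ansible.builtin.command:
    argv:
      - icinga2
      - node
      - setup
      - --ticket
      - "{{ ticketsalt.stdout }}"
      - --cn
      - "{{ ansible_hostname }}"
      - --trustedcert
      - /var/lib/icinga2/certs/trusted-master.crt
      - --parent_host
      - "{{ icinga2_master }}"
      - --endpoint
      - "{{ icinga2_master }}"
      - --zone
      - "{{ ansible_hostname }}"
      - --parent_zone
      - master
      - --accept-config
      - --accept-commands
      - --disable-confd
    creates: /var/lib/icinga2/certs/ticket
  # The ticket is part of argv, which the command module echoes back in its
  # result (always on failure, and with -v); keep it out of output and logs.
  # Trade-off: stderr is hidden too when this task fails.
  no_log: true
  notify: Restart icinga2 service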
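# Render the zone/endpoint layout for this agent and have icinga2 reload it.
- name: Copy zones.conf file
  become: true
  ansible.builtin.template:
    src: zones.conf.j2
    dest: /etc/icinga2/zones.conf
    owner: nagios
    group: nagios
    # Quoted octal string: portable across YAML 1.1/1.2 parsers (ansible-lint risky-octal).
    mode: "0644"
  notify: Reload icinga2 service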