voxpupuli · lbetz · Feb 25, 2024 · Feb 25, 2024
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -8,7 +8,8 @@
 
 #### Public Classes
 
-* [`icinga::agent`](#icinga--agent): Setup a Icinga agent.
+* [`icinga::agent`](#icinga--agent): Setup an Icinga agent.
+* [`icinga::agentless`](#icinga--agentless): Setup an agentless monitoring via SSH.
 * [`icinga::db`](#icinga--db)
 * [`icinga::db::database`](#icinga--db--database): Setup database for IcingaDB.
 * [`icinga::ido`](#icinga--ido): Configure IDO Backend.
@@ -67,7 +68,7 @@ with or without TLS information.
 
 ### <a name="icinga--agent"></a>`icinga::agent`
 
-Setup a Icinga agent.
+Setup an Icinga agent.
 
 #### Parameters
 
@@ -139,6 +140,52 @@ and add the Icinga user to this group.
 
 Default value: `false`
 
+### <a name="icinga--agentless"></a>`icinga::agentless`
+
+Setup an agentless monitoring via SSH.
+
+#### Parameters
+
+The following parameters are available in the `icinga::agentless` class:
+
+* [`user`](#-icinga--agentless--user)
+* [`manage_user`](#-icinga--agentless--manage_user)
+* [`ssh_key_type`](#-icinga--agentless--ssh_key_type)
+* [`ssh_public_key`](#-icinga--agentless--ssh_public_key)
+* [`extra_packages`](#-icinga--agentless--extra_packages)
+
+##### <a name="-icinga--agentless--user"></a>`user`
+
+Data type: `String`
+
+User name to login.
+
+##### <a name="-icinga--agentless--manage_user"></a>`manage_user`
+
+Data type: `Boolean`
+
+Wether or not to manage user.
+
+##### <a name="-icinga--agentless--ssh_key_type"></a>`ssh_key_type`
+
+Data type: `Enum['ecdsa','ed25519','rsa']`
+
+SSH key type.
+
+##### <a name="-icinga--agentless--ssh_public_key"></a>`ssh_public_key`
+
+Data type: `String`
+
+Public SSH key of ´ssh_key_type´ for ´user´.
+
+##### <a name="-icinga--agentless--extra_packages"></a>`extra_packages`
+
+Data type: `Array[String]`
+
+Install extra packages such as plugins.
+
+Default value: `[]`
+
 ### <a name="icinga--db"></a>`icinga::db`
 
 The icinga::db class.
@@ -602,6 +649,8 @@ The following parameters are available in the `icinga::server` class:
 * [`logging_type`](#-icinga--server--logging_type)
 * [`logging_level`](#-icinga--server--logging_level)
 * [`run_web`](#-icinga--server--run_web)
+* [`ssh_private_key`](#-icinga--server--ssh_private_key)
+* [`ssh_key_type`](#-icinga--server--ssh_key_type)
 
 ##### <a name="-icinga--server--ca"></a>`ca`
 
@@ -721,6 +770,22 @@ and add the Icinga user to this group.
 
 Default value: `false`
 
+##### <a name="-icinga--server--ssh_private_key"></a>`ssh_private_key`
+
+Data type: `Optional[Icinga::Secret]`
+
+The private key to install.
+
+Default value: `undef`
+
+##### <a name="-icinga--server--ssh_key_type"></a>`ssh_key_type`
+
+Data type: `Enum['ecdsa','ed25519','rsa']`
+
+SSH key type.
+
+Default value: `rsa`
+
 ### <a name="icinga--web"></a>`icinga::web`
 
 Setup Icinga Web 2 including a database backend for user settings,
@@ -1769,6 +1834,8 @@ The following parameters are available in the `icinga::worker` class:
 * [`logging_type`](#-icinga--worker--logging_type)
 * [`logging_level`](#-icinga--worker--logging_level)
 * [`run_web`](#-icinga--worker--run_web)
+* [`ssh_private_key`](#-icinga--worker--ssh_private_key)
+* [`ssh_key_type`](#-icinga--worker--ssh_key_type)
 
 ##### <a name="-icinga--worker--ca_server"></a>`ca_server`
 
@@ -1842,6 +1909,22 @@ and add the Icinga user to this group.
 
 Default value: `false`
 
+##### <a name="-icinga--worker--ssh_private_key"></a>`ssh_private_key`
+
+Data type: `Optional[Icinga::Secret]`
+
+The private key to install.
+
+Default value: `undef`
+
+##### <a name="-icinga--worker--ssh_key_type"></a>`ssh_key_type`
+
+Data type: `Enum['ecdsa','ed25519','rsa']`
+
+SSH key type.
+
+Default value: `rsa`
+
 ## Defined types
 
 ### <a name="icinga--cert"></a>`icinga::cert`

diff --git a/data/common.yaml b/data/common.yaml
@@ -18,3 +18,7 @@ icinga::worker::logging_level: warning
 
 icinga::agent::logging_type: file
 icinga::agent::logging_level: warning
+
+icinga::agentless::user: icinga
+icinga::agentless::manage_user: true
+icinga::agentless::ssh_key_type: rsa
diff --git a/manifests/agent.pp b/manifests/agent.pp
@@ -1,5 +1,5 @@
 # @summary
-#   Setup a Icinga agent.
+#   Setup an Icinga agent.
 #
 # @param ca_server
 #   The CA to send the certificate request to.

diff --git a/manifests/agentless.pp b/manifests/agentless.pp
@@ -0,0 +1,80 @@
+# @summary
+#   Setup an agentless monitoring via SSH.
+#
+# @param user
+#   User name to login.
+#
+# @param manage_user
+#   Wether or not to manage user.
+#
+# @param ssh_key_type
+#   SSH key type.
+#
+# @param ssh_public_key
+#   Public SSH key of ´ssh_key_type´ for ´user´.
+#
+# @param extra_packages
+#   Install extra packages such as plugins.
+#
+class icinga::agentless (
+  String                        $user,
+  Boolean                       $manage_user,
+  Enum['ecdsa','ed25519','rsa'] $ssh_key_type,
+  String                        $ssh_public_key,
+  Array[String]                 $extra_packages = [],
+) {
+  if defined(Class['icinga']) {
+    if $user != $icinga2::globals::user {
+      $user_name  = $user
+      $user_group = undef
+      $user_home  = "/home/${user}"
+    } else {
+      $user_name  = $icinga2::globals::user
+      $user_group = $icinga2::globals::group
+      $user_home  = $icinga::icinga_user_homedir
+
+      file { "/home/${user}":
+        ensure  => absent,
+        recurse => true,
+        force   => true,
+      }
+    }
+
+    if $manage_user { User[$user_name] -> Package[$icinga2::globals::package_name] }
+    Package[$icinga2::globals::package_name] -> Ssh_authorized_key["${user_name}@${$facts['networking']['fqdn']}"]
+  } else {
+    $user_name  = $user
+    $user_group = if $facts['os']['family'] != 'suse' { undef } else { $user }
+    $user_home  = "/home/${user}"
+  }
+
+  if $manage_user {
+    if $facts['os']['family'] == 'suse' {
+      group { $user_group:
+        system => true,
+      }
+    }
+
+    user { $user_name:
+      ensure     => present,
+      gid        => $user_group,
+      system     => true,
+      managehome => true,
+      home       => $user_home,
+      shell      => '/bin/bash',
+    }
+  }
+
+  ssh_authorized_key { "${user_name}@${$facts['networking']['fqdn']}":
+    ensure => present,
+    user   => $user_name,
+    key    => $ssh_public_key,
+    type   => $ssh_key_type,
+  }
+
+  if versioncmp(load_module_metadata('stdlib')['version'], '9.0.0') < 0 {
+    ensure_packages($extra_packages, { 'ensure' => 'present' })
+  } else {
+    stdlib::ensure_packages($extra_packages, { 'ensure' => 'present' })
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -19,12 +19,21 @@
 #   Set the constants `TicketSalt` if `ca` is set to `true`. Otherwise the set value is used
 #   to authenticate the certificate request againt the CA on host `ca_server`.
 #
+# @param extra_packages
+#   Install extra packages such as plugins.
+#
 # @param logging_type
 #   Switch the log target. On Windows `syslog` is ignored, `eventlog` on all other platforms.
 #
 # @param logging_level
 #   Set the log level.
 #
+# @param ssh_private_key
+#   The private key to install.
+#
+# @param ssh_key_type
+#   SSH key type.
+#
 # @param cert_name
 #   The certificate name to set as constant NodeName.
 #
@@ -38,17 +47,19 @@
 #   managed outside of this module as file resource with tag icinga2::config::file.
 #
 class icinga (
-  Boolean                              $ca,
-  String                               $this_zone,
-  Hash[String, Hash]                   $zones,
-  Optional[Stdlib::Host]               $ca_server       = undef,
-  Optional[Icinga::Secret]             $ticket_salt     = undef,
-  Array[String]                        $extra_packages  = [],
-  Enum['file', 'syslog', 'eventlog']   $logging_type    = 'file',
-  Optional[Icinga::LogLevel]           $logging_level   = undef,
-  String                               $cert_name       = $facts['networking']['fqdn'],
-  Boolean                              $prepare_web     = false,
-  Variant[Boolean, String]             $confd           = false,
+  Boolean                                 $ca,
+  String                                  $this_zone,
+  Hash[String, Hash]                      $zones,
+  Optional[Stdlib::Host]                  $ca_server       = undef,
+  Optional[Icinga::Secret]                $ticket_salt     = undef,
+  Array[String]                           $extra_packages  = [],
+  Enum['file', 'syslog', 'eventlog']      $logging_type    = 'file',
+  Optional[Icinga::LogLevel]              $logging_level   = undef,
+  Optional[Icinga::Secret]                $ssh_private_key = undef,
+  Optional[Enum['ecdsa','ed25519','rsa']] $ssh_key_type    = undef,
+  String                                  $cert_name       = $facts['networking']['fqdn'],
+  Boolean                                 $prepare_web     = false,
+  Variant[Boolean, String]                $confd           = false,
 ) {
   assert_private()
 
@@ -115,13 +126,17 @@
   case $facts['kernel'] {
     'linux': {
       $icinga_user    = $icinga2::globals::user
+      $icinga_group   = $icinga2::globals::group
       $icinga_package = $icinga2::globals::package_name
       $icinga_service = $icinga2::globals::service_name
 
       case $facts['os']['family'] {
         'redhat': {
+          $icinga_user_homedir = $icinga2::globals::spool_dir
+
           package { ['nagios-common', $icinga_package] + $extra_packages:
             ensure => installed,
+            before => Class['icinga2'],
           }
 
           -> group { 'nagios':
@@ -130,21 +145,27 @@
         }
 
         'debian': {
+          $icinga_user_homedir = '/var/lib/nagios'
+
           package { [$icinga_package] + $extra_packages:
             ensure => installed,
+            before => Class['icinga2'],
           }
         }
 
         'suse': {
+          $icinga_user_homedir = $icinga2::globals::spool_dir
+
           package { [$icinga_package] + $extra_packages:
             ensure => installed,
+            before => Class['icinga2'],
           }
         }
 
         default: {
           fail("'Your operatingssystem ${::facts['os']['name']} is not supported'")
         }
-      }
+      } # osfamily
 
       if $prepare_web {
         Package['icinga2'] -> Exec['restarting icinga2'] -> Class['icinga2']
@@ -160,7 +181,28 @@
           onlyif      => "service ${icinga_service} status",
           refreshonly => true,
         }
-      }
+      } # prepare_web
+
+      if $ssh_private_key {
+        unless $ssh_key_type { fail('parameter ssh_key_typ must set') }
+
+        file {
+          default:
+            ensure  => file,
+            owner   => $icinga_user,
+            group   => $icinga_group,
+            require => Package[$icinga_package];
+          ["${icinga_user_homedir}/.ssh", "${icinga_user_homedir}/.ssh/controlmasters"]:
+            ensure => directory,
+            mode   => '0700';
+          "${icinga_user_homedir}/.ssh/id_${ssh_key_type}":
+            mode      => '0600',
+            show_diff => false,
+            content   => unwrap($ssh_private_key);
+          "${icinga_user_homedir}/.ssh/config":
+            content => "Host *\n  StrictHostKeyChecking no\n  ControlPath ~${icinga_user}/.ssh/controlmasters/%r@%h:%p.socket\n  ControlMaster auto\n  ControlPersist 5m";
+        }
+      } # privkey
     } # Linux
 
     'windows': {