Created
October 29, 2018 16:11
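---
# Enrols each target host as an Icinga2 client: requests a PKI ticket on the
# master, pins the parent's certificate, runs `icinga2 node setup`, and makes
# sure the service is enabled and running.
- name: Setup Icinga2 Client
  hosts: all
  vars:
    icinga2_pki_path: /var/lib/icinga2/certs
    icinga2_master: "icinga-master.fqdn"
    icinga2_cn: "{{ inventory_hostname }}"
    icinga2_zone: "{{ inventory_hostname }}"
    # connection direction: master <- client
    # (format: <endpoint cn>,<host>,<port>)
    icinga2_endpoint: "icinga-satellite-or-master.fqdn,icinga-satellite-or-master.fqdn,5665"
    # or with master -> client
    # icinga2_endpoint: "icinga-satellite-or-master.fqdn"
    icinga2_parent_zone: "icinga-satellite-or-master.zone"
    icinga2_parent_host: "icinga-satellite-or-master.fqdn"
    # These two let the parent push configuration to, and execute commands on,
    # this host. Enable them only for a parent you trust to that degree.
    icinga2_accept_commands: true
    icinga2_accept_config: true
    icinga2_disable_confd: true
    # Additional global zones
    icinga2_global_zones:
      - commands-linux
    # Must match the account the icinga2 daemon runs as on the target
    # (package-dependent) - verify before use.
    icinga2_user: icinga
    icinga2_group: icinga
    # Set to true to purge existing certificates
    icinga2_rebuild_certificates: false

  tasks:
    - name: Remove existing certificates
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - "{{ icinga2_pki_path }}/trusted-master.crt"
        - "{{ icinga2_pki_path }}/{{ icinga2_cn }}.key"
        - "{{ icinga2_pki_path }}/{{ icinga2_cn }}.crt"
      # `| bool` so that a string passed with -e ("no", "false") is not truthy.
      when: icinga2_rebuild_certificates | bool

    # The directory holds the node's private key, so it is restricted to the
    # daemon account. It is not guaranteed to exist after package installation.
    - name: Ensure the certificate directory exists
      file:
        path: "{{ icinga2_pki_path }}"
        state: directory
        owner: "{{ icinga2_user }}"
        group: "{{ icinga2_group }}"
        mode: "0700"

    # The ticket authorises signing a certificate for this CN; keep it out of
    # task output and logs. `quote` stops inventory-derived values from being
    # interpreted by the shell on the master.
    - name: Fetch ticket from master
      shell: |
        icinga2 pki ticket --cn {{ icinga2_cn | quote }}
      register: icinga2_ticket
      delegate_to: "{{ icinga2_master }}"
      changed_when: false
      no_log: true

    # save-cert stores whatever certificate the parent presents on first
    # contact (trust on first use). Compare its fingerprint with the parent's
    # own certificate out of band before relying on it.
    - name: Fetch trusted master certificate
      shell: |
        icinga2 pki save-cert \
          --trustedcert {{ (icinga2_pki_path ~ '/trusted-master.crt') | quote }} \
          --host {{ icinga2_parent_host | quote }}
      args:
        creates: "{{ icinga2_pki_path }}/trusted-master.crt"

    # no_log because the rendered command line contains the ticket.
    # Each --global_zones argument ends with a space so that several zones do
    # not run together into a single word.
    - name: Run node setup
      shell: |
        icinga2 node setup --ticket {{ icinga2_ticket.stdout_lines[0] | quote }} \
          --cn {{ icinga2_cn | quote }} \
          --zone {{ icinga2_zone | quote }} \
          --endpoint {{ icinga2_endpoint | quote }} \
          --parent_host {{ icinga2_parent_host | quote }} \
          --parent_zone {{ icinga2_parent_zone | quote }} \
          --trustedcert {{ (icinga2_pki_path ~ '/trusted-master.crt') | quote }} \
          {{ '--accept-config' if icinga2_accept_config | bool else '' }} \
          {{ '--accept-commands' if icinga2_accept_commands | bool else '' }} \
          {{ '--disable-confd' if icinga2_disable_confd | bool else '' }} \
          {% for zone in icinga2_global_zones | default([]) %}--global_zones {{ zone | quote }} {% endfor %}
      args:
        creates: "{{ icinga2_pki_path }}/{{ icinga2_cn }}.crt"
      no_log: true
      notify: Restart Icinga2

    - name: Ensure that Icinga2 is enabled and running
      service:
        name: icinga2
        enabled: true
        state: started

  handlers:
    - name: Restart Icinga2
      service:
        name: icinga2
        state: restarted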
Thanks for the feedback. I have created an Ansible role for this:
https://github.com/nbuchwitz/ansible-icinga2/
For now this role only installs the icinga2 client and configures the satellite / client as this gist does, but I plan to extend the role with other features such as Director integration.
I really thank you for this work. Works like a charm. I only added a task for creating the icinga2_pki_path, because /var/lib/icinga2/certs is not created with the icinga installation and a task for installing apt-transport-https.