add support for check_mk agent via xinetd or ssh

README.md

@@ -0,0 +1,40 @@
+This [Ansible](http://ansible.com/) role allows you to install and manage
+the [Check_MK](https://mathias-kettner.com/check_mk.html) agent. It is the
+client component of the nagios-based Check_MK monitoring suite.
+
+Because the `check-mk-agent` package is missing in the Debian Jessie
+release, this role depends on the [debops.backporter](http://github.com/debops/ansible-backporter)
+role to rebuild the Stretch sources for Jessie.
+
+
+### Installation
+
+This role requires at least Ansible `v1.7.0`. To install it, clone it
+to your [DebOps](http://debops.org) project roles directory:
+
+    git clone http://github.com/ganto/ansible-checkmk_agent.git
+
+
+### Role dependencies
+
+- `debops.apt_preferences`
+- `debops.backporter`
+- `debops.etc_services`
+- `debops.ferm`
+
+### Are you using this as a standalone role without DebOps?
+
+You may need to include missing roles from the [DebOps common
+playbook](https://github.com/debops/debops-playbooks/blob/master/playbooks/common.yml)
+into your playbook.
+
+[Try DebOps now](https://github.com/debops/debops) for a complete solution to run your Debian-based infrastructure.
+
+
+
+### Authors and license
+
+`dovecot` role was written by:
+- Reto Gantenbein | [e-mail](mailto:[email protected]) | [GitHub](https://github.com/ganto)
+
+License: [GPLv3](https://tldrlegal.com/license/gnu-general-public-license-v3-%28gpl-3%29)

defaults/main.yml

@@ -0,0 +1,63 @@
+---
+# Default variables
+# =================
+
+# .. contents:: Sections
+#    :local:
+#
+# -------------------------------
+#   Basic configuration options
+# -------------------------------
+
+# .. envvar:: checkmk_agent
+#
+# Check_MK agent query protocol. Set to ``False`` to disable agent setup.
+# Valid options are ``ssh`` and ``xinetd``.
+checkmk_agent: [ 'xinetd' ]
+
+# .. envvar:: checkmk_agent_allow
+#
+# Lists of IP addresses or network CIDR ranges allowed to connect to the
+# Check_MK agent through the firewall. If lists are empty, anyone can connect.
+checkmk_agent_allow: []
+
+
+# ------------------------
+#   Agent xinetd options
+# ------------------------
+
+# .. envvar:: checkmk_agent_exec
+#
+# Check_MK agent executable path. If you query the agent from multiple
+# servers, you may want to set this to ``/usr/bin/check_mk_caching_agent``.
+checkmk_agent_exec: '/usr/bin/check_mk_agent'
+
+# .. envvar:: checkmk_agent_port
+#
+# Listen port for Check_MK agent
+checkmk_agent_port: '6556'
+
+
+# --------------------------
+#   Agent SSH user options
+# --------------------------
+
+# .. envvar:: checkmk_agent_ssh_user
+#
+# SSH user to query Check_MK agent.
+checkmk_agent_ssh_user: 'nagios'
+
+# .. envvar:: checkmk_agent_ssh_group
+#
+# Primary group of SSH user querying Check_MK agent.
+checkmk_agent_ssh_group: 'nagios'
+
+# .. envvar:: checkmk_agent_user_home
+#
+# Home directory of SSH user querying Check_MK agent.
+checkmk_agent_user_home: '/var/lib/nagios'
+
+# .. envvar:: checkmk_agent_user_key
+#
+# SSH Public key for logging in with SSH user.
+checkmk_agent_user_key: ''

docs/copyright.rst

@@ -0,0 +1,20 @@
+Copyright
+=========
+
+::
+
+    Copyright (C) 2015 Reto Gantenbein <[email protected]>
+    [see Credits for more details]
+
+    his program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License version 3, as
+    published by the Free Software Foundation.
+
+    This program is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+    General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program. If not, see http://www.gnu.org/licenses/
+

docs/credits.rst

@@ -0,0 +1,6 @@
+Credits
+=======
+
+* Reto Gantenbein <reto.gantenbein_at_linuxmonk_ch>
+
+  * author of the Ansible Check_MK client role

docs/index.rst

@@ -0,0 +1,22 @@
+.. _debops.dovecot:
+
+Ansible role: debops.dovecot
+============================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   installation
+   getting-started
+   defaults
+   guides
+   copyright
+   credits
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:

docs/installation.rst

@@ -0,0 +1,17 @@
+Installation
+============
+
+This role requires at least Ansible ``v1.7.0``. To install it, clone it
+to your `DebOps`_ project roles directory::
+
+    git clone http://github.com/ganto/ansible-checkmk_agent.git
+
+:: _DebOps: http://debops.org/
+
+Role dependencies
+~~~~~~~~~~~~~~~~~
+
+- ``debops.apt_preferences``
+- ``debops.backporter``
+- ``debops.etc_services``
+- ``debops.ferm``

docs/introduction.rst

@@ -0,0 +1,20 @@
+Introduction
+============
+
+This `Ansible`_ role allows you to install and manage the `Check_MK`_
+agent. It is the client component of the nagios-based Check_MK monitoring
+suite.
+
+Because the ``check-mk-agent`` package is missing in the Debian Jessie
+release, this role depends on the `debops.backporter`_ role to rebuild
+the Stretch sources for Jessie.
+
+.. _Ansible: http://ansible.com/
+.. _Check_MK: https://mathias-kettner.com/check_mk.html
+.. _debops.backporter: http://github.com/debops/ansible-backporter
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:

handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Restart xinetd
+  service:
+    name: 'xinetd'
+    state: 'restarted'

meta/main.yml

@@ -0,0 +1,54 @@
+---
+
+dependencies:
+  - role: debops.apt_preferences
+    tags: apt_preferences
+    apt_preferences_dependent_list:
+      - package: 'check-mk'
+        backports: [ 'jessie' ]
+        reason: 'Package not available in upstream Debian Jessie'
+        by_role: 'ansible-checkmk_agent'
+
+  # Make sure that check-mk-agent is available in Debian Jessie
+  - role: debops.backporter
+    backporter_package: 'check-mk'
+    backporter_release: '{{ ansible_distribution_release }}'
+    backporter_version: '1.2.6'
+    backporter_source_version: '1.2.6p4-1'
+    backporter_source_orig: '.orig.tar.gz'
+    backporter_fake_version: '1.0'
+    backporter_command_dget: 'dget --allow-unauthenticated'
+    backporter_skip_builddep: True
+    backporter_prerequisites: [ 'dpatch' ]
+    backporter_install: False
+
+  - role: debops.etc_services
+    etc_services_dependent_list:
+      - name: 'check-mk-agent'
+        port: '{{ checkmk_agent_port }}'
+        comment: 'Check_MK agent (via xinetd)'
+    when: (checkmk_agent is defined and checkmk_agent) and
+          ('xinetd' in checkmk_agent)
+
+  - role: debops.ferm
+    ferm_input_list:
+      - type: 'dport_accept'
+        dport: [ 'check-mk-agent' ]
+        saddr: '{{ checkmk_agent_allow }}'
+        accept_any: True
+        filename: 'checkmk_agent_dependency_accept'
+        weight: '20'
+    when: (checkmk_agent is defined and checkmk_agent) and
+          ('xinetd' in checkmk_agent)
+
+
+galaxy_info:
+  author: 'Reto Gantenbein'
+  description: 'Install Check_MK Agent'
+  license: 'GNU General Public License v3'
+  min_ansible_version: '1.7.0'
+  platforms:
+  - name: Debian
+    versions:
+    - wheezy
+    - jessie

tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Install Check_MK Agent
+  apt:
+    name: 'check-mk-agent'
+    state: 'present'
+    install_recommends: False
+  when: checkmk_agent is defined and checkmk_agent
+
+- include: ssh_user.yml
+  when: (checkmk_agent is defined and checkmk_agent) and
+        ('ssh' in checkmk_agent)
+
+- include: xinetd.yml
+  when: (checkmk_agent is defined and checkmk_agent) and
+        ('xinetd' in checkmk_agent)

tasks/ssh_user.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Create Check_MK SSH user group
+  group:
+    name: '{{ checkmk_agent_ssh_group }}'
+    system: 'yes'
+
+- name: Create Check_MK SSH user
+  user:
+    name: '{{ checkmk_agent_ssh_user }}'
+    group: '{{ checkmk_agent_ssh_group }}'
+    groups: 'sshusers'
+    system: 'yes'
+    shell: '/bin/sh'
+    home: '{{ checkmk_agent_user_home }}'
+    createhome: 'yes'
+
+- name: Create SSH authorized_keys directory
+  file:
+    name: '/etc/ssh/authorized_keys'
+    owner: 'root'
+    group: 'root'
+    mode: '755'
+    state: 'directory'
+
+- name: Set SSH key for public key login
+  template:
+    src: '{{ lookup("template_src", "etc/ssh/authorized_keys/nagios.j2") }}'
+    dest: '/etc/ssh/authorized_keys/{{ checkmk_agent_ssh_user }}'
+    owner: 'root'
+    group: 'root'
+    mode: '644'
+
+- name: Enable sudo rule for Check_MK SSH user
+  template:
+    src: '{{ lookup("template_src", "etc/sudoers.d/check-mk-agent.j2") }}'
+    dest: '/etc/sudoers.d/check-mk-agent'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'

tasks/xinetd.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Install xinetd package
+  apt:
+    name: 'xinetd'
+    state: 'present'
+    install_recommends: False
+
+- name: Divert original /etc/xinetd.d/check_mk
+  command: dpkg-divert --quiet --local --divert /etc/xinetd.d/check_mk.dpkg-divert --rename /etc/xinetd.d/check_mk
+  args:
+    creates: '/etc/xinetd.d/check_mk.dpkg-divert'
+
+- name: Configure Check_MK service
+  template:
+    src: '{{ lookup("template_src", "etc/xinetd.d/check_mk.j2") }}'
+    dest: '/etc/xinetd.d/check_mk'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ Restart xinetd ]

templates/etc/ssh/authorized_keys/nagios.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+command="/usr/bin/sudo {{ checkmk_agent_exec }}"{% if checkmk_agent_allow is defined and checkmk_agent_allow | length > 0 %},from="{{ checkmk_agent_allow | join(',')}}"{% endif %} {{ checkmk_agent_user_key }}

templates/etc/sudoers.d/check-mk-agent.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+Defaults: {{ checkmk_agent_ssh_user }} !requiretty
+{{ checkmk_agent_ssh_user }} ALL=(root) NOPASSWD: {{ checkmk_agent_exec }}

templates/etc/xinetd.d/check_mk.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+service check_mk
+{
+    type           = UNLISTED
+    port           = {{ checkmk_agent_port }}
+    socket_type    = stream
+    protocol       = tcp
+    wait           = no
+    user           = root
+    server         = {{ checkmk_agent_exec }}
+
+{#  # If you use fully redundant monitoring and poll the client
+    # from more then one monitoring servers in parallel you might
+    # want to use the agent cache wrapper:
+    #server         = /usr/bin/check_mk_caching_agent
+#}
+    # configure the IP address(es) of your Nagios server here:
+{% if checkmk_agent_allow is defined and checkmk_agent_allow | length > 0 %}
+    only_from      = {{ checkmk_agent_allow | join(' ') }}
+{% else %}
+    #only_from      = 127.0.0.1 10.0.20.1 10.0.20.2
+{% endif %}
+
+    # Don't be too verbose. Don't log every check. This might be
+    # commented out for debugging. If this option is commented out
+    # the default options will be used for this service.
+    log_on_success =
+
+    disable        = no
+}