deploy-icinga-agent.yml

## deploy-icinga-agent.yml
---
#
# Setting up the Icinga2 PKI is derived from https://monitoring-portal.org/index.php?thread/35989-using-ansible-to-generate-the-icinga-client-certificates/
#
- hosts: MASTERFQDN
  tasks:
   - name: generate ticket on the icinga master and save it as a variable
     shell: /usr/sbin/icinga2 pki ticket --cn {{ hostitem }}
     register: ticket
- hosts: "{{ hostitem }}"
  vars:
   master_hostname: MASTERFQDN
   master_ip: "{{ hostvars[master_hostname]['ansible_default_ipv4']['address'] }}"
   master_port: 5665
  tasks:
    - name: "Deploy icinga.key"
      apt_key:
        url: "https://packages.icinga.com/icinga.key"
        state: present
    - name: "Install Icinga Ubuntu repository"
      apt_repository:
        repo: deb http://packages.icinga.com/{{ hostvars[hostitem]['icinga_distri'] }} icinga-{{ hostvars[hostitem]['icinga_release'] }} main
        state: present
        filename: 'icinga'
    - name: Update repositories cache and install "icinga2" package
      apt:
        name: icinga2
        update_cache: yes
    - name: create pki folder
      file: path=/etc/icinga2/pki state=directory mode=0700 owner=nagios group=nagios
    - name: create cert
      shell: icinga2 pki new-cert --cn {{ hostitem }} --key /etc/icinga2/pki/{{ hostitem }}.key --cert /etc/icinga2/pki/{{ hostitem }}.crt
    - name: save the masters cert as trustedcert
      shell: icinga2 pki save-cert --key /etc/icinga2/pki/{{ hostitem }}.key --cert /etc/icinga2/pki/{{ hostitem }}.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --host {{ master_hostname }}
    - name: request the certificate from the icinga server
      shell: icinga2 pki request --host {{ master_hostname }} --port 5665 --ticket {{ hostvars[master_hostname]['ticket']['stdout'] }} --key /etc/icinga2/pki/{{ hostitem }}.key --cert /etc/icinga2/pki/{{ hostitem }}.crt --trustedcert /etc/icinga2/pki/trusted-master.crt --ca /etc/icinga2/pki/ca.key
    - name: node setup
      shell: icinga2 node setup --ticket {{ hostvars[master_hostname]['ticket']['stdout'] }} --endpoint {{ master_hostname }} --zone {{ hostitem }} --master_host {{ master_hostname }} --trustedcert /etc/icinga2/pki/trusted-master.crt --cn {{ hostitem }}
    - name: Disable icinga2.conf conf.d
      replace:
        destfile: /etc/icinga2/icinga2.conf
        regexp: '^include_recursive "conf.d"$'
        replace: '//include_recursive "conf.d"'
    - name: Setup zones.conf
      template:
        src: templates/zones.conf.j2
        dest: /etc/icinga2/zones.conf
    - name: Accept configuration from master
      replace:
        destfile: /etc/icinga2/features-enabled/api.conf
        regexp: '^(\s+)accept_config = false$'
        replace: '\1accept_config = true'
    - name: Accept commands from master
      replace:
        destfile: /etc/icinga2/features-enabled/api.conf
        regexp: '^(\s*)accept_commands = false$'
        replace: '\1accept_commands = true'
    - name: Reload Icinga configuration
      shell: /etc/init.d/icinga2 reload
- hosts: MASTERFQDN
  tasks:
    - name: Append zones.conf
      blockinfile:
        destfile: /etc/icinga2/zones.conf
        marker: "// {mark} ANSIBLE MANAGED BLOCK {{ hostitem }}"
        block: |
         object Endpoint "{{ hostitem }}" {
           host = "{{ hostitem }}"
         }
         object Zone "{{ hostitem }}" {
           endpoints = [ "{{ hostitem }}" ]
           parent = "MASTERFQDN"
         }
    - name: Create zones.d {{ hostitem }} directory
      file:
        path: /etc/icinga2/zones.d/{{ hostitem }}
        state: directory
        mode: 0755
        owner: nagios
        group: nagios
    - name: Create host.conf
      template:
        src: templates/icinga-host.conf.j2
        dest: /etc/icinga2/zones.d/{{ hostitem }}/host.conf
        force: no
    - name: Create services.conf
      template:
        src: templates/icinga-services.conf.j2
        dest: /etc/icinga2/zones.d/{{ hostitem }}/services.conf
        force: no
    - name: Reload Icinga master configuration
      shell: /etc/init.d/icinga2 reload