4 files changed, 103 insertions, 30 deletions

diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp
index 256af8f..36f2910 100644
--- a/manifests/agent/config.pp
+++ b/manifests/agent/config.pp
@@ -1,12 +1,15 @@
 class check_mk::agent::config (
-  $ip_whitelist = '',
+  $ip_whitelist    = '',
   $port,
   $server_dir,
-  $homedir,
+  $keydir,
+  $authdir,
+  $authfile        = undef,
   $use_cache,
   $user,
   $method          = 'xinetd',
   $generate_sshkey = false,
+  $sshuser         = undef
 ) {
   if $use_cache {
     $server = "${server_dir}/check_mk_caching_agent"
@@ -34,10 +37,18 @@ class check_mk::agent::config (
     }
     'ssh'   : {
       if $generate_sshkey {
-        check_mk::agent::generate_sshkey { 'check_mk_key':
-          homedir => $homedir
+        check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}":
+          keydir   => $keydir,
+          authdir  => $authdir,
+          authfile => $authfile,
+          sshuser  => $sshuser
         }
       }
+
+      # make sure the xinetd method is not configured
+      file { '/etc/xinetd.d/check_mk':
+        ensure  => absent;
+      }
     }
     default : {}
   }
diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp
index 3187037..d2d1d39 100644
--- a/manifests/agent/generate_sshkey.pp
+++ b/manifests/agent/generate_sshkey.pp
@@ -1,42 +1,68 @@
-define check_mk::agent::generate_sshkey(
-  $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys',
-  $user             = 'monitoring',
-  $group            = 'monitoring',
-  $homedir,
+define check_mk::agent::generate_sshkey (
+  # dir on the check-mk-server where the collected key pairs are stored
+  $keydir,
+  # user/group the key should be owned by on the check-mk-server
+  $keyuser          = 'nagios',
+  $keygroup         = 'nagios',
+  # dir on the check-mk-agent where the authorized_keys file is stored
+  $authdir,
+  # name of the authorized_keys file
+  $authfile         = undef,
+  # dir on the puppetmaster where keys are stored
+  # FIXME: need a way to ensure this dir is setup on the puppetmaster correctly
+  #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys",
+  #  for now use a dir we know works
+  $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys',
+  # user on the client the check_mk server will ssh to, to run the agent
+  $sshuser          = 'root',
   $check_mk_tag     = 'check_mk_sshkey'
 ){
 
-  # generate backupninja ssh keypair
-  $ssh_key_name = "monitoring_${::fqdn}_id_rsa"
+  # generate check-mk ssh keypair, stored on puppetmaster
+  $ssh_key_name = "${::fqdn}_id_rsa"
   $ssh_keys     = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
   $public       = split($ssh_keys[1],' ')
   $public_type  = $public[0]
   $public_key   = $public[1]
   $secret_key   = $ssh_keys[0]
 
-  sshd::ssh_authorized_key { $ssh_key_name:
-      type    => 'ssh-rsa',
-      key     => $public_key,
-      user    => 'root',
-      options => 'command="/usr/bin/check_mk_agent"';
+  # if we're not root we need to use sudo
+  if $sshuser != 'root' {
+    $command = 'sudo /usr/bin/check_mk_agent'
+  } else {
+    $command = '/usr/bin/check_mk_agent'
   }
 
-  @@file { "${homedir}/.ssh/${ssh_key_name}":
-    content => $secret_key,
-    owner   => $user,
-    group   => $group,
-    mode    => '0600',
-    tag     => $check_mk_tag;
+  # setup the public half of the key in authorized_keys on the agent
+  #  and restrict it to running only the agent
+  if $authdir or $authfile {
+    # if $authkey or $authdir are set, override authorized_keys path and file
+    # and also override using the built-in ssh_authorized_key since it may
+    # not be able to write to $authdir
+    sshd::ssh_authorized_key { $ssh_key_name:
+        type             => 'ssh-rsa',
+        key              => $public_key,
+        user             => $sshuser,
+        target           => "${authdir}/${authfile}",
+        override_builtin => true,
+        options          => "command=\"${command}\"";
+  } else {
+    # otherwise use the defaults
+    sshd::ssh_authorized_key { $ssh_key_name:
+        type    => 'ssh-rsa',
+        key     => $public_key,
+        user    => $sshuser,
+        options => "command=\"${command}\"";
+    }
   }
 
-
-  @@file { "${homedir}/.ssh/${ssh_key_name}.pub":
-    content => $public_key,
-    owner   => $user,
-    group   => $group,
-    mode    => '0666',
+  # resource collector for the private half of the keys, these end up on
+  #  the check-mk-server host, and the user running check-mk needs access
+  @@file { "${keydir}/${ssh_key_name}":
+    content => $secret_key,
+    owner   => $keyuser,
+    group   => $keygroup,
+    mode    => '0600',
     tag     => $check_mk_tag;
   }
-
-
 }
diff --git a/manifests/agent/mrpe.pp b/manifests/agent/mrpe.pp
new file mode 100644
index 0000000..5bc5f33
--- /dev/null
+++ b/manifests/agent/mrpe.pp
@@ -0,0 +1,19 @@
+class check_mk::agent::mrpe {
+  # check_mk can use standard nagios plugins using
+  # a wrapper called mrpe
+  # see http://mathias-kettner.de/checkmk_mrpe.html
+  # this subclass is provided to be included by checks that use mrpe
+
+  # FIXME: this is Debian specific and should be made more generic
+  if !defined(Package['nagios-plugins-basic']) {
+    package { 'nagios-plugins-basic':
+      ensure => latest,
+    }
+  }
+
+  # ensure the config file exists, individual checks will add lines to it
+  file { '/etc/check_mk/mrpe.cfg':
+    ensure  => present,
+    require => Package['check-mk-agent']
+  }
+}
diff --git a/manifests/agent/ps.pp b/manifests/agent/ps.pp
new file mode 100644
index 0000000..67a999f
--- /dev/null
+++ b/manifests/agent/ps.pp
@@ -0,0 +1,17 @@
+define check_mk::agent::ps (
+  # procname and levels have defaults in check_mk::ps
+  $procname = undef,
+  $levels = undef,
+  # user is optional
+  $user = undef
+) {
+
+  @@check_mk::ps { "${::fqdn}_${name}":
+    desc     => $name,
+    host     => $::fqdn,
+    procname => $procname,
+    user     => $user,
+    levels   => $levels,
+    tag      => 'check_mk_ps';
+  }
+}