From 80322f255030846d27a2997807046fdbe1ffbb2a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 15 Jul 2013 09:27:27 +0200 Subject: ssh support for agent --- README.md | 7 +++++++ manifests/agent.pp | 13 ++++++++++-- manifests/agent/config.pp | 35 ++++++++++++++++++------------- manifests/agent/generate_sshkey.pp | 42 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 81 insertions(+), 16 deletions(-) create mode 100644 manifests/agent/generate_sshkey.pp diff --git a/README.md b/README.md index 6c2876f..0ef7920 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,9 @@ created making the URL http://hostname/acme/check_mk/ running as the 'acme' user *workspace*: The directory to use to store files used during installation. Default: '/root/check_mk' +*omdadmin_htpasswd*: changes the htpasswd of the amdadmin user (requires apache module from i.e. + https://labs.riseup.net/code/projects/shared-apache) + ### Notes * A user and group with the same value as the site parameter is created. By default this is 'monitoring'. @@ -131,6 +134,10 @@ Only required if a filestore is used. *workspace*: The directory to use to store files used during installation. Default: '/root/check_mk' +*use_ssh*: Use ssh instead of the tcp wrapper. Deploys ssh keypair on server and + allows the server to execute the agent on the client. + Default: false. + ## Host groups and tags By default check_mk puts all hosts into a group called 'check_mk' but where you diff --git a/manifests/agent.pp b/manifests/agent.pp index e3442f0..5a7eaf8 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -10,8 +10,16 @@ class check_mk::agent ( $workspace = '/root/check_mk', $agent_package_name = 'check_mk-agent', $agent_logwatch_package_name = 'check_mk-agent-logwatch', - + $use_ssh = false, + $use_ssh_tag = 'ssh' ) { + + if ( $use_ssh == true ) { + $tags = "$host_tags|$use_ssh_tag" + } else { + $tags = $host_tags + } + class { 'check_mk::agent::install': version => $version, filestore => $filestore, 
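Review bot: The `if ( $use_ssh == true )` test added to `manifests/agent.pp` only matches a real boolean, so a quoted `'true'` from an ENC or parameter lookup silently takes the else branch. The host is then exported without the ssh tag and the xinetd path stays in use; the same comparison is repeated in `manifests/agent/config.pp`. If stdlib is already a dependency (config.pp calls `join`), `validate_bool($use_ssh)` at the top of the class would turn this into a compile error instead of a quiet fallback. The tag string should use braced interpolation like the rest of the module, `$tags = "${host_tags}|${use_ssh_tag}"`, and it is worth confirming what it yields when `$host_tags` is empty, since that default lies outside this hunk. The class body continues past the end of the hunk.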
@@ -25,10 +33,11 @@ class check_mk::agent ( server_dir => $server_dir, use_cache => $use_cache, user => $user, + use_ssh => $use_ssh, require => Class['check_mk::agent::install'], } include check_mk::agent::service @@check_mk::host { $::fqdn: - host_tags => $host_tags, + host_tags => $tags, } } diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index dc6808a..c73341f 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -4,6 +4,7 @@ class check_mk::agent::config ( $server_dir, $use_cache, $user, + $use_ssh = false ) { if $use_cache { $server = "${server_dir}/check_mk_caching_agent" @@ -11,19 +12,25 @@ class check_mk::agent::config ( else { $server = "${server_dir}/check_mk_agent" } - if $ip_whitelist { - $only_from = join($ip_whitelist, ' ') - } - else { - $only_from = undef - } - file { '/etc/xinetd.d/check_mk': - ensure => present, - owner => 'root', - group => 'root', - mode => '0444', - content => template('check_mk/agent/check_mk.erb'), - require => Package['check_mk-agent','check_mk-agent-logwatch'], - notify => Class['check_mk::agent::service'], + + if ( $use_ssh == true ){ + check_mk::agent::generate_sshkey { 'check_mk_key': } + } else { + + if $ip_whitelist { + $only_from = join($ip_whitelist, ' ') + } + else { + $only_from = undef + } + file { '/etc/xinetd.d/check_mk': + ensure => present, + owner => 'root', + group => 'root', + mode => '0444', + content => template('check_mk/agent/check_mk.erb'), + require => Package['check_mk-agent','check_mk-agent-logwatch'], + notify => Class['check_mk::agent::service'], + } } } diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp new file mode 100644 index 0000000..72dcb25 --- /dev/null +++ b/manifests/agent/generate_sshkey.pp 
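Review bot: In the second hunk of `manifests/agent/config.pp` the ssh branch declares `check_mk::agent::generate_sshkey { 'check_mk_key': }`, but the new file `manifests/agent/generate_sshkey.pp` defines `check_mk::agent::client::generate_sshkey`. The names do not match, so the catalog will presumably fail to compile when `use_ssh` is true; renaming the definition to `define check_mk::agent::generate_sshkey(` would match both the call and the file path. The same branch also stops managing `/etc/xinetd.d/check_mk` without removing it, so a node switched from TCP to ssh keeps its existing xinetd entry and the agent stays reachable over the network unless something outside this diff cleans it up. Adding `file { '/etc/xinetd.d/check_mk': ensure => absent, notify => Class['check_mk::agent::service'] }` to the ssh branch would close that gap.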
@@ -0,0 +1,42 @@
+define check_mk::agent::client::generate_sshkey(
+ $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys',
+ $user = 'monitoring',
+ $group = 'monitoring',
+ $homedir = '/omd/sites/monitoring',
+ $check_mk_tag = 'check_mk_sshkey'
+){
+
+ # generate backupninja ssh keypair
+ $ssh_key_name = "monitoring_${::fqdn}_id_rsa"
+ $ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
+ $public = split($ssh_keys[1],' ')
+ $public_type = $public[0]
+ $public_key = $public[1]
+ $secret_key = $ssh_keys[0]
+
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => 'root',
+ options => 'command="/usr/bin/check_mk_agent"';
+ }
+
+ @@file { "${homedir}/.ssh/${ssh_key_name}":
+ content => $secret_key,
+ owner => $user,
+ group => $group,
+ mode => '0600',
+ tag => $check_mk_tag;
+ }
+
+
+ @@file { "${homedir}/.ssh/${ssh_key_name}.pub":
+ content => $public_key,
+ owner => $user,
+ group => $group,
+ mode => '0666',
+ tag => $check_mk_tag;
+ }
+
+
+}
-- cgit v1.2.3
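Review bot: The `sshd::ssh_authorized_key` resource installs the monitoring key for `root` with only a forced command, which leaves port, agent and X11 forwarding and pty allocation available to whoever holds the private key. Assuming the define passes the option string through unchanged, I would tighten it to `options => 'command="/usr/bin/check_mk_agent",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty';` and consider a `from="..."` restriction to the monitoring server. The exported `.pub` file is created with `mode => '0666'`, which is world-writable, and should be `'0644'`. The private key is generated under `/etc/puppet/modules/keys/files/check_mk_keys` and exported through `content => $secret_key`, so it likely ends up in stored configs and possibly behind the module file server; confirm that path is not readable by other nodes. Minor: the comment still says "backupninja", and `$public_type` is computed while the type is hard-coded to `'ssh-rsa'`.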