From 001ab5edef3bd6545b317cc02858afdf6d7b3d18 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Wed, 17 Aug 2022 23:47:11 +0200 Subject: [PATCH] wip --- bundles/icinga2/files/conf.d/templates.conf | 2 ++ bundles/icinga2/items.py | 32 ++++++++++++++++++++- bundles/icinga2/metadata.py | 20 +++++++++++++ bundles/letsencrypt/files/hook.sh | 16 +++++++---- 4 files changed, 63 insertions(+), 7 deletions(-) diff --git a/bundles/icinga2/files/conf.d/templates.conf b/bundles/icinga2/files/conf.d/templates.conf index 10769fe..d3e1147 100644 --- a/bundles/icinga2/files/conf.d/templates.conf +++ b/bundles/icinga2/files/conf.d/templates.conf @@ -11,3 +11,5 @@ template Service "generic-service" { check_interval = 1m retry_interval = 30s } + +template User "generic-user" {} diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 3b379f0..2ab16a8 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -45,6 +45,22 @@ directories = { 'svc_systemd:icinga2.service:restart', ], }, + '/var/lib/icinga2': { + 'owner': 'nagios', + 'group': 'nagios', + 'mode': '0750', + 'triggers': [ + 'svc_systemd:icinga2.service:restart', + ], + }, + '/var/lib/icinga2/certs': { + 'owner': 'nagios', + 'group': 'nagios', + 'mode': '0700', + 'triggers': [ + 'svc_systemd:icinga2.service:restart', + ], + }, } files = { @@ -62,7 +78,7 @@ files = { 'group': 'nagios', 'mode': '0640', 'context': { - 'hostname': node.metadata.get('hostname') + 'hostname': node.metadata.get('icinga2/hostname') }, 'triggers': [ 'svc_systemd:icinga2.service:restart', @@ -157,6 +173,7 @@ files = { 'source': 'features/ido-pgsql.conf', 'content_type': 'mako', 'owner': 'nagios', + 'group': 'nagios', 'context': { 'db_password': node.metadata.get('postgresql/roles/icinga2/password') }, @@ -167,6 +184,7 @@ files = { '/etc/icinga2/features.d/syslog.conf': { 'source': 'features/syslog.conf', 'owner': 'nagios', + 'group': 'nagios', 'triggers': [ 'svc_systemd:icinga2.service:restart', ], 
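Review bot: The ido-pgsql.conf entry that gains `'group': 'nagios'` in the -157 hunk renders `db_password` into the file, yet no `'mode'` is visible in the hunk; if none is set in the rest of the entry, bundlewrap's default file mode (0644 unless overridden) leaves the database password readable to every local user. Add `'mode': '0640'` right beside the new `'group'` line, which is what the hostname file in the -62 hunk already uses. The remaining attributes of the ido-pgsql.conf entry lie outside the hunk, so confirm nothing there sets the mode before adding it.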
@@ -174,6 +192,7 @@ files = { '/etc/icinga2/features.d/notification.conf': { 'source': 'features/notification.conf', 'owner': 'nagios', + 'group': 'nagios', 'triggers': [ 'svc_systemd:icinga2.service:restart', ], @@ -181,6 +200,7 @@ files = { '/etc/icinga2/features.d/checker.conf': { 'source': 'features/checker.conf', 'owner': 'nagios', + 'group': 'nagios', 'triggers': [ 'svc_systemd:icinga2.service:restart', ], @@ -188,6 +208,16 @@ files = { '/etc/icinga2/features.d/api.conf': { 'source': 'features/api.conf', 'owner': 'nagios', + 'group': 'nagios', + 'triggers': [ + 'svc_systemd:icinga2.service:restart', + ], + }, + '/var/lib/icinga2/certs/ca.crt': { + 'content_type': 'download', + 'source': f'https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem', + 'owner': 'nagios', + 'group': 'nagios', 'triggers': [ 'svc_systemd:icinga2.service:restart', ], diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index e73ae8d..37a9198 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -45,3 +45,23 @@ defaults = { }, }, } + + +@metadata_reactor.provides( + 'nginx/vhosts', +) +def letsencrypt(metadata): + return { + 'letsencrypt': { + 'domains': { + metadata.get('icingaweb2/hostname'): { + 'reload': {'icinga2'}, + 'owner': 'nagios', + 'group': 'nagios', + 'location': '/var/lib/icinga2/certs', + 'privkey_name': metadata.get('hostname') + '.key', + 'cert_name': metadata.get('hostname') + '.crt', + }, + }, + }, + } diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh index ca33f8a..f1d00e7 100644 --- a/bundles/letsencrypt/files/hook.sh +++ b/bundles/letsencrypt/files/hook.sh 
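Review bot: The new `/var/lib/icinga2/certs/ca.crt` item in the -188 hunk downloads `isrg-root-x1-cross-signed.pem`, the DST-cross-signed copy of ISRG Root X1, whose validity ends in September 2024, while Icinga uses ca.crt as the trust anchor for its API/cluster TLS; pointing at the self-signed root instead, `'source': 'https://letsencrypt.org/certs/isrg-root-x1.pem'`, avoids every peer connection failing on that date. The download is also unpinned, so the trust anchor is whatever the server returns at deploy time; if the bundlewrap version in use supports `content_hash` for `'download'` items, set it to the expected SHA-256, or ship the root PEM from the bundle's files directory and drop the network fetch. The `f'https://...'` prefix has no placeholders and should be a plain string literal.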
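Review bot: The new reactor declares `'nginx/vhosts'` in `@metadata_reactor.provides(...)` but returns data under `letsencrypt/domains/...`; to my recollection bundlewrap rejects keys a reactor returns without declaring them, so this should read `@metadata_reactor.provides('letsencrypt/domains')`, keeping `nginx/vhosts` only if the function is also meant to emit a vhost. The hostnames are inconsistent as well: the certificate is requested for `metadata.get('icingaweb2/hostname')`, the key and cert files are named after the plain `metadata.get('hostname')`, and the items.py -62 hunk now renders the Icinga config from `icinga2/hostname`. Icinga looks for `<NodeName>.crt`/`.key` in the certs directory and checks the certificate CN against the endpoint name, so all three should presumably derive from the same metadata key; confirm which one feeds the `NodeName` constant before changing it.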
@@ -26,19 +26,23 @@ deploy_cert() { CERTFILE="$3" FULLCHAINFILE="$4" CHAINFILE="$5" - + case $DOMAIN in % for domain, conf in sorted(domains.items()): <% if not conf: continue %>\ ${domain}) % if conf.get('location', None): - cat "$KEYFILE" > "${conf['location']}/privkey.pem" - cat "$CERTFILE" > "${conf['location']}/cert.pem" - cat "$FULLCHAINFILE" > "${conf['location']}/fullchain.pem" - cat "$CHAINFILE" > "${conf['location']}/chain.pem" + cat "$KEYFILE" > "${conf['location']}/${conf.get('privkey_name', 'privkey.pem')}" + cat "$CERTFILE" > "${conf['location']}/${conf.get('cert_name', 'cert.pem')}" + cat "$FULLCHAINFILE" > "${conf['location']}/${conf.get('fullchain_name', 'fullchain.pem')}" + cat "$CHAINFILE" > "${conf['location']}/${conf.get('chain_name', 'chain.pem')}" % endif % if conf.get('owner', None): - chown ${conf['owner']} "${conf['location']}/privkey.pem" "${conf['location']}/cert.pem" "${conf['location']}/fullchain.pem" "${conf['location']}/chain.pem" + chown ${conf['owner']}:${conf.get('group', '')} \ + "${conf['location']}/${conf.get('privkey_name', 'privkey.pem')}" \ + "${conf['location']}/${conf.get('cert_name', 'cert.pem')}" \ + "${conf['location']}/${conf.get('fullchain_name', 'fullchain.pem')}" \ + "${conf['location']}/${conf.get('chain_name', 'chain.pem')}" % endif % for service in sorted(conf.get('reload', [])): systemctl reload-or-restart ${service}
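Review bot: The private key is written with `cat "$KEYFILE" > ...`, so the new file's mode comes from the hook's umask (commonly 0644) and the subsequent chown only changes ownership; nothing in the hunk restricts it, so any `location` that is not itself 0700 leaves the key readable to every local user. Add `chmod 0600 "${conf['location']}/${conf.get('privkey_name', 'privkey.pem')}"` (0640 when a group is configured) directly after the four cat lines. Note also that `chown ${conf['owner']}:${conf.get('group', '')}` with an empty group is not a no-op: `owner:` makes chown set the group to the owner's login group, whereas the previous single-argument form left the group untouched, so append `:${group}` only when a group is set if that change is unintended. deploy_cert continues past the end of the hunk; the case statement is closed outside it.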