Allow SSH keys as strings or filenames ("*.pub")

README.md

@@ -0,0 +1,59 @@
+monitored
+=========
+
+Prepare remote machine for monitoring with Naemon/Nagios/Icinga via NRPE and/or SSH
+
+Requirements
+------------
+
+- Role "epel" for RedHat-like systems
+- Role "prepare-dnf5" for RedHat-like system with DNF version 5
+
+Role Variables
+--------------
+
+Defaults (config/overwrite required):
+- `monitored_by_nrpe` (defaults: `false`): install/configure NRPE
+- `monitored_by_ssh` (defaults: `false`): install/configure SSH incl. wrapper
+  script
+- `monitored_server_ips` (defaults: `[127.0.0.1,]`: list(!) of monitoring server
+  ips
+
+Required for SSH:
+- `monitored_ssh_key_files` (defaults: `[]`): list(!) of SSH key strings or filenames (ending with `.pub`)
+
+Common variables:
+- `monitored_packages_install` (defaults: `true`): install plugings
+- `monitored_sudo_file` (defaults: `/etc/sudoers.d/monitored`): sudoers file
+- `monitored_sudo_commands`: list of `sudoers` config lines
+- `monitored_packages_additional(_nrpe|_ssh)`: additional packages to install
+- `monitored_plugins_custom`: additional plugin scripts to copy
+- `monitored_plugins_custom_path` (defaults: `/usr/local/plugins/`): path for
+  additional plugins
+
+NRPE:
+- `monitored_nrpe_*`: NRPE config variables
+
+SSH:
+- `monitored_ssh_key_wrapper`: local path/filename of wrapper
+- `monitored_ssh_key_wrapper_src`: remote path and filename of wrapper
+- `monitored_ssh_key_wrapper_*`: file attributes of wrapper
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - role: monitored
+          when: monitored_dont|default(false) != true
+
+License
+-------
+
+GPL-2.0-or-later
+
+Author Information
+------------------
+
+Sven Velt - <sven-ansiblerole@velt.biz>
+https://git.velt.biz/velt.biz/

defaults/main.yml

@@ -1,16 +1,17 @@
 ---
-monitored_by_nrpe: False
+monitored_by_nrpe: false
-monitored_by_ssh: False
+monitored_by_ssh: false
 
 monitored_user: nagios
 monitored_group: nagios
 monitored_homedir: /var/lib/nagios
 monitored_shell: /bin/bash
+monitored_password: null
 
 monitored_sudo_file: /etc/sudoers.d/monitored
 monitored_sudo_commands: []
 
-monitored_packages_install: True
+monitored_packages_install: true
 monitored_packages_predepends: []
 monitored_packages_additional: []
 monitored_packages_additional_nrpe: []

meta/main.yml

@@ -0,0 +1,7 @@
+---
+dependencies:
+  - role: epel
+    when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora"
+
+  - role: prepare-dnf5
+    when: ansible_pkg_mgr == "dnf5"

monitored.yml

@@ -2,9 +2,6 @@
 - hosts: all
   roles:
 
-          - role: epel
-            when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora"
-
     - role: monitored
-            when: monitored_dont|default(False) != True
+      when: monitored_dont|default(false) != true
 

tasks/main.yml

@@ -1,9 +1,16 @@
 ---
+- debug:
+    msg:
+      - "SSH:  {{ monitored_by_ssh }}"
+      - "NRPE: {{ monitored_by_nrpe }}"
+
 - name: Sanity checks
   assert:
     that:
-      - monitored_dont|default(False) != True
+      - monitored_dont|default(false) != true
-      - monitored_by_nrpe == True or monitored_by_ssh == True
+      - monitored_by_nrpe == true or monitored_by_ssh == true
+      - monitored_by_ssh != true or monitored_ssh_key_files != []
+    fail_msg: "Sanity checks failed"
 
 - name: Gather OS Specific Variables
   include_vars: "{{ item }}"
@@ -17,14 +24,14 @@
   package:
     name: "{{ monitored_packages_predepends }}"
     state: latest
-  when: monitored_packages_predepends|default(False)
+  when: monitored_packages_predepends|default(false)
 
 - name: "INCLUDE: Create monitoring user"
   import_tasks: user.yml
 
 - name: "INCLUDE: Install always necessary packages"
   include_tasks: packages.yml
-  when: monitored_packages_install != False
+  when: monitored_packages_install != false
 
 - name: "INCLUDE: Copy custom plugins"
   include_tasks: plugins_custom.yml
@@ -32,9 +39,9 @@
 
 - name: "INCLUDE: Monitoring by NRPE"
   include_tasks: nrpe.yml
-  when: monitored_by_nrpe == True
+  when: monitored_by_nrpe == true
 
 - name: "INCLUDE: Monitoring by SSH"
   include_tasks: ssh.yml
-  when: monitored_by_ssh == True
+  when: monitored_by_ssh == true
 

tasks/nrpe.yml

@@ -23,7 +23,7 @@
   loop: "{{ monitored_nrpe_include_dirs }}"
 
 - name: "INCLUDE: Migrate custom NRPE files"
-  include: nrpe_migrate.yml
+  import_tasks: nrpe_migrate.yml
 
 - name: Enable NRPE
   service:

tasks/packages.yml

@@ -4,7 +4,7 @@
     name: "{{ monitored_packages_mp }}"
     state: latest
   register: monitoringplugins
-  ignore_errors: True
+  ignore_errors: true
 
 - name: Install Nagios-Plugins
   package:

tasks/ssh.yml

@@ -1,8 +1,14 @@
 ---
+- name: Sanity check
+  assert:
+    that:
+      - monitored_ssh_key_files|length > 0
+    fail_msg: "List of SSH keys ('monitored_ssh_key_files') is empty!"
+
 - name: Copy SSH authorized_keys for monitoring user
   authorized_key:
     user: "{{ monitored_user }}"
-    key: "{{ lookup('file', item) }}"
+    key: "{{ lookup('template', 'ssh-key.j2') }}"
     key_options: '{{ lookup("template", "ssh-key-options.j2") }}'
     manage_dir: yes
   loop: "{{ monitored_ssh_key_files }}"
@@ -15,9 +21,9 @@
     group: "{{ monitored_group }}"
     mode: "{{ monitored_ssh_key_wrapper_mode }}"
     backup: yes
-  when: monitored_ssh_key_wrapper_src|default(False) and monitored_ssh_key_wrapper|default(False)
+  when: monitored_ssh_key_wrapper_src|default(false) and monitored_ssh_key_wrapper|default(false)
 
-- name: Instal additional packages for SSH monitoring
+- name: Install additional packages for SSH monitoring
   package:
     name: "{{ monitored_packages_additional_ssh }}"
     state: latest

tasks/user.yml

@@ -13,6 +13,7 @@
     home: "{{ monitored_homedir }}"
     move_home: yes
     shell: "{{ monitored_shell }}"
+    password: "{{ monitored_password }}"
     state: present
 
 - name: "Install sudo (if required)"

templates/nrpe.cfg.j2

@@ -1,7 +1,9 @@
 ### {{ ansible_managed }}
 
 log_facility=daemon
-pid_file={{ monitored_nrpe_pidfile }}
+{% if monitored_nrpe_pidfile %}pid_file={{ monitored_nrpe_pidfile }}
+{% else %}# pid_file=
+{% endif %}
 debug=0
 
 {% if monitored_nrpe_server_address %}server_address={{ monitored_nrpe_server_address }}

templates/ssh-key-options.j2

@@ -1 +1 @@
-no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty{% if monitored_ssh_key_wrapper %},command="{{ monitored_ssh_key_wrapper }}"{% endif %}
+no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,from="{{ monitored_server_ips|join(",") }}"{% if monitored_ssh_key_wrapper %},command="{{ monitored_ssh_key_wrapper }}"{% endif %}

templates/ssh-key.j2

@@ -0,0 +1 @@
+{% if item.endswith('.pub') %}{{ lookup('file', item) }}{% else %}{{ item }}{% endif %}

vars/alpine.yml

@@ -1,4 +1,7 @@
 ---
+monitored_shell: /bin/ash
+monitored_password: '*'
+
 monitored_packages_mp:
   - monitoring-plugins
 monitored_packages_np:
@@ -19,5 +22,5 @@ monitored_packages_nrpe:
   - nrpe
 
 monitored_nrpe_basedir: /etc
-monitored_nrpe_pidfile: /var/run/nrpe.pid
+monitored_nrpe_pidfile: false
 

vars/void.yml

@@ -1,10 +1,15 @@
 ---
-monitored_by_nrpe: False
+monitored_user: _nagios
-
+monitored_group: _nagios
-monitored_packages_nrpe: null
 
 monitored_packages_mp:
   - monitoring-plugins
 monitored_packages_np:
   - nagios-plugins
 
+monitored_packages_nrpe:
+  - nrpe
+
+monitored_nrpe_basedir: /etc/nagios
+monitored_nrpe_pidfile: /run/nrpe.pid
+