You could create a script that automates the steps needed to add new hosts, like the old and deprecated PowerShell module did.
Or you could use DevOps tools, e.g. Ansible, Puppet or SaltStack, to do the same, e.g. via a playbook. You’ll find many such approaches on the net, e.g. blog or other blog or Telekom.
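# 2. install icinga and plugins
# Installs curl plus pinned versions of icinga2 and the Linuxfabrik monitoring
# plugins, then puts both packages back on hold so an unattended upgrade cannot
# move the agent to a version the master does not support.
# Reads: ICINGA_VERSION, VERSION_ID, MONITORING_PLUGINS_VERSION.

# refresh repos
apt-get update

# make packages installable (they are on hold after a previous run)
apt-mark unhold icinga2 linuxfabrik-monitoring-plugins

# install packages; the version specs are quoted so that an unexpected
# character in a variable cannot be word-split or glob-expanded into extra
# apt-get arguments
install_rc=0
apt-get install --yes \
  curl \
  "icinga2=${ICINGA_VERSION}${VERSION_ID}" \
  "linuxfabrik-monitoring-plugins=${MONITORING_PLUGINS_VERSION}" \
  || install_rc=$?

# prevent updates to incompatible versions; done even when the install failed
# so the packages are never left un-held
apt-mark hold icinga2 linuxfabrik-monitoring-plugins

if [[ "$install_rc" -ne 0 ]]; then
  echo -e '\033[0;31mError: package installation failed, aborting agent setup.\033[0m' >&2
  exit 1
fi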
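# 3. get key from director
# Use the host template API key (DIRECTOR_KEY) to create the host in the
# Director and receive the per-host self-service API key. The response body is
# captured as-is and its surrounding double quotes are stripped below.
# Reads: ICINGA_URL, FQDN, DIRECTOR_KEY, DISPLAY_NAME, IP, HOST_KEY_FILE.
#
# NOTE(review): both keys are part of the URL, so they are visible in the local
# process list while curl runs and may end up in web server access logs.
# ICINGA_URL should be an https:// URL so they are not sent in clear text.
# NOTE(review): FQDN is not URL-encoded and DISPLAY_NAME / IP are not
# JSON-escaped; this assumes they contain no quotes, '&' or whitespace.
register_rc=0
HOST_KEY=$(curl --request POST \
  --url "${ICINGA_URL}/icingaweb2/director/self-service/register-host?name=${FQDN}&key=${DIRECTOR_KEY}" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{
"display_name": "'"$DISPLAY_NAME"'",
"address": "'"$IP"'"
}'
) || register_rc=$?

# remove surrounding double quotes
HOST_KEY="${HOST_KEY%\"}"
HOST_KEY="${HOST_KEY#\"}"

# A failed transfer or an empty body is treated like an error response:
# otherwise an empty key would be used for the ticket request and written to
# HOST_KEY_FILE. In every failure case fall back to the key saved in
# HOST_KEY_FILE by an earlier run.
if [[ "$register_rc" -ne 0 || -z "$HOST_KEY" || "$HOST_KEY" == *"error"* ]]; then
  if [[ -f "${HOST_KEY_FILE}" ]]; then
    HOST_KEY=$(<"${HOST_KEY_FILE}")
  else
    echo -e '\033[0;31mError: could not create or load host key for self service ticket API to get Cert signed by Icinga PKI!' >&2
    echo -e 'Remove host from director or check self service token of director host-template.\033[0m' >&2
    exit 1
  fi
fi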
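# use Host API Key to get Icinga2 PKI ticket
# Reads: ICINGA_URL, HOST_KEY, TICKET_FILE.
# NOTE(review): HOST_KEY is part of the URL and therefore visible in the local
# process list while curl runs; ICINGA_URL should be an https:// URL.
ticket_rc=0
ICINGA_TICKET=$(curl --request GET \
  --url "${ICINGA_URL}/icingaweb2/director/self-service/ticket?key=${HOST_KEY}" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
) || ticket_rc=$?

# remove surrounding double quotes
ICINGA_TICKET="${ICINGA_TICKET%\"}"
ICINGA_TICKET="${ICINGA_TICKET#\"}"

# If the request failed, returned nothing or returned an error, try the ticket
# stored in TICKET_FILE (per the original comment:
# /var/lib/icinga2/certs/ticket). An empty ticket must not reach
# `icinga2 node setup`, so the empty case is handled like an error.
if [[ "$ticket_rc" -ne 0 || -z "$ICINGA_TICKET" || "$ICINGA_TICKET" == *"error"* ]]; then
  if [[ -f "${TICKET_FILE}" ]]; then
    ICINGA_TICKET=$(<"${TICKET_FILE}")
  else
    echo -e '\033[0;31mError: could not create or load ticket to get Cert signed by Icinga PKI!' >&2
    echo -e 'Remove host from director or check self service token of director host-template.\033[0m' >&2
    exit 1
  fi
fi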
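# 4. Setup Icinga2 Agent
# Fetches the master's certificate and pins it against the expected
# FINGERPRINT before anything is configured to trust it.
# Reads: HOST_KEY, HOST_KEY_FILE, ICINGA_MASTER1, FINGERPRINT.

# make sure the directory /var/lib/icinga2/certs exists and has the correct
# permissions
install --owner=nagios \
  --group=nagios \
  --mode=700 \
  --directory /var/lib/icinga2/certs

# save host key so a later run can reuse it when registration fails
# NOTE(review): the file is created with the current umask; if HOST_KEY_FILE
# lies outside the 0700 certs directory, restrict its mode.
printf '%s\n' "$HOST_KEY" > "$HOST_KEY_FILE"

# An empty FINGERPRINT would turn the comparison below into "match anything"
# and silently disable the check, so refuse to continue without one.
if [[ -z "${FINGERPRINT:-}" ]]; then
  echo -e "\033[0;31mError: FINGERPRINT is not set, cannot verify the Icinga master certificate!\033[0m" >&2
  exit 1
fi

# save PKI cert from Icinga config master
# fd3 will preserve output to stdout while capturing stdout for later checking
# of fingerprint
{ PKI_OUTPUT=$(icinga2 pki save-cert \
  --host "$ICINGA_MASTER1" \
  --port 5665 \
  --key local.key \
  --cert local.crt \
  --trustedcert /var/lib/icinga2/certs/master.crt | tee /dev/fd/3); } 3>&1

# The fingerprint is quoted on the right-hand side so it is compared as a
# literal substring; unquoted, any '*' or '?' in it would act as a wildcard.
# The exit status of save-cert is hidden by the pipe to tee; a failed fetch is
# still rejected here because its output does not contain the fingerprint.
if [[ "$PKI_OUTPUT" == *"${FINGERPRINT}"* ]]; then
  echo "Icinga PKI: fingerprint matched"
else
  echo -e "\033[0;31mError: Icinga PKI fingerprint didn't match! Man in the middle attack?\033[0m" >&2
  exit 1
fi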
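# execute icinga2 node setup
# Reads: ICINGA_MASTER1, ICINGA_MASTER2, FQDN, ICINGA_TICKET.
# --accept-config and --accept-commands let the parent node push configuration
# to this agent and run commands on it, which is why master.crt must have
# passed the fingerprint check before this point.
# NOTE(review): --zone is set to ICINGA_MASTER1 while --cn is the agent's FQDN;
# confirm this is the intended local zone name.
# NOTE(review): the ticket is passed on the command line and is visible in the
# process list while the command runs.
# All expansions are quoted so an empty or malformed value cannot shift the
# remaining arguments.
if ! icinga2 node setup --zone "$ICINGA_MASTER1" \
  --endpoint "${ICINGA_MASTER1},${ICINGA_MASTER1},5665" \
  --endpoint "${ICINGA_MASTER2},${ICINGA_MASTER2},5665" \
  --parent_host "${ICINGA_MASTER1},5665" \
  --parent_zone master \
  --cn "$FQDN" \
  --accept-config \
  --accept-commands \
  --disable-confd \
  --trustedcert /var/lib/icinga2/certs/master.crt \
  --ticket "$ICINGA_TICKET"; then
  # do not enable or restart the service on top of a half-written setup
  echo -e '\033[0;31mError: icinga2 node setup failed.\033[0m' >&2
  exit 1
fi

# enable the icinga2 service
systemctl enable --now icinga2.service

# restart the icinga2 service to ensure new configuration is enabled
systemctl restart icinga2.service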
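# 5. Install sudoers file for monitoring-plugins
# Reads: LINUXFABRIK_SUDOERS (file content), LINUXFABRIK_SUDOERS_PATH (target).
# The content is written to a private temporary file and syntax-checked first:
# a sudoers fragment with a syntax error can make sudo refuse to run, so it
# must never be written straight to its final path.
sudoers_tmp=$(mktemp) || exit 1
printf '%s\n' "$LINUXFABRIK_SUDOERS" > "$sudoers_tmp"

if command -v visudo > /dev/null 2>&1; then
  if ! visudo -c -f "$sudoers_tmp"; then
    echo -e '\033[0;31mError: sudoers file for monitoring-plugins failed the visudo syntax check, not installing it.\033[0m' >&2
    rm -f -- "$sudoers_tmp"
    exit 1
  fi
else
  echo 'Warning: visudo not found, installing sudoers file without syntax check.' >&2
fi

# install sets the mode when it creates the target, so the file does not exist
# with wider permissions between write and chmod.
# NOTE(review): mode 0640 is kept from the original; sudoers drop-ins are
# conventionally 0440.
install --mode=0640 "$sudoers_tmp" "$LINUXFABRIK_SUDOERS_PATH"
rm -f -- "$sudoers_tmp"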