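---
# ============================================================================
# Package Installation Tasks
# ============================================================================
# NOTE(review): `force` on ansible.builtin.apt corresponds to apt-get
# --force-yes, which implies allow_unauthenticated and allow_downgrade, so a
# .deb that fails signature verification would still be installed. Keep
# checkmk_agent_force_install at false unless a downgrade is really intended.
# NOTE(review): `failed_when: false` on the apt tasks also hides genuine
# install failures (missing .deb, unmet dependencies). A narrower condition on
# a registered result would be safer, but the exact apt message is not pinned
# on this page, so the original behaviour is kept.
- name: "{{ ansible_os_family }} Derivatives: Install host-specific {{ checkmk_agent_edition | upper }} Agent."
  become: true
  ansible.builtin.apt:
    deb: "{{ __checkmk_agent_agent.file.host }}"
    force: "{{ checkmk_agent_force_install | bool }}"
    state: present
  when: |
    checkmk_agent_edition | lower != "cre"
    and checkmk_agent_host_specific | bool
  failed_when: false  # Ignore if a newer version is already installed
  tags:
    - install-package

- name: "{{ ansible_os_family }} Derivatives: Install GENERIC or folder-specific {{ checkmk_agent_edition | upper }} Agent."
  become: true
  ansible.builtin.apt:
    deb: "{{ __checkmk_agent_agent.file.cee }}"
    force: "{{ checkmk_agent_force_install | bool }}"
    state: present
  when: |
    checkmk_agent_edition | lower != "cre"
    and not checkmk_agent_host_specific | bool
  failed_when: false  # Ignore if a newer version is already installed
  tags:
    - install-package

# The Vanilla (CRE) package is copied from the controller only when the
# download was not delegated to the target host itself.
- name: "{{ ansible_os_family }} Derivatives: Transfer Vanilla agent."
  ansible.builtin.copy:
    src: "{{ __checkmk_agent_agent.file.cre }}"
    dest: "{{ __checkmk_agent_agent.file.cre }}"
    mode: "0644"
  when: |
    checkmk_agent_edition | lower == "cre"
    and checkmk_agent_delegate_download != inventory_hostname
  tags:
    - download-package

- name: "{{ ansible_os_family }} Derivatives: Install Vanilla agent."
  become: true
  ansible.builtin.apt:
    deb: "{{ __checkmk_agent_agent.file.cre }}"
    force: "{{ checkmk_agent_force_install | bool }}"
    state: present
  when: checkmk_agent_edition | lower == "cre"
  failed_when: false  # Ignore if a newer version is already installed
  tags:
    - install-package

# ============================================================================
# Firewall Configuration Tasks
# ============================================================================
# These tasks only run if UFW is installed, enabled in config, AND already active.
# We don't want to accidentally enable UFW if it's not currently running.
# NOTE(review): `ansible_facts.services` is only populated after
# ansible.builtin.service_facts has run; if it has not been gathered earlier in
# the play, the `when` below raises an undefined-variable error — confirm
# against the calling playbook.
# ============================================================================
- name: "{{ ansible_os_family }}: Check if UFW is active."
  become: true
  ansible.builtin.command: ufw status
  register: __checkmk_agent_ufw_status
  changed_when: false  # Status check should never report as changed
  failed_when: false  # Don't fail if UFW is not installed
  when: checkmk_agent_configure_firewall | bool and "ufw" in ansible_facts.services
  tags:
    - configure-firewall

# Opens port 6556/tcp for Checkmk agent communication from ANY source.
# Only runs if UFW is already active to avoid accidentally enabling the firewall.
# NOTE(review): this unrestricted rule makes the per-server "from <ip>" rules
# added in the block below redundant — once 6556/tcp is open to all, the
# source-restricted rules add no further restriction. If the intent is to limit
# the agent port to the Checkmk server(s), this task should be dropped or gated
# so that it only runs when no server IP could be determined. Behaviour is left
# unchanged here because the original ordering/intent is not stated.
- name: "{{ ansible_os_family }} Configure Firewall for Agent."
  become: true
  ansible.builtin.raw: |
    ufw allow 6556/tcp
    ufw reload
  args:
    executable: /bin/bash
  register: __checkmk_agent_ufw_result
  changed_when: "'Skipping' not in __checkmk_agent_ufw_result.stdout"
  when: |
    checkmk_agent_configure_firewall | bool
    and "ufw" in ansible_facts.services
    and __checkmk_agent_ufw_status is defined
    and 'Status: active' in __checkmk_agent_ufw_status.stdout
  tags:
    - configure-firewall

# This block adds IP-specific firewall rules for the Checkmk server.
# It handles both direct IP addresses and hostnames (resolved via getent).
# The tag is placed on the block so that every step (detect, resolve, set_fact,
# allow) runs together under `--tags configure-firewall`; the final task depends
# on the fact set by the earlier ones.
- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent with IP restrictions."
  when: |
    checkmk_agent_configure_firewall | bool
    and "ufw" in ansible_facts.services
    and __checkmk_agent_ufw_status is defined
    and 'Status: active' in __checkmk_agent_ufw_status.stdout
  tags:
    - configure-firewall
  vars:
    # Matches a dotted IPv4 address or a colon-separated IPv6 address.
    # Shared by the two detection conditions below so they cannot drift apart.
    __checkmk_agent_ip_regex: '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([0-9a-fA-F:]+:+)+[0-9a-fA-F]+$'
  block:
    - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
      # checkmk_agent_server is already an address: use it as-is.
      when: checkmk_agent_server | regex_search(__checkmk_agent_ip_regex)
      ansible.builtin.set_fact:
        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips | default([]) + [checkmk_agent_server] }}"

    - name: "{{ ansible_os_family }} Derivatives: Resolve Checkmk Server hostname to IPs if it's not an IP."
      # checkmk_agent_server is a hostname (e.g. an FQDN rather than an address):
      # resolve it with getent (standard glibc tool, no extra dependencies).
      # Only the FIRST address getent returns is kept (`head -n1`); depending on
      # the resolver configuration this may be an IPv6 address.
      # The hostname is shell-quoted because it is interpolated into a shell
      # command line; an unquoted value containing shell metacharacters would
      # otherwise be executed rather than looked up.
      when: not (checkmk_agent_server | regex_search(__checkmk_agent_ip_regex))
      become: true
      ansible.builtin.shell: "getent hosts {{ checkmk_agent_server | quote }} | awk '{ print $1 }' | head -n1"
      register: __checkmk_agent_server_resolved
      changed_when: false

    - name: "{{ ansible_os_family }} Derivatives: Set resolved IP as fact."
      # Store the resolved IP address for use in firewall rules.
      # A skipped task still registers its variable (with `skipped: true` and no
      # `stdout`), so `is defined` alone is not enough: when checkmk_agent_server
      # was already an IP the previous task is skipped and evaluating
      # `.stdout | length` would raise. Check that stdout itself exists first.
      when:
        - __checkmk_agent_server_resolved is defined
        - __checkmk_agent_server_resolved.stdout is defined
        - __checkmk_agent_server_resolved.stdout | length > 0
      ansible.builtin.set_fact:
        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips | default([]) + [__checkmk_agent_server_resolved.stdout] }}"

    - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
      # Creates one UFW rule per Checkmk server IP allowing it to reach port 6556.
      # Each rule carries a comment for easy identification in 'ufw status'.
      # `item` is shell-quoted since it is interpolated into a raw command line;
      # for a well-formed address the resulting command is unchanged.
      when: checkmk_agent_server_ips is defined and checkmk_agent_server_ips | length > 0
      become: true
      ansible.builtin.raw: |
        ufw allow from {{ item | quote }} to any port 6556 proto tcp comment 'Allow Checkmk'
        ufw reload
      args:
        executable: /bin/bash
      loop: "{{ checkmk_agent_server_ips }}"
      register: __checkmk_agent_ufw_rich_result
      changed_when: "'Skipping' not in __checkmk_agent_ufw_rich_result.stdout"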