mag/checkmk_deploy_agent
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
checkmk_deploy_agent/tasks/Debian.yml
mag 6bc699f99c Upload files to "tasks"
2025-12-01 11:50:28 +01:00

139 lines
6.1 KiB
YAML
Raw Blame History

---
# ============================================================================
# Package Installation Tasks
# ============================================================================
- name: "{{ ansible_os_family }} Derivatives: Install host-specific {{ checkmk_agent_edition | upper }} Agent."
become: true
ansible.builtin.apt:
deb: "{{ __checkmk_agent_agent.file.host }}"
force: "{{ checkmk_agent_force_install | bool }}"
state: present
when: |
checkmk_agent_edition | lower != "cre"
and checkmk_agent_host_specific | bool
failed_when: false # Ignore if a newer version is already installed
tags:
- install-package
- name: "{{ ansible_os_family }} Derivatives: Install GENERIC or folder-specific {{ checkmk_agent_edition | upper }} Agent."
become: true
ansible.builtin.apt:
deb: "{{ __checkmk_agent_agent.file.cee }}"
force: "{{ checkmk_agent_force_install | bool }}"
state: present
when: |
checkmk_agent_edition | lower != "cre"
and not checkmk_agent_host_specific | bool
failed_when: false # Ignore if a newer version is already installed
tags:
- install-package
- name: "{{ ansible_os_family }} Derivatives: Transfer Vanilla agent."
ansible.builtin.copy:
src: "{{ __checkmk_agent_agent.file.cre }}"
dest: "{{ __checkmk_agent_agent.file.cre }}"
mode: "0644"
when: |
checkmk_agent_edition | lower == "cre"
and checkmk_agent_delegate_download != inventory_hostname
tags:
- download-package
- name: "{{ ansible_os_family }} Derivatives: Install Vanilla agent."
become: true
ansible.builtin.apt:
deb: "{{ __checkmk_agent_agent.file.cre }}"
force: "{{ checkmk_agent_force_install | bool }}"
state: present
when: checkmk_agent_edition | lower == "cre"
failed_when: false # Ignore if a newer version is already installed
tags:
- install-package
# ============================================================================
# Firewall Configuration Tasks
# ============================================================================
# These tasks only run if UFW is installed, enabled in config, AND already active.
# We don't want to accidentally enable UFW if it's not currently running.
# ============================================================================
- name: "{{ ansible_os_family }}: Check if UFW is active."
become: true
ansible.builtin.command: ufw status
register: __checkmk_agent_ufw_status
changed_when: false # Status check should never report as changed
failed_when: false # Don't fail if UFW is not installed
when: checkmk_agent_configure_firewall | bool and "ufw" in ansible_facts.services
tags:
- configure-firewall
- name: "{{ ansible_os_family }} Configure Firewall for Agent."
# Opens port 6556/tcp for CheckMK agent communication
# Only runs if UFW is already active to avoid accidentally enabling firewall
become: true
ansible.builtin.raw: |
ufw allow 6556/tcp
ufw reload
args:
executable: /bin/bash
register: __checkmk_agent_ufw_result
changed_when: "'Skipping' not in __checkmk_agent_ufw_result.stdout"
when: |
checkmk_agent_configure_firewall | bool
and "ufw" in ansible_facts.services
and __checkmk_agent_ufw_status is defined
and 'Status: active' in __checkmk_agent_ufw_status.stdout
tags:
- configure-firewall
- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent with IP restrictions."
# This block adds IP-specific firewall rules for the CheckMK server
# It handles both direct IP addresses and hostnames (which get resolved via DNS)
when: |
checkmk_agent_configure_firewall | bool
and "ufw" in ansible_facts.services
and __checkmk_agent_ufw_status is defined
and 'Status: active' in __checkmk_agent_ufw_status.stdout
block:
- name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
# Uses regex to detect if checkmk_agent_server is already an IP (IPv4 or IPv6)
# Regex pattern matches: IPv4 (x.x.x.x) or IPv6 (xxxx:xxxx:...)
when: checkmk_agent_server | regex_search('^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([0-9a-fA-F:]+:+)+[0-9a-fA-F]+$')
ansible.builtin.set_fact:
checkmk_agent_server_ips: "{{ checkmk_agent_server_ips | default([]) + [checkmk_agent_server] }}"
- name: "{{ ansible_os_family }} Derivatives: Resolve Checkmk Server hostname to IPs if it's not an IP."
# If checkmk_agent_server is a hostname (e.g., monitoring.gc-gruppe.net),
# resolve it to IP address(es) via getent (standard Linux tool, no extra dependencies)
# This ensures firewall rules work even when using hostnames
when: not (checkmk_agent_server | regex_search('^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([0-9a-fA-F:]+:+)+[0-9a-fA-F]+$'))
become: true
ansible.builtin.shell: "getent hosts {{ checkmk_agent_server }} | awk '{ print $1 }' | head -n1"
register: __checkmk_agent_server_resolved
changed_when: false
- name: "{{ ansible_os_family }} Derivatives: Set resolved IP as fact."
# Store the resolved IP address for use in firewall rules
when:
- __checkmk_agent_server_resolved is defined
- __checkmk_agent_server_resolved.stdout | length > 0
ansible.builtin.set_fact:
checkmk_agent_server_ips: "{{ checkmk_agent_server_ips | default([]) + [__checkmk_agent_server_resolved.stdout] }}"
- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
# Creates UFW rules allowing each CheckMK server IP to connect to port 6556
# Loops through all resolved/provided IPs and adds individual rules
# Each rule gets a comment for easy identification in 'ufw status'
when: checkmk_agent_server_ips is defined and checkmk_agent_server_ips | length > 0
become: true
ansible.builtin.raw: |
ufw allow from {{ item }} to any port 6556 proto tcp comment 'Allow Checkmk'
ufw reload
args:
executable: /bin/bash
loop: "{{ checkmk_agent_server_ips }}"
register: __checkmk_agent_ufw_rich_result
changed_when: "'Skipping' not in __checkmk_agent_ufw_rich_result.stdout"
tags:
- configure-firewall
Reference in a new issue View git blame Copy permalink