Initial project

.ansible-lint

@@ -0,0 +1,10 @@
+# .ansible-lint
+profile: basic
+
+skip_list: # or 'skip_list' to silence them completely
+  - experimental # all rules tagged as experimental
+  - unnamed-task # All tasks should be named
+  - fqcn-builtins
+  - name[casing]
+
+warn_list: []  # or 'skip_list' to silence them completely  

.woodpecker/cron.yml

@@ -0,0 +1,25 @@
+---
+matrix:
+  include:
+    - MOLECULE_DISTRO: centos7
+    - MOLECULE_DISTRO: almalinux8
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      recursive: true
+      submodule_update_remote: true
+when:
+  event: [cron]
+steps:
+  test:
+    name: Test on ${MOLECULE_DISTRO}
+    image: guisea/ansible-molecule
+    pull: true
+    environment:
+      PY_COLORS: '1'
+      ANSIBLE_FORCE_COLOR: '1'
+    volumes: [/var/run/docker.sock:/var/run/docker.sock]
+    commands: ['molecule test --scenario-name ${MOLECULE_SCENARIO:-default}']
+    when:
+      event: [cron]

.woodpecker/lint.yml

@@ -0,0 +1,41 @@
+---
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      recursive: true
+      submodule_update_remote: true
+when:
+  event: [push, manual]
+steps:
+  ansible-lint:
+    group: test
+    name: 'Lint: Ansible-lint'
+    image: guisea/ansible-molecule
+    environment:
+      PY_COLORS: '1'
+      ANSIBLE_FORCE_COLOR: '1'
+    commands: [ansible-lint -c ".ansible-lint"]
+    when:
+      event: [push, manual]
+  yamllint:
+    group: test
+    name: 'Lint: Yamllint'
+    image: guisea/ansible-molecule
+    commands: [yamllint -f colored .]
+    when:
+      event: [push, manual]
+  ntfy:
+    image: codeberg.org/l-x/woodpecker-ntfy
+    settings:
+      url: https://ntfy.cybercinch.nz/ci-status
+      title: Lint failed for ${CI_REPO_NAME}
+      priority: urgent
+      icon: https://woodpecker-ci.org/img/logo.svg
+      tags: robot,warning,rotating_light,${CI_BUILD_EVENT},${CI_REPO_NAME}
+      message: >
+        📝 Commit by ${CI_COMMIT_AUTHOR} on ${CI_COMMIT_BRANCH}:
+              ${CI_COMMIT_MESSAGE}
+    when:
+      event: [push, manual]
+      status: [failure]

.woodpecker/test.yml

@@ -0,0 +1,41 @@
+---
+matrix:
+  include:
+    - MOLECULE_DISTRO: almalinux8
+    - MOLECULE_DISTRO: almalinux9
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      recursive: true
+      submodule_update_remote: true
+when:
+  event: [push, manual]
+steps:
+  test:
+    name: Test on ${MOLECULE_DISTRO}
+    image: guisea/ansible-molecule
+    pull: true
+    environment:
+      PY_COLORS: '1'
+      ANSIBLE_FORCE_COLOR: '1'
+    volumes: [/var/run/docker.sock:/var/run/docker.sock]
+    commands: ['molecule test --scenario-name ${MOLECULE_SCENARIO:-default}']
+    when:
+      event: [push, manual]
+  ntfy:
+    image: codeberg.org/l-x/woodpecker-ntfy
+    settings:
+      url: https://ntfy.cybercinch.nz/ci-status
+      title: 'Test failed for ${CI_REPO_NAME} - Distro: ${MOLECULE_DISTRO} Scenario:
+        ${MOLECULE_SCENARIO:-default}'
+      priority: urgent
+      icon: https://woodpecker-ci.org/img/logo.svg
+      tags: robot,warning,rotating_light,${CI_BUILD_EVENT},${CI_REPO_NAME}
+      message: >
+        📝 Commit by ${CI_COMMIT_AUTHOR} on ${CI_COMMIT_BRANCH}:
+              ${CI_COMMIT_MESSAGE}
+    when:
+      event: [push, manual]
+      status: [failure]
+depends_on: [lint]

.woodpecker/z.ntfy-cron.yml

@@ -0,0 +1,15 @@
+---
+skip_clone: true
+steps:
+  ntfy-success:
+    image: codeberg.org/l-x/woodpecker-ntfy
+    settings:
+      url: https://ntfy.cybercinch.nz/ci-status
+      title: Build succeeded on ${CI_REPO_NAME}
+      priority: urgent
+      icon: https://woodpecker-ci.org/img/logo.svg
+      tags: robot,white_check_mark,${CI_BUILD_EVENT},${CI_REPO_NAME}
+      message: >
+        Test success when run by cron for ${CI_REPO_NAME}.
+depends_on: [cron]
+runs_on: [success]

.woodpecker/z.ntfy.yml

@@ -0,0 +1,18 @@
+---
+skip_clone: true
+steps:
+  ntfy:
+    image: codeberg.org/l-x/woodpecker-ntfy
+    settings:
+      url: https://ntfy.cybercinch.nz/ci-status
+      title: Build completed for ${CI_REPO_NAME}
+      priority: urgent
+      icon: https://woodpecker-ci.org/img/logo.svg
+      tags: robot,tada,white_check_mark,${CI_BUILD_EVENT},${CI_REPO_NAME}
+      message: >
+        📝 Commit by ${CI_COMMIT_AUTHOR} on ${CI_COMMIT_BRANCH}:
+              ${CI_COMMIT_MESSAGE}
+    when:
+      event: [push, manual]
+      status: [success]
+depends_on: [lint, test]

.woodpecker/zz.ntfy-cron-failed.yml

@@ -0,0 +1,15 @@
+---
+skip_clone: true
+steps:
+  ntfy-failed:
+    image: codeberg.org/l-x/woodpecker-ntfy
+    settings:
+      url: https://ntfy.cybercinch.nz/ci-status
+      title: Build failed on ${CI_REPO_NAME}
+      priority: urgent
+      icon: https://woodpecker-ci.org/img/logo.svg
+      tags: robot,rotating_light,no_entry,${CI_BUILD_EVENT},${CI_REPO_NAME}
+      message: >
+        Test failed when run by cron for ${CI_REPO_NAME}.
+depends_on: [cron]
+runs_on: [failure]

.yamllint

@@ -0,0 +1,35 @@
+---
+# Based on ansible-lint config
+extends: default
+
+ignore: |
+  .venv/
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy: disable

Makefile

@@ -0,0 +1,36 @@
+.PHONY: clean virtualenv lint test docker dist dist-upload
+
+clean:
+	find . -name '*.py[co]' -delete
+
+virtualenv:
+	virtualenv --prompt '|> check_mk_agent <| ' .venv
+	.venv/bin/pip install --upgrade pip
+	.venv/bin/pip install -r requirements.txt
+	.venv/bin/ansible-galaxy collection install -r molecule/requirements.yml
+	@echo
+	@echo "VirtualENV Setup Complete. Now run: source .venv/bin/activate"
+	@echo
+
+test: 
+	for distro in almalinux8 ; do \
+		MOLECULE_DISTRO=$$distro molecule test --scenario-name http_direct -- -vvv ; \
+	done
+
+lint:
+	@echo "Linting with Ansible-lint"
+	@echo
+	ansible-lint -c ".ansible-lint" --exclude ".venv"
+	@echo
+	@echo "Linting with Yamllint"
+	@echo
+	yamllint .
+	@echo
+
+dist: clean
+	rm -rf dist/*
+	python setup.py sdist
+	python setup.py bdist_wheel
+
+dist-upload:
+	twine upload dist/*

README.md

@@ -0,0 +1,34 @@
+Check Mk Agent
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+| Name              | Default Value       | Description          |
+|-------------------|---------------------|----------------------|
+| `` | `` |  |
+
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+         - cybercinch.check_mk_agent
+
+License
+-------
+
+Apache 2.0

defaults/main.yml

@@ -0,0 +1,60 @@
+---
+cmk_add_host: false  # Should be true/false whether we should automatically add host for monitoring.
+cmk_omd_protocol: http  # Should be http or https
+cmk_omd_host: your-checkmk-hostname
+cmk_omd_site: your-checkmk-site  # e.g the first piece after the / following your hostname
+
+# If you have created a folder in WATO already you want hosts to be put in when registered
+# uncomment cmk_folder below and specify the folder to use.  Otherwise the role creates and
+# adds new hosts by default to Unsorted folder
+# p.s:  Folders created in the CMK UI are all lower case even if you enter them in capitals :(
+# cmk_folder: your_folder_in_WATO
+cmk_download_mode: samba
+cmk_smb_password:
+cmk_smb_username:
+# If using direct download (http) from CMK set below
+# # Copy paste the link address for rpm agent from CheckMK
+# cmk_rpm_agent_x86_64: http://url-from-your-agent-bakery-in-checkmk.rpm
+# # Copy paste the link address for MSI (Windows) agent from CheckMK
+# cmk_msi_agent_x86_64: http://url-from-your-agent-bakery-in-checkmk.msi
+# # Copy paste from cmk server
+# cmk_deb_agent_x86_64: http://url-from-your-agent-bakery-in-checkmk.deb
+# # Copy paste from cmk server
+# cmk_rpm_agent_aarch64: http://url-from-your-agent-bakery-in-checkmk.rpm
+# # Copy paste from cmk server
+# cmk_deb_agent_aarch64: http://url-from-your-agent-bakery-in-checkmk.deb
+
+# Want to use Samba to download the pre-prepared agents
+cmk_download_path: \\fileserver\Software\checkmk-agents\{{ cmk_os_family }}\{{ ansible_architecture }}\
+cmk_rpm_agent: check-mk-agent-2.0.0p11.noarch.rpm
+cmk_deb_agent: check-mk-agent-2.0.0p11_all.deb
+cmk_msi_agent: check-mk-agent-2.0.0p11.msi
+
+# Check_MK GPG Key
+# Copy paste the link address from Signature Keys for Signing Agents page
+cmk_gpg_key_id: 1
+cmk_gpg_key_url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/wato.py?key={{
+  cmk_gpg_key_id }}&mode=download_signature_key'
+
+# Should be username of an automation user in checkmk
+cmk_username: some-username
+
+# This should be populated with the secret for your automation user
+# I recommend encrypting this with ansible-vault.
+# Example: ansible-vault encrypt_string somesecret_string --name cmk_secret
+cmk_secret: some-secret
+
+# Combined string required for unattended actions
+cmk_auth: '&_username={{ cmk_username }}&_secret={{ cmk_secret }}'
+
+# This variable is used to detect whether this is a fresh install
+# Is changed to true if check-mk-agent gets installed
+cmk_fresh_install: false
+
+# This variable if set to true will force installation to run regardless of whether
+# CheckMK is already installed.
+# Breaks idempotence but allows role to be used to force upgrade agents.
+cmk_force_install: false
+cmk_host_ip: '{{ ansible_host }}'
+cmk_dl_needs_auth: true
+cmk_debug: true

filter_plugins/reslash.py

@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+def filter_reslash(val):
+    return val.replace('\\', '/')
+
+class FilterModule(object):
+    filter_map = {
+        'reslash': filter_reslash
+    }
+
+    def filters(self):
+        return self.filter_map

handlers/main.yml

@@ -0,0 +1,33 @@
+---
+# handlers file for ansible-role-cmk-agent
+- name: restart xinetd
+  service:
+    name: xinetd
+    state: restarted
+    enabled: true
+- name: cmk fresh install
+  set_fact:
+    cmk_fresh_install: true
+- name: ensure firewall open (rhel)
+  firewalld:
+    port: 6556/tcp
+    state: enabled
+    permanent: true
+    immediate: true
+  ignore_errors: true
+  when: ansible_os_family == "RedHat"
+- name: ensure firewall open (debian)
+  ufw:
+    rule: allow
+    port: 6556
+    proto: tcp
+  ignore_errors: true
+  when: ansible_os_family == "Debian"
+- name: remove agent
+  file:
+    path: /tmp/check-mk-agent.rpm
+    state: absent
+- name: remove selinux policy file
+  file:
+    path: /tmp/checkmk-agent-autoupgrade.pp
+    state: absent

meta/main.yml

@@ -0,0 +1,34 @@
+---
+galaxy_info:
+  author: Aaron Guise
+  description: Install checkmk agent with Enterprise Baked Agent
+  role_name: check_mk_agent
+  namespace: cybercinch
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  license: MIT
+  min_ansible_version: "2.9"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: EL
+      versions:
+       - "7"
+       - "8"
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+dependencies: []

molecule/default/converge.yml

@@ -0,0 +1,11 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    cmk_omd_protocol: "{{ lookup('env', 'CMK_OMD_PROTOCOL')}}"
+    cmk_omd_host: "{{ lookup('env', 'CMK_OMD_HOST')}}"
+    cmk_omd_site: "{{ lookup('env', 'CMK_OMD_SITE')}}"
+  tasks:
+    - name: Include {{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}
+      include_role:
+        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/default/molecule.yml

@@ -0,0 +1,17 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: check_mk_agent-test-${MOLECULE_DISTRO:-almalinux8}
+    image: cybercinch/docker-${MOLECULE_DISTRO:-almalinux8}-ansible:latest
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes: [/sys/fs/cgroup:/sys/fs/cgroup:rw]
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  env:
+    MOLECULE_NO_LOG: true

molecule/default/verify.yml

@@ -0,0 +1,6 @@
+---
+- name: Verify role
+  hosts: all
+  become: true
+  gather_facts: false
+  tasks: []

molecule/http_direct/converge.yml

@@ -0,0 +1,17 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    cmk_rpm_agent: https://files.cybercinch.nz/agents/check-mk/linux/check-mk-agent-2.2.0p9-1102045deb7cb781.noarch.rpm
+    cmk_dl_needs_auth: false
+    cmk_add_host: false
+    cmk_download_mode: inline
+    cmk_omd_protocol: "{{ lookup('env', 'CMK_OMD_PROTOCOL')}}"
+    cmk_omd_host: "{{ lookup('env', 'CMK_OMD_HOST')}}"
+    cmk_omd_site: "{{ lookup('env', 'CMK_OMD_SITE')}}"
+    cmk_username: "{{ lookup('env', 'CMK_USERNAME')}}"
+    cmk_secret: "{{ lookup('env', 'CMK_SECRET')}}"
+  tasks:
+    - name: Include {{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}
+      include_role:
+        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/http_direct/molecule.yml

@@ -0,0 +1,24 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: rhel8
+    image: docker.io/cybercinch/docker-almalinux8-ansible
+    command: ${MOLECULE_DOCKER_COMMAND:-"/usr/sbin/init"}
+    volumes: [/sys/fs/cgroup:/sys/fs/cgroup:rw]
+    cgroupns_mode: host
+    privileged: true
+provisioner:
+  name: ansible
+  log: true
+  options:
+    vvv: true
+verifier:
+  name: ansible
+# lint: |
+#   set -e
+#   yamllint .
+#   ansible-lint
+#   flake8

molecule/http_direct/verify.yml

@@ -0,0 +1,9 @@
+---
+# This is an example playbook to execute Ansible tests.
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Example assertion
+      ansible.builtin.assert:
+        that: true

molecule/requirements.yml

@@ -0,0 +1,6 @@
+---
+collections:
+  - name: ansible.posix
+  - name: community.general
+  - name: community.docker
+roles: []

molecule/yamllint.yml

@@ -0,0 +1,16 @@
+---
+extends: default
+ignore: .cache
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  comments-indentation: disable
+  document-start: disable
+  line-length: disable
+  truthy:
+    allowed-values: [yes, on, 'true', 'True', no, off, 'false', 'False']
+    check-keys: false

requirements.txt

@@ -0,0 +1,6 @@
+ansible-core<2.17
+ansible-compat<4
+molecule[docker]<5.0.0
+ansible-lint==6.16.2
+yamllint==1.32.0
+passlib==1.7.4

tasks/Debian-register.yml

@@ -0,0 +1,47 @@
+---
+- block:
+    - name: Register with CheckMK Update Server
+      shell: |
+        cmk-update-agent register -H {{ instance_name | default(inventory_hostname) }} \
+        --user {{ cmk_username }} \
+        --secret {{ cmk_secret }}
+      changed_when: false
+      notify: remove agent
+      tags: cmk_register
+    - name: Check-In with server
+      shell: |
+        cmk-update-agent -v
+      changed_when: false
+      notify: remove agent
+      tags: cmk_register
+  rescue:
+    - name: Gather facts of packages
+      package_facts:
+        manager: auto
+      tags: cmk_register
+    - name: Ensure check_mk_agent installed (again)
+      package:
+        deb: /tmp/check-mk-agent.deb
+        state: present
+        allow_unauthenticated: true
+      notify: [restart xinetd, ensure firewall open]
+      when: "'check-mk-agent' not in ansible_facts.packages"
+      tags: cmk_register
+    - name: Gather facts of packages (again)
+      package_facts:
+        manager: auto
+      tags: cmk_register
+    - name: Register with CheckMK Update Server (retry)
+      shell: |
+        cmk-update-agent register -H {{ instance_name | default(inventory_hostname) }} --user {{ cmk_username }} \
+        --secret {{ cmk_secret }}
+      changed_when: false
+      when: "'check-mk-agent' in ansible_facts.packages"
+      notify: remove agent
+      tags: cmk_register
+    - name: Check-In with server
+      shell: |
+        cmk-update-agent -v
+      changed_when: false
+      notify: remove agent
+      tags: cmk_register

tasks/Debian.yml

@@ -0,0 +1,83 @@
+---
+# Tasks for installation on RedHat Family
+- name: Ensure xinetd installed
+  package:
+    name: xinetd
+    state: present
+  notify: restart xinetd
+- name: Ensure python openssl available
+  package:
+    name: python3-openssl,python3-requests
+    state: present
+- name: Fix SeLinux Auto-Updates
+  when: ansible_selinux|bool
+  tags: selinux-pre
+  block:
+    - name: list installed selinux modules
+      command: /usr/sbin/semodule -l
+      register: installed_mods
+    - name: check_mk_mod_installed
+      set_fact:
+        cmk_mod_installed: true
+      when: '"checkmk-agent-autoupgrade" in installed_mods.stdout'
+    - name: copy file
+      copy:
+        src: files/checkmk-agent-autoupgrade.pp
+        dest: /tmp/checkmk-agent-autoupgrade.pp
+      when: cmk_mod_installed is not defined
+    - name: install the module
+      command: /usr/sbin/semodule -i /tmp/checkmk-agent-autoupgrade.pp
+      when: cmk_mod_installed is not defined
+      notify: remove selinux policy file
+
+- name: Gather facts of packages
+  package_facts:
+    manager: auto
+- name: Remove check-mk if force install
+  package:
+    name: check-mk-agent
+    state: absent
+  when: cmk_force_install and 'check-mk-agent' in ansible_facts.packages
+- name: Re-check check-mk-agent status
+  package_facts:
+    manager: auto
+  when: cmk_force_install
+
+# Download agent by samba share
+- include_tasks: downloads/samba/main.yml
+  when: cmk_download_mode == 'samba'
+
+- name: Copy installer to node
+  copy:
+    src: /tmp/dls/{{ cmk_installer }}
+    dest: /tmp/check-mk-agent.deb
+
+- name: Install check-mk-agent
+  when: "'check-mk-agent' not in ansible_facts.packages or cmk_force_install"
+  tags: [check_mk_agent]
+  block:
+    - name: Check if check-mk-agent is present on server
+      stat:
+        path: /tmp/check-mk-agent.deb
+      register: cmkdeb
+    - name: Download the agent from Server
+      get_url:
+        url: '{{ cmk_deb_agent }}{{ cmk_auth }}'
+        dest: /tmp/check-mk-agent.deb
+        validate_certs: false
+      when: not cmkdeb.stat.exists and cmk_dl_needs_auth|bool
+    - name: Download the agent from Server
+      get_url:
+        url: '{{ cmk_deb_agent }}'
+        dest: /tmp/check-mk-agent.deb
+        validate_certs: false
+      when: not cmkdeb.stat.exists and not cmk_dl_needs_auth|bool
+    - name: Ensure check_mk_agent installed
+      package:
+        deb: /tmp/check-mk-agent.deb
+        state: present
+        allow_unauthenticated: true  # Not gpg signed so bypass the check
+      notify:
+        - restart xinetd
+        - cmk fresh install
+        - ensure firewall open (debian)

tasks/RedHat-register.yml

@@ -0,0 +1,64 @@
+---
+- when: cmk_add_host
+  block:
+    - name: Register with CheckMK Update Server
+      shell: |
+        cmk-update-agent register -H {{ instance_name | default(inventory_hostname) }} \
+        --user {{ cmk_username }} \
+        --secret {{ cmk_secret }}
+      changed_when: false
+      notify: remove agent
+      tags: cmk_register
+    - name: Check-In with server
+      shell: |
+        cmk-update-agent -v
+      changed_when: false
+      notify: remove agent
+      tags: cmk_register
+  rescue:
+    - name: Gather facts of packages
+      package_facts:
+        manager: auto
+      tags: cmk_register
+    - name: Check if dnf package manager is installed
+      command: which dnf
+      register: dnf_check
+      ignore_errors: true
+    - name: Ensure check_mk_agent installed (again) with dnf
+      package:
+        name: /tmp/check-mk-agent.rpm
+        state: latest
+        disable_gpg_check: true
+      notify: [restart xinetd, ensure firewall open]
+      when:
+        - "'check-mk-agent' not in ansible_facts.packages"
+        - dnf_check.rc == 0
+      tags: cmk_register
+    - name: Ensure check_mk_agent installed (again) with yum
+      package:
+        name: /tmp/check-mk-agent.rpm
+        state: latest
+        skip_gpg_check: true
+      notify: [restart xinetd, ensure firewall open]
+      when:
+        - "'check-mk-agent' not in ansible_facts.packages"
+        - dnf_check.rc != 0
+      tags: cmk_register
+    - name: Gather facts of packages (again)
+      package_facts:
+        manager: auto
+      tags: cmk_register
+    - name: Register with CheckMK Update Server (retry)
+      shell: |
+        cmk-update-agent register -H {{ instance_name | default(inventory_hostname) }} --user {{ cmk_username }} \
+        --secret {{ cmk_secret }}
+      changed_when: false
+      when: "'check-mk-agent' in ansible_facts.packages"
+      notify: remove agent
+      tags: cmk_register
+    - name: Check-In with server
+      shell: |
+        cmk-update-agent -v
+      changed_when: false
+      notify: remove agent
+      tags: cmk_register

tasks/RedHat.yml

@@ -0,0 +1,85 @@
+---
+# Tasks for installation on RedHat Family
+- name: Ensure xinetd installed
+  package:
+    name: xinetd
+    state: present
+  notify: restart xinetd
+  when: ansible_distribution_major_version != '9'
+- name: Start xinetd
+  service:
+    name: xinetd
+    state: started
+  when: ansible_distribution_major_version != '9'
+- name: Fix SeLinux Auto-Updates
+  when: ansible_selinux|bool
+  tags: selinux-pre
+  block:
+    - name: list installed selinux modules
+      command: /usr/sbin/semodule -l
+      register: installed_mods
+    - name: check_mk_mod_installed
+      set_fact:
+        cmk_mod_installed: true
+      when: '"checkmk-agent-autoupgrade" in installed_mods.stdout'
+    - name: copy file
+      copy:
+        src: files/checkmk-agent-autoupgrade.pp
+        dest: /tmp/checkmk-agent-autoupgrade.pp
+      when: cmk_mod_installed is not defined
+    - name: install the module
+      command: /usr/sbin/semodule -i /tmp/checkmk-agent-autoupgrade.pp
+      when: cmk_mod_installed is not defined
+      notify: remove selinux policy file
+
+- name: Gather facts of packages
+  package_facts:
+    manager: auto
+- name: Remove check-mk if force install
+  package:
+    name: check-mk-agent
+    state: absent
+  when: cmk_force_install and 'check-mk-agent' in ansible_facts.packages
+- name: Re-check check-mk-agent status
+  package_facts:
+    manager: auto
+  when: cmk_force_install
+
+# Download agent by samba share
+- include_tasks: downloads/samba/main.yml
+  when: cmk_download_mode == 'samba'
+- name: Copy installer to node
+  when: cmk_download_mode == 'samba'
+  copy:
+    src: /tmp/dls/{{ cmk_installer }}
+    dest: /tmp/check-mk-agent.rpm
+
+- name: Install check-mk-agent
+  when: "'check-mk-agent' not in ansible_facts.packages or cmk_force_install"
+  tags: [check_mk_agent]
+  block:
+    - name: Check if check-mk-agent is present on server
+      stat:
+        path: /tmp/check-mk-agent.rpm
+      register: cmkrpm
+    - name: Download the agent from Server
+      get_url:
+        url: '{{ cmk_rpm_agent }}{{ cmk_auth }}'
+        dest: /tmp/check-mk-agent.rpm
+        validate_certs: false
+      when: not cmkrpm.stat.exists and cmk_dl_needs_auth|bool
+    - name: Download the agent from Server
+      get_url:
+        url: '{{ cmk_rpm_agent }}'
+        dest: /tmp/check-mk-agent.rpm
+        validate_certs: false
+      when: not cmkrpm.stat.exists and not cmk_dl_needs_auth|bool
+    - name: Ensure check_mk_agent installed
+      package:
+        name: /tmp/check-mk-agent.rpm
+        state: latest
+        disable_gpg_check: true  # Not gpg signed so bypass the check
+      notify:
+        - restart xinetd
+        - cmk fresh install
+        - ensure firewall open (rhel)

tasks/Windows-register.yml

@@ -0,0 +1,8 @@
+---
+- name: Register with CheckMK Update Server
+  win_shell: |
+    C:\ProgramData\checkmk\agent\plugins\cmk-update-agent.exe register `
+    -H $env:computername `
+    --user {{ cmk_username }} `
+    --secret {{ cmk_secret }}
+  tags: cmk_register

tasks/Windows.yml

@@ -0,0 +1,28 @@
+---
+- name: Ensure temp dir exists
+  win_file:
+    path: c:/temp/
+    state: directory
+- name: Obtain information about a file
+  win_stat:
+    path: c:/temp/check-mk-agent.msi
+  register: cmkmsi
+- name: Retrieve copy of agent
+  win_get_url:
+    url: '{{ cmk_msi_agent }}{{ cmk_auth }}'
+    dest: c:/temp/check-mk-agent.msi
+  changed_when: false
+  when: not cmkmsi.stat.exists
+- name: Ensure agent is installed
+  win_package:
+    path: c:/temp/check-mk-agent.msi
+  ignore_errors: true
+- name: Firewall rule to allow check_mk_agent on TCP port 6556
+  win_firewall_rule:
+    name: check_mk_agent
+    enabled: true
+    state: present
+    localport: 6556
+    action: allow
+    direction: in
+    protocol: tcp

tasks/downloads/samba/main.yml

@@ -0,0 +1,53 @@
+---
+# These tasks will ensure the control node has the correct packages
+# for talking Samba.  And then download the required package files.
+# Note: This is only to pull them to the control node.
+#
+# Still needs to be pushed to the guest
+- name: Ensure Samba-related packages are installed.
+  package:
+    name: '{{ item }}'
+    state: present
+  become: true
+  with_items: [samba-client, cifs-utils]
+  delegate_to: localhost
+- name: Ensure download path is present
+  file:
+    path: /tmp/dls
+    state: directory
+  delegate_to: localhost
+- name: Set Facts
+  set_fact:
+    cmk_download_new: "{{ (cmk_download_path + '/' + cmk_installer) | reslash }}"
+- name: Some Vars for debuggery
+  vars:
+    msg: |
+      CMK Download Path: {{ cmk_download_path }}
+      CMK Download Full: {{ cmk_download_new }}
+      CMK Installer: {{ cmk_installer }}
+      Username: {{ cmk_smb_username }}
+      Password: {{ cmk_smb_password }}
+  debug:
+    msg: "{{ msg.split('\n') }}"
+  when: cmk_debug
+- name: Copy archive from samba_share. (No-Log)
+  command: >
+    smbget 'smb:{{ (cmk_download_path + '/' + cmk_installer) | reslash }}' -U
+    '{{ cmk_smb_username }}%{{ cmk_smb_password }}'
+  args:
+    chdir: /tmp/dls
+    creates: /tmp/dls/{{ cmk_installer }}
+    warn: false  # Don't warn of other modules.  I want to use smbget ;)
+  no_log: true  # Turn off logging due to password exposure
+  when: not cmk_debug | bool
+  delegate_to: localhost
+- name: Copy archive from samba_share. (Debug)
+  command: >
+    smbget 'smb:{{ (cmk_download_path + '/' + cmk_installer) | reslash }}' -U '{{ cmk_smb_username | trim }}%{{ cmk_smb_password | trim }}
+  args:
+    chdir: /tmp/dls
+    creates: /tmp/dls/{{ cmk_installer }}
+    warn: false  # Don't warn of other modules.  I want to use smbget ;)
+  no_log: false  # Turn off logging due to password exposure
+  when: cmk_debug | bool
+  delegate_to: localhost

tasks/host-configure.yml

@@ -0,0 +1,62 @@
+---
+- name: cmk_discovery
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=discover_services&mode=refresh{{
+      cmk_auth }}'
+    body: request={"hostname":"{{ instance_name | default(inventory_hostname) }}"}
+    body_format: raw
+    status_code: 200
+    validate_certs: false
+    follow_redirects: true
+  become: false
+  when: cmk_add_host and output.result_code == 0
+  delegate_to: localhost
+  tags: cmk_register
+- name: cmk_apply
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=activate_changes&mode=specific{{
+      cmk_auth }}'
+    body: request={"sites":["{{ cmk_omd_site }}"]}
+    body_format: raw
+    status_code: 200
+    validate_certs: false
+    follow_redirects: true
+  become: false
+  run_once: true
+  when: cmk_add_host and output.result_code == 0
+  delegate_to: localhost
+  tags: cmk_register
+- name: Wait some time
+  pause:
+    seconds: 10
+- name: cmk_discovery x 2
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=discover_services&mode=refresh{{
+      cmk_auth }}'
+    body: request={"hostname":"{{ instance_name | default(inventory_hostname) }}"}
+    body_format: raw
+    status_code: 200
+    validate_certs: false
+    follow_redirects: true
+  become: false
+  when: cmk_add_host and output.result_code == 0
+  delegate_to: localhost
+  tags: cmk_register
+- name: cmk_apply
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=activate_changes&mode=specific{{
+      cmk_auth }}'
+    body: request={"sites":["{{ cmk_omd_site }}"]}
+    body_format: raw
+    status_code: 200
+    validate_certs: false
+    follow_redirects: true
+  become: false
+  run_once: true
+  when: cmk_add_host and output.result_code == 0
+  delegate_to: localhost
+  tags: cmk_register

tasks/host-management.yml

@@ -0,0 +1,34 @@
+---
+- name: Retrieve checkmk version
+  uri:
+    method: GET
+    headers:
+      Authorization: Bearer {{ cmk_username }} {{ cmk_secret }}
+      Accept: application/json
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/api/1.0/version'
+    return_content: true
+  register: cmk_output
+- name: Set facts # noqa jinja[spacing]
+  set_fact:
+    cmk_major: "{{ cmk_output.json.versions.checkmk | regex_search('(?P<major>\\\
+      d+)\\.(?P<minor>\\d+).(?P<patch>[\\d\\w]+).(?P<edition>[\\d\\w]+)','\\g<major>') | first | int }}"
+    cmk_minor: "{{ cmk_output.json.versions.checkmk |regex_search('(?P<major>\\\
+      d+)\\.(?P<minor>\\d+).(?P<patch>[\\d\\w]+).(?P<edition>[\\d\\w]+)', '\\g<minor>') | first |int }}"
+    cmk_patch: "{{ cmk_output.json.versions.checkmk | regex_search('(?P<major>\\\
+      d+)\\.(?P<minor>\\d+).(?P<patch>[\\d\\w]+).(?P<edition>\\w+)', '\\g<patch>') | first }}"
+    cmk_edition: "{{ cmk_output.json.versions.checkmk | regex_search('(?P<major>\\\
+      d+)\\.(?P<minor>\\d+).(?P<patch>[\\d\\w]+).(?P<edition>\\w+)','\\g<edition>') | first }}"
+- name: Output vars
+  debug:
+    var: '{{ item }}'
+  with_items: [cmk_major, cmk_minor, cmk_patch, cmk_edition]
+- include_tasks: host-management/legacy.yml
+  when: >
+    cmk_add_host and
+    (cmk_major | int <= 2 and
+    cmk_minor | int < 2 or  cmk_force_install)
+- include_tasks: host-management/modern.yml
+  when: >-
+    cmk_add_host and
+    (cmk_major | int >= 2 and
+    cmk_minor | int >= 2 or  cmk_force_install)

tasks/host-management/legacy.yml

@@ -0,0 +1,52 @@
+---
+- name: add host to omd (legacy)
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=add_host{{
+      cmk_auth }}'
+    body: |
+      request={
+        "attributes": {
+        "tag_criticality": "prod",
+        "tag_agent": "cmk-agent",
+        "ipaddress": "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+      },
+      "folder": "{{ cmk_folder | default('Unsorted') }}",
+      "hostname": "{{ inventory_hostname | upper }}"
+      }
+    body_format: raw
+    return_content: true
+  register: res
+  become: false
+  delegate_to: localhost
+  when: >
+    cmk_add_host
+- name: Parse result
+  set_fact:
+    output: '{{ res.content | from_json }}'
+  when: cmk_add_host
+- name: cmk_discovery (legacy)
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=discover_services&mode=refresh{{
+      cmk_auth }}'
+    body: request={"hostname":"{{ inventory_hostname }}"}
+    body_format: raw
+    status_code: 200
+  become: false
+  when: >
+    cmk_add_host and  output.result_code == 0 or  cmk_force_install
+  delegate_to: localhost
+- name: cmk_apply (legacy)
+  uri:
+    method: POST
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/webapi.py?action=activate_changes&mode=specific{{
+      cmk_auth }}'
+    body: request={"sites":["{{ cmk_omd_site }}"]}
+    body_format: raw
+    status_code: 200
+  become: false
+  run_once: true
+  when: >
+    output.result_code == 0 or  cmk_force_install
+  delegate_to: localhost

tasks/host-management/modern.yml

@@ -0,0 +1,115 @@
+---
+- name: add host to omd (new)
+  uri:
+    method: POST
+    headers:
+      Authorization: Bearer {{ cmk_username }} {{ cmk_secret }}
+      Accept: application/json
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/api/1.0/domain-types/host_config/collections/all'
+    body:
+      folder: "{{ cmk_folder | default('~Unsorted') }}"
+      host_name: '{{ inventory_hostname | upper }}'
+      attributes:
+        tag_criticality: prod
+        tag_agent: cmk-agent
+        ipaddress: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+    body_format: json
+    return_content: true
+    status_code: [200, 400]
+  register: res
+  become: false
+  delegate_to: localhost
+  when: >
+    cmk_add_host and  cmk_major | int >= 2 and  cmk_minor | int >= 2
+- name: Parse result
+  set_fact:
+    output: '{{ res.content | from_json }}'
+  when: cmk_add_host
+- name: Host exists fetch etag (new)  # noqa command-instead-of-module
+  shell: |
+    curl \
+    -G \
+    -i \
+    --request GET \
+    --write-out "\nxxx-status_code=%{http_code}\n" \
+    --header "Authorization: Bearer {{ cmk_username }} {{ cmk_secret }}" \
+    --header "Accept: application/json" \
+    "{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/api/v0/objects/host_config/{{ inventory_hostname | upper }}"
+  register: res
+  become: false
+  delegate_to: localhost
+  when: >
+    cmk_add_host and  (cmk_major | int >= 2 and  cmk_minor | int >= 2) and
+    (output.status == 400 and output.fields.host_name | first | regex_search('already
+    exists.$'))
+- debug:
+    var: res
+- name: Unpick response
+  set_fact:
+    etag: "{{ res.stdout | regex_search('.*etag:.\"(?P<etag>.+)\".*', '\\g<etag>') | first }}"
+  when: >
+    cmk_add_host and  (cmk_major | int >= 2 and  cmk_minor | int >= 2) and
+    (output.status == 400 and output.fields.host_name | first | regex_search('already
+    exists.$'))
+- name: Update host as already exists? (new)
+  uri:
+    method: PUT
+    headers:
+      Authorization: Bearer {{ cmk_username }} {{ cmk_secret }}
+      Accept: application/json
+      If-Match: '{{ etag }}'
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/api/v0/objects/host_config/{{
+      inventory_hostname | upper }}'
+    body:
+      update_attributes:
+        ipaddress: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+    body_format: json
+    return_content: true
+    status_code: [200]
+  register: res
+  become: false
+  delegate_to: localhost
+  when: >
+    cmk_add_host and  (cmk_major | int >= 2 and  cmk_minor | int >= 2) and
+    (output.status == 400 and output.fields.host_name | first | regex_search('already
+    exists.$'))
+- name: Parse result
+  set_fact:
+    output: '{{ res.content | from_json }}'
+  when: cmk_add_host
+- name: cmk_discovery (new)
+  uri:
+    method: POST
+    headers:
+      Authorization: Bearer {{ cmk_username }} {{ cmk_secret }}
+      Accept: application/json
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/api/1.0/domain-types/service_discovery_run/actions/start/invoke'
+    body:
+      host_name: '{{ inventory_hostname | upper }}'
+      mode: refresh
+    body_format: json
+    status_code: [200, 302]
+  become: false
+  when: >
+    cmk_add_host and  cmk_major | int >= 2 and
+    cmk_minor | int >= 2 or
+    cmk_force_install
+  delegate_to: localhost
+- name: cmk_apply (new)
+  uri:
+    method: POST
+    headers:
+      Authorization: Bearer {{ cmk_username }} {{ cmk_secret }}
+      Accept: application/json
+    url: '{{ cmk_omd_protocol }}://{{ cmk_omd_host }}/{{ cmk_omd_site }}/check_mk/api/1.0/domain-types/activation_run/actions/activate-changes/invoke'
+    body:
+      redirect: 'False'
+      sites: ['{{ cmk_omd_site }}']
+      force_foreign_changes: 'False'
+    body_format: json
+    status_code: 200
+  become: false
+  run_once: true
+  when: >
+    cmk_add_host and  cmk_major | int >= 2 and  cmk_minor | int >= 2 and  cmk_force_install
+  delegate_to: localhost

tasks/main.yml

@@ -0,0 +1,17 @@
+---
+# tasks file for ansible-role-cmk-agent
+
+# Include OS Variables
+- include_vars: '{{ ansible_os_family }}.yml'
+- include_tasks: '{{ ansible_os_family }}.yml'
+- meta: flush_handlers
+
+# Add host to checkmk
+- include_tasks: host-management.yml
+  when: cmk_fresh_install
+# Register for automatic agent updates
+- include_tasks: '{{ ansible_os_family }}-register.yml'
+  when: cmk_fresh_install
+# Finalize things and collect all available services
+- include_tasks: host-configure.yml
+  when: cmk_fresh_install

vars/Debian.yml

@@ -0,0 +1,3 @@
+---
+cmk_os_family: linux
+cmk_installer: '{{ cmk_deb_agent }}'

vars/RedHat.yml

@@ -0,0 +1,3 @@
+---
+cmk_os_family: linux
+cmk_installer: '{{ cmk_rpm_agent }}'

vars/Windows.yml

@@ -0,0 +1,3 @@
+---
+cmk_os_family: windows
+cmk_installer: '{{ cmk_msi_agent }}'

vars/main.yml

@@ -0,0 +1,2 @@
+---
+...