Prepare for icinga2_agent manifest

- move installation of Icinga2 and apt-pinnig to profiles::icinga2_common
- define a new API user for getting a PKI ticket

3 files changed, 52 insertions, 19 deletions

diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml
index e130454..7f95c82 100644
--- a/hieradata/nodes/monitor.yaml
+++ b/hieradata/nodes/monitor.yaml
@@ -58,6 +58,21 @@ profiles::icinga2_master::api_users:
         m6FAgCANdUSEzaa11dqzqKjYFQaOYamtjsYL36wa/PXdit5lhQ==]
       permissions:
         - "*"
+    -
+      username: client-pki-ticket
+      password: >
+        ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+        DQYJKoZIhvcNAQEBBQAEggEAjrore6zK7GJXbP9FZ6ORUWvpt7FS2fXHiwB+
+        ocTcmP7F8SnyCjYZ/a6S7eXPJVffZ6pZazozfUmW6HXOVFcSrZZdccEcZbFt
+        ZnQb9tp63BCHHGwqI/oj0jVdInaTXE1i4yQTjev/twzblmHIrEndfZnZzyAd
+        61cnYuv8og5p5pccGYYoXBcPcguB9KtspfYL/eEwD4xNvqF/QlkAEXKZ5o39
+        p9j24ao57Iwzy4o/dgI+MOr9NIMEtmXoIb3Ake3J7CaN26IuP22MTivFWf5p
+        1vlMA69snYOifTKIw76eNACYCz+KA87dWDNEsR2OtCCbQ2EA1nrAXTdlYWdE
+        RmIpGTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAs0An2QOnxac51GTU
+        gCG3gDAX0FOzW/oWi8c1PDIFb+0B4cTQRi9gP2fzugKu0bp0FBB7akZV6Zx0
+        T5GP0WQAzU0=]
+      permissions:
+        - "actions/generate-ticket"
 profiles::icinga2_master::ca_key: >
     ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEw
     DQYJKoZIhvcNAQEBBQAEggEAndhxooQI/m9cfD6jfWVHSce7ePzRwpt8F4qy
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
new file mode 100644
index 0000000..ac4001b
--- /dev/null
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -0,0 +1,35 @@
+# Class: profiles::icinga2_common
+# ===============================
+#
+# Common configuration code for Icinga2 agent and master setups.
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2019 Jan Dittberner
+class profiles::icinga2_common (
+) {
+  if $::lsbdistcodename == 'stretch' {
+    apt::pin { 'icinga2_backports':
+      packages => [
+        'icinga2',
+        'icinga2-bin',
+        'icinga2-common',
+        'icinga2-doc',
+        'icinga2-ido-pgsql',
+        'libicinga2',
+      ],
+      priority => 500,
+      release  => 'stretch-backports',
+      before   => Package['icinga2', 'icinga2-ido-pgsql'],
+    }
+    package { 'icinga2':
+      ensure => latest,
+    }
+  }
+}
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index e4f98cd..d1c26e7 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -55,6 +55,8 @@ class profiles::icinga2_master (
   String $host_certificate,
   String $host_csr,
 ) {
+  include 'profiles::icinga2_common'
+
   debconf { 'icinga2-ido-pgsql/pgsql/app-pass':
     package => 'icinga2-ido-pgsql',
     type    => 'password',
@@ -103,28 +105,9 @@ class profiles::icinga2_master (
     value   => 'true', # lint:ignore:quoted_booleans
     seen    => true,
   }
-  if $facts['os']['distro']['codename'] == 'stretch' {
-    apt::pin { 'icinga2_backports':
-      packages => [
-        'icinga2',
-        'icinga2-bin',
-        'icinga2-common',
-        'icinga2-doc',
-        'icinga2-ido-pgsql',
-        'libicinga2',
-      ],
-      priority => 500,
-      release  => 'stretch-backports',
-    }
-  }
-  package { 'icinga2':
-    ensure  => latest,
-    require => Apt::Pin['icinga2_backports'],
-  }
   package { 'icinga2-ido-pgsql':
     ensure  => latest,
     require => [
-      Apt::Pin['icinga2_backports'],
       Debconf['icinga2-ido-pgsql/pgsql/app-pass'],
       Debconf['icinga2-ido-pgsql/app-password-confirm'],
       Debconf['icinga2-ido-pgsql/remote/host'],