Add JEA installation

Author: Donien

roles/ifw/README.md

@@ -90,7 +90,7 @@ Table of contents:
   Default: `[]`
 
 - `ifw_icinga2_parents: list of dictionaries`  
-  Here you can specify the parent endpoint(s) of your host's parent zone (O(ifw_icinga2_parent_zone)).  
+  Here you can specify the parent endpoint(s) of your host's parent zone (`ifw_icinga2_parent_zone`).  
   You can specify each parent's `cn`, its `host` attribute and the `port` on which it listens. The `cn` attribute is **required**.  
   Default: `none`  
   Example:
@@ -108,6 +108,17 @@ Table of contents:
   The name of your parent(s) zone.  
   Default: `none`
 
+- `ifw_jea_install: boolean`  
+  Whether to install the Icinga for Windows JEA profile.  
+  If `ifw_jea_managed_user=false`, the JEA will profile will be created and registered.  
+  If `ifw_jea_managed_user=true`, the service user 'icinga' will also be created to run Icinga for Windows as.  
+  [Read more about Icinga for Windows and JEA](https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/).  
+  Default: `true`
+
+- `ifw_jea_managed_user: boolean`  
+  Whether to use the Icinga for Windows service user 'icinga' when `ifw_jea_install=true`.  
+  Default: `true`
+
 ### Getting a Certificate
 
 If neither `ifw_icinga2_ca_host` nor `ifw_icinga2_ticket` is specified, your target host will connect to the first parent in `ifw_icinga2_parents` and file a CSR. This needs to be signed manually afterwards.

roles/ifw/defaults/main.yml

@@ -7,6 +7,8 @@ ifw_framework_path:
 ifw_repositories: []
 
 ifw_components:
+  - name: "service"
+    state: "present"
   - name: "plugins"
     state: "present"
   - name: "agent"
@@ -18,3 +20,6 @@ ifw_force_newcert: false
 ifw_icinga2_cn: "{{ inventory_hostname }}"
 ifw_icinga2_port: 5665
 ifw_icinga2_global_zones: []
+
+ifw_jea_install: true
+ifw_jea_managed_user: true

roles/ifw/meta/argument_specs.yml

@@ -64,6 +64,8 @@ argument_specs:
         elements: dict
         required: false
         default:
+          - name: "service"
+            state: "present"
           - name: "plugins"
             state: "present"
           - name: "agent"
@@ -163,3 +165,18 @@ argument_specs:
           - The name of the Icinga 2 parent(s) zone.
           - *icinga2_requirements
         type: list
+      ifw_jea_install:
+        description:
+          - Whether to install the Icinga for Windows JEA profile.
+            If O(ifw_jea_managed_user=false), the JEA will profile will be created and registered.
+            If O(ifw_jea_managed_user=true), the service user 'icinga' will also be created to run Icinga for Windows as.
+            L(Read more about Icinga for Windows and JEA, https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/).
+        type: bool
+        required: false
+        default: true
+      ifw_jea_managed_user:
+        description:
+          - Whether to use the Icinga for Windows service user 'icinga' when O(ifw_jea_install=true).
+        type: bool
+        required: false
+        default: true

roles/ifw/tasks/configure_icinga2.yml

@@ -101,11 +101,13 @@
   ansible.builtin.set_fact:
     _current_ca_server: "{{ _framework_config_live['IfW-CAServer']['Values'][0] | default(none) }}"
     _current_global_zones: "{{ _framework_config_live['IfW-CustomZones']['Values'] }}"
+    _current_cn: "{{ _framework_config_live['IfW-CustomHostname']['Values'][0] }}"
     _current_port: "{{ _framework_config_live['IfW-Port']['Values'][0] | default(none) }}"
     _current_parent_zone: "{{ _framework_config_live['IfW-ParentZone']['Values'][0] | default(none) }}"
     _current_parents: "{{ _framework_config_live['IfW-ParentNodes']['Values'] }}"
     _current_parents0: "{{ _framework_config_live['IfW-ParentAddress:' + ifw_icinga2_parents[0].cn]['Values'][0] | default(none) }}"
     _current_parents1: "{{ (_framework_config_live['IfW-ParentAddress:' + ifw_icinga2_parents[1].cn]['Values'][0] if ifw_icinga2_parents | length > 1 else none) | default(none) }}" # noqa: yaml[line-length]
+    _current_jea: "{{ _framework_config_live['IfW-InstallJEAProfile']['Selection'] }}"
 
 - name: Check whether requested and existing configuration is identical
   failed_when: false
@@ -118,11 +120,15 @@
       - (_current_icinga_configuration.content | b64decode | from_json).Framework.Config.Live is defined
       - (_current_ca_server | default(true, true)) == (_ifw_ca_server)
       - _current_global_zones == ifw_icinga2_global_zones
+      - _current_cn == ifw_icinga2_cn
       - (_current_port | int) == (ifw_icinga2_port | int)
       - _current_parent_zone == ifw_icinga2_parent_zone
       - _current_parents == (ifw_icinga2_parents | map(attribute='cn'))
       - _current_parents0 == _parent0
       - (_current_parents1 == _parent1 if ifw_icinga2_parents | length > 1 else true)
+      - (_current_jea == "0" if (ifw_jea_install and not ifw_jea_managed_user) else true)
+      - (_current_jea == "1" if (ifw_jea_install and ifw_jea_managed_user) else true)
+      - (_current_jea == "2" if not ifw_jea_install else true)
     fail_msg: "Configuration needs an update"
     success_msg: "Configuration needs no update"
   register: _assertion_result

roles/ifw/templates/windows/icinga_install_command.j2

@@ -94,10 +94,18 @@
     {# 0 -> Don't install IfW Api Check Forwarder #}
     "Selection": "0"
   },
-  "IfW-AgentUser": {
-    {# TODO WIP - Define user to run service as #}
-    "Values": [
-      "NT Authority\\NetworkService"
-    ]
+  "IfW-InstallJEAProfile": {
+    {% if ifw_jea_install %}
+    {%   if not ifw_jea_managed_user %}
+    {# 0 Install JEA Profile #}
+    "Selection": "0"
+    {%   else %}
+    {# 1 Install JEA Profile with managed user "icinga" #}
+    "Selection": "1"
+    {%   endif %}
+    {% else %}
+    {# 2 Do not install JEA Profile #}
+    "Selection": "2"
+    {% endif %}
   }
 }