Add choice of service user (1/2)

Donien · Donien · commit 406260d278ec · 2025-10-22T21:55:49.000+02:00
Password in case of non-service account still needed
diff --git a/roles/ifw/README.md b/roles/ifw/README.md
@@ -56,6 +56,10 @@ Table of contents:
   Components installed but not present within this list will be removed.  
   Default: `[ { name: "plugins", state: "present" }, { name: "agent", state: "present" } ]`
 
+- `ifw_icinga2_user: string`  
+   The user Icinga 2 runs as. This user is only used if `ifw_jea_managed_user=false`.  
+   Default: `NT Authority\NetworkService`
+
 - `ifw_icinga2_ca_host: string`  
   The Ansible inventory hostname of your Icinga 2 CA host (master).  
   This variable is used to sign the certificate for your Windows host using delegated tasks.  
@@ -112,6 +116,7 @@ Table of contents:
   Whether to install the Icinga for Windows JEA profile.  
   If `ifw_jea_managed_user=false`, the JEA will profile will be created and registered.  
   If `ifw_jea_managed_user=true`, the service user 'icinga' will also be created to run Icinga for Windows as.  
+  If both `ifw_jea_install=true` and `ifw_jea_managed_user=true`, `ifw_icinga2_user` will essentially be ignored.  
   [Read more about Icinga for Windows and JEA](https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/).  
   Default: `true`
 
diff --git a/roles/ifw/defaults/main.yml b/roles/ifw/defaults/main.yml
@@ -14,13 +14,15 @@ ifw_components:
   - name: "agent"
     state: "present"
 
+ifw_icinga2_user: "NT Authority\\NetworkService"
 ifw_icinga2_ca_host:
 ifw_connection_direction: "fromagent"
 ifw_force_newcert: false
 ifw_icinga2_cn: "{{ inventory_hostname }}"
 ifw_icinga2_port: 5665
 ifw_icinga2_global_zones: []
 
+
 ifw_jea_install: true
 ifw_jea_managed_user: true
 
diff --git a/roles/ifw/meta/argument_specs.yml b/roles/ifw/meta/argument_specs.yml
@@ -89,6 +89,12 @@ argument_specs:
               - The version of the component to be installed / removed.
             type: str
             required: false
+      ifw_icinga2_user:
+        description:
+          - The user Icinga 2 runs as. This user is only used if O(ifw_jea_managed_user=false).
+        type: str
+        required: false
+        default: "NT Authority\\NetworkService"
       ifw_icinga2_ca_host:
         description:
           - The Ansible C(inventory_hostname) of your Icinga 2 CA host (master).
@@ -168,8 +174,9 @@ argument_specs:
       ifw_jea_install:
         description:
           - Whether to install the Icinga for Windows JEA profile.
-            If O(ifw_jea_managed_user=false), the JEA will profile will be created and registered.
+            If O(ifw_jea_managed_user=false), the JEA will profile will be created and registered for the user running Icinga for Windows (O(ifw_icinga2_user) by default).
             If O(ifw_jea_managed_user=true), the service user 'icinga' will also be created to run Icinga for Windows as.
+            If both O(ifw_jea_install=true) and O(ifw_jea_managed_user=true), O(ifw_icinga2_user) will essentially be ignored.
             L(Read more about Icinga for Windows and JEA, https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/).
         type: bool
         required: false
diff --git a/roles/ifw/tasks/configure_icinga2.yml b/roles/ifw/tasks/configure_icinga2.yml
@@ -102,6 +102,7 @@
     _current_ca_server: "{{ _framework_config_live['IfW-CAServer']['Values'][0] | default(none) }}"
     _current_global_zones: "{{ _framework_config_live['IfW-CustomZones']['Values'] }}"
     _current_cn: "{{ _framework_config_live['IfW-CustomHostname']['Values'][0] }}"
+    _current_agent_user: "{{ _framework_config_live['IfW-AgentUser']['Values'][0] }}"
     _current_port: "{{ _framework_config_live['IfW-Port']['Values'][0] | default(none) }}"
     _current_parent_zone: "{{ _framework_config_live['IfW-ParentZone']['Values'][0] | default(none) }}"
     _current_parents: "{{ _framework_config_live['IfW-ParentNodes']['Values'] }}"
@@ -122,6 +123,7 @@
       - (_current_ca_server | default(true, true)) == (_ifw_ca_server)
       - _current_global_zones == ifw_icinga2_global_zones
       - _current_cn == ifw_icinga2_cn
+      - _current_agent_user == ifw_icinga2_user
       - (_current_port | int) == (ifw_icinga2_port | int)
       - _current_parent_zone == ifw_icinga2_parent_zone
       - _current_parents == (ifw_icinga2_parents | map(attribute='cn'))
diff --git a/roles/ifw/templates/windows/icinga_install_command.j2 b/roles/ifw/templates/windows/icinga_install_command.j2
@@ -90,6 +90,12 @@
       "{{ ifw_icinga2_cn }}"
     ]
   },
+  "IfW-AgentUser": {
+    "Values": [
+      {# Ensure single backslash becomes double backslash. InstallCommand fails otherwise #}
+      "{{ ifw_icinga2_user | replace('\\', '\\\\') }}"
+    ]
+  },
   "IfW-InstallApiChecks": {
     {# 0 -> Don't install IfW Api Check Forwarder #}
     "Selection": "0"
