From 1032c4aec76c211b935cb21642bebaffeda3ae5d Mon Sep 17 00:00:00 2001
From: Victor LABORIE <vlaborie@evolix.fr>
Date: Fri, 9 Jun 2017 12:37:58 +0200
Subject: [PATCH] ipsec: add nrpe check

---
 ipsec/files/check_ipsecctl.sh       | 23 +++++++++++++++++++++++
 ipsec/files/check_ipsecctl_multi.sh | 29 +++++++++++++++++++++++++++++
 ipsec/tasks/main.yml                | 23 +++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 ipsec/files/check_ipsecctl.sh
 create mode 100644 ipsec/files/check_ipsecctl_multi.sh

diff --git a/ipsec/files/check_ipsecctl.sh b/ipsec/files/check_ipsecctl.sh
new file mode 100644
index 00000000..4cdeaa94
--- /dev/null
+++ b/ipsec/files/check_ipsecctl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+IPSECCTL="/sbin/ipsecctl -s sa"
+STATUS=0
+
+LINE1=`$IPSECCTL | grep "from $1 to $2" `
+if [ $? -eq 1 ]; then
+        STATUS=2;
+        OUTPUT1="No VPN from $1 to $2 "
+fi
+
+LINE2=`$IPSECCTL | grep "from $2 to $1" `
+if [ $? -eq 1 ]; then
+        STATUS=2;
+        OUTPUT2="No VPN from $2 to $1"
+fi
+
+if [ $STATUS -eq 0 ]; then
+        echo "VPN OK - $3 is up"
+        exit $STATUS
+else
+        echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
+        exit $STATUS
+fi
diff --git a/ipsec/files/check_ipsecctl_multi.sh b/ipsec/files/check_ipsecctl_multi.sh
new file mode 100644
index 00000000..09cf6aa2
--- /dev/null
+++ b/ipsec/files/check_ipsecctl_multi.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
+STATUS=0
+VPN_KO=""
+
+default_int=$(route -n show|grep default|awk '{ print $8 }')
+default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }')
+
+for vpn in $(ls /etc/ipsec/); do
+        vpn=$(basename $vpn .conf)
+        local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+        ifconfig|grep -q $local_ip
+        [ $? -ne 0 ] && local_ip=$default_ip
+        remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+        $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
+        if [ $? -ne 0 ]; then
+            STATUS=2
+            VPN_KO="$VPN_KO $vpn"
+        fi
+done
+
+if [ $STATUS -eq 0 ]; then
+    echo "ALL VPN(s) UP(s)"
+    exit 0
+else
+    echo "VPN(s) down(s) :$VPN_KO"
+    exit 2
+fi
diff --git a/ipsec/tasks/main.yml b/ipsec/tasks/main.yml
index 2445529b..e69f3b1a 100644
--- a/ipsec/tasks/main.yml
+++ b/ipsec/tasks/main.yml
@@ -18,6 +18,29 @@
   tags:
   - ipsec
 
+- name: Deploy nrpe scripts
+  copy:
+    src: "{{ item }}"
+    dest: /usr/local/libexec/nagios/
+    mode: "0755" 
+  with_items:
+  - 'check_ipsecctl.sh'
+  - 'check_ipsecctl_multi.sh'
+  tags:
+  - ipsec
+
+- name: Add sudo right to _nrpe for check ipsecctl
+  lineinfile:
+    dest: /etc/sudoers
+    line: "{{ item }}"
+    state: present
+    validate: "visudo -cf %s" 
+  with_items:
+  - "_nrpe  ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
+  - "_nrpe  ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
+  tags:
+  - ipsec
+
 - name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
   template:
     src: ipsec.conf.j2