use fetch_secret for ceph secret

conf/includes/gl.conf.sh

@@ -24,16 +24,19 @@ export CEPHIP_mayon="192.168.1.254"
 export CEPHIP_pinatubo="192.168.1.253"
 export CEPHIP_ragang="192.168.1.252"
 export CEPHIP_taal="192.168.1.251"
-export CEPH_SECRET="AQAxSf5c2A/CMxAAnOu1RrSf7Yr2h60CLttq4g=="
+export CEPH_SECRET="file:/share/services/gestparc/ceph_secret"
 export SHARED_HOME="false"
 
 # SSH
 export SSHD_PERMITROOT_RANGE="192.168.1.0/24"
 
 # Check MK
-export MK_VERSION="2.3.0p27-1"
+#export MK_VERSION="2.3.0p27-1" No longer needed
-export MK_URL="http://10.250.42.20/check_mk/check_mk/agents/check-mk-agent_${MK_VERSION}_all.deb"
 export MK_SERVER_IP="10.250.42.20"
+export MK_SITE="check_mk"
+export MK_URL="http://$MK_SERVER_IP/$MK_SITE/check_mk/agents/check-mk-agent_latest_all.deb"
+export MK_SECRET="file:/share/services/gestparc/mk_secret"
+
 
 # Samba
 export SMBSRV="silay.$REALM"

init.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # ------------------------------------------------------------------------------
 # Init.sh: initialise a computer and conform it
-# Copyright (c) 2019-2023 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
 # ------------------------------------------------------------------------------
 # This file is distributed under 3-clause BSD license.
 # The complete license agreement can be obtained at:
@@ -36,7 +36,7 @@ export LC_ALL=C
 export LANG=C
 
 # Version of init
-export VERSION="0.99.22"
+export VERSION="0.99.23"
 
 # Store script's path (realpath -s resolve symlinks if init.sh is a symlink)
 export MYPATH=$(dirname "$(realpath -s "$0")")

lib/secret.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+# ------------------------------------------------------------------------------
+# Secret management functions
+# This file is part of the init.sh project
+# Copyright (c) 2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# ------------------------------------------------------------------------------
+# This file is distributed under 3-clause BSD license.
+# The complete license agreement can be obtained at:
+# https://opensource.org/licenses/BSD-3-Clause
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Passbolt
+get_passbolt_secret() {
+    local name="$1" secret
+
+    if ! command -v passbolt >/dev/null 2>&1; then
+        prnt E "Passbolt CLI not found (required to fetch passbolt:$name)."
+        return 3
+    fi
+
+    # Exemple basé sur CLI Passbolt + jq
+    secret=$(passbolt secret list --json 2>/dev/null | jq -r --arg NAME "$name" \
+        '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
+
+    if [[ -z "$secret" || "$secret" == "null" ]]; then
+        prnt E "Secret '$name' not found in Passbolt."
+        return 4
+    fi
+
+    printf '%s' "$secret"
+}
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# File
+get_file_secret() {
+    local path="$1" secret
+
+    if [[ -z "$path" ]]; then
+        prnt E "get_file_secret: missing path"
+        return 5
+    fi
+    if [[ ! -r "$path" ]]; then
+        prnt E "get_file_secret: '$path' not readable"
+        return 6
+    fi
+
+    secret=$(<"$path")
+    secret="${secret%$'\r'}"
+    secret="${secret%$'\n'}"
+    printf '%s' "$secret"
+}
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Environment variable
+get_var_secret() {
+    local var="$1" secret
+
+    if [[ -z "$var" ]]; then
+        prnt E "get_var_secret: missing variable name"
+        return 7
+    fi
+    if ! printenv "$var" >/dev/null 2>&1; then
+        prnt E "get_var_secret: variable '$var' not set"
+        return 8
+    fi
+
+    secret="$(printenv "$var")"
+    secret="${secret%$'\r'}"
+    secret="${secret%$'\n'}"
+    printf '%s' "$secret"
+}
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# Main dispatcher
+# Usage: fetch_secret "scheme:identifier"
+fetch_secret() {
+    local ref="$1"
+    local scheme identifier func
+
+    if [[ -z "$ref" ]]; then
+        prnt E "fetch_secret: no reference provided"
+        return 1
+    fi
+
+    # par défaut, si pas de scheme -> "file"
+    if [[ "$ref" != *:* ]]; then
+        scheme="file"
+        identifier="$ref"
+    else
+        scheme="${ref%%:*}"
+        identifier="${ref#*:}"
+    fi
+
+    func="get_${scheme}_secret"
+
+    if ! declare -f "$func" >/dev/null 2>&1; then
+        prnt E "fetch_secret: unsupported scheme '$scheme' (no function $func)"
+        return 2
+    fi
+
+    "$func" "$identifier"
+}
+export -f fetch_secret
+# ------------------------------------------------------------------------------
+
+
+# EOF

modules/conf_ceph.sh

@@ -68,11 +68,12 @@ conf_ceph()
         tag_file /etc/fstab
         echo >> /etc/fstab
         local srvlist=$(echo $CEPH_SRV_NAMES | sed "s/ /,/g")
+        local secret=$(fetch_secret "$CEPH_SECRET")
         if [[ -z $(grep $srvlist /etc/fstab) ]]; then
             echo "# Ceph :" >> /etc/fstab
             for mnt in $CEPH_MOUNTS; do
                 mkdir -pv $mnt
-                echo "$srvlist:/    $(eval echo \$CEPH_MP_$mnt)       ceph    defaults,_netdev,name=admin,secret=$CEPH_SECRET,id=$mnt  0 0" >> /etc/fstab
+                echo "$srvlist:/    $(eval echo \$CEPH_MP_$mnt)       ceph    defaults,_netdev,name=admin,secret=$secret,id=$mnt  0 0" >> /etc/fstab
             done
         else
             prnt W "Ceph entry already in /etc/fstab, nothing to do"

modules/install_mkagent.sh

@@ -9,43 +9,67 @@
 # ------------------------------------------------------------------------------
 # Variable:
 #  * MK_SERVER: Server IP address
-#  * MK_PORT: Port check_mk agent will use to communicate with server
+#  * MK_SITE: The check_mk site (or instance) to use
+#  * MK_URL: The URL to use to download the agent
+#  * MK_SECRET: The secret to use to register the agent
+#  * MK_USER: The user to use to register
 # ------------------------------------------------------------------------------
 
-export VER_install_mkagent="0.0.7"
+export VER_install_mkagent="0.1.0"
 export DEP_install_mkagent=""
 
 install_mkagent()
 {
-    wget $MK_URL -O /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    # Download and install agent
-    pkginst xinetd /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    wget "$MK_URL" -O /tmp/check-mk-agent_latest_all.deb
-    rm /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    pkginst /tmp/check-mk-agent_latest_all.deb
+    rm /tmp/check-mk-agent_latest_all.deb
 
-    backup_dist /etc/xinetd.d/check_mk
+    # Activate correct service depending on system configuration
-    install_file cmk/check_mk /etc/xinetd.d/check_mk
+    if pidof systemd >/dev/null; then
-    tag_file /etc/xinetd.d/check_mk
+        systemctl enable --now check-mk-agent.socket
-    sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check_mk
+    else
+        pkginst xinetd
+        backup_dist /etc/xinetd.d/check-mk-agent
+        install_file cmk/check_mk /etc/xinetd.d/check-mk-agent
+        tag_file /etc/xinetd.d/check-mk-agent
+        sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check-mk-agent
+        svc_restart xinetd
+    fi
 
-    mkdir -pv /usr/lib/check_mk_agent/plugins/7200
+    # Install apt plugin (for Debian)
-    install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/7200/mk_apt
+    if [[ $PKG_MAN == "apt-get" ]]; then
+        mkdir -pv /usr/lib/check_mk_agent/plugins/3600
+        install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/3600/mk_apt
+    fi
 
     # Cmk > 2.1, configure agent
+    if [[ -n $MK_SECRET ]]; then
+        local secret
+        secret=$(fetch_secret "$MK_SECRET")
+
         if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then
-        gunzip /var/lib/cmk-agent/cmk-agent-ctl.gz
+            gunzip -f /var/lib/cmk-agent/cmk-agent-ctl.gz
             chmod +x /var/lib/cmk-agent/cmk-agent-ctl
-        scp -O $MK_SERVER_IP:/etc/check_mk/agentpwd /tmp/mk-pwd
-	sleep 1 # Some execution of cmk-agent-ctl have failed with file not found without that line
-        /var/lib/cmk-agent/cmk-agent-ctl register --hostname $HOSTNAME \
-            --server $MK_SERVER_IP --site check_mk --user check_mk --password \
-            "$(read /tmp/mk-pwd)"
         fi
-    svc_restart xinetd
+        if [[ -e /var/lib/cmk-agent/cmk-agent-ctl ]]; then
+            /var/lib/cmk-agent/cmk-agent-ctl register \
+                --hostname "$HOSTNAME" \
+                --server "$MK_SERVER_IP" \
+                --site "$MK_SITE" \
+                --user "$MK_USER" \
+                --password "$secret"
+        fi
+        unset secret
+    else
+        prnt W "No secret configured, agent cannot be registered."
+    fi
 }
 
 precheck_install_mkagent()
 {
-    if [[ -z $MK_VERSION ]]; then
+    if [[ -z $MK_SITE ]]; then
-	prnt E "Undeclared check_mk version of the agent to install."
+        prnt E "Undeclared check_mk site to use."
         die 162
     fi
     if [[ -z $MK_URL ]]; then
@@ -56,7 +80,16 @@ precheck_install_mkagent()
         prnt E "Undeclared check_mk server."
         die 162
     fi
+    if [[ $PKG_MAN == "apt-get" ]]; then
         file_must_exists cmk/check_mk cmk/mk_apt
+    fi
+    if [[ -z $MK_SECRET ]]; then
+        prnt W "No secret set for CheckMK, registration won't be possible."
+        if [[ -z $MK_USER ]]; then
+            prnt E "A CheckMK user is required to register."
+            die 162
+        fi
+    fi
 }
 
 export -f install_mkagent

repo/hosts/cagua/ntp.conf

@@ -1,22 +1,27 @@
-*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
+# State files
 driftfile /var/lib/ntp/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
-# Enable this if you want statistics to be logged.
+# Statistics
-#statsdir /var/log/ntpstats/
 
-statistics loopstats peerstats clockstats
+statistics loopstats peerstats clockstats sysstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
+filegen sysstats file sysstats type day enable
 
+# Interfaces to listen on:
+interface listen 192.168.1.0/24
+interface listen 10.250.42.0/24
+interface listen 10.42.250.0/16
+interface ignore wildcard
 
-# You do need to talk to an NTP server or two (or three).
+# NTP sources
-#server ntp.your-provider.example
+# Our other NTP server, to have consistant REFID
+server didicas prefer                   iburst
 
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
-# pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
 server ntp.laas.fr                      iburst
 server ntp.sophia.cnrs.fr               iburst
 server ntp2.emn.fr                      iburst
@@ -33,32 +38,11 @@ server time.resolvlab.com		iburst
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
-# Note that "restrict" applies to both servers and clients, so a configuration
+restrict default limited nomodify notrap nopeer noquery
-# that might be intended to block requests from certain clients could also end
-# up blocking replies from your own upstream servers.
-
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
-
-# Local users may interrogate the ntp server more closely.
-restrict 192.168.1.0/24
-restrict 127.0.0.1
-restrict ::1
-
-# Needed for adding pool entries
 restrict source notrap nomodify noquery
 
-# Clients from this (example!) subnet have unlimited access, but only if
+restrict 192.168.1.0/24
-# cryptographically authenticated.
+restrict 10.250.42.0/24
-restrict 192.168.0.0 mask 255.255.0.0 trust
+restrict 10.42.250.0/16
-
+restrict 127.0.0.1
-
+restrict ::1
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-broadcast 192.168.1.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient

repo/hosts/didicas/ntp.conf

@@ -1,22 +1,27 @@
-*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
+# State files
 driftfile /var/lib/ntp/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
-# Enable this if you want statistics to be logged.
+# Statistics
-#statsdir /var/log/ntpstats/
 
-statistics loopstats peerstats clockstats
+statistics loopstats peerstats clockstats sysstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
+filegen sysstats file sysstats type day enable
 
+# Interfaces to listen on:
+interface listen 192.168.1.0/24
+interface listen 10.250.42.0/24
+interface listen 10.42.250.0/16
+interface ignore wildcard
 
-# You do need to talk to an NTP server or two (or three).
+# NTP sources
-#server ntp.your-provider.example
+# Our other NTP server, to have consistant REFID
+server cagua prefer                     iburst
 
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
-# pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
 server ntp.laas.fr                      iburst
 server ntp.sophia.cnrs.fr               iburst
 server ntp2.emn.fr                      iburst
@@ -33,32 +38,11 @@ server time.resolvlab.com		iburst
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
-# Note that "restrict" applies to both servers and clients, so a configuration
+restrict default limited nomodify notrap nopeer noquery
-# that might be intended to block requests from certain clients could also end
-# up blocking replies from your own upstream servers.
-
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
-
-# Local users may interrogate the ntp server more closely.
-restrict 192.168.1.0/24
-restrict 127.0.0.1
-restrict ::1
-
-# Needed for adding pool entries
 restrict source notrap nomodify noquery
 
-# Clients from this (example!) subnet have unlimited access, but only if
+restrict 192.168.1.0/24
-# cryptographically authenticated.
+restrict 10.250.42.0/24
-restrict 192.168.0.0 mask 255.255.0.0 trust
+restrict 10.42.250.0/16
-
+restrict 127.0.0.1
-
+restrict ::1
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-broadcast 192.168.1.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient