From e89482d9a2e34253bc7b781deca31bef08247965 Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Fri, 29 Jul 2016 18:25:38 +0200
Subject: [PATCH 1/5] Set default user to 'checkmk'
---
 defaults/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2c5b0a8..91d9f10 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -188,19 +188,19 @@ checkmk_agent__etc_services__dependent_list:
 # .. envvar:: checkmk_agent__ssh_user
 #
 # SSH user to query Check_MK agent.
-checkmk_agent__ssh_user: 'nagios'
+checkmk_agent__ssh_user: 'checkmk'
 # .. envvar:: checkmk_agent__ssh_group
 #
 # Primary group of SSH user querying Check_MK agent.
-checkmk_agent__ssh_group: 'nagios'
+checkmk_agent__ssh_group: 'checkmk'
 # .. envvar:: checkmk_agent__user_home
 #
 # Home directory of SSH user querying Check_MK agent.
-checkmk_agent__user_home: '/var/lib/nagios'
+checkmk_agent__user_home: '/var/lib/check_mk_agent'
 # .. envvar:: checkmk_agent__user_key
From 7e049a021e8729a99fe656972b8891da3a50a5ff Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Sat, 30 Jul 2016 00:15:54 +0200
Subject: [PATCH 2/5] Make sure the group is created if it doesn't exist yet
This will make sure, that the ``authorized_keys`` file which is created with permissions 0640 and owner root can be read by the user.
---
 defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 91d9f10..9443722 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -223,6 +223,7 @@ checkmk_agent__user_key: '{{ hostvars[checkmk_agent__server].ansible_local.check
 # Authorized key configuration for the ``debops.authorized_keys`` role.
 checkmk_agent__authorized_keys__dependent_list:
 - name: '{{ checkmk_agent__ssh_user }}'
+ group: '{{ checkmk_agent__ssh_group }}'
 sshkeys:
 - '{{ checkmk_agent__user_key }}'
 options: '{{ authorized_keys__options_map.strict }}'
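Review bot: Changing the default SSH principal at `checkmk_agent__ssh_user`, `checkmk_agent__ssh_group` and `checkmk_agent__user_home` from `nagios` to `checkmk` comes with no migration note for hosts already provisioned under the old defaults. On such hosts the role will presumably create a second account while the `nagios` user, its home directory, its authorized key and whatever the sudoers fragment grants it stay behind, which is an orphaned access path nobody owns. A comment next to the new values, `# Changed from 'nagios'; hosts provisioned with the old default keep that account and its authorized key until removed by hand.`, or an equivalent changelog entry, would make the clean-up step visible to operators.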
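Review bot: The new `group:` entry in `checkmk_agent__authorized_keys__dependent_list` carries its rationale only in the commit message; the comment above the list in defaults/main.yml does not mention it. The reason is a permission interaction, so a reader who later changes `checkmk_agent__ssh_group` needs to see it inline: `# The group is set so the root-owned, 0640 authorized_keys file stays readable by the SSH user.` The commit title also implies that debops.authorized_keys creates the group when it does not yet exist; worth confirming that holds when ssh_user.yml has not run before the dependency role.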
From 2a205da87c79653695241dc9983b5cee6b86cbd9 Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Sat, 30 Jul 2016 00:46:08 +0200
Subject: [PATCH 3/5] Rename 'checkmk_agent' var to 'checkmk_agent__type', default to SSH
---
 defaults/main.yml | 8 ++++----
 docs/playbooks/checkmk_agent.yml | 6 +++---
 tasks/main.yml | 13 +++++--------
 3 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 9443722..8a29465 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,11 +29,11 @@ checkmk_agent__apt_preferences__dependent_list:
 by_role: 'debops-contrib.checkmk_agent'
-# .. envvar:: checkmk_agent
+# .. envvar:: checkmk_agent__type
 #
-# Check_MK agent query protocol. Set to ``False`` to disable agent setup.
-# Valid options are ``ssh`` and ``xinetd``.
-checkmk_agent: [ 'xinetd' ]
+# List of Check_MK agent query protocols. Valid options are ``ssh`` and
+# ``xinetd``.
+checkmk_agent__type: [ 'ssh' ]
 # .. envvar:: checkmk_agent__allow
diff --git a/docs/playbooks/checkmk_agent.yml b/docs/playbooks/checkmk_agent.yml
index 951ea13..6da04b6 100644
--- a/docs/playbooks/checkmk_agent.yml
+++ b/docs/playbooks/checkmk_agent.yml
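Review bot: The rewritten comment for `checkmk_agent__type` drops the old "Set to ``False`` to disable agent setup" sentence without saying what replaces it, and the first tasks/main.yml hunk in this commit removes the `when: checkmk_agent|d()` guard from the package installation, so there is no longer a documented way to switch the role off. Since the playbook and task conditions test membership with `'ssh' in ...` and `'xinetd' in ...`, an empty list should disable both query protocols, but the package task now runs unconditionally; that deserves a sentence such as `# Set to an empty list to disable both query protocols; the agent packages are installed regardless.` Separately, the rename from `checkmk_agent` means inventories still setting the old variable are silently ignored and fall back to the new default, which flips from xinetd to SSH and thereby creates a local SSH account via ssh_user.yml. A deprecation note here, or an assert on the old variable name in the tasks, would make that change visible to operators.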
@@ -16,21 +16,21 @@
 'depend-of::checkmk_agent', 'type::dependency' ]
 etc_services__dependent_list:
 - '{{ checkmk_agent__etc_services__dependent_list }}'
- when: (checkmk_agent|d() and 'xinetd' in checkmk_agent)
+ when: ('xinetd' in checkmk_agent__type|d(['ssh']))
 - role: debops.ferm
 tags: [ 'depend::ferm', 'depend::ferm:checkmk_agent',
 'depend-of::checkmk_agent', 'type::dependency' ]
 ferm__dependent_rules:
 - '{{ checkmk_agent__ferm__dependent_rules }}'
- when: (checkmk_agent|d() and 'xinetd' in checkmk_agent)
+ when: ('xinetd' in checkmk_agent__type|d(['ssh']))
 - role: debops.authorized_keys
 tags: [ 'depend::authorized_keys', 'depend::authorized_keys:checkmk_agent',
 'depend-of::checkmk_agent', 'type::dependency' ]
 authorized_keys__dependent_list:
 - '{{ checkmk_agent__authorized_keys__dependent_list }}'
- when: (checkmk_agent|d() and 'ssh' in checkmk_agent)
+ when: ('ssh' in checkmk_agent__type|d(['ssh']))
 - role: debops.mariadb
 tags: [ 'depend::mariadb', 'depend::mariadb:checkmk_agent',
diff --git a/tasks/main.yml b/tasks/main.yml
index 3d5a2a6..ed9cf5d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,7 +29,6 @@
 name: '{{ item }}'
 state: 'present'
 install_recommends: False
- when: checkmk_agent|d()
 with_items: '{{ checkmk_agent__base_packages }}'
 - name: Ensure the /etc/check_mk directory does exist
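Review bot: The three rewritten `when:` conditions in docs/playbooks/checkmk_agent.yml hard-code the default via `|d(['ssh'])`, duplicating the value of `checkmk_agent__type` from defaults/main.yml in a second file. This is presumably unavoidable here because role defaults are not in scope for play-level dependency conditions, but it means a later change to the default in defaults/main.yml is not picked up by these conditions and the two can drift silently. A comment at the first of them, `# Keep the inline default in sync with checkmk_agent__type in defaults/main.yml`, would flag the coupling.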
@@ -41,22 +40,20 @@
 mode: '0755'
 - include: ssh_user.yml
- when: ((checkmk_agent|d() and 'ssh' in checkmk_agent) and
- (not checkmk_agent__ssh_user == "root"))
+ when: ('ssh' in checkmk_agent__type|d(['ssh'])) and
+ (not checkmk_agent__ssh_user == "root")
 - include: xinetd.yml
- when: (checkmk_agent|d() and 'xinetd' in checkmk_agent)
+ when: ('xinetd' in checkmk_agent__type|d(['ssh']))
 - include: setup_plugins.yml
 tags: [ 'role::checkmk_agent:plugins' ]
- when: (checkmk_agent|d() and
- ansible_local|d() and ansible_local.checkmk_agent|d() and
+ when: (ansible_local|d() and ansible_local.checkmk_agent|d() and
 ansible_local.checkmk_agent.checkmk_agent__plugin_list|d())
 - include: autojoin.yml
 tags: [ 'role::checkmk_agent:autojoin' ]
- when: (checkmk_agent|d() and
- checkmk_agent__autojoin|d())
+ when: (checkmk_agent__autojoin|d())
 - name: DebOps post_tasks hook
 include: "{{ lookup('task_src', 'checkmk_agent/post_main.yml') }}"
From e54600718e274a4611889395f34d025e19092480 Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Sat, 30 Jul 2016 13:49:33 +0200
Subject: [PATCH 4/5] Fix 'sshuser' membership if debops.sshd is not used
---
 defaults/main.yml | 12 ++++++++++++
 tasks/ssh_user.yml | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 8a29465..fa7a045 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
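Review bot: Inside the role's own tasks the `|d(['ssh'])` fallback on `checkmk_agent__type` in the ssh_user.yml and xinetd.yml conditions is redundant, since defaults/main.yml defines the variable and role defaults are in scope here; repeating the default in a third place only adds drift risk. `when: ('ssh' in checkmk_agent__type) and (checkmk_agent__ssh_user != "root")` and `when: 'xinetd' in checkmk_agent__type` express the same conditions. The negated equality `not checkmk_agent__ssh_user == "root"` also reads more naturally as `!=`. The final `- name: DebOps post_tasks hook` task continues outside the hunk.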
@@ -197,6 +197,18 @@ checkmk_agent__ssh_user: 'checkmk'
 checkmk_agent__ssh_group: 'checkmk'
+# .. envvar:: checkmk_agent__ssh_allow_group
+#
+# Group membership required to access the system by SSH. If the ``AllowGroups``
+# :file:`sshd_config` option is not managed by ``debops.sshd`` this variable
+# might need to be defined accordingly in the Ansible inventory.
+checkmk_agent__ssh_allow_group: '{{ "sshusers"
+ if ("sshd" in ansible_local) and
+ ("allow_groups" in ansible_local.sshd) and
+ ("sshusers" in ansible_local.sshd.allow_groups)
+ else "" }}'
+
+
 # .. envvar:: checkmk_agent__user_home
 #
 # Home directory of SSH user querying Check_MK agent.
diff --git a/tasks/ssh_user.yml b/tasks/ssh_user.yml
index a3de153..aa41544 100644
--- a/tasks/ssh_user.yml
+++ b/tasks/ssh_user.yml
@@ -9,7 +9,7 @@
 user:
 name: '{{ checkmk_agent__ssh_user }}'
 group: '{{ checkmk_agent__ssh_group }}'
- groups: 'sshusers'
+ groups: '{{ checkmk_agent__ssh_allow_group|d(omit) }}'
 system: 'yes'
 shell: '/bin/sh'
 home: '{{ checkmk_agent__user_home }}'
From 0a043ccb568182ac16e6a383ac82a5d08bf20373 Mon Sep 17 00:00:00 2001
From: Reto Gantenbein
Date: Sat, 30 Jul 2016 17:37:18 +0200
Subject: [PATCH 5/5] Fix sudoers file permission
---
 tasks/ssh_user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/ssh_user.yml b/tasks/ssh_user.yml
index aa41544..ad86493 100644
--- a/tasks/ssh_user.yml
+++ b/tasks/ssh_user.yml
@@ -21,4 +21,4 @@
 dest: '/etc/sudoers.d/check-mk-agent'
 owner: 'root'
 group: 'root'
- mode: '0644'
+ mode: '0440'
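Review bot: The expression for `checkmk_agent__ssh_allow_group` tests `"sshd" in ansible_local` without guarding `ansible_local` itself, so if that fact is undefined (for instance when facts are not gathered) the template presumably errors instead of falling back to `""`; the conditions in tasks/main.yml guard the same fact with `ansible_local|d()`. Changing the first test to `("sshd" in ansible_local|d({}))` keeps the rest of the chain intact. The comment also explains when to override the value but not what the empty-string result means for the user task; `# Empty string: the SSH user is assigned no supplementary group.` would make the fallback explicit.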
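Review bot: The `|d(omit)` on `groups:` can only take effect if `checkmk_agent__ssh_allow_group` is undefined, but the defaults/main.yml hunk in the same commit defines it with an empty-string fallback, so the `omit` branch is unreachable and the `user` module receives `groups: ''` whenever `sshusers` is not an allowed group. Whether an empty `groups` value is meant to clear the account's supplementary groups should be stated, since that differs from omitting the parameter; if omission is the intent, `groups: '{{ checkmk_agent__ssh_allow_group|d(omit, true) }}'` treats the empty string as undefined too. A one-line comment above the parameter documenting whichever behaviour is intended would settle it. The `user:` task's header is outside the hunk.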
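Review bot: Tightening `/etc/sudoers.d/check-mk-agent` to `mode: '0440'` fixes the permission, but nothing in the hunk shows the fragment being syntax-checked before it is installed; the task's module line is outside the hunk, so this may already be covered. If it is not, adding `validate: 'visudo -cf %s'` to the task prevents a malformed fragment from breaking sudo for every account on the host.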