bundles/wireguard: add icinga check

2020-11-21 16:15:34 +01:00 · 2020-11-21 16:15:34 +01:00 · 5aee050c5d
parent 58ca3fa9ae
commit 5aee050c5d
3 changed files with 67 additions and 0 deletions
--- a/bundles/wireguard/files/check_wireguard_connected
+++ b/bundles/wireguard/files/check_wireguard_connected
@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+from datetime import datetime
+from subprocess import check_output
+from sys import exit
+
+# get wireguard interface names
+try:
+    interfaces = check_output(['wg', 'show', 'interfaces']).split()
+except Exception as e:
+    print('UNKNOWN: ' + repr(e))
+    exit(3)
+
+if len(interfaces) == 0:
+    print('CRITICAL: no wireguard interfaces found!')
+    exit(0)
+
+now = datetime.timestamp(datetime.now())
+warn = set()
+critical = set()
+
+for interface in interfaces:
+    try:
+        result = check_output(['wg', 'show', interface, 'latest-handshakes']).decode('utf-8').split('\n')
+    except Exception as e:
+        critical.add('{}: {}'.format(interface, repr(e)))
+        continue
+
+    for line in result:
+        if len(line) == 0:
+            continue
+
+        pubkey, last_handshake = line.split()
+        overdue = now - int(last_handshake) - 120
+
+        if overdue > 15:
+            critical.add('{}: {} is more than 120 seconds late'.format(interface, pubkey))
+        elif overdue > 120:
+            warn.add('{}: {} is more than 15 seconds late'.format(interface, pubkey))
+
+
+for line in sorted(critical):
+    print(line)
+
+for line in sorted(warn):
+    print(line)
+
+
+if len(critical):
+    exit(2)
+elif len(warn):
+    exit(1)
+else:
+    print('OK')
+    exit(0)
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@ -23,4 +23,7 @@ files = {
            'svc_systemd:systemd-networkd:restart',
        },
    },
+    '/usr/local/share/icinga/plugins/check_wireguard_connected': {
+        'mode': '0755',
+    },
 }
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -12,6 +12,15 @@ defaults = {
            },
        },
    },
+    'icinga2_api': {
+        'wireguard': {
+            'services': {
+                'WIREGUARD CONNECTED': {
+                    'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected',
+                },
+            },
+        },
+    },
    'iptables': {
        'bundle_rules': {
            'wireguard': [