From 5aee050c5dbff5f54dd0d0e74bb6db3516783a56 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 21 Nov 2020 16:15:34 +0100
Subject: [PATCH] bundles/wireguard: add icinga check
---
 .../wireguard/files/check_wireguard_connected | 55 +++++++++++++++++++
 bundles/wireguard/items.py | 3 +
 bundles/wireguard/metadata.py | 9 +++
 3 files changed, 67 insertions(+)
 create mode 100644 bundles/wireguard/files/check_wireguard_connected
diff --git a/bundles/wireguard/files/check_wireguard_connected b/bundles/wireguard/files/check_wireguard_connected
new file mode 100644
index 0000000..25dd3bd
--- /dev/null
+++ b/bundles/wireguard/files/check_wireguard_connected
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+from datetime import datetime
+from subprocess import check_output
+from sys import exit
+
+# get wireguard interface names
+try:
+ interfaces = check_output(['wg', 'show', 'interfaces']).split()
+except Exception as e:
+ print('UNKNOWN: ' + repr(e))
+ exit(3)
+
+if len(interfaces) == 0:
+ print('CRITICAL: no wireguard interfaces found!')
+ exit(0)
+
+now = datetime.timestamp(datetime.now())
+warn = set()
+critical = set()
+
+for interface in interfaces:
+ try:
+ result = check_output(['wg', 'show', interface, 'latest-handshakes']).decode('utf-8').split('\n')
+ except Exception as e:
+ critical.add('{}: {}'.format(interface, repr(e)))
+ continue
+
+ for line in result:
+ if len(line) == 0:
+ continue
+
+ pubkey, last_handshake = line.split()
+ overdue = now - int(last_handshake) - 120
+
+ if overdue > 15:
+ critical.add('{}: {} is more than 120 seconds late'.format(interface, pubkey))
+ elif overdue > 120:
+ warn.add('{}: {} is more than 15 seconds late'.format(interface, pubkey))
+
+
+for line in sorted(critical):
+ print(line)
+
+for line in sorted(warn):
+ print(line)
+
+
+if len(critical):
+ exit(2)
+elif len(warn):
+ exit(1)
+else:
+ print('OK')
+ exit(0)
diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py
index 9ef7df2..0b44ee0 100644
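Review bot: The `if len(interfaces) == 0:` branch prints `CRITICAL: no wireguard interfaces found!` but then calls `exit(0)`, so Icinga records the service as OK exactly when the tunnel is absent; it should be `exit(2)`. The threshold branches further down are also swapped: `if overdue > 15:` feeds `critical` and makes `elif overdue > 120:` unreachable, so every peer more than 15 seconds past the 120-second window is reported critical and the warning state never fires, while each message names the other threshold. Reordering to `if overdue > 120:` for `critical` and `elif overdue > 15:` for `warn` makes the code match its messages. Separately, `interfaces` holds `bytes` from `check_output(...).split()`, so the output lines will render interface names in their bytes repr (e.g. `b'wg0'`) unless they are decoded first.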
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@@ -23,4 +23,7 @@ files = {
 'svc_systemd:systemd-networkd:restart',
 },
 },
+ '/usr/local/share/icinga/plugins/check_wireguard_connected': {
+ 'mode': '0755',
+ },
 }
diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index 8c08bd0..beed5ae 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -12,6 +12,15 @@ defaults = {
 },
 },
 },
+ 'icinga2_api': {
+ 'wireguard': {
+ 'services': {
+ 'WIREGUARD CONNECTED': {
+ 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected',
+ },
+ },
+ },
+ },
 'iptables': {
 'bundle_rules': {
 'wireguard': [
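Review bot: `command_on_monitored_host` runs the plugin through `sudo`, so the whole script executes as root, yet the script added in this commit is launched via `#!/usr/bin/env python3` and calls `wg` by bare name, both of which are resolved through PATH. The sudoers rule that permits this is not visible in the commit; it is worth confirming that it allows only this exact path without arguments and that sudo's `secure_path` is in effect, or pinning absolute paths for the interpreter and for `wg` in the script. The `files` entry in items.py sets only `'mode': '0755'`; stating `'owner': 'root'` and `'group': 'root'` there would make explicit that the monitoring user cannot rewrite a root-run script, assuming those are not already the item defaults. The `defaults` dict starts and ends outside the hunk.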