bundles/wireguard: one icinga2 check per peer

2020-11-30 06:43:35 +01:00 · 2020-11-30 06:43:35 +01:00 · 67d8293201
parent 3ab39f9ede
commit 67d8293201
2 changed files with 44 additions and 52 deletions
--- a/bundles/wireguard/files/check_wireguard_connected
+++ b/bundles/wireguard/files/check_wireguard_connected
@ -2,54 +2,35 @@

 from datetime import datetime
 from subprocess import check_output
-from sys import exit
+from sys import argv, exit
+
+INTERFACE = argv[1]
+PUBKEY = argv[2]
+
+NOW = datetime.timestamp(datetime.now())

-# get wireguard interface names
 try:
-    interfaces = check_output(['wg', 'show', 'interfaces']).split()
+    result = check_output(['wg', 'show', INTERFACE, 'latest-handshakes']).decode('utf-8').splitlines()
 except Exception as e:
-    print('UNKNOWN: ' + repr(e))
+    print('UNKNOWN: {}'.format(repr(e)))
    exit(3)

-if len(interfaces) == 0:
-    print('CRITICAL: no wireguard interfaces found!')
-    exit(0)
+found_key = False
+for line in result:
+    pubkey, last_handshake = line.split()

-now = datetime.timestamp(datetime.now())
-warn = set()
-critical = set()
+    if pubkey == PUBKEY:
+        overdue = NOW - int(last_handshake) - 120

-for interface in interfaces:
-    try:
-        result = check_output(['wg', 'show', interface, 'latest-handshakes']).decode('utf-8').split('\n')
-    except Exception as e:
-        critical.add('{}: {}'.format(interface, repr(e)))
-        continue
+        if overdue > 120:
+            print('handshake is more than 120 seconds late!')
+            exit(2)
+        elif overdue > 15:
+            print('handshake is more than 15 seconds late.')
+            exit(1)
+        else:
+            print('received handshake a couple seconds ago')
+            exit(0)

-    for line in result:
-        if len(line) == 0:
-            continue
-
-        pubkey, last_handshake = line.split()
-        overdue = now - int(last_handshake) - 120
-
-        if overdue > 15:
-            critical.add('{}: {} is more than 120 seconds late'.format(interface, pubkey))
-        elif overdue > 120:
-            warn.add('{}: {} is more than 15 seconds late'.format(interface, pubkey))
-
-
-for line in sorted(critical):
-    print(line)
-
-for line in sorted(warn):
-    print(line)
-
-
-if len(critical):
-    exit(2)
-elif len(warn):
-    exit(1)
-else:
-    print('OK')
-    exit(0)
+print('CRITICAL: {} not found in latest handshakes for {}'.format(PUBKEY, INTERFACE))
+exit(2)
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -12,15 +12,6 @@ defaults = {
            },
        },
    },
-    'icinga2_api': {
-        'wireguard': {
-            'services': {
-                'WIREGUARD CONNECTED': {
-                    'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected',
-                },
-            },
-        },
-    },
    'iptables': {
        'bundle_rules': {
            'wireguard': [
@ -83,3 +74,23 @@ def get_my_wireguard_peers(metadata):
            'peers': peers,
        },
    }
+
+
+@metadata_reactor
+def icinga2(metadata):
+    services = {}
+
+    for peer, config in metadata.get('wireguard/peers', {}).items():
+        services[f'WIREGUARD CONNECTION {peer}'] = {
+            'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg0 {}'.format(
+                config['pubkey'],
+            ),
+        }
+
+    return {
+        'icinga2_api': {
+            'wireguard': {
+                'services': services,
+            },
+        },
+    }