From: Robin Roevens
To: development@lists.ipfire.org
Cc: Robin Roevens
Subject: [PATCH 3/6] zabbix_agentd: Add WireGuard specific monitoring items
Date: Thu, 17 Jul 2025 19:52:02 +0200
Message-ID: <20250717180805.5754-4-robin.roevens@disroot.org>
In-Reply-To: <20250717180805.5754-1-robin.roevens@disroot.org>
References: <20250717180805.5754-1-robin.roevens@disroot.org>

Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.wireguard.peers.discovery: Discovery of configured WireGuard clients.
Returns a JSON array. - ipfire.wireguard.statusreport.get: Parses and returns output of `wireguardctrl dump` as a JSON array. Signed-off-by: Robin Roevens --- config/rootfiles/packages/zabbix_agentd | 1 + config/zabbix_agentd/sudoers | 2 +- config/zabbix_agentd/userparameter_wireguard.conf | 6 ++++++ lfs/zabbix_agentd | 2 ++ 4 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 config/zabbix_agentd/userparameter_wireguard.conf diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index cc75a49bd..52cb37e93 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -22,6 +22,7 @@ var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf var/ipfire/zabbix_agentd/userparameters/userparameter_gateway.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_wireguard.conf var/ipfire/zabbix_agentd/scripts var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 921e20c89..57273a2c8 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -9,6 +9,6 @@ # Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/sbin/arping, /usr/local/bin/getipstat -zabbix ALL=(ALL) NOPASSWD: /bin/cat /var/run/ovpnserver.log +zabbix ALL=(ALL) NOPASSWD: /bin/cat /var/run/ovpnserver.log, /usr/local/bin/wireguardctrl dump zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/userparameter_wireguard.conf b/config/zabbix_agentd/userparameter_wireguard.conf new file mode 100644 index 000000000..b7925288a 
--- /dev/null +++ b/config/zabbix_agentd/userparameter_wireguard.conf @@ -0,0 +1,6 @@ +# Parameters for monitoring IPFire WireGuard specific metrics +# +# Discovery of configured WireGuard peers +UserParameter=ipfire.wireguard.peers.discovery,cat /var/ipfire/wireguard/peers 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#ID}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK_B64}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $4, $5, $2, $11, $3; separator = ","; } END { print "]" }' +# Get Wireguard status report +UserParameter=ipfire.wireguard.statusreport.get,sudo /usr/local/bin/wireguardctrl dump | awk 'BEGIN { ORS = ""; print "[" } NR>1 { printf "%s{\"id\":\"%s\",\"endpoint\":\"%s\",\"allowed_ip\":\"%s\",\"handshake_timestamp\":%s,\"bytes_in\":%s,\"bytes_out\":%s}", separator, $1, $3, $4, $5, $6, $7; separator = ","; } END { print "]" }' diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index ebd184628..6d0a6b4ea 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -114,6 +114,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_gateway.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_gateway.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_wireguard.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_wireguard.conf # Install IPFire-specific Zabbix Agent scripts -mkdir -pv /var/ipfire/zabbix_agentd/scripts -- 2.50.1
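
Review bot: in config/zabbix_agentd/sudoers the new `/usr/local/bin/wireguardctrl dump` entry is appended to the OpenVPN log rule and inherits its `(ALL)` runas, so the zabbix account may run the dump as any user and receives the complete, unfiltered output. A separate rule limited to root, e.g. `zabbix ALL=(root) NOPASSWD: /usr/local/bin/wireguardctrl dump`, would be tighter and keeps the OpenVPN and WireGuard grants independently auditable. The awk in userparameter_wireguard.conf discards line 1 and column 2 of that output; if the dump follows the `wg show <interface> dump` layout (an assumption, the format is not shown in this patch), those are the interface private key and the per-peer preshared keys, and the sudoers rule still exposes them to anything running as zabbix. Filtering inside a root-owned wrapper under /var/ipfire/zabbix_agentd/scripts, granted the same way as ipfire_services.pl, would keep key material away from the agent account.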
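
Review bot: in config/zabbix_agentd/userparameter_wireguard.conf both awk programs print field values into JSON strings with a bare `\"%s\"` and no escaping, so a peer name (or any other column) containing `"` or `\` produces invalid JSON for the discovery rule and the status item. Escape `\` and `"` with gsub() before the printf, or build the JSON in a helper script alongside the existing ipfire_*.pl ones. In the status item, `handshake_timestamp`, `bytes_in` and `bytes_out` are emitted unquoted through `%s`, so an empty or non-numeric column also breaks the document; coercing them numerically (e.g. `$5+0`) avoids that. When `sudo /usr/local/bin/wireguardctrl dump` fails, the BEGIN/END blocks still print `[]`, which makes a permission or runtime error indistinguishable from zero peers; propagating the exit status would let the item turn unsupported instead. The peers file is split with `-F','`, so a comma inside the name column would shift every later field. Minor: the second comment spells it "Wireguard" while the rest of the file uses "WireGuard".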