From 5958936a9b7238c24383cebff5a6bf288bce7a07 Mon Sep 17 00:00:00 2001 From: lucagubler <32480007+lucagubler@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:57:40 +0100 Subject: [PATCH] Validate config before restarting icinga (#349) * Only reload icinga2 if config validation is ok * Remove unused handler * Fix ansible lint issues (FQCN and uppercase name) * Fixes #347 --- roles/icinga2/handlers/main.yml | 17 +++++++++++------ roles/icinga2/tasks/configure.yml | 10 +++++----- roles/icinga2/tasks/features.yml | 2 +- roles/icinga2/tasks/features/api.yml | 4 ++-- 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/roles/icinga2/handlers/main.yml b/roles/icinga2/handlers/main.yml index c9bbfbdd..c51b417d 100644 --- a/roles/icinga2/handlers/main.yml +++ b/roles/icinga2/handlers/main.yml @@ -1,10 +1,15 @@ --- -- name: restart icinga2 service - service: - name: icinga2 - state: restarted +- name: Check icinga2 configuration + ansible.builtin.command: + cmd: icinga2 daemon --validate + register: icinga2_check + changed_when: true + failed_when: icinga2_check.rc != 0 + listen: check-and-reload-icinga2-service + notify: reload-icinga2 -- name: reload icinga2 service - service: +- name: Reload icinga2 service + ansible.builtin.service: name: icinga2 state: reloaded + listen: reload-icinga2 diff --git a/roles/icinga2/tasks/configure.yml b/roles/icinga2/tasks/configure.yml index 5efb46ab..a4b70af7 100644 --- a/roles/icinga2/tasks/configure.yml +++ b/roles/icinga2/tasks/configure.yml @@ -10,7 +10,7 @@ dest: "{{ icinga2_config_path + '/icinga2.conf' }}" owner: "{{ icinga2_user }}" group: "{{ icinga2_group }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service - name: merge defaults and user specified constants (set_fact icinga2_combined_constants) set_fact: 
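Review bot: When `icinga2 daemon --validate` fails in the new `Check icinga2 configuration` handler, the rejected files are already written to disk, and a re-run with the same inputs reports those tasks as unchanged, so `check-and-reload-icinga2-service` is not notified again and the broken config sits there until the next service restart. Document that on the handler, for example `# A failed validation leaves the new files in place; a later run without changes will not repeat this check`, or add an always-run validation task with `changed_when: false` at the end of the role so the failure stays visible. `failed_when: icinga2_check.rc != 0` repeats the command module's default and can be dropped. Separately, renaming the handler to `Reload icinga2 service` and removing `restart icinga2 service` would break any notifier outside this diff that still uses the old names, which cannot be confirmed from the hunks shown.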
@@ -22,7 +22,7 @@ dest: "{{ icinga2_config_path + '/constants.conf' }}" owner: "{{ icinga2_user }}" group: "{{ icinga2_group }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service - name: features include_tasks: features.yml @@ -94,7 +94,7 @@ group: "{{ icinga2_group }}" mode: 0644 loop: "{{ result.files }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service - name: enable features file: @@ -102,7 +102,7 @@ path: "{{ '/etc/icinga2/features-enabled/' + icinga2_feature_realname[item.name]|default(item.name) + '.conf' }}" src: "{{ '../features-available/' + icinga2_feature_realname[item.name]|default(item.name) + '.conf' if (item.state is undefined or item.state != 'absent') else omit }}" loop: "{{ icinga2_features }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service - name: remove empty config files ansible.builtin.file: @@ -110,4 +110,4 @@ path: "{{ item |regex_replace('^'+icinga2_fragments_path, '/etc/icinga2') }}" when: item.split('/')[icinga2_fragments_path.split('/')|length] == 'conf.d' or item.split('/')[icinga2_fragments_path.split('/')|length] == 'zones.d' loop: "{{ _empty_result.stdout_lines }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service diff --git a/roles/icinga2/tasks/features.yml b/roles/icinga2/tasks/features.yml index 76aa72c3..a5986d07 100644 --- a/roles/icinga2/tasks/features.yml +++ b/roles/icinga2/tasks/features.yml @@ -19,7 +19,7 @@ state: absent path: "{{ '/etc/icinga2/features-enabled/' + icinga2_feature_realname[item]|default(item) + '.conf' }}" loop: "{{ features_enabled | default([]) | difference(icinga2_features| map(attribute='name')|list) }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service when: icinga2_purge_features - name: configure features diff --git a/roles/icinga2/tasks/features/api.yml b/roles/icinga2/tasks/features/api.yml index 46656eda..ec68f063 100644 --- a/roles/icinga2/tasks/features/api.yml 
+++ b/roles/icinga2/tasks/features/api.yml @@ -152,7 +152,7 @@ --trustedcert "{{ icinga2_cert_path }}/trusted-master.crt" {% else %} sign-csr --csr "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.csr" {%- endif %} --cert "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service - name: copy CA root certificate copy: @@ -189,7 +189,7 @@ dest: "{{ _crt.dest }}" owner: "{{ icinga2_user }}" group: "{{ icinga2_group }}" - notify: reload icinga2 service + notify: check-and-reload-icinga2-service loop: "{{ _tmp_crt }}" loop_control: loop_var: _crt