From 765bf30d2bfb9fdea74617f157f02078c9cbf09e Mon Sep 17 00:00:00 2001 From: Christoph Breit Date: Wed, 18 Oct 2023 12:03:29 +0200 Subject: [PATCH 1/8] add installation for vspheredb --- ...ture_add_vspheredb_module_installation.yml | 3 + doc/role-icingaweb2/module-vspheredb.md | 55 +++++++++++++++++++ roles/icingaweb2/defaults/main.yml | 1 + roles/icingaweb2/tasks/modules/vspheredb.yml | 30 ++++++++++ roles/icingaweb2/vars/main.yml | 3 +- 5 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/feature_add_vspheredb_module_installation.yml create mode 100644 doc/role-icingaweb2/module-vspheredb.md create mode 100644 roles/icingaweb2/tasks/modules/vspheredb.yml diff --git a/changelogs/fragments/feature_add_vspheredb_module_installation.yml b/changelogs/fragments/feature_add_vspheredb_module_installation.yml new file mode 100644 index 00000000..ddc847dd --- /dev/null +++ b/changelogs/fragments/feature_add_vspheredb_module_installation.yml @@ -0,0 +1,3 @@ +--- +major_changes: + - Added Installation of Vspheredb Module diff --git a/doc/role-icingaweb2/module-vspheredb.md b/doc/role-icingaweb2/module-vspheredb.md new file mode 100644 index 00000000..abc3b851 --- /dev/null +++ b/doc/role-icingaweb2/module-vspheredb.md 
@@ -0,0 +1,55 @@ +## Module Vspheredb + +The module Icinga Vspheredb provides + +## Configuration + +The general module parameter like `enabled` and `source` can be applied here. + +For every config file, create a dictionary with sections as keys and the parameters as values. For all parameters please check the [module documentation](https://icinga.com/docs/icinga-vsphere-integration/latest/doc/01-Installation/) + +as Icinga Web 2 resource, please use the `icingaweb2_resources` variable to define +the resource. + +Example: + +``` +icingaweb2_resources: + vspheredb: + type: db + db: mysql + host: localhost + dbname: vspheredb + username: vspheredb + password: vspheredb + charset: utf8mb4 + +icingaweb2_modules: + vspheredb: + enabled: true + source: package + config: + db: + resource: vspheredb +``` + +## Database + +The database can be created using the Geerlingguy mysql role. + +For more parameters please check the [role documentation](https://github.com/geerlingguy/ansible-role-mysql) + +Example: + +``` +mysql_databases: + - name: vspheredb + encoding: utf8mb4 + collation: utf8mb4_general_ci + +pre_tasks: + - ansible.builtin.include_role: + name: geerlingguy.mysql + + +``` \ No newline at end of file diff --git a/roles/icingaweb2/defaults/main.yml b/roles/icingaweb2/defaults/main.yml index e338fe1c..588f6aa5 100644 --- a/roles/icingaweb2/defaults/main.yml +++ b/roles/icingaweb2/defaults/main.yml @@ -2,6 +2,7 @@ icingaweb2_config_dir: /etc/icingaweb2 icingaweb2_group: icingaweb2 icingaweb2_modules_config_dir: "{{ icingaweb2_config_dir }}/modules" icingaweb2_director_service: icinga-director.service +icingaweb2_vspheredb_service: icinga-vspheredb.service icingaweb2_groups: icingaweb2: diff --git a/roles/icingaweb2/tasks/modules/vspheredb.yml b/roles/icingaweb2/tasks/modules/vspheredb.yml new file mode 100644 index 00000000..edaa446f --- /dev/null +++ b/roles/icingaweb2/tasks/modules/vspheredb.yml 
@@ -0,0 +1,30 @@ +- name: Module Vspheredb | Install + debug: + msg: Installed VsphereDB Modul + + + +- name: Module Vspheredb | Ensure config directory + ansible.builtin.file: + state: directory + dest: "{{ icingaweb2_modules_config_dir }}/vspheredb" + owner: "{{ icingaweb2_httpd_user }}" + group: "{{ icingaweb2_group }}" + mode: "2770" + +- name: Module Vspheredb | Manage config files + ansible.builtin.include_tasks: manage_module_config.yml + loop: "{{ _files }}" + loop_control: + loop_var: _file + when: vars['icingaweb2_modules'][_module][_file] is defined + vars: + _module: "{{ item.key }}" + _files: + - config + +- name: Module Vspheredb | Ensure daemon is running + ansible.builtin.service: + name: "{{ icingaweb2_vspheredb_service }}" + state: started + enabled: yes diff --git a/roles/icingaweb2/vars/main.yml b/roles/icingaweb2/vars/main.yml index 8092fd97..cb9ef5c8 100644 --- a/roles/icingaweb2/vars/main.yml +++ b/roles/icingaweb2/vars/main.yml @@ -2,4 +2,5 @@ icingaweb2_module_packages: icingadb: icingadb-web director: icinga-director - businessprocess: icinga-businessprocess \ No newline at end of file + businessprocess: icinga-businessprocess + vspheredb: icingaweb2-module-vspheredb \ No newline at end of file From 068bbb53a1e330b49296b4e0e0663d734e75a67f Mon Sep 17 00:00:00 2001 From: Daniel Bodky Date: Tue, 21 Nov 2023 09:03:46 +0100 Subject: [PATCH 2/8] Finishes vSphereDB module integration --- roles/icingaweb2/files/icinga-vspheredb.conf | 1 + roles/icingaweb2/tasks/modules/vspheredb.yml | 67 ++++++++++++++++++-- roles/icingaweb2/vars/main.yml | 1 - 3 files changed, 62 insertions(+), 7 deletions(-) create mode 100644 roles/icingaweb2/files/icinga-vspheredb.conf diff --git a/roles/icingaweb2/files/icinga-vspheredb.conf b/roles/icingaweb2/files/icinga-vspheredb.conf new file mode 100644 index 00000000..d05ed194 --- /dev/null +++ b/roles/icingaweb2/files/icinga-vspheredb.conf @@ -0,0 +1 @@ +d /run/icinga-vspheredb 0755 icingavspheredb icingaweb2 - 
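Review bot: In the new `roles/icingaweb2/tasks/modules/vspheredb.yml` (PATCH 1/8), the first task `Module Vspheredb | Install` is only a `debug` that prints "Installed VsphereDB Modul" and installs nothing, so the play output claims an installation this file does not perform; drop it or replace it with the real install step. It also uses the short name `debug` while every other task in the file uses `ansible.builtin.*`, and the last task writes `enabled: yes` where `enabled: true` avoids the YAML 1.1 truthy form. The tasks read `item.key` without defining it, so a header comment such as `# Included once per module; expects item from the caller's loop` would help; the caller is not visible in this hunk.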
diff --git a/roles/icingaweb2/tasks/modules/vspheredb.yml b/roles/icingaweb2/tasks/modules/vspheredb.yml index edaa446f..f37e6f2b 100644 --- a/roles/icingaweb2/tasks/modules/vspheredb.yml +++ b/roles/icingaweb2/tasks/modules/vspheredb.yml 
@@ -1,10 +1,64 @@ -- name: Module Vspheredb | Install - debug: - msg: Installed VsphereDB Modul +--- +# Needed because the role sets different permissions for modules and git fails when checking it in task #2 +- name: Module vSphereDB | Clean up module directory + ansible.builtin.file: + state: absent + path: "{{ icingaweb2_config.global.module_path }}/{{ module }}" + loop: + - vspheredb + - incubator + loop_control: + loop_var: module + +- name: Module vSphereDB | Install modules from source + ansible.builtin.git: + name: https://github.com/icinga/icingaweb2-module-{{ repo_info.name }} + dest: "{{ icingaweb2_config.global.module_path }}/{{ repo_info.name }}" + version: "{{ repo_info.version }}" + loop: + - name: vspheredb + version: v1.7.1 + - name: incubator + version: v0.20.0 + loop_control: + loop_var: repo_info + +- name: Module vSphereDB | Ensure incubator is enabled + ansible.builtin.command: icingacli module enable incubator + +- name: Module vSphereDB | Ensure service user exists + ansible.builtin.user: + name: icingavspheredb + group: icingaweb2 + system: true + home: /var/lib/icingavspheredb + shell: /bin/false + +- name: Module vSphereDB | Ensure service user home exists + ansible.builtin.file: + state: directory + dest: /var/lib/icingavspheredb + owner: icingavspheredb + group: icingaweb2 + mode: "0750" + +- name: Module vSphereDB | Ensure service file is installed + ansible.builtin.copy: + src: "{{ icingaweb2_config.global.module_path }}/vspheredb/contrib/systemd/icinga-vspheredb.service" + dest: "/etc/systemd/system/{{ icingaweb2_vspheredb_service }}" + remote_src: true + mode: "0644" +- name: Module vSphereDB | Ensure socket file is copied + ansible.builtin.copy: + src: icinga-vspheredb.conf + dest: /etc/tmpfiles.d/{{ icingaweb2_vspheredb_service.replace('.service', '') }}.con + mode: 0644 +- name: Module vSphereDB | Ensure socket file is installed + ansible.builtin.command: systemd-tmpfiles --create /etc/tmpfiles.d/{{ 
icingaweb2_vspheredb_service.replace('.service', '') }}.conf -- name: Module Vspheredb | Ensure config directory +- name: Module vSphereDB | Ensure config directory ansible.builtin.file: state: directory dest: "{{ icingaweb2_modules_config_dir }}/vspheredb" @@ -12,7 +66,7 @@ group: "{{ icingaweb2_group }}" mode: "2770" -- name: Module Vspheredb | Manage config files +- name: Module vSphereDB | Manage config files ansible.builtin.include_tasks: manage_module_config.yml loop: "{{ _files }}" loop_control: @@ -23,8 +77,9 @@ _files: - config -- name: Module Vspheredb | Ensure daemon is running +- name: Module vSphereDB | Ensure daemon is running ansible.builtin.service: name: "{{ icingaweb2_vspheredb_service }}" state: started enabled: yes + failed_when: false # this is a bit buggy because we only activate the module later in the role diff --git a/roles/icingaweb2/vars/main.yml b/roles/icingaweb2/vars/main.yml index cb9ef5c8..3e6106cf 100644 --- a/roles/icingaweb2/vars/main.yml +++ b/roles/icingaweb2/vars/main.yml @@ -3,4 +3,3 @@ icingaweb2_module_packages: icingadb: icingadb-web director: icinga-director businessprocess: icinga-businessprocess - vspheredb: icingaweb2-module-vspheredb \ No newline at end of file From 7a715ef2c54757fa7fd2a0c3173b4afc3f5041b0 Mon Sep 17 00:00:00 2001 From: Daniel Bodky Date: Tue, 21 Nov 2023 09:09:01 +0100 Subject: [PATCH 3/8] Updates docs --- .../feature_add_vspheredb_module_installation.yml | 2 +- doc/role-icingaweb2/module-vspheredb.md | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/changelogs/fragments/feature_add_vspheredb_module_installation.yml b/changelogs/fragments/feature_add_vspheredb_module_installation.yml index ddc847dd..63854e4f 100644 --- a/changelogs/fragments/feature_add_vspheredb_module_installation.yml +++ b/changelogs/fragments/feature_add_vspheredb_module_installation.yml 
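Review bot: In `roles/icingaweb2/tasks/modules/vspheredb.yml` (PATCH 2/8), `Ensure socket file is copied` writes to a path ending in `.con`, but the following `systemd-tmpfiles --create` task reads the same path ending in `.conf`, so the runtime directory declared in `icinga-vspheredb.conf` is not created by that command; the copy should use `dest: /etc/tmpfiles.d/{{ icingaweb2_vspheredb_service.replace('.service', '') }}.conf`. That task also sets `mode: 0644` unquoted while its neighbours use `"0644"`. `Install modules from source` checks out the tags `v1.7.1` and `v0.20.0`; tags can be moved upstream and the checked-out code is then run as a system service, so pinning `version` to full commit hashes would make the install reproducible and tamper-evident. `failed_when: false` on `Ensure daemon is running` hides every start failure, not only the ordering problem the inline comment describes.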
@@ -1,3 +1,3 @@ --- major_changes: - - Added Installation of Vspheredb Module + - Added Installation of vSphereDB Module diff --git a/doc/role-icingaweb2/module-vspheredb.md b/doc/role-icingaweb2/module-vspheredb.md index abc3b851..a6692636 100644 --- a/doc/role-icingaweb2/module-vspheredb.md +++ b/doc/role-icingaweb2/module-vspheredb.md @@ -1,10 +1,13 @@ -## Module Vspheredb +## Module vSphereDB -The module Icinga Vspheredb provides +> [!WARNING] +> This module can only be installed from source as it has not been packaged yet. +> Therefore, `git` is a needed dependency to be present on the target system. +> The role will then install `vspheredb` and its dependency `incubator`. ## Configuration -The general module parameter like `enabled` and `source` can be applied here. +The general module parameter like `enabled` can be applied here. For every config file, create a dictionary with sections as keys and the parameters as values. For all parameters please check the [module documentation](https://icinga.com/docs/icinga-vsphere-integration/latest/doc/01-Installation/) From 637f7cc8e204145582a80f4b713492632f92a2d5 Mon Sep 17 00:00:00 2001 From: Daniel Bodky Date: Tue, 21 Nov 2023 13:23:15 +0100 Subject: [PATCH 4/8] Updates available roles --- doc/getting-started.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/getting-started.md b/doc/getting-started.md index 6fd1ce35..17ab2c68 100644 --- a/doc/getting-started.md +++ b/doc/getting-started.md 
@@ -1,11 +1,19 @@ ### Getting Started -The collection includes two roles in the current version. +The collection includes six roles in the current version. * icinga.repos: Role to manage repositories * [Documentation: doc/role-repos](role-repos/role-repos.md) * icinga.icinga2: Role to install and manage Icinga 2 instances. * [Documentation: doc/role-icinga2](role-icinga2/role-icinga2.md) +* icinga.icingadb: Role to install and manage IcingaDB, Icinga2's new data backend. + * [Documentation: doc/role-icingadb](role-icingadb/role-icingadb.md) +* icinga.icingadb_redis: Role to install and manage Redis, IcingaDB's cache backend. + * [Documentation: doc/role-icingadb_redis](role-icingadb_redis/role-icingadb_redis.md) +* icinga.icingaweb2: Role to install and manage Icinga Web 2. + * [Documentation: doc/role-icingaweb2](role-icingaweb2/role-icingaweb2.md) +* icinga.monitoring_plugins: Role to install and manage Icinga2 compatible monitoring plugins. + * [Documentation: doc/role-monitoring_plugins](role-monitoring_plugins/role-monitoring_plugins.md) --- From 6ab1d1f20483a1d45c689c82e33a4e30537e18f4 Mon Sep 17 00:00:00 2001 From: Daniel Bodky Date: Tue, 21 Nov 2023 13:39:54 +0100 Subject: [PATCH 5/8] Adds references to the database examples to relevant parts of the docs --- doc/getting-started.md | 30 ++++++++++++++++++++++++++ doc/role-icingadb/role-icingadb.md | 7 +++++- doc/role-icingaweb2/role-icingaweb2.md | 4 ++++ 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/doc/getting-started.md b/doc/getting-started.md index 17ab2c68..851df2a7 100644 --- a/doc/getting-started.md +++ b/doc/getting-started.md 
@@ -47,6 +47,36 @@ ansible-galaxy collection build ansible-collection-icinga ansible-galaxy collection install icinga-icinga-0.3.0.tar.gz ``` +## Databases + +Icinga2 relies on relational databases for many parts of its functionality. **None** of those databases gets installed by the roles. You need to install and configure them yourself. For doing so, there are many ways available, e.g. the Ansible role [geerlingguy.mysql](https://galaxy.ansible.com/geerlingguy/mysql) for MySQL flavour (both MySQL and MariaDB) or [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql) PostGresQL: + +```yaml +- name: Configure databases for Icinga2 + hosts: database + vars: + mysql_databases: + - name: icingadb + - name: icingaweb + - name: vspheredb + encoding: utf8mb4 + collation: utf8mb4_unicode_ci + - name: director + mysql_users: + - name: icingadb-user + host: localhost + password: icingadb-password + priv: "icingadb.*:ALL" + [...] + roles: + - role: geerlingguy.mysql +``` + +> [!NOTE] +> Schema migrations needed for the respective Icinga components to work will be handled either by the respective roles or by the Icinga components themselves. + + + ## Example Playbooks This is an example on how to install an Icinga 2 server/master instance. diff --git a/doc/role-icingadb/role-icingadb.md b/doc/role-icingadb/role-icingadb.md index 5d66a32a..e30742ab 100644 --- a/doc/role-icingadb/role-icingadb.md +++ b/doc/role-icingadb/role-icingadb.md 
@@ -5,7 +5,12 @@ This role installs and configures the IcingaDB daemon. In addition it can also i It serves as the official, more performant successor to Icinga IDO. More information about its purpose and design can be found [in the official documentation](https://icinga.com/docs/icinga-db/latest/doc/01-About/). -> :information_source: In many scenarios you want to install the [icingadb_redis role](../role-icingadb_redis/) together with this role. It is part of this collection, too. +> [!TIP] +> In many scenarios you want to install the [icingadb_redis role](../role-icingadb_redis/) together with this role. It is part of this collection, too. + +## Database + +IcingaDB relies on a relational database to persist received data. This database **won't** be created by this role - you need to deploy and configure one in advance. For more information, see the [Databases](../getting-started.md#databases) section in the getting started guide. ## Variables diff --git a/doc/role-icingaweb2/role-icingaweb2.md b/doc/role-icingaweb2/role-icingaweb2.md index 4faf1ae7..bff00b7c 100644 --- a/doc/role-icingaweb2/role-icingaweb2.md +++ b/doc/role-icingaweb2/role-icingaweb2.md @@ -7,6 +7,10 @@ The role icingaweb2 installs and configures Icinga Web 2 and its modules. * [IcingaDB](./module-icingadb.md) * [Monitoring](./module-monitoring.md) +## Databases + +Icingaweb2 and some of its modules rely on a relational database to persist data. These databases **won't** be created by this role - you need to deploy and configure them in advance. For more information, see the [Databases](../getting-started.md#databases) section in the getting started guide. + ## Variables ### Icinga Web 2 DB Configuration From b96d50d11f907a40aa52855f248ee8e2a18075cb Mon Sep 17 00:00:00 2001 
From: Daniel Bodky Date: Tue, 21 Nov 2023 13:40:51 +0100 Subject: [PATCH 6/8] add installation for x509 module (#214) * add module x509 and mysql imports task * Add documentation for x509 module * Add documentation about database imports * Continues working on x509 module installation --------- Co-authored-by: Thilo W --- .../feature_add_x509_module_installation.yml | 3 + doc/role-icingaweb2/module-x509.md | 95 +++++++++++++++++++ roles/icingaweb2/tasks/main.yml | 8 ++ .../icingaweb2/tasks/manage_mysql_imports.yml | 38 ++++++++ roles/icingaweb2/tasks/modules/x509.yml | 66 +++++++++++++ roles/icingaweb2/vars/main.yml | 3 +- 6 files changed, 212 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/feature_add_x509_module_installation.yml create mode 100644 doc/role-icingaweb2/module-x509.md create mode 100644 roles/icingaweb2/tasks/manage_mysql_imports.yml create mode 100644 roles/icingaweb2/tasks/modules/x509.yml diff --git a/changelogs/fragments/feature_add_x509_module_installation.yml b/changelogs/fragments/feature_add_x509_module_installation.yml new file mode 100644 index 00000000..82c1f981 --- /dev/null +++ b/changelogs/fragments/feature_add_x509_module_installation.yml @@ -0,0 +1,3 @@ +--- +major_changes: + - Added Installation of x509 certificate monitoring model diff --git a/doc/role-icingaweb2/module-x509.md b/doc/role-icingaweb2/module-x509.md new file mode 100644 index 00000000..684000fd --- /dev/null +++ b/doc/role-icingaweb2/module-x509.md 
@@ -0,0 +1,95 @@ +## Module x509 + +### Variables and Configuration + +The general module parameter like `enabled` and `source` can be applied here. + +| Variable | Value | +|----------|------------| +| enabled | true/false | +| source | package | + +#### Section configuration + +The backend database for the module needs to be available and configured at the `icingaweb2_resources` variable. + +``` +icingaweb2_modules: + x509: + source: package + enabled: true + config: + backend: + resource: x509 +``` + +#### Configure SNI Names. + +To configure SNIs for a IP address, use the dictionary `sni`. + +Example: + +``` +icingaweb2_modules: + x509: + source: package + enabled: true + config: + backend: + resource: x509 + sni: + 192.168.56.213: + hostnames: + - icinga.com + - test2.icinga.com +``` + +#### Import Certificates + +To import certificates use the **list** `certificate_files` all files need to be +available locally beforehand. + +``` +icingaweb2_modules: + x509: + source: package + enabled: true + config: + backend: + resource: x509 + certificate_files: + - /etc/ssl/certs/ca-certificates.crt +``` + +#### Database Schema Setup + +To import the database schema use `database` dictionary with the following variables. + +| Variable | Type | Description | Default | +|----------|------|-------------|---------| +| `import_schema` | `Boolean` | Defines wether the schema will be imported or not. | false | +| `host` | `String` | Defines database address to connect to. | `localhost` | +| `port` | `int` | Defines the database port to connect to. | `3306` or `5432` | +| `user` | `string` | Defines database user | `x509` | +| `name` | `String` | Defines the database to connect to. | `x509` | +| `password` | `String` | Defines the database password to connect with. 
| OMITTED | +| `ssl_mode` | `String` | Clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established |**n/a** | +|`ssl_ca`| `String`| Defines the path to the ca certificate for client authentication. | **n/a** | +|`ssl_cert`|`String`| Defines the path to the certificate for client authentication. | **n/a** | +|`ssl_key`| `String` | Defines the path to the certificate key for client key authentication. | **n/a** | +|`ssl_cipher`|`String`| Ciphers for the client authentication. | **n/a** | +|`ssl_extra_options`|`String`| Extra options for the client authentication. | **n/a** | + + +``` +icingaweb2_modules: + x509: + source: package + enabled: true + database: + import_schema: true + host: localhost + port: 3306 + user: x509 + password: secret +``` diff --git a/roles/icingaweb2/tasks/main.yml b/roles/icingaweb2/tasks/main.yml index e6bd7b6b..a020d4cd 100644 --- a/roles/icingaweb2/tasks/main.yml +++ b/roles/icingaweb2/tasks/main.yml @@ -43,3 +43,11 @@ force: yes when: icingaweb2_modules is defined loop: "{{ icingaweb2_modules | dict2items }}" + +# Many daemons fail before e.g. the resource is set up or the schema hasn't been migrated. This is a workaround. +- name: Manage enabled module daemons + ansible.builtin.service: + name: "icinga-{{ item.key }}" + state: restarted + when: icingaweb2_modules is defined and item.value.enabled|bool == true and item.key in ['vspheredb', 'x509'] + loop: "{{ icingaweb2_modules | dict2items }}" diff --git a/roles/icingaweb2/tasks/manage_mysql_imports.yml b/roles/icingaweb2/tasks/manage_mysql_imports.yml new file mode 100644 index 00000000..676c6df2 --- /dev/null +++ b/roles/icingaweb2/tasks/manage_mysql_imports.yml 
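Review bot: In `roles/icingaweb2/tasks/main.yml`, `Manage enabled module daemons` uses `state: restarted` unconditionally, so the vspheredb and x509 daemons are restarted and the task reports changed on every run; a handler notified by the config tasks would keep the role idempotent. The unit name is built as `icinga-{{ item.key }}`, which ignores `icingaweb2_vspheredb_service` from `defaults/main.yml`, so overriding that variable has no effect here. `item.value.enabled|bool == true` will fail on a module entry that has no `enabled` key; `item.value.enabled | default(false) | bool` is safer.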
@@ -0,0 +1,38 @@
+---
+- name: Check Database Credentials
+ ansible.builtin.assert:
+ that:
+ - _db['user'] is defined
+ - _db['password'] is defined
+ fail_msg: "No database credentials defined."
+
+- name: Build mysql command
+ ansible.builtin.set_fact:
+ _tmp_mysqlcmd: >-
+ mysql {% if _db['host'] | default('localhost') != 'localhost' %} -h "{{ _db['host'] }}" {%- endif %}
+ {% if _db['port'] is defined %} -P "{{ _db['port'] }}" {%- endif %}
+ {% if _db['ssl_mode'] is defined %} --ssl-mode "{{ _db['ssl_mode'] }}" {%- endif %}
+ {% if _db['ssl_ca'] is defined %} --ssl-ca "{{ _db['ssl_ca'] }}" {%- endif %}
+ {% if _db['ssl_cert'] is defined %} --ssl-cert "{{ _db['ssl_cert'] }}" {%- endif %}
+ {% if _db['ssl_key'] is defined %} --ssl-key "{{ _db['ssl_key'] }}" {%- endif %}
+ {% if _db['ssl_cipher'] is defined %} --ssl-cipher "{{ _db['ssl_cipher'] }}" {%- endif %}
+ {% if _db['ssl_extra_options'] is defined %} {{ _db['ssl_extra_options'] }} {%- endif %}
+ -u "{{ _db['user'] }}"
+ -p"{{ _db['password'] }}"
+ "{{ _db['name'] }}"
+
+- name: MySQL check for db schema
+ ansible.builtin.shell: >
+ {{ _tmp_mysqlcmd }}
+ -Ns -e "{{ _db['select_query'] }}"
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ register: _db_schema
+
+- name: MySQL import db schema
+ ansible.builtin.shell: >
+ {{ _tmp_mysqlcmd }}
+ < {{ _db['schema_path'] }}
+ when: _db_schema.rc != 0
+ run_once: yes
diff --git a/roles/icingaweb2/tasks/modules/x509.yml b/roles/icingaweb2/tasks/modules/x509.yml
new file mode 100644
index 00000000..a0bc7e25
--- /dev/null
+++ b/roles/icingaweb2/tasks/modules/x509.yml
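Review bot: In `roles/icingaweb2/tasks/manage_mysql_imports.yml`, `Build mysql command` puts the database password on the command line as `-p"{{ _db['password'] }}"`, and neither the `set_fact` nor the two `ansible.builtin.shell` tasks set `no_log: true`, so the password is exposed in the target's process list and in Ansible's verbose output and logs. Every `_db[...]` value is interpolated into a shell string with hand-written double quotes, so a value containing a quote or `$` changes the command; the `quote` filter handles that. The `_tmp_mysqlcmd` fact also stays set after the import, although the caller in `x509.yml` resets `_db`. The sketch below passes the password through the task environment (`MYSQL_PWD` is deprecated by MySQL but still read by the client; a `--defaults-extra-file` with mode 0600 is the alternative) and adds `no_log`.

```yaml
# in "Build mysql command": remove the -p"…" line and quote the remaining values
      -u {{ _db['user'] | quote }}
      {{ _db['name'] | quote }}

- name: MySQL check for db schema
  ansible.builtin.shell: >
    {{ _tmp_mysqlcmd }}
    -Ns -e {{ _db['select_query'] | quote }}
  environment:
    MYSQL_PWD: "{{ _db['password'] }}"
  no_log: true
  # … unchanged: failed_when, changed_when, check_mode, register …

- name: MySQL import db schema
  ansible.builtin.shell: >
    {{ _tmp_mysqlcmd }}
    < {{ _db['schema_path'] | quote }}
  environment:
    MYSQL_PWD: "{{ _db['password'] }}"
  no_log: true
  # … unchanged: when, run_once …
```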
@@ -0,0 +1,66 @@
+- name: Module x509 | Ensure config directory
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ icingaweb2_modules_config_dir }}/{{ _module }}"
+ owner: "{{ icingaweb2_httpd_user }}"
+ group: "{{ icingaweb2_group }}"
+ mode: "2770"
+ vars:
+ _module: "{{ item.key }}"
+
+- name: Module x509 | Manage config files
+ ansible.builtin.include_tasks: manage_module_config.yml
+ loop: "{{ _files }}"
+ loop_control:
+ loop_var: _file
+ when: vars['icingaweb2_modules'][_module][_file] is defined
+ vars:
+ _module: "{{ item.key }}"
+ _files:
+ - config
+ - sni
+
+- name: Module x509 | Manage Schema
+ block:
+ - name: Module x509 | Prepare _db informations
+ ansible.builtin.set_fact:
+ _db:
+ host: "{{ vars['icingaweb2_modules'][_module]['database']['host'] | default('localhost') }}"
+ port: "{{ vars['icingaweb2_modules'][_module]['database']['port'] | default('3306') }}"
+ user: "{{ vars['icingaweb2_modules'][_module]['database']['user'] | default('x509') }}"
+ password: "{{ vars['icingaweb2_modules'][_module]['database']['password'] | default(omit) }}"
+ name: "{{ vars['icingaweb2_modules'][_module]['database']['name'] | default('x509') }}"
+ ssl_mode: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_mode'] | default(omit) }}"
+ ssl_ca: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_ca'] | default(omit) }}"
+ ssl_cert: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_cert'] | default(omit) }}"
+ ssl_key: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_key'] | default(omit) }}"
+ ssl_cipher: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_cipher'] | default(omit) }}"
+ ssl_extra_options: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_extra_options'] | default(omit) }}"
+ schema_path: /usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql
+ select_query: "select * from x509_certificate"
+ when: vars['icingaweb2_modules'][_module]['database']['type'] | default('mysql') == 'mysql'
+
+ - ansible.builtin.fail:
+ fail_msg: "The Database type select is not supported, {{ vars['icingaweb2_modules'][_module]['database']['type'] }} [Supported=mysql]"
+ when: vars['icingaweb2_modules'][_module]['database']['type'] is defined and vars['icingaweb2_modules'][_module]['database']['type'] != 'mysql'
+
+ - name: Module x509 | Import Schema
+ ansible.builtin.include_tasks: ../manage_mysql_imports.yml
+
+ - name: Module x509 | empty _db var
+ ansible.builtin.set_fact:
+ _db: {}
+ when: vars['icingaweb2_modules'][_module]['database']['import_schema'] | default(false)
+ vars:
+ _module: "{{ item.key }}"
+
+- name: Module x509 | Import Certificates
+ ansible.builtin.shell: >
+ icingacli {{ _module }} import --file {{ _file }}
+ loop: "{{ vars['icingaweb2_modules'][_module]['certificate_files'] }}"
+ loop_control:
+ loop_var: _file
+ vars:
+ _module: "{{ item.key }}"
+ when: vars['icingaweb2_modules'][_module]['certificate_files'] is defined
+ changed_when: false
diff --git a/roles/icingaweb2/vars/main.yml b/roles/icingaweb2/vars/main.yml
index 8092fd97..588f0d6d 100644
--- a/roles/icingaweb2/vars/main.yml
+++ b/roles/icingaweb2/vars/main.yml
@@ -2,4 +2,5 @@
 icingaweb2_module_packages:
 icingadb: icingadb-web
 director: icinga-director
- businessprocess: icinga-businessprocess
\ No newline at end of file
+ x509: icinga-x509
+ businessprocess: icinga-businessprocess
From 0a37c99bf2d264e0b71ac7d9efb09d9457baeea4 Mon Sep 17 00:00:00 2001
From: Daniel Bodky
Date: Tue, 21 Nov 2023 13:52:59 +0100
Subject: [PATCH 7/8] Fixes typos
---
 doc/getting-started.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/getting-started.md b/doc/getting-started.md
index 851df2a7..8a5b6767 100644
--- a/doc/getting-started.md
+++ b/doc/getting-started.md
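Review bot: In `roles/icingaweb2/tasks/modules/x509.yml`, `Module x509 | Import Certificates` runs `icingacli {{ _module }} import --file {{ _file }}` through `ansible.builtin.shell` with the path unquoted, so a `certificate_files` entry containing spaces or shell metacharacters is split or interpreted by the shell; `ansible.builtin.command` with `argv: [icingacli, "{{ _module }}", import, --file, "{{ _file }}"]` avoids the shell entirely. The unnamed `ansible.builtin.fail` task passes `fail_msg`, which is an `assert` parameter; `fail` takes `msg`, so the intended text is likely replaced by an unsupported-parameter error, and the task should also get a `name`. `changed_when: false` on the import reports no change even when certificates are added to the database.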
@@ -49,7 +49,7 @@ ansible-galaxy collection install icinga-icinga-0.3.0.tar.gz ## Databases -Icinga2 relies on relational databases for many parts of its functionality. **None** of those databases gets installed by the roles. You need to install and configure them yourself. For doing so, there are many ways available, e.g. the Ansible role [geerlingguy.mysql](https://galaxy.ansible.com/geerlingguy/mysql) for MySQL flavour (both MySQL and MariaDB) or [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql) PostGresQL: +Icinga2 relies on relational databases for many parts of its functionality. **None** of those databases get installed by the roles. You need to install and configure them yourself. For doing so, there are many ways available, e.g. the Ansible role [geerlingguy.mysql](https://galaxy.ansible.com/geerlingguy/mysql) for MySQL flavours (both MySQL and MariaDB) or [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql) for PostGresQL: ```yaml - name: Configure databases for Icinga2 From c5671bfd7c9556ab1b437941c4d81327a70f832f Mon Sep 17 00:00:00 2001 From: Daniel Bodky Date: Wed, 22 Nov 2023 17:35:26 +0100 Subject: [PATCH 8/8] Adjusts installation procedure if installing from source --- roles/icingaweb2/tasks/modules/vspheredb.yml | 108 ++++++++----------- 1 file changed, 43 insertions(+), 65 deletions(-) diff --git a/roles/icingaweb2/tasks/modules/vspheredb.yml b/roles/icingaweb2/tasks/modules/vspheredb.yml index f37e6f2b..9ac966b2 100644 --- a/roles/icingaweb2/tasks/modules/vspheredb.yml +++ b/roles/icingaweb2/tasks/modules/vspheredb.yml 
@@ -1,63 +1,4 @@ --- -# Needed because the role sets different permissions for modules and git fails when checking it in task #2 -- name: Module vSphereDB | Clean up module directory - ansible.builtin.file: - state: absent - path: "{{ icingaweb2_config.global.module_path }}/{{ module }}" - loop: - - vspheredb - - incubator - loop_control: - loop_var: module - -- name: Module vSphereDB | Install modules from source - ansible.builtin.git: - name: https://github.com/icinga/icingaweb2-module-{{ repo_info.name }} - dest: "{{ icingaweb2_config.global.module_path }}/{{ repo_info.name }}" - version: "{{ repo_info.version }}" - loop: - - name: vspheredb - version: v1.7.1 - - name: incubator - version: v0.20.0 - loop_control: - loop_var: repo_info - -- name: Module vSphereDB | Ensure incubator is enabled - ansible.builtin.command: icingacli module enable incubator - -- name: Module vSphereDB | Ensure service user exists - ansible.builtin.user: - name: icingavspheredb - group: icingaweb2 - system: true - home: /var/lib/icingavspheredb - shell: /bin/false - -- name: Module vSphereDB | Ensure service user home exists - ansible.builtin.file: - state: directory - dest: /var/lib/icingavspheredb - owner: icingavspheredb - group: icingaweb2 - mode: "0750" - -- name: Module vSphereDB | Ensure service file is installed - ansible.builtin.copy: - src: "{{ icingaweb2_config.global.module_path }}/vspheredb/contrib/systemd/icinga-vspheredb.service" - dest: "/etc/systemd/system/{{ icingaweb2_vspheredb_service }}" - remote_src: true - mode: "0644" - -- name: Module vSphereDB | Ensure socket file is copied - ansible.builtin.copy: - src: icinga-vspheredb.conf - dest: /etc/tmpfiles.d/{{ icingaweb2_vspheredb_service.replace('.service', '') }}.con - mode: 0644 - -- name: Module vSphereDB | Ensure socket file is installed - ansible.builtin.command: systemd-tmpfiles --create /etc/tmpfiles.d/{{ icingaweb2_vspheredb_service.replace('.service', '') }}.conf - - name: Module vSphereDB | Ensure config 
directory ansible.builtin.file: state: directory @@ -77,9 +18,46 @@ _files: - config -- name: Module vSphereDB | Ensure daemon is running - ansible.builtin.service: - name: "{{ icingaweb2_vspheredb_service }}" - state: started - enabled: yes - failed_when: false # this is a bit buggy because we only activate the module later in the role +- name: Module vSphereDB | Check for pending migrations + ansible.builtin.shell: + cmd: icingacli vspheredb migration pending + register: _pending + changed_when: _pending.rc|int == 0 + failed_when: _pending.stdout|length > 0 + when: vars['icingaweb2_modules']['vspheredb']['import_schema'] is defined and vars['icingaweb2_modules']['vspheredb']['import_schema'] and vars['icingaweb2_modules']['vspheredb']['config'] is defined + +- name: Module vSphereDB | Ensure installation from source is complete + when: icingaweb2_modules['vspheredb']['source'] == 'git' + block: + - name: Module vSphereDB | Ensure service user exists + ansible.builtin.user: + name: icingavspheredb + group: icingaweb2 + system: true + home: /var/lib/icingavspheredb + shell: /bin/false + + - name: Module vSphereDB | Ensure service user home exists + ansible.builtin.file: + state: directory + dest: /var/lib/icingavspheredb + owner: icingavspheredb + group: icingaweb2 + mode: "0750" + + - name: Module vSphereDB | Ensure service file is installed + ansible.builtin.copy: + src: "{{ icingaweb2_config.global.module_path }}/vspheredb/contrib/systemd/icinga-vspheredb.service" + dest: "/etc/systemd/system/icinga-vspheredb.service" + remote_src: true + mode: "0644" + + - name: Module vSphereDB | Ensure socket file is copied + ansible.builtin.copy: + src: icinga-vspheredb.conf + dest: /etc/tmpfiles.d/icinga-vspheredb.conf + mode: 0644 + + - name: Module vSphereDB | Ensure socket file is installed + ansible.builtin.command: systemd-tmpfiles --create /etc/tmpfiles.d/icinga-vspheredb.conf +
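Review bot: In `roles/icingaweb2/tasks/modules/vspheredb.yml` (PATCH 8/8), the source-install block hard-codes `group: icingaweb2` for the service user and its home, while `Ensure config directory` in the same file uses `group: "{{ icingaweb2_group }}"`; if that variable is overridden, the daemon user is not in the group that owns the mode `"2770"` config directory. The block's `when: icingaweb2_modules['vspheredb']['source'] == 'git'` indexes `source` directly and fails with an undefined error when the key is absent; `icingaweb2_modules['vspheredb']['source'] | default('') == 'git'` is safer. `Ensure socket file is copied` keeps `mode: 0644` unquoted where the other tasks use `"0644"`. `Check for pending migrations` sets `failed_when: _pending.stdout|length > 0`, so it appears to abort the play on any output rather than apply a migration, and it reads `import_schema` at module level whereas the x509 tasks read `database.import_schema`; a comment stating the intended behaviour would help.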