From 1852b6cf92e0b08db26d3398faf41b2c8a20b400 Mon Sep 17 00:00:00 2001 From: Mike Gabriel Date: Fri, 24 Jan 2025 16:29:30 +0100 Subject: sbin/*puppet*: Rework puppet client/ca maintenance scripts. --- bin/itzks-puppet-list-known-hosts | 21 ---- sbin/itzks-prepare-reinstall | 77 -------------- sbin/itzks-puppet-autosign-new-host-certificates | 92 ----------------- sbin/itzks-puppet-refresh-ssl | 8 -- sbin/itzks-puppet-renew-ssl | 40 ++++++++ sbin/itzks-puppet-reset-ssl | 30 ++++++ ...zks-puppetserver-autosign-new-host-certificates | 111 +++++++++++++++++++++ sbin/itzks-puppetserver-clean-hosts-from-ca | 77 ++++++++++++++ sbin/itzks-puppetserver-detect-broken-hosts | 84 ++++++++++++++++ sbin/itzks-puppetserver-list-known-hosts | 49 +++++++++ 10 files changed, 391 insertions(+), 198 deletions(-) delete mode 100755 bin/itzks-puppet-list-known-hosts delete mode 100755 sbin/itzks-prepare-reinstall delete mode 100755 sbin/itzks-puppet-autosign-new-host-certificates delete mode 100755 sbin/itzks-puppet-refresh-ssl create mode 100755 sbin/itzks-puppet-renew-ssl create mode 100755 sbin/itzks-puppet-reset-ssl create mode 100755 sbin/itzks-puppetserver-autosign-new-host-certificates create mode 100755 sbin/itzks-puppetserver-clean-hosts-from-ca create mode 100755 sbin/itzks-puppetserver-detect-broken-hosts create mode 100755 sbin/itzks-puppetserver-list-known-hosts diff --git a/bin/itzks-puppet-list-known-hosts b/bin/itzks-puppet-list-known-hosts deleted file mode 100755 index 5ca8b8f..0000000 --- a/bin/itzks-puppet-list-known-hosts +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2022 Mike Gabriel -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -ls /var/lib/puppet/ssl/ca/signed | cut -d "." -f1-2 | while read host; - do getent hosts $host -done | grep 10. diff --git a/sbin/itzks-prepare-reinstall b/sbin/itzks-prepare-reinstall deleted file mode 100755 index 4e7945f..0000000 --- a/sbin/itzks-prepare-reinstall +++ /dev/null 
@@ -1,77 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2023 Mike Gabriel -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -unset http_proxy -unset https_proxy - -DOMAIN="intern" -HOSTNAME="$(hostname -f)" -PUPPET_SERVER="puppetserver.intern" -TJENER_SERVER="tjener.intern" - -PUPPET_CLIENT_CN="${1}" -if [ -z "${PUPPET_CLIENT_CN}" ]; then - echo "usage: $(basename $0) " - exit -2 -fi - -if [ "${HOSTNAME}" != "${PUPPET_SERVER}" ] && [ "${HOSTNAME}" != "${TJENER_SERVER}" ]; then - echo "$(basename $0): Error: This script may only be run on 'tjener.intern' or 'puppetserver.intern'." - exit -1 -fi - -if ! echo ${PUPPET_CLIENT_CN} | grep -qE "\."; then - PUPPET_CLIENT_CN="${PUPPET_CLIENT_CN}.${DOMAIN}" -elif ! echo ${PUPPET_CLIENT_CN} | grep -qE "^[-_a-z0-9]+\.${DOMAIN}\$"; then - echo "$(basename $0): Error: Hostname '${PUPPET_CLIENT_CN}' is not in domain .${DOMAIN}." - exit -3 -fi - -if [ -z "$(dig ${PUPPET_CLIENT_CN} +short | head -n1)" ]; then - echo "$(basename $0): Error: Hostname '${PUPPET_CLIENT_CN}' unknown. Mistyped the hostname?" - exit -4 -fi - -### Puppet 5.x et al. (until Debian 11) - -# strip domain name -hostname_short="$(echo ${PUPPET_CLIENT_CN} | cut -d '.' 
-f1)" - -## lookup host and see if it exists in LDAP: -ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` - -if [ -n "${ldapsystem}" ]; then - - source /etc/os-release - - if [ "${ID}" = "debian" ] && \ - ([ "${VERSION_CODENAME}" == "stretch" ] || \ - [ "${VERSION_CODENAME}" == "buster" ] || \ - [ "${VERSION_CODENAME}" == "bullseye" ]); then - - # yes, we should clean this host CRT/KEY, but the puppet 5.x way - puppet cert clean "${PUPPET_CLIENT_CN}" - - else - - # yes, we should clean this host CRT/KEY, but the puppet 7++ way - puppetserver ca clean --certname "${PUPPET_CLIENT_CN}" - - fi - -fi diff --git a/sbin/itzks-puppet-autosign-new-host-certificates b/sbin/itzks-puppet-autosign-new-host-certificates deleted file mode 100755 index 4fbf678..0000000 --- a/sbin/itzks-puppet-autosign-new-host-certificates +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2022 Mike Gabriel -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -unset http_proxy -unset https_proxy - -HOSTNAME="$(hostname -f)" -PUPPET_SERVER="$(dig puppet.intern +short | head -n1)" - -if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then - exit 0 -fi - -source /etc/os-release - -if [ "${ID}" = "debian" ] && \ - ([ "${VERSION_CODENAME}" == "stretch" ] || \ - [ "${VERSION_CODENAME}" == "buster" ] || \ - [ "${VERSION_CODENAME}" == "bullseye" ]); then - - ### Puppet 5.x et al. (until Debian 11) - - # obtain list of puppet host certificate signing requests - NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" - - # if any, iterate over them individually - if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then - - echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do - - # strip domain name - hostname_short="$(echo $host_csr | cut -d '.' 
-f1)" - - ## lookup host and see if it exists in LDAP: - ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` - - if [ -n "${ldapsystem}" ]; then - - # yes, we should sign this host CSR - puppet cert sign "${host_csr}" - - fi - - done - - fi - -else - - # Puppet 7.x and newer... (Debian 12 and beyond) - - # obtain list of puppet host certificate signing requests - NEW_PUPPET_SIGNING_REQUESTS="$(puppetserver ca list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" - - # if any, iterate over them individually - if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then - - echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do - - # strip domain name - hostname_short="$(echo $host_csr | cut -d '.' -f1)" - - ## lookup host and see if it exists in LDAP: - ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` - - if [ -n "${ldapsystem}" ]; then - - # yes, we should sign this host CSR - puppetserver ca sign --certname "${host_csr}" - - fi - - done - - fi - -fi diff --git a/sbin/itzks-puppet-refresh-ssl b/sbin/itzks-puppet-refresh-ssl deleted file mode 100755 index babebfb..0000000 --- a/sbin/itzks-puppet-refresh-ssl +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -rm /var/lib/puppet/ssl/certs/ca.pem -find /var/lib/puppet/ssl/ -name "$HOSTNAME.pem" -delete -puppet agent --test -puppet agent --enable -systemctl enable puppet -systemctl start puppet diff --git a/sbin/itzks-puppet-renew-ssl b/sbin/itzks-puppet-renew-ssl new file mode 100755 index 0000000..3b2dcbf --- /dev/null +++ b/sbin/itzks-puppet-renew-ssl 
@@ -0,0 +1,40 @@ +#!/bin/bash + +# Copyright (C) 2022-2025 Mike Gabriel +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [ $(id -u) -gt 0 ]; then + echo "ERROR: This script has to run as super-user root." + exit 1 +fi + +if [[ -z "${HOSTNAME}" ]]; then + echo "HOSTNAME environment variable is not set... Exiting!" + exit 1 +fi + +itzks-puppet-reset-ssl + +ssh puppetserver itzks-puppetserver-clean-hosts-from-ca "${HOSTNAME}" + +puppet agent --test --waitforcert 0 + +ssh puppetserver itzks-puppetserver-autosign-new-hosts-certificates "${HOSTNAME}" + +puppet agent --test +puppet agent --enable +systemctl enable puppet +systemctl start puppet diff --git a/sbin/itzks-puppet-reset-ssl b/sbin/itzks-puppet-reset-ssl new file mode 100755 index 0000000..7ef6298 --- /dev/null +++ b/sbin/itzks-puppet-reset-ssl 
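Review bot: The second ssh step calls `itzks-puppetserver-autosign-new-hosts-certificates`, but the script this commit creates is `sbin/itzks-puppetserver-autosign-new-host-certificates` (singular "host"), so the remote command is not found and the new CSR is never signed; change the line to `ssh puppetserver itzks-puppetserver-autosign-new-host-certificates "${HOSTNAME}"`. None of the ssh or puppet steps have their status checked and there is no `set -e`, so a failed clean or sign is still followed by `puppet agent --enable` and a running agent with a stale or missing certificate; a `set -e` after the root check, or `|| exit 1` on each step, stops at the first failure. `${HOSTNAME}` here is bash's own variable rather than `hostname -f` as used by the server-side scripts; if it holds the short name while the puppet certname is the FQDN, the exact-match filter in the autosign script skips this host, so passing `"$(puppet config print certname)"` to both remote scripts would be more robust.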
@@ -0,0 +1,30 @@ +#!/bin/bash + +# Copyright (C) 2022-2025 Mike Gabriel +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [ $(id -u) -gt 0 ]; then + echo "ERROR: This script has to run as super-user root." + exit 1 +fi + +if [[ -z "${HOSTNAME}" ]]; then + echo "HOSTNAME environment variable is not set... Exiting!" + exit 1 +fi + +rm /var/lib/puppet/ssl/certs/ca.pem +find /var/lib/puppet/ssl/ -name "${HOSTNAME}.pem" -delete diff --git a/sbin/itzks-puppetserver-autosign-new-host-certificates b/sbin/itzks-puppetserver-autosign-new-host-certificates new file mode 100755 index 0000000..56dc9bf --- /dev/null +++ b/sbin/itzks-puppetserver-autosign-new-host-certificates 
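Review bot: `find /var/lib/puppet/ssl/ -name "${HOSTNAME}.pem" -delete` relies on bash's `HOSTNAME` variable being equal to the puppet certname; if the certname is the FQDN and `HOSTNAME` is the short name, the client's certificate and private key stay in place while `ca.pem` is removed, and the renewal that follows reuses the old key. Derive the name from puppet itself, e.g. `CERTNAME="$(puppet config print certname)"` followed by `find /var/lib/puppet/ssl/ -name "${CERTNAME}.pem" -delete`, which also makes the `HOSTNAME` guard above unnecessary. `rm /var/lib/puppet/ssl/certs/ca.pem` without `-f` prints an error on a re-run when the file is already gone; `rm -f -- /var/lib/puppet/ssl/certs/ca.pem` states the intent. The same `HOSTNAME` assumption is handed to the server-side scripts by itzks-puppet-renew-ssl.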
@@ -0,0 +1,111 @@ +#!/bin/bash + +# Copyright (C) 2022-2025 Mike Gabriel +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [ $(id -u) -gt 0 ]; then + echo "ERROR: This script has to run as super-user root." + exit 1 +fi + +unset http_proxy +unset https_proxy + +HOSTNAME="$(hostname -f)" +PUPPET_SERVER="$(dig puppet.intern +short | head -n1)" + +if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then + exit 0 +fi + +if [[ -n "${1}" ]]; then + ONLY_PUPPET_CLIENT="${1}" +fi + +source /etc/os-release + +if [ "${ID}" = "debian" ] && \ + ([ "${VERSION_CODENAME}" == "stretch" ] || \ + [ "${VERSION_CODENAME}" == "buster" ] || \ + [ "${VERSION_CODENAME}" == "bullseye" ]); then + + ### Puppet 5.x et al. (until Debian 11) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # Only process one specific client... + if [ -n "${ONLY_PUPPET_CLIENT}" ] && [ "${ONLY_PUPPET_CLIENT}" != "${host_csr}" ]; then + continue + fi + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' 
-f1)" + + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + + if [ -n "${ldapsystem}" ]; then + + # yes, we should sign this host CSR + puppet cert sign "${host_csr}" + + fi + + done + + fi + +else + + # Puppet 7.x and newer... (Debian 12 and beyond) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppetserver ca list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # Only process one specific client... + if [ -n "${ONLY_PUPPET_CLIENT}" ] && [ "${ONLY_PUPPET_CLIENT}" != "${host_csr}" ]; then + continue + fi + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" + + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + + if [ -n "${ldapsystem}" ]; then + + # yes, we should sign this host CSR + puppetserver ca sign --certname "${host_csr}" + + fi + + done + + fi + +fi diff --git a/sbin/itzks-puppetserver-clean-hosts-from-ca b/sbin/itzks-puppetserver-clean-hosts-from-ca new file mode 100755 index 0000000..a269ac9 --- /dev/null +++ b/sbin/itzks-puppetserver-clean-hosts-from-ca 
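Review bot: `hostname_short` is taken straight from the CSR certname, which is chosen by whichever client submitted the request, and is interpolated unescaped into the ldapsearch filter at `(cn=${hostname_short})`; since a non-empty LDAP result is the only thing that authorizes the sign, a certname containing LDAP filter metacharacters can match entries it should not. Validate the certname before the lookup, in both the puppet 5 and puppet 7 loops, the way itzks-puppetserver-clean-hosts-from-ca already does: `if ! echo "${host_csr}" | grep -qE '^[-_a-z0-9]+\.intern$'; then continue; fi` placed before the `cut`, and quote `"${host_csr}"` in the `cut` pipeline. `ONLY_PUPPET_CLIENT` is compared for exact equality with the certname, so callers must pass the full certname; a short host name silently signs nothing, which is worth a comment above the `continue`.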
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright (C) 2023-2025 Mike Gabriel +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +unset http_proxy +unset https_proxy + +DOMAIN="intern" +HOSTNAME="$(hostname -f)" +PUPPET_SERVER="puppetserver.intern" +TJENER_SERVER="tjener.intern" + +PUPPET_CLIENT_CN="${1}" +if [ -z "${PUPPET_CLIENT_CN}" ]; then + echo "usage: $(basename $0) " + exit -2 +fi + +if [ "${HOSTNAME}" != "${PUPPET_SERVER}" ] && [ "${HOSTNAME}" != "${TJENER_SERVER}" ]; then + echo "$(basename $0): Error: This script may only be run on 'tjener.intern' or 'puppetserver.intern'." + exit -1 +fi + +if ! echo ${PUPPET_CLIENT_CN} | grep -qE "\."; then + PUPPET_CLIENT_CN="${PUPPET_CLIENT_CN}.${DOMAIN}" +elif ! echo ${PUPPET_CLIENT_CN} | grep -qE "^[-_a-z0-9]+\.${DOMAIN}\$"; then + echo "$(basename $0): Error: Hostname '${PUPPET_CLIENT_CN}' is not in domain .${DOMAIN}." + exit -3 +fi + +if [ -z "$(dig ${PUPPET_CLIENT_CN} +short | head -n1)" ]; then + echo "$(basename $0): Error: Hostname '${PUPPET_CLIENT_CN}' unknown. Mistyped the hostname?" + exit -4 +fi + +### Puppet 5.x et al. (until Debian 11) + +# strip domain name +hostname_short="$(echo ${PUPPET_CLIENT_CN} | cut -d '.' 
-f1)" + +## lookup host and see if it exists in LDAP: +ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + +if [ -n "${ldapsystem}" ]; then + + source /etc/os-release + + if [ "${ID}" = "debian" ] && \ + ([ "${VERSION_CODENAME}" == "stretch" ] || \ + [ "${VERSION_CODENAME}" == "buster" ] || \ + [ "${VERSION_CODENAME}" == "bullseye" ]); then + + # yes, we should clean this host CRT/KEY, but the puppet 5.x way + puppet cert clean "${PUPPET_CLIENT_CN}" + + else + + # yes, we should clean this host CRT/KEY, but the puppet 7++ way + puppetserver ca clean --certname "${PUPPET_CLIENT_CN}" + + fi + +fi diff --git a/sbin/itzks-puppetserver-detect-broken-hosts b/sbin/itzks-puppetserver-detect-broken-hosts new file mode 100755 index 0000000..ad13ea7 --- /dev/null +++ b/sbin/itzks-puppetserver-detect-broken-hosts 
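Review bot: When the host is not found in LDAP the `if [ -n "${ldapsystem}" ]` block is skipped and the script exits 0 with no output, so the caller (itzks-puppet-renew-ssl over ssh) cannot tell that nothing was cleaned from the CA; add an `else` branch that prints `Error: Host '${hostname_short}' not found in LDAP, nothing cleaned.` to stderr and exits non-zero. The early exits use negative codes (`exit -1` through `exit -4`), which bash delivers as 255, 254, 253 and 252; small positive codes give callers a meaningful status. The result of `puppet cert clean` / `puppetserver ca clean` is not checked either; appending `|| exit 1` to each propagates a failed clean.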
@@ -0,0 +1,84 @@ +#!/bin/bash + +# Copyright (C) 2025 Mike Gabriel +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [ $(id -u) -gt 0 ]; then + echo "ERROR: This script has to run as super-user root." + exit 1 +fi + +usage() { + echo "$(basename ${0}) [-t|--today] [--exclude=] [--include=]" + exit 1 +} + +for arg in "$@"; do + case "${arg}" in + -t|--today) + TODAY=true + ;; + --exclude=*) + EXCLUDE="${arg#*=}" + ;; + --include=*) + INCLUDE="${arg#*=}" + ;; + --include|--exclude) + # options used in wrong way + usage + ;; + *) + # unknown option + usage + ;; + esac +done + +TMPFILE=$(mktemp) + +if [[ ! $TODAY ]]; then + ls /var/log/puppetserver/puppetserver-access-*.log.gz | sort | while read file; do + zcat $file >> "${TMPFILE}" + done +fi +cat /var/log/puppetserver/puppetserver-access.log >> "${TMPFILE}" + +iplist_with_puppeterrors=$(cat ${TMPFILE} | grep -v ' 200 ' | awk '{ print $1 }' | sort | uniq) + +for ip in ${iplist_with_puppeterrors}; do + fqdn=$(dig +short -x "${ip}" | sed -e "s/.\$//g") + + if [ "${fqdn}" = "${HOSTNAME}" ]; then + continue + fi + + if [[ -n "${INCLUDE}" ]] && ! echo "${ip} ${fqdn}" | grep -q -E "${INCLUDE}"; then + continue + fi + + if [[ -n "${EXCLUDE}" ]] && ! 
echo "${ip} ${fqdn}" | grep -v -q -E "${EXCLUDE}"; then + continue + fi + + if [[ -n "$fqdn" ]]; then + echo -e "$fqdn\t-\t$ip" + else + echo -e "(unknown)\t-\t$ip" + fi +done + +rm "${TMPFILE}" diff --git a/sbin/itzks-puppetserver-list-known-hosts b/sbin/itzks-puppetserver-list-known-hosts new file mode 100755 index 0000000..49d63d7 --- /dev/null +++ b/sbin/itzks-puppetserver-list-known-hosts 
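Review bot: `TMPFILE=$(mktemp)` is only removed by the final `rm "${TMPFILE}"`, so an interrupted run (zcat over all rotated logs can take a while) leaves the concatenated access log in /tmp; add `trap 'rm -f -- "${TMPFILE}"' EXIT` right after the mktemp. The self-skip `[ "${fqdn}" = "${HOSTNAME}" ]` compares a PTR-derived FQDN with bash's `HOSTNAME`, which may be the short name, in which case the puppetserver's own requests are never filtered out; `$(hostname -f)` is the matching form. The exclude test `! echo … | grep -v -q -E "${EXCLUDE}"` is a double negation that reads as its opposite; `echo "${ip} ${fqdn}" | grep -q -E "${EXCLUDE}"` with the `!` dropped is equivalent for the one-line input and clearer, and the rotated logs are better enumerated with a glob (`for file in /var/log/puppetserver/puppetserver-access-*.log.gz`) than by parsing `ls`.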
@@ -0,0 +1,49 @@ +#!/bin/bash + +# Copyright (C) 2022-2025 Mike Gabriel +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [ $(id -u) -gt 0 ]; then + echo "ERROR: This script has to run as super-user root." + exit 1 +fi + +PUPPET_SERVER="puppetserver.intern" +TJENER_SERVER="tjener.intern" + +if [ "${HOSTNAME}" != "${PUPPET_SERVER}" ] && [ "${HOSTNAME}" != "${TJENER_SERVER}" ]; then + echo "$(basename $0): Error: This script may only be run on 'tjener.intern' or 'puppetserver.intern'." + exit -1 +fi + +source /etc/os-release + +if [ "${ID}" = "debian" ] && \ + ([ "${VERSION_CODENAME}" == "stretch" ] || \ + [ "${VERSION_CODENAME}" == "buster" ] || \ + [ "${VERSION_CODENAME}" == "bullseye" ]); then + + SIGNED_CERTS_PATH="/var/lib/puppet/ssl/ca/signed" + +else + + SIGNED_CERTS_PATH="/etc/puppet/puppetserver/ca/signed" + +} + +ls "${SIGNED_CERTS_PATH}" | cut -d "." -f1-2 | while read host; do + getent hosts $host +done | grep 10. -- cgit v1.2.3
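Review bot: The `if … else …` block that selects `SIGNED_CERTS_PATH` is closed with `}` instead of `fi`, so bash rejects the whole script with a syntax error before anything runs; change that line to `fi`. `${HOSTNAME}` is compared against `puppetserver.intern` / `tjener.intern` but is bash's own variable rather than `hostname -f` as in itzks-puppetserver-clean-hosts-from-ca; if it holds the short name the guard always fails, so set `HOSTNAME="$(hostname -f)"` first as that script does. The final `grep 10.` has an unescaped `.`, so any line containing `10` followed by one more character passes; `grep '^10\.'` selects the intended addresses, and `$host` should be quoted as `getent hosts "${host}"`.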