manifests/params.pp

## confdroid_nrpe::params.pp
# Module name: confdroid_nrpe
# Author: 12ww1160 (12ww1160@ConfDroid.com)
# @summary  Class holds all parameters for the confdroid_nrpe module and is
#   inherited by all classes except defines.
# @see https://www.nagios.org/documentation/
# @param [String] pkg_ensure
#   which [package type](https://confdroid.com/2017/05/puppet-type-package/)
#   to choose, i.e. `latest` or `present`.
# @param [String] ne_log_facility the log facility to use.
# @param [String] ne_log_file If a log file is specified in this option,
#   nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log
# @param [String] ne_debug Whether debugging messages are logged to the
#   syslog facility.
# @param [String] ne_nrpe_port the NRPE port. used in firewall ( optional)
#   and configuration file.
# @param [String] ne_listen_queue_size  Listen queue size (backlog) for
#   serving incoming connections.
# @param [String] ne_nagios_server ipaddress of the nagios server to be allowed
#   to connect to NRPE service. Default is to look up a global parameter from
#   ENC.
# @param [String] ne_dont_blame_nrpe whether or not the NRPE daemon will
#   allow clients to specify arguments to commands that are executed.
# @param [String] ne_allow_bash_cmd_subst whether or not the NRPE daemon will
#   allow clients to specify arguments that contain bash command substitutions
#   of the form $(...).
# @param [Boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg
#   as well as for creating a sudo role.
# @param [String] ne_command_prefix allows you to prefix all commands with a
#   user-defined String.
# @param [String] ne_incl_fw Whether to include firewall rules
# @param [String] ne_command_timeout maximum number of seconds that the NRPE
#   daemon will allow plugins to finish executing before killing them off.
# @param [String] ne_connection_timeout maximum number of seconds that the
#   NRPE daemon will wait for a connection to be established before exiting.
# @param [String] ne_ssl_version These directives allow you to specify how to
#   use SSL/TLS.
# @param [String] ne_ssl_use_adh This is for backward compatibility and is
#   DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
#   default but will be changed in a later version.
# @param [String] ne_ssl_cipher_list ciphers can be used. For backward
#   compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
#   this version but will be changed in a later version of NRPE.
# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
#   authority  (ca) file / chain. must be full path.
# @param [String] ne_ssl_client_certs determines client certificate usage.
#   Values: 0 = Don't ask for or require client certificates
#   1 = Ask for client certificates
#   2 = Require client certificates
# @param [String] ne_ssl_logging determines which SSL messages are send to
#   syslog. OR values together to specify multiple options.
#   Values: 0x00 (0) = No additional logging (default)
#   0x01 (1) = Log startup SSL/TLS parameters
#   0x02 (2) = Log remote IP address
#   0x04 (4) = Log SSL/TLS version of connections
#   0x08 (8) = Log which cipher is being used for the connection
#   0x10 (16) = Log if client has a certificate
#   0x20 (32) = Log details of client's certificate if it has one
#   -1 or 0xff or 0x2f = All of the above
# @param [Array] ne_nasty_metachars  list of characters that cannot
# be passed to the NRPE daemon.
# @param [String] ne_include_file include definitions from an external
#   config file.
# @param [String] ne_fw_order_no ordering prefix for he firewall rules. Adjust
#   to your environment if needed.
# @param [String] ne_ssl_opts Specify additional SSL options.
# @param [String] ne_user the NRPE service user
# @param [String] ne_user_comment The comment for the service user /etc/passwd
# @param [String] ne_user_uid the UID for the service user
# @param [String] ne_user_home the home for the service user
# @param [String] ne_user_shell the shell for the service user.
# @param [String] ne_user_groups additional groups for the service user.
# @param [String] ne_server_address the network interfaces to listen on
# @param [String] ne_allow_weak_rnd_seed Whether to allow weak random seeds
# @param [String] ne_include_selinux Whether to manage selinux
# @param [Boolean] ne_enable_ssl Whether to enable SSL certificates.
# @param [Array] reqpackages which packages to install
# @param [Boolean] ne_manage_cmds Whether to manage command rules for NRPE
#   checks, to allow dynamic check & command rules.
###############################################################################
class confdroid_nrpe::params (

  String $pkg_ensure                 = 'present',
  Array $reqpackages                 = ['nrpe','nrpe-selinux','selinux-policy-devel'],

  Boolean $ne_manage_cmds            = true,

# NRPE user settings
  String $ne_user                    = 'nrpe',
  String $ne_user_comment            = 'NRPE service user',
  String $ne_user_uid                = '1005',
  String $ne_user_home               = '/var/run/nrpe',
  Optional[String] $ne_user_groups   = undef,
  String $ne_user_shell              = '/sbin/nologin',

# nrpe.cfg
  String $ne_log_facility            = 'daemon',
  String $ne_log_file                = '',
  String $ne_debug                   = '0',
  String $ne_nrpe_port               = '5666',
  String $ne_server_address          = '0.0.0.0',
  String $ne_listen_queue_size       = '5',
  String $ne_nagios_server           = 'nagios.example.net',
  String $ne_dont_blame_nrpe         = '1',
  String $ne_allow_bash_cmd_subst    = '1',
  Boolean $ne_allow_sudo             = true,
  String $ne_command_prefix          = '/usr/bin/sudo',
  String $ne_command_timeout         = '60',
  String $ne_connection_timeout      = '300',
  String $ne_allow_weak_rnd_seed     = '1',
  Boolean $ne_enable_ssl             = false,
  String $ne_ssl_version             = 'TLSv2+',
  String $ne_ssl_use_adh             = '1',
  String $ne_ssl_cipher_list         = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
  String $ne_ssl_cacert_file         = '/etc/pki/tls/certs/ca-chain.crt.pem',
  String $ne_ssl_client_certs        = '2',
  String $ne_ssl_logging             = '0x00',
  Array $ne_nasty_metachars          = ["|`&><'\\[]{};\r\n"],
  String $ne_include_file            = '',

# nrpe.conf
  String $ne_ssl_opts                = '',

# firewall
  Boolean $ne_incl_fw                = true,
  String $ne_fw_order_no             = '50',

# selinux
  Boolean $ne_include_selinux        = true,

) {
# Default facts
  $fqdn                     = $facts['networking']['fqdn']
  $domain                   = $facts['networking']['domain']
  $os_name                  = $facts['os']['name']
  $os_release               = $facts['os']['release']['major']

# service
  $ne_service                 = 'nrpe'

# directories
  $ne_main_conf_d_dir         = '/etc/nrpe.d'
  $ne_run_dir                 = '/var/run/nrpe'

# files
  $ne_main_conf_file          = '/etc/nagios/nrpe.cfg'
  $ne_main_conf_erb           = 'confdroid_nrpe/nrpe_cfg.erb'
  $ne_nrpe_pid_file           = "${ne_run_dir}/nrpe.pid"
  $ne_nrpe_conf_file          = '/etc/sysconfig/nrpe'
  $ne_nrpe_conf_erb           = 'confdroid_nrpe/nrpe_conf.erb'
  $ne_cmd_file                = "${ne_main_conf_d_dir}/commands.cfg"
  $ne_cmd_head_erb            = 'confdroid_nrpe/cmd_head.erb'
  $ne_cmd_rule_erb            = 'confdroid_nrpe/cmd_rule.erb'
  $ne_sudo_file               = '/etc/sudoers.d/nagios_sudo'
  $ne_sudo_rule_erb           = 'confdroid_nrpe/sudo_rule.erb'
  $ne_nrpe_te_file            = "${ne_main_conf_d_dir}/nrpe.te"
  $ne_nrpe_te_erb             = 'confdroid_nrpe/nrpe.te.erb'
  $ne_nrpe_mod_file           = "${ne_main_conf_d_dir}/nrpe.mod"
  $ne_checkmodule_nrpe_erb    = 'confdroid_nrpe/checkmodule_nrpe.erb'
  $ne_nrpe_pp_file            = "${ne_main_conf_d_dir}/nrpe.pp"
  $ne_semodule_erb            =  'confdroid_nrpe/semodule_nrpe.erb'
  $ne_ssl_cert_file           = "/etc/pki/tls/certs/${fqdn}.crt.pem"
  $ne_ssl_privatekey_file     = "/etc/pki/tls/private/${fqdn}.key.pem"

# includes must be last
  include confdroid_nrpe::main::config
}
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`## confdroid_nrpe::params.pp`
			`# Module name: confdroid_nrpe`
			`# Author: 12ww1160 (12ww1160@ConfDroid.com)`
			`# @summary Class holds all parameters for the confdroid_nrpe module and is`
initial commit 2017-07-28 14:08:13 +01:00			`# inherited by all classes except defines.`
fixed teh right file this time 2017-07-28 17:41:54 +01:00			`# @see https://www.nagios.org/documentation/`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] pkg_ensure`
initial commit 2017-07-28 14:08:13 +01:00			`# which [package type](https://confdroid.com/2017/05/puppet-type-package/)`
			# to choose, i.e. `latest` or `present`.
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_log_facility the log facility to use.`
			`# @param [String] ne_log_file If a log file is specified in this option,`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_debug Whether debugging messages are logged to the`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# syslog facility.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_nrpe_port the NRPE port. used in firewall ( optional)`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# and configuration file.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_listen_queue_size Listen queue size (backlog) for`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# serving incoming connections.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_nagios_server ipaddress of the nagios server to be allowed`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# to connect to NRPE service. Default is to look up a global parameter from`
			`# ENC.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_dont_blame_nrpe whether or not the NRPE daemon will`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# allow clients to specify arguments to commands that are executed.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_allow_bash_cmd_subst whether or not the NRPE daemon will`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# allow clients to specify arguments that contain bash command substitutions`
			`# of the form $(...).`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [Boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# as well as for creating a sudo role.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_command_prefix allows you to prefix all commands with a`
			`# user-defined String.`
			`# @param [String] ne_incl_fw Whether to include firewall rules`
			`# @param [String] ne_command_timeout maximum number of seconds that the NRPE`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# daemon will allow plugins to finish executing before killing them off.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_connection_timeout maximum number of seconds that the`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# NRPE daemon will wait for a connection to be established before exiting.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_version These directives allow you to specify how to`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# use SSL/TLS.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_use_adh This is for backward compatibility and is`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the`
			`# default but will be changed in a later version.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_cipher_list ciphers can be used. For backward`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in`
			`# this version but will be changed in a later version of NRPE.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_cacert_file path and name of the ssl certificate`
fixed permissions on command.cfg file 2017-07-30 13:32:50 +01:00			`# authority (ca) file / chain. must be full path.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_client_certs determines client certificate usage.`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# Values: 0 = Don't ask for or require client certificates`
			`# 1 = Ask for client certificates`
			`# 2 = Require client certificates`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_logging determines which SSL messages are send to`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# syslog. OR values together to specify multiple options.`
			`# Values: 0x00 (0) = No additional logging (default)`
			`# 0x01 (1) = Log startup SSL/TLS parameters`
			`# 0x02 (2) = Log remote IP address`
			`# 0x04 (4) = Log SSL/TLS version of connections`
			`# 0x08 (8) = Log which cipher is being used for the connection`
			`# 0x10 (16) = Log if client has a certificate`
			`# 0x20 (32) = Log details of client's certificate if it has one`
			`# -1 or 0xff or 0x2f = All of the above`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [Array] ne_nasty_metachars list of characters that cannot`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# be passed to the NRPE daemon.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_include_file include definitions from an external`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# config file.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_fw_order_no ordering prefix for he firewall rules. Adjust`
fixed teh right file this time 2017-07-28 17:41:54 +01:00			`# to your environment if needed.`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`# @param [String] ne_ssl_opts Specify additional SSL options.`
			`# @param [String] ne_user the NRPE service user`
			`# @param [String] ne_user_comment The comment for the service user /etc/passwd`
			`# @param [String] ne_user_uid the UID for the service user`
			`# @param [String] ne_user_home the home for the service user`
			`# @param [String] ne_user_shell the shell for the service user.`
			`# @param [String] ne_user_groups additional groups for the service user.`
			`# @param [String] ne_server_address the network interfaces to listen on`
			`# @param [String] ne_allow_weak_rnd_seed Whether to allow weak random seeds`
			`# @param [String] ne_include_selinux Whether to manage selinux`
			`# @param [Boolean] ne_enable_ssl Whether to enable SSL certificates.`
			`# @param [Array] reqpackages which packages to install`
			`# @param [Boolean] ne_manage_cmds Whether to manage command rules for NRPE`
updated README, added defintions 2017-07-30 12:32:29 +01:00			`# checks, to allow dynamic check & command rules.`
included service and pointed to files 2017-07-28 16:42:50 +01:00			`###############################################################################`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`class confdroid_nrpe::params (`
initial commit 2017-07-28 14:08:13 +01:00
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`String $pkg_ensure = 'present',`
OP#429 initial commit after fork 2026-02-10 18:16:02 +01:00			`Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'],`
fixed typo 2017-07-28 14:35:33 +01:00
OP#429 initial commit after fork 2026-02-10 18:16:02 +01:00			`Boolean $ne_manage_cmds = true,`
updated README, added defintions 2017-07-30 12:32:29 +01:00
fixed permissions on command.cfg file 2017-07-30 15:01:52 +01:00			`# NRPE user settings`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`String $ne_user = 'nrpe',`
			`String $ne_user_comment = 'NRPE service user',`
			`String $ne_user_uid = '1005',`
			`String $ne_user_home = '/var/run/nrpe',`
			`Optional[String] $ne_user_groups = undef,`
			`String $ne_user_shell = '/sbin/nologin',`
fixed permissions on command.cfg file 2017-07-30 15:01:52 +01:00
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# nrpe.cfg`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`String $ne_log_facility = 'daemon',`
			`String $ne_log_file = '',`
			`String $ne_debug = '0',`
			`String $ne_nrpe_port = '5666',`
			`String $ne_server_address = '0.0.0.0',`
			`String $ne_listen_queue_size = '5',`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`String $ne_nagios_server = 'nagios.example.net',`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`String $ne_dont_blame_nrpe = '1',`
			`String $ne_allow_bash_cmd_subst = '1',`
			`Boolean $ne_allow_sudo = true,`
			`String $ne_command_prefix = '/usr/bin/sudo',`
			`String $ne_command_timeout = '60',`
			`String $ne_connection_timeout = '300',`
			`String $ne_allow_weak_rnd_seed = '1',`
			`Boolean $ne_enable_ssl = false,`
			`String $ne_ssl_version = 'TLSv2+',`
			`String $ne_ssl_use_adh = '1',`
			`String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',`
			`String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',`
			`String $ne_ssl_client_certs = '2',`
			`String $ne_ssl_logging = '0x00',`
			Array $ne_nasty_metachars = ["\|`&><'\\[]{};\r\n"],
			`String $ne_include_file = '',`
included service and pointed to files 2017-07-28 16:42:50 +01:00
fixed teh right file this time 2017-07-28 17:41:54 +01:00			`# nrpe.conf`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`String $ne_ssl_opts = '',`
fixed teh right file this time 2017-07-28 17:41:54 +01:00
included service and pointed to files 2017-07-28 16:42:50 +01:00			`# firewall`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`Boolean $ne_incl_fw = true,`
			`String $ne_fw_order_no = '50',`
included service and pointed to files 2017-07-28 16:42:50 +01:00
syntax 2017-07-28 16:58:16 +01:00			`# selinux`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`Boolean $ne_include_selinux = true,`
syntax 2017-07-28 16:58:16 +01:00
initial commit 2017-07-28 14:08:13 +01:00			`) {`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`# Default facts`
			`$fqdn = $facts['networking']['fqdn']`
			`$domain = $facts['networking']['domain']`
			`$os_name = $facts['os']['name']`
			`$os_release = $facts['os']['release']['major']`

included service and pointed to files 2017-07-28 16:42:50 +01:00			`# service`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_service = 'nrpe'`
included service and pointed to files 2017-07-28 16:42:50 +01:00
			`# directories`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_main_conf_d_dir = '/etc/nrpe.d'`
			`$ne_run_dir = '/var/run/nrpe'`
included service and pointed to files 2017-07-28 16:42:50 +01:00
			`# files`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_main_conf_file = '/etc/nagios/nrpe.cfg'`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_main_conf_erb = 'confdroid_nrpe/nrpe_cfg.erb'`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_nrpe_pid_file = "${ne_run_dir}/nrpe.pid"`
			`$ne_nrpe_conf_file = '/etc/sysconfig/nrpe'`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_nrpe_conf_erb = 'confdroid_nrpe/nrpe_conf.erb'`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_cmd_file = "${ne_main_conf_d_dir}/commands.cfg"`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_cmd_head_erb = 'confdroid_nrpe/cmd_head.erb'`
			`$ne_cmd_rule_erb = 'confdroid_nrpe/cmd_rule.erb'`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_sudo_file = '/etc/sudoers.d/nagios_sudo'`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_sudo_rule_erb = 'confdroid_nrpe/sudo_rule.erb'`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_nrpe_te_file = "${ne_main_conf_d_dir}/nrpe.te"`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_nrpe_te_erb = 'confdroid_nrpe/nrpe.te.erb'`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_nrpe_mod_file = "${ne_main_conf_d_dir}/nrpe.mod"`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_checkmodule_nrpe_erb = 'confdroid_nrpe/checkmodule_nrpe.erb'`
adjusted for puppet-lint compliance 2025-05-12 16:58:52 +02:00			`$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'`
			`$ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem"`
			`$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"`
included service and pointed to files 2017-07-28 16:42:50 +01:00
initial commit 2017-07-28 14:08:13 +01:00			`# includes must be last`
OP#429 initial commit after fork 2026-02-10 17:43:42 +01:00			`include confdroid_nrpe::main::config`
initial commit 2017-07-28 14:08:13 +01:00			`}`