Recommit for updates in build 43

2026-03-15 15:15:13 +01:00
parent 422acc22ca
commit 6f291e48f8
5 changed files with 63 additions and 173 deletions
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -193,14 +193,22 @@

 <h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>

+<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
+<ul><li>
+<p><code>ne_ssl_ca_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_privatekey_pem</code></p>
+</li></ul>
+
+<p>via Hiera (if you use it) or ENC.</p>
+
 <h2 id="label-SELINUX">SELINUX</h2>

 <p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>

 <h2 id="label-Known+Problems">Known Problems</h2>
-<ul><li>
-<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
-</li></ul>

 <h2 id="label-Troubleshooting">Troubleshooting</h2>
 <ul><li>
--- a/doc/index.html
+++ b/doc/index.html
@@ -193,14 +193,22 @@

 <h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>

+<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
+<ul><li>
+<p><code>ne_ssl_ca_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_privatekey_pem</code></p>
+</li></ul>
+
+<p>via Hiera (if you use it) or ENC.</p>
+
 <h2 id="label-SELINUX">SELINUX</h2>

 <p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>

 <h2 id="label-Known+Problems">Known Problems</h2>
-<ul><li>
-<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
-</li></ul>

 <h2 id="label-Troubleshooting">Troubleshooting</h2>
 <ul><li>
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
@@ -207,8 +207,7 @@
 109
 110
 111
-112
-113</pre>
+112</pre>
      </td>
      <td>
        <pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -251,7 +250,6 @@ class confdroid_nrpe::main::files (
  }

  if $ne_allow_sudo == true {
-
    file { $ne_sudo_file:
      ensure   =&gt; file,
      path     =&gt; $ne_sudo_file,
@@ -279,45 +277,45 @@ class confdroid_nrpe::main::files (
      content  =&gt; template($ne_nrpe_te_erb),
      notify   =&gt; Exec[&#39;create_nrpe_pp&#39;],
    }
+  }

-    # file for ssl certificate
-    if $ne_enable_ssl == true {
-      file { $ne_ssl_cert_file:
-        ensure   =&gt; file,
-        path     =&gt; $ne_ssl_cert_file,
-        owner    =&gt; &#39;root&#39;,
-        group    =&gt; &#39;root&#39;,
-        mode     =&gt; &#39;0644&#39;,
-        selrange =&gt; s0,
-        selrole  =&gt; object_r,
-        seltype  =&gt; cert_t,
-        seluser  =&gt; system_u,
-        content  =&gt; template($ne_ssl_cert_erb),
-      }
-      file { $ne_ssl_privatekey_file:
-        ensure   =&gt; file,
-        path     =&gt; $ne_ssl_privatekey_file,
-        owner    =&gt; &#39;root&#39;,
-        group    =&gt; &#39;root&#39;,
-        mode     =&gt; &#39;0600&#39;,
-        selrange =&gt; s0,
-        selrole  =&gt; object_r,
-        seltype  =&gt; cert_t,
-        seluser  =&gt; system_u,
-        content  =&gt; template($ne_ssl_privatekey_erb),
-      }
-      file { $ne_ssl_ca_cert_file:
-        ensure   =&gt; file,
-        path     =&gt; $ne_ssl_ca_cert_file,
-        owner    =&gt; &#39;root&#39;,
-        group    =&gt; &#39;root&#39;,
-        mode     =&gt; &#39;0644&#39;,
-        selrange =&gt; s0,
-        selrole  =&gt; object_r,
-        seltype  =&gt; cert_t,
-        seluser  =&gt; system_u,
-        content  =&gt; template($ne_ssl_ca_cert_erb),
-      }
+  # file for ssl certificate
+  if $ne_enable_ssl == true {
+    file { $ne_ssl_cert_file:
+      ensure   =&gt; file,
+      path     =&gt; $ne_ssl_cert_file,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0644&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; cert_t,
+      seluser  =&gt; system_u,
+      content  =&gt; template($ne_ssl_cert_erb),
+    }
+    file { $ne_ssl_privatekey_file:
+      ensure   =&gt; file,
+      path     =&gt; $ne_ssl_privatekey_file,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0600&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; cert_t,
+      seluser  =&gt; system_u,
+      content  =&gt; template($ne_ssl_privatekey_erb),
+    }
+    file { $ne_ssl_ca_cert_file:
+      ensure   =&gt; file,
+      path     =&gt; $ne_ssl_ca_cert_file,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0644&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; cert_t,
+      seluser  =&gt; system_u,
+      content  =&gt; template($ne_ssl_ca_cert_erb),
    }
  }
 }</pre>
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
@@ -699,7 +699,7 @@ inherited by all classes except defines.
        <span class='type'>(<tt>Boolean</tt>)</span>
      
      
-        <em class="default">(defaults to: <tt>false</tt>)</em>
+        <em class="default">(defaults to: <tt>true</tt>)</em>
      
      
        &mdash;
@@ -945,7 +945,7 @@ class confdroid_nrpe::params (
  String $ne_command_timeout              = &#39;60&#39;,
  String $ne_connection_timeout           = &#39;300&#39;,
  String $ne_allow_weak_rnd_seed          = &#39;1&#39;,
-  Boolean $ne_enable_ssl                  = false,
+  Boolean $ne_enable_ssl                  = true,
  String $ne_ssl_version                  = &#39;TLSv2+&#39;,
  String $ne_ssl_use_adh                  = &#39;1&#39;,
  String $ne_ssl_cipher_list              = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,