From 80dcda911b35ec19de239083b78fb32312f7e2ad Mon Sep 17 00:00:00 2001 From: 12ww1160 <12ww1160@confdroid.com> Date: Sun, 15 Mar 2026 14:46:33 +0100 Subject: [PATCH] adding variables and place holders for certs --- README.md | 2 +- manifests/main/files.pp | 28 ++++++++++++ manifests/params.pp | 82 +++++++++++++++++++++--------------- templates/ssl_cert.erb | 3 ++ templates/ssl_privatekey.erb | 3 ++ 5 files changed, 82 insertions(+), 36 deletions(-) create mode 100644 templates/ssl_cert.erb create mode 100644 templates/ssl_privatekey.erb diff --git a/README.md b/README.md index 1a2cbff..6b17f2c 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ NRPE allows monitoring tools like NAGIOS or ICINGA to connect to clients for mon ## WARNING -***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production*** +> **Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production** ## Features diff --git a/manifests/main/files.pp b/manifests/main/files.pp index c03d198..c58b0ba 100644 --- a/manifests/main/files.pp +++ b/manifests/main/files.pp 
@@ -69,5 +69,33 @@ class confdroid_nrpe::main::files (
 content => template($ne_nrpe_te_erb),
 notify => Exec['create_nrpe_pp'],
 }
+
+ # file for ssl certificate
+ if $ne_enable_ssl == true {
+ file { $ne_ssl_cert_file:
+ ensure => file,
+ path => $ne_ssl_cert_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_cert_erb),
+ }
+ file { $ne_ssl_privatekey_file:
+ ensure => file,
+ path => $ne_ssl_privatekey_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_privatekey_erb),
+ }
+ }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 27d52ef..9bc3acf 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
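Review bot: With `ne_enable_ssl` true and the PEM parameters left at their `undef` default, both `file` resources are still declared and, given the guard in the new templates, render as zero-byte files at the certificate and key paths; nothing enforces the "must be specified if SSL is enabled" rule stated in the parameter docs. A `fail()` at the top of the `if` block turns that misconfiguration into a catalog compile error instead of an empty key file on the host (assuming `$ne_ssl_cert_pem` and `$ne_ssl_privatekey_pem` are reachable here the same way `$ne_enable_ssl` is). The private-key resource should also set `show_diff => false` so that a changed key is not printed into agent logs and reports when Puppet rewrites the file. Neither resource notifies the NRPE service, so a rotated certificate or key is not picked up until something else restarts the daemon — if the module manages the service elsewhere, a `notify` belongs here too.
```puppet
  if $ne_enable_ssl == true {
    if $ne_ssl_cert_pem == undef or $ne_ssl_privatekey_pem == undef {
      fail('ne_ssl_cert_pem and ne_ssl_privatekey_pem must be set when ne_enable_ssl is true')
    }
    # … unchanged: file { $ne_ssl_cert_file: … } …
    file { $ne_ssl_privatekey_file:
      # … unchanged: ensure, path, owner, group, mode, selinux attributes …
      show_diff => false,
      content   => template($ne_ssl_privatekey_erb),
    }
  }
```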
@@ -74,55 +74,65 @@ # @param [Array] reqpackages which packages to install # @param [Boolean] ne_manage_cmds Whether to manage command rules for NRPE # checks, to allow dynamic check & command rules. +# @param [String] ne_ssl_cert_pem Optional parameter to specify the content of +# the nagios server ssl certificate. This is used for the nagios server +# certificate and has to be provided via Hiera or ENC. Must be specified if +# SSL is enabled. +# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the content of +# the nagios server ssl private key. This is used for the nagios server +# private key and has to be provided via Hiera or ENC. Must be specified if +# SSL is enabled. ############################################################################### class confdroid_nrpe::params ( - String $pkg_ensure = 'present', - Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'], + String $pkg_ensure = 'present', + Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'], - Boolean $ne_manage_cmds = true, + Boolean $ne_manage_cmds = true, # NRPE user settings - String $ne_user = 'nrpe', - String $ne_user_comment = 'NRPE service user', - String $ne_user_uid = '1005', - String $ne_user_home = '/var/run/nrpe', - Optional[String] $ne_user_groups = undef, - String $ne_user_shell = '/sbin/nologin', + String $ne_user = 'nrpe', + String $ne_user_comment = 'NRPE service user', + String $ne_user_uid = '1005', + String $ne_user_home = '/var/run/nrpe', + Optional[String] $ne_user_groups = undef, + String $ne_user_shell = '/sbin/nologin', # nrpe.cfg - String $ne_log_facility = 'daemon', - String $ne_log_file = '', - String $ne_debug = '0', - String $ne_nrpe_port = '5666', - String $ne_server_address = '0.0.0.0', - String $ne_listen_queue_size = '5', - String $ne_dont_blame_nrpe = '1', - String $ne_allow_bash_cmd_subst = '1', - Boolean $ne_allow_sudo = true, - String $ne_command_prefix = '/usr/bin/sudo', - String $ne_command_timeout = '60', 
- String $ne_connection_timeout = '300', - String $ne_allow_weak_rnd_seed = '1', - Boolean $ne_enable_ssl = false, - String $ne_ssl_version = 'TLSv2+', - String $ne_ssl_use_adh = '1', - String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH', - String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem', - String $ne_ssl_client_certs = '2', - String $ne_ssl_logging = '0x00', - Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"], - String $ne_include_file = '', + String $ne_log_facility = 'daemon', + String $ne_log_file = '', + String $ne_debug = '0', + String $ne_nrpe_port = '5666', + String $ne_server_address = '0.0.0.0', + String $ne_listen_queue_size = '5', + String $ne_dont_blame_nrpe = '1', + String $ne_allow_bash_cmd_subst = '1', + Boolean $ne_allow_sudo = true, + String $ne_command_prefix = '/usr/bin/sudo', + String $ne_command_timeout = '60', + String $ne_connection_timeout = '300', + String $ne_allow_weak_rnd_seed = '1', + Boolean $ne_enable_ssl = false, + String $ne_ssl_version = 'TLSv2+', + String $ne_ssl_use_adh = '1', + String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH', + String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem', + String $ne_ssl_client_certs = '2', + String $ne_ssl_logging = '0x00', + Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"], + String $ne_include_file = '', + Optional[String] $ne_ssl_cert_pem = undef, + Optional[String] $ne_ssl_privatekey_pem = undef, # nrpe.conf - String $ne_ssl_opts = '', + String $ne_ssl_opts = '', # firewall - Boolean $ne_incl_fw = true, - String $ne_fw_order_no = '50', + Boolean $ne_incl_fw = true, + String $ne_fw_order_no = '50', # selinux - Boolean $ne_include_selinux = true, + Boolean $ne_include_selinux = true, ) { # Default facts 
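Review bot: `Optional[String] $ne_ssl_privatekey_pem = undef,` types a private key as an ordinary string, so its value travels in the compiled catalog and can surface in agent debug output, reports and resource diffs in cleartext; Puppet's `Sensitive` type exists for exactly this case and would make the line `Optional[Sensitive[String]] $ne_ssl_privatekey_pem = undef,`, with the consumer unwrapping it (presumably `.unwrap` in the template) before rendering. The new `@param` lines also disagree with the declarations: they document the type as `[String]` while the parameter is `Optional[String]`, and call the value "optional" in the same breath as "must be specified if SSL is enabled" — `# @param [Optional[String]] ne_ssl_privatekey_pem PEM-encoded private key for this host's NRPE certificate; required when ne_enable_ssl is true.` says it once. Both docs describe the values as the "nagios server" certificate and key, while the later hunk writes them to `${fqdn}`-named paths, which looks like the NRPE host's own material — worth confirming which end of the connection these belong to. The `confdroid_nrpe::params` class body continues past the end of this hunk.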
@@ -158,7 +168,9 @@ class confdroid_nrpe::params ( $ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp" $ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb' $ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem" + $ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb' $ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem" + $ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb' # includes must be last include confdroid_nrpe::main::config diff --git a/templates/ssl_cert.erb b/templates/ssl_cert.erb new file mode 100644 index 0000000..a3db546 --- /dev/null +++ b/templates/ssl_cert.erb @@ -0,0 +1,3 @@ +<% unless $ne_ssl_cert_pem == undef -%> +<%= $ne_ssl_cert_pem %> +<% end -%> \ No newline at end of file diff --git a/templates/ssl_privatekey.erb b/templates/ssl_privatekey.erb new file mode 100644 index 0000000..055f5f6 --- /dev/null +++ b/templates/ssl_privatekey.erb @@ -0,0 +1,3 @@ +<% unless $ne_ssl_privatekey_pem == undef -%> +<%= $ne_ssl_privatekey_pem %> +<% end -%> \ No newline at end of file
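Review bot: `<% unless $ne_ssl_cert_pem == undef -%>` is Puppet syntax inside a Ruby ERB template: when rendered via `template()`, `$ne_ssl_cert_pem` is a Ruby global that Puppet never sets, and `undef` with no method name after it is not valid Ruby, so catalog compilation will most likely fail — and if it somehow parsed, the certificate would never be emitted. In ERB the class variable is reached as `@ne_ssl_cert_pem` and absence is `nil`, i.e. `<% unless @ne_ssl_cert_pem.nil? -%>` on the first line and `<%= @ne_ssl_cert_pem %>` on the second; the alternative is to make these `.epp` files with a parameter list and render them with `epp()`. The same applies to `templates/ssl_privatekey.erb` in the following hunk.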