included service and pointed to files

README.md

@@ -30,10 +30,12 @@ NRPE allows monitoring tools like NAGIOS or ICINGA to connect to clients for mon
 
 ### Features
 INSTALLATION
-* install binaries
+* install nrpe binaries
 
 CONFIGURATION
+* manage NRPE service user properties
 * manage directory structure (file system permissions, selinux context)
+*
 
 SERVICE
 
@@ -44,8 +46,11 @@ Repostructure has moved to REPOSTRUCTURE.md in repo.
 All dependencies must be included in the catalogue.
 
 * [cd_resources](https://gitlab.puppetsoft.com/12WW1160/cd_resources) to manage YUM repositories.
+* [cd_stdlib](https://gitlab.puppetsoft.com/12WW1160/cd_stdlib) or [puppetlabs stdlib](https://github.com/puppetlabs/puppetlabs-stdlib) to facilitate concat
+* [cd_concat](https://gitlab.puppetsoft.com/12WW1160/cd_stdlib)  or [puppetlabs concat](https://github.com/puppetlabs/puppetlabs-concat) for concatenating files
 
 ### Deployment
+`cd_nrpe` does typically not need to be specifically declared. It will be auto-required by `cd_nagios` with default settings. Only if you want to override settings declare it specifically.
 
 ##### native Puppet deployment
 
@@ -57,7 +62,7 @@ node 'example.example.net' {
 }
 ```
 #### through Foreman:
-In order to apply parameters through Foreman, **__cd_nrpe::params__** must be added to the host or hostgroup in question.
+In order to apply parameters through Foreman, **__cd_nrpe::params__** must be added to the host or hostgroup in question, unless the defaults are fully acceptable across the estate.
 
 See [more details about class deployment on Confdroid.com](https://confdroid.com/2017/05/deploying-our-puppet-modules/).
 

manifests/main/config.pp

@@ -26,6 +26,6 @@ class cd_nrpe::main::config (
 
 ) inherits cd_nrpe::params {
 
-  include cd_nrpe::main::user
+  include cd_nrpe::main::service
 
 }

manifests/main/dirs.pp

@@ -0,0 +1,56 @@
+## cd_nrpe::main::dirs.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+#    This file is part of cd_nrpe.
+#
+#    cd_nrpe is used for providing automatic configuration of
+#    <service / purpose>
+#    Copyright (C) 2016  ConfDroid (copyright@ConfDroid.com)
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# @summary Class manages all directories required for cd_nrpe.
+###############################################################################
+class cd_nrpe::main::dirs (
+
+) inherits cd_nrpe::params {
+
+  require cd_nrpe::main::user
+
+  # manage main conf_d_dir
+
+  file { $ne_main_conf_d_dir:
+    ensure    =>  directory,
+    path      =>  $ne_main_conf_d_dir,
+    owner     =>  'root',
+    group     =>  'root',
+    mode      =>  '0755',
+    selrange  =>  s0,
+    selrole   =>  object_r,
+    seltype   =>  etc_t,
+    seluser   =>  system_u,
+  }
+
+  file { $ne_run_dir:
+    ensure    =>  directory,
+    path      =>  $ne_run_dir,
+    owner     =>  $ne_user,
+    group     =>  $ne_user,
+    mode      =>  '0755',
+    selrange  =>  s0,
+    selrole   =>  object_r,
+    seltype   =>  var_run_t,
+    seluser   =>  system_u,
+  }
+
+}

manifests/main/files.pp

@@ -0,0 +1,44 @@
+## cd_nrpe::main::files.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+#    This file is part of cd_nrpe.
+#
+#    cd_nrpe is used for providing automatic configuration of
+#    <service / purpose>
+#    Copyright (C) 2016  ConfDroid (copyright@ConfDroid.com)
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# @summary  Class manages all configuration files required for cd_nrpe.
+##############################################################################
+class cd_nrpe::main::files (
+
+) inherits cd_nrpe::params {
+
+  require cd_nrpe::main::dirs
+
+  file { $ne_main_conf_file:
+    ensure    =>  file,
+    path      =>  ne_main_conf_file,
+    owner     =>  'root',
+    group     =>  'root',
+    mode      =>  '0640',
+    selrange  =>  s0,
+    selrole   =>  object_r,
+    seltype   =>  nrpe_etc_t,
+    seluser   =>  system_u,
+    content   =>  template($ne_main_conf_file),
+    notify    =>  Service[$ne_service],
+  }
+
+}

manifests/main/service.pp

@@ -0,0 +1,37 @@
+## cd_nrpe::main::service.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+#    This file is part of cd_nrpe.
+#
+#    cd_nrpe is used for providing automatic configuration of
+#    <service / purpose>
+#    Copyright (C) 2016  ConfDroid (copyright@ConfDroid.com)
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# @summary  Class manages the service(s) for cd_nrpe.
+#############################################################################
+class cd_nrpe::main::service (
+
+) inherits cd_nrpe::params {
+
+  require cd_nrpe::main::files
+
+  service { $ne_service:
+    ensure      => running,
+    hasstatus   => true,
+    hasrestart  => true,
+    enable      => true,
+  }
+
+}

manifests/params.pp

@@ -24,7 +24,66 @@
 # @param  [string] pkg_ensure
 #   which [package type](https://confdroid.com/2017/05/puppet-type-package/)
 #   to choose, i.e. `latest` or `present`.
-##############################################################################
+# @param  [string] ne_log_facility the log facility to use.
+# @param  [string] ne_log_file If a log file is specified in this option,
+#   nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log
+# @param  [string] ne_debug Whether debugging messages are logged to the
+#   syslog facility.
+# @param  [string]  ne_nrpe_port the NRPE port. used in firewall ( optional)
+#   and configuration file.
+# @param  [string] ne_listen_queue_size  Listen queue size (backlog) for
+#   serving incoming connections.
+# @param  [string] ne_nagios_server ipaddress of the nagios server to be allowed
+#   to connect to NRPE service. Default is to look up a global parameter from
+#   ENC.
+# @param  [string]  ne_dont_blame_nrpe whether or not the NRPE daemon will
+#   allow clients to specify arguments to commands that are executed.
+# @param  [string] ne_allow_bash_cmd_subst whether or not the NRPE daemon will
+#   allow clients to specify arguments that contain bash command substitutions
+#   of the form $(...).
+# @param  [boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg
+#   as well as for creating a sudo role.
+# @param  [string] command_prefix allows you to prefix all commands with a
+#   user-defined string.
+# @param  [string]  ne_incl_fw Whether to include firewall rules
+# @param  [string] ne_command_timeout maximum number of seconds that the NRPE
+#   daemon will allow plugins to finish executing before killing them off.
+# @param  [string] ne_connection_timeout maximum number of seconds that the
+#   NRPE daemon will wait for a connection to be established before exiting.
+# @param  [string] ne_ssl_version These directives allow you to specify how to
+#   use SSL/TLS.
+# @param  [string] ne_ssl_use_adh This is for backward compatibility and is
+#   DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
+#   default but will be changed in a later version.
+# @param  [string] ne_ssl_cipher_list ciphers can be used. For backward
+#   compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
+#   this version but will be changed in a later version of NRPE.
+# @param  [string] ne_ssl_cacert_file path and name of the ssl certificate
+#   authority  ( ca) file / chain. must be full path.
+# @param  [string] ne_ssl_cert_file path and name of the server ssl certificate.
+#   must include full path.
+# @param  [string] ne_ssl_privatekey_filepath and name of the server ssl
+#   private key.  Must include full path.
+# @param  [string] ne_ssl_client_certs determines client certificate usage.
+#   Values: 0 = Don't ask for or require client certificates
+#   1 = Ask for client certificates
+#   2 = Require client certificates
+# @param  [string] ne_ssl_logging determines which SSL messages are send to
+#   syslog. OR values together to specify multiple options.
+#   Values: 0x00 (0) = No additional logging (default)
+#   0x01 (1) = Log startup SSL/TLS parameters
+#   0x02 (2) = Log remote IP address
+#   0x04 (4) = Log SSL/TLS version of connections
+#   0x08 (8) = Log which cipher is being used for the connection
+#   0x10 (16) = Log if client has a certificate
+#   0x20 (32) = Log details of client's certificate if it has one
+#   -1 or 0xff or 0x2f = All of the above
+# @param  [string] ne_nasty_metachars  list of characters that cannot
+# be passed to the NRPE daemon.
+# @param  [string] ne_include_file include definitions from an external
+#   config file.
+# @param  [string] ne_include_dir
+###############################################################################
 class cd_nrpe::params (
 
 $pkg_ensure                 = 'latest',
@@ -33,10 +92,42 @@ $pkg_ensure                 = 'latest',
 $ne_user                    = 'nrpe',
 $ne_user_comment            = 'NRPE service user',
 $ne_user_uid                = '1005',
-$ne_user_home               = '/var/run/nagios',
+$ne_user_home               = '/var/run/nrpe',
 $ne_user_groups             = undef,
 $ne_user_shell              = '/sbin/nologin',
 
+# nrpe.cfg
+$ne_log_facility            = 'daemon'
+$ne_log_file                = '',
+$ne_debug                   = '0',
+$ne_nrpe_port               = '5666',
+$ne_server_address          = '127.0.0.1',
+$ne_listen_queue_size       = '5',
+$ne_nagios_server           = $::nagios_server,
+$ne_dont_blame_nrpe         = '1',
+$ne_allow_bash_cmd_subst    = '1',
+$ne_allow_sudo              = true,
+$ne_command_prefix          = '/usr/bin/sudo',
+$ne_command_timeout         = '60',
+$ne_connection_timeout      = '300',
+$ne_allow_weak_rnd_seed     = '1',
+$ne_ssl_version             = 'TLSv1.1+',
+$ne_ssl_use_adh             = '1',
+$ne_ssl_cipher_list         = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
+$ne_ssl_cacert_file         = '/etc/pki/tls/certs/ca-chain.crt.pem',
+$ne_ssl_cert_file           = "/etc/pki/tls/certs/${::fqdn}.crt.pem",
+$ne_ssl_privatekey_file     = "/etc/pki/tls/private/${::fqdn}.key.pem",
+$ne_ssl_client_certs        = '2',
+$ne_ssl_logging             = '0x00',
+$ne_nasty_metachars         = '\"|`&><\'\\[]{};\r\n\"',
+$ne_include_file            = '',
+
+
+# firewall
+$ne_incl_fw                 = true,
+
+
+
 ) {
 
 # installation section
@@ -44,6 +135,18 @@ $reqpackages  = $::operatingsystem ? {
     /(?i-mx:centos|fedora|redhat)/ => ['nrpe'],
   }
 
+# service
+$ne_service                 = 'nrpe'
+
+# directories
+$ne_main_conf_d_dir         = '/etc/nrpe.d'
+$ne_run_dir                 = '/var/run/nrpe'
+
+# files
+$ne_main_conf_file          = '/etc/nagios/nrpe.cfg'
+$ne_nrpe_conf_head_erb      = 'cd_nrpe/nrpe_cfg_head.erb'
+$ne_nrpe_pid_file           = "${ne_run_dir}/nrpe.pid"
+
 # includes must be last
 
   include cd_nrpe::main::config

templates/nrpe_cfg_head.erb

@@ -0,0 +1,59 @@
+################################################################################
+##########                nrpe.cfg managed by Puppet                  ##########
+##########            manual changes will be overwritten !!!          ##########
+################################################################################
+##########          full reference is available at                    ##########
+##########      https://confdroid.com/2017/07/nrpe-nrpe-cfg/          ##########
+################################################################################
+
+log_facility=<%= @ne_log_facility %>
+
+<% unless @ne_log_file.empty ? %>
+log_file=<%= @ne_log_file %>
+<% end %>
+
+debug=<%= @ne_debug %>
+
+pid_file=<% @ne_nrpe_pid_file %>
+server_port=<%= @ne_nrpe_port %>
+
+server_address=<%= @ne_server_address %>
+listen_queue_size=<%= @ne_listen_queue_size %>
+
+nrpe_user=<%= @ne_user %>
+nrpe_group=<%= @ne_user %>
+
+allowed_hosts=127.0.0.1,::1,<%= @ne_nagios_server %>
+dont_blame_nrpe=<%= @ne_dont_blame_nrpe %>
+allow_bash_command_substitution=<%= @ne_allow_bash_cmd_subst %>
+
+<%= if @$ne_allow_sudo == true %>
+command_prefix=<%= @ne_command_prefix %>
+<% end %>
+
+command_timeout=<%= @ne_command_timeout %>
+connection_timeout=<%= @ne_connection_timeout %>
+
+allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
+
+ssl_version=<%= @ne_ssl_version %>
+ssl_use_adh=<%= @ne_ssl_use_adh %>
+ssl_cipher_list=<%= @ne_ssl_cipher_list %>
+
+ssl_cacert_file=<%= @ne_ssl_cacert_file %>
+ssl_cert_file=<%= @ne_ssl_cert_file %>
+ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
+
+ssl_client_certs=<%= @ne_ssl_client_certs %>
+ssl_logging=<%= @ne_ssl_logging %>
+
+nasty_metachars=<$= @ne_nasty_metachars  %>
+
+<% unless @ne_include_file.empty? %>
+include=<%= @ne_include_file %>
+<% end %>
+
+include_dir=<%= @ne_main_conf_d_dir  %>
+
+### command definitions have been moved to include_dir for easier external
+#   management