diff --git a/README.md b/README.md index 397e536..c6d990f 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ - [Dependencies](#dependencies) - [Deployment](#deployment) - [Managing Check Commands](#managing-check-commands) - - [managing TLS serts](#managing-tls-serts) + - [managing TLS certificates](#managing-tls-certificates) - [SELINUX](#selinux) - [Known Problems](#known-problems) - [Troubleshooting](#troubleshooting) @@ -100,7 +100,7 @@ A: Sometimes the name of the check is different, like this: It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location. -## managing TLS serts +## managing TLS certificates ## SELINUX diff --git a/manifests/main/files.pp b/manifests/main/files.pp index c58b0ba..31704e5 100644 --- a/manifests/main/files.pp +++ b/manifests/main/files.pp @@ -96,6 +96,18 @@ class confdroid_nrpe::main::files ( seluser => system_u, content => template($ne_ssl_privatekey_erb), } + file { $ne_ssl_ca_cert_file: + ensure => file, + path => $ne_ssl_ca_cert_file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => cert_t, + seluser => system_u, + content => template($ne_ssl_ca_cert_erb), + } } } } diff --git a/manifests/params.pp b/manifests/params.pp index 9bc3acf..5bcf209 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -78,10 +78,13 @@ # the nagios server ssl certificate. This is used for the nagios server # certificate and has to be provided via Hiera or ENC. Must be specified if # SSL is enabled. -# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the content of -# the nagios server ssl private key. This is used for the nagios server -# private key and has to be provided via Hiera or ENC. Must be specified if -# SSL is enabled. +# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the +# content of the nagios server ssl private key. This is used for the nagios +# server private key and has to be provided via Hiera or ENC. Must be specified +# if SSL is enabled. +# @param [String] ne_ssl_ca_cert_pem Optional parameter to specify the content of +# the CA certificate. This is used for the CA certificate and has to be +# provided via Hiera or ENC. Must be specified if SSL is enabled. ############################################################################### class confdroid_nrpe::params ( @@ -123,6 +126,7 @@ class confdroid_nrpe::params ( String $ne_include_file = '', Optional[String] $ne_ssl_cert_pem = undef, Optional[String] $ne_ssl_privatekey_pem = undef, + Optional[String] $ne_ssl_ca_cert_pem = undef, # nrpe.conf String $ne_ssl_opts = '', @@ -171,6 +175,8 @@ class confdroid_nrpe::params ( $ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb' $ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem" $ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb' + $ne_ssl_ca_cert_file = "/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem" + $ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb' # includes must be last include confdroid_nrpe::main::config diff --git a/templates/ssl_ca_cert.erb b/templates/ssl_ca_cert.erb new file mode 100644 index 0000000..525efa0 --- /dev/null +++ b/templates/ssl_ca_cert.erb @@ -0,0 +1,3 @@ +<% unless @ne_ssl_ca_cert_pem.nil -%> +<%= @ne_ssl_ca_cert_pem %> +<% end -%> \ No newline at end of file