From f0edc10d45d96d4db73c584208ec65145ee5e5ab Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Sun, 15 Mar 2026 15:04:31 +0100
Subject: [PATCH] OP#501 adding variables and place holders for certs
---
 README.md | 4 ++--
 manifests/main/files.pp | 12 ++++++++++++
 manifests/params.pp | 14 ++++++++++----
 templates/ssl_ca_cert.erb | 3 +++
 4 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 templates/ssl_ca_cert.erb
diff --git a/README.md b/README.md
index 397e536..c6d990f 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@
 - [Dependencies](#dependencies)
 - [Deployment](#deployment)
 - [Managing Check Commands](#managing-check-commands)
- - [managing TLS serts](#managing-tls-serts)
+ - [managing TLS certificates](#managing-tls-certificates)
 - [SELINUX](#selinux)
 - [Known Problems](#known-problems)
 - [Troubleshooting](#troubleshooting)
@@ -100,7 +100,7 @@ A: Sometimes the name of the check is different, like this:
 It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.
-## managing TLS serts
+## managing TLS certificates
 ## SELINUX
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index c58b0ba..31704e5 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -96,6 +96,18 @@ class confdroid_nrpe::main::files (
 seluser => system_u,
 content => template($ne_ssl_privatekey_erb),
 }
+ file { $ne_ssl_ca_cert_file:
+ ensure => file,
+ path => $ne_ssl_ca_cert_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_ca_cert_erb),
+ }
 }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 9bc3acf..5bcf209 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -78,10 +78,13 @@
 # the nagios server ssl certificate. This is used for the nagios server
 # certificate and has to be provided via Hiera or ENC. Must be specified if
 # SSL is enabled.
-# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the content of
-# the nagios server ssl private key. This is used for the nagios server
-# private key and has to be provided via Hiera or ENC. Must be specified if
-# SSL is enabled.
+# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the
+# content of the nagios server ssl private key. This is used for the nagios
+# server private key and has to be provided via Hiera or ENC. Must be specified
+# if SSL is enabled.
+# @param [String] ne_ssl_ca_cert_pem Optional parameter to specify the content of
+# the CA certificate. This is used for the CA certificate and has to be
+# provided via Hiera or ENC. Must be specified if SSL is enabled.
 ###############################################################################
 class confdroid_nrpe::params (
@@ -123,6 +126,7 @@ class confdroid_nrpe::params (
 String $ne_include_file = '',
 Optional[String] $ne_ssl_cert_pem = undef,
 Optional[String] $ne_ssl_privatekey_pem = undef,
+ Optional[String] $ne_ssl_ca_cert_pem = undef,
 # nrpe.conf
 String $ne_ssl_opts = '',
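Review bot: The new `file { $ne_ssl_ca_cert_file: }` resource in manifests/main/files.pp is written even when `ne_ssl_ca_cert_pem` is undef: the parameter is `Optional[String]` with an `undef` default, and the template's `unless` guard is meant to emit nothing in that case, which leaves an empty CA chain file on disk. The parameter doc in manifests/params.pp says the value must be specified if SSL is enabled, but nothing in the visible lines enforces it. A guard ahead of the resource, for example `unless $ne_ssl_ca_cert_pem { fail('ne_ssl_ca_cert_pem must be set when SSL is enabled') }`, would stop the catalog rather than deploy a trust file that cannot verify any peer. The enclosing conditional and the class header are outside the hunk, so this assumes the parameter is in scope there the same way `$ne_ssl_ca_cert_erb` is. Separately, `path => $ne_ssl_ca_cert_file` repeats the resource title and can be dropped.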
@@ -171,6 +175,8 @@ class confdroid_nrpe::params (
 $ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
 $ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
 $ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
+ $ne_ssl_ca_cert_file = "/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem"
+ $ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
 # includes must be last
 include confdroid_nrpe::main::config
diff --git a/templates/ssl_ca_cert.erb b/templates/ssl_ca_cert.erb
new file mode 100644
index 0000000..525efa0
--- /dev/null
+++ b/templates/ssl_ca_cert.erb
@@ -0,0 +1,3 @@
+<% unless @ne_ssl_ca_cert_pem.nil -%>
+<%= @ne_ssl_ca_cert_pem %>
+<% end -%>
\ No newline at end of file
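Review bot: The first line of templates/ssl_ca_cert.erb calls `@ne_ssl_ca_cert_pem.nil`, which Ruby does not define on either a String or nil; the predicate is `nil?`. As written, rendering raises NoMethodError, so any catalog that reaches the new CA file resource fails to compile whether or not a certificate is supplied. Change the line to `<% unless @ne_ssl_ca_cert_pem.nil? -%>`. The existing ssl_cert.erb and ssl_privatekey.erb templates are not shown here; if they use the same spelling they need the same correction.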