diff --git a/doc/file.README.html b/doc/file.README.html
index 8a939b6..d6ed910 100644
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -78,6 +78,8 @@
Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production
++Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production
+
It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.
+All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
diff --git a/doc/index.html b/doc/index.html
index 231eb78..61f9ed0 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -78,6 +78,8 @@Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production
++Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production
+
It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.
+All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
diff --git a/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
index c211ec4..dd9f2bd 100644
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
@@ -168,7 +168,35 @@ 70 71 72 -73 +73 +74 +75 +76 +77 +78 +79 +80 +81 +82 +83 +84 +85 +86 +87 +88 +89 +90 +91 +92 +93 +94 +95 +96 +97 +98 +99 +100 +101# File 'manifests/main/files.pp', line 6
@@ -239,6 +267,34 @@ class confdroid_nrpe::main::files (
content => template($ne_nrpe_te_erb),
notify => Exec['create_nrpe_pp'],
}
+
+ # file for ssl certificate
+ if $ne_enable_ssl == true {
+ file { $ne_ssl_cert_file:
+ ensure => file,
+ path => $ne_ssl_cert_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_cert_erb),
+ }
+ file { $ne_ssl_privatekey_file:
+ ensure => file,
+ path => $ne_ssl_privatekey_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_privatekey_erb),
+ }
+ }
}
}
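Review bot: The `file { $ne_ssl_privatekey_file: ... }` resource renders the private key through `template()` as ordinary content, so on agents where diff output is enabled a key change can be written into the agent log and the run report as a diff. Adding `show_diff => false,` to that resource, or wrapping the value as `content => Sensitive(template($ne_ssl_privatekey_erb)),`, keeps the PEM out of that output; the parameter feeding it is declared as a plain `Optional[String] $ne_ssl_privatekey_pem` in the `manifests/params.pp` hunk further down, so the same concern applies there. Nothing visible in this block fails the run when `$ne_enable_ssl` is true while either PEM parameter is still `undef`, in which case both files would presumably be written without usable content; a `fail()` guard ahead of the two resources would enforce the "must be specified if SSL is enabled" requirement stated in the parameter docs. The change belongs in `manifests/main/files.pp`, which this generated page only excerpts; the class starts and continues outside the hunk.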
Whether to manage command rules for NRPE checks, to allow dynamic check & command rules.
+Optional parameter to specify the content of the nagios server ssl certificate. This is used for the nagios server certificate and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.
+Optional parameter to specify the content of the nagios server ssl private key. This is used for the nagios server private key and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.
-78 -79 -80 -81 -82 -83 -84 -85 86 87 88 @@ -850,59 +878,73 @@ inherited by all classes except defines. 162 163 164 -165+165 +166 +167 +168 +169 +170 +171 +172 +173 +174 +175 +176 +177
# File 'manifests/params.pp', line 78
+ # File 'manifests/params.pp', line 86
class confdroid_nrpe::params (
- String $pkg_ensure = 'present',
- Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'],
+ String $pkg_ensure = 'present',
+ Array $reqpackages = ['nrpe','nrpe-selinux','selinux-policy-devel'],
- Boolean $ne_manage_cmds = true,
+ Boolean $ne_manage_cmds = true,
# NRPE user settings
- String $ne_user = 'nrpe',
- String $ne_user_comment = 'NRPE service user',
- String $ne_user_uid = '1005',
- String $ne_user_home = '/var/run/nrpe',
- Optional[String] $ne_user_groups = undef,
- String $ne_user_shell = '/sbin/nologin',
+ String $ne_user = 'nrpe',
+ String $ne_user_comment = 'NRPE service user',
+ String $ne_user_uid = '1005',
+ String $ne_user_home = '/var/run/nrpe',
+ Optional[String] $ne_user_groups = undef,
+ String $ne_user_shell = '/sbin/nologin',
# nrpe.cfg
- String $ne_log_facility = 'daemon',
- String $ne_log_file = '',
- String $ne_debug = '0',
- String $ne_nrpe_port = '5666',
- String $ne_server_address = '0.0.0.0',
- String $ne_listen_queue_size = '5',
- String $ne_dont_blame_nrpe = '1',
- String $ne_allow_bash_cmd_subst = '1',
- Boolean $ne_allow_sudo = true,
- String $ne_command_prefix = '/usr/bin/sudo',
- String $ne_command_timeout = '60',
- String $ne_connection_timeout = '300',
- String $ne_allow_weak_rnd_seed = '1',
- Boolean $ne_enable_ssl = false,
- String $ne_ssl_version = 'TLSv2+',
- String $ne_ssl_use_adh = '1',
- String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
- String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
- String $ne_ssl_client_certs = '2',
- String $ne_ssl_logging = '0x00',
- Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
- String $ne_include_file = '',
+ String $ne_log_facility = 'daemon',
+ String $ne_log_file = '',
+ String $ne_debug = '0',
+ String $ne_nrpe_port = '5666',
+ String $ne_server_address = '0.0.0.0',
+ String $ne_listen_queue_size = '5',
+ String $ne_dont_blame_nrpe = '1',
+ String $ne_allow_bash_cmd_subst = '1',
+ Boolean $ne_allow_sudo = true,
+ String $ne_command_prefix = '/usr/bin/sudo',
+ String $ne_command_timeout = '60',
+ String $ne_connection_timeout = '300',
+ String $ne_allow_weak_rnd_seed = '1',
+ Boolean $ne_enable_ssl = false,
+ String $ne_ssl_version = 'TLSv2+',
+ String $ne_ssl_use_adh = '1',
+ String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
+ String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
+ String $ne_ssl_client_certs = '2',
+ String $ne_ssl_logging = '0x00',
+ Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
+ String $ne_include_file = '',
+ Optional[String] $ne_ssl_cert_pem = undef,
+ Optional[String] $ne_ssl_privatekey_pem = undef,
# nrpe.conf
- String $ne_ssl_opts = '',
+ String $ne_ssl_opts = '',
# firewall
- Boolean $ne_incl_fw = true,
- String $ne_fw_order_no = '50',
+ Boolean $ne_incl_fw = true,
+ String $ne_fw_order_no = '50',
# selinux
- Boolean $ne_include_selinux = true,
+ Boolean $ne_include_selinux = true,
) {
# Default facts
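Review bot: `String $ne_ssl_use_adh = '1',` is only re-aligned here, but with this commit adding a server certificate and key it is worth revisiting: in NRPE's configuration that value allows anonymous Diffie-Hellman, a key exchange that authenticates neither peer, so a session could presumably still be negotiated without the newly deployed certificate being involved. Consider `String $ne_ssl_use_adh = '0',` as the default, or at least forcing it to `'0'` when `$ne_enable_ssl` is true. Separately, `'TLSv2+'` for `$ne_ssl_version` does not look like one of the `ssl_version` values NRPE documents (the closest is `TLSv1.2+`), so confirm what the daemon does with it before relying on it as the protocol floor. The class body continues outside the hunk, so how these values reach `nrpe.cfg` is not visible here.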
@@ -938,7 +980,9 @@ class confdroid_nrpe::params (
$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"
$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'
$ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem"
+ $ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
+ $ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
# includes must be last
include confdroid_nrpe::main::config