confdroid/confdroid_nrpe
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: confdroid:369f1c7b935302c12357ced6017dec1877c02fe0
Branches Tags
confdroid:master
..
compare: confdroid:master
Branches Tags
confdroid:master

30 Commits
369f1c7b93 ... master

Author SHA1 Message Date
Jenkins Server
18543aec3d Recommit for updates in build 55 2026-03-15 17:08:15 +01:00
Jenkins Server
ef06b4691b Merge remote-tracking branch 'origin/master' into jenkins-build-55 2026-03-15 17:07:13 +01:00
12ww1160
4a7d06d0ca OP#501 finalize SSL settings 2026-03-15 17:06:52 +01:00
Jenkins Server
3cdb09827d Recommit for updates in build 54 2026-03-15 17:00:32 +01:00
Jenkins Server
fd84c389aa Merge remote-tracking branch 'origin/master' into jenkins-build-54 2026-03-15 16:59:33 +01:00
12ww1160
95d2344f7f OP#501 finalize SSL settings 2026-03-15 16:59:12 +01:00
Jenkins Server
b655cb4c56 Recommit for updates in build 53 2026-03-15 16:44:21 +01:00
Jenkins Server
f928537e34 Merge remote-tracking branch 'origin/master' into jenkins-build-53 2026-03-15 16:43:23 +01:00
12ww1160
b7036ae8e7 OP#501 fix parameter 2026-03-15 16:43:07 +01:00
Jenkins Server
ae13e6fde5 Recommit for updates in build 52 2026-03-15 16:36:25 +01:00
Jenkins Server
25b4221bea Merge remote-tracking branch 'origin/master' into jenkins-build-52 2026-03-15 16:35:28 +01:00
12ww1160
7313416419 OP#501 fix parameter 2026-03-15 16:35:08 +01:00
Jenkins Server
0de9773a43 Recommit for updates in build 51 2026-03-15 16:30:53 +01:00
Jenkins Server
e60e0ea9b9 Merge remote-tracking branch 'origin/master' into jenkins-build-51 2026-03-15 16:29:53 +01:00
12ww1160
9c891f058b OP#501 update template 2026-03-15 16:29:32 +01:00
Jenkins Server
e69d85103f Recommit for updates in build 50 2026-03-15 16:02:49 +01:00
Jenkins Server
adec28aaba Merge remote-tracking branch 'origin/master' into jenkins-build-50 2026-03-15 16:01:48 +01:00
12ww1160
474ef8af50 OP#501 update template 2026-03-15 16:01:32 +01:00
Jenkins Server
ba76a55819 Merge remote-tracking branch 'origin/master' into jenkins-build-49 2026-03-15 15:54:33 +01:00
12ww1160
1bd00403fc OP#501 update template 2026-03-15 15:54:13 +01:00
Jenkins Server
6d7de77573 Recommit for updates in build 48 2026-03-15 15:47:02 +01:00
Jenkins Server
9559afd271 Merge remote-tracking branch 'origin/master' into jenkins-build-48 2026-03-15 15:46:02 +01:00
12ww1160
cd1f12713b OP#501 update Readme 2026-03-15 15:45:45 +01:00
Jenkins Server
b072b05d47 Recommit for updates in build 47 2026-03-15 15:44:22 +01:00
Jenkins Server
24e7156d93 Merge remote-tracking branch 'origin/master' into jenkins-build-47 2026-03-15 15:43:23 +01:00
12ww1160
8d50f454c7 OP#501 adding variables and place holders for certs 2026-03-15 15:42:59 +01:00
Jenkins Server
3b89f52ca3 Recommit for updates in build 46 2026-03-15 15:32:55 +01:00
Jenkins Server
438967b04f Merge remote-tracking branch 'origin/master' into jenkins-build-46 2026-03-15 15:31:57 +01:00
12ww1160
ddfb05f836 OP#501 adding variables and place holders for certs 2026-03-15 15:31:41 +01:00
Jenkins Server
353140d6a3 Merge remote-tracking branch 'origin/master' into jenkins-build-45 2026-03-15 15:24:47 +01:00
10 changed files with 99 additions and 123 deletions
Expand all files Collapse all files

6
README.md
View File

@@ -102,13 +102,15 @@ It is very recommendable to define such commands directly within Puppet modules
## managing TLS certificates
When `ne_enable_ssl` is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
- `ne_ssl_ca_cert_pem`
- `ne_ssl_cert_pem`
- `ne_ssl_privatekey_pem`
via Hiera (if you use it) or ENC.
via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.
If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
## SELINUX

6
doc/file.README.html
View File

@@ -193,7 +193,7 @@
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<ul><li>
<p><code>ne_ssl_ca_cert_pem</code></p>
</li><li>
@@ -202,7 +202,9 @@
<p><code>ne_ssl_privatekey_pem</code></p>
</li></ul>
<p>via Hiera (if you use it) or ENC.</p>
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
<p>If you dont need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
<h2 id="label-SELINUX">SELINUX</h2>

6
doc/index.html
View File

@@ -193,7 +193,7 @@
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
<ul><li>
<p><code>ne_ssl_ca_cert_pem</code></p>
</li><li>
@@ -202,7 +202,9 @@
<p><code>ne_ssl_privatekey_pem</code></p>
</li></ul>
<p>via Hiera (if you use it) or ENC.</p>
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
<p>If you dont need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
<h2 id="label-SELINUX">SELINUX</h2>

30
doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Adirs.html
View File

@@ -131,7 +131,21 @@
33
34
35
36</pre>
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/dirs.pp', line 6</span>
@@ -166,6 +180,20 @@ class confdroid_nrpe::main::dirs (
seltype =&gt; var_run_t,
seluser =&gt; system_u,
}
if $ne_enable_ssl {
file { $ne_servercert_dir:
ensure =&gt; directory,
path =&gt; $ne_servercert_dir,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0755&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
}
}
}</pre>
</td>
</tr>

22
doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
View File

@@ -206,8 +206,7 @@
108
109
110
111
112</pre>
111</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -278,15 +277,14 @@ class confdroid_nrpe::main::files (
notify =&gt; Exec[&#39;create_nrpe_pp&#39;],
}
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_cert_file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0440&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
@@ -296,9 +294,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_privatekey_file:
ensure =&gt; file,
path =&gt; $ne_ssl_privatekey_file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0400&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
@@ -308,9 +306,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_ca_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_ca_cert_file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
owner =&gt; $ne_user,
group =&gt; $ne_user,
mode =&gt; &#39;0440&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,

92
doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
View File

@@ -349,42 +349,6 @@ inherited by all classes except defines.
</li>
<li>
<span class='name'>ne_ssl_version</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;TLSv2+&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>These directives allow you to specify how to use SSL/TLS.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_use_adh</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;1&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>This is for backward compatibility and is DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the default but will be changed in a later version.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_cipher_list</span>
@@ -403,24 +367,6 @@ inherited by all classes except defines.
</li>
<li>
<span class='name'>ne_ssl_cacert_file</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>path and name of the ssl certificate authority (ca) file / chain. must be full path.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_client_certs</span>
@@ -429,7 +375,7 @@ inherited by all classes except defines.
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;2&#39;</tt>)</em>
<em class="default">(defaults to: <tt>&#39;0&#39;</tt>)</em>
&mdash;
@@ -699,7 +645,7 @@ inherited by all classes except defines.
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>true</tt>)</em>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
@@ -817,6 +763,13 @@ inherited by all classes except defines.
<pre class="lines">
82
83
84
85
86
87
88
89
90
91
@@ -902,19 +855,10 @@ inherited by all classes except defines.
171
172
173
174
175
176
177
178
179
180
181
182
183</pre>
174</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 89</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 82</span>
class confdroid_nrpe::params (
@@ -945,12 +889,9 @@ class confdroid_nrpe::params (
String $ne_command_timeout = &#39;60&#39;,
String $ne_connection_timeout = &#39;300&#39;,
String $ne_allow_weak_rnd_seed = &#39;1&#39;,
Boolean $ne_enable_ssl = true,
String $ne_ssl_version = &#39;TLSv2+&#39;,
String $ne_ssl_use_adh = &#39;1&#39;,
Boolean $ne_enable_ssl = false,
String $ne_ssl_cipher_list = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
String $ne_ssl_cacert_file = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
String $ne_ssl_client_certs = &#39;2&#39;,
String $ne_ssl_client_certs = &#39;0&#39;,
String $ne_ssl_logging = &#39;0x00&#39;,
Array $ne_nasty_metachars = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
String $ne_include_file = &#39;&#39;,
@@ -983,6 +924,7 @@ class confdroid_nrpe::params (
# directories
$ne_main_conf_d_dir = &#39;/etc/nrpe.d&#39;
$ne_run_dir = &#39;/var/run/nrpe&#39;
$ne_servercert_dir = &#39;/etc/pki/tls/servercerts&#39;
# files
$ne_main_conf_file = &#39;/etc/nagios/nrpe.cfg&#39;
@@ -1001,11 +943,11 @@ class confdroid_nrpe::params (
$ne_checkmodule_nrpe_erb = &#39;confdroid_nrpe/checkmodule_nrpe.erb&#39;
$ne_nrpe_pp_file = &quot;${ne_main_conf_d_dir}/nrpe.pp&quot;
$ne_semodule_erb = &#39;confdroid_nrpe/semodule_nrpe.erb&#39;
$ne_ssl_cert_file = &quot;/etc/pki/tls/certs/${fqdn}.crt.pem&quot;
$ne_ssl_cert_file = &quot;${ne_servercert_dir}/nagios-cert.pem&quot;
$ne_ssl_cert_erb = &#39;confdroid_nrpe/ssl_cert.erb&#39;
$ne_ssl_privatekey_file = &quot;/etc/pki/tls/private/${fqdn}.key.pem&quot;
$ne_ssl_privatekey_file = &quot;${ne_servercert_dir}/nagios-key.pem&quot;
$ne_ssl_privatekey_erb = &#39;confdroid_nrpe/ssl_privatekey.erb&#39;
$ne_ssl_ca_cert_file = &quot;/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem&quot;
$ne_ssl_ca_cert_file = &quot;${ne_servercert_dir}/ca-cert.pem&quot;
$ne_ssl_ca_cert_erb = &#39;confdroid_nrpe/ssl_ca_cert.erb&#39;
# includes must be last

14
manifests/main/dirs.pp
View File

@@ -33,4 +33,18 @@ class confdroid_nrpe::main::dirs (
seltype => var_run_t,
seluser => system_u,
}
if $ne_enable_ssl {
file { $ne_servercert_dir:
ensure => directory,
path => $ne_servercert_dir,
owner => 'root',
group => 'root',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
}
}
}

19
manifests/main/files.pp
View File

@@ -69,15 +69,14 @@ class confdroid_nrpe::main::files (
notify => Exec['create_nrpe_pp'],
}
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure => file,
path => $ne_ssl_cert_file,
owner => 'root',
group => 'root',
mode => '0644',
owner => $ne_user,
group => $ne_user,
mode => '0440',
selrange => s0,
selrole => object_r,
seltype => cert_t,
@@ -87,9 +86,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_privatekey_file:
ensure => file,
path => $ne_ssl_privatekey_file,
owner => 'root',
group => 'root',
mode => '0600',
owner => $ne_user,
group => $ne_user,
mode => '0400',
selrange => s0,
selrole => object_r,
seltype => cert_t,
@@ -99,9 +98,9 @@ class confdroid_nrpe::main::files (
file { $ne_ssl_ca_cert_file:
ensure => file,
path => $ne_ssl_ca_cert_file,
owner => 'root',
group => 'root',
mode => '0644',
owner => $ne_user,
group => $ne_user,
mode => '0440',
selrange => s0,
selrole => object_r,
seltype => cert_t,

21
manifests/params.pp
View File

@@ -30,16 +30,9 @@
# daemon will allow plugins to finish executing before killing them off.
# @param [String] ne_connection_timeout maximum number of seconds that the
# NRPE daemon will wait for a connection to be established before exiting.
# @param [String] ne_ssl_version These directives allow you to specify how to
# use SSL/TLS.
# @param [String] ne_ssl_use_adh This is for backward compatibility and is
# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
# default but will be changed in a later version.
# @param [String] ne_ssl_cipher_list ciphers can be used. For backward
# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
# this version but will be changed in a later version of NRPE.
# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
# authority (ca) file / chain. must be full path.
# @param [String] ne_ssl_client_certs determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
# 1 = Ask for client certificates
@@ -115,12 +108,9 @@ class confdroid_nrpe::params (
String $ne_command_timeout = '60',
String $ne_connection_timeout = '300',
String $ne_allow_weak_rnd_seed = '1',
Boolean $ne_enable_ssl = true,
String $ne_ssl_version = 'TLSv2+',
String $ne_ssl_use_adh = '1',
Boolean $ne_enable_ssl = false,
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
String $ne_ssl_client_certs = '2',
String $ne_ssl_client_certs = '0',
String $ne_ssl_logging = '0x00',
Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
String $ne_include_file = '',
@@ -153,6 +143,7 @@ class confdroid_nrpe::params (
# directories
$ne_main_conf_d_dir = '/etc/nrpe.d'
$ne_run_dir = '/var/run/nrpe'
$ne_servercert_dir = '/etc/pki/tls/servercerts'
# files
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
@@ -171,11 +162,11 @@ class confdroid_nrpe::params (
$ne_checkmodule_nrpe_erb = 'confdroid_nrpe/checkmodule_nrpe.erb'
$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"
$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'
$ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem"
$ne_ssl_cert_file = "${ne_servercert_dir}/nagios-cert.pem"
$ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
$ne_ssl_privatekey_file = "${ne_servercert_dir}/nagios-key.pem"
$ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
$ne_ssl_ca_cert_file = "/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem"
$ne_ssl_ca_cert_file = "${ne_servercert_dir}/ca-cert.pem"
$ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
# includes must be last

6
templates/nrpe_cfg.erb
View File

@@ -33,11 +33,9 @@ connection_timeout=<%= @ne_connection_timeout %>
allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
<% if $ne_enable_ssl == true -%>
ssl_version=<%= @ne_ssl_version %>
ssl_use_adh=<%= @ne_ssl_use_adh %>
<% if @ne_enable_ssl == true -%>
ssl_cipher_list=<%= @ne_ssl_cipher_list %>
ssl_cacert_file=<%= @ne_ssl_cacert_file %>
ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
ssl_cert_file=<%= @ne_ssl_cert_file %>
ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
ssl_client_certs=<%= @ne_ssl_client_certs %>