confdroid/confdroid_nrpe
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: confdroid:62208f1f4f5ed2a76c8d8fe44a8ad06b5a31e788
Branches Tags
confdroid:master
...
compare: confdroid:dcdbccc3cbc6caf209804e7736c46e77df5e4615
Branches Tags
confdroid:master

4 Commits
62208f1f4f ... dcdbccc3cb

Author SHA1 Message Date
Jenkins Server
dcdbccc3cb Recommit for updates in build 42 2026-03-15 15:05:53 +01:00
Jenkins Server
0a31c8297e Merge remote-tracking branch 'origin/master' into jenkins-build-42 2026-03-15 15:04:48 +01:00
12ww1160
f0edc10d45 OP#501 adding variables and place holders for certs 2026-03-15 15:04:31 +01:00
Jenkins Server
f56c1c9279 Recommit for updates in build 41 2026-03-15 14:51:10 +01:00
9 changed files with 238 additions and 181 deletions
Expand all files Collapse all files

124
Jenkinsfile vendored
View File

@@ -1,124 +0,0 @@
pipeline {
agent any
post {
always {
deleteDir() /* clean up our workspace */
}
success {
updateGitlabCommitStatus state: 'success'
}
failure {
updateGitlabCommitStatus state: 'failed'
step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
}
}
options {
gitLabConnection('gitlab.confdroid.com')
}
stages {
stage('pull master') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
# Ensure we're on the development branch (triggered by push)
git checkout development
# Create jenkins branch from development
git checkout -b jenkins-build-$BUILD_NUMBER
# Optionally merge master into jenkins to ensure compatibility
git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
'''
}
}
}
stage('puppet parser') {
steps {
sh '''for file in $(find . -iname \'*.pp\'); do
/opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
done;'''
}
}
stage('check templates') {
steps{
sh '''for file in $(find . -iname \'*.erb\');
do erb -P -x -T "-" $file | ruby -c || exit 1;
done;'''
}
}
stage('puppet-lint') {
steps {
sh '''/usr/local/bin/puppet-lint . \\
--no-variable_scope-check \\
|| { echo "Puppet lint failed"; exit 1; }
'''
}
}
stage('SonarScan') {
steps {
withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
sh '''
/opt/sonar-scanner/bin/sonar-scanner \
-Dsonar.projectKey=confdroid_nrpe \
-Dsonar.sources=. \
-Dsonar.host.url=https://sonarqube.confdroid.com \
-Dsonar.token=$SONAR_TOKEN
'''
}
}
}
stage('create Puppet documentation') {
steps {
sh '/opt/puppetlabs/bin/puppet strings'
}
}
stage('update repo') {
steps {
sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
sh '''
git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com
git rm -r --cached .vscode || echo "No .vscode to remove from git"
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
git push origin HEAD:master
'''
}
}
}
stage('Mirror to Gitea') {
steps {
withCredentials([usernamePassword(
credentialsId: 'Jenkins-gitea',
usernameVariable: 'GITEA_USER',
passwordVariable: 'GITEA_TOKEN')]) {
script {
// Checkout from GitLab (already done implicitly)
sh '''
git checkout master
git pull origin master
git branch -D development
git branch -D jenkins-build-$BUILD_NUMBER
git rm -f Jenkinsfile
git rm -r --cached .vscode || echo "No .vscode to remove from git"
git commit --amend --no-edit --allow-empty
git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_nrpe.git
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
push master --mirror
'''
}
}
}
}
}
}

4
README.md
View File

@@ -12,7 +12,7 @@
- [Dependencies](#dependencies)
- [Deployment](#deployment)
- [Managing Check Commands](#managing-check-commands)
- [managing TLS serts](#managing-tls-serts)
- [managing TLS certificates](#managing-tls-certificates)
- [SELINUX](#selinux)
- [Known Problems](#known-problems)
- [Troubleshooting](#troubleshooting)
@@ -100,7 +100,7 @@ A: Sometimes the name of the check is different, like this:
It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.
## managing TLS serts
## managing TLS certificates
## SELINUX

8
doc/file.README.html
View File

@@ -78,6 +78,8 @@
</li><li>
<p><a href="#managing-check-commands">Managing Check Commands</a></p>
</li><li>
<p><a href="#managing-tls-certificates">managing TLS certificates</a></p>
</li><li>
<p><a href="#selinux">SELINUX</a></p>
</li><li>
<p><a href="#known-problems">Known Problems</a></p>
@@ -101,7 +103,9 @@
<h2 id="label-WARNING">WARNING</h2>
<p><strong><em>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</em></strong></p>
<blockquote>
<p><strong>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</strong></p>
</blockquote>
<h2 id="label-Features">Features</h2>
<ul><li>
@@ -187,6 +191,8 @@
<p>It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.</p>
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<h2 id="label-SELINUX">SELINUX</h2>
<p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>

8
doc/index.html
View File

@@ -78,6 +78,8 @@
</li><li>
<p><a href="#managing-check-commands">Managing Check Commands</a></p>
</li><li>
<p><a href="#managing-tls-certificates">managing TLS certificates</a></p>
</li><li>
<p><a href="#selinux">SELINUX</a></p>
</li><li>
<p><a href="#known-problems">Known Problems</a></p>
@@ -101,7 +103,9 @@
<h2 id="label-WARNING">WARNING</h2>
<p><strong><em>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</em></strong></p>
<blockquote>
<p><strong>Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production</strong></p>
</blockquote>
<h2 id="label-Features">Features</h2>
<ul><li>
@@ -187,6 +191,8 @@
<p>It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.</p>
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
<h2 id="label-SELINUX">SELINUX</h2>
<p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>

82
doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
View File

@@ -168,7 +168,47 @@
70
71
72
73</pre>
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -239,6 +279,46 @@ class confdroid_nrpe::main::files (
content =&gt; template($ne_nrpe_te_erb),
notify =&gt; Exec[&#39;create_nrpe_pp&#39;],
}
# file for ssl certificate
if $ne_enable_ssl == true {
file { $ne_ssl_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_cert_file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
content =&gt; template($ne_ssl_cert_erb),
}
file { $ne_ssl_privatekey_file:
ensure =&gt; file,
path =&gt; $ne_ssl_privatekey_file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0600&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
content =&gt; template($ne_ssl_privatekey_erb),
}
file { $ne_ssl_ca_cert_file:
ensure =&gt; file,
path =&gt; $ne_ssl_ca_cert_file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; cert_t,
seluser =&gt; system_u,
content =&gt; template($ne_ssl_ca_cert_erb),
}
}
}
}</pre>
</td>

164
doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
View File

@@ -741,6 +741,60 @@ inherited by all classes except defines.
&mdash;
<div class='inline'>
<p>Whether to manage command rules for NRPE checks, to allow dynamic check &amp; command rules.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_cert_pem</span>
<span class='type'>(<tt>Optional[String]</tt>)</span>
<em class="default">(defaults to: <tt>undef</tt>)</em>
&mdash;
<div class='inline'>
<p>Optional parameter to specify the content of the nagios server ssl certificate. This is used for the nagios server certificate and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_privatekey_pem</span>
<span class='type'>(<tt>Optional[String]</tt>)</span>
<em class="default">(defaults to: <tt>undef</tt>)</em>
&mdash;
<div class='inline'>
<p>Optional parameter to specify the content of the nagios server ssl private key. This is used for the nagios server private key and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.</p>
</div>
</li>
<li>
<span class='name'>ne_ssl_ca_cert_pem</span>
<span class='type'>(<tt>Optional[String]</tt>)</span>
<em class="default">(defaults to: <tt>undef</tt>)</em>
&mdash;
<div class='inline'>
<p>Optional parameter to specify the content of the CA certificate. This is used for the CA certificate and has to be provided via Hiera or ENC. Must be specified if SSL is enabled.</p>
</div>
</li>
@@ -763,17 +817,6 @@ inherited by all classes except defines.
<pre class="lines">
78
79
80
81
82
83
84
85
86
87
88
89
90
91
@@ -850,59 +893,80 @@ inherited by all classes except defines.
162
163
164
165</pre>
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 78</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 89</span>
class confdroid_nrpe::params (
String $pkg_ensure = &#39;present&#39;,
Array $reqpackages = [&#39;nrpe&#39;,&#39;nrpe-selinux&#39;,&#39;selinux-policy-devel&#39;],
String $pkg_ensure = &#39;present&#39;,
Array $reqpackages = [&#39;nrpe&#39;,&#39;nrpe-selinux&#39;,&#39;selinux-policy-devel&#39;],
Boolean $ne_manage_cmds = true,
Boolean $ne_manage_cmds = true,
# NRPE user settings
String $ne_user = &#39;nrpe&#39;,
String $ne_user_comment = &#39;NRPE service user&#39;,
String $ne_user_uid = &#39;1005&#39;,
String $ne_user_home = &#39;/var/run/nrpe&#39;,
Optional[String] $ne_user_groups = undef,
String $ne_user_shell = &#39;/sbin/nologin&#39;,
String $ne_user = &#39;nrpe&#39;,
String $ne_user_comment = &#39;NRPE service user&#39;,
String $ne_user_uid = &#39;1005&#39;,
String $ne_user_home = &#39;/var/run/nrpe&#39;,
Optional[String] $ne_user_groups = undef,
String $ne_user_shell = &#39;/sbin/nologin&#39;,
# nrpe.cfg
String $ne_log_facility = &#39;daemon&#39;,
String $ne_log_file = &#39;&#39;,
String $ne_debug = &#39;0&#39;,
String $ne_nrpe_port = &#39;5666&#39;,
String $ne_server_address = &#39;0.0.0.0&#39;,
String $ne_listen_queue_size = &#39;5&#39;,
String $ne_dont_blame_nrpe = &#39;1&#39;,
String $ne_allow_bash_cmd_subst = &#39;1&#39;,
Boolean $ne_allow_sudo = true,
String $ne_command_prefix = &#39;/usr/bin/sudo&#39;,
String $ne_command_timeout = &#39;60&#39;,
String $ne_connection_timeout = &#39;300&#39;,
String $ne_allow_weak_rnd_seed = &#39;1&#39;,
Boolean $ne_enable_ssl = false,
String $ne_ssl_version = &#39;TLSv2+&#39;,
String $ne_ssl_use_adh = &#39;1&#39;,
String $ne_ssl_cipher_list = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
String $ne_ssl_cacert_file = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
String $ne_ssl_client_certs = &#39;2&#39;,
String $ne_ssl_logging = &#39;0x00&#39;,
Array $ne_nasty_metachars = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
String $ne_include_file = &#39;&#39;,
String $ne_log_facility = &#39;daemon&#39;,
String $ne_log_file = &#39;&#39;,
String $ne_debug = &#39;0&#39;,
String $ne_nrpe_port = &#39;5666&#39;,
String $ne_server_address = &#39;0.0.0.0&#39;,
String $ne_listen_queue_size = &#39;5&#39;,
String $ne_dont_blame_nrpe = &#39;1&#39;,
String $ne_allow_bash_cmd_subst = &#39;1&#39;,
Boolean $ne_allow_sudo = true,
String $ne_command_prefix = &#39;/usr/bin/sudo&#39;,
String $ne_command_timeout = &#39;60&#39;,
String $ne_connection_timeout = &#39;300&#39;,
String $ne_allow_weak_rnd_seed = &#39;1&#39;,
Boolean $ne_enable_ssl = false,
String $ne_ssl_version = &#39;TLSv2+&#39;,
String $ne_ssl_use_adh = &#39;1&#39;,
String $ne_ssl_cipher_list = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
String $ne_ssl_cacert_file = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
String $ne_ssl_client_certs = &#39;2&#39;,
String $ne_ssl_logging = &#39;0x00&#39;,
Array $ne_nasty_metachars = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
String $ne_include_file = &#39;&#39;,
Optional[String] $ne_ssl_cert_pem = undef,
Optional[String] $ne_ssl_privatekey_pem = undef,
Optional[String] $ne_ssl_ca_cert_pem = undef,
# nrpe.conf
String $ne_ssl_opts = &#39;&#39;,
String $ne_ssl_opts = &#39;&#39;,
# firewall
Boolean $ne_incl_fw = true,
String $ne_fw_order_no = &#39;50&#39;,
Boolean $ne_incl_fw = true,
String $ne_fw_order_no = &#39;50&#39;,
# selinux
Boolean $ne_include_selinux = true,
Boolean $ne_include_selinux = true,
) {
# Default facts
@@ -938,7 +1002,11 @@ class confdroid_nrpe::params (
$ne_nrpe_pp_file = &quot;${ne_main_conf_d_dir}/nrpe.pp&quot;
$ne_semodule_erb = &#39;confdroid_nrpe/semodule_nrpe.erb&#39;
$ne_ssl_cert_file = &quot;/etc/pki/tls/certs/${fqdn}.crt.pem&quot;
$ne_ssl_cert_erb = &#39;confdroid_nrpe/ssl_cert.erb&#39;
$ne_ssl_privatekey_file = &quot;/etc/pki/tls/private/${fqdn}.key.pem&quot;
$ne_ssl_privatekey_erb = &#39;confdroid_nrpe/ssl_privatekey.erb&#39;
$ne_ssl_ca_cert_file = &quot;/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem&quot;
$ne_ssl_ca_cert_erb = &#39;confdroid_nrpe/ssl_ca_cert.erb&#39;
# includes must be last
include confdroid_nrpe::main::config

12
manifests/main/files.pp
View File

@@ -96,6 +96,18 @@ class confdroid_nrpe::main::files (
seluser => system_u,
content => template($ne_ssl_privatekey_erb),
}
file { $ne_ssl_ca_cert_file:
ensure => file,
path => $ne_ssl_ca_cert_file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => cert_t,
seluser => system_u,
content => template($ne_ssl_ca_cert_erb),
}
}
}
}

14
manifests/params.pp
View File

@@ -78,10 +78,13 @@
# the nagios server ssl certificate. This is used for the nagios server
# certificate and has to be provided via Hiera or ENC. Must be specified if
# SSL is enabled.
# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the content of
# the nagios server ssl private key. This is used for the nagios server
# private key and has to be provided via Hiera or ENC. Must be specified if
# SSL is enabled.
# @param [String] ne_ssl_privatekey_pem Optional parameter to specify the
# content of the nagios server ssl private key. This is used for the nagios
# server private key and has to be provided via Hiera or ENC. Must be specified
# if SSL is enabled.
# @param [String] ne_ssl_ca_cert_pem Optional parameter to specify the content of
# the CA certificate. This is used for the CA certificate and has to be
# provided via Hiera or ENC. Must be specified if SSL is enabled.
###############################################################################
class confdroid_nrpe::params (
@@ -123,6 +126,7 @@ class confdroid_nrpe::params (
String $ne_include_file = '',
Optional[String] $ne_ssl_cert_pem = undef,
Optional[String] $ne_ssl_privatekey_pem = undef,
Optional[String] $ne_ssl_ca_cert_pem = undef,
# nrpe.conf
String $ne_ssl_opts = '',
@@ -171,6 +175,8 @@ class confdroid_nrpe::params (
$ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
$ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
$ne_ssl_ca_cert_file = "/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem"
$ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
# includes must be last
include confdroid_nrpe::main::config

3
templates/ssl_ca_cert.erb Normal file
View File

@@ -0,0 +1,3 @@
<% unless @ne_ssl_ca_cert_pem.nil -%>
<%= @ne_ssl_ca_cert_pem %>
<% end -%>