Compare commits
34 Commits
6f291e48f8
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
18543aec3d | ||
|
|
ef06b4691b | ||
| 4a7d06d0ca | |||
|
|
3cdb09827d | ||
|
|
fd84c389aa | ||
| 95d2344f7f | |||
|
|
b655cb4c56 | ||
|
|
f928537e34 | ||
| b7036ae8e7 | |||
|
|
ae13e6fde5 | ||
|
|
25b4221bea | ||
| 7313416419 | |||
|
|
0de9773a43 | ||
|
|
e60e0ea9b9 | ||
| 9c891f058b | |||
|
|
e69d85103f | ||
|
|
adec28aaba | ||
| 474ef8af50 | |||
|
|
ba76a55819 | ||
| 1bd00403fc | |||
|
|
6d7de77573 | ||
|
|
9559afd271 | ||
| cd1f12713b | |||
|
|
b072b05d47 | ||
|
|
24e7156d93 | ||
| 8d50f454c7 | |||
|
|
3b89f52ca3 | ||
|
|
438967b04f | ||
| ddfb05f836 | |||
|
|
353140d6a3 | ||
| cd15c69197 | |||
|
|
f4f0d957fb | ||
| c5ddc3d578 | |||
|
|
34c682d3b4 |
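--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,124 +0,0 @@
-pipeline {
-agent any
-
-post {
-always {
-deleteDir() /* clean up our workspace */
-}
-success {
-updateGitlabCommitStatus state: 'success'
-}
-failure {
-updateGitlabCommitStatus state: 'failed'
-step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
-}
-}
-
-options {
-gitLabConnection('gitlab.confdroid.com')
-}
-
-stages {
-
-stage('pull master') {
-steps {
-sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-sh '''
-git config user.name "Jenkins Server"
-git config user.email jenkins@confdroid.com
-# Ensure we're on the development branch (triggered by push)
-git checkout development
-# Create jenkins branch from development
-git checkout -b jenkins-build-$BUILD_NUMBER
-# Optionally merge master into jenkins to ensure compatibility
-git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
-'''
-}
-}
-}
-
-stage('puppet parser') {
-steps {
-sh '''for file in $(find . -iname \'*.pp\'); do
-/opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
-done;'''
-}
-}
-
-stage('check templates') {
-steps{
-sh '''for file in $(find . -iname \'*.erb\');
-do erb -P -x -T "-" $file | ruby -c || exit 1;
-done;'''
-}
-}
-
-stage('puppet-lint') {
-steps {
-sh '''/usr/local/bin/puppet-lint . \\
---no-variable_scope-check \\
-|| { echo "Puppet lint failed"; exit 1; }
-'''
-}
-}
-
-stage('SonarScan') {
-steps {
-withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
-sh '''
-/opt/sonar-scanner/bin/sonar-scanner \
--Dsonar.projectKey=confdroid_nrpe \
--Dsonar.sources=. \
--Dsonar.host.url=https://sonarqube.confdroid.com \
--Dsonar.token=$SONAR_TOKEN
-'''
-}
-}
-}
-
-stage('create Puppet documentation') {
-steps {
-sh '/opt/puppetlabs/bin/puppet strings'
-}
-}
-
-stage('update repo') {
-steps {
-sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-sh '''
-git config user.name "Jenkins Server"
-git config user.email jenkins@confdroid.com
-git rm -r --cached .vscode || echo "No .vscode to remove from git"
-git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
-git push origin HEAD:master
-'''
-}
-}
-}
-
-stage('Mirror to Gitea') {
-steps {
-withCredentials([usernamePassword(
-credentialsId: 'Jenkins-gitea',
-usernameVariable: 'GITEA_USER',
-passwordVariable: 'GITEA_TOKEN')]) {
-script {
-// Checkout from GitLab (already done implicitly)
-sh '''
-git checkout master
-git pull origin master
-git branch -D development
-git branch -D jenkins-build-$BUILD_NUMBER
-git rm -f Jenkinsfile
-git rm -r --cached .vscode || echo "No .vscode to remove from git"
-git commit --amend --no-edit --allow-empty
-git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_nrpe.git
-git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
-push master --mirror
-'''
-}
-}
-}
-}
-}
-}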
@@ -102,13 +102,15 @@ It is very recommendable to define such commands directly within Puppet modules
|
||||
|
||||
## managing TLS certificates
|
||||
|
||||
When `ne_enable_ssl` is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
|
||||
When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
|
||||
|
||||
- `ne_ssl_ca_cert_pem`
|
||||
- `ne_ssl_cert_pem`
|
||||
- `ne_ssl_privatekey_pem`
|
||||
|
||||
via Hiera (if you use it) or ENC.
|
||||
via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.
|
||||
|
||||
If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
|
||||
|
||||
## SELINUX
|
||||
|
||||
|
||||
@@ -193,14 +193,24 @@
|
||||
|
||||
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
|
||||
|
||||
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
|
||||
<ul><li>
|
||||
<p><code>ne_ssl_ca_cert_pem</code></p>
|
||||
</li><li>
|
||||
<p><code>ne_ssl_cert_pem</code></p>
|
||||
</li><li>
|
||||
<p><code>ne_ssl_privatekey_pem</code></p>
|
||||
</li></ul>
|
||||
|
||||
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
|
||||
|
||||
<p>If you don’t need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
|
||||
|
||||
<h2 id="label-SELINUX">SELINUX</h2>
|
||||
|
||||
<p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
|
||||
|
||||
<h2 id="label-Known+Problems">Known Problems</h2>
|
||||
<ul><li>
|
||||
<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
|
||||
</li></ul>
|
||||
|
||||
<h2 id="label-Troubleshooting">Troubleshooting</h2>
|
||||
<ul><li>
|
||||
|
||||
@@ -193,14 +193,24 @@
|
||||
|
||||
<h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
|
||||
|
||||
<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
|
||||
<ul><li>
|
||||
<p><code>ne_ssl_ca_cert_pem</code></p>
|
||||
</li><li>
|
||||
<p><code>ne_ssl_cert_pem</code></p>
|
||||
</li><li>
|
||||
<p><code>ne_ssl_privatekey_pem</code></p>
|
||||
</li></ul>
|
||||
|
||||
<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
|
||||
|
||||
<p>If you don’t need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
|
||||
|
||||
<h2 id="label-SELINUX">SELINUX</h2>
|
||||
|
||||
<p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
|
||||
|
||||
<h2 id="label-Known+Problems">Known Problems</h2>
|
||||
<ul><li>
|
||||
<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
|
||||
</li></ul>
|
||||
|
||||
<h2 id="label-Troubleshooting">Troubleshooting</h2>
|
||||
<ul><li>
|
||||
|
||||
@@ -131,7 +131,21 @@
|
||||
33
|
||||
34
|
||||
35
|
||||
36</pre>
|
||||
36
|
||||
37
|
||||
38
|
||||
39
|
||||
40
|
||||
41
|
||||
42
|
||||
43
|
||||
44
|
||||
45
|
||||
46
|
||||
47
|
||||
48
|
||||
49
|
||||
50</pre>
|
||||
</td>
|
||||
<td>
|
||||
<pre class="code"><span class="info file"># File 'manifests/main/dirs.pp', line 6</span>
|
||||
@@ -166,6 +180,20 @@ class confdroid_nrpe::main::dirs (
|
||||
seltype => var_run_t,
|
||||
seluser => system_u,
|
||||
}
|
||||
|
||||
if $ne_enable_ssl {
|
||||
file { $ne_servercert_dir:
|
||||
ensure => directory,
|
||||
path => $ne_servercert_dir,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
}
|
||||
}
|
||||
}</pre>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@@ -206,9 +206,7 @@
|
||||
108
|
||||
109
|
||||
110
|
||||
111
|
||||
112
|
||||
113</pre>
|
||||
111</pre>
|
||||
</td>
|
||||
<td>
|
||||
<pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
|
||||
@@ -251,7 +249,6 @@ class confdroid_nrpe::main::files (
|
||||
}
|
||||
|
||||
if $ne_allow_sudo == true {
|
||||
|
||||
file { $ne_sudo_file:
|
||||
ensure => file,
|
||||
path => $ne_sudo_file,
|
||||
@@ -279,45 +276,44 @@ class confdroid_nrpe::main::files (
|
||||
content => template($ne_nrpe_te_erb),
|
||||
notify => Exec['create_nrpe_pp'],
|
||||
}
|
||||
|
||||
# file for ssl certificate
|
||||
if $ne_enable_ssl == true {
|
||||
file { $ne_ssl_cert_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_cert_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
content => template($ne_ssl_cert_erb),
|
||||
}
|
||||
file { $ne_ssl_privatekey_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_privatekey_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
content => template($ne_ssl_privatekey_erb),
|
||||
}
|
||||
file { $ne_ssl_ca_cert_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_ca_cert_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
content => template($ne_ssl_ca_cert_erb),
|
||||
}
|
||||
}
|
||||
# file for ssl certificate
|
||||
if $ne_enable_ssl == true {
|
||||
file { $ne_ssl_cert_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_cert_file,
|
||||
owner => $ne_user,
|
||||
group => $ne_user,
|
||||
mode => '0440',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
content => template($ne_ssl_cert_erb),
|
||||
}
|
||||
file { $ne_ssl_privatekey_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_privatekey_file,
|
||||
owner => $ne_user,
|
||||
group => $ne_user,
|
||||
mode => '0400',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
content => template($ne_ssl_privatekey_erb),
|
||||
}
|
||||
file { $ne_ssl_ca_cert_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_ca_cert_file,
|
||||
owner => $ne_user,
|
||||
group => $ne_user,
|
||||
mode => '0440',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
content => template($ne_ssl_ca_cert_erb),
|
||||
}
|
||||
}
|
||||
}</pre>
|
||||
|
||||
@@ -349,42 +349,6 @@ inherited by all classes except defines.
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ne_ssl_version</span>
|
||||
|
||||
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'TLSv2+'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>These directives allow you to specify how to use SSL/TLS.</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ne_ssl_use_adh</span>
|
||||
|
||||
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'1'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>This is for backward compatibility and is DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the default but will be changed in a later version.</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ne_ssl_cipher_list</span>
|
||||
@@ -403,24 +367,6 @@ inherited by all classes except defines.
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ne_ssl_cacert_file</span>
|
||||
|
||||
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'/etc/pki/tls/certs/ca-chain.crt.pem'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
<div class='inline'>
|
||||
<p>path and name of the ssl certificate authority (ca) file / chain. must be full path.</p>
|
||||
</div>
|
||||
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<span class='name'>ne_ssl_client_certs</span>
|
||||
@@ -429,7 +375,7 @@ inherited by all classes except defines.
|
||||
<span class='type'>(<tt>String</tt>)</span>
|
||||
|
||||
|
||||
<em class="default">(defaults to: <tt>'2'</tt>)</em>
|
||||
<em class="default">(defaults to: <tt>'0'</tt>)</em>
|
||||
|
||||
|
||||
—
|
||||
@@ -817,6 +763,13 @@ inherited by all classes except defines.
|
||||
<pre class="lines">
|
||||
|
||||
|
||||
82
|
||||
83
|
||||
84
|
||||
85
|
||||
86
|
||||
87
|
||||
88
|
||||
89
|
||||
90
|
||||
91
|
||||
@@ -902,19 +855,10 @@ inherited by all classes except defines.
|
||||
171
|
||||
172
|
||||
173
|
||||
174
|
||||
175
|
||||
176
|
||||
177
|
||||
178
|
||||
179
|
||||
180
|
||||
181
|
||||
182
|
||||
183</pre>
|
||||
174</pre>
|
||||
</td>
|
||||
<td>
|
||||
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 89</span>
|
||||
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 82</span>
|
||||
|
||||
class confdroid_nrpe::params (
|
||||
|
||||
@@ -946,11 +890,8 @@ class confdroid_nrpe::params (
|
||||
String $ne_connection_timeout = '300',
|
||||
String $ne_allow_weak_rnd_seed = '1',
|
||||
Boolean $ne_enable_ssl = false,
|
||||
String $ne_ssl_version = 'TLSv2+',
|
||||
String $ne_ssl_use_adh = '1',
|
||||
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
|
||||
String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
|
||||
String $ne_ssl_client_certs = '2',
|
||||
String $ne_ssl_client_certs = '0',
|
||||
String $ne_ssl_logging = '0x00',
|
||||
Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
|
||||
String $ne_include_file = '',
|
||||
@@ -983,6 +924,7 @@ class confdroid_nrpe::params (
|
||||
# directories
|
||||
$ne_main_conf_d_dir = '/etc/nrpe.d'
|
||||
$ne_run_dir = '/var/run/nrpe'
|
||||
$ne_servercert_dir = '/etc/pki/tls/servercerts'
|
||||
|
||||
# files
|
||||
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
|
||||
@@ -1001,11 +943,11 @@ class confdroid_nrpe::params (
|
||||
$ne_checkmodule_nrpe_erb = 'confdroid_nrpe/checkmodule_nrpe.erb'
|
||||
$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"
|
||||
$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'
|
||||
$ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem"
|
||||
$ne_ssl_cert_file = "${ne_servercert_dir}/nagios-cert.pem"
|
||||
$ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
|
||||
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
|
||||
$ne_ssl_privatekey_file = "${ne_servercert_dir}/nagios-key.pem"
|
||||
$ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
|
||||
$ne_ssl_ca_cert_file = "/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem"
|
||||
$ne_ssl_ca_cert_file = "${ne_servercert_dir}/ca-cert.pem"
|
||||
$ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
|
||||
|
||||
# includes must be last
|
||||
|
||||
@@ -33,4 +33,18 @@ class confdroid_nrpe::main::dirs (
|
||||
seltype => var_run_t,
|
||||
seluser => system_u,
|
||||
}
|
||||
|
||||
if $ne_enable_ssl {
|
||||
file { $ne_servercert_dir:
|
||||
ensure => directory,
|
||||
path => $ne_servercert_dir,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
seluser => system_u,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
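Review bot: The new `$ne_servercert_dir` resource is created `root:root` with `mode => '0755'`, so every local account can traverse and list the directory that will hold the NRPE private key. Only the NRPE service account needs to reach these files, so a tighter directory such as `group => $ne_user,` with `mode => '0750',` would keep the key path closed to other users; whether `$ne_user` is in scope in this class is not visible in the hunk, so confirm before applying. The condition is written `if $ne_enable_ssl {` here while files.pp uses `== true`, and using one form in both manifests would make them read the same. The class body starts outside the hunk.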
@@ -69,15 +69,14 @@ class confdroid_nrpe::main::files (
|
||||
notify => Exec['create_nrpe_pp'],
|
||||
}
|
||||
}
|
||||
|
||||
# file for ssl certificate
|
||||
if $ne_enable_ssl == true {
|
||||
file { $ne_ssl_cert_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_cert_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
owner => $ne_user,
|
||||
group => $ne_user,
|
||||
mode => '0440',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
@@ -87,9 +86,9 @@ class confdroid_nrpe::main::files (
|
||||
file { $ne_ssl_privatekey_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_privatekey_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
owner => $ne_user,
|
||||
group => $ne_user,
|
||||
mode => '0400',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
@@ -99,9 +98,9 @@ class confdroid_nrpe::main::files (
|
||||
file { $ne_ssl_ca_cert_file:
|
||||
ensure => file,
|
||||
path => $ne_ssl_ca_cert_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
owner => $ne_user,
|
||||
group => $ne_user,
|
||||
mode => '0440',
|
||||
selrange => s0,
|
||||
selrole => object_r,
|
||||
seltype => cert_t,
|
||||
|
||||
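Review bot: Making the NRPE service account the owner of `$ne_ssl_privatekey_file` and `$ne_ssl_ca_cert_file` lets any process running as `$ne_user` chmod or replace its own key and trust anchor between Puppet runs, even though the modes are read-only. Keeping root as owner and granting read access through the group gives the daemon what it needs without that, e.g. `owner => 'root', group => $ne_user, mode => '0440',` on the key in the `@@ -87` hunk and the same ownership on the two certificate resources in the `@@ -69` and `@@ -99` hunks. The generated documentation in this compare shows the key resource filling its content through `template()`, so adding `show_diff => false,` there would keep key material out of agent logs and reports when the file changes. All three resource bodies continue outside their hunks.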
@@ -30,16 +30,9 @@
|
||||
# daemon will allow plugins to finish executing before killing them off.
|
||||
# @param [String] ne_connection_timeout maximum number of seconds that the
|
||||
# NRPE daemon will wait for a connection to be established before exiting.
|
||||
# @param [String] ne_ssl_version These directives allow you to specify how to
|
||||
# use SSL/TLS.
|
||||
# @param [String] ne_ssl_use_adh This is for backward compatibility and is
|
||||
# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
|
||||
# default but will be changed in a later version.
|
||||
# @param [String] ne_ssl_cipher_list ciphers can be used. For backward
|
||||
# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
|
||||
# this version but will be changed in a later version of NRPE.
|
||||
# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
|
||||
# authority (ca) file / chain. must be full path.
|
||||
# @param [String] ne_ssl_client_certs determines client certificate usage.
|
||||
# Values: 0 = Don't ask for or require client certificates
|
||||
# 1 = Ask for client certificates
|
||||
@@ -115,12 +108,9 @@ class confdroid_nrpe::params (
|
||||
String $ne_command_timeout = '60',
|
||||
String $ne_connection_timeout = '300',
|
||||
String $ne_allow_weak_rnd_seed = '1',
|
||||
Boolean $ne_enable_ssl = true,
|
||||
String $ne_ssl_version = 'TLSv2+',
|
||||
String $ne_ssl_use_adh = '1',
|
||||
Boolean $ne_enable_ssl = false,
|
||||
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
|
||||
String $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
|
||||
String $ne_ssl_client_certs = '2',
|
||||
String $ne_ssl_client_certs = '0',
|
||||
String $ne_ssl_logging = '0x00',
|
||||
Array $ne_nasty_metachars = ["|`&><'\\[]{};\r\n"],
|
||||
String $ne_include_file = '',
|
||||
@@ -153,6 +143,7 @@ class confdroid_nrpe::params (
|
||||
# directories
|
||||
$ne_main_conf_d_dir = '/etc/nrpe.d'
|
||||
$ne_run_dir = '/var/run/nrpe'
|
||||
$ne_servercert_dir = '/etc/pki/tls/servercerts'
|
||||
|
||||
# files
|
||||
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
|
||||
@@ -171,11 +162,11 @@ class confdroid_nrpe::params (
|
||||
$ne_checkmodule_nrpe_erb = 'confdroid_nrpe/checkmodule_nrpe.erb'
|
||||
$ne_nrpe_pp_file = "${ne_main_conf_d_dir}/nrpe.pp"
|
||||
$ne_semodule_erb = 'confdroid_nrpe/semodule_nrpe.erb'
|
||||
$ne_ssl_cert_file = "/etc/pki/tls/certs/${fqdn}.crt.pem"
|
||||
$ne_ssl_cert_file = "${ne_servercert_dir}/nagios-cert.pem"
|
||||
$ne_ssl_cert_erb = 'confdroid_nrpe/ssl_cert.erb'
|
||||
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${fqdn}.key.pem"
|
||||
$ne_ssl_privatekey_file = "${ne_servercert_dir}/nagios-key.pem"
|
||||
$ne_ssl_privatekey_erb = 'confdroid_nrpe/ssl_privatekey.erb'
|
||||
$ne_ssl_ca_cert_file = "/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem"
|
||||
$ne_ssl_ca_cert_file = "${ne_servercert_dir}/ca-cert.pem"
|
||||
$ne_ssl_ca_cert_erb = 'confdroid_nrpe/ssl_ca_cert.erb'
|
||||
|
||||
# includes must be last
|
||||
|
||||
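Review bot: The defaults in the `@@ -115` hunk leave NRPE without peer authentication unless the operator overrides them: `$ne_enable_ssl` becomes `false` and `$ne_ssl_client_certs` becomes `'0'`, so even with TLS switched on the daemon does not ask for a client certificate. This reads the second line of each printed pair as the new side, which matches the README text in this compare. If `'0'` is only a workaround for the startup problem, a comment on the parameter such as `# '0' disables client certificate checks; set to '2' once the CA chain is deployed` would tell users what they give up; otherwise keeping `'2'` as the default for the TLS-enabled case is the safer choice. The parameter list starts and ends outside the hunk.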
@@ -33,11 +33,9 @@ connection_timeout=<%= @ne_connection_timeout %>
|
||||
|
||||
allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
|
||||
|
||||
<% if $ne_enable_ssl == true -%>
|
||||
ssl_version=<%= @ne_ssl_version %>
|
||||
ssl_use_adh=<%= @ne_ssl_use_adh %>
|
||||
<% if @ne_enable_ssl == true -%>
|
||||
ssl_cipher_list=<%= @ne_ssl_cipher_list %>
|
||||
ssl_cacert_file=<%= @ne_ssl_cacert_file %>
|
||||
ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
|
||||
ssl_cert_file=<%= @ne_ssl_cert_file %>
|
||||
ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
|
||||
ssl_client_certs=<%= @ne_ssl_client_certs %>
|
||||
|
||||
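Review bot: With the `ssl_version=` line removed, the rendered nrpe.cfg no longer states a minimum protocol version, so the TLS floor is whatever the installed NRPE build defaults to. The old default `'TLSv2+'` does not look like a version string NRPE accepts, which may be what kept the service from starting; if so, restoring the directive as `ssl_version=<%= @ne_ssl_version %>` with a valid default such as `'TLSv1.2+'` would keep the floor explicit instead of dropping it. That needs the `$ne_ssl_version` parameter kept in params.pp, which this compare removes. The `<% if @ne_enable_ssl == true -%>` block is closed outside the hunk.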
@@ -1,3 +1,3 @@
|
||||
<% unless @ne_ssl_ca_cert_pem.nil -%>
|
||||
<% unless @ne_ssl_ca_cert_pem.nil? || @ne_ssl_ca_cert_pem.empty? -%>
|
||||
<%= @ne_ssl_ca_cert_pem %>
|
||||
<% end -%>
|
||||
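Review bot: When `@ne_ssl_ca_cert_pem` is nil or empty the corrected guard renders nothing, and the `file` resource in files.pp still writes the result, so a node with `ne_enable_ssl` set but no PEM data ends up with an empty CA file and no catalog error. The same applies to the certificate and private-key templates in the next two hunks. Failing early in the manifest would surface the misconfiguration at compile time, e.g. `if $ne_enable_ssl and empty($ne_ssl_ca_cert_pem) { fail('ne_ssl_ca_cert_pem must be set when ne_enable_ssl is true') }`. Where that variable is declared is not visible in this compare, so the check has to sit in a class that has it in scope.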
@@ -1,3 +1,3 @@
|
||||
<% unless @ne_ssl_cert_pem.nil -%>
|
||||
<% unless @ne_ssl_cert_pem.nil? || @ne_ssl_cert_pem.empty? -%>
|
||||
<%= @ne_ssl_cert_pem %>
|
||||
<% end -%>
|
||||
@@ -1,3 +1,3 @@
|
||||
<% unless @ne_ssl_privatekey_pem.nil -%>
|
||||
<% unless @ne_ssl_privatekey_pem.nil? || @ne_ssl_privatekey_pem.empty? -%>
|
||||
<%= @ne_ssl_privatekey_pem %>
|
||||
<% end -%>
|
||||