Recommit for updates in build 55

Jenkinsfile

@@ -1,124 +0,0 @@
-pipeline {
-    agent any
-
-    post {
-        always {
-            deleteDir() /* clean up our workspace */
-        }
-        success {
-            updateGitlabCommitStatus state: 'success'
-        }
-        failure {
-            updateGitlabCommitStatus state: 'failed'
-            step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
-        }
-    }
-
-    options {
-          gitLabConnection('gitlab.confdroid.com')
-    }
-
-    stages {
-
-      stage('pull master') {
-        steps {
-          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''
-                git config user.name "Jenkins Server"
-                git config user.email jenkins@confdroid.com
-                # Ensure we're on the development branch (triggered by push)
-                git checkout development
-                # Create jenkins branch from development
-                git checkout -b jenkins-build-$BUILD_NUMBER
-                # Optionally merge master into jenkins to ensure compatibility
-                git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
-            '''
-        }
-      }
-    }
-
-      stage('puppet parser') {
-        steps {
-          sh '''for file in $(find . -iname \'*.pp\'); do
-            /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
-            done;'''
-          }
-        }
-
-      stage('check templates') {
-        steps{
-          sh '''for file in $(find . -iname \'*.erb\');
-            do erb -P -x -T "-" $file | ruby -c || exit 1;
-            done;'''
-        }
-      }
-
-      stage('puppet-lint') {
-        steps {
-          sh '''/usr/local/bin/puppet-lint . \\
-                --no-variable_scope-check \\
-                || { echo "Puppet lint failed"; exit 1; }
-            '''
-          }
-        }
-
-      stage('SonarScan') {
-         steps {
-            withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
-              sh '''
-              /opt/sonar-scanner/bin/sonar-scanner \
-                -Dsonar.projectKey=confdroid_nrpe \
-                -Dsonar.sources=. \
-                -Dsonar.host.url=https://sonarqube.confdroid.com \
-                -Dsonar.token=$SONAR_TOKEN
-                '''
-              }
-            }
-          }
-
-      stage('create Puppet documentation') {
-        steps {
-          sh '/opt/puppetlabs/bin/puppet strings'
-        }
-      }
-
-      stage('update repo') {
-        steps {
-          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''
-                git config user.name "Jenkins Server"
-                git config user.email jenkins@confdroid.com
-                git rm -r --cached .vscode || echo "No .vscode to remove from git"
-                git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
-                git push origin HEAD:master
-            '''
-        }
-      }
-    }
-
-      stage('Mirror to Gitea') {
-        steps {
-          withCredentials([usernamePassword(
-            credentialsId: 'Jenkins-gitea',
-            usernameVariable: 'GITEA_USER',
-            passwordVariable: 'GITEA_TOKEN')]) {
-            script {
-              // Checkout from GitLab (already done implicitly)
-                sh '''
-                  git checkout master
-                  git pull origin master
-                  git branch -D development
-                  git branch -D jenkins-build-$BUILD_NUMBER
-                  git rm -f Jenkinsfile
-                  git rm -r --cached .vscode || echo "No .vscode to remove from git"
-                  git commit --amend --no-edit --allow-empty
-                  git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_nrpe.git
-                  git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
-                  push master --mirror
-                  '''
-          }
-        }
-      }
-    }
-  }
-}

README.md

@@ -102,13 +102,15 @@ It is very recommendable to define such commands directly within Puppet modules
 
 ## managing TLS certificates
 
-When `ne_enable_ssl` is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
+When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
 
 - `ne_ssl_ca_cert_pem`
 - `ne_ssl_cert_pem`
 - `ne_ssl_privatekey_pem`
 
-via Hiera (if you use it) or ENC.
+via Hiera (if you use it) or ENC. At the ENC need  to add confdroid_nrpe::params and set those values.
+
+If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
 
 ## SELINUX
 

doc/file.README.html

@@ -193,7 +193,7 @@
 
 <h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
 
-<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
+<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
 <ul><li>
 <p><code>ne_ssl_ca_cert_pem</code></p>
 </li><li>
@@ -202,7 +202,9 @@
 <p><code>ne_ssl_privatekey_pem</code></p>
 </li></ul>
 
-<p>via Hiera (if you use it) or ENC.</p>
+<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
+
+<p>If you don’t need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
 
 <h2 id="label-SELINUX">SELINUX</h2>
 

doc/index.html

@@ -193,7 +193,7 @@
 
 <h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
 
-<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
+<p>When <code>ne_enable_ssl</code> is enabled, the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
 <ul><li>
 <p><code>ne_ssl_ca_cert_pem</code></p>
 </li><li>
@@ -202,7 +202,9 @@
 <p><code>ne_ssl_privatekey_pem</code></p>
 </li></ul>
 
-<p>via Hiera (if you use it) or ENC.</p>
+<p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
+
+<p>If you don’t need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
 
 <h2 id="label-SELINUX">SELINUX</h2>
 

doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Adirs.html

@@ -131,7 +131,21 @@
 33
 34
 35
-36</pre>
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/main/dirs.pp', line 6</span>
@@ -166,6 +180,20 @@ class confdroid_nrpe::main::dirs (
     seltype  =&gt; var_run_t,
     seluser  =&gt; system_u,
   }
+
+  if $ne_enable_ssl {
+    file { $ne_servercert_dir:
+      ensure   =&gt; directory,
+      path     =&gt; $ne_servercert_dir,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0755&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; cert_t,
+      seluser  =&gt; system_u,
+    }
+  }
 }</pre>
       </td>
     </tr>

doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html

@@ -206,8 +206,7 @@
 108
 109
 110
-111
+111</pre>
-112</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -278,15 +277,14 @@ class confdroid_nrpe::main::files (
       notify   =&gt; Exec[&#39;create_nrpe_pp&#39;],
     }
   }
-
   # file for ssl certificate
   if $ne_enable_ssl == true {
     file { $ne_ssl_cert_file:
       ensure   =&gt; file,
       path     =&gt; $ne_ssl_cert_file,
-      owner    =&gt; &#39;root&#39;,
+      owner    =&gt; $ne_user,
-      group    =&gt; &#39;root&#39;,
+      group    =&gt; $ne_user,
-      mode     =&gt; &#39;0644&#39;,
+      mode     =&gt; &#39;0440&#39;,
       selrange =&gt; s0,
       selrole  =&gt; object_r,
       seltype  =&gt; cert_t,
@@ -296,9 +294,9 @@ class confdroid_nrpe::main::files (
     file { $ne_ssl_privatekey_file:
       ensure   =&gt; file,
       path     =&gt; $ne_ssl_privatekey_file,
-      owner    =&gt; &#39;root&#39;,
+      owner    =&gt; $ne_user,
-      group    =&gt; &#39;root&#39;,
+      group    =&gt; $ne_user,
-      mode     =&gt; &#39;0600&#39;,
+      mode     =&gt; &#39;0400&#39;,
       selrange =&gt; s0,
       selrole  =&gt; object_r,
       seltype  =&gt; cert_t,
@@ -308,9 +306,9 @@ class confdroid_nrpe::main::files (
     file { $ne_ssl_ca_cert_file:
       ensure   =&gt; file,
       path     =&gt; $ne_ssl_ca_cert_file,
-      owner    =&gt; &#39;root&#39;,
+      owner    =&gt; $ne_user,
-      group    =&gt; &#39;root&#39;,
+      group    =&gt; $ne_user,
-      mode     =&gt; &#39;0644&#39;,
+      mode     =&gt; &#39;0440&#39;,
       selrange =&gt; s0,
       selrole  =&gt; object_r,
       seltype  =&gt; cert_t,

doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html

@@ -349,42 +349,6 @@ inherited by all classes except defines.
       
     </li>
   
-    <li>
-      
-        <span class='name'>ne_ssl_version</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;TLSv2+&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>These directives allow you to specify how to use SSL/TLS.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ne_ssl_use_adh</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;1&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>This is for backward compatibility and is DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the default but will be changed in a later version.</p>
-</div>
-      
-    </li>
-  
     <li>
       
         <span class='name'>ne_ssl_cipher_list</span>
@@ -403,24 +367,6 @@ inherited by all classes except defines.
       
     </li>
   
-    <li>
-      
-        <span class='name'>ne_ssl_cacert_file</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-        <em class="default">(defaults to: <tt>&#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;</tt>)</em>
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>path and name of the ssl certificate authority (ca) file / chain. must be full path.</p>
-</div>
-      
-    </li>
-  
     <li>
       
         <span class='name'>ne_ssl_client_certs</span>
@@ -429,7 +375,7 @@ inherited by all classes except defines.
         <span class='type'>(<tt>String</tt>)</span>
       
       
-        <em class="default">(defaults to: <tt>&#39;2&#39;</tt>)</em>
+        <em class="default">(defaults to: <tt>&#39;0&#39;</tt>)</em>
       
       
         &mdash;
@@ -699,7 +645,7 @@ inherited by all classes except defines.
         <span class='type'>(<tt>Boolean</tt>)</span>
       
       
-        <em class="default">(defaults to: <tt>true</tt>)</em>
+        <em class="default">(defaults to: <tt>false</tt>)</em>
       
       
         &mdash;
@@ -817,6 +763,13 @@ inherited by all classes except defines.
         <pre class="lines">
 
 
+82
+83
+84
+85
+86
+87
+88
 89
 90
 91
@@ -902,19 +855,10 @@ inherited by all classes except defines.
 171
 172
 173
-174
+174</pre>
-175
-176
-177
-178
-179
-180
-181
-182
-183</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 89</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 82</span>
 
 class confdroid_nrpe::params (
 
@@ -945,12 +889,9 @@ class confdroid_nrpe::params (
   String $ne_command_timeout              = &#39;60&#39;,
   String $ne_connection_timeout           = &#39;300&#39;,
   String $ne_allow_weak_rnd_seed          = &#39;1&#39;,
-  Boolean $ne_enable_ssl                  = true,
+  Boolean $ne_enable_ssl                  = false,
-  String $ne_ssl_version                  = &#39;TLSv2+&#39;,
-  String $ne_ssl_use_adh                  = &#39;1&#39;,
   String $ne_ssl_cipher_list              = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
-  String $ne_ssl_cacert_file              = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
+  String $ne_ssl_client_certs             = &#39;0&#39;,
-  String $ne_ssl_client_certs             = &#39;2&#39;,
   String $ne_ssl_logging                  = &#39;0x00&#39;,
   Array $ne_nasty_metachars               = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
   String $ne_include_file                 = &#39;&#39;,
@@ -983,6 +924,7 @@ class confdroid_nrpe::params (
 # directories
   $ne_main_conf_d_dir         = &#39;/etc/nrpe.d&#39;
   $ne_run_dir                 = &#39;/var/run/nrpe&#39;
+  $ne_servercert_dir          = &#39;/etc/pki/tls/servercerts&#39;
 
 # files
   $ne_main_conf_file          = &#39;/etc/nagios/nrpe.cfg&#39;
@@ -1001,11 +943,11 @@ class confdroid_nrpe::params (
   $ne_checkmodule_nrpe_erb    = &#39;confdroid_nrpe/checkmodule_nrpe.erb&#39;
   $ne_nrpe_pp_file            = &quot;${ne_main_conf_d_dir}/nrpe.pp&quot;
   $ne_semodule_erb            =  &#39;confdroid_nrpe/semodule_nrpe.erb&#39;
-  $ne_ssl_cert_file           = &quot;/etc/pki/tls/certs/${fqdn}.crt.pem&quot;
+  $ne_ssl_cert_file           = &quot;${ne_servercert_dir}/nagios-cert.pem&quot;
   $ne_ssl_cert_erb            = &#39;confdroid_nrpe/ssl_cert.erb&#39;
-  $ne_ssl_privatekey_file     = &quot;/etc/pki/tls/private/${fqdn}.key.pem&quot;
+  $ne_ssl_privatekey_file     = &quot;${ne_servercert_dir}/nagios-key.pem&quot;
   $ne_ssl_privatekey_erb      = &#39;confdroid_nrpe/ssl_privatekey.erb&#39;
-  $ne_ssl_ca_cert_file        = &quot;/etc/pki/tls/certs/${fqdn}-ca-chain.crt.pem&quot;
+  $ne_ssl_ca_cert_file        = &quot;${ne_servercert_dir}/ca-cert.pem&quot;
   $ne_ssl_ca_cert_erb         = &#39;confdroid_nrpe/ssl_ca_cert.erb&#39;
 
 # includes must be last

manifests/main/dirs.pp

@@ -33,4 +33,18 @@ class confdroid_nrpe::main::dirs (
     seltype  => var_run_t,
     seluser  => system_u,
   }
+
+  if $ne_enable_ssl {
+    file { $ne_servercert_dir:
+      ensure   => directory,
+      path     => $ne_servercert_dir,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0755',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => cert_t,
+      seluser  => system_u,
+    }
+  }
 }

manifests/main/files.pp

@@ -69,15 +69,14 @@ class confdroid_nrpe::main::files (
       notify   => Exec['create_nrpe_pp'],
     }
   }
-
   # file for ssl certificate
   if $ne_enable_ssl == true {
     file { $ne_ssl_cert_file:
       ensure   => file,
       path     => $ne_ssl_cert_file,
-      owner    => 'root',
+      owner    => $ne_user,
-      group    => 'root',
+      group    => $ne_user,
-      mode     => '0644',
+      mode     => '0440',
       selrange => s0,
       selrole  => object_r,
       seltype  => cert_t,
@@ -87,9 +86,9 @@ class confdroid_nrpe::main::files (
     file { $ne_ssl_privatekey_file:
       ensure   => file,
       path     => $ne_ssl_privatekey_file,
-      owner    => 'root',
+      owner    => $ne_user,
-      group    => 'root',
+      group    => $ne_user,
-      mode     => '0600',
+      mode     => '0400',
       selrange => s0,
       selrole  => object_r,
       seltype  => cert_t,
@@ -99,9 +98,9 @@ class confdroid_nrpe::main::files (
     file { $ne_ssl_ca_cert_file:
       ensure   => file,
       path     => $ne_ssl_ca_cert_file,
-      owner    => 'root',
+      owner    => $ne_user,
-      group    => 'root',
+      group    => $ne_user,
-      mode     => '0644',
+      mode     => '0440',
       selrange => s0,
       selrole  => object_r,
       seltype  => cert_t,

manifests/params.pp

@@ -30,16 +30,9 @@
 #   daemon will allow plugins to finish executing before killing them off.
 # @param [String] ne_connection_timeout maximum number of seconds that the
 #   NRPE daemon will wait for a connection to be established before exiting.
-# @param [String] ne_ssl_version These directives allow you to specify how to
-#   use SSL/TLS.
-# @param [String] ne_ssl_use_adh This is for backward compatibility and is
-#   DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
-#   default but will be changed in a later version.
 # @param [String] ne_ssl_cipher_list ciphers can be used. For backward
 #   compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
 #   this version but will be changed in a later version of NRPE.
-# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
-#   authority  (ca) file / chain. must be full path.
 # @param [String] ne_ssl_client_certs determines client certificate usage.
 #   Values: 0 = Don't ask for or require client certificates
 #   1 = Ask for client certificates
@@ -115,12 +108,9 @@ class confdroid_nrpe::params (
   String $ne_command_timeout              = '60',
   String $ne_connection_timeout           = '300',
   String $ne_allow_weak_rnd_seed          = '1',
-  Boolean $ne_enable_ssl                  = true,
+  Boolean $ne_enable_ssl                  = false,
-  String $ne_ssl_version                  = 'TLSv2+',
-  String $ne_ssl_use_adh                  = '1',
   String $ne_ssl_cipher_list              = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
-  String $ne_ssl_cacert_file              = '/etc/pki/tls/certs/ca-chain.crt.pem',
+  String $ne_ssl_client_certs             = '0',
-  String $ne_ssl_client_certs             = '2',
   String $ne_ssl_logging                  = '0x00',
   Array $ne_nasty_metachars               = ["|`&><'\\[]{};\r\n"],
   String $ne_include_file                 = '',
@@ -153,6 +143,7 @@ class confdroid_nrpe::params (
 # directories
   $ne_main_conf_d_dir         = '/etc/nrpe.d'
   $ne_run_dir                 = '/var/run/nrpe'
+  $ne_servercert_dir          = '/etc/pki/tls/servercerts'
 
 # files
   $ne_main_conf_file          = '/etc/nagios/nrpe.cfg'
@@ -171,11 +162,11 @@ class confdroid_nrpe::params (
   $ne_checkmodule_nrpe_erb    = 'confdroid_nrpe/checkmodule_nrpe.erb'
   $ne_nrpe_pp_file            = "${ne_main_conf_d_dir}/nrpe.pp"
   $ne_semodule_erb            =  'confdroid_nrpe/semodule_nrpe.erb'
-  $ne_ssl_cert_file           = '/etc/pki/tls/certs/nagios.crt.pem'
+  $ne_ssl_cert_file           = "${ne_servercert_dir}/nagios-cert.pem"
   $ne_ssl_cert_erb            = 'confdroid_nrpe/ssl_cert.erb'
-  $ne_ssl_privatekey_file     = '/etc/pki/tls/private/nagios.key.pem'
+  $ne_ssl_privatekey_file     = "${ne_servercert_dir}/nagios-key.pem"
   $ne_ssl_privatekey_erb      = 'confdroid_nrpe/ssl_privatekey.erb'
-  $ne_ssl_ca_cert_file        = '/etc/pki/tls/certs/ca-chain.crt.pem'
+  $ne_ssl_ca_cert_file        = "${ne_servercert_dir}/ca-cert.pem"
   $ne_ssl_ca_cert_erb         = 'confdroid_nrpe/ssl_ca_cert.erb'
 
 # includes must be last

templates/nrpe_cfg.erb

@@ -33,11 +33,9 @@ connection_timeout=<%= @ne_connection_timeout %>
 
 allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
 
-<% if $ne_enable_ssl == true -%>
+<% if @ne_enable_ssl == true -%>
-ssl_version=<%= @ne_ssl_version %>
-ssl_use_adh=<%= @ne_ssl_use_adh %>
 ssl_cipher_list=<%= @ne_ssl_cipher_list %>
-ssl_cacert_file=<%= @ne_ssl_cacert_file %>
+ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
 ssl_cert_file=<%= @ne_ssl_cert_file %>
 ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
 ssl_client_certs=<%= @ne_ssl_client_certs %>