Recommit for updates in build 43

README.md

@@ -102,14 +102,20 @@ It is very recommendable to define such commands directly within Puppet modules
 
 ## managing TLS certificates
 
+When `ne_enable_ssl` is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
+
+- `ne_ssl_ca_cert_pem`
+- `ne_ssl_cert_pem`
+- `ne_ssl_privatekey_pem`
+
+via Hiera (if you use it) or ENC.
+
 ## SELINUX
 
 All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
 
 ## Known Problems
 
-- SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the `ssl_cert_file` line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the `$ne_enable_ssl` boolean parameter, which is set to `false` by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found.  Setting this option  to `true` will include all SSL / TLS settings.
-
 ## Troubleshooting
 
 - `CHECK_NRPE: Unable to read output`: Nagios sudo access also needs Selinux to allow this. Default settings in this module take care for both through `$ne_allow_sudo` and `$ne_include_selinux`.

doc/file.README.html

@@ -193,14 +193,22 @@
 
 <h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
 
+<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
+<ul><li>
+<p><code>ne_ssl_ca_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_privatekey_pem</code></p>
+</li></ul>
+
+<p>via Hiera (if you use it) or ENC.</p>
+
 <h2 id="label-SELINUX">SELINUX</h2>
 
 <p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
 
 <h2 id="label-Known+Problems">Known Problems</h2>
-<ul><li>
-<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
-</li></ul>
 
 <h2 id="label-Troubleshooting">Troubleshooting</h2>
 <ul><li>

doc/index.html

@@ -193,14 +193,22 @@
 
 <h2 id="label-managing+TLS+certificates">managing TLS certificates</h2>
 
+<p>When <code>ne_enable_ssl</code> is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:</p>
+<ul><li>
+<p><code>ne_ssl_ca_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_cert_pem</code></p>
+</li><li>
+<p><code>ne_ssl_privatekey_pem</code></p>
+</li></ul>
+
+<p>via Hiera (if you use it) or ENC.</p>
+
 <h2 id="label-SELINUX">SELINUX</h2>
 
 <p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
 
 <h2 id="label-Known+Problems">Known Problems</h2>
-<ul><li>
-<p>SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the <code>ssl_cert_file</code> line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the <code>$ne_enable_ssl</code> boolean parameter, which is set to <code>false</code> by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to <code>true</code> will include all SSL / TLS settings.</p>
-</li></ul>
 
 <h2 id="label-Troubleshooting">Troubleshooting</h2>
 <ul><li>

doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html

@@ -207,8 +207,7 @@
 109
 110
 111
-112
+112</pre>
-113</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -251,7 +250,6 @@ class confdroid_nrpe::main::files (
   }
 
   if $ne_allow_sudo == true {
-
     file { $ne_sudo_file:
       ensure   =&gt; file,
       path     =&gt; $ne_sudo_file,
@@ -279,45 +277,45 @@ class confdroid_nrpe::main::files (
       content  =&gt; template($ne_nrpe_te_erb),
       notify   =&gt; Exec[&#39;create_nrpe_pp&#39;],
     }
+  }
 
-    # file for ssl certificate
+  # file for ssl certificate
-    if $ne_enable_ssl == true {
+  if $ne_enable_ssl == true {
-      file { $ne_ssl_cert_file:
+    file { $ne_ssl_cert_file:
-        ensure   =&gt; file,
+      ensure   =&gt; file,
-        path     =&gt; $ne_ssl_cert_file,
+      path     =&gt; $ne_ssl_cert_file,
-        owner    =&gt; &#39;root&#39;,
+      owner    =&gt; &#39;root&#39;,
-        group    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
-        mode     =&gt; &#39;0644&#39;,
+      mode     =&gt; &#39;0644&#39;,
-        selrange =&gt; s0,
+      selrange =&gt; s0,
-        selrole  =&gt; object_r,
+      selrole  =&gt; object_r,
-        seltype  =&gt; cert_t,
+      seltype  =&gt; cert_t,
-        seluser  =&gt; system_u,
+      seluser  =&gt; system_u,
-        content  =&gt; template($ne_ssl_cert_erb),
+      content  =&gt; template($ne_ssl_cert_erb),
-      }
+    }
-      file { $ne_ssl_privatekey_file:
+    file { $ne_ssl_privatekey_file:
-        ensure   =&gt; file,
+      ensure   =&gt; file,
-        path     =&gt; $ne_ssl_privatekey_file,
+      path     =&gt; $ne_ssl_privatekey_file,
-        owner    =&gt; &#39;root&#39;,
+      owner    =&gt; &#39;root&#39;,
-        group    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
-        mode     =&gt; &#39;0600&#39;,
+      mode     =&gt; &#39;0600&#39;,
-        selrange =&gt; s0,
+      selrange =&gt; s0,
-        selrole  =&gt; object_r,
+      selrole  =&gt; object_r,
-        seltype  =&gt; cert_t,
+      seltype  =&gt; cert_t,
-        seluser  =&gt; system_u,
+      seluser  =&gt; system_u,
-        content  =&gt; template($ne_ssl_privatekey_erb),
+      content  =&gt; template($ne_ssl_privatekey_erb),
-      }
+    }
-      file { $ne_ssl_ca_cert_file:
+    file { $ne_ssl_ca_cert_file:
-        ensure   =&gt; file,
+      ensure   =&gt; file,
-        path     =&gt; $ne_ssl_ca_cert_file,
+      path     =&gt; $ne_ssl_ca_cert_file,
-        owner    =&gt; &#39;root&#39;,
+      owner    =&gt; &#39;root&#39;,
-        group    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
-        mode     =&gt; &#39;0644&#39;,
+      mode     =&gt; &#39;0644&#39;,
-        selrange =&gt; s0,
+      selrange =&gt; s0,
-        selrole  =&gt; object_r,
+      selrole  =&gt; object_r,
-        seltype  =&gt; cert_t,
+      seltype  =&gt; cert_t,
-        seluser  =&gt; system_u,
+      seluser  =&gt; system_u,
-        content  =&gt; template($ne_ssl_ca_cert_erb),
+      content  =&gt; template($ne_ssl_ca_cert_erb),
-      }
     }
   }
 }</pre>

doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html

@@ -699,7 +699,7 @@ inherited by all classes except defines.
         <span class='type'>(<tt>Boolean</tt>)</span>
       
       
-        <em class="default">(defaults to: <tt>false</tt>)</em>
+        <em class="default">(defaults to: <tt>true</tt>)</em>
       
       
         &mdash;
@@ -945,7 +945,7 @@ class confdroid_nrpe::params (
   String $ne_command_timeout              = &#39;60&#39;,
   String $ne_connection_timeout           = &#39;300&#39;,
   String $ne_allow_weak_rnd_seed          = &#39;1&#39;,
-  Boolean $ne_enable_ssl                  = false,
+  Boolean $ne_enable_ssl                  = true,
   String $ne_ssl_version                  = &#39;TLSv2+&#39;,
   String $ne_ssl_use_adh                  = &#39;1&#39;,
   String $ne_ssl_cipher_list              = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,

manifests/main/files.pp

@@ -41,7 +41,6 @@ class confdroid_nrpe::main::files (
   }
 
   if $ne_allow_sudo == true {
-
     file { $ne_sudo_file:
       ensure   => file,
       path     => $ne_sudo_file,
@@ -69,45 +68,45 @@ class confdroid_nrpe::main::files (
       content  => template($ne_nrpe_te_erb),
       notify   => Exec['create_nrpe_pp'],
     }
+  }
 
-    # file for ssl certificate
+  # file for ssl certificate
-    if $ne_enable_ssl == true {
+  if $ne_enable_ssl == true {
-      file { $ne_ssl_cert_file:
+    file { $ne_ssl_cert_file:
-        ensure   => file,
+      ensure   => file,
-        path     => $ne_ssl_cert_file,
+      path     => $ne_ssl_cert_file,
-        owner    => 'root',
+      owner    => 'root',
-        group    => 'root',
+      group    => 'root',
-        mode     => '0644',
+      mode     => '0644',
-        selrange => s0,
+      selrange => s0,
-        selrole  => object_r,
+      selrole  => object_r,
-        seltype  => cert_t,
+      seltype  => cert_t,
-        seluser  => system_u,
+      seluser  => system_u,
-        content  => template($ne_ssl_cert_erb),
+      content  => template($ne_ssl_cert_erb),
-      }
+    }
-      file { $ne_ssl_privatekey_file:
+    file { $ne_ssl_privatekey_file:
-        ensure   => file,
+      ensure   => file,
-        path     => $ne_ssl_privatekey_file,
+      path     => $ne_ssl_privatekey_file,
-        owner    => 'root',
+      owner    => 'root',
-        group    => 'root',
+      group    => 'root',
-        mode     => '0600',
+      mode     => '0600',
-        selrange => s0,
+      selrange => s0,
-        selrole  => object_r,
+      selrole  => object_r,
-        seltype  => cert_t,
+      seltype  => cert_t,
-        seluser  => system_u,
+      seluser  => system_u,
-        content  => template($ne_ssl_privatekey_erb),
+      content  => template($ne_ssl_privatekey_erb),
-      }
+    }
-      file { $ne_ssl_ca_cert_file:
+    file { $ne_ssl_ca_cert_file:
-        ensure   => file,
+      ensure   => file,
-        path     => $ne_ssl_ca_cert_file,
+      path     => $ne_ssl_ca_cert_file,
-        owner    => 'root',
+      owner    => 'root',
-        group    => 'root',
+      group    => 'root',
-        mode     => '0644',
+      mode     => '0644',
-        selrange => s0,
+      selrange => s0,
-        selrole  => object_r,
+      selrole  => object_r,
-        seltype  => cert_t,
+      seltype  => cert_t,
-        seluser  => system_u,
+      seluser  => system_u,
-        content  => template($ne_ssl_ca_cert_erb),
+      content  => template($ne_ssl_ca_cert_erb),
-      }
     }
   }
 }

manifests/params.pp

@@ -115,7 +115,7 @@ class confdroid_nrpe::params (
   String $ne_command_timeout              = '60',
   String $ne_connection_timeout           = '300',
   String $ne_allow_weak_rnd_seed          = '1',
-  Boolean $ne_enable_ssl                  = false,
+  Boolean $ne_enable_ssl                  = true,
   String $ne_ssl_version                  = 'TLSv2+',
   String $ne_ssl_use_adh                  = '1',
   String $ne_ssl_cipher_list              = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',