Recommit for updates in build 47

2026-03-15 15:44:25 +01:00
10 changed files with 114 additions and 90 deletions
--- a/README.md
+++ b/README.md
@@ -110,8 +110,6 @@ When `ne_enable_ssl` is enabled, the certificates for the ca (root if standalone
 via Hiera (if you use it) or ENC. At the ENC need  to add confdroid_nrpe::params and set those values.
 If you don't need TLS encryption, leave `ne_enable_ssl` to the default value of `false`.
 ## SELINUX
 All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -204,8 +204,6 @@
 <p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
 <p>If you don’t need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
 <h2 id="label-SELINUX">SELINUX</h2>
 <p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
--- a/doc/index.html
+++ b/doc/index.html
@@ -204,8 +204,6 @@
 <p>via Hiera (if you use it) or ENC. At the ENC need to add confdroid_nrpe::params and set those values.</p>
 <p>If you don’t need TLS encryption, leave <code>ne_enable_ssl</code> to the default value of <code>false</code>.</p>
 <h2 id="label-SELINUX">SELINUX</h2>
 <p>All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.</p>
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Adirs.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Adirs.html
@@ -131,21 +131,7 @@
 33
 34
 35
-36
+36</pre>
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50</pre>
      </td>
      <td>
        <pre class="code"><span class="info file"># File 'manifests/main/dirs.pp', line 6</span>
@@ -180,20 +166,6 @@ class confdroid_nrpe::main::dirs (
    seltype  =&gt; var_run_t,
    seluser  =&gt; system_u,
  }
  if $ne_enable_ssl {
    file { $ne_servercert_dir:
      ensure   =&gt; directory,
      path     =&gt; $ne_servercert_dir,
      owner    =&gt; &#39;root&#39;,
      group    =&gt; &#39;root&#39;,
      mode     =&gt; &#39;0755&#39;,
      selrange =&gt; s0,
      selrole  =&gt; object_r,
      seltype  =&gt; cert_t,
      seluser  =&gt; system_u,
    }
  }
 }</pre>
      </td>
    </tr>
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Amain_3A_3Afiles.html
@@ -206,7 +206,8 @@
 108
 109
 110
-111</pre>
+111
 112</pre>
      </td>
      <td>
        <pre class="code"><span class="info file"># File 'manifests/main/files.pp', line 6</span>
@@ -277,14 +278,15 @@ class confdroid_nrpe::main::files (
      notify   =&gt; Exec[&#39;create_nrpe_pp&#39;],
    }
  }
  # file for ssl certificate
  if $ne_enable_ssl == true {
    file { $ne_ssl_cert_file:
      ensure   =&gt; file,
      path     =&gt; $ne_ssl_cert_file,
-      owner    =&gt; $ne_user,
+      owner    =&gt; &#39;root&#39;,
-      group    =&gt; $ne_user,
+      group    =&gt; &#39;root&#39;,
-      mode     =&gt; &#39;0440&#39;,
+      mode     =&gt; &#39;0644&#39;,
      selrange =&gt; s0,
      selrole  =&gt; object_r,
      seltype  =&gt; cert_t,
@@ -294,9 +296,9 @@ class confdroid_nrpe::main::files (
    file { $ne_ssl_privatekey_file:
      ensure   =&gt; file,
      path     =&gt; $ne_ssl_privatekey_file,
-      owner    =&gt; $ne_user,
+      owner    =&gt; &#39;root&#39;,
-      group    =&gt; $ne_user,
+      group    =&gt; &#39;root&#39;,
-      mode     =&gt; &#39;0400&#39;,
+      mode     =&gt; &#39;0600&#39;,
      selrange =&gt; s0,
      selrole  =&gt; object_r,
      seltype  =&gt; cert_t,
@@ -306,9 +308,9 @@ class confdroid_nrpe::main::files (
    file { $ne_ssl_ca_cert_file:
      ensure   =&gt; file,
      path     =&gt; $ne_ssl_ca_cert_file,
-      owner    =&gt; $ne_user,
+      owner    =&gt; &#39;root&#39;,
-      group    =&gt; $ne_user,
+      group    =&gt; &#39;root&#39;,
-      mode     =&gt; &#39;0440&#39;,
+      mode     =&gt; &#39;0644&#39;,
      selrange =&gt; s0,
      selrole  =&gt; object_r,
      seltype  =&gt; cert_t,
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
@@ -349,6 +349,42 @@ inherited by all classes except defines.
    </li>
    <li>
        <span class='name'>ne_ssl_version</span>
        <span class='type'>(<tt>String</tt>)</span>
        <em class="default">(defaults to: <tt>&#39;TLSv2+&#39;</tt>)</em>
        &mdash;
        <div class='inline'>
 <p>These directives allow you to specify how to use SSL/TLS.</p>
 </div>
    </li>
    <li>
        <span class='name'>ne_ssl_use_adh</span>
        <span class='type'>(<tt>String</tt>)</span>
        <em class="default">(defaults to: <tt>&#39;1&#39;</tt>)</em>
        &mdash;
        <div class='inline'>
 <p>This is for backward compatibility and is DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the default but will be changed in a later version.</p>
 </div>
    </li>
    <li>
        <span class='name'>ne_ssl_cipher_list</span>
@@ -367,6 +403,24 @@ inherited by all classes except defines.
    </li>
    <li>
        <span class='name'>ne_ssl_cacert_file</span>
        <span class='type'>(<tt>String</tt>)</span>
        <em class="default">(defaults to: <tt>&#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;</tt>)</em>
        &mdash;
        <div class='inline'>
 <p>path and name of the ssl certificate authority (ca) file / chain. must be full path.</p>
 </div>
    </li>
    <li>
        <span class='name'>ne_ssl_client_certs</span>
@@ -375,7 +429,7 @@ inherited by all classes except defines.
        <span class='type'>(<tt>String</tt>)</span>
-        <em class="default">(defaults to: <tt>&#39;0&#39;</tt>)</em>
+        <em class="default">(defaults to: <tt>&#39;2&#39;</tt>)</em>
        &mdash;
@@ -763,13 +817,6 @@ inherited by all classes except defines.
        <pre class="lines">
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
@@ -855,10 +902,19 @@ inherited by all classes except defines.
 171
 172
 173
-174</pre>
+174
 175
 176
 177
 178
 179
 180
 181
 182
 183</pre>
      </td>
      <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 82</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 89</span>
 class confdroid_nrpe::params (
@@ -890,8 +946,11 @@ class confdroid_nrpe::params (
  String $ne_connection_timeout           = &#39;300&#39;,
  String $ne_allow_weak_rnd_seed          = &#39;1&#39;,
  Boolean $ne_enable_ssl                  = false,
  String $ne_ssl_version                  = &#39;TLSv2+&#39;,
  String $ne_ssl_use_adh                  = &#39;1&#39;,
  String $ne_ssl_cipher_list              = &#39;ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH&#39;,
-  String $ne_ssl_client_certs             = &#39;0&#39;,
+  String $ne_ssl_cacert_file              = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;,
  String $ne_ssl_client_certs             = &#39;2&#39;,
  String $ne_ssl_logging                  = &#39;0x00&#39;,
  Array $ne_nasty_metachars               = [&quot;|`&amp;&gt;&lt;&#39;\\[]{};\r\n&quot;],
  String $ne_include_file                 = &#39;&#39;,
@@ -924,7 +983,6 @@ class confdroid_nrpe::params (
 # directories
  $ne_main_conf_d_dir         = &#39;/etc/nrpe.d&#39;
  $ne_run_dir                 = &#39;/var/run/nrpe&#39;
  $ne_servercert_dir          = &#39;/etc/pki/tls/servercerts&#39;
 # files
  $ne_main_conf_file          = &#39;/etc/nagios/nrpe.cfg&#39;
@@ -943,11 +1001,11 @@ class confdroid_nrpe::params (
  $ne_checkmodule_nrpe_erb    = &#39;confdroid_nrpe/checkmodule_nrpe.erb&#39;
  $ne_nrpe_pp_file            = &quot;${ne_main_conf_d_dir}/nrpe.pp&quot;
  $ne_semodule_erb            =  &#39;confdroid_nrpe/semodule_nrpe.erb&#39;
-  $ne_ssl_cert_file           = &quot;${ne_servercert_dir}/nagios-cert.pem&quot;
+  $ne_ssl_cert_file           = &#39;/etc/pki/tls/certs/nagios.crt.pem&#39;
  $ne_ssl_cert_erb            = &#39;confdroid_nrpe/ssl_cert.erb&#39;
-  $ne_ssl_privatekey_file     = &quot;${ne_servercert_dir}/nagios-key.pem&quot;
+  $ne_ssl_privatekey_file     = &#39;/etc/pki/tls/private/nagios.key.pem&#39;
  $ne_ssl_privatekey_erb      = &#39;confdroid_nrpe/ssl_privatekey.erb&#39;
-  $ne_ssl_ca_cert_file        = &quot;${ne_servercert_dir}/ca-cert.pem&quot;
+  $ne_ssl_ca_cert_file        = &#39;/etc/pki/tls/certs/ca-chain.crt.pem&#39;
  $ne_ssl_ca_cert_erb         = &#39;confdroid_nrpe/ssl_ca_cert.erb&#39;
 # includes must be last
--- a/manifests/main/dirs.pp
+++ b/manifests/main/dirs.pp
@@ -33,18 +33,4 @@ class confdroid_nrpe::main::dirs (
    seltype  => var_run_t,
    seluser  => system_u,
  }
  if $ne_enable_ssl {
    file { $ne_servercert_dir:
      ensure   => directory,
      path     => $ne_servercert_dir,
      owner    => 'root',
      group    => 'root',
      mode     => '0755',
      selrange => s0,
      selrole  => object_r,
      seltype  => cert_t,
      seluser  => system_u,
    }
  }
 }
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -69,14 +69,15 @@ class confdroid_nrpe::main::files (
      notify   => Exec['create_nrpe_pp'],
    }
  }
  # file for ssl certificate
  if $ne_enable_ssl == true {
    file { $ne_ssl_cert_file:
      ensure   => file,
      path     => $ne_ssl_cert_file,
-      owner    => $ne_user,
+      owner    => 'root',
-      group    => $ne_user,
+      group    => 'root',
-      mode     => '0440',
+      mode     => '0644',
      selrange => s0,
      selrole  => object_r,
      seltype  => cert_t,
@@ -86,9 +87,9 @@ class confdroid_nrpe::main::files (
    file { $ne_ssl_privatekey_file:
      ensure   => file,
      path     => $ne_ssl_privatekey_file,
-      owner    => $ne_user,
+      owner    => 'root',
-      group    => $ne_user,
+      group    => 'root',
-      mode     => '0400',
+      mode     => '0600',
      selrange => s0,
      selrole  => object_r,
      seltype  => cert_t,
@@ -98,9 +99,9 @@ class confdroid_nrpe::main::files (
    file { $ne_ssl_ca_cert_file:
      ensure   => file,
      path     => $ne_ssl_ca_cert_file,
-      owner    => $ne_user,
+      owner    => 'root',
-      group    => $ne_user,
+      group    => 'root',
-      mode     => '0440',
+      mode     => '0644',
      selrange => s0,
      selrole  => object_r,
      seltype  => cert_t,
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -30,9 +30,16 @@
 #   daemon will allow plugins to finish executing before killing them off.
 # @param [String] ne_connection_timeout maximum number of seconds that the
 #   NRPE daemon will wait for a connection to be established before exiting.
 # @param [String] ne_ssl_version These directives allow you to specify how to
 #   use SSL/TLS.
 # @param [String] ne_ssl_use_adh This is for backward compatibility and is
 #   DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
 #   default but will be changed in a later version.
 # @param [String] ne_ssl_cipher_list ciphers can be used. For backward
 #   compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
 #   this version but will be changed in a later version of NRPE.
 # @param [String] ne_ssl_cacert_file path and name of the ssl certificate
 #   authority  (ca) file / chain. must be full path.
 # @param [String] ne_ssl_client_certs determines client certificate usage.
 #   Values: 0 = Don't ask for or require client certificates
 #   1 = Ask for client certificates
@@ -109,8 +116,11 @@ class confdroid_nrpe::params (
  String $ne_connection_timeout           = '300',
  String $ne_allow_weak_rnd_seed          = '1',
  Boolean $ne_enable_ssl                  = false,
  String $ne_ssl_version                  = 'TLSv2+',
  String $ne_ssl_use_adh                  = '1',
  String $ne_ssl_cipher_list              = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
-  String $ne_ssl_client_certs             = '0',
+  String $ne_ssl_cacert_file              = '/etc/pki/tls/certs/ca-chain.crt.pem',
  String $ne_ssl_client_certs             = '2',
  String $ne_ssl_logging                  = '0x00',
  Array $ne_nasty_metachars               = ["|`&><'\\[]{};\r\n"],
  String $ne_include_file                 = '',
@@ -143,7 +153,6 @@ class confdroid_nrpe::params (
 # directories
  $ne_main_conf_d_dir         = '/etc/nrpe.d'
  $ne_run_dir                 = '/var/run/nrpe'
  $ne_servercert_dir          = '/etc/pki/tls/servercerts'
 # files
  $ne_main_conf_file          = '/etc/nagios/nrpe.cfg'
@@ -162,11 +171,11 @@ class confdroid_nrpe::params (
  $ne_checkmodule_nrpe_erb    = 'confdroid_nrpe/checkmodule_nrpe.erb'
  $ne_nrpe_pp_file            = "${ne_main_conf_d_dir}/nrpe.pp"
  $ne_semodule_erb            =  'confdroid_nrpe/semodule_nrpe.erb'
-  $ne_ssl_cert_file           = "${ne_servercert_dir}/nagios-cert.pem"
+  $ne_ssl_cert_file           = '/etc/pki/tls/certs/nagios.crt.pem'
  $ne_ssl_cert_erb            = 'confdroid_nrpe/ssl_cert.erb'
-  $ne_ssl_privatekey_file     = "${ne_servercert_dir}/nagios-key.pem"
+  $ne_ssl_privatekey_file     = '/etc/pki/tls/private/nagios.key.pem'
  $ne_ssl_privatekey_erb      = 'confdroid_nrpe/ssl_privatekey.erb'
-  $ne_ssl_ca_cert_file        = "${ne_servercert_dir}/ca-cert.pem"
+  $ne_ssl_ca_cert_file        = '/etc/pki/tls/certs/ca-chain.crt.pem'
  $ne_ssl_ca_cert_erb         = 'confdroid_nrpe/ssl_ca_cert.erb'
 # includes must be last
--- a/templates/nrpe_cfg.erb
+++ b/templates/nrpe_cfg.erb
@@ -33,9 +33,11 @@ connection_timeout=<%= @ne_connection_timeout %>
 allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
-<% if @ne_enable_ssl == true -%>
+<% if $ne_enable_ssl == true -%>
 ssl_version=<%= @ne_ssl_version %>
 ssl_use_adh=<%= @ne_ssl_use_adh %>
 ssl_cipher_list=<%= @ne_ssl_cipher_list %>
-ssl_cacert_file=<%= @ne_ssl_ca_cert_file %>
+ssl_cacert_file=<%= @ne_ssl_cacert_file %>
 ssl_cert_file=<%= @ne_ssl_cert_file %>
 ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
 ssl_client_certs=<%= @ne_ssl_client_certs %>