## cd_nrpe::params.pp # Module name: cd_nrpe # Author: Arne Teuke (arne_teuke@ConfDroid.com) # # License: # This file is part of cd_nrpe. # # cd_nrpe is used for providing automatic configuration of NRPE. # Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # @summary Class holds all parameters for the cd_nrpe module and is # inherited by all classes except defines. # @see https://www.nagios.org/documentation/ # @param [string] pkg_ensure # which [package type](https://confdroid.com/2017/05/puppet-type-package/) # to choose, i.e. `latest` or `present`. # @param [string] ne_log_facility the log facility to use. # @param [string] ne_log_file If a log file is specified in this option, # nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log # @param [string] ne_debug Whether debugging messages are logged to the # syslog facility. # @param [string] ne_nrpe_port the NRPE port. used in firewall ( optional) # and configuration file. # @param [string] ne_listen_queue_size Listen queue size (backlog) for # serving incoming connections. # @param [string] ne_nagios_server ipaddress of the nagios server to be allowed # to connect to NRPE service. Default is to look up a global parameter from # ENC. # @param [string] ne_dont_blame_nrpe whether or not the NRPE daemon will # allow clients to specify arguments to commands that are executed. # @param [string] ne_allow_bash_cmd_subst whether or not the NRPE daemon will # allow clients to specify arguments that contain bash command substitutions # of the form $(...). # @param [boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg # as well as for creating a sudo role. # @param [string] ne_command_prefix allows you to prefix all commands with a # user-defined string. # @param [string] ne_incl_fw Whether to include firewall rules # @param [string] ne_command_timeout maximum number of seconds that the NRPE # daemon will allow plugins to finish executing before killing them off. # @param [string] ne_connection_timeout maximum number of seconds that the # NRPE daemon will wait for a connection to be established before exiting. # @param [string] ne_ssl_version These directives allow you to specify how to # use SSL/TLS. # @param [string] ne_ssl_use_adh This is for backward compatibility and is # DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the # default but will be changed in a later version. # @param [string] ne_ssl_cipher_list ciphers can be used. For backward # compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in # this version but will be changed in a later version of NRPE. # @param [string] ne_ssl_cacert_file path and name of the ssl certificate # authority ( ca) file / chain. must be full path. # @param [string] ne_ssl_cert_file path and name of the server ssl certificate. # must include full path. # @param [string] ne_ssl_privatekey_file path and name of the server ssl # private key. Must include full path. # @param [string] ne_ssl_client_certs determines client certificate usage. # Values: 0 = Don't ask for or require client certificates # 1 = Ask for client certificates # 2 = Require client certificates # @param [string] ne_ssl_logging determines which SSL messages are send to # syslog. OR values together to specify multiple options. # Values: 0x00 (0) = No additional logging (default) # 0x01 (1) = Log startup SSL/TLS parameters # 0x02 (2) = Log remote IP address # 0x04 (4) = Log SSL/TLS version of connections # 0x08 (8) = Log which cipher is being used for the connection # 0x10 (16) = Log if client has a certificate # 0x20 (32) = Log details of client's certificate if it has one # -1 or 0xff or 0x2f = All of the above # @param [string] ne_nasty_metachars list of characters that cannot # be passed to the NRPE daemon. # @param [string] ne_include_file include definitions from an external # config file. # @param [string] ne_fw_order_no ordering prefix for he firewall rules. Adjust # to your environment if needed. # @param [string] ne_ssl_opts Specify additional SSL options. # @param [string] ne_user the NRPE service user # @param [string] ne_user_comment The comment for the service user /etc/passwd # @param [string] ne_user_uid the UID for the service user # @param [string] ne_user_home the home for the service user # @param [string] ne_user_shell the shell for the service user. # @param [string] ne_user_groups additional groups for the service user. # @param [string] ne_server_address the network interfaces to listen on # @param [string] ne_allow_weak_rnd_seed Whether to allow weak random seeds # @param [string] ne_include_selinux Whether to manage selinux # @param [boolean] ne_enable_ssl Whether to enable SSL certificates. ############################################################################### class cd_nrpe::params ( $pkg_ensure = 'latest', # user settings $ne_user = 'nrpe', $ne_user_comment = 'NRPE service user', $ne_user_uid = '1005', $ne_user_home = '/var/run/nrpe', $ne_user_groups = undef, $ne_user_shell = '/sbin/nologin', # nrpe.cfg $ne_log_facility = 'daemon', $ne_log_file = '', $ne_debug = '0', $ne_nrpe_port = '5666', $ne_server_address = '127.0.0.1', $ne_listen_queue_size = '5', $ne_nagios_server = $::nagios_server, $ne_dont_blame_nrpe = '1', $ne_allow_bash_cmd_subst = '1', $ne_allow_sudo = true, $ne_command_prefix = '/usr/bin/sudo', $ne_command_timeout = '60', $ne_connection_timeout = '300', $ne_allow_weak_rnd_seed = '1', $ne_enable_ssl = false, $ne_ssl_version = 'TLSv2+', $ne_ssl_use_adh = '1', $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH', $ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem', $ne_ssl_cert_file = "/etc/pki/tls/certs/${::fqdn}.crt.pem", $ne_ssl_privatekey_file = "/etc/pki/tls/private/${::fqdn}.key.pem", $ne_ssl_client_certs = '2', $ne_ssl_logging = '0x00', $ne_nasty_metachars = '"|`&><\'\\[]{};\r\n\"', $ne_include_file = '', # nrpe.conf $ne_ssl_opts = '', # firewall $ne_incl_fw = true, $ne_fw_order_no = '50', # selinux $ne_include_selinux = true, ) { # installation section $reqpackages = $::operatingsystem ? { /(?i-mx:centos|fedora|redhat)/ => ['nrpe','nrpe-selinux'], } # service $ne_service = 'nrpe' # directories $ne_main_conf_d_dir = '/etc/nrpe.d' $ne_run_dir = '/var/run/nrpe' # files $ne_main_conf_file = '/etc/nagios/nrpe.cfg' $ne_main_conf_erb = 'cd_nrpe/nrpe_cfg.erb' $ne_nrpe_pid_file = "${ne_run_dir}/nrpe.pid" $ne_nrpe_conf_file = '/etc/sysconfig/nrpe' $ne_nrpe_conf_erb = 'cd_nrpe/nrpe_conf.erb' # includes must be last include cd_nrpe::main::config }