## confdroid_nrpe::params.pp
# Module name: confdroid_nrpe
# Author: 12ww1160 (12ww1160@ConfDroid.com)
# @summary Class holds all parameters for the confdroid_nrpe module and is
#   inherited by all classes except defines.
#
# Security review summary: several defaults below are permissive. Client
# supplied command arguments are allowed, bash command substitution is
# allowed, every command is prefixed with sudo, the daemon listens on all
# interfaces and certificate based TLS is off. Override them (Hiera or class
# parameters) where the monitoring setup does not need them.
#
# @see https://www.nagios.org/documentation/
# @param [String] pkg_ensure
#   which [package type](https://confdroid.com/2017/05/puppet-type-package/)
#   to choose, i.e. `latest` or `present`.
# @param [String] ne_log_facility the log facility to use.
# @param [String] ne_log_file If a log file is specified in this option,
#   nrpe will write to that file instead of using syslog,
#   e.g. /var/run/nrpe.log
# @param [String] ne_debug Whether debugging messages are logged to the
#   syslog facility.
# @param [String] ne_nrpe_port the NRPE port. Used in the firewall rules
#   (optional) and in the configuration file.
# @param [String] ne_listen_queue_size Listen queue size (backlog) for
#   serving incoming connections.
# @param [String] ne_dont_blame_nrpe whether or not the NRPE daemon will
#   allow clients to specify arguments to commands that are executed.
#   In nrpe.cfg `1` allows arguments and `0` refuses them. This module
#   defaults to `1`; the NRPE sample configuration marks enabling it as a
#   security risk, so set `0` unless checks need client supplied arguments.
# @param [String] ne_allow_bash_cmd_subst whether or not the NRPE daemon will
#   allow clients to specify arguments that contain bash command substitutions
#   of the form $(...). This module defaults to `1`; the NRPE sample
#   configuration marks enabling it as a high security risk. Set `0` unless
#   a check depends on it.
# @param [Boolean] ne_allow_sudo Whether to allow sudo access. Used in nrpe.cfg
#   as well as for creating a sudo role. Defaults to `true`.
# @param [String] ne_command_prefix allows you to prefix all commands with a
#   user-defined String. Defaults to `/usr/bin/sudo`, so every check command
#   is run through sudo; together with client supplied arguments this widens
#   what a connecting host can trigger. The sudoers rule itself comes from a
#   template that is not part of this class: review that it lists specific
#   plugins only.
# @param [Boolean] ne_incl_fw Whether to include firewall rules
# @param [String] ne_command_timeout maximum number of seconds that the NRPE
#   daemon will allow plugins to finish executing before killing them off.
# @param [String] ne_connection_timeout maximum number of seconds that the
#   NRPE daemon will wait for a connection to be established before exiting.
# @param [String] ne_ssl_version These directives allow you to specify how to
#   use SSL/TLS. NOTE(review): the default `TLSv2+` is not one of the values
#   the NRPE sample configuration documents (SSLv2 ... TLSv1.2+); verify that
#   the daemon accepts it, `TLSv1.2+` may have been intended.
# @param [String] ne_ssl_use_adh This is for backward compatibility and is
#   DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
#   default but will be changed in a later version. ADH is an anonymous key
#   exchange and does not authenticate the peer; set `0` when certificates
#   are in use.
# @param [String] ne_ssl_cipher_list which ciphers can be used. Upstream NRPE
#   defaults to 'ALL:!MD5:@STRENGTH' for backward compatibility; this module
#   sets a stricter default, see the parameter list below.
# @param [String] ne_ssl_cacert_file path and name of the ssl certificate
#   authority (ca) file / chain. Must be the full path.
# @param [String] ne_ssl_client_certs determines client certificate usage.
#   Values: 0 = Don't ask for or require client certificates
#           1 = Ask for client certificates
#           2 = Require client certificates
# @param [String] ne_ssl_logging determines which SSL messages are sent to
#   syslog. OR values together to specify multiple options.
#   Values: 0x00 (0) = No additional logging (default)
#           0x01 (1) = Log startup SSL/TLS parameters
#           0x02 (2) = Log remote IP address
#           0x04 (4) = Log SSL/TLS version of connections
#           0x08 (8) = Log which cipher is being used for the connection
#           0x10 (16) = Log if client has a certificate
#           0x20 (32) = Log details of client's certificate if it has one
#           -1 or 0xff or 0x2f = All of the above
# @param [Array] ne_nasty_metachars list of characters that cannot
#   be passed to the NRPE daemon. The default is a double-quoted Puppet
#   string, so Puppet itself expands `\\`, `\r` and `\n` before the value
#   reaches the template. NOTE(review): confirm that the rendered nrpe.cfg
#   line carries the escape sequences NRPE expects and not raw CR/LF bytes.
# @param [String] ne_include_file include definitions from an external
#   config file.
# @param [String] ne_fw_order_no ordering prefix for the firewall rules. Adjust
#   to your environment if needed.
# @param [String] ne_ssl_opts Specify additional SSL options.
# @param [String] ne_user the NRPE service user
# @param [String] ne_user_comment The comment for the service user in
#   /etc/passwd
# @param [String] ne_user_uid the UID for the service user
# @param [String] ne_user_home the home for the service user
# @param [String] ne_user_shell the shell for the service user.
# @param [Optional[String]] ne_user_groups additional groups for the service
#   user.
# @param [String] ne_server_address the network interfaces to listen on.
#   Defaults to `0.0.0.0` (all interfaces); bind to the monitoring interface
#   where the host has more than one network.
# @param [String] ne_allow_weak_rnd_seed Whether to allow weak random seeds.
#   In nrpe.cfg `0` seeds only from /dev/[u]random and `1` also accepts weak
#   sources. This module defaults to `1`; `0` is the safer choice on systems
#   that provide /dev/urandom.
# @param [Boolean] ne_include_selinux Whether to manage selinux
# @param [Boolean] ne_enable_ssl Whether to enable SSL certificates.
#   Defaults to `false`. NOTE(review): the templates are not part of this
#   class; presumably the certificate settings (CA file, client certificate
#   requirement) are only rendered when this is `true` - confirm.
# @param [Array] reqpackages which packages to install
# @param [Boolean] ne_manage_cmds Whether to manage command rules for NRPE
#   checks, to allow dynamic check & command rules.
###############################################################################
class confdroid_nrpe::params (

  String $pkg_ensure                = 'present',
  Array $reqpackages                = ['nrpe','nrpe-selinux','selinux-policy-devel'],
  Boolean $ne_manage_cmds           = true,

# NRPE user settings
  String $ne_user                   = 'nrpe',
  String $ne_user_comment           = 'NRPE service user',
  String $ne_user_uid               = '1005',
  String $ne_user_home              = '/var/run/nrpe',
  Optional[String] $ne_user_groups  = undef,
  String $ne_user_shell             = '/sbin/nologin',

# nrpe.cfg
  String $ne_log_facility           = 'daemon',
  String $ne_log_file               = '',
  String $ne_debug                  = '0',
  String $ne_nrpe_port              = '5666',
  # listens on every interface by default
  String $ne_server_address         = '0.0.0.0',
  String $ne_listen_queue_size      = '5',
  # permissive defaults: client arguments and $(...) substitution are allowed
  String $ne_dont_blame_nrpe        = '1',
  String $ne_allow_bash_cmd_subst   = '1',
  # every command is prefixed with sudo by default
  Boolean $ne_allow_sudo            = true,
  String $ne_command_prefix         = '/usr/bin/sudo',
  String $ne_command_timeout        = '60',
  String $ne_connection_timeout     = '300',
  String $ne_allow_weak_rnd_seed    = '1',
  # certificate based TLS is off by default
  Boolean $ne_enable_ssl            = false,
  # NOTE(review): 'TLSv2+' is not a value documented by NRPE - verify
  String $ne_ssl_version            = 'TLSv2+',
  # ADH stays allowed although the cipher list below excludes aNULL
  String $ne_ssl_use_adh            = '1',
  String $ne_ssl_cipher_list        = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
  String $ne_ssl_cacert_file        = '/etc/pki/tls/certs/ca-chain.crt.pem',
  String $ne_ssl_client_certs       = '2',
  String $ne_ssl_logging            = '0x00',
  # double-quoted: Puppet expands \\ \r \n before the template sees the value
  Array $ne_nasty_metachars         = ["|`&><'\\[]{};\r\n"],
  String $ne_include_file           = '',

# nrpe.conf
  String $ne_ssl_opts               = '',

# firewall
  Boolean $ne_incl_fw               = true,
  String $ne_fw_order_no            = '50',

# selinux
  Boolean $ne_include_selinux       = true,

) {
# Default facts
  $fqdn                     = $facts['networking']['fqdn']
  $domain                   = $facts['networking']['domain']
  $os_name                  = $facts['os']['name']
  $os_release               = $facts['os']['release']['major']
  # Top-scope lookup; the value is set outside this class.
  # NOTE(review): presumably the Nagios server that may connect - confirm
  # where it is consumed (templates / firewall rules).
  $nagios_source            = $::nagios_source

# service
  $ne_service               = 'nrpe'

# directories
  $ne_main_conf_d_dir       = '/etc/nrpe.d'
  $ne_run_dir               = '/var/run/nrpe'

# files
  $ne_main_conf_file        = '/etc/nagios/nrpe.cfg'
  $ne_main_conf_erb         = 'confdroid_nrpe/nrpe_cfg.erb'
  $ne_nrpe_pid_file         = "${ne_run_dir}/nrpe.pid"
  $ne_nrpe_conf_file        = '/etc/sysconfig/nrpe'
  $ne_nrpe_conf_erb         = 'confdroid_nrpe/nrpe_conf.erb'
  $ne_cmd_file              = "${ne_main_conf_d_dir}/commands.cfg"
  $ne_cmd_head_erb          = 'confdroid_nrpe/cmd_head.erb'
  $ne_cmd_rule_erb          = 'confdroid_nrpe/cmd_rule.erb'
  # sudoers drop-in; its content comes from the template on the next line
  $ne_sudo_file             = '/etc/sudoers.d/nagios_sudo'
  $ne_sudo_rule_erb         = 'confdroid_nrpe/sudo_rule.erb'
  # SELinux policy module source, compiled module and package
  $ne_nrpe_te_file          = "${ne_main_conf_d_dir}/nrpe.te"
  $ne_nrpe_te_erb           = 'confdroid_nrpe/nrpe.te.erb'
  $ne_nrpe_mod_file         = "${ne_main_conf_d_dir}/nrpe.mod"
  $ne_checkmodule_nrpe_erb  = 'confdroid_nrpe/checkmodule_nrpe.erb'
  $ne_nrpe_pp_file          = "${ne_main_conf_d_dir}/nrpe.pp"
  $ne_semodule_erb          = 'confdroid_nrpe/semodule_nrpe.erb'
  # per-host certificate and private key, named after the node's FQDN;
  # ownership and mode of the key file are not set in this class
  $ne_ssl_cert_file         = "/etc/pki/tls/certs/${fqdn}.crt.pem"
  $ne_ssl_privatekey_file   = "/etc/pki/tls/private/${fqdn}.key.pem"

# includes must be last
  include confdroid_nrpe::main::config
}