173 lines
7.6 KiB
Puppet
173 lines
7.6 KiB
Puppet
## cd_nrpe::params.pp
|
|
# Module name: cd_nrpe
|
|
# Author: Arne Teuke (arne_teuke@ConfDroid.com)
|
|
# # License:
|
|
# This file is part of cd_nrpe.
|
|
#
|
|
# cd_nrpe is used for providing automatic configuration of NRPE.
|
|
# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
# @summary Class holds all parameters for the cd_nrpe module and is
|
|
# inherited by all classes except defines.
|
|
# @see https://www.nagios.org/documentation/
|
|
# @param [string] pkg_ensure
|
|
# which [package type](https://confdroid.com/2017/05/puppet-type-package/)
|
|
# to choose, i.e. `latest` or `present`.
|
|
# @param [string] ne_log_facility the log facility to use.
|
|
# @param [string] ne_log_file If a log file is specified in this option,
|
|
# nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log
|
|
# @param [string] ne_debug Whether debugging messages are logged to the
|
|
# syslog facility.
|
|
# @param [string] ne_nrpe_port the NRPE port. used in firewall ( optional)
|
|
# and configuration file.
|
|
# @param [string] ne_listen_queue_size Listen queue size (backlog) for
|
|
# serving incoming connections.
|
|
# @param [string] ne_nagios_server ipaddress of the nagios server to be allowed
|
|
# to connect to NRPE service. Default is to look up a global parameter from
|
|
# ENC.
|
|
# @param [string] ne_dont_blame_nrpe whether or not the NRPE daemon will
|
|
# allow clients to specify arguments to commands that are executed.
|
|
# @param [string] ne_allow_bash_cmd_subst whether or not the NRPE daemon will
|
|
# allow clients to specify arguments that contain bash command substitutions
|
|
# of the form $(...).
|
|
# @param [boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg
|
|
# as well as for creating a sudo role.
|
|
# @param [string] ne_command_prefix allows you to prefix all commands with a
|
|
# user-defined string.
|
|
# @param [string] ne_incl_fw Whether to include firewall rules
|
|
# @param [string] ne_command_timeout maximum number of seconds that the NRPE
|
|
# daemon will allow plugins to finish executing before killing them off.
|
|
# @param [string] ne_connection_timeout maximum number of seconds that the
|
|
# NRPE daemon will wait for a connection to be established before exiting.
|
|
# @param [string] ne_ssl_version These directives allow you to specify how to
|
|
# use SSL/TLS.
|
|
# @param [string] ne_ssl_use_adh This is for backward compatibility and is
|
|
# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
|
|
# default but will be changed in a later version.
|
|
# @param [string] ne_ssl_cipher_list ciphers can be used. For backward
|
|
# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
|
|
# this version but will be changed in a later version of NRPE.
|
|
# @param [string] ne_ssl_cacert_file path and name of the ssl certificate
|
|
# authority ( ca) file / chain. must be full path.
|
|
# @param [string] ne_ssl_cert_file path and name of the server ssl certificate.
|
|
# must include full path.
|
|
# @param [string] ne_ssl_privatekey_file path and name of the server ssl
|
|
# private key. Must include full path.
|
|
# @param [string] ne_ssl_client_certs determines client certificate usage.
|
|
# Values: 0 = Don't ask for or require client certificates
|
|
# 1 = Ask for client certificates
|
|
# 2 = Require client certificates
|
|
# @param [string] ne_ssl_logging determines which SSL messages are send to
|
|
# syslog. OR values together to specify multiple options.
|
|
# Values: 0x00 (0) = No additional logging (default)
|
|
# 0x01 (1) = Log startup SSL/TLS parameters
|
|
# 0x02 (2) = Log remote IP address
|
|
# 0x04 (4) = Log SSL/TLS version of connections
|
|
# 0x08 (8) = Log which cipher is being used for the connection
|
|
# 0x10 (16) = Log if client has a certificate
|
|
# 0x20 (32) = Log details of client's certificate if it has one
|
|
# -1 or 0xff or 0x2f = All of the above
|
|
# @param [string] ne_nasty_metachars list of characters that cannot
|
|
# be passed to the NRPE daemon.
|
|
# @param [string] ne_include_file include definitions from an external
|
|
# config file.
|
|
# @param [string] ne_fw_order_no ordering prefix for he firewall rules. Adjust
|
|
# to your environment if needed.
|
|
# @param [string] ne_ssl_opts Specify additional SSL options.
|
|
# @param [string] ne_user the NRPE service user
|
|
# @param [string] ne_user_comment The comment for the service user /etc/passwd
|
|
# @param [string] ne_user_uid the UID for the service user
|
|
# @param [string] ne_user_home the home for the service user
|
|
# @param [string] ne_user_shell the shell for the service user.
|
|
# @param [string] ne_user_groups additional groups for the service user.
|
|
# @param [string] ne_server_address the network interfaces to listen on
|
|
# @param [string] ne_allow_weak_rnd_seed Whether to allow weak random seeds
|
|
# @param [string] ne_include_selinux Whether to manage selinux
|
|
###############################################################################
|
|
class cd_nrpe::params (
|
|
|
|
$pkg_ensure = 'latest',
|
|
|
|
# user settings
|
|
$ne_user = 'nrpe',
|
|
$ne_user_comment = 'NRPE service user',
|
|
$ne_user_uid = '1005',
|
|
$ne_user_home = '/var/run/nrpe',
|
|
$ne_user_groups = undef,
|
|
$ne_user_shell = '/sbin/nologin',
|
|
|
|
# nrpe.cfg
|
|
$ne_log_facility = 'daemon',
|
|
$ne_log_file = '',
|
|
$ne_debug = '0',
|
|
$ne_nrpe_port = '5666',
|
|
$ne_server_address = '127.0.0.1',
|
|
$ne_listen_queue_size = '5',
|
|
$ne_nagios_server = $::nagios_server,
|
|
$ne_dont_blame_nrpe = '1',
|
|
$ne_allow_bash_cmd_subst = '1',
|
|
$ne_allow_sudo = true,
|
|
$ne_command_prefix = '/usr/bin/sudo',
|
|
$ne_command_timeout = '60',
|
|
$ne_connection_timeout = '300',
|
|
$ne_allow_weak_rnd_seed = '1',
|
|
$ne_ssl_version = 'TLSv1.1+',
|
|
$ne_ssl_use_adh = '1',
|
|
$ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
|
|
$ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
|
|
$ne_ssl_cert_file = "/etc/pki/tls/certs/${::fqdn}.crt.pem",
|
|
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${::fqdn}.key.pem",
|
|
$ne_ssl_client_certs = '2',
|
|
$ne_ssl_logging = '0x00',
|
|
$ne_nasty_metachars = '"|`&><\'\\[]{};\r\n\"',
|
|
$ne_include_file = '',
|
|
|
|
# nrpe.conf
|
|
$ne_ssl_opts = '',
|
|
|
|
# firewall
|
|
$ne_incl_fw = true,
|
|
$ne_fw_order_no = '50',
|
|
|
|
# selinux
|
|
$ne_include_selinux = true,
|
|
|
|
|
|
) {
|
|
|
|
# installation section
|
|
$reqpackages = $::operatingsystem ? {
|
|
/(?i-mx:centos|fedora|redhat)/ => ['nrpe','nrpe-selinux'],
|
|
}
|
|
|
|
# service
|
|
$ne_service = 'nrpe'
|
|
|
|
# directories
|
|
$ne_main_conf_d_dir = '/etc/nrpe.d'
|
|
$ne_run_dir = '/var/run/nrpe'
|
|
|
|
# files
|
|
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
|
|
$ne_main_conf_erb = 'cd_nrpe/nrpe_cfg.erb'
|
|
$ne_nrpe_pid_file = "${ne_run_dir}/nrpe.pid"
|
|
$ne_nrpe_conf_file = '/etc/sysconfig/nrpe'
|
|
$ne_nrpe_conf_erb = 'cd_nrpe/nrpe_conf.erb'
|
|
|
|
# includes must be last
|
|
|
|
include cd_nrpe::main::config
|
|
|
|
}
|