munin: Add TLS support

Closes #1.
2013-06-13 15:18:26 +03:00 · 2013-06-13 15:18:26 +03:00 · 6efac4de21
commit 6efac4de21
parent 28055dcea7
3 changed files with 74 additions and 1 deletions
--- a/munin/manifests/init.pp
+++ b/munin/manifests/init.pp
@ -1,12 +1,40 @@

 # Install and configure munin node.
 #
+# === Global variables
+#
+#   $munin_tls:
+#       Enable and require TLS if set to "true".
+#
 class munin::node {

    package { "munin-node":
        ensure => installed,
    }

+    if $munin_tls == "true" {
+        case $::operatingsystem {
+            "centos", "redhat", "fedora": {
+                package { "perl-Net-SSLeay":
+                    ensure => installed,
+                    before => Service["munin-node"],
+                }
+            }
+            "debian", "ubuntu": {
+                package { "libnet-ssleay-perl":
+                    ensure => installed,
+                    before => Service["munin-node"],
+                }
+            }
+            "openbsd": {
+                package { "p5-Net-SSLeay":
+                    ensure => installed,
+                    before => Service["munin-node"],
+                }
+            }
+        }
+    }
+
    service { "munin-node":
        name    => $::operatingsystem ? {
            "openbsd" => "munin_node",
@ -197,6 +225,11 @@ define munin::plugin($config = "") {
 #
 #  * Storedconfigs
 #
+# === Global variables
+#
+#   $munin_tls:
+#       Enable and require TLS if set to "true".
+#
 class munin::server {

    package { [ "munin", "munin-cgi" ] :
@ -299,6 +332,26 @@ class munin::server {
        require => File["/var/www/html/munin/cgi"],
    }

+    if $munin_tls == "true" {
+        include ssl
+        file { "${ssl::certs}/munin.crt":
+            ensure  => present,
+            source  => "${puppet_ssldir}/certs/${homename}.pem",
+            mode    => "0640",
+            owner   => "root",
+            group   => "munin",
+            require => Package["munin"],
+        }
+        file { "${ssl::private}/munin.key":
+            ensure  => present,
+            source  => "${puppet_ssldir}/private_keys/${homename}.pem",
+            mode    => "0640",
+            owner   => "root",
+            group   => "munin",
+            require => Package["munin"],
+        }
+    }
+
    file { "/etc/munin/conf.d":
        ensure  => directory,
        purge   => true,
@ -316,7 +369,7 @@ class munin::server {
        owner   => "root",
        group   => "root",
        mode    => "0644",
-        source  => "puppet:///modules/munin/munin.conf",
+        content => template("munin/munin.conf.erb"),
        require => Package["munin"],
    }

--- a/munin/templates/munin-node.conf.erb
+++ b/munin/templates/munin-node.conf.erb
@ -45,3 +45,13 @@ host <%= @ipaddress %>

 # And which port
 port 4949
+<% if @munin_tls == "true" -%>
+
+# Require TLS
+tls paranoid
+tls_verify_certificate yes
+tls_ca_certificate <%= @puppet_ssldir %>/certs/ca.pem
+tls_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem
+tls_private_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem
+tls_verify_depth 5
+<% end -%>
--- a/munin/templates/munin.conf.erb
+++ b/munin/templates/munin.conf.erb
@ -14,6 +14,16 @@ tmpldir /etc/munin/templates
 html_strategy cgi
 graph_strategy cgi
 cgiurl_graph /munin/cgi/munin-cgi-graph
+<% if @munin_tls == "true" -%>
+
+# Require TLS
+tls paranoid
+tls_verify_certificate yes
+tls_ca_certificate <%= @puppet_ssldir %>/certs/ca.pem
+tls_certificate <%= scope.lookupvar('ssl::certs') %>/munin.crt
+tls_private_key <%= scope.lookupvar('ssl::private') %>/munin.key
+tls_verify_depth 5
+<% end -%>

 # Include nodes
 includedir /etc/munin/conf.d