From 6efac4de21089114cf06778d311a7e5dd43319e3 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 13 Jun 2013 15:18:26 +0300 Subject: [PATCH] munin: Add TLS support Closes #1. --- munin/manifests/init.pp | 55 ++++++++++++++++++- munin/templates/munin-node.conf.erb | 10 ++++ .../munin.conf => templates/munin.conf.erb} | 10 ++++ 3 files changed, 74 insertions(+), 1 deletion(-) rename munin/{files/munin.conf => templates/munin.conf.erb} (64%) diff --git a/munin/manifests/init.pp b/munin/manifests/init.pp index 57b478b..9442d76 100644 --- a/munin/manifests/init.pp +++ b/munin/manifests/init.pp @@ -1,12 +1,40 @@ # Install and configure munin node. # +# === Global variables +# +# $munin_tls: +# Enable and require TLS if set to "true". +# class munin::node { package { "munin-node": ensure => installed, } + if $munin_tls == "true" { + case $::operatingsystem { + "centos", "redhat", "fedora": { + package { "perl-Net-SSLeay": + ensure => installed, + before => Service["munin-node"], + } + } + "debian", "ubuntu": { + package { "libnet-ssleay-perl": + ensure => installed, + before => Service["munin-node"], + } + } + "openbsd": { + package { "p5-Net-SSLeay": + ensure => installed, + before => Service["munin-node"], + } + } + } + } + service { "munin-node": name => $::operatingsystem ? { "openbsd" => "munin_node", @@ -197,6 +225,11 @@ define munin::plugin($config = "") { # # * Storedconfigs # +# === Global variables +# +# $munin_tls: +# Enable and require TLS if set to "true". +# class munin::server { package { [ "munin", "munin-cgi" ] : 
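Review bot: The `$munin_tls == "true"` gate fails open: any value other than that string silently leaves the node on plaintext, and the same test is repeated in the `munin::server` hunk and in both templates. Puppet's `==` compares strings case-insensitively while the ERB templates use Ruby's case-sensitive `==`, so a value such as `"True"` would likely install Net::SSLeay here yet render no `tls` directives; normalising in the templates (`<% if @munin_tls.to_s.downcase == "true" -%>`) or rejecting unexpected values at compile time would keep the two in step. Separately, the `case $::operatingsystem` in this hunk has no `default`, so on an unlisted OS the rendered config demands TLS without the Perl TLS module being managed; `default: { fail("munin TLS is not supported on ${::operatingsystem}") }` would surface that when the catalog is compiled. The body of `munin::node` continues past the end of the hunk.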
@@ -299,6 +332,26 @@ class munin::server { require => File["/var/www/html/munin/cgi"], } + if $munin_tls == "true" { + include ssl + file { "${ssl::certs}/munin.crt": + ensure => present, + source => "${puppet_ssldir}/certs/${homename}.pem", + mode => "0640", + owner => "root", + group => "munin", + require => Package["munin"], + } + file { "${ssl::private}/munin.key": + ensure => present, + source => "${puppet_ssldir}/private_keys/${homename}.pem", + mode => "0640", + owner => "root", + group => "munin", + require => Package["munin"], + } + } + file { "/etc/munin/conf.d": ensure => directory, purge => true, @@ -316,7 +369,7 @@ class munin::server { owner => "root", group => "root", mode => "0644", - source => "puppet:///modules/munin/munin.conf", + content => template("munin/munin.conf.erb"), require => Package["munin"], } diff --git a/munin/templates/munin-node.conf.erb b/munin/templates/munin-node.conf.erb index 1dc9365..d5ff1c0 100644 --- a/munin/templates/munin-node.conf.erb +++ b/munin/templates/munin-node.conf.erb @@ -45,3 +45,13 @@ host <%= @ipaddress %> # And which port port 4949 +<% if @munin_tls == "true" -%> + +# Require TLS +tls paranoid +tls_verify_certificate yes +tls_ca_certificate <%= @puppet_ssldir %>/certs/ca.pem +tls_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem +tls_private_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem +tls_verify_depth 5 +<% end -%> diff --git a/munin/files/munin.conf b/munin/templates/munin.conf.erb similarity index 64% rename from munin/files/munin.conf rename to munin/templates/munin.conf.erb index 9f615f9..3b4fe35 100644 --- a/munin/files/munin.conf +++ b/munin/templates/munin.conf.erb 
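Review bot: The `${ssl::private}/munin.key` resource copies this host's Puppet agent private key and makes it readable by the `munin` group (mode `0640`), so a compromise of the munin master or its CGI front end would also expose the key the host uses to authenticate to the Puppet master. A dedicated key pair and certificate for munin would keep the two identities separate. If the reuse is deliberate, say so next to the resource, e.g. `# Reuses the Puppet agent key pair; the munin group can read the private key.` It is also worth confirming that the `${ssl::private}` directory, which is managed outside this hunk, does not grant wider access than the file mode implies.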
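Review bot: `tls_verify_certificate yes` with `tls_ca_certificate` pointing at the Puppet CA only proves that the peer holds some certificate issued by that CA, so every Puppet-managed host passes verification, not just the munin master; the `munin.conf.erb` hunk has the same property in the other direction. As far as I know munin does not match the certificate subject against an expected name, so the node's `allow`/`cidr_allow` entries (outside this hunk) remain the only control over which peer may connect. A comment above the block would make that explicit, e.g. `# Trust anchor is the Puppet CA: any host it has signed verifies; access is still limited by the allow lines.` `tls_verify_depth 5` is also more than a single-level CA chain needs, if that is what the Puppet CA is here.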
@@ -14,6 +14,16 @@ tmpldir /etc/munin/templates html_strategy cgi graph_strategy cgi cgiurl_graph /munin/cgi/munin-cgi-graph +<% if @munin_tls == "true" -%> + +# Require TLS +tls paranoid +tls_verify_certificate yes +tls_ca_certificate <%= @puppet_ssldir %>/certs/ca.pem +tls_certificate <%= scope.lookupvar('ssl::certs') %>/munin.crt +tls_private_key <%= scope.lookupvar('ssl::private') %>/munin.key +tls_verify_depth 5 +<% end -%> # Include nodes includedir /etc/munin/conf.d