-rw-r--r--hieradata/common.yaml10
-rw-r--r--hieradata/nodes/authserver.yaml16
-rw-r--r--hieradata/nodes/community.yaml30
-rw-r--r--hieradata/nodes/idp.yaml16
-rw-r--r--hieradata/nodes/infra03.yaml11
-rw-r--r--hieradata/nodes/proxyout.yaml3
-rw-r--r--hieradata/nodes/web.yaml34
-rw-r--r--hieradata/nodes/webstatic.yaml12
-rw-r--r--sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py66
-rw-r--r--sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook16
-rw-r--r--sitemodules/profiles/manifests/gitea.pp4
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp25
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp76
-rw-r--r--sitemodules/profiles/manifests/icinga2_satellite.pp11
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp2
-rwxr-xr-xsitemodules/profiles/templates/base/update-crls.epp12
-rw-r--r--sitemodules/roles/manifests/authserver.pp29
-rw-r--r--sitemodules/roles/manifests/idp.pp29
-rw-r--r--sitemodules/roles/manifests/infra03.pp4
19 files changed, 322 insertions, 84 deletions
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 2fb3a69..10d1188 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -184,6 +184,16 @@ profiles::base::users:
- name: default
type: ssh-rsa
key: ENC[PKCS7,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]
+ kim:
+ username: kim
+ fullname: Kim Nilsson
+ uid: 1017
+ shell: /bin/bash
+ password: ENC[PKCS7,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]
+ ssh_keys:
+ - name: default
+ type: ssh-rsa
+ key: ENC[PKCS7,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]
profiles::nrpe_agent::allowed_hosts:
- 172.16.2.18
diff --git a/hieradata/nodes/authserver.yaml b/hieradata/nodes/authserver.yaml
new file mode 100644
index 0000000..3cba665
--- /dev/null
+++ b/hieradata/nodes/authserver.yaml
@@ -0,0 +1,16 @@
+---
+classes:
+ - roles::authserver
+profiles::base::admins:
+ - jandd
+profiles::icinga2_agent::pki_ticket: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBAD
+ AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMuwyVWL3VEdgAS5HvM+RltOUGC
+ hPe27Eahu1zUxp7f48aJ/VOsmgHm8F1YftyC1AndzrJ8T84Lm6Ur/NZ2RkoV
+ ZUhEGf6r2eYb51NejOwCaZOvVODXfl0dqhUloU3Ro1PtH8uAsaYdouYdpnqD
+ bIjDpornfsT4T7djqYOfchUbXM7A3u7pPRpukpUHFiPeAb/nRHvKH/xJvWXG
+ 7BzehEJNGERQ5DERTJ83Y4yjZ3V4mtTbMk5GpZ3SgHtui5XigCSJoeyhcX5o
+ Z/zBH1fRe7iO0f1QCIR1gZEB4T54KXGFy4WXEUuulBO8h0BdkM2aGQ+Cgw0X
+ L0YPzwDKzt4kSl4DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDIBlhjSM
+ DvwLO0SRosvFN9gDD+lGsBsFLvo8ll60Nl5FxYEW160kr+PTvxBCu/2R435b
+ IRkWxuqR7qkTpqnVizUao=]
diff --git a/hieradata/nodes/community.yaml b/hieradata/nodes/community.yaml
index 7dc88c6..1f18b4c 100644
--- a/hieradata/nodes/community.yaml
+++ b/hieradata/nodes/community.yaml
@@ -222,10 +222,10 @@ profiles::x509cert_common::certificates:
'webmail.cacert.org':
certificate: |
-----BEGIN CERTIFICATE-----
- MIIGdDCCBFygAwIBAgIDAuN8MA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
+ MIIGdDCCBFygAwIBAgIDAvroMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
- BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMjAwNjA2MTExMDQxWhcNMjIwNjA2
- MTExMDQxWjBfMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
+ BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMjIwNzE2MDkwODM1WhcNMjQwNzE1
+ MDkwODM1WjBfMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
eWRuZXkxFDASBgNVBAoTC0NBY2VydCBJbmMuMRswGQYDVQQDExJ3ZWJtYWlsLmNh
Y2VydC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCspKMHnd/Y
xvVqB7B/3bXfg7nReRR6WsP0xFzharKLkymoh3cMoFZU6gW/AyLPq2wicjJPtEUi
@@ -245,18 +245,18 @@ profiles::x509cert_common::certificates:
hidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJldm9rZS5jcmwweQYDVR0R
BHIwcIISd2VibWFpbC5jYWNlcnQub3JnoCAGCCsGAQUFBwgFoBQMEndlYm1haWwu
Y2FjZXJ0Lm9yZ4IUY29tbXVuaXR5LmNhY2VydC5vcmegIgYIKwYBBQUHCAWgFgwU
- Y29tbXVuaXR5LmNhY2VydC5vcmcwDQYJKoZIhvcNAQELBQADggIBAAStZDsACPPf
- /4NhO2O8ANSAOH6hIHFaxEbB4+aEY7an7rB/84Dis6O8xfh/K9Z+M9uob/jIfhEd
- 2bJdufSDbp3OkrhQj9/Acz2o0xettiFgJAh0SNf8/dH9U1cqRPCK3dNna6z8vOJJ
- XJJlyzTVli3N4AZOycmD3XNpC3INiEFOFRwfJLR7I4Nlv8YylmSc+BpnYlYQOWii
- TXfNWcmojuW/JHJT0xmMz0gpJOCbvjrd0MHVj8ygEP2u9a7kHMAE7o1Wc/P2KsqA
- +l1011KpjVNhO4Lln54ziWQ2F2x/R1dHNk5WrV9Y4J06drx1/UDR7QyLQ99II4YV
- qC+C/DYkwOzvBrWOWpoOov3PmrDEpsbVoWvIDyb0+G7xgm6nGSexaGbVxmXj07/o
- 7cW81GwohK29n6MXtVFcILAOHl5xyRH4f0PqRYx9WAu+pxpH8E423dnMpTNurkYS
- e5yNfo4tL+Fl91RcanwcVA0lFff07GsfFQn1ksgIMFvEVsVaK8OYHiOIgfr1eLUW
- DsCt63P8dEQf38vKlWD2XO7yD1jgjBOsFFbb/Eq8fGx8KiCGknNPZ2y2F4rhHew5
- od2HHMh61oL7n90kHdheFiPPwf8MtDb89yhPLPEKSLmVYB0NjhygOERwgZvix6Rm
- 49YgOhuoXJwGGiBI222zx/q/k6eI0wpB
+ Y29tbXVuaXR5LmNhY2VydC5vcmcwDQYJKoZIhvcNAQENBQADggIBAJI4h/417PFk
+ Ds/Q2v0regpEiIaXggnFLs3L3x58RP6uE4tAMTBiGrxbpytXxlIPLWdvBtxiJbQu
+ JycMKZ/ZvUUfHABKmVPpLMc1110CkDH4wnTH1/wdu/g35YrY91lI3ukVfhH+FCru
+ kL4vfS6CTYPf3rlJOf63FD/XdIJ3YtF1KVNwAoSoKrhU5+UJul+uY+30ghhsnrx/
+ gXuyoDr+/Qakz8WqYjVMe+gWqIVhabq/1UzIbNBb2Upc7o+9uoIw32sxQJPz8mxs
+ RlQdUd4XJLis/ZJIxGE7Ii8Fpyy7RxsSl7XDXlda9HNquf7gJP2bWaLje5RKBzzK
+ 2YM6goGKcbTvdhsBeRJRvmixeXcqEVqXUUtBvuDMsp1geDZag0PitvriedjB5zXd
+ DHg4F0mh6gV2MsMjhCzKvMY6nx8nf1GVZeQX0Me4c4W4gSUnXLmmUarmi0vg1OJ+
+ 61FLwxtCPyZAxlwnpMSCaT0KD8jzLz9fArv5dN2O0EqRHFzYQpVEAlHvfECA6FtR
+ ZcTGUPxat8auCOf5lVjHflCFdaGx5o483TqrATzQFfOZWzxtTrZ6H8BH6kRB0XSg
+ IeRxyzEqfD/IW+cJtKZplAJEzlv48BZImumLLQY+ROFryONYbLP3kIBsBsYelqNi
+ UtWEx9lSBrDbaHQNDUuH6yJmHZWYjgTg
-----END CERTIFICATE-----
private_key: >
ENC[PKCS7,MIIOPQYJKoZIhvcNAQcDoIIOLjCCDioCAQAxggEhMIIBHQIBADAFMAACAQEw
diff --git a/hieradata/nodes/idp.yaml b/hieradata/nodes/idp.yaml
new file mode 100644
index 0000000..8cdc0a2
--- /dev/null
+++ b/hieradata/nodes/idp.yaml
@@ -0,0 +1,16 @@
+---
+classes:
+ - roles::idp
+profiles::base::admins:
+ - jandd
+profiles::icinga2_agent::pki_ticket: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBAD
+ AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASfyW90GZx59x9n47HHlEnkdZ+i
+ niLnTLC+oI8gfFPIH3Tcv15144flW2i0yZGezOrx7u45TB5Etat1xQHikWej
+ AIZnIOJ5EQSNbpz13tGFscC8jdt3r0MzCzdy9S/feyY7hy7Rp5e660ihBJYT
+ eLy+FbR+w3HQ7wBlpXaKB2qXHqBW2dap8iWAVFSqZLm0doZ6NY6vhhFi6JnI
+ gFj6QmUJuE2YyfsJBTl3+u+U8CaIVHwM2NnOXqNys57LUgfCWe3vEKn09tS+
+ 4lCT/2nuMykMjtSHnMG3JwhsrHs9it44sqRF4iviuYOx9hjRjt+oAqe0P8ed
+ kdo3U37c2JsLdLvTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAcAkuhaq
+ iY0ptYro2vaoRbgDC5RScVpxR1ZhQKA2jU9b7RcuV44fADXtPnWDhFt7wwNc
+ kM75ghXXnTtSsfA5gqsLo=]
diff --git a/hieradata/nodes/infra03.yaml b/hieradata/nodes/infra03.yaml
index b66befa..7452172 100644
--- a/hieradata/nodes/infra03.yaml
+++ b/hieradata/nodes/infra03.yaml
@@ -5,3 +5,14 @@ profiles::base::admins:
- jandd
- dirk
profiles::base::is_external: true
+profiles::icinga2_agent::pki_ticket: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBAD
+ AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAooC0Ys7yF7XmdU3gzQQ766/GiN
+ GLulXOVHtr4cEbHSx0eiVtqzADHwSyfzyQNQJVD9p86iwLDlHN9zFfe/Hz4m
+ JnxJgbZe6CqfB/O5qfv2HivSfroPN4EQBJWRRy0JLX9KlAbSNq+PGuJrdLa6
+ EdH/kzLs7giCIy/jDEqDsvqeHiLOoq2W3667piDiIUxqbBuiKkxfKxY3q6Ps
+ Z5Qir81jns727Xn+XNPw/20z6KUj9waKHam5lqssHRqWbfdbSr9bdscDknzl
+ chnSMcioKSrFslI9r8r01+fSDQ6mvlONhpMysbjcF2mZlgpDkejspSTLf0lA
+ OKXjOEuOz+tE3a/DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDsDlK8TG
+ zoLZzcGo+qqbhIgDCmkGuHUCKK6fFdfjBpiPUfQLFKJCXmwcS/8scuPsYQty
+ JK1sacuClUt9YhD2I4UO0=]
diff --git a/hieradata/nodes/proxyout.yaml b/hieradata/nodes/proxyout.yaml
index ee11778..7489edd 100644
--- a/hieradata/nodes/proxyout.yaml
+++ b/hieradata/nodes/proxyout.yaml
@@ -39,6 +39,9 @@ profiles::squid::acls:
- "debpuppet dstdomain apt.puppetlabs.com"
- "gitea dstdomain .gitea.io"
- "github dstdomain github.com"
+ - "github dstdomain raw.githubusercontent.com"
+ - "puppetforge dstdomain forgeapi-cdn.puppet.com"
+ - "puppetforge dstdomain forgeapi.puppet.com"
- "puppetforge dstdomain forgeapi.puppetlabs.com"
- "pypi dstdomain .pythonhosted.org"
- "pypi dstdomain pypi.org"
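Review bot: The new `github dstdomain raw.githubusercontent.com` entry widens the egress allowlist to raw content of every public GitHub repository, which is considerably broader than the clone traffic the existing `github.com` entry serves; a comment naming the consumer that needs it keeps the allowlist reviewable, e.g. `# raw.githubusercontent.com: needed by <consumer — TODO name it>`. The two new `puppetforge` entries for `forgeapi-cdn.puppet.com` and `forgeapi.puppet.com` make the remaining `forgeapi.puppetlabs.com` line look like a leftover; if the Forge API has moved to the puppet.com names, dropping the old host keeps the ACL limited to destinations actually in use. The surrounding `profiles::squid::acls` list continues outside the hunk.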
diff --git a/hieradata/nodes/web.yaml b/hieradata/nodes/web.yaml
index ce804ae..2987021 100644
--- a/hieradata/nodes/web.yaml
+++ b/hieradata/nodes/web.yaml
@@ -222,10 +222,10 @@ profiles::web_proxy::ssl_certificates:
jkpGlA==]
certificate: |
-----BEGIN CERTIFICATE-----
- MIIGPTCCBCWgAwIBAgIDAudeMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
+ MIIGPTCCBCWgAwIBAgIDAvtcMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
- BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMjAxMDAyMTUzODQyWhcNMjIxMDAy
- MTUzODQyWjBgMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
+ BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMjIwOTAxMTU1NzAyWhcNMjQwODMx
+ MTU1NzAyWjBgMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
eWRuZXkxFDASBgNVBAoTC0NBY2VydCBJbmMuMRwwGgYDVQQDExNjb2RlZG9jcy5j
YWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9y+uLMOT
WB8okSFW9A7/62mogifOBHZ9hlpgAozeyeREhWjZ7oGNot3F6GNjQAA5Xh2TaD4a
@@ -244,18 +244,18 @@ profiles::web_proxy::ssl_certificates:
BgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9yZy8wOAYDVR0fBDEwLzAtoCug
KYYnaHR0cDovL2NybC5jYWNlcnQub3JnL2NsYXNzMy1yZXZva2UuY3JsMEEGA1Ud
EQQ6MDiCE2NvZGVkb2NzLmNhY2VydC5vcmegIQYIKwYBBQUHCAWgFQwTY29kZWRv
- Y3MuY2FjZXJ0Lm9yZzANBgkqhkiG9w0BAQ0FAAOCAgEAM2Y0mjhkyhZKLz4imIOv
- /fb6ybSchNLDk/nyrETTTARLqo8Q5+VHnKFNi+7Gx8H+TeVTRxXGRkMTmDC3EXPW
- yB4JECcjdMv7/ZYbkrIgpy4IKnzn+3xSfll9WXU0ubOMnFS1d+A8vIaOeYcuGOEW
- QpaSCKTFDy/R7KypxspirI5TtlLu0iOr8MuwwzXNOXIjf9HhW7dCSIRCz//3CsTQ
- qULnlr+JvoY5fznvAoopF+4ipwJ3AQFOeXol8VHQbwMgkxN0eNd3THnORmOWVKrQ
- 5XaYDDWpDRVTbuLAS3OpZmPEMRWlQgPHpb0kBFUlmmoCedgEdvgEHqY1896omVJ/
- 1OahCzbSutHirglsHqQPTKxTWB9flDiR6JuGZOyyw1I3FJJXZ/KNMqUL3PCanc6M
- jLtYov3BYGDr9rummjnsGj3GqqaJeqk09DcfJ72HR5CQ2w5JXMSA2OnBWyDw0wJG
- +89vupFzPeXo18ICVdY6yzL7mTO9HxDlmXoL5IfH9TniL9U1ijCgyIecMrykHMDF
- KXdYwApYZ86wbHLr0c/fW4R66yhLCYRpaBji87qDp5qzDn1KdglBVESa3WRBNu6E
- J99sOFDEQXU1iS141lMrIHHCVsQUSYYPF03X4+EgcyhI6uLU9a6rIYG+idHIeod8
- KxlE15huNRuCqBg5d4M/mfM=
+ Y3MuY2FjZXJ0Lm9yZzANBgkqhkiG9w0BAQ0FAAOCAgEATAlcw6eN/Cm003SYIF+n
+ h1LYKOTh2Ll5Id/KoBO/hmzQvpxnAixPAWoo5/Qj50qBLKw9dVn693p6E0eFnjfH
+ H7DB5Kp0adPgAK1KeZoyCQtnMStwEcrdXoTk+RXelZ2p4uFTDuxu/3Ucb9VWa4of
+ sTLmPTOThh46/RL3agWB0XNaQuPIs3E+1aEraSDKiIR+45ySDhFflANWZTur/Elg
+ SeoVynXdOjwf0sMv2uL08YD/xm0OTXnxVXEiJJNXgS7Emiay784t+7qiTH9jNex6
+ CvGpHh7T8FS1bkCe5lX/Sxqf4U51QUxt6jXu1qkK0tBiqnsLQuJoEJHPdDrLkTFc
+ Cja3eeILRvqVPqGY8oL5HYr+LgXeRN4+NhE8L8Q4fvRx8pkNoPxGRy9npoFboNZI
+ Z7BULpwtIobHYHtowlyKpiNbgwe4iK44VrVmPDNQaCha0D2P/4TZtZNgajcvybtv
+ Caw2MaAPg/jsch7QLD54cCFD3RjoYMLD0kTphSUAmD1doCaPp3M9ZnXDcuGjYGDC
+ wMMwmJ9IkLGmsC75ytRBBZH5SItV3S8sa63DwhaRCJSKEC5yIUto82Mfa0MujxUt
+ J1E08Kg/VX0ca7l3aAFORBXSvle7XmFDzfq87sgbF9ZvzEmk6uMtc3ydpTGxvW+I
+ uBDpBqkvq+//lKzww7J7NAk=
-----END CERTIFICATE-----
'funding.cacert.org':
key: >
@@ -730,7 +730,7 @@ profiles::web_proxy::apache_vhosts:
manage_docroot: false
ssl: true
ssl_cert: "/etc/ssl/certs/infradocs.cacert.org.crt"
- ssl_chain: "/usr/share/ca-certificates/CAcert/class3_X0E.crt"
+ ssl_chain: "/usr/local/share/ca-certificates/cacert_class3_2021.crt"
ssl_key: "/etc/ssl/private/infradocs.cacert.org.key"
proxy_pass:
- path: /
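Review bot: `ssl_chain` now points at `/usr/local/share/ca-certificates/cacert_class3_2021.crt`, and nothing in this diff shows that file being managed on the web node; the only declaration of that path visible here is in `profiles::icinga2_satellite`, so unless the web profile ships it too, Apache's config test fails on the web host with a missing chain file. Managing the file in the web profile, or adding a `require` on whichever resource ships it, would make the catalog order that explicitly. The identical change appears in the next hunk for `jenkins.cacert.org`. If puppetlabs-apache renders `ssl_chain` as `SSLCertificateChainFile` (as I read the module), note that Apache 2.4.8+ deprecates that directive in favour of appending intermediates to the `ssl_cert` file, which may be worth doing while the chain path is being touched.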
@@ -760,7 +760,7 @@ profiles::web_proxy::apache_vhosts:
manage_docroot: false
ssl: true
ssl_cert: "/etc/ssl/certs/jenkins.cacert.org.crt"
- ssl_chain: "/usr/share/ca-certificates/CAcert/class3_X0E.crt"
+ ssl_chain: "/usr/local/share/ca-certificates/cacert_class3_2021.crt"
ssl_key: "/etc/ssl/private/jenkins.cacert.org.key"
proxy_pass:
- path: /
diff --git a/hieradata/nodes/webstatic.yaml b/hieradata/nodes/webstatic.yaml
index 27223ba..cd5f1d8 100644
--- a/hieradata/nodes/webstatic.yaml
+++ b/hieradata/nodes/webstatic.yaml
@@ -94,8 +94,7 @@ profiles::static_websites::apache_vhosts:
docroot: "/var/www/funding.cacert.org"
docroot_owner: "git"
docroot_mode: "0755"
- directoryindex:
- - "index.html"
+ directoryindex: "index.html"
directories:
- path: "/var/www/funding.cacert.org"
options:
@@ -123,8 +122,7 @@ profiles::static_websites::apache_vhosts:
docroot_owner: "jenkins-infradocs"
docroot_group: "upload"
docroot_mode: "0755"
- directoryindex:
- - "index.html"
+ directoryindex: "index.html"
directories:
- path: "/var/www/codedocs.cacert.org/html"
options:
@@ -150,8 +148,7 @@ profiles::static_websites::apache_vhosts:
docroot: "/var/www/community.cacert.org"
docroot_owner: "git"
docroot_mode: "0755"
- directoryindex:
- - "index.html"
+ directoryindex: "index.html"
directories:
- path: "/var/www/community.cacert.org"
options:
@@ -179,8 +176,7 @@ profiles::static_websites::apache_vhosts:
docroot_owner: "jenkins-infradocs"
docroot_group: "upload"
docroot_mode: "0755"
- directoryindex:
- - "index.html"
+ directoryindex: "index.html"
directories:
- path: "/var/www/infradocs.cacert.org/html"
options:
diff --git a/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py b/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py
new file mode 100644
index 0000000..9236c9a
--- /dev/null
+++ b/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+
+from apt import cache
+import argparse
+import nagiosplugin
+import logging
+
+_log = logging.getLogger("nagiosplugin")
+
+
+def get_running_kernel_version() -> str:
+ with open("/proc/version", "r") as proc_version:
+ return proc_version.read().split()[2]
+
+
+def get_installed_kernels() -> list[str]:
+ try:
+ pkg_cache = cache.FilteredCache()
+ pkg_cache.set_filter(cache.InstalledFilter())
+ pkg_cache.open()
+
+ return [
+ v
+ for v in [
+ k.name[len("linux-image-") :]
+ for k in pkg_cache
+ if k.name.startswith("linux-image")
+ ]
+ if "-" in v
+ ]
+ finally:
+ pkg_cache.close()
+
+
+class VersionsContext(nagiosplugin.ScalarContext):
+ def evaluate(self, metric, resource):
+ installed = get_installed_kernels()
+ latest = sorted(installed)[-1]
+ _log.info("current kernel version is %s", metric.value)
+ _log.info("installed kernel versions: %s", ",".join(installed))
+ _log.info("latest kernel version: %s", latest)
+
+ if latest == metric.value:
+ return self.result_cls(nagiosplugin.Ok)
+
+ return self.result_cls(nagiosplugin.Critical)
+
+
+class KernelVersion(nagiosplugin.Resource):
+ def probe(self):
+ current = get_running_kernel_version()
+ return [nagiosplugin.Metric("kernel version", current)]
+
+
+def main():
+ argp = argparse.ArgumentParser()
+ argp.add_argument(
+ "-v", "--verbose", action="count", default=0, help="verbose output"
+ )
+ args = argp.parse_args()
+ check = nagiosplugin.Check(KernelVersion(), VersionsContext("kernel version"))
+ check.main(args.verbose)
+
+
+if __name__ == "__main__":
+ main()
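Review bot: `sorted(installed)[-1]` in `VersionsContext.evaluate` orders Debian kernel versions as strings, so `5.10.0-18-amd64` sorts below `5.10.0-9-amd64` and the check reports OK on a host still running the older kernel while a newer one is installed — exactly the pending-reboot case it exists to catch; Debian version comparison via `apt_pkg.version_compare` is the right ordering. In `get_installed_kernels` the `finally` references `pkg_cache` before it is guaranteed bound, so a failure in `cache.FilteredCache()` surfaces as `UnboundLocalError` instead of the real error, and an empty list makes `[-1]` raise `IndexError` where an `Unknown` result would be more useful. The rewrite below assumes `import apt_pkg` and `from functools import cmp_to_key` at the top of the file; the existing `from apt import cache` should already initialise `apt_pkg`, but please confirm on a target host.

```python
def get_installed_kernels() -> list[str]:
    # construct and open before the try so a constructor failure is not
    # masked by an UnboundLocalError in the finally block
    pkg_cache = cache.FilteredCache()
    pkg_cache.set_filter(cache.InstalledFilter())
    pkg_cache.open()
    try:
        return [
            v
            for v in [
                k.name[len("linux-image-") :]
                for k in pkg_cache
                if k.name.startswith("linux-image")
            ]
            if "-" in v
        ]
    finally:
        pkg_cache.close()


class VersionsContext(nagiosplugin.ScalarContext):
    def evaluate(self, metric, resource):
        installed = get_installed_kernels()
        if not installed:
            return self.result_cls(
                nagiosplugin.Unknown, "no installed linux-image packages found"
            )
        # Debian version ordering, not lexicographic string ordering
        latest = max(installed, key=cmp_to_key(apt_pkg.version_compare))
        # … unchanged: the three _log.info calls …
        if latest == metric.value:
            return self.result_cls(nagiosplugin.Ok)
        return self.result_cls(
            nagiosplugin.Critical,
            "running %s, latest installed is %s" % (metric.value, latest),
        )
```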
diff --git a/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook b/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook
index a0d3711..c786017 100644
--- a/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook
+++ b/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook
@@ -88,6 +88,17 @@ class GitHookRequestHandler(BaseHTTPRequestHandler):
self.wfile.write(("%s\r\n" % message).encode("UTF-8"))
def _handle_pull(self):
+ args = [
+ "sshpass",
+ "-e",
+ "-P",
+ "passphrase",
+ "git",
+ "pull",
+ GIT_REPOSITORY,
+ GIT_BRANCH,
+ ]
+ self.log.info("running '%s'", " ".join(args))
try:
git_proc = subprocess.run(
[
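Review bot: `args` built at the top of `_handle_pull` is used only for the log line, while the `subprocess.run` call in the next hunk is still passed a second, hand-maintained copy of the same list; the two will drift the next time the command changes. Pass the one list and delete the literal: `git_proc = subprocess.run(args, env=ENV_FOR_GIT, cwd=GIT_DIRECTORY, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=True)`. The log line itself is fine: `sshpass -e` reads the passphrase from the environment, so the joined string contains no secret. `_handle_pull` continues past the hunk.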
@@ -96,15 +107,12 @@ class GitHookRequestHandler(BaseHTTPRequestHandler):
"-P",
"passphrase",
"git",
- "subtree",
"pull",
- "--prefix",
- "icinga2/conf.d",
GIT_REPOSITORY,
GIT_BRANCH,
],
env=ENV_FOR_GIT,
- cwd="/etc",
+ cwd=GIT_DIRECTORY,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
check=True,
diff --git a/sitemodules/profiles/manifests/gitea.pp b/sitemodules/profiles/manifests/gitea.pp
index 27a882e..9b91c0c 100644
--- a/sitemodules/profiles/manifests/gitea.pp
+++ b/sitemodules/profiles/manifests/gitea.pp
@@ -49,8 +49,8 @@ class profiles::gitea (
String $gitea_fqdn = 'code.cacert.org',
String $gitea_socket = '/run/gitea/gitea.sock',
) {
- $gitea_version = '1.16.6'
- $gitea_checksum = 'a96751af12d5e96301a97c280bafb92782e0e9b7a0bbe8960c704c0c0361e576'
+ $gitea_version = '1.17.2'
+ $gitea_checksum = 'd0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57'
$gitea_url = "https://dl.gitea.io/gitea/${gitea_version}/gitea-${gitea_version}-linux-amd64"
$gitea_service = '/etc/systemd/system/gitea.service'
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index e0c204a..66c946f 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -19,7 +19,7 @@
# Copyright
# ---------
#
-# Copyright 2019-2021 Jan Dittberner
+# Copyright 2019-2022 Jan Dittberner
class profiles::icinga2_common (
) {
include profiles::icinga2_certificates
@@ -47,4 +47,27 @@ class profiles::icinga2_common (
ensure => latest,
}
}
+
+ file { ['/usr/local/lib/nagios', '/usr/local/lib/nagios/plugins']:
+ ensure => directory,
+ owner => 'root',
+ group => 'staff',
+ mode => '0755',
+ }
+
+ if Integer($facts['os']['release']['major']) >= 9 {
+ package { ['python3-nagiosplugin', 'python3-apt' ]:
+ ensure => present,
+ }
+ }
+
+ if $facts['virtual'] in ['physical', 'kvm'] {
+ file { '/usr/local/lib/nagios/plugins/check_kernel_status':
+ ensure => file,
+ owner => 'root',
+ group => 'staff',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/icinga2_external_commands/check_kernel_status.py',
+ }
+ }
}
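Review bot: The `check_kernel_status` file is deployed to every physical/kvm host, but its dependencies `python3-nagiosplugin` and `python3-apt` are only declared for OS major release >= 9, and the script uses `list[str]` in a function annotation, which needs Python 3.9 — on a Debian 9 or 10 host the plugin would be installed but fail at import time. Either gate the file resource with a matching (or stricter) release check, or add `require => Package['python3-nagiosplugin', 'python3-apt']` to it so a missing dependency fails the catalog rather than the check. The directories now carry `group => 'staff'` where the satellite's removed declaration used `root`; with mode 0755 that grants no write access, but a comment such as `# staff: Debian convention for /usr/local` would record the choice.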
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index e8f4968..221a3cb 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -50,7 +50,7 @@
# Copyright
# ---------
#
-# Copyright 2019-2021 Jan Dittberner
+# Copyright 2019-2022 Jan Dittberner
class profiles::icinga2_master (
String $ido_database_password,
String $web2_database_password,
@@ -69,7 +69,7 @@ class profiles::icinga2_master (
include profiles::systemd_reload
include postgresql::server
- class { '::icinga2':
+ class { 'icinga2':
manage_repo => false,
features => ['mainlog', 'checker', 'notification'],
constants => {
@@ -78,7 +78,7 @@ class profiles::icinga2_master (
},
}
- class { '::icinga2::pki::ca':
+ class { 'icinga2::pki::ca':
ca_cert => $ca_certificate,
ca_key => $ca_key,
}
@@ -88,7 +88,7 @@ class profiles::icinga2_master (
password => postgresql_password('icinga2', $ido_database_password),
}
- class { '::icinga2::feature::idopgsql':
+ class { 'icinga2::feature::idopgsql':
user => 'icinga2',
password => $ido_database_password,
database => 'icinga2',
@@ -96,7 +96,7 @@ class profiles::icinga2_master (
require => Postgresql::Server::Db['icinga2'],
}
- class { '::icinga2::feature::api':
+ class { 'icinga2::feature::api':
pki => 'none',
}
@@ -123,7 +123,7 @@ class profiles::icinga2_master (
),
}
- class { '::icingaweb2':
+ class { 'icingaweb2':
manage_repo => false,
import_schema => true,
db_type => 'pgsql',
@@ -134,7 +134,7 @@ class profiles::icinga2_master (
require => Postgresql::Server::Db['icingaweb2'],
}
- class { '::icingaweb2::module::monitoring':
+ class { 'icingaweb2::module::monitoring':
ido_type => 'pgsql',
ido_host => 'localhost',
ido_port => 5432,
@@ -146,19 +146,19 @@ class profiles::icinga2_master (
transport => 'api',
username => 'root',
password => $api_users['root']['password'],
- }
- }
+ },
+ },
}
icingaweb2::config::authmethod { 'external-authentication':
backend => 'external',
- require => Class['::icingaweb2'],
+ require => Class['icingaweb2'],
}
icingaweb2::config::role { 'admin':
users => join($icingaweb_admins, ','),
permissions => '*',
- require => Class['::icingaweb2'],
+ require => Class['icingaweb2'],
}
package { ['sshpass', 'git']:
@@ -206,14 +206,7 @@ class profiles::icinga2_master (
notify => Exec['reload systemd configuration'],
}
- file { '/usr/local/lib/nagios-plugins':
- ensure => directory,
- owner => 'root',
- group => 'staff',
- mode => '0755'
- }
-
- file { '/usr/local/lib/nagios-plugins/check_puppetdb_nodes':
+ file { '/usr/local/lib/nagios/plugins/check_puppetdb_nodes':
ensure => file,
owner => 'root',
group => 'staff',
@@ -221,6 +214,19 @@ class profiles::icinga2_master (
source => 'puppet:///modules/profiles/icinga2_master/check_puppetdb_nodes',
}
+ package {['rsync', 'python3-cryptography']:
+ ensure => present,
+ }
+
+ file { '/usr/local/lib/nagios/plugins/check_cacert_crl':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/icinga2_external_commands/cacert_check_crl.py',
+ require => [Package['rsync'], Package['python3-nagiosplugin'], Package['python3-cryptography']],
+ }
+
service { 'icinga2-git-pull-hook':
ensure => running,
enable => true,
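Review bot: `check_cacert_crl` requires `Package['python3-nagiosplugin']`, but the package list two lines above declares only `rsync` and `python3-cryptography`; that package is declared in `profiles::icinga2_common`, and only when the OS major release is >= 9, so unless this class includes that profile further up (not visible in the diff) the catalog fails with an unresolved dependency. Declaring the package here, or stating the dependency on `profiles::icinga2_common` explicitly, removes the hidden coupling. The previous hunk has the same shape: it drops the `/usr/local/lib/nagios-plugins` directory resource and moves `check_puppetdb_nodes` under `/usr/local/lib/nagios/plugins`, a directory that now exists only through the common profile.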
@@ -231,7 +237,7 @@ class profiles::icinga2_master (
],
}
- include ::icinga2
+ include icinga2
file { '/etc/icinga2/zones.d/global-templates':
ensure => directory,
@@ -262,12 +268,38 @@ class profiles::icinga2_master (
target => '/etc/icinga2/zones.d/global-templates/ocsp-command.conf',
}
::icinga2::object::checkcommand { 'cacert_crl':
- ensure => present,
- command => [
+ ensure => present,
+ command => [
'/usr/local/lib/nagios/plugins/check_cacert_crl',
],
+ arguments => {
+ '--rsync-url' => {
+ 'value' => '$cacert_crl_rsync_url$',
+ 'description' => 'rsync URL to check',
+ },
+ '--warning-last-age' => {
+ 'value' => '$cacert_crl_warning_last_age$',
+ 'description' => 'warning if last age is more than that many minutes',
+ },
+ '--critical-last-age' => {
+ 'value' => '$cacert_crl_critical_last_age$',
+ 'description' => 'critical if last age is more than that many minutes',
+ },
+ },
+ vars => {
+ 'cacert_crl_rsync_url' => 'rsync://crl.cacert.org/crl/',
+ 'cacert_crl_warning_last_age' => '1500', # 25h
+ 'cacert_crl_critical_last_age' => '2160', # 36h
+ },
target => '/etc/icinga2/zones.d/global-templates/cacert_crl-command.conf',
}
+ ::icinga2::object::checkcommand { 'kernel_status':
+ ensure => present,
+ command => [
+ '/usr/local/lib/nagios/plugins/check_kernel_status',
+ ],
+ target => '/etc/icinga2/zones.d/global-templates/kernel-status-command.conf',
+ }
file { '/etc/icinga2/zones.d/global-templates/ssl_cert-cacert-command.conf':
ensure => file,
diff --git a/sitemodules/profiles/manifests/icinga2_satellite.pp b/sitemodules/profiles/manifests/icinga2_satellite.pp
index 2dea62b..5c6df6f 100644
--- a/sitemodules/profiles/manifests/icinga2_satellite.pp
+++ b/sitemodules/profiles/manifests/icinga2_satellite.pp
@@ -24,18 +24,11 @@
# Copyright
# ---------
#
-# Copyright 2021 Jan Dittberner
+# Copyright 2021-2022 Jan Dittberner
class profiles::icinga2_satellite {
include 'profiles::icinga2_common'
include 'profiles::icinga2_agent'
- file { ['/usr/local/lib/nagios', '/usr/local/lib/nagios/plugins']:
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- }
-
$cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
$cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
@@ -52,7 +45,7 @@ class profiles::icinga2_satellite {
],
}
- package {['rsync', 'python3-nagiosplugin', 'python3-cryptography']:
+ package {['rsync', 'python3-cryptography']:
ensure => present,
}
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index 935d44c..88edace 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -62,7 +62,7 @@ class profiles::x509cert_common (
file { "/etc/ssl/private/${name}.key.pem":
ensure => file,
owner => pick($cert_info['key_owner'], 'root'),
- group => pick($cert_info['key_group'], 'root'),
+ group => pick($cert_info['key_group'], 'ssl-cert'),
mode => pick($cert_info['key_mode'], '0640'),
content => $cert_info['private_key'],
}
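Review bot: Defaulting `key_group` to `ssl-cert` makes every private key without an explicit `key_group` readable (mode 0640) by all members of that group on the node; on Debian this is the conventional group for TLS-consuming services, but it also means one service in the group can read the others' keys, so a comment such as `# default group ssl-cert: set key_group per certificate where keys must stay isolated between services` keeps that trade-off visible. The `ssl-cert` group also has to exist on every node applying this profile (Debian creates it via the ssl-cert package); declaring it or requiring it would fail the catalog early instead of at file apply time. The enclosing iteration or definition that binds `${name}` and `$cert_info` is outside the hunk.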
diff --git a/sitemodules/profiles/templates/base/update-crls.epp b/sitemodules/profiles/templates/base/update-crls.epp
index f03c9ff..def45ab 100755
--- a/sitemodules/profiles/templates/base/update-crls.epp
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -14,12 +14,13 @@ import glob
import subprocess
import sys
from datetime import datetime
+from os import path
import requests
CRL_PATH = "/var/local/ssl/crls/"
CA_CERT = "/etc/ssl/certs/ca-certificates.crt"
-RSYNC_LOCATION = "crl.cacert.org::crl"
+RSYNC_LOCATION = "crl2.intra.cacert.org::crl"
ICINGA_CA = "/var/lib/icinga2/certs/ca.crt"
@@ -55,7 +56,12 @@ def report_result(success, output, start):
def run_command(args, timeout=10):
- res = subprocess.run(args, capture_output=True, timeout=timeout, text=True)
+ try:
+ res = subprocess.run(args, capture_output=True, timeout=timeout, text=True)
+ except subprocess.TimeoutExpired:
+ return False, "timeout of {} expired running '{}'".format(
+ timeout, " ".join(args)
+ )
return res.returncode == 0, res.stderr
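Review bot: The timeout branch's message omits the unit — `timeout` is in seconds for `subprocess.run`, so `"timeout of {}s expired running '{}'"` reads unambiguously in the check output. `subprocess.run` also raises `FileNotFoundError` (an `OSError`) when the binary is missing, which still escapes `run_command` as an uncaught traceback; handling `OSError` in the same return-tuple shape would keep the reporting uniform.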
@@ -104,7 +110,7 @@ def main():
error_output = []
- for crl in glob.glob("*.crl", root_dir=CRL_PATH):
+ for crl in glob.glob(path.join(CRL_PATH, "*.crl")):
ok, output = verify_crl(crl)
if not ok:
error_output.append(f"crl validation for {crl} failed:\n{output}")
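Review bot: `glob.glob(path.join(CRL_PATH, "*.crl"))` yields absolute paths, whereas the `root_dir=` form it replaces yielded bare filenames relative to `CRL_PATH`; unless `verify_crl` (outside the hunk) has been adjusted to take a full path, it will now either double-join or miss the file. If it still joins with `CRL_PATH`, `path.join` dropping its left operand for an absolute right operand would hide the mismatch silently, so please check `verify_crl` and the failure message, which now prints the full path. The dropped `root_dir` keyword needs Python 3.10, which presumably motivates the change; a comment `# glob's root_dir needs 3.10; join explicitly` would record that for the next reader.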
diff --git a/sitemodules/roles/manifests/authserver.pp b/sitemodules/roles/manifests/authserver.pp
new file mode 100644
index 0000000..792bc71
--- /dev/null
+++ b/sitemodules/roles/manifests/authserver.pp
@@ -0,0 +1,29 @@
+# Class: roles::authserver
+# ========================
+#
+# This class defines the authserver role for a Hydra OAuth2/OpenID connect API
+# server used for authentication/authorization.
+# You should assign this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+# class { 'roles::authserver': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2022 Jan Dittberner
+#
+class roles::authserver {
+ include profiles::base
+ include profiles::rsyslog
+ include profiles::icinga2_agent
+}
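Review bot: The header describes an authserver role for a Hydra OAuth2/OpenID Connect API server, but the class body only includes `profiles::base`, `profiles::rsyslog` and `profiles::icinga2_agent` — nothing deploys or configures Hydra, so the documentation overstates what the role provides. Either add the application profile or qualify the comment, e.g. `# The Hydra service itself is not yet managed by this role.`. The same applies to `roles::idp` in the next file, whose `=` underline is also longer than its title; both files end with a stray blank line after the closing brace.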
+
diff --git a/sitemodules/roles/manifests/idp.pp b/sitemodules/roles/manifests/idp.pp
new file mode 100644
index 0000000..2878931
--- /dev/null
+++ b/sitemodules/roles/manifests/idp.pp
@@ -0,0 +1,29 @@
+# Class: roles::idp
+# ========================
+#
+# This class defines the idp role for an OAuth2/OpenID identity provider
+# used for authentication/authorization.
+# You should assign this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+# class { 'roles::idp': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2022 Jan Dittberner
+#
+class roles::idp {
+ include profiles::base
+ include profiles::rsyslog
+ include profiles::icinga2_agent
+}
+
diff --git a/sitemodules/roles/manifests/infra03.pp b/sitemodules/roles/manifests/infra03.pp
index f1f6fe7..6ceb0d6 100644
--- a/sitemodules/roles/manifests/infra03.pp
+++ b/sitemodules/roles/manifests/infra03.pp
@@ -18,10 +18,10 @@
# Copyright
# ---------
#
-# Copyright 2021 Jan Dittberner
+# Copyright 2021-2022 Jan Dittberner
#
class roles::infra03 {
include profiles::base
include profiles::lxc_host
- #include profiles::icinga2_satellite
+ include profiles::icinga2_agent
}