Diffstat (limited to 'sitemodules')
-rw-r--r--sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py66
-rw-r--r--sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook16
-rw-r--r--sitemodules/profiles/manifests/gitea.pp4
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp25
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp76
-rw-r--r--sitemodules/profiles/manifests/icinga2_satellite.pp11
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp2
-rwxr-xr-xsitemodules/profiles/templates/base/update-crls.epp12
-rw-r--r--sitemodules/roles/manifests/authserver.pp29
-rw-r--r--sitemodules/roles/manifests/idp.pp29
-rw-r--r--sitemodules/roles/manifests/infra03.pp4
11 files changed, 230 insertions, 44 deletions
diff --git a/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py b/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py
new file mode 100644
index 0000000..9236c9a
--- /dev/null
+++ b/sitemodules/profiles/files/icinga2_external_commands/check_kernel_status.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+
+from apt import cache
+import argparse
+import nagiosplugin
+import logging
+
+_log = logging.getLogger("nagiosplugin")
+
+
+def get_running_kernel_version() -> str:
+ with open("/proc/version", "r") as proc_version:
+ return proc_version.read().split()[2]
+
+
+def get_installed_kernels() -> list[str]:
+ try:
+ pkg_cache = cache.FilteredCache()
+ pkg_cache.set_filter(cache.InstalledFilter())
+ pkg_cache.open()
+
+ return [
+ v
+ for v in [
+ k.name[len("linux-image-") :]
+ for k in pkg_cache
+ if k.name.startswith("linux-image")
+ ]
+ if "-" in v
+ ]
+ finally:
+ pkg_cache.close()
+
+
+class VersionsContext(nagiosplugin.ScalarContext):
+ def evaluate(self, metric, resource):
+ installed = get_installed_kernels()
+ latest = sorted(installed)[-1]
+ _log.info("current kernel version is %s", metric.value)
+ _log.info("installed kernel versions: %s", ",".join(installed))
+ _log.info("latest kernel version: %s", latest)
+
+ if latest == metric.value:
+ return self.result_cls(nagiosplugin.Ok)
+
+ return self.result_cls(nagiosplugin.Critical)
+
+
+class KernelVersion(nagiosplugin.Resource):
+ def probe(self):
+ current = get_running_kernel_version()
+ return [nagiosplugin.Metric("kernel version", current)]
+
+
+def main():
+ argp = argparse.ArgumentParser()
+ argp.add_argument(
+ "-v", "--verbose", action="count", default=0, help="verbose output"
+ )
+ args = argp.parse_args()
+ check = nagiosplugin.Check(KernelVersion(), VersionsContext("kernel version"))
+ check.main(args.verbose)
+
+
+if __name__ == "__main__":
+ main()
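Review bot: `sorted(installed)[-1]` in VersionsContext.evaluate chooses the "latest" kernel by plain string order, so `5.10.0-9-amd64` sorts after `5.10.0-18-amd64`; once the ABI counter reaches two digits the check reports Critical on a host that is current, or Ok on one still running the older kernel, which defeats the purpose of flagging a pending reboot after a kernel update. Compare Debian-style version strings instead, e.g. `latest = max(installed, key=functools.cmp_to_key(apt_pkg.version_compare))` with `import apt_pkg` and `import functools` added to the import block. The same line raises IndexError when no `linux-image-*` package survives the filter; returning `self.result_cls(nagiosplugin.Unknown)` for an empty list would give a readable plugin result rather than a traceback. In get_installed_kernels, `pkg_cache` is only bound inside the `try`, so if `cache.FilteredCache()` raises, the `finally` fails with an UnboundLocalError that masks the original exception — move `pkg_cache = cache.FilteredCache()` above the `try`.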
diff --git a/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook b/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook
index a0d3711..c786017 100644
--- a/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook
+++ b/sitemodules/profiles/files/icinga2_master/icinga2-git-pull-hook
@@ -88,6 +88,17 @@ class GitHookRequestHandler(BaseHTTPRequestHandler):
self.wfile.write(("%s\r\n" % message).encode("UTF-8"))
def _handle_pull(self):
+ args = [
+ "sshpass",
+ "-e",
+ "-P",
+ "passphrase",
+ "git",
+ "pull",
+ GIT_REPOSITORY,
+ GIT_BRANCH,
+ ]
+ self.log.info("running '%s'", " ".join(args))
try:
git_proc = subprocess.run(
[
@@ -96,15 +107,12 @@ class GitHookRequestHandler(BaseHTTPRequestHandler):
"-P",
"passphrase",
"git",
- "subtree",
"pull",
- "--prefix",
- "icinga2/conf.d",
GIT_REPOSITORY,
GIT_BRANCH,
],
env=ENV_FOR_GIT,
- cwd="/etc",
+ cwd=GIT_DIRECTORY,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
check=True,
diff --git a/sitemodules/profiles/manifests/gitea.pp b/sitemodules/profiles/manifests/gitea.pp
index 27a882e..9b91c0c 100644
--- a/sitemodules/profiles/manifests/gitea.pp
+++ b/sitemodules/profiles/manifests/gitea.pp
@@ -49,8 +49,8 @@ class profiles::gitea (
String $gitea_fqdn = 'code.cacert.org',
String $gitea_socket = '/run/gitea/gitea.sock',
) {
- $gitea_version = '1.16.6'
- $gitea_checksum = 'a96751af12d5e96301a97c280bafb92782e0e9b7a0bbe8960c704c0c0361e576'
+ $gitea_version = '1.17.2'
+ $gitea_checksum = 'd0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57'
$gitea_url = "https://dl.gitea.io/gitea/${gitea_version}/gitea-${gitea_version}-linux-amd64"
$gitea_service = '/etc/systemd/system/gitea.service'
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index e0c204a..66c946f 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -19,7 +19,7 @@
# Copyright
# ---------
#
-# Copyright 2019-2021 Jan Dittberner
+# Copyright 2019-2022 Jan Dittberner
class profiles::icinga2_common (
) {
include profiles::icinga2_certificates
@@ -47,4 +47,27 @@ class profiles::icinga2_common (
ensure => latest,
}
}
+
+ file { ['/usr/local/lib/nagios', '/usr/local/lib/nagios/plugins']:
+ ensure => directory,
+ owner => 'root',
+ group => 'staff',
+ mode => '0755',
+ }
+
+ if Integer($facts['os']['release']['major']) >= 9 {
+ package { ['python3-nagiosplugin', 'python3-apt' ]:
+ ensure => present,
+ }
+ }
+
+ if $facts['virtual'] in ['physical', 'kvm'] {
+ file { '/usr/local/lib/nagios/plugins/check_kernel_status':
+ ensure => file,
+ owner => 'root',
+ group => 'staff',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/icinga2_external_commands/check_kernel_status.py',
+ }
+ }
}
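Review bot: The `file { '/usr/local/lib/nagios/plugins/check_kernel_status': }` resource has no `require` on `python3-nagiosplugin`/`python3-apt`, and those packages are declared only when the os major release is 9 or newer, so on an older release (or on a fresh host before the packages land) the plugin is deployed but dies at import time, which Icinga surfaces as an Unknown result rather than a kernel status. Nest the file resource under the same version condition and add `require => Package['python3-nagiosplugin', 'python3-apt'],` there. The `$facts['virtual'] in ['physical', 'kvm']` guard looks intended to skip containers that share the host kernel; a one-line comment such as `# containers run the host kernel, so only real and kvm machines get the check` would make that explicit.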
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index e8f4968..221a3cb 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -50,7 +50,7 @@
# Copyright
# ---------
#
-# Copyright 2019-2021 Jan Dittberner
+# Copyright 2019-2022 Jan Dittberner
class profiles::icinga2_master (
String $ido_database_password,
String $web2_database_password,
@@ -69,7 +69,7 @@ class profiles::icinga2_master (
include profiles::systemd_reload
include postgresql::server
- class { '::icinga2':
+ class { 'icinga2':
manage_repo => false,
features => ['mainlog', 'checker', 'notification'],
constants => {
@@ -78,7 +78,7 @@ class profiles::icinga2_master (
},
}
- class { '::icinga2::pki::ca':
+ class { 'icinga2::pki::ca':
ca_cert => $ca_certificate,
ca_key => $ca_key,
}
@@ -88,7 +88,7 @@ class profiles::icinga2_master (
password => postgresql_password('icinga2', $ido_database_password),
}
- class { '::icinga2::feature::idopgsql':
+ class { 'icinga2::feature::idopgsql':
user => 'icinga2',
password => $ido_database_password,
database => 'icinga2',
@@ -96,7 +96,7 @@ class profiles::icinga2_master (
require => Postgresql::Server::Db['icinga2'],
}
- class { '::icinga2::feature::api':
+ class { 'icinga2::feature::api':
pki => 'none',
}
@@ -123,7 +123,7 @@ class profiles::icinga2_master (
),
}
- class { '::icingaweb2':
+ class { 'icingaweb2':
manage_repo => false,
import_schema => true,
db_type => 'pgsql',
@@ -134,7 +134,7 @@ class profiles::icinga2_master (
require => Postgresql::Server::Db['icingaweb2'],
}
- class { '::icingaweb2::module::monitoring':
+ class { 'icingaweb2::module::monitoring':
ido_type => 'pgsql',
ido_host => 'localhost',
ido_port => 5432,
@@ -146,19 +146,19 @@ class profiles::icinga2_master (
transport => 'api',
username => 'root',
password => $api_users['root']['password'],
- }
- }
+ },
+ },
}
icingaweb2::config::authmethod { 'external-authentication':
backend => 'external',
- require => Class['::icingaweb2'],
+ require => Class['icingaweb2'],
}
icingaweb2::config::role { 'admin':
users => join($icingaweb_admins, ','),
permissions => '*',
- require => Class['::icingaweb2'],
+ require => Class['icingaweb2'],
}
package { ['sshpass', 'git']:
@@ -206,14 +206,7 @@ class profiles::icinga2_master (
notify => Exec['reload systemd configuration'],
}
- file { '/usr/local/lib/nagios-plugins':
- ensure => directory,
- owner => 'root',
- group => 'staff',
- mode => '0755'
- }
-
- file { '/usr/local/lib/nagios-plugins/check_puppetdb_nodes':
+ file { '/usr/local/lib/nagios/plugins/check_puppetdb_nodes':
ensure => file,
owner => 'root',
group => 'staff',
@@ -221,6 +214,19 @@ class profiles::icinga2_master (
source => 'puppet:///modules/profiles/icinga2_master/check_puppetdb_nodes',
}
+ package {['rsync', 'python3-cryptography']:
+ ensure => present,
+ }
+
+ file { '/usr/local/lib/nagios/plugins/check_cacert_crl':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/icinga2_external_commands/cacert_check_crl.py',
+ require => [Package['rsync'], Package['python3-nagiosplugin'], Package['python3-cryptography']],
+ }
+
service { 'icinga2-git-pull-hook':
ensure => running,
enable => true,
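Review bot: `require => [Package['rsync'], Package['python3-nagiosplugin'], Package['python3-cryptography']]` on the check_cacert_crl file references a package this manifest does not declare; in this commit it is declared by profiles::icinga2_common, and only when the os major release is 9 or newer. If the master does not include that class (not visible here) or runs an older release, catalog compilation fails on the missing dependency. Either add the package to the `package {['rsync', 'python3-cryptography']:` resource just above when icinga2_common is not included, or guard the reference with the same release condition.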
@@ -231,7 +237,7 @@ class profiles::icinga2_master (
],
}
- include ::icinga2
+ include icinga2
file { '/etc/icinga2/zones.d/global-templates':
ensure => directory,
@@ -262,12 +268,38 @@ class profiles::icinga2_master (
target => '/etc/icinga2/zones.d/global-templates/ocsp-command.conf',
}
::icinga2::object::checkcommand { 'cacert_crl':
- ensure => present,
- command => [
+ ensure => present,
+ command => [
'/usr/local/lib/nagios/plugins/check_cacert_crl',
],
+ arguments => {
+ '--rsync-url' => {
+ 'value' => '$cacert_crl_rsync_url$',
+ 'description' => 'rsync URL to check',
+ },
+ '--warning-last-age' => {
+ 'value' => '$cacert_crl_warning_last_age$',
+ 'description' => 'warning if last age is more than that many minutes',
+ },
+ '--critical-last-age' => {
+ 'value' => '$cacert_crl_critical_last_age$',
+ 'description' => 'critical if last age is more than that many minutes',
+ },
+ },
+ vars => {
+ 'cacert_crl_rsync_url' => 'rsync://crl.cacert.org/crl/',
+ 'cacert_crl_warning_last_age' => '1500', # 25h
+ 'cacert_crl_critical_last_age' => '2160', # 36h
+ },
target => '/etc/icinga2/zones.d/global-templates/cacert_crl-command.conf',
}
+ ::icinga2::object::checkcommand { 'kernel_status':
+ ensure => present,
+ command => [
+ '/usr/local/lib/nagios/plugins/check_kernel_status',
+ ],
+ target => '/etc/icinga2/zones.d/global-templates/kernel-status-command.conf',
+ }
file { '/etc/icinga2/zones.d/global-templates/ssl_cert-cacert-command.conf':
ensure => file,
diff --git a/sitemodules/profiles/manifests/icinga2_satellite.pp b/sitemodules/profiles/manifests/icinga2_satellite.pp
index 2dea62b..5c6df6f 100644
--- a/sitemodules/profiles/manifests/icinga2_satellite.pp
+++ b/sitemodules/profiles/manifests/icinga2_satellite.pp
@@ -24,18 +24,11 @@
# Copyright
# ---------
#
-# Copyright 2021 Jan Dittberner
+# Copyright 2021-2022 Jan Dittberner
class profiles::icinga2_satellite {
include 'profiles::icinga2_common'
include 'profiles::icinga2_agent'
- file { ['/usr/local/lib/nagios', '/usr/local/lib/nagios/plugins']:
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- }
-
$cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
$cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
@@ -52,7 +45,7 @@ class profiles::icinga2_satellite {
],
}
- package {['rsync', 'python3-nagiosplugin', 'python3-cryptography']:
+ package {['rsync', 'python3-cryptography']:
ensure => present,
}
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index 935d44c..88edace 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -62,7 +62,7 @@ class profiles::x509cert_common (
file { "/etc/ssl/private/${name}.key.pem":
ensure => file,
owner => pick($cert_info['key_owner'], 'root'),
- group => pick($cert_info['key_group'], 'root'),
+ group => pick($cert_info['key_group'], 'ssl-cert'),
mode => pick($cert_info['key_mode'], '0640'),
content => $cert_info['private_key'],
}
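Review bot: Changing the default `key_group` from `root` to `ssl-cert` widens read access to every private key whose `$cert_info` does not set `key_group` explicitly, because the default mode stays `0640` and any member of `ssl-cert` can now read those keys. That follows the Debian convention for services that need a TLS key without running as root, but neither the rationale nor the fact that it applies to all keys by default is recorded; a comment on the `group =>` line such as `# ssl-cert by default so services in that group can read the key without root` would capture the intent. The `ssl-cert` group also has to exist on the node (Debian's ssl-cert package creates it), which this file resource does not ensure.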
diff --git a/sitemodules/profiles/templates/base/update-crls.epp b/sitemodules/profiles/templates/base/update-crls.epp
index f03c9ff..def45ab 100755
--- a/sitemodules/profiles/templates/base/update-crls.epp
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -14,12 +14,13 @@ import glob
import subprocess
import sys
from datetime import datetime
+from os import path
import requests
CRL_PATH = "/var/local/ssl/crls/"
CA_CERT = "/etc/ssl/certs/ca-certificates.crt"
-RSYNC_LOCATION = "crl.cacert.org::crl"
+RSYNC_LOCATION = "crl2.intra.cacert.org::crl"
ICINGA_CA = "/var/lib/icinga2/certs/ca.crt"
@@ -55,7 +56,12 @@ def report_result(success, output, start):
def run_command(args, timeout=10):
- res = subprocess.run(args, capture_output=True, timeout=timeout, text=True)
+ try:
+ res = subprocess.run(args, capture_output=True, timeout=timeout, text=True)
+ except subprocess.TimeoutExpired:
+ return False, "timeout of {} expired running '{}'".format(
+ timeout, " ".join(args)
+ )
return res.returncode == 0, res.stderr
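Review bot: The new `except subprocess.TimeoutExpired:` branch builds its message with `str.format` while the rest of this file uses f-strings (see `f"crl validation for {crl} failed:..."` in main), and the message omits the unit of the timeout value. `return False, f"timeout of {timeout}s expired running '{' '.join(args)}'"` keeps one style and is unambiguous in the alert text. Whatever rsync or openssl wrote before being killed is available on the exception's `stderr` attribute and could be appended to the message to aid diagnosis.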
@@ -104,7 +110,7 @@ def main():
error_output = []
- for crl in glob.glob("*.crl", root_dir=CRL_PATH):
+ for crl in glob.glob(path.join(CRL_PATH, "*.crl")):
ok, output = verify_crl(crl)
if not ok:
error_output.append(f"crl validation for {crl} failed:\n{output}")
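Review bot: `glob.glob(path.join(CRL_PATH, "*.crl"))` yields full paths, whereas the replaced `root_dir=CRL_PATH` form yielded bare file names relative to that directory; if `verify_crl` (outside this hunk) prepends `CRL_PATH` to its argument it now receives a doubled path and every CRL fails verification, and the alert text `crl validation for {crl} failed` switches from a name to a full path. Worth confirming what `verify_crl` expects; if it wants names, `path.basename(crl)` on the loop variable restores the previous behaviour. The rewrite is presumably for Python releases before 3.10, where `glob.glob` has no `root_dir` parameter; a short comment saying so would stop someone reverting it.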
diff --git a/sitemodules/roles/manifests/authserver.pp b/sitemodules/roles/manifests/authserver.pp
new file mode 100644
index 0000000..792bc71
--- /dev/null
+++ b/sitemodules/roles/manifests/authserver.pp
@@ -0,0 +1,29 @@
+# Class: roles::authserver
+# ========================
+#
+# This class defines the authserver role for a Hydra OAuth2/OpenID connect API
+# server used for authentication/authorization.
+# You should assign this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+# class { 'roles::authserver': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2022 Jan Dittberner
+#
+class roles::authserver {
+ include profiles::base
+ include profiles::rsyslog
+ include profiles::icinga2_agent
+}
+
diff --git a/sitemodules/roles/manifests/idp.pp b/sitemodules/roles/manifests/idp.pp
new file mode 100644
index 0000000..2878931
--- /dev/null
+++ b/sitemodules/roles/manifests/idp.pp
@@ -0,0 +1,29 @@
+# Class: roles::idp
+# ========================
+#
+# This class defines the idp role for an OAuth2/OpenID identity provider
+# used for authentication/authorization.
+# You should assign this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+# class { 'roles::idp': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2022 Jan Dittberner
+#
+class roles::idp {
+ include profiles::base
+ include profiles::rsyslog
+ include profiles::icinga2_agent
+}
+
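Review bot: The heading underline `# ========================` on the second line is seven characters longer than `# Class: roles::idp`, unlike authserver.pp in this same commit where title and underline match; `# =================` keeps the header consistent with the other role manifests. The class body mirrors roles::authserver exactly and nothing in it is specific to an identity provider yet, which is presumably a placeholder; a `# TODO` line noting what is still to be added would keep the stub from being mistaken for a finished role.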
diff --git a/sitemodules/roles/manifests/infra03.pp b/sitemodules/roles/manifests/infra03.pp
index f1f6fe7..6ceb0d6 100644
--- a/sitemodules/roles/manifests/infra03.pp
+++ b/sitemodules/roles/manifests/infra03.pp
@@ -18,10 +18,10 @@
# Copyright
# ---------
#
-# Copyright 2021 Jan Dittberner
+# Copyright 2021-2022 Jan Dittberner
#
class roles::infra03 {
include profiles::base
include profiles::lxc_host
- #include profiles::icinga2_satellite
+ include profiles::icinga2_agent
}