authorGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:00:58 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:53:58 +0200
commit82d27fabc7becba1d1ee7c24b331522f2330cae6 (patch)
treee2c2ecccedfb5a340144f36605f07669b7d6059b
parentb331c2f99c1217c6f4208159c64ca6a5b0053bc7 (diff)
Tunnel munin-update traffic through IPSec.
-rw-r--r--certs/munin/antilop.fripost.org.pem32
-rw-r--r--certs/munin/benjamin.skangas.se.pem32
-rw-r--r--certs/munin/civett.friprogramvarusyndikatet.se.pem33
-rw-r--r--certs/munin/elefant.fripost.org.pem32
-rw-r--r--certs/munin/giraff.fripost.org.pem32
-rw-r--r--certs/munin/mistral.fripost.org.pem32
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml5
-rw-r--r--roles/common/tasks/munin-node-ssl.yml57
-rw-r--r--roles/common/tasks/munin-node.yml2
-rw-r--r--roles/common/templates/etc/iptables/services.j26
-rw-r--r--roles/common/templates/etc/munin/munin-node.conf.j29
-rw-r--r--roles/common/templates/etc/stunnel/munin-node.conf.j256
-rw-r--r--roles/munin-master/handlers/main.yml3
-rw-r--r--roles/munin-master/tasks/main.yml29
-rw-r--r--roles/munin-master/templates/etc/munin/munin.conf.j210
-rw-r--r--roles/munin-master/templates/etc/stunnel/munin-master.conf.j265
17 files changed, 7 insertions, 431 deletions
diff --git a/certs/munin/antilop.fripost.org.pem b/certs/munin/antilop.fripost.org.pem
deleted file mode 100644
index d523dc4..0000000
--- a/certs/munin/antilop.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFmzCCA4OgAwIBAgIJALo1zxDUUlypMA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
-MBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMTQ4NTlaFw0y
-NTA2MDQyMTQ4NTlaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
-cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9y
-ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK8ZSjXPp/xqd0LQp3hN
-rH2fH3Ya7qDPpGehNB9iLt00Ctln6rQG9XBUMtDHApVbWjXSDLEzrmvsKr9HWKNy
-vieMcASJmtDiteyorGofyTN72/9AgRzn1Qnd1tOejWPGcuyk+pyhL8XX5CzZz7bB
-mFPMWlKlGNGbSC2zrwGJjXiql74u5dMhaI6UeGDh+zDHiu1n6VOtHBGC49noQQYI
-Opnsiy6DqKytRbxVIr+QPgP0GnJyq1c6HD90O0ygGkc0Mk/Lve/tqhg9x4SNszsj
-FOXfwUln3WWu669dOD1bMoOQDMOIsG7gfksWUkXaD5GeGtGtjJ+yAtX31XYqnYzD
-EeSZPfiB9lofPziHsjkQGCfhyXBrgadUMpmEjCQCLe6OcMVTASwYt3DAADhyOGhP
-CIEKoa6fe2fSppiApqwF5qJraP0QoNIcyjRumHgZCOZb1SO1Co7SoywW91QbGn5S
-pafEjzWBm0x7Tcwb3Ez5yS7a9n31m0sCSkgu02a4gNzttilss53J+Ey6sQR2I36m
-022YlNbP6VoBjsUoHJ5bBh8BnkHkrPqm6L1t3flS307Op15DGigfgz8aLcKM+kU7
-2/NFnhF+9uXS6RI8NT8Fx/SndMSHFkXiq/3icp+q+8tGKBpC9yhM2rZELqf00KI3
-1ZL1q+XJq0yUgr+0zBxpswmBAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
-aXBvc3Qub3JnghNhbnRpbG9wLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBS+XRcfpHDEicAMDsev525N7Ny7JTANBgkq
-hkiG9w0BAQ0FAAOCAgEAO2rPII3Y+yBOOT3NR5SNLlyoVFmuTBwrfustlyytCgkY
-tB9RTgi3JJLIN40YoHsCXzVQTLn7kwSEx/NMCCZekJo4mzBQfM9CmhEO8mAPQXnp
-pyEQVc6PcUu3Wd6S5VDy6HpPPA+HWc0pVFEgVQoyR8Hk/U5dPNfRzUGLdJZJNUxf
-SAbQg8pdeQApVHAsBexY7E8YvVcHoBvkVa9lmI9JwbCWwTzWh+KapgzgnYJAt9lK
-GUAdAdvrFV0/YN2kcDKeCjqzcNi4U3MU7zh1CnSkoeLPYXfXPTNcsXKwsHx8OPqf
-CAasB2104NAVygk6Syd1Sejwxs0q8JKxu62yCplorW1r1W1F2HyrkkivdF1/ueLS
-aU2oIBmBaPFZPtyjE+bmjrM8RQhEkd7gD7wj2X2mi69dUWVfElNHGoPoQPvNqj5o
-iDfRfX2gyGSpeqNdHk0E+vjCmaH7WiWyk0VbLdyHwrGb1vMrg7/qg3OXBTCaTJaa
-9RG3uJ64wB9cVTuaDNZOLSpsDlfbCzXfPT3LyI3JMuqaFaBVwJ1DhJ6HFpPjB6wT
-F32MyabrN7+4Un/KB69wbJpjLweBZk19UbKZ70erzMECpTfx7CekaFCraQ61yo5L
-FXNvp+Hnf8oWb1mp/j4HbxC/RrxTk+FFFXN/WOb9CZuf6z2NjzoLfguKONO7YFE=
------END CERTIFICATE-----
diff --git a/certs/munin/benjamin.skangas.se.pem b/certs/munin/benjamin.skangas.se.pem
deleted file mode 100644
index c8187b4..0000000
--- a/certs/munin/benjamin.skangas.se.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFmzCCA4OgAwIBAgIJAOEeSKT/8HACMA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
-MBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDcyMTI5MDBaFw0y
-NTA2MDQyMTI5MDBaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
-cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5z
-ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEylnjWaCkttJmUbO+j
-AirK17RcdSLo+AADCEfgfjjS7LgXI7LwWC7y8TB1N+mktOJQp2S8wQdJJovb08KX
-NTgIpBGqzn3eTKy2Tp27o/D4cWmdadb99rWbSJOZ5eXUcUtg25OpgZCXCEqOwpBC
-zH2wrzi5xmX10d4DfUsl6QV5vgCSWsoPTr/m6s01aARmZRfFq8OjR1R+E1NpTp0K
-O9v0dMrDtWsMwOoCXiHgcUYfZPTSwJvqoCWOSYFl6Hj25Ef2SNzVQWtoDliMfndN
-a+aLW7DAs2Y5jrC0V8+ar5AqBtFm1L10wLZeL6AXgmLYooH9VmHprqQXQqWsb8tc
-BVGCSdIemrNEtC1KVAljM3EwlnDm3ALEl1DbOlnvh2arM7uvWPQNEsEy/k3uvlI3
-4Q8c8jn7CO5ceTe/TgJA5ANJZ5SRz6cUqKX4aF79H/7Xbd2iDtTsEFNMABz23Fn8
-rW7DLdEyRbUV0upbleLXUB3gEaNm7gAeSKjOdv40snz1glCgMlw8zxcp+33aNxos
-cKkMauWs1WqPH9egEHj3AiPrLnMHHm0VFfWjEmdeAacNGZ3o66wOchmWuWh1R1ef
-Ab2LdCBlkKSRlZK+wu+/ZnJvadYM3oXKbYCsRYqcEgWiO52nJ/GRDV3xPbNnTu7J
-tRQLIASfRI7shTNofrAkXGELAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
-aXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQGvGSnh/caV1KzV8LlnmlXlOiaCzANBgkq
-hkiG9w0BAQ0FAAOCAgEABRcJzubuY1dh8YBfnkMbRK7Pao3jlb0+mLOJEdeWddu2
-KrrCUMMtRHeoNXeTCXwWkhXr6P8wkLuIlqt7U+f1nzyFVj1yyDye88GZopl/lAMr
-j380VEd/XE4xcWYq/9krKoEUdGEwduy3cDwsUwy4KZ287YutObVZkXszCuPGD7d3
-tbRQkJnHL2VvwBOrYrimzMx4L9dl6Vz/BR+sn+aIbx3PeO/R14/7DCFdnbmXzHjH
-mO57lrN5BrGZWqYiEonj77d7UBQuDmUlX7VOHrfcBh+2PUCtuPB+s2DOwPKyepo2
-UehZBSGEkhx6wT2NBrR1aEm3mfDmPzUBoK8VJpQsVUWWCD889zn/6tCoTGwoQ+n5
-gBGxk2DRXikYc4UMLJr7nDudzQI+/T0+ehrYno77EynRqNzaAY54gDiLEG07OAq2
-DWnM/Hf4QNG/ggLORJfCHcgpckaOs9HKxs23vGfrwCVTrIYmQ+IEZxicFkiemRfz
-zIGeITvFCv06ri0kYSI3v6mT7LJzidngd7otFIlxJPUU2j0UqMNOZ/WAhf3HXAGK
-uJw3a/amnxWJY30ZZ/zQmLa3CWC5oYZzypwlrrCZm0ccVNO8KZ1YVrjZ/AfSO9US
-hROIcXPzX9fr7IdBgQ44j7WQ7rm+k9JHsJs/C5gwnM5iYPJTz76Lm6yhBVlBkyQ=
------END CERTIFICATE-----
diff --git a/certs/munin/civett.friprogramvarusyndikatet.se.pem b/certs/munin/civett.friprogramvarusyndikatet.se.pem
deleted file mode 100644
index c19e431..0000000
--- a/certs/munin/civett.friprogramvarusyndikatet.se.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFyTCCA7GgAwIBAgIJAMiyPdV6HtyYMA0GCSqGSIb3DQEBDQUAMGIxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEr
-MCkGA1UEAwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAeFw0x
-NTA2MDcyMjAxNDhaFw0yNTA2MDQyMjAxNDhaMGIxEDAOBgNVBAoMB0ZyaXBvc3Qx
-ETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjErMCkGA1UEAwwiY2l2
-ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTCCAiIwDQYJKoZIhvcNAQEB
-BQADggIPADCCAgoCggIBALCTTQEtoLENRnxuHzoRLqu7YQQZUvmPrHfOvSpkl1Lc
-mbmuHmnLcecTClT8Usyt/bUhkejnAU+QJYhPToaglwbsj12Qi15kl+WfiDv1GC09
-A/XsTbMvpNbHb23jc7YHrLKviHLbgOOzjpUKNjIR/IvMpjc3y2MB12RQ/YvjOqt1
-7RyL5rYR5c0FGTjEGkBd0diGZdTsbid6+0+NWqpQIDbvc1Cfmt8ppsGAY9jvxavq
-pzkOYaTr76nZM0L6hxYsEz7tcNGL2Ep9y01tReBBwfY1/Y67Vzo7l9sAz0Vo4Ar5
-iF9uRKyncG421Afq6IFUbOJYUHIWRYX7nfglQ5kWoXwjpIOBwDW8ObFBGJKHx0jW
-Br7rQ0G8UjyK9wg8CR+E26+hC4dhB5sUwwvv+1U/hXcC4DreAoTquOnATIY1e6cf
-d9optFmix5g3MV5d6I24zZrNGHeXRKHuwwt7vq+sxlWPYrSLogx3wm3VpullPvX4
-8Btpq1S++DUSpRiEZZAf7AmMaVQ5j4Obs2BCItT1IQBv71rPE3d76CezPsa/qWiL
-33VOkVXPZVSCP5heqrb1C5sXU6IHC0S6jdBWK/Qy7jS3cGmohoCY/980ymytQ23e
-J5wdzdebkAXKaxRBROZ8LCTQZRL9jlao/IWPMvDZMrsCfE9EtmHYb/oLxgRAGl5P
-AgMBAAGjgYEwfzBABgNVHREEOTA3gRFhZG1pbkBmcmlwb3N0Lm9yZ4IiY2l2ZXR0
-LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAMBgNVHRMBAf8EAjAAMA4GA1Ud
-DwEB/wQEAwICpDAdBgNVHQ4EFgQUVCK81aQ1dTq4CxwtM7ytG0WiUTYwDQYJKoZI
-hvcNAQENBQADggIBAK58LrTia7MisnwJWEvaH7gSO4M4BEu6fA+gBXUqkej6QWPe
-iENebekWTwdnA9yjxdOzgIdjzACFDeASHpyey4mvc91cwxNf5ivoCXG3ZuyTgMBL
-mzWnDbGxxybGUDU865eVWKpaoL0orDw3BldxZQfJ8HORAWXno7UKMwdPfhE8eQB4
-2SBYNKpmJDQZ5GiIgrDLrr0DwzsPnF5HEujAN1R8muD9yel1tVKGXA3qhg3NLhjB
-YGM12876KTn8qEm5bGBxYFJZrUnM+C7/feeyPHS48XmjopBmolcwzAzSgOPq4kiO
-keE5sdcOEocJQNO0Oh8dEXbjM9zIyf+xFBH8ov57g2Hr8XyavkRplGR/DNn2h6d/
-ZqszTYToM54zcWBSlg42SVBqMiJTkYSDLT4h8k649jLlmFzB/7DlEQMQrk4ayOKF
-y32A6+LGczcBxHB8Lc8fRiMzytcK5NncFbhJYgcdn88uZApUpWKFT5e6ZcIwyfKS
-cZNj6EKY3HcPDPt5yXNMH1fP/SkUeAfLq9JsEzGjGboxQmuG55ryeyP0i6ZZr4uA
-rEK+kT3i5CekZBgbRDNX0OZwU9JGlYKBR2UhH1uGTeqK/7Kn1pToUJbOCBWhT38A
-KNPGRDQlAIHBvtEBejrBNBgSVPkYhbegXRnP6xMrjSW3S+Z5SRUxUhizbBTc
------END CERTIFICATE-----
diff --git a/certs/munin/elefant.fripost.org.pem b/certs/munin/elefant.fripost.org.pem
deleted file mode 100644
index 52f00a6..0000000
--- a/certs/munin/elefant.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFmzCCA4OgAwIBAgIJAM/f4YZpd7G6MA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
-MBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMjA1MjJaFw0y
-NTA2MDQyMjA1MjJaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
-cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9y
-ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEbZntqTM32vQHJO182
-5UWfLRBBiOD/WySkSHd0Ugfxrvl2ZBw4cXv3gA6THYUwzKJ/wBR0huDcqVj7Ufz5
-18m7Kf4QCyjDlnOJ47lgizGhwk+GRxgz6xSnTJWt2cP7I57ec/x4YPjxEZL09O9N
-QBZ9alFQBeLYWR2OhhzhV+u45AIDeH4ZPUretGVGocv4H7qTW/NGlGJxolAA+lqk
-3Eg6HAziaNESOVXtmQLuRvd8bkyfksSIUXK0uTPgHRPIjDgUAGHrHmKADLivnew2
-yOt3PW6weNphQaixmMF5no3hjS7wqWD/+PVnmKmRhbp6Icek3+iMtaSDopYD060Z
-cL3vxm+Im2chaa8dYZ2qDt4ij0tTeRF9zEhYvnvuJA4tdP7VLJjQDb0N51SKG27i
-gwCQNQs9LwFyvyNckc7K4f5ztnffO+FwNlGJFzwVzmQ++oUL7DjlsxsmNlKZiHQ6
-/QE1j3VBZlh7XYCcHxxFJEB4Tq0Y+Jyrto8G73iHa+rJUnDuA6prqzqdPIGjHL7p
-onx+0SdbD37TqT/dvsMAbWnmivuQY4Y3jVZrZ1bTuOpUBU7K42ThBcioTT63sp+3
-+d+gmxT57wPJyQDt94KecWcKt88qgZ93pKJZfO8SYkUR17cIdOqsu845G0QA973U
-rk0T8z3JLV6oJvlfpfI61NRrAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
-aXBvc3Qub3JnghNlbGVmYW50LmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBTpY3697NTeGIyhSSvGXMrZK3pxLjANBgkq
-hkiG9w0BAQ0FAAOCAgEAK0FFduIr7GSD8j2NIwiCdQkIoPcgsq2ok+Ge50QwZXyY
-mMRqSygblXhxPt8lQKYkBYPYcp//VoGkGgyl7ALvA4SJIU1zk6PK7vsa7TRe7nCU
-oVCJHCqXSM0t+WH9Huai23T3uE9oTNQSHQSRbnIoTwiEjexXAtizKs0+ZSkQTUrV
-ZntsPgwZVM67cOkxvbbgtDtMRr40tFqWUWT6QIlu5bVLnCDwxX3jRFv6r+efCfTe
-fwZjJGPdXzRAUNNDG6gZCxpAGpRjYmNNwCAQVZmJ8NJnVPyH+GYE4Urb6Ce3q939
-pZZrlFHIplhqiEAL7AE2GBZdI3UoklMgG5P3PGkTLcerY5fSAfG3DcGNtWn7bZdM
-AuGdmf8lVpr/InFP/Ke8sUxc5sBDl9vwndEX57EW8QALyL+S5XMZKlWtJAY3v1+6
-vGuvAwuUsTn2QZyfhP5MK2URNP1FAxIBqEWkG4UVp1RupRBKThwAUeTAGyExMbBD
-2EDDgOZonrl8nbLsc4mXH7CFIakzm0dEnwaQVpNtzFSNMQ+uxQF07rlgwaOrDUu1
-qk3PZDMqDio00f12GpJbmxMUTXjKzVWx62fE+YJ+vc34kLzBluerQn96yT1+BvT0
-Zq/c1/esKLDaWDHKVmS0mgrRRTi2k08Hh7Cove6CcSlqiH0ljFe2goDhaJsXQYc=
------END CERTIFICATE-----
diff --git a/certs/munin/giraff.fripost.org.pem b/certs/munin/giraff.fripost.org.pem
deleted file mode 100644
index c1aab21..0000000
--- a/certs/munin/giraff.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFmDCCA4CgAwIBAgIJANQpG6iifrkuMA0GCSqGSIb3DQEBDQUAMFIxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEb
-MBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qub3JnMB4XDTE1MDYwNzIyMDgzNFoXDTI1
-MDYwNDIyMDgzNFowUjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2Vy
-dHMxDjAMBgNVBAsMBU11bmluMRswGQYDVQQDDBJnaXJhZmYuZnJpcG9zdC5vcmcw
-ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgu7/OtgeU7nQzt2qeFyGL
-46S9nR/jGCeLysL1ZbGFfOjr19D1bxjl+gLCLaIa77oY+1Ke8JoJQCe1DKTZxY0Z
-XLoOrOYQQLDN2dZJQ9NEtrR/qwGtxb13eAWra+aA/S1MXpOnB4aDTNCPwl5IA6BG
-1iuhgn/NgNjVaZjtlkCoRvwCC515UT1Us/1q2fk8jvVBQheZ5uwFr7M6RUTN+vFw
-MuQrqeDDGpJcyXQsXuWqjfYdcpR+GU53qsRY1zBfpCvsooxJU7HjzfGMV4dZoZg2
-N3gPVJ7u8u3rIGKaRQbKM5o8YWqECiTOxlEYpalUq8mNgBRAwo84Y5vnDnoTNdQF
-gY2dAOmbEsu2ywZ/DDt9yuGxtUOQyqG7PtzvAlbPf2/5m79KfzgYVK1rTfVxQRI+
-dbVbqaIYpAEWO5FeOOXyGcbX3xTkqUwskUsgWiR5RRifEuN76HUsKifwk6goRyhR
-gANO10aEX9484jt2HXPahrcyQ4LvSOV9TVRA6N27A1kGoX/zp6X0mGU/4B2Fo5KO
-lhcfOHP9tU+S9MSxTU90vGusrH/63tz4Q4LKK0QNtr8TdnhH4Q1x1a3UPyRcTauu
-+DDQNQWbhWn18I1nSHbBRB8VUu6SOmHDVjITcddh85CzR3ugHHO91ykCgO1k1g3h
-68j5QT7jL09FSOZblxSRawIDAQABo3EwbzAwBgNVHREEKTAngRFhZG1pbkBmcmlw
-b3N0Lm9yZ4ISZ2lyYWZmLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYDVR0P
-AQH/BAQDAgKkMB0GA1UdDgQWBBT0vMjrt5EL+bQp3Wbp52qCVvsoJTANBgkqhkiG
-9w0BAQ0FAAOCAgEAMe6BM9wjqgY3KPuOacoEJZCA41+4QiU42DuYKhwYJAvLD2rs
-AutbZbR6rbBf6+3WqMIkCH09CBiD0TOnpm83VlPorg0ZBandxQdtdc+2Wt5RPA3E
-sgWsKoTXqbuwcyWub324Z3IhcEzjRnX+kL+d+a8m9jqVzWZhyZGJwbbX2UGGEA+e
-fRAg8fTc21jLqmj2Ea6L35IPFcH5ZPMLnwuqZQWAlIOU/aiyCz+skCti3L25Y02L
-yCFqiZ6PpG0hVAsBfQ210Vws1Sb1VqLaUBTXCL1WzfwcLbKCZhZ1o08wmOn3VGN5
-GTqKI8qhg1qmvqGnaECy55cb0oXhzYXcin6gO672MPSDOtnEbRg9tyPxcPVaU8QF
-qcVXCZjyuyLDr5BrSd4FC5abP4NXWNqheX2jIU0kuypNniOe8rJLNT/S88PnQHRW
-Bnyl+TvAlFS1ITKJQu4xc7A8whDd6/RxT8NMKKtGNxZxtfuefULNAsnvUdQpt6tO
-61DM13X1c5IPg121de6qjj+mkKRLAEaPGO8d+c6Zw7MNzZhZYJj+ttaSThJCJWzl
-qA8v4FpMDTnIjs/3S+gAvvNDjFk4hN2Daic+3STJPyScv5OC0u6/EIa/pRp0GcMP
-tGsTtFpfm6QICndQWPMrAz7Dab3VLfuPOvOE0g+n/kGX0IoIoirbKstgPlo=
------END CERTIFICATE-----
diff --git a/certs/munin/mistral.fripost.org.pem b/certs/munin/mistral.fripost.org.pem
deleted file mode 100644
index a08af7a..0000000
--- a/certs/munin/mistral.fripost.org.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFmzCCA4OgAwIBAgIJALWXwKMVhp52MA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc
-MBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMjEwNTRaFw0y
-NTA2MDQyMjEwNTRaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl
-cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9y
-ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOf0+etigx5G6GHtRs4Q
-E3zhuEoMS6SL4hG+s7Y6hszDUDDNWqGylv7WfrmtzsjVhADLFtjzdaDhncDwWEKx
-rLBFm6PSDQLYwjmlDz0EckwkYuXxeRS5RO1jhFK+3h0LpJkXUaLDcmaXq7zWSIht
-ZA86vQlEWarmPhva6mv67SyzAkQRSM3pOjahEKy600MwMvccuiyAVbyKeI/hS1E3
-GUivOMOEUHl/h1O2GiX8QYJuAqaJmebMhfGMA3Orv6nM54Fmo1yQEI6pTckOet4K
-Sy8XZBeNcBfrXM2ImxbQo69eWSGzMINt5I1SNaixCyGo0jIfQK8yK7tV69lz9RSu
-1krsSfv+6wEUHdyi1UpA8eJTdakj9+TLZOss3ClLZOyGIRgRe8vZIibwRlL60Bun
-X2f18sTouBUp+OJ4dyd4HQmD1c1rNV/kSBvLV9YFXjJrwNXmdRh2cG3y3gXN/Prg
-jd28sRLh4tPtv4vOYZPQKjS+dj+rHiFDtN/b1z35Cz1Kw1dwvDz/AQqGoJAwzPUQ
-hvnHIl2sXX+lcSSEBtciUSu6aEDQlZ2UUcVBJUKzUKa1jLlVhYCVBpaQfdgW/f9B
-4XfnzV3jyfnplhqZV6ZVhA4Qf231mcVY1vR1oRKrG5UEi0KZy2oHayAp6DQYXT1L
-QQ0yHoNZCyG4BEbKypl3IOzxAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy
-aXBvc3Qub3JnghNtaXN0cmFsLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBRbW9iAccDKxxaWN8edaSuComhkdTANBgkq
-hkiG9w0BAQ0FAAOCAgEAX16xCNpR6msKvlNzPO4CZGB2+j6V5lj6CaSn5YNHB9fV
-Zi2qhHst16Ccnp4eHDwzgcMqz+GU31YAWK7t/4NykaCeOra3nG2BIEHoA09DjxIy
-qPJRePNaxfUk1H9ZRGqupjhthPT+h83oAhLwnqQ4vEO+J5H9FNt+1w29Znx7gwl6
-sRNQ2xJB0ko7KTrPNAiysWM7b48SOs83L/IOvT2g9/VQI3pPuGyLEIbYCYCKUO/+
-A92cCxFBoKoNZUtMoE3SKpccl1PO9/RtP80fC87rGg7rsaisy6jwUqDiN+00SEoR
-9ns92GB/8WxE5KwTufQcJ9RrmCU15Osk4qkgN1COV25bYnd4hrc8iZb52xkSRzvy
-BmJh3grm9nircacPK3Tw4EnKxXA+/0l5lW8n19fvGteph+JyXeKrMmMcCRKD+wau
-8oUFGTHymeJbHS4PXV1NcG8Rie3YPGu9EUkTJurrbRuVwWC/1s1RxHiMESYOlbPV
-J1J++bB21lva6thFNeJmBvf3rTI4qPfEnv6X2QMm8VUfBlmuTHb5W84qLegkKyqF
-iITAFz5KNntuyIIATeTe9iArtjzJav0irHNU29PTio6ljJLFg3pGPUR6hCEGohMT
-LNeTF6RczyxJhvZQcuzTxBeZRPC3e5lc1x9qdl9tnYqwwOSBCoNk0xIkcRjF2gM=
------END CERTIFICATE-----
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 6ca53be..efab81b 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -47,9 +47,6 @@
- name: Restart stunnel@bacula-fd
service: name=stunnel4@bacula-fd state=restarted
-- name: Restart stunnel@munin-node
- service: name=stunnel4@munin-node state=restarted
-
- name: Restart bacula-fd
service: name=bacula-fd state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 88d44f3..04681bd 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -68,11 +68,6 @@
tags:
- munin-node
- munin
-- include: munin-node-ssl.yml
- when: "'munin-master' not in group_names"
- tags:
- - munin-node
- - munin
- name: Install common packages
apt: pkg={{ item }}
diff --git a/roles/common/tasks/munin-node-ssl.yml b/roles/common/tasks/munin-node-ssl.yml
deleted file mode 100644
index e0b1d8c..0000000
--- a/roles/common/tasks/munin-node-ssl.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for munin-node
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
- --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
- --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@munin-node
- tags:
- - genkey
-
-- name: Fetch Munin X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
- dest=certs/munin/{{ inventory_hostname }}.pem
- tags:
- - genkey
-
-- name: Copy munin-master X.509 certificates
- assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
- dest=/etc/stunnel/certs/munin-master.pem
- owner=root group=root
- mode=0644
- register: r2
- when: "'munin-master' not in group_names"
- notify:
- - Restart stunnel@munin-node
-
-- name: Configure stunnel
- template: src=etc/stunnel/munin-node.conf.j2
- dest=/etc/stunnel/munin-node.conf
- owner=root group=root
- mode=0644
- register: r3
- when: "'munin-master' not in group_names"
- notify:
- - Restart stunnel@munin-node
-
-- name: Enable stunnel@munin-node
- service: name=stunnel4@munin-node enabled=yes
-
-- name: Start stunnel@munin-node
- service: name=stunnel4@munin-node state=started
- when: not (r1.changed or r2.changed or r3.changed)
-
-- meta: flush_handlers
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index e1a931a..d4f8d95 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -77,7 +77,7 @@
notify:
- Restart munin-node
-- name: Delete Munin plugins
+- name: Delete unnecessary Munin plugins
file: path=/etc/munin/plugins/{{ item }}
state=absent
register: r3
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 8450f00..953cea5 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -71,12 +71,6 @@ in tcp 9103 # BACULA-SD
{% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
out tcp 9103 # BACULA-SD
{% endif %}
-{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %}
-out tcp 4949 # MUNIN
-{% endif %}
-{% if groups['munin-master'] | difference([inventory_hostname]) %}
-in tcp 4949 # MUNIN
-{% endif %}
{% if 'LDAP-provider' in group_names %}
out tcp 11371 # HKP
out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index de4098a..d0004b7 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -32,7 +32,7 @@ ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
+# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949
#
host_name {{ inventory_hostname_short }}
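Review bot: The rewritten comment still names port 4949, but the `port` directive in this template is 4994 (visible in the next hunk), and the stunnel listener that accepted on 4949 is deleted by this same commit. An operator following the comment to test the node by hand would connect to a port that, as far as this diff shows, no longer has a listener. Suggest `# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4994`.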
@@ -41,11 +41,12 @@ host_name {{ inventory_hostname_short }}
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
-allow ^127\.0\.0\.1$
-allow ^::1$
+{% for host in groups['munin-master'] %}
+allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$
+{% endfor %}
# Which address to bind to;
-host 127.0.0.1
+host {{ ipsec[inventory_hostname_short] }}
# And which port
port 4994
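Review bot: With the stunnel layer removed, the `allow` regex and the `host` bind address are the only access control left in this file. munin-node now speaks plaintext and recognises the master by source address alone, so confidentiality and peer authentication rest entirely on the IPsec policy covering the `ipsec[...]` addresses, which is not visible in this diff. A comment above the `allow` loop would record that dependency, e.g. `# No TLS here: encryption and peer authentication come from IPsec; these addresses must only be reachable through the tunnel.` The commit also drops the tcp 4949 iptables rules without adding one for 4994 in the visible hunks, so it is worth confirming that the firewall admits 4994 only on the IPsec side. Finally, `allow` passes the address through `| ipv4` while `host` does not; using the same filter on both lines would make a malformed inventory value fail the same way in each place.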
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2
deleted file mode 100644
index 229def0..0000000
--- a/roles/common/templates/etc/stunnel/munin-node.conf.j2
+++ /dev/null
@@ -1,56 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[munin-node]
-client = no
-accept = 4949
-connect = 127.0.0.1:4994
-CAfile = /etc/stunnel/certs/munin-master.pem
-
-; vim:ft=dosini
diff --git a/roles/munin-master/handlers/main.yml b/roles/munin-master/handlers/main.yml
index f65376c..518a875 100644
--- a/roles/munin-master/handlers/main.yml
+++ b/roles/munin-master/handlers/main.yml
@@ -19,6 +19,3 @@
- name: Restart Nginx
service: name=nginx state=restarted
-
-- name: Restart stunnel@munin-master
- service: name=stunnel4@munin-master state=restarted
diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml
index 1580197..64e697e 100644
--- a/roles/munin-master/tasks/main.yml
+++ b/roles/munin-master/tasks/main.yml
@@ -95,35 +95,6 @@
- meta: flush_handlers
-- name: Copy munin-node X.509 certificates
- copy: src=certs/munin/{{ item }}.pem
- dest=/etc/stunnel/certs/munin-{{ hostvars[item].inventory_hostname_short }}.pem
- owner=root group=root
- mode=0644
- with_items: "{{ groups.all | difference([inventory_hostname]) }}"
- register: r1
- notify:
- - Restart stunnel@munin-master
-
-- name: Configure stunnel
- template: src=etc/stunnel/munin-master.conf.j2
- dest=/etc/stunnel/munin-master.conf
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart stunnel@munin-master
-
-- name: Enable stunnel@munin-master
- service: name=stunnel4@munin-master enabled=yes
-
-- name: Start stunnel@munin-master
- service: name=stunnel4@munin-master state=started
- when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
-
-
- name: Install 'munin_stats' and 'munin_update' plugins
file: src=/usr/share/munin/plugins/{{ item }}
dest=/etc/munin/plugins/{{ item }}
diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2
index 8273a83..401094a 100644
--- a/roles/munin-master/templates/etc/munin/munin.conf.j2
+++ b/roles/munin-master/templates/etc/munin/munin.conf.j2
@@ -93,17 +93,9 @@ contact.admin.command mail -s "Munin notification" admin@fripost.org
# the services must be defined in the Nagios server as well.
#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
-local_address 127.0.0.1
-
-{% set n = 0 %}
{% for node in groups.all | sort %}
-{% set n = n + 1 %}
[all;{{ hostvars[node].inventory_hostname_short }}]
-{% if node == inventory_hostname %}
- address 127.0.0.1
-{% else %}
- address 127.0.{{ n }}.1
-{% endif %}
+ address {{ ipsec[ hostvars[node].inventory_hostname_short ] }}
port 4994
{% for g in hostvars[node].group_names | sort %}
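Review bot: Removing `local_address 127.0.0.1` leaves the master's source address to the kernel's route selection, while the node side of this commit admits only the master's `ipsec[...]` address in its `allow` regex. Whether the kernel picks that address as the source for these destinations depends on the IPsec setup, which is not visible here. Pinning it with `local_address {{ ipsec[inventory_hostname_short] }}` would make the match explicit, so a routing change cannot silently turn every poll into a rejected connection. The `address` line also indexes `ipsec[...]` for every host in `groups.all`, so a host without an entry presumably aborts rendering of the whole file; that fails safe, but a short comment saying every inventory host needs an `ipsec` entry would help. The `for node` loop continues past the end of this hunk.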
diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
deleted file mode 100644
index ffc7d0d..0000000
--- a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
+++ /dev/null
@@ -1,65 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-{% set n = 0 %}
-{% for node in groups.all | sort %}
-{% set n = n + 1 %}
-{% if node != inventory_hostname %}
-[{{ hostvars[node].inventory_hostname_short }}]
-accept = 127.0.{{ n }}.1:4994
-connect = {{ node }}:4949
-delay = yes
-CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem
-{% endif %}
-
-{% endfor %}
-
-; vim:ft=dosini