author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 17:00:58 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 17:53:58 +0200 |
commit | 82d27fabc7becba1d1ee7c24b331522f2330cae6 (patch) | |
tree | e2c2ecccedfb5a340144f36605f07669b7d6059b | |
parent | b331c2f99c1217c6f4208159c64ca6a5b0053bc7 (diff) |
Tunnel munin-update traffic through IPSec.
-rw-r--r-- | certs/munin/antilop.fripost.org.pem | 32 | ||||
-rw-r--r-- | certs/munin/benjamin.skangas.se.pem | 32 | ||||
-rw-r--r-- | certs/munin/civett.friprogramvarusyndikatet.se.pem | 33 | ||||
-rw-r--r-- | certs/munin/elefant.fripost.org.pem | 32 | ||||
-rw-r--r-- | certs/munin/giraff.fripost.org.pem | 32 | ||||
-rw-r--r-- | certs/munin/mistral.fripost.org.pem | 32 | ||||
-rw-r--r-- | roles/common/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 5 | ||||
-rw-r--r-- | roles/common/tasks/munin-node-ssl.yml | 57 | ||||
-rw-r--r-- | roles/common/tasks/munin-node.yml | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 6 | ||||
-rw-r--r-- | roles/common/templates/etc/munin/munin-node.conf.j2 | 9 | ||||
-rw-r--r-- | roles/common/templates/etc/stunnel/munin-node.conf.j2 | 56 | ||||
-rw-r--r-- | roles/munin-master/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/munin-master/tasks/main.yml | 29 | ||||
-rw-r--r-- | roles/munin-master/templates/etc/munin/munin.conf.j2 | 10 | ||||
-rw-r--r-- | roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 | 65 |
17 files changed, 7 insertions, 431 deletions
diff --git a/certs/munin/antilop.fripost.org.pem b/certs/munin/antilop.fripost.org.pem deleted file mode 100644 index d523dc4..0000000 --- a/certs/munin/antilop.fripost.org.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFmzCCA4OgAwIBAgIJALo1zxDUUlypMA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc -MBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMTQ4NTlaFw0y -NTA2MDQyMTQ4NTlaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl -cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9y -ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK8ZSjXPp/xqd0LQp3hN -rH2fH3Ya7qDPpGehNB9iLt00Ctln6rQG9XBUMtDHApVbWjXSDLEzrmvsKr9HWKNy -vieMcASJmtDiteyorGofyTN72/9AgRzn1Qnd1tOejWPGcuyk+pyhL8XX5CzZz7bB -mFPMWlKlGNGbSC2zrwGJjXiql74u5dMhaI6UeGDh+zDHiu1n6VOtHBGC49noQQYI -Opnsiy6DqKytRbxVIr+QPgP0GnJyq1c6HD90O0ygGkc0Mk/Lve/tqhg9x4SNszsj -FOXfwUln3WWu669dOD1bMoOQDMOIsG7gfksWUkXaD5GeGtGtjJ+yAtX31XYqnYzD -EeSZPfiB9lofPziHsjkQGCfhyXBrgadUMpmEjCQCLe6OcMVTASwYt3DAADhyOGhP -CIEKoa6fe2fSppiApqwF5qJraP0QoNIcyjRumHgZCOZb1SO1Co7SoywW91QbGn5S -pafEjzWBm0x7Tcwb3Ez5yS7a9n31m0sCSkgu02a4gNzttilss53J+Ey6sQR2I36m -022YlNbP6VoBjsUoHJ5bBh8BnkHkrPqm6L1t3flS307Op15DGigfgz8aLcKM+kU7 -2/NFnhF+9uXS6RI8NT8Fx/SndMSHFkXiq/3icp+q+8tGKBpC9yhM2rZELqf00KI3 -1ZL1q+XJq0yUgr+0zBxpswmBAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy -aXBvc3Qub3JnghNhbnRpbG9wLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBS+XRcfpHDEicAMDsev525N7Ny7JTANBgkq -hkiG9w0BAQ0FAAOCAgEAO2rPII3Y+yBOOT3NR5SNLlyoVFmuTBwrfustlyytCgkY -tB9RTgi3JJLIN40YoHsCXzVQTLn7kwSEx/NMCCZekJo4mzBQfM9CmhEO8mAPQXnp -pyEQVc6PcUu3Wd6S5VDy6HpPPA+HWc0pVFEgVQoyR8Hk/U5dPNfRzUGLdJZJNUxf -SAbQg8pdeQApVHAsBexY7E8YvVcHoBvkVa9lmI9JwbCWwTzWh+KapgzgnYJAt9lK -GUAdAdvrFV0/YN2kcDKeCjqzcNi4U3MU7zh1CnSkoeLPYXfXPTNcsXKwsHx8OPqf -CAasB2104NAVygk6Syd1Sejwxs0q8JKxu62yCplorW1r1W1F2HyrkkivdF1/ueLS -aU2oIBmBaPFZPtyjE+bmjrM8RQhEkd7gD7wj2X2mi69dUWVfElNHGoPoQPvNqj5o -iDfRfX2gyGSpeqNdHk0E+vjCmaH7WiWyk0VbLdyHwrGb1vMrg7/qg3OXBTCaTJaa -9RG3uJ64wB9cVTuaDNZOLSpsDlfbCzXfPT3LyI3JMuqaFaBVwJ1DhJ6HFpPjB6wT -F32MyabrN7+4Un/KB69wbJpjLweBZk19UbKZ70erzMECpTfx7CekaFCraQ61yo5L 
-FXNvp+Hnf8oWb1mp/j4HbxC/RrxTk+FFFXN/WOb9CZuf6z2NjzoLfguKONO7YFE= ------END CERTIFICATE----- diff --git a/certs/munin/benjamin.skangas.se.pem b/certs/munin/benjamin.skangas.se.pem deleted file mode 100644 index c8187b4..0000000 --- a/certs/munin/benjamin.skangas.se.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFmzCCA4OgAwIBAgIJAOEeSKT/8HACMA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc -MBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDcyMTI5MDBaFw0y -NTA2MDQyMTI5MDBaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl -cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5z -ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEylnjWaCkttJmUbO+j -AirK17RcdSLo+AADCEfgfjjS7LgXI7LwWC7y8TB1N+mktOJQp2S8wQdJJovb08KX -NTgIpBGqzn3eTKy2Tp27o/D4cWmdadb99rWbSJOZ5eXUcUtg25OpgZCXCEqOwpBC -zH2wrzi5xmX10d4DfUsl6QV5vgCSWsoPTr/m6s01aARmZRfFq8OjR1R+E1NpTp0K -O9v0dMrDtWsMwOoCXiHgcUYfZPTSwJvqoCWOSYFl6Hj25Ef2SNzVQWtoDliMfndN -a+aLW7DAs2Y5jrC0V8+ar5AqBtFm1L10wLZeL6AXgmLYooH9VmHprqQXQqWsb8tc -BVGCSdIemrNEtC1KVAljM3EwlnDm3ALEl1DbOlnvh2arM7uvWPQNEsEy/k3uvlI3 -4Q8c8jn7CO5ceTe/TgJA5ANJZ5SRz6cUqKX4aF79H/7Xbd2iDtTsEFNMABz23Fn8 -rW7DLdEyRbUV0upbleLXUB3gEaNm7gAeSKjOdv40snz1glCgMlw8zxcp+33aNxos -cKkMauWs1WqPH9egEHj3AiPrLnMHHm0VFfWjEmdeAacNGZ3o66wOchmWuWh1R1ef -Ab2LdCBlkKSRlZK+wu+/ZnJvadYM3oXKbYCsRYqcEgWiO52nJ/GRDV3xPbNnTu7J -tRQLIASfRI7shTNofrAkXGELAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy -aXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQGvGSnh/caV1KzV8LlnmlXlOiaCzANBgkq -hkiG9w0BAQ0FAAOCAgEABRcJzubuY1dh8YBfnkMbRK7Pao3jlb0+mLOJEdeWddu2 -KrrCUMMtRHeoNXeTCXwWkhXr6P8wkLuIlqt7U+f1nzyFVj1yyDye88GZopl/lAMr -j380VEd/XE4xcWYq/9krKoEUdGEwduy3cDwsUwy4KZ287YutObVZkXszCuPGD7d3 -tbRQkJnHL2VvwBOrYrimzMx4L9dl6Vz/BR+sn+aIbx3PeO/R14/7DCFdnbmXzHjH -mO57lrN5BrGZWqYiEonj77d7UBQuDmUlX7VOHrfcBh+2PUCtuPB+s2DOwPKyepo2 -UehZBSGEkhx6wT2NBrR1aEm3mfDmPzUBoK8VJpQsVUWWCD889zn/6tCoTGwoQ+n5 -gBGxk2DRXikYc4UMLJr7nDudzQI+/T0+ehrYno77EynRqNzaAY54gDiLEG07OAq2 -DWnM/Hf4QNG/ggLORJfCHcgpckaOs9HKxs23vGfrwCVTrIYmQ+IEZxicFkiemRfz -zIGeITvFCv06ri0kYSI3v6mT7LJzidngd7otFIlxJPUU2j0UqMNOZ/WAhf3HXAGK -uJw3a/amnxWJY30ZZ/zQmLa3CWC5oYZzypwlrrCZm0ccVNO8KZ1YVrjZ/AfSO9US 
-hROIcXPzX9fr7IdBgQ44j7WQ7rm+k9JHsJs/C5gwnM5iYPJTz76Lm6yhBVlBkyQ= ------END CERTIFICATE----- diff --git a/certs/munin/civett.friprogramvarusyndikatet.se.pem b/certs/munin/civett.friprogramvarusyndikatet.se.pem deleted file mode 100644 index c19e431..0000000 --- a/certs/munin/civett.friprogramvarusyndikatet.se.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFyTCCA7GgAwIBAgIJAMiyPdV6HtyYMA0GCSqGSIb3DQEBDQUAMGIxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEr -MCkGA1UEAwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAeFw0x -NTA2MDcyMjAxNDhaFw0yNTA2MDQyMjAxNDhaMGIxEDAOBgNVBAoMB0ZyaXBvc3Qx -ETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjErMCkGA1UEAwwiY2l2 -ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTCCAiIwDQYJKoZIhvcNAQEB -BQADggIPADCCAgoCggIBALCTTQEtoLENRnxuHzoRLqu7YQQZUvmPrHfOvSpkl1Lc -mbmuHmnLcecTClT8Usyt/bUhkejnAU+QJYhPToaglwbsj12Qi15kl+WfiDv1GC09 -A/XsTbMvpNbHb23jc7YHrLKviHLbgOOzjpUKNjIR/IvMpjc3y2MB12RQ/YvjOqt1 -7RyL5rYR5c0FGTjEGkBd0diGZdTsbid6+0+NWqpQIDbvc1Cfmt8ppsGAY9jvxavq -pzkOYaTr76nZM0L6hxYsEz7tcNGL2Ep9y01tReBBwfY1/Y67Vzo7l9sAz0Vo4Ar5 -iF9uRKyncG421Afq6IFUbOJYUHIWRYX7nfglQ5kWoXwjpIOBwDW8ObFBGJKHx0jW -Br7rQ0G8UjyK9wg8CR+E26+hC4dhB5sUwwvv+1U/hXcC4DreAoTquOnATIY1e6cf -d9optFmix5g3MV5d6I24zZrNGHeXRKHuwwt7vq+sxlWPYrSLogx3wm3VpullPvX4 -8Btpq1S++DUSpRiEZZAf7AmMaVQ5j4Obs2BCItT1IQBv71rPE3d76CezPsa/qWiL -33VOkVXPZVSCP5heqrb1C5sXU6IHC0S6jdBWK/Qy7jS3cGmohoCY/980ymytQ23e -J5wdzdebkAXKaxRBROZ8LCTQZRL9jlao/IWPMvDZMrsCfE9EtmHYb/oLxgRAGl5P -AgMBAAGjgYEwfzBABgNVHREEOTA3gRFhZG1pbkBmcmlwb3N0Lm9yZ4IiY2l2ZXR0 -LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAMBgNVHRMBAf8EAjAAMA4GA1Ud -DwEB/wQEAwICpDAdBgNVHQ4EFgQUVCK81aQ1dTq4CxwtM7ytG0WiUTYwDQYJKoZI -hvcNAQENBQADggIBAK58LrTia7MisnwJWEvaH7gSO4M4BEu6fA+gBXUqkej6QWPe -iENebekWTwdnA9yjxdOzgIdjzACFDeASHpyey4mvc91cwxNf5ivoCXG3ZuyTgMBL -mzWnDbGxxybGUDU865eVWKpaoL0orDw3BldxZQfJ8HORAWXno7UKMwdPfhE8eQB4 -2SBYNKpmJDQZ5GiIgrDLrr0DwzsPnF5HEujAN1R8muD9yel1tVKGXA3qhg3NLhjB -YGM12876KTn8qEm5bGBxYFJZrUnM+C7/feeyPHS48XmjopBmolcwzAzSgOPq4kiO -keE5sdcOEocJQNO0Oh8dEXbjM9zIyf+xFBH8ov57g2Hr8XyavkRplGR/DNn2h6d/ -ZqszTYToM54zcWBSlg42SVBqMiJTkYSDLT4h8k649jLlmFzB/7DlEQMQrk4ayOKF -y32A6+LGczcBxHB8Lc8fRiMzytcK5NncFbhJYgcdn88uZApUpWKFT5e6ZcIwyfKS -cZNj6EKY3HcPDPt5yXNMH1fP/SkUeAfLq9JsEzGjGboxQmuG55ryeyP0i6ZZr4uA 
-rEK+kT3i5CekZBgbRDNX0OZwU9JGlYKBR2UhH1uGTeqK/7Kn1pToUJbOCBWhT38A -KNPGRDQlAIHBvtEBejrBNBgSVPkYhbegXRnP6xMrjSW3S+Z5SRUxUhizbBTc ------END CERTIFICATE----- diff --git a/certs/munin/elefant.fripost.org.pem b/certs/munin/elefant.fripost.org.pem deleted file mode 100644 index 52f00a6..0000000 --- a/certs/munin/elefant.fripost.org.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFmzCCA4OgAwIBAgIJAM/f4YZpd7G6MA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc -MBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMjA1MjJaFw0y -NTA2MDQyMjA1MjJaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl -cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9y -ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMEbZntqTM32vQHJO182 -5UWfLRBBiOD/WySkSHd0Ugfxrvl2ZBw4cXv3gA6THYUwzKJ/wBR0huDcqVj7Ufz5 -18m7Kf4QCyjDlnOJ47lgizGhwk+GRxgz6xSnTJWt2cP7I57ec/x4YPjxEZL09O9N -QBZ9alFQBeLYWR2OhhzhV+u45AIDeH4ZPUretGVGocv4H7qTW/NGlGJxolAA+lqk -3Eg6HAziaNESOVXtmQLuRvd8bkyfksSIUXK0uTPgHRPIjDgUAGHrHmKADLivnew2 -yOt3PW6weNphQaixmMF5no3hjS7wqWD/+PVnmKmRhbp6Icek3+iMtaSDopYD060Z -cL3vxm+Im2chaa8dYZ2qDt4ij0tTeRF9zEhYvnvuJA4tdP7VLJjQDb0N51SKG27i -gwCQNQs9LwFyvyNckc7K4f5ztnffO+FwNlGJFzwVzmQ++oUL7DjlsxsmNlKZiHQ6 -/QE1j3VBZlh7XYCcHxxFJEB4Tq0Y+Jyrto8G73iHa+rJUnDuA6prqzqdPIGjHL7p -onx+0SdbD37TqT/dvsMAbWnmivuQY4Y3jVZrZ1bTuOpUBU7K42ThBcioTT63sp+3 -+d+gmxT57wPJyQDt94KecWcKt88qgZ93pKJZfO8SYkUR17cIdOqsu845G0QA973U -rk0T8z3JLV6oJvlfpfI61NRrAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy -aXBvc3Qub3JnghNlbGVmYW50LmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBTpY3697NTeGIyhSSvGXMrZK3pxLjANBgkq -hkiG9w0BAQ0FAAOCAgEAK0FFduIr7GSD8j2NIwiCdQkIoPcgsq2ok+Ge50QwZXyY -mMRqSygblXhxPt8lQKYkBYPYcp//VoGkGgyl7ALvA4SJIU1zk6PK7vsa7TRe7nCU -oVCJHCqXSM0t+WH9Huai23T3uE9oTNQSHQSRbnIoTwiEjexXAtizKs0+ZSkQTUrV -ZntsPgwZVM67cOkxvbbgtDtMRr40tFqWUWT6QIlu5bVLnCDwxX3jRFv6r+efCfTe -fwZjJGPdXzRAUNNDG6gZCxpAGpRjYmNNwCAQVZmJ8NJnVPyH+GYE4Urb6Ce3q939 -pZZrlFHIplhqiEAL7AE2GBZdI3UoklMgG5P3PGkTLcerY5fSAfG3DcGNtWn7bZdM -AuGdmf8lVpr/InFP/Ke8sUxc5sBDl9vwndEX57EW8QALyL+S5XMZKlWtJAY3v1+6 -vGuvAwuUsTn2QZyfhP5MK2URNP1FAxIBqEWkG4UVp1RupRBKThwAUeTAGyExMbBD -2EDDgOZonrl8nbLsc4mXH7CFIakzm0dEnwaQVpNtzFSNMQ+uxQF07rlgwaOrDUu1 -qk3PZDMqDio00f12GpJbmxMUTXjKzVWx62fE+YJ+vc34kLzBluerQn96yT1+BvT0 
-Zq/c1/esKLDaWDHKVmS0mgrRRTi2k08Hh7Cove6CcSlqiH0ljFe2goDhaJsXQYc= ------END CERTIFICATE----- diff --git a/certs/munin/giraff.fripost.org.pem b/certs/munin/giraff.fripost.org.pem deleted file mode 100644 index c1aab21..0000000 --- a/certs/munin/giraff.fripost.org.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFmDCCA4CgAwIBAgIJANQpG6iifrkuMA0GCSqGSIb3DQEBDQUAMFIxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEb -MBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qub3JnMB4XDTE1MDYwNzIyMDgzNFoXDTI1 -MDYwNDIyMDgzNFowUjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2Vy -dHMxDjAMBgNVBAsMBU11bmluMRswGQYDVQQDDBJnaXJhZmYuZnJpcG9zdC5vcmcw -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgu7/OtgeU7nQzt2qeFyGL -46S9nR/jGCeLysL1ZbGFfOjr19D1bxjl+gLCLaIa77oY+1Ke8JoJQCe1DKTZxY0Z -XLoOrOYQQLDN2dZJQ9NEtrR/qwGtxb13eAWra+aA/S1MXpOnB4aDTNCPwl5IA6BG -1iuhgn/NgNjVaZjtlkCoRvwCC515UT1Us/1q2fk8jvVBQheZ5uwFr7M6RUTN+vFw -MuQrqeDDGpJcyXQsXuWqjfYdcpR+GU53qsRY1zBfpCvsooxJU7HjzfGMV4dZoZg2 -N3gPVJ7u8u3rIGKaRQbKM5o8YWqECiTOxlEYpalUq8mNgBRAwo84Y5vnDnoTNdQF -gY2dAOmbEsu2ywZ/DDt9yuGxtUOQyqG7PtzvAlbPf2/5m79KfzgYVK1rTfVxQRI+ -dbVbqaIYpAEWO5FeOOXyGcbX3xTkqUwskUsgWiR5RRifEuN76HUsKifwk6goRyhR -gANO10aEX9484jt2HXPahrcyQ4LvSOV9TVRA6N27A1kGoX/zp6X0mGU/4B2Fo5KO -lhcfOHP9tU+S9MSxTU90vGusrH/63tz4Q4LKK0QNtr8TdnhH4Q1x1a3UPyRcTauu -+DDQNQWbhWn18I1nSHbBRB8VUu6SOmHDVjITcddh85CzR3ugHHO91ykCgO1k1g3h -68j5QT7jL09FSOZblxSRawIDAQABo3EwbzAwBgNVHREEKTAngRFhZG1pbkBmcmlw -b3N0Lm9yZ4ISZ2lyYWZmLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYDVR0P -AQH/BAQDAgKkMB0GA1UdDgQWBBT0vMjrt5EL+bQp3Wbp52qCVvsoJTANBgkqhkiG -9w0BAQ0FAAOCAgEAMe6BM9wjqgY3KPuOacoEJZCA41+4QiU42DuYKhwYJAvLD2rs -AutbZbR6rbBf6+3WqMIkCH09CBiD0TOnpm83VlPorg0ZBandxQdtdc+2Wt5RPA3E -sgWsKoTXqbuwcyWub324Z3IhcEzjRnX+kL+d+a8m9jqVzWZhyZGJwbbX2UGGEA+e -fRAg8fTc21jLqmj2Ea6L35IPFcH5ZPMLnwuqZQWAlIOU/aiyCz+skCti3L25Y02L -yCFqiZ6PpG0hVAsBfQ210Vws1Sb1VqLaUBTXCL1WzfwcLbKCZhZ1o08wmOn3VGN5 -GTqKI8qhg1qmvqGnaECy55cb0oXhzYXcin6gO672MPSDOtnEbRg9tyPxcPVaU8QF -qcVXCZjyuyLDr5BrSd4FC5abP4NXWNqheX2jIU0kuypNniOe8rJLNT/S88PnQHRW -Bnyl+TvAlFS1ITKJQu4xc7A8whDd6/RxT8NMKKtGNxZxtfuefULNAsnvUdQpt6tO -61DM13X1c5IPg121de6qjj+mkKRLAEaPGO8d+c6Zw7MNzZhZYJj+ttaSThJCJWzl -qA8v4FpMDTnIjs/3S+gAvvNDjFk4hN2Daic+3STJPyScv5OC0u6/EIa/pRp0GcMP 
-tGsTtFpfm6QICndQWPMrAz7Dab3VLfuPOvOE0g+n/kGX0IoIoirbKstgPlo= ------END CERTIFICATE----- diff --git a/certs/munin/mistral.fripost.org.pem b/certs/munin/mistral.fripost.org.pem deleted file mode 100644 index a08af7a..0000000 --- a/certs/munin/mistral.fripost.org.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFmzCCA4OgAwIBAgIJALWXwKMVhp52MA0GCSqGSIb3DQEBDQUAMFMxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVNdW5pbjEc -MBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDcyMjEwNTRaFw0y -NTA2MDQyMjEwNTRaMFMxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNl -cnRzMQ4wDAYDVQQLDAVNdW5pbjEcMBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9y -ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOf0+etigx5G6GHtRs4Q -E3zhuEoMS6SL4hG+s7Y6hszDUDDNWqGylv7WfrmtzsjVhADLFtjzdaDhncDwWEKx -rLBFm6PSDQLYwjmlDz0EckwkYuXxeRS5RO1jhFK+3h0LpJkXUaLDcmaXq7zWSIht -ZA86vQlEWarmPhva6mv67SyzAkQRSM3pOjahEKy600MwMvccuiyAVbyKeI/hS1E3 -GUivOMOEUHl/h1O2GiX8QYJuAqaJmebMhfGMA3Orv6nM54Fmo1yQEI6pTckOet4K -Sy8XZBeNcBfrXM2ImxbQo69eWSGzMINt5I1SNaixCyGo0jIfQK8yK7tV69lz9RSu -1krsSfv+6wEUHdyi1UpA8eJTdakj9+TLZOss3ClLZOyGIRgRe8vZIibwRlL60Bun -X2f18sTouBUp+OJ4dyd4HQmD1c1rNV/kSBvLV9YFXjJrwNXmdRh2cG3y3gXN/Prg -jd28sRLh4tPtv4vOYZPQKjS+dj+rHiFDtN/b1z35Cz1Kw1dwvDz/AQqGoJAwzPUQ -hvnHIl2sXX+lcSSEBtciUSu6aEDQlZ2UUcVBJUKzUKa1jLlVhYCVBpaQfdgW/f9B -4XfnzV3jyfnplhqZV6ZVhA4Qf231mcVY1vR1oRKrG5UEi0KZy2oHayAp6DQYXT1L -QQ0yHoNZCyG4BEbKypl3IOzxAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFkbWluQGZy -aXBvc3Qub3JnghNtaXN0cmFsLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgKkMB0GA1UdDgQWBBRbW9iAccDKxxaWN8edaSuComhkdTANBgkq -hkiG9w0BAQ0FAAOCAgEAX16xCNpR6msKvlNzPO4CZGB2+j6V5lj6CaSn5YNHB9fV -Zi2qhHst16Ccnp4eHDwzgcMqz+GU31YAWK7t/4NykaCeOra3nG2BIEHoA09DjxIy -qPJRePNaxfUk1H9ZRGqupjhthPT+h83oAhLwnqQ4vEO+J5H9FNt+1w29Znx7gwl6 -sRNQ2xJB0ko7KTrPNAiysWM7b48SOs83L/IOvT2g9/VQI3pPuGyLEIbYCYCKUO/+ -A92cCxFBoKoNZUtMoE3SKpccl1PO9/RtP80fC87rGg7rsaisy6jwUqDiN+00SEoR -9ns92GB/8WxE5KwTufQcJ9RrmCU15Osk4qkgN1COV25bYnd4hrc8iZb52xkSRzvy -BmJh3grm9nircacPK3Tw4EnKxXA+/0l5lW8n19fvGteph+JyXeKrMmMcCRKD+wau -8oUFGTHymeJbHS4PXV1NcG8Rie3YPGu9EUkTJurrbRuVwWC/1s1RxHiMESYOlbPV -J1J++bB21lva6thFNeJmBvf3rTI4qPfEnv6X2QMm8VUfBlmuTHb5W84qLegkKyqF -iITAFz5KNntuyIIATeTe9iArtjzJav0irHNU29PTio6ljJLFg3pGPUR6hCEGohMT 
-LNeTF6RczyxJhvZQcuzTxBeZRPC3e5lc1x9qdl9tnYqwwOSBCoNk0xIkcRjF2gM= ------END CERTIFICATE----- diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 6ca53be..efab81b 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -47,9 +47,6 @@ - name: Restart stunnel@bacula-fd service: name=stunnel4@bacula-fd state=restarted -- name: Restart stunnel@munin-node - service: name=stunnel4@munin-node state=restarted - - name: Restart bacula-fd service: name=bacula-fd state=restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 88d44f3..04681bd 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -68,11 +68,6 @@ tags: - munin-node - munin -- include: munin-node-ssl.yml - when: "'munin-master' not in group_names" - tags: - - munin-node - - munin - name: Install common packages apt: pkg={{ item }} diff --git a/roles/common/tasks/munin-node-ssl.yml b/roles/common/tasks/munin-node-ssl.yml deleted file mode 100644 index e0b1d8c..0000000 --- a/roles/common/tasks/munin-node-ssl.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -- name: Create /etc/stunnel/certs - file: path=/etc/stunnel/certs - state=directory - owner=root group=root - mode=0755 - -- name: Generate a private key and a X.509 certificate for munin-node - command: genkeypair.sh x509 - --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem - --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key - --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart stunnel@munin-node - tags: - - genkey - -- name: Fetch Munin X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem - dest=certs/munin/{{ inventory_hostname }}.pem - tags: - - genkey - -- name: Copy munin-master X.509 certificates - assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no - dest=/etc/stunnel/certs/munin-master.pem - owner=root group=root - mode=0644 - register: r2 - when: "'munin-master' not in group_names" - notify: - - Restart stunnel@munin-node - -- name: Configure stunnel - template: src=etc/stunnel/munin-node.conf.j2 - dest=/etc/stunnel/munin-node.conf - owner=root group=root - mode=0644 - register: r3 - when: "'munin-master' not in group_names" - notify: - - Restart stunnel@munin-node - -- name: Enable stunnel@munin-node - service: name=stunnel4@munin-node enabled=yes - -- name: Start stunnel@munin-node - service: name=stunnel4@munin-node state=started - when: not (r1.changed or r2.changed or r3.changed) - -- meta: flush_handlers diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml index e1a931a..d4f8d95 100644 --- a/roles/common/tasks/munin-node.yml +++ b/roles/common/tasks/munin-node.yml 
@@ -77,7 +77,7 @@ notify: - Restart munin-node -- name: Delete Munin plugins +- name: Delete unnecessary Munin plugins file: path=/etc/munin/plugins/{{ item }} state=absent register: r3 diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 8450f00..953cea5 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -71,12 +71,6 @@ in tcp 9103 # BACULA-SD {% elif groups['bacula-sd'] | difference([inventory_hostname]) %} out tcp 9103 # BACULA-SD {% endif %} -{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %} -out tcp 4949 # MUNIN -{% endif %} -{% if groups['munin-master'] | difference([inventory_hostname]) %} -in tcp 4949 # MUNIN -{% endif %} {% if 'LDAP-provider' in group_names %} out tcp 11371 # HKP out tcp 43 # WHOIS diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2 index de4098a..d0004b7 100644 --- a/roles/common/templates/etc/munin/munin-node.conf.j2 +++ b/roles/common/templates/etc/munin/munin-node.conf.j2 @@ -32,7 +32,7 @@ ignore_file \.rpm(save|new)$ ignore_file \.pod$ # Set this if the client doesn't report the correct hostname when -# telnetting to localhost, port 4949 +# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949 # host_name {{ inventory_hostname_short }} @@ -41,11 +41,12 @@ host_name {{ inventory_hostname_short }} # network notation unless the perl module Net::CIDR is installed. You # may repeat the allow line as many times as you'd like -allow ^127\.0\.0\.1$ -allow ^::1$ +{% for host in groups['munin-master'] %} +allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$ +{% endfor %} # Which address to bind to; -host 127.0.0.1 +host {{ ipsec[inventory_hostname_short] }} # And which port port 4994 
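Review bot: The new `allow` loop in munin-node.conf.j2 makes the source IP the only access control left on the munin-node listener, and in the same commit services.j2 loses its `in tcp 4949` / `out tcp 4949` entries without gaining a 4994 counterpart, so both reachability and authentication of the listener now rest entirely on the IPsec policy, which is not visible here. An IP-based `allow` is only as strong as the guarantee that packets to `{{ ipsec[inventory_hostname_short] }}` can arrive only inside ESP; if the SPD for that address pair is not mandatory, a host that can reach the address in the clear could spoof a master's source address. I would add a comment above the loop, e.g. `# Masters are matched by IPsec address only: the kernel SPD (or an iptables -m policy --pol ipsec rule) must ensure this address is reachable solely through the tunnel`, and confirm that the firewall template admits TCP 4994 for policy-matched traffic, since it no longer lists any Munin port. Note also that the `ipv4` filter guards against non-IPv4 values but passes a prefix length through unchanged, so the regex would reject every master if the `ipsec` values ever carried CIDR notation — presumably they are bare addresses, as the raw `host` line below assumes.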
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2 deleted file mode 100644 index 229def0..0000000 --- a/roles/common/templates/etc/stunnel/munin-node.conf.j2 +++ /dev/null @@ -1,56 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem -key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -options = SINGLE_ECDH_USE -options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[munin-node] -client = no -accept = 4949 -connect = 127.0.0.1:4994 -CAfile = /etc/stunnel/certs/munin-master.pem - -; vim:ft=dosini 
diff --git a/roles/munin-master/handlers/main.yml b/roles/munin-master/handlers/main.yml index f65376c..518a875 100644 --- a/roles/munin-master/handlers/main.yml +++ b/roles/munin-master/handlers/main.yml @@ -19,6 +19,3 @@ - name: Restart Nginx service: name=nginx state=restarted - -- name: Restart stunnel@munin-master - service: name=stunnel4@munin-master state=restarted diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml index 1580197..64e697e 100644 --- a/roles/munin-master/tasks/main.yml +++ b/roles/munin-master/tasks/main.yml @@ -95,35 +95,6 @@ - meta: flush_handlers -- name: Copy munin-node X.509 certificates - copy: src=certs/munin/{{ item }}.pem - dest=/etc/stunnel/certs/munin-{{ hostvars[item].inventory_hostname_short }}.pem - owner=root group=root - mode=0644 - with_items: "{{ groups.all | difference([inventory_hostname]) }}" - register: r1 - notify: - - Restart stunnel@munin-master - -- name: Configure stunnel - template: src=etc/stunnel/munin-master.conf.j2 - dest=/etc/stunnel/munin-master.conf - owner=root group=root - mode=0644 - register: r2 - notify: - - Restart stunnel@munin-master - -- name: Enable stunnel@munin-master - service: name=stunnel4@munin-master enabled=yes - -- name: Start stunnel@munin-master - service: name=stunnel4@munin-master state=started - when: not (r1.changed or r2.changed) - -- meta: flush_handlers - - - name: Install 'munin_stats' and 'munin_update' plugins file: src=/usr/share/munin/plugins/{{ item }} dest=/etc/munin/plugins/{{ item }} diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2 index 8273a83..401094a 100644 --- a/roles/munin-master/templates/etc/munin/munin.conf.j2 +++ b/roles/munin-master/templates/etc/munin/munin.conf.j2 
@@ -93,17 +93,9 @@ contact.admin.command mail -s "Munin notification" admin@fripost.org # the services must be defined in the Nagios server as well. #contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf -local_address 127.0.0.1 - -{% set n = 0 %} {% for node in groups.all | sort %} -{% set n = n + 1 %} [all;{{ hostvars[node].inventory_hostname_short }}] -{% if node == inventory_hostname %} - address 127.0.0.1 -{% else %} - address 127.0.{{ n }}.1 -{% endif %} + address {{ ipsec[ hostvars[node].inventory_hostname_short ] }} port 4994 {% for g in hostvars[node].group_names | sort %} diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 deleted file mode 100644 index ffc7d0d..0000000 --- a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 +++ /dev/null 
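Review bot: Removing `local_address 127.0.0.1` without a replacement leaves munin-update's source address to the kernel's route selection, yet the node side in this same commit only `allow`s the masters' IPsec addresses, so a connection sourced from the master's ordinary address would be refused by munin-node — or, depending on the SPD selectors, might not enter the tunnel at all. Pinning the source to the master's own tunnel address keeps the policy match and the node ACL consistent: `local_address {{ ipsec[inventory_hostname_short] }}`. Whether the default route already selects that address cannot be seen from this diff, so treat this as making the intended behaviour explicit rather than as a confirmed break. A one-line comment above it, `# Source from the IPsec address: nodes allow only that address and the SPD matches on it`, would save the next maintainer from re-deriving the dependency.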
@@ -1,65 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem -key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key -client = yes -socket = a:SO_BINDTODEVICE=lo - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -options = SINGLE_ECDH_USE -options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -{% set n = 0 %} -{% for node in groups.all | sort %} -{% set n = n + 1 %} -{% if node != inventory_hostname %} -[{{ hostvars[node].inventory_hostname_short }}] -accept = 127.0.{{ n }}.1:4994 -connect = {{ node }}:4949 -delay = yes -CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem -{% endif %} - -{% endfor %} - -; 
vim:ft=dosini |