Tunnel munin-update traffic through IPSec.

11 files changed, 7 insertions, 238 deletions

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 6ca53be..efab81b 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -30,31 +30,28 @@
   # /etc/init.d/networking doesn't answer the status command; but since
   # it should be "up" whenever ansible has access to the machine, we use
   # pattern=init as a dummy assumption.
   service: name=networking pattern=init state=reloaded
 
 - name: Restart rsyslog
   service: name=rsyslog state=restarted
 
 - name: Restart ntp
   service: name=ntp state=restarted
 
 - name: Restart Postfix
   service: name=postfix state=restarted
 
 - name: Reload Postfix
   service: name=postfix state=reloaded
 
 - name: Restart stunnel@bacula-fd
   service: name=stunnel4@bacula-fd state=restarted
 
-- name: Restart stunnel@munin-node
-  service: name=stunnel4@munin-node state=restarted
-
 - name: Restart bacula-fd
   service: name=bacula-fd state=restarted
 
 - name: Restart munin-node
   service: name=munin-node state=restarted
 
 - name: Restart freshclam
   service: name=clamav-freshclam state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 88d44f3..04681bd 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -51,38 +51,33 @@
   tags:
     - strongswan
     - ipsec
   when: "groups.all | length > 1"
 - include: logging.yml
   tags: logging
 - include: ntp.yml
   tags: ntp
 - include: mail.yml
   tags:
     - mail
     - postfix
 - include: bacula.yml
   tags:
     - bacula-fd
     - bacula
 - include: munin-node.yml
   tags:
     - munin-node
     - munin
-- include: munin-node-ssl.yml
-  when: "'munin-master' not in group_names"
-  tags:
-    - munin-node
-    - munin
 
 - name: Install common packages
   apt: pkg={{ item }}
   with_items:
     - ca-certificates
     - etckeeper
     - ethtool
     - git
     - htop
     - molly-guard
     - rsync
     - screen
     - telnet-ssl
diff --git a/roles/common/tasks/munin-node-ssl.yml b/roles/common/tasks/munin-node-ssl.yml
deleted file mode 100644
index e0b1d8c..0000000
--- a/roles/common/tasks/munin-node-ssl.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-- name: Create /etc/stunnel/certs
-  file: path=/etc/stunnel/certs
-        state=directory
-        owner=root group=root
-        mode=0755
-
-- name: Generate a private key and a X.509 certificate for munin-node
-  command: genkeypair.sh x509
-                         --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-                         --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-                         --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart stunnel@munin-node
-  tags:
-    - genkey
-
-- name: Fetch Munin X.509 certificate
-  # Ensure we don't fetch private data
-  become: False
-  fetch_cmd: cmd="openssl x509"
-             stdin=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-             dest=certs/munin/{{ inventory_hostname }}.pem
-  tags:
-    - genkey
-
-- name: Copy munin-master X.509 certificates
-  assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
-            dest=/etc/stunnel/certs/munin-master.pem
-            owner=root group=root
-            mode=0644
-  register: r2
-  when: "'munin-master' not in group_names"
-  notify:
-    - Restart stunnel@munin-node
-
-- name: Configure stunnel
-  template: src=etc/stunnel/munin-node.conf.j2
-            dest=/etc/stunnel/munin-node.conf
-            owner=root group=root
-            mode=0644
-  register: r3
-  when: "'munin-master' not in group_names"
-  notify:
-    - Restart stunnel@munin-node
-
-- name: Enable stunnel@munin-node
-  service: name=stunnel4@munin-node enabled=yes
-
-- name: Start stunnel@munin-node
-  service: name=stunnel4@munin-node state=started
-  when: not (r1.changed or r2.changed or r3.changed)
-
-- meta: flush_handlers
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index e1a931a..d4f8d95 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -60,41 +60,41 @@
     - irqstats
     - load
     - memory
     - netstat
     - ntp_kernel_err
     - ntp_kernel_pll_freq
     - ntp_kernel_pll_off
     - ntp_offset
     - open_files
     - open_inodes
     - processes
     - proc_pri
     - swap
     - threads
     - uptime
     - users
     - vmstat
   notify:
     - Restart munin-node
 
-- name: Delete Munin plugins
+- name: Delete unnecessary Munin plugins
   file: path=/etc/munin/plugins/{{ item }}
         state=absent
   register: r3
   with_items:
     - http_loadtime
     - ip_255.255.255.255
     - postfix_mailqueue
     - postfix_mailvolume
   notify:
     - Restart munin-node
 
 - name: Install 'if_' Munin wildcard plugin
   file: src=/usr/share/munin/plugins/{{ item.0 }}_
         dest=/etc/munin/plugins/{{ item.0 }}_{{ item.1 }}
         owner=root group=root
         state=link force=yes
   register: r4
   with_nested:
     - [ if, if_err ]
     - [ lo, "{{ ansible_default_ipv4.interface }}" ]
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 8450f00..953cea5 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -54,30 +54,24 @@ in      tcp     {{ postfix_instance.lists.port }}
 {% if 'MSA' in group_names %}
 in      tcp     587                                     # SMTP-AUTH
 {% endif %}
 {% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names %}
 in      tcp     80,443                                  # HTTP/HTTPS
 {% endif %}
 {% if 'webmail' in group_names and 'IMAP' not in group_names %}
 out     tcp     993                                     # IMAP
 out     tcp     4190                                    # MANAGESIEVE
 {% endif %}
 {% if 'bacula-dir' in group_names and groups.all | difference(groups['bacula-dir']) %}
 out     tcp     9102                                    # BACULA-FD
 {% elif groups['bacula-dir'] | difference([inventory_hostname]) %}
 in      tcp     9102                                    # BACULA-FD
 {% endif %}
 {% if 'bacula-sd' in group_names and groups.all | difference(groups['bacula-sd']) %}
 in      tcp     9103                                    # BACULA-SD
 {% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
 out     tcp     9103                                    # BACULA-SD
 {% endif %}
-{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %}
-out     tcp     4949                                    # MUNIN
-{% endif %}
-{% if groups['munin-master'] | difference([inventory_hostname]) %}
-in      tcp     4949                                    # MUNIN
-{% endif %}
 {% if 'LDAP-provider' in group_names %}
 out     tcp     11371                                   # HKP
 out     tcp     43                                      # WHOIS
 {% endif %}
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index de4098a..d0004b7 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -15,37 +15,38 @@ group root
 # This is the timeout for the whole transaction.
 # Units are in sec. Default is 15 min
 #
 # global_timeout 900
 
 # This is the timeout for each plugin.
 # Units are in sec. Default is 1 min
 #
 # timeout 60
 
 # Regexps for files to ignore
 ignore_file [\#~]$
 ignore_file DEADJOE$
 ignore_file \.bak$
 ignore_file %$
 ignore_file \.dpkg-(tmp|new|old|dist)$
 ignore_file \.rpm(save|new)$
 ignore_file \.pod$
 
 # Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
+# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949
 #
 host_name {{ inventory_hostname_short }}
 
 # A list of addresses that are allowed to connect.  This must be a
 # regular expression, since Net::Server does not understand CIDR-style
 # network notation unless the perl module Net::CIDR is installed.  You
 # may repeat the allow line as many times as you'd like
 
-allow ^127\.0\.0\.1$
-allow ^::1$
+{% for host in groups['munin-master'] %}
+allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$
+{% endfor %}
 
 # Which address to bind to;
-host 127.0.0.1
+host {{ ipsec[inventory_hostname_short] }}
 
 # And which port
 port 4994
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2
deleted file mode 100644
index 229def0..0000000
--- a/roles/common/templates/etc/stunnel/munin-node.conf.j2
+++ /dev/null
@@ -1,56 +0,0 @@
-; **************************************************************************
-; * Global options                                                         *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections  *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key  = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode)               *
-; **************************************************************************
-
-[munin-node]
-client  = no
-accept  = 4949
-connect = 127.0.0.1:4994
-CAfile  = /etc/stunnel/certs/munin-master.pem
-
-; vim:ft=dosini
diff --git a/roles/munin-master/handlers/main.yml b/roles/munin-master/handlers/main.yml
index f65376c..518a875 100644
--- a/roles/munin-master/handlers/main.yml
+++ b/roles/munin-master/handlers/main.yml
@@ -2,23 +2,20 @@
 - name: systemctl daemon-reload
   command: /bin/systemctl daemon-reload
 
 - name: Restart rrdcached
   service: name=rrdcached state=restarted
 
 - name: Restart munin
   service: name=munin state=restarted
 
 - name: Restart munin-node
   service: name=munin-node state=restarted
 
 - name: Restart munin-cgi-graph
   service: name=munin-cgi-graph state=restarted
 
 - name: Restart munin-cgi-html
   service: name=munin-cgi-html state=restarted
 
 - name: Restart Nginx
   service: name=nginx state=restarted
-
-- name: Restart stunnel@munin-master
-  service: name=stunnel4@munin-master state=restarted
diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml
index 1580197..64e697e 100644
--- a/roles/munin-master/tasks/main.yml
+++ b/roles/munin-master/tasks/main.yml
@@ -78,62 +78,33 @@
   register: r1
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/munin
   file: src=../sites-available/munin
         dest=/etc/nginx/sites-enabled/munin
         owner=root group=root
         state=link force=yes
   register: r2
   notify:
     - Restart Nginx
 
 - name: Start Nginx
   service: name=nginx state=started
   when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 
-- name: Copy munin-node X.509 certificates
-  copy: src=certs/munin/{{ item }}.pem
-        dest=/etc/stunnel/certs/munin-{{ hostvars[item].inventory_hostname_short }}.pem
-        owner=root group=root
-        mode=0644
-  with_items: "{{ groups.all | difference([inventory_hostname]) }}"
-  register: r1
-  notify:
-    - Restart stunnel@munin-master
-
-- name: Configure stunnel
-  template: src=etc/stunnel/munin-master.conf.j2
-            dest=/etc/stunnel/munin-master.conf
-            owner=root group=root
-            mode=0644
-  register: r2
-  notify:
-    - Restart stunnel@munin-master
-
-- name: Enable stunnel@munin-master
-  service: name=stunnel4@munin-master enabled=yes
-
-- name: Start stunnel@munin-master
-  service: name=stunnel4@munin-master state=started
-  when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
-
-
 - name: Install 'munin_stats' and 'munin_update' plugins
   file: src=/usr/share/munin/plugins/{{ item }}
         dest=/etc/munin/plugins/{{ item }}
         owner=root group=root
         state=link force=yes
   with_items:
     - munin_stats
     - munin_update
   tags:
     - munin-node
     - munin
   notify:
     - Restart munin-node
diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2
index 8273a83..401094a 100644
--- a/roles/munin-master/templates/etc/munin/munin.conf.j2
+++ b/roles/munin-master/templates/etc/munin/munin.conf.j2
@@ -76,40 +76,32 @@ html_strategy cgi
 # If set too low, munin-update might take more than 5 min.
 #
 # If you want munin-update to not be parallel set it to 0.
 #
 #max_processes 16
 
 # RRD updates are per default, performed directly on the rrd files.
 # To reduce IO and enable the use of the rrdcached, uncomment it and set it to
 # the location of the socket that rrdcached uses.
 #
 rrdcached_socket /var/run/rrdcached.sock
 
 # Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime
 # something changes (OK -> WARNING, CRITICAL -> OK, etc)
 contact.admin.command mail -s "Munin notification" admin@fripost.org
 #
 # For those with Nagios, the following might come in handy. In addition,
 # the services must be defined in the Nagios server as well.
 #contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
 
-local_address 127.0.0.1
-
-{% set n = 0 %}
 {% for node in groups.all | sort %}
-{% set n = n + 1 %}
 [all;{{ hostvars[node].inventory_hostname_short }}]
-{% if node == inventory_hostname %}
-    address 127.0.0.1
-{% else %}
-    address 127.0.{{ n }}.1
-{% endif %}
+    address {{ ipsec[ hostvars[node].inventory_hostname_short ] }}
     port 4994
 
 {% for g in hostvars[node].group_names | sort %}
 [{{ g }};{{ hostvars[node].inventory_hostname_short }}]
     update no
 
 {% endfor %}
 
 {% endfor %}
diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
deleted file mode 100644
index ffc7d0d..0000000
--- a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
+++ /dev/null
@@ -1,65 +0,0 @@
-; **************************************************************************
-; * Global options                                                         *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections  *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key  = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode)               *
-; **************************************************************************
-
-{% set n = 0 %}
-{% for node in groups.all | sort %}
-{% set n = n + 1 %}
-{% if node != inventory_hostname %}
-[{{ hostvars[node].inventory_hostname_short }}]
-accept  = 127.0.{{ n }}.1:4994
-connect = {{ node }}:4949
-delay   = yes
-CAfile  = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem
-{% endif %}
-
-{% endfor %}
-
-; vim:ft=dosini