Diffstat (limited to 'roles/common/tasks/munin-node.yml')
-rw-r--r--roles/common/tasks/munin-node.yml121
1 files changed, 50 insertions, 71 deletions
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index 9e5d8f4..2411b59 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -1,23 +1,24 @@
- name: Install munin-node
- apt: pkg={{ item }}
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- munin-node
- munin-plugins-extra
###
- acpi
- lm-sensors
- ethtool
- hdparm
- libwww-perl
- libxml-simple-perl
- logtail
- name: Create directory /usr/local/share/munin/plugins
file: path=/usr/local/share/munin/plugins
state=directory
owner=root group=root
mode=0755
- name: Copy our own Munin plugins
copy: src={{ item }}
dest=/usr/local/share/munin/plugins/
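Review bot: The added `apt: pkg={{ packages }}` line keeps the key=value string form, so the package list reaches the module through an unquoted template embedded in a string. Block-style arguments make the list type explicit and avoid quoting surprises: `apt:` followed by `name: "{{ packages }}"`, with the added `vars:`/`packages:` block left as it is. The task also sets no explicit `state`, so it relies on the module default; stating it would make the intent clear to a reader.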
@@ -44,68 +45,90 @@
owner=root group=root
state=link force=yes
register: r2
with_items:
- cpu
- df
- df_inode
- diskstats
- entropy
- fail2ban
- forks
- fw_conntrack
- fw_forwarded_local
- fw_packets
- hddtemp_smartctl
- interrupts
- irqstats
- load
- memory
- netstat
- - ntp_kernel_err
- - ntp_kernel_pll_freq
- - ntp_kernel_pll_off
- - ntp_offset
- open_files
- open_inodes
- processes
- proc_pri
- swap
- threads
- uptime
- users
- vmstat
notify:
- Restart munin-node
-- name: Delete Munin plugins
+- name: Install Munin plugins
+ file: src=/usr/share/munin/plugins/{{ item }}
+ dest=/etc/munin/plugins/{{ item }}
+ owner=root group=root
+ state=link force=yes
+ with_items:
+ - ntp_kernel_err
+ - ntp_kernel_pll_freq
+ - ntp_kernel_pll_off
+ - ntp_offset
+ when: "'NTP_master' in group_names"
+ notify:
+ - Restart munin-node
+
+- name: Delete unnecessary Munin plugins
file: path=/etc/munin/plugins/{{ item }}
state=absent
register: r3
with_items:
- http_loadtime
- ip_255.255.255.255
- postfix_mailqueue
- postfix_mailvolume
notify:
- Restart munin-node
+- name: Delete unnecessary Munin plugins
+ file: path=/etc/munin/plugins/{{ item }}
+ state=absent
+ with_items:
+ - ntp_kernel_err
+ - ntp_kernel_pll_freq
+ - ntp_kernel_pll_off
+ - ntp_offset
+ when: "'NTP_master' not in group_names"
+ notify:
+ - Restart munin-node
+
- name: Install 'if_' Munin wildcard plugin
file: src=/usr/share/munin/plugins/{{ item.0 }}_
dest=/etc/munin/plugins/{{ item.0 }}_{{ item.1 }}
owner=root group=root
state=link force=yes
register: r4
with_nested:
- [ if, if_err ]
- [ lo, "{{ ansible_default_ipv4.interface }}" ]
notify:
- Restart munin-node
- name: Install 'postfix_mailvolume2' Munin plugin
file: src=/usr/local/share/munin/plugins/postfix_mailvolume2
dest=/etc/munin/plugins/postfix_mailvolume2
owner=root group=root
state=link force=yes
register: r5
notify:
- Restart munin-node
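Review bot: The two tasks added for the ntp_* plugins have no `register:`, unlike their neighbours (r2, r3, r4, r5), so the `when: not (r1.changed or …)` guard on "Start munin-node" in the last hunk does not see their changes. The effect looks limited to a redundant start before the handler restarts the service, but the guard no longer matches the task list. Either add `register: r9` and `register: r10` and extend the guard, or drop it and rely on the handler. The second deletion task also reuses the name "Delete unnecessary Munin plugins", which makes run output and `--start-at-task` ambiguous; something like `- name: Delete NTP Munin plugins on non-NTP hosts` would distinguish it. The first lines of this hunk belong to a task that starts outside it.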
@@ -115,93 +138,49 @@
dest=/etc/munin/plugins/postfix_mailqueue_postfix
owner=root group=root
state=link force=yes
register: r6
notify:
- Restart munin-node
- name: Install 'postfix_stats_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_stats_
dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix
owner=root group=root
state=link force=yes
register: r7
with_items:
- smtpd
- qmgr
- smtp
notify:
- Restart munin-node
-- name: Start munin-node
- service: name=munin-node state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
-
-- meta: flush_handlers
-
-
-
-- name: Install stunnel
- apt: pkg=stunnel4
-
-- name: Auto-enable stunnel
- lineinfile: dest=/etc/default/stunnel4
- regexp='^(\s*#)?\s*ENABLED='
- line='ENABLED=1'
- owner=root group=root
- mode=0644
-
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
+- name: Create directory /etc/systemd/system/munin-node.service.d
+ file: path=/etc/systemd/system/munin-node.service.d
state=directory
owner=root group=root
mode=0755
-- name: Generate a private key and a X.509 certificate for munin-node
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
- --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
- --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel
- tags:
- - genkey
-
-- name: Fetch Munin X.509 certificate
- # Ensure we don't fetch private data
- sudo: False
- fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
- dest=certs/munin/{{ inventory_hostname }}.pem
- fail_on_missing=yes
- flat=yes
- tags:
- - genkey
-
-- name: Copy munin-master X.509 certificates
- assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
- dest=/etc/stunnel/certs/munin-master.pem
- owner=root group=root
- mode=0644
- register: r2
- when: "'munin-master' not in group_names"
+- name: Copy munin-node.service override
+ copy: src=etc/systemd/system/munin-node.service.d/override.conf
+ dest=/etc/systemd/system/munin-node.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ register: r8
notify:
- - Restart stunnel
+ - systemctl daemon-reload
+ - Restart munin-node
-- name: Configure stunnel
- template: src=etc/stunnel/munin-node.conf.j2
- dest=/etc/stunnel/munin-node.conf
- owner=root group=root
- mode=0644
- register: r3
- when: "'munin-master' not in group_names"
- notify:
- - Restart stunnel
+# We use RuntimeDirectory in our overrride unit to avoid permission
+# issues caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/munin-common.conf
+ file: src=/dev/null
+ dest=/etc/tmpfiles.d/munin-common.conf
+ owner=root group=root
+ state=link
-- name: Start stunnel
- service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
- when: not (r1.changed or r2.changed or r3.changed)
+- name: Start munin-node
+ service: name=munin-node state=started
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed or r8.changed)
- meta: flush_handlers
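Review bot: The stunnel tasks are deleted without any step that undoes them on hosts that are already provisioned. The stunnel4 package, /etc/stunnel/munin-node.conf and the private key /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key would stay in place, presumably with the tunnel still listening. A cleanup task such as `file: path=/etc/stunnel/munin-node.conf state=absent`, with the same treatment for the key and a stop of the service, would retire the stale listener and key material. Nothing in this hunk shows what now protects the munin-node connection from the master, so if that is handled elsewhere a short comment above "Start munin-node" saying where would help. Separately, the "Mask /usr/lib/tmpfiles.d/munin-common.conf" task uses `state=link` without `force=yes`, unlike the other link tasks in this file, and is likely to fail if a regular file already exists at the destination.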