diff options
Diffstat (limited to 'roles/common/templates/etc')
| -rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 6 | ||||
| -rw-r--r-- | roles/common/templates/etc/munin/munin-node.conf.j2 | 9 | ||||
| -rw-r--r-- | roles/common/templates/etc/stunnel/munin-node.conf.j2 | 56 |
3 files changed, 5 insertions, 66 deletions
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 8450f00..953cea5 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -54,30 +54,24 @@ in tcp {{ postfix_instance.lists.port }} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} {% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names %} in tcp 80,443 # HTTP/HTTPS {% endif %} {% if 'webmail' in group_names and 'IMAP' not in group_names %} out tcp 993 # IMAP out tcp 4190 # MANAGESIEVE {% endif %} {% if 'bacula-dir' in group_names and groups.all | difference(groups['bacula-dir']) %} out tcp 9102 # BACULA-FD {% elif groups['bacula-dir'] | difference([inventory_hostname]) %} in tcp 9102 # BACULA-FD {% endif %} {% if 'bacula-sd' in group_names and groups.all | difference(groups['bacula-sd']) %} in tcp 9103 # BACULA-SD {% elif groups['bacula-sd'] | difference([inventory_hostname]) %} out tcp 9103 # BACULA-SD {% endif %} -{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %} -out tcp 4949 # MUNIN -{% endif %} -{% if groups['munin-master'] | difference([inventory_hostname]) %} -in tcp 4949 # MUNIN -{% endif %} {% if 'LDAP-provider' in group_names %} out tcp 11371 # HKP out tcp 43 # WHOIS {% endif %} diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2 index de4098a..d0004b7 100644 --- a/roles/common/templates/etc/munin/munin-node.conf.j2 +++ b/roles/common/templates/etc/munin/munin-node.conf.j2 @@ -15,37 +15,38 @@ group root # This is the timeout for the whole transaction. # Units are in sec. Default is 15 min # # global_timeout 900 # This is the timeout for each plugin. # Units are in sec. Default is 1 min # # timeout 60 # Regexps for files to ignore ignore_file [\#~]$ ignore_file DEADJOE$ ignore_file \.bak$ ignore_file %$ ignore_file \.dpkg-(tmp|new|old|dist)$ ignore_file \.rpm(save|new)$ ignore_file \.pod$ # Set this if the client doesn't report the correct hostname when -# telnetting to localhost, port 4949 +# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949 # host_name {{ inventory_hostname_short }} # A list of addresses that are allowed to connect. This must be a # regular expression, since Net::Server does not understand CIDR-style # network notation unless the perl module Net::CIDR is installed. You # may repeat the allow line as many times as you'd like -allow ^127\.0\.0\.1$ -allow ^::1$ +{% for host in groups['munin-master'] %} +allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$ +{% endfor %} # Which address to bind to; -host 127.0.0.1 +host {{ ipsec[inventory_hostname_short] }} # And which port port 4994 diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2 deleted file mode 100644 index 229def0..0000000 --- a/roles/common/templates/etc/stunnel/munin-node.conf.j2 +++ /dev/null @@ -1,56 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem -key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -options = SINGLE_ECDH_USE -options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[munin-node] -client = no -accept = 4949 -connect = 127.0.0.1:4994 -CAfile = /etc/stunnel/certs/munin-master.pem - -; vim:ft=dosini |