Diffstat (limited to 'roles/common/templates/etc')
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 6 | ||||
-rw-r--r-- | roles/common/templates/etc/munin/munin-node.conf.j2 | 9 | ||||
-rw-r--r-- | roles/common/templates/etc/stunnel/munin-node.conf.j2 | 56 |
3 files changed, 5 insertions, 66 deletions
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 8450f00..953cea5 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -71,12 +71,6 @@ in tcp 9103 # BACULA-SD
 {% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
 out tcp 9103 # BACULA-SD
 {% endif %}
-{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %}
-out tcp 4949 # MUNIN
-{% endif %}
-{% if groups['munin-master'] | difference([inventory_hostname]) %}
-in tcp 4949 # MUNIN
-{% endif %}
 {% if 'LDAP-provider' in group_names %}
 out tcp 11371 # HKP
 out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index de4098a..d0004b7 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -32,7 +32,7 @@ ignore_file \.rpm(save|new)$
 ignore_file \.pod$
 
 # Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
+# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949
 #
 host_name {{ inventory_hostname_short }}
 
@@ -41,11 +41,12 @@ host_name {{ inventory_hostname_short }}
 # network notation unless the perl module Net::CIDR is installed. You
 # may repeat the allow line as many times as you'd like
 
-allow ^127\.0\.0\.1$
-allow ^::1$
+{% for host in groups['munin-master'] %}
+allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$
+{% endfor %}
 
 # Which address to bind to;
-host 127.0.0.1
+host {{ ipsec[inventory_hostname_short] }}
 
 # And which port
 port 4994
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2
deleted file mode 100644
index 229def0..0000000
--- a/roles/common/templates/etc/stunnel/munin-node.conf.j2
+++ /dev/null
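Review bot: The reworded hint in the first munin-node.conf.j2 hunk still says `port 4949`, but the node binds `port 4994` in the next hunk, and this commit deletes the stunnel service that used to accept 4949 and forward to 127.0.0.1:4994, so 4949 no longer exists on the node; the comment should read `# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4994`. Relatedly, the services.j2 hunk drops the `in tcp 4949` / `out tcp 4949` rules without adding anything for 4994, so unless IPsec-protected traffic is admitted by a rule outside this diff, the masters would no longer reach the node at all — worth confirming. The new `allow` regex restricts by source address only, and the client-certificate check the deleted stunnel config enforced (`verify = 4`) is gone, so the control now relies on packets to the IPsec address being rejected when they arrive outside the tunnel; if that is enforced elsewhere, a one-line comment above the `{% for %}` loop saying so would spare the next reader from assuming TLS still protects this port. Finally, `| ipv4` passes an IPv4 value through unchanged even when it carries a prefix length, in which case the anchored regex would silently never match; if `ipsec[...]` can hold CIDR notation, `| ipaddr('address')` is the safer filter to build the regex from.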
@@ -1,56 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[munin-node]
-client = no
-accept = 4949
-connect = 127.0.0.1:4994
-CAfile = /etc/stunnel/certs/munin-master.pem
-
-; vim:ft=dosini