summaryrefslogtreecommitdiffstats
path: root/roles/common/templates/etc
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/templates/etc')
-rw-r--r--roles/common/templates/etc/iptables/services.j26
-rw-r--r--roles/common/templates/etc/munin/munin-node.conf.j29
-rw-r--r--roles/common/templates/etc/stunnel/munin-node.conf.j256
3 files changed, 5 insertions, 66 deletions
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 8450f00..953cea5 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -71,12 +71,6 @@ in tcp 9103 # BACULA-SD
{% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
out tcp 9103 # BACULA-SD
{% endif %}
-{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %}
-out tcp 4949 # MUNIN
-{% endif %}
-{% if groups['munin-master'] | difference([inventory_hostname]) %}
-in tcp 4949 # MUNIN
-{% endif %}
{% if 'LDAP-provider' in group_names %}
out tcp 11371 # HKP
out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index de4098a..d0004b7 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -32,7 +32,7 @@ ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
+# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949
#
host_name {{ inventory_hostname_short }}
@@ -41,11 +41,12 @@ host_name {{ inventory_hostname_short }}
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
-allow ^127\.0\.0\.1$
-allow ^::1$
+{% for host in groups['munin-master'] %}
+allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$
+{% endfor %}
# Which address to bind to;
-host 127.0.0.1
+host {{ ipsec[inventory_hostname_short] }}
# And which port
port 4994
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2
deleted file mode 100644
index 229def0..0000000
--- a/roles/common/templates/etc/stunnel/munin-node.conf.j2
+++ /dev/null
@@ -1,56 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[munin-node]
-client = no
-accept = 4949
-connect = 127.0.0.1:4994
-CAfile = /etc/stunnel/certs/munin-master.pem
-
-; vim:ft=dosini