diff options
Diffstat (limited to 'roles/common')
-rw-r--r-- | roles/common/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 5 | ||||
-rw-r--r-- | roles/common/tasks/munin-node-ssl.yml | 57 | ||||
-rw-r--r-- | roles/common/tasks/munin-node.yml | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 6 | ||||
-rw-r--r-- | roles/common/templates/etc/munin/munin-node.conf.j2 | 9 | ||||
-rw-r--r-- | roles/common/templates/etc/stunnel/munin-node.conf.j2 | 56 |
7 files changed, 6 insertions, 132 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 6ca53be..efab81b 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -47,9 +47,6 @@ - name: Restart stunnel@bacula-fd service: name=stunnel4@bacula-fd state=restarted -- name: Restart stunnel@munin-node - service: name=stunnel4@munin-node state=restarted - - name: Restart bacula-fd service: name=bacula-fd state=restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 88d44f3..04681bd 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -68,11 +68,6 @@ tags: - munin-node - munin -- include: munin-node-ssl.yml - when: "'munin-master' not in group_names" - tags: - - munin-node - - munin - name: Install common packages apt: pkg={{ item }} diff --git a/roles/common/tasks/munin-node-ssl.yml b/roles/common/tasks/munin-node-ssl.yml deleted file mode 100644 index e0b1d8c..0000000 --- a/roles/common/tasks/munin-node-ssl.yml +++ /dev/null @@ -1,57 +0,0 @@ -- name: Create /etc/stunnel/certs - file: path=/etc/stunnel/certs - state=directory - owner=root group=root - mode=0755 - -- name: Generate a private key and a X.509 certificate for munin-node - command: genkeypair.sh x509 - --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem - --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key - --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart stunnel@munin-node - tags: - - genkey - -- name: Fetch Munin X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem - dest=certs/munin/{{ inventory_hostname }}.pem - tags: - - genkey - -- name: Copy munin-master X.509 certificates - assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no - dest=/etc/stunnel/certs/munin-master.pem - owner=root group=root - mode=0644 - register: r2 - when: "'munin-master' not in group_names" - notify: - - Restart stunnel@munin-node - -- name: Configure stunnel - template: src=etc/stunnel/munin-node.conf.j2 - dest=/etc/stunnel/munin-node.conf - owner=root group=root - mode=0644 - register: r3 - when: "'munin-master' not in group_names" - notify: - - Restart stunnel@munin-node - -- name: Enable stunnel@munin-node - service: name=stunnel4@munin-node enabled=yes - -- name: Start stunnel@munin-node - service: name=stunnel4@munin-node state=started - when: not (r1.changed or r2.changed or r3.changed) - -- meta: flush_handlers diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml index e1a931a..d4f8d95 100644 --- a/roles/common/tasks/munin-node.yml +++ b/roles/common/tasks/munin-node.yml @@ -77,7 +77,7 @@ notify: - Restart munin-node -- name: Delete Munin plugins +- name: Delete unnecessary Munin plugins file: path=/etc/munin/plugins/{{ item }} state=absent register: r3 diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 8450f00..953cea5 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -71,12 +71,6 @@ in tcp 9103 # BACULA-SD {% elif groups['bacula-sd'] | difference([inventory_hostname]) %} out tcp 9103 # BACULA-SD {% endif %} -{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %} -out tcp 4949 # MUNIN -{% endif %} -{% if groups['munin-master'] | difference([inventory_hostname]) %} -in tcp 4949 # MUNIN -{% endif %} {% if 'LDAP-provider' in group_names %} out tcp 11371 # HKP out tcp 43 # WHOIS diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2 index de4098a..d0004b7 100644 --- a/roles/common/templates/etc/munin/munin-node.conf.j2 +++ b/roles/common/templates/etc/munin/munin-node.conf.j2 @@ -32,7 +32,7 @@ ignore_file \.rpm(save|new)$ ignore_file \.pod$ # Set this if the client doesn't report the correct hostname when -# telnetting to localhost, port 4949 +# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949 # host_name {{ inventory_hostname_short }} @@ -41,11 +41,12 @@ host_name {{ inventory_hostname_short }} # network notation unless the perl module Net::CIDR is installed. You # may repeat the allow line as many times as you'd like -allow ^127\.0\.0\.1$ -allow ^::1$ +{% for host in groups['munin-master'] %} +allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$ +{% endfor %} # Which address to bind to; -host 127.0.0.1 +host {{ ipsec[inventory_hostname_short] }} # And which port port 4994 diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2 deleted file mode 100644 index 229def0..0000000 --- a/roles/common/templates/etc/stunnel/munin-node.conf.j2 +++ /dev/null @@ -1,56 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem -key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -options = SINGLE_ECDH_USE -options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[munin-node] -client = no -accept = 4949 -connect = 127.0.0.1:4994 -CAfile = /etc/stunnel/certs/munin-master.pem - -; vim:ft=dosini |