summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml5
-rw-r--r--roles/common/tasks/munin-node-ssl.yml57
-rw-r--r--roles/common/tasks/munin-node.yml2
-rw-r--r--roles/common/templates/etc/iptables/services.j26
-rw-r--r--roles/common/templates/etc/munin/munin-node.conf.j29
-rw-r--r--roles/common/templates/etc/stunnel/munin-node.conf.j256
7 files changed, 6 insertions, 132 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 6ca53be..efab81b 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -47,9 +47,6 @@
- name: Restart stunnel@bacula-fd
service: name=stunnel4@bacula-fd state=restarted
-- name: Restart stunnel@munin-node
- service: name=stunnel4@munin-node state=restarted
-
- name: Restart bacula-fd
service: name=bacula-fd state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 88d44f3..04681bd 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -68,11 +68,6 @@
tags:
- munin-node
- munin
-- include: munin-node-ssl.yml
- when: "'munin-master' not in group_names"
- tags:
- - munin-node
- - munin
- name: Install common packages
apt: pkg={{ item }}
diff --git a/roles/common/tasks/munin-node-ssl.yml b/roles/common/tasks/munin-node-ssl.yml
deleted file mode 100644
index e0b1d8c..0000000
--- a/roles/common/tasks/munin-node-ssl.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for munin-node
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
- --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
- --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@munin-node
- tags:
- - genkey
-
-- name: Fetch Munin X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
- dest=certs/munin/{{ inventory_hostname }}.pem
- tags:
- - genkey
-
-- name: Copy munin-master X.509 certificates
- assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
- dest=/etc/stunnel/certs/munin-master.pem
- owner=root group=root
- mode=0644
- register: r2
- when: "'munin-master' not in group_names"
- notify:
- - Restart stunnel@munin-node
-
-- name: Configure stunnel
- template: src=etc/stunnel/munin-node.conf.j2
- dest=/etc/stunnel/munin-node.conf
- owner=root group=root
- mode=0644
- register: r3
- when: "'munin-master' not in group_names"
- notify:
- - Restart stunnel@munin-node
-
-- name: Enable stunnel@munin-node
- service: name=stunnel4@munin-node enabled=yes
-
-- name: Start stunnel@munin-node
- service: name=stunnel4@munin-node state=started
- when: not (r1.changed or r2.changed or r3.changed)
-
-- meta: flush_handlers
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index e1a931a..d4f8d95 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -77,7 +77,7 @@
notify:
- Restart munin-node
-- name: Delete Munin plugins
+- name: Delete unnecessary Munin plugins
file: path=/etc/munin/plugins/{{ item }}
state=absent
register: r3
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 8450f00..953cea5 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -71,12 +71,6 @@ in tcp 9103 # BACULA-SD
{% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
out tcp 9103 # BACULA-SD
{% endif %}
-{% if 'munin-master' in group_names and groups.all | difference([inventory_hostname]) %}
-out tcp 4949 # MUNIN
-{% endif %}
-{% if groups['munin-master'] | difference([inventory_hostname]) %}
-in tcp 4949 # MUNIN
-{% endif %}
{% if 'LDAP-provider' in group_names %}
out tcp 11371 # HKP
out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index de4098a..d0004b7 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -32,7 +32,7 @@ ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
+# telnetting to {{ ipsec[inventory_hostname_short] }}, port 4949
#
host_name {{ inventory_hostname_short }}
@@ -41,11 +41,12 @@ host_name {{ inventory_hostname_short }}
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
-allow ^127\.0\.0\.1$
-allow ^::1$
+{% for host in groups['munin-master'] %}
+allow ^{{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 | replace(".","\.") }}$
+{% endfor %}
# Which address to bind to;
-host 127.0.0.1
+host {{ ipsec[inventory_hostname_short] }}
# And which port
port 4994
diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2
deleted file mode 100644
index 229def0..0000000
--- a/roles/common/templates/etc/stunnel/munin-node.conf.j2
+++ /dev/null
@@ -1,56 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[munin-node]
-client = no
-accept = 4949
-connect = 127.0.0.1:4994
-CAfile = /etc/stunnel/certs/munin-master.pem
-
-; vim:ft=dosini