Diffstat (limited to 'roles/munin-master')
-rw-r--r--roles/munin-master/files/etc/nginx/sites-available/munin14
-rw-r--r--roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service28
-rw-r--r--roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket (renamed from roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket)0
-rw-r--r--roles/munin-master/files/etc/systemd/system/munin-cgi-html.service27
-rw-r--r--roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket (renamed from roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket)0
-rw-r--r--roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service14
-rw-r--r--roles/munin-master/files/lib/systemd/system/munin-cgi-html.service14
-rw-r--r--roles/munin-master/handlers/main.yml3
-rw-r--r--roles/munin-master/tasks/main.yml55
-rw-r--r--roles/munin-master/templates/etc/munin/munin.conf.j214
-rw-r--r--roles/munin-master/templates/etc/stunnel/munin-master.conf.j262
11 files changed, 89 insertions, 142 deletions
diff --git a/roles/munin-master/files/etc/nginx/sites-available/munin b/roles/munin-master/files/etc/nginx/sites-available/munin
index ade1888..2f681fb 100644
--- a/roles/munin-master/files/etc/nginx/sites-available/munin
+++ b/roles/munin-master/files/etc/nginx/sites-available/munin
@@ -1,31 +1,37 @@
server {
listen 127.0.0.1:80;
listen [::1]:80;
server_name munin.fripost.org;
+ allow 127.0.0.0/8;
+ allow ::1/128;
+ deny all;
+
access_log /var/log/nginx/munin.access.log;
error_log /var/log/nginx/munin.error.log info;
+ include snippets/headers.conf;
+
location = / {
return 302 /munin$args;
}
location /munin/static/ {
alias /etc/munin/static/;
}
location /munin-cgi/munin-cgi-graph/ {
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
- include fastcgi/params;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/run/munin/cgi-graph.socket;
- gzip off;
}
location /munin/ {
fastcgi_split_path_info ^(/munin)(.*);
- include fastcgi/params;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include snippets/fastcgi.conf;
fastcgi_pass unix:/run/munin/cgi-html.socket;
- gzip off;
}
}
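Review bot: The `allow 127.0.0.0/8` / `allow ::1/128` / `deny all` block added at the top of the server block duplicates what the loopback-only `listen 127.0.0.1:80` and `listen [::1]:80` directives already enforce, so a reader cannot tell which of the two is meant to be the real control. A one-line comment such as `# Defence in depth: listen is loopback-only, but deny everything else should a listen ever be widened.` above the allow lines would make the intent explicit. The two new `fastcgi_param PATH_INFO $fastcgi_path_info;` lines are placed before `include snippets/fastcgi.conf;`; it is worth confirming that snippet does not itself set PATH_INFO, so that the location-level value is the only one passed.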
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
new file mode 100644
index 0000000..b8e6012
--- /dev/null
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Munin CGI Graph Service
+After=network.target
+PartOf=munin.service
+Requires=munin-cgi-graph.socket
+
+[Service]
+StandardInput=socket
+User=www-data
+Group=munin
+ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/log/munin
+ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=
+
+[Install]
+WantedBy=multi-user.target
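Review bot: `RestrictAddressFamilies=` with an empty value is not a lockdown: in systemd.exec an empty assignment resets any earlier address-family restriction, so the line as written is a no-op rather than "deny all socket families" as its position in the hardening block suggests. Since `PrivateNetwork=yes` already detaches the unit from the network, either drop the line or allow-list what the CGI still needs, e.g. `RestrictAddressFamilies=AF_UNIX` — munin-cgi-graph presumably has to connect to the `rrdcached_socket` configured in munin.conf, which requires AF_UNIX. `PrivateDevices=yes` is also listed twice in this unit. munin-cgi-html.service in this same commit has the same empty `RestrictAddressFamilies=` and duplicated `PrivateDevices=yes`.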
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket
index d4d2e27..d4d2e27 100644
--- a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
new file mode 100644
index 0000000..0e66b3f
--- /dev/null
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Munin CGI HTML Service
+After=network.target
+PartOf=munin.service
+Requires=munin-cgi-html.socket
+
+[Service]
+StandardInput=socket
+User=www-data
+Group=munin
+ExecStart=/usr/lib/munin/cgi/munin-cgi-html
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/log/munin
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket
index 77be2cf..77be2cf 100644
--- a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service
deleted file mode 100644
index 9e4d820..0000000
--- a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Munin CGI Graph Service
-After=network.target
-PartOf=munin.service
-Requires=munin-cgi-graph.socket
-
-[Service]
-StandardInput=socket
-User=www-data
-Group=munin
-ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service
deleted file mode 100644
index 11a7470..0000000
--- a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Munin CGI HTML Service
-After=network.target
-PartOf=munin.service
-Requires=munin-cgi-html.socket
-
-[Service]
-StandardInput=socket
-User=www-data
-Group=munin
-ExecStart=/usr/lib/munin/cgi/munin-cgi-html
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/munin-master/handlers/main.yml b/roles/munin-master/handlers/main.yml
index 4c41033..518a875 100644
--- a/roles/munin-master/handlers/main.yml
+++ b/roles/munin-master/handlers/main.yml
@@ -2,23 +2,20 @@
- name: systemctl daemon-reload
command: /bin/systemctl daemon-reload
- name: Restart rrdcached
service: name=rrdcached state=restarted
- name: Restart munin
service: name=munin state=restarted
- name: Restart munin-node
service: name=munin-node state=restarted
- name: Restart munin-cgi-graph
service: name=munin-cgi-graph state=restarted
- name: Restart munin-cgi-html
service: name=munin-cgi-html state=restarted
- name: Restart Nginx
service: name=nginx state=restarted
-
-- name: Restart stunnel
- service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml
index 5dd1151..6dad93b 100644
--- a/roles/munin-master/tasks/main.yml
+++ b/roles/munin-master/tasks/main.yml
@@ -1,74 +1,87 @@
- name: Install munin
- apt: pkg={{ item }}
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- munin
- rrdcached
- libcgi-fast-perl
- name: Configure rrdcached
lineinfile: "dest=/etc/default/rrdcached
- regexp='^#?OPTS='
- line='OPTS=\"-s munin -m 660 -l unix:/var/run/rrdcached.sock -w 1800 -z 1800 -f 3600 -j /var/lib/rrdcached/journal -F -b /var/lib/munin -B\"'"
+ regexp='^#?{{ item.name }}='
+ line='{{ item.name }}=\"{{ item.value }}\"'"
+ with_items:
+ - { name: 'BASE_OPTIONS', value: '-B -F' }
+ - { name: 'BASE_PATH', value: '/var/lib/munin' }
+ - { name: 'SOCKFILE', value: '/run/rrdcached.sock' }
+ - { name: 'SOCKGROUP', value: 'munin' }
+ - { name: 'SOCKMODE', value: '0660' }
+ - { name: 'WRITE_TIMEOUT', value: '1800' }
register: r
notify:
- Restart rrdcached
- name: Start rrdcached
service: name=rrdcached state=started
when: not r.changed
- meta: flush_handlers
+- name: Create directory /var/lib/munin/cgi-tmp/munin-cgi-graph
+ file: path=/var/lib/munin/cgi-tmp/munin-cgi-graph
+ state=directory
+ owner=www-data group=www-data
+ mode=0755
- name: Configure munin
template: src=etc/munin/munin.conf.j2
dest=/etc/munin/munin.conf
owner=root group=root
mode=0644
notify:
- Restart munin-cgi-graph
- Restart munin-cgi-html
- name: chown www-data:adm /var/log/munin/munin-cgi-{graph,html}.log
file: path=/var/log/munin/{{ item }}
owner=www-data group=adm
mode=0640
with_items:
- munin-cgi-graph.log
- munin-cgi-html.log
- name: Copy munin-cgi-graph.{service,socket}
- copy: src=lib/systemd/system/{{ item }}
- dest=/lib/systemd/system/{{ item }}
+ copy: src=etc/systemd/system/{{ item }}
+ dest=/etc/systemd/system/{{ item }}
owner=root group=root
mode=0644
notify:
- systemctl daemon-reload
- Restart munin-cgi-graph
with_items:
- munin-cgi-graph.service
- munin-cgi-graph.socket
- name: Copy munin-cgi-html.{service,socket}
- copy: src=lib/systemd/system/{{ item }}
- dest=/lib/systemd/system/{{ item }}
+ copy: src=etc/systemd/system/{{ item }}
+ dest=/etc/systemd/system/{{ item }}
owner=root group=root
mode=0644
notify:
- systemctl daemon-reload
- Restart munin-cgi-html
with_items:
- munin-cgi-html.service
- munin-cgi-html.socket
- meta: flush_handlers
- name: Start munin-cgi-{graph,html}
service: name={{ item }} state=started enabled=yes
with_items:
- munin-cgi-graph
- munin-cgi-html
- name: Copy /etc/nginx/sites-available/munin
copy: src=etc/nginx/sites-available/munin
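Review bot: The "Configure rrdcached" task now manages `BASE_OPTIONS`, `BASE_PATH`, `SOCKFILE`, `SOCKGROUP`, `SOCKMODE` and `WRITE_TIMEOUT`, but nothing removes the `OPTS=` line the previous version of this task wrote into /etc/default/rrdcached, so hosts provisioned earlier keep both and the old `-l unix:/var/run/rrdcached.sock` may still take effect depending on how the init script combines the two. A cleanup item such as `- name: Remove legacy OPTS from /etc/default/rrdcached` / `lineinfile: dest=/etc/default/rrdcached regexp='^#?OPTS=' state=absent` / `notify: [ Restart rrdcached ]` placed before "Start rrdcached" would make the transition idempotent. The "Copy /etc/nginx/sites-available/munin" task at the end of this hunk continues in the next hunk.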
@@ -78,59 +91,33 @@
register: r1
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/munin
file: src=../sites-available/munin
dest=/etc/nginx/sites-enabled/munin
owner=root group=root
state=link force=yes
register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed)
- meta: flush_handlers
-- name: Copy munin-node X.509 certificates
- copy: src=certs/munin/{{ item }}.pem
- dest=/etc/stunnel/certs/munin-{{ hostvars[item].inventory_hostname_short }}.pem
- owner=root group=root
- mode=0644
- with_items: groups.all | difference([inventory_hostname])
- register: r1
- notify:
- - Restart stunnel
-
-- name: Configure stunnel
- template: src=etc/stunnel/munin-master.conf.j2
- dest=/etc/stunnel/munin-master.conf
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart stunnel
-
-- name: Start stunnel
- service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
- when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
-
-
- name: Install 'munin_stats' and 'munin_update' plugins
file: src=/usr/share/munin/plugins/{{ item }}
dest=/etc/munin/plugins/{{ item }}
owner=root group=root
state=link force=yes
with_items:
- munin_stats
- munin_update
tags:
- munin-node
- munin
notify:
- Restart munin-node
diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2
index 8273a83..b53ef0e 100644
--- a/roles/munin-master/templates/etc/munin/munin.conf.j2
+++ b/roles/munin-master/templates/etc/munin/munin.conf.j2
@@ -1,31 +1,31 @@
# Example configuration file for Munin, generated by 'make build'
# The next three variables specifies where the location of the RRD
# databases, the HTML output, logs and the lock/pid files. They all
# must be writable by the user running munin-cron. They are all
# defaulted to the values you see here.
#
#dbdir /var/lib/munin
#htmldir /var/cache/munin/www
#logdir /var/log/munin
-#rundir /var/run/munin
+#rundir /run/munin
# Where to look for the HTML templates
#
#tmpldir /etc/munin/templates
# Where to look for the static www files
#
#staticdir /etc/munin/static
# temporary cgi files are here. note that it has to be writable by
# the cgi user (usually nobody or httpd).
#
# cgitmpdir /var/lib/munin/cgi-tmp
# (Exactly one) directory to include all files from.
includedir /etc/munin/munin-conf.d
# You can choose the time reference for "DERIVE" like graphs, and show
# "per minute", "per hour" values instead of the default "per second"
#
@@ -66,50 +66,42 @@ graph_strategy cgi
# - moving to CGI for HTML means you cannot have graph generated by cron.
# - cgi html has some bugs, mostly you still have to launch munin-html by hand
#
html_strategy cgi
# munin-update runs in parallel.
#
# The default max number of processes is 16, and is probably ok for you.
#
# If set too high, it might hit some process/ram/filedesc limits.
# If set too low, munin-update might take more than 5 min.
#
# If you want munin-update to not be parallel set it to 0.
#
#max_processes 16
# RRD updates are per default, performed directly on the rrd files.
# To reduce IO and enable the use of the rrdcached, uncomment it and set it to
# the location of the socket that rrdcached uses.
#
-rrdcached_socket /var/run/rrdcached.sock
+rrdcached_socket /run/rrdcached.sock
# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime
# something changes (OK -> WARNING, CRITICAL -> OK, etc)
contact.admin.command mail -s "Munin notification" admin@fripost.org
#
# For those with Nagios, the following might come in handy. In addition,
# the services must be defined in the Nagios server as well.
#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
-local_address 127.0.0.1
-
-{% set n = 0 %}
{% for node in groups.all | sort %}
-{% set n = n + 1 %}
[all;{{ hostvars[node].inventory_hostname_short }}]
-{% if node == inventory_hostname %}
- address 127.0.0.1
-{% else %}
- address 127.0.{{ n }}.1
-{% endif %}
+ address {{ ipsec[ hostvars[node].inventory_hostname_short ] }}
port 4994
{% for g in hostvars[node].group_names | sort %}
[{{ g }};{{ hostvars[node].inventory_hostname_short }}]
update no
{% endfor %}
{% endfor %}
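Review bot: The node sections keep `port 4994` while `address` now points at each node's IPsec address instead of a local stunnel listener; 4994 was the port the removed stunnel config accepted on (`accept = 127.0.{{ n }}.1:4994`) before forwarding to `{{ node }}:4949`, so unless munin-node on the peers has been moved to 4994 this should read `port 4949`. It would also help to record in the template that transport protection for the master-to-node connection now comes from IPsec rather than TLS, e.g. `# Nodes are reached via their IPsec addresses; the tunnel, not stunnel, protects this traffic.` above the loop, since a missing policy for one of those addresses could otherwise leave the connection in cleartext without anything in this file showing it.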
diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
deleted file mode 100644
index c025183..0000000
--- a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2
+++ /dev/null
@@ -1,62 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid = /var/run/stunnel4/munin-master.pid
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
-key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-{% set n = 0 %}
-{% for node in groups.all | sort %}
-{% set n = n + 1 %}
-{% if node != inventory_hostname %}
-[{{ hostvars[node].inventory_hostname_short }}]
-accept = 127.0.{{ n }}.1:4994
-connect = {{ node }}:4949
-delay = yes
-CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem
-{% endif %}
-
-{% endfor %}
-
-; vim:ft=dosini