From b408390ae9311b7d703ce57c25a78dce23c31b16 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 10 Jun 2015 15:35:13 +0200 Subject: Configure munin nodes & master. Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. --- .../templates/etc/stunnel/munin-node.conf.j2 | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 roles/common/templates/etc/stunnel/munin-node.conf.j2 (limited to 'roles/common/templates/etc/stunnel') diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2 new file mode 100644 index 0000000..de6c156 --- /dev/null +++ b/roles/common/templates/etc/stunnel/munin-node.conf.j2 @@ -0,0 +1,53 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; setuid()/setgid() to the specified user/group in daemon mode +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/munin-node.pid + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem +key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key + +; Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verify = 4 + +; Disable support for insecure protocols +options = NO_SSLv2 +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 + +; These options provide additional security at some performance degradation +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +; Select permitted SSL ciphers +ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[munin-node] +client = no +accept = 4949 +connect = 127.0.0.1:4994 +CAfile = /etc/stunnel/certs/munin-master.pem + +; vim:ft=dosini -- cgit v1.2.3