+ file { '/etc/icinga/config-pushed':
+ ensure => symlink,
+ target => '/srv/nagios.debian.org/config-pushed'
+ }
+
+ file { '/srv/nagios.debian.org':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/nagios.debian.org/config-pushed':
+ ensure => directory,
+ mode => '0755',
+ owner => 'nagiosadm',
+ group => 'nagiosadm',
+ }
+
+ concat::fragment { 'puppet-crontab--nagios--restart-stale-icinga':
+ target => '/etc/cron.d/puppet-crontab',
+ order => '010',
+ content => @(EOF)
+ */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
+ | EOF
+ }
+
+ # The nagios server wants to do DNS queries on the primaries
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => [
+ 'named::primary::ferm',
+ 'named::keyring::ferm',
+ ],
+ description => 'Allow nagios master access to the primary for checks',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
+
+ # The nagios server wants to connect to the NRPE server on all the hosts
+ @@ferm::rule::simple { "dsa-nrpe-from-${::fqdn}":
+ tag => 'nagios-nrpe::server',
+ description => 'Allow nagios master access to the nrpe daemon',
+ port => '5666',
+ saddr => $base::public_addresses,
+ }
+ @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+ tag => 'nagios-nrpe::server::debianorg.cfg',
+ target => '/etc/nagios/nrpe.d/debianorg.cfg',
+ content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+ }
+ # and we want to monitor smtp servers
+ @@ferm::rule::simple { "dsa-smtp-from-nagios-${::fqdn}":
+ tag => 'smtp::server::to::mail-satellite',
+ description => 'Allow smtp access from the nagios server',
+ port => '7', # will be overwritten on collection
+ saddr => $base::public_addresses,
+ }