+# our nagios server class
+#
+# it includes stored ferm configs for all the things it needs to access
+# which are then collected by the monitored services
class nagios::server {
+ include apache2
+ include apache2::ssl
+ include apache2::authn_anon
- package { [
- 'nagios3',
- 'nagios-nrpe-plugin',
- 'nagios-plugins',
- 'nagios-images'
- ]:
- ensure => installed
- }
+ ssl::service { 'nagios.debian.org':
+ notify => Exec['service apache2 reload'],
+ key => true,
+ }
+ apache2::site { '10-nagios.debian.org':
+ site => 'nagios.debian.org',
+ content => template('nagios/nagios.debian.org.conf.erb'),
+ }
- file { '/etc/init.d/nagios3':
- source => 'puppet:///modules/nagios/nagios3.init',
- mode => '0755',
- require => Package['nagios3'],
- before => Service['nagios3'],
- }
+ ensure_packages( [
+ 'icinga',
+ 'make',
+ 'monitoring-plugins',
+ 'nagios-nrpe-plugin',
+ ], { ensure => 'installed' })
- service { 'nagios3':
- ensure => running,
- require => Package['nagios3'],
- }
+ service { 'icinga':
+ ensure => running,
+ require => Package['icinga'],
+ }
- file { '/etc/nagios-plugins/config':
- ensure => directory,
- recurse => remote,
- source => 'puppet:///files/empty/',
- require => Package['nagios3'],
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3':
- ensure => directory,
- recurse => remote,
- source => 'puppet:///files/empty/',
- require => Package['nagios3'],
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d':
- ensure => directory,
- recurse => remote,
- source => 'puppet:///files/empty/',
- require => Package['nagios3'],
- notify => Service['nagios3'],
- }
- file { '/etc/nagios-plugins/config/local-dsa-checkcommands.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/cgi.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/cgi.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/nagios.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/nagios.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/contacts.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/generic-host.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/generic-service.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/timeperiods.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-dependencies.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-hostgroups.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-hosts.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-servicegroups.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-services.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg',
- notify => Service['nagios3'],
- }
+ file { '/etc/icinga/apache2.conf':
+ content => template('nagios/icinga-apache2.conf.erb'),
+ notify => Exec['service apache2 reload'],
+ }
+ file { '/srv/nagios.debian.org/htpasswd':
+ mode => '0640',
+ owner => 'root',
+ group => 'www-data',
+ }
+ file { '/etc/icinga/cgi.cfg':
+ ensure => symlink,
+ target => 'config-pushed/static/cgi.cfg',
+ notify => Exec['service apache2 reload'],
+ }
+ file { '/etc/icinga/icinga.cfg':
+ ensure => symlink,
+ target => 'config-pushed/static/icinga.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects':
+ ensure => directory,
+ mode => '0755',
+ purge => true,
+ recurse => true,
+ force => true,
+ source => 'puppet:///files/empty/',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/contacts.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/contacts.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/generic-host.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/generic-host.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/generic-service.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/generic-service.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/timeperiods.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/timeperiods.cfg',
+ notify => Service['icinga'],
+ }
- concat::fragment { 'dsa-puppet-stuff--nagios--restart-stale-icinga':
- target => '/etc/cron.d/dsa-puppet-stuff',
- order => '010',
- content => @(EOF)
- */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
- | EOF
- }
+ file { '/etc/icinga/objects/xauto-dependencies.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-dependencies.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-hostgroups.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-hostgroups.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-hosts.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-hosts.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-servicegroups.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-servicegroups.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-services.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-services.cfg',
+ notify => Service['icinga'],
+ }
+
+ file { '/etc/nagios-plugins/config/local-dsa-checkcommands.cfg':
+ ensure => symlink,
+ target => '../../icinga/config-pushed/static/checkcommands.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg':
+ ensure => symlink,
+ target => '../../icinga/config-pushed/static/eventhandlers.cfg',
+ notify => Service['icinga'],
+ }
+
+ file { '/etc/icinga/config-pushed':
+ ensure => symlink,
+ target => '/srv/nagios.debian.org/config-pushed'
+ }
+
+ file { '/srv/nagios.debian.org':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/nagios.debian.org/config-pushed':
+ ensure => directory,
+ mode => '0755',
+ owner => 'nagiosadm',
+ group => 'nagiosadm',
+ }
+
+ concat::fragment { 'puppet-crontab--nagios--restart-stale-icinga':
+ target => '/etc/cron.d/puppet-crontab',
+ order => '010',
+ content => @(EOF)
+ */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
+ | EOF
+ }
+
+ # The nagios server wants to do DNS queries on the primaries
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => [
+ 'named::primary::ferm',
+ 'named::keyring::ferm',
+ ],
+ description => 'Allow nagios master access to the primary for checks',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
+
+ # The nagios server wants to connect to the NRPE server on all the hosts
+ @@ferm::rule::simple { "dsa-nrpe-from-${::fqdn}":
+ tag => 'nagios-nrpe::server',
+ description => 'Allow nagios master access to the nrpe daemon',
+ port => '5666',
+ saddr => $base::public_addresses,
+ }
+ @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+ tag => 'nagios-nrpe::server::debianorg.cfg',
+ target => '/etc/nagios/nrpe.d/debianorg.cfg',
+ content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+ }
+ # and we want to monitor smtp servers
+ @@ferm::rule::simple { "dsa-smtp-from-nagios-${::fqdn}":
+ tag => 'smtp::server::to::mail-satellite',
+ description => 'Allow smtp access from the nagios server',
+ port => '7', # will be overwritten on collection
+ saddr => $base::public_addresses,
+ }
}
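Review bot: The new symlinks for `icinga.cfg`, `cgi.cfg`, `checkcommands.cfg` and `eventhandlers.cfg` all resolve into `/srv/nagios.debian.org/config-pushed`, which this class makes owned by `nagiosadm`. The command definitions the daemon executes and the CGI authorization settings are therefore no longer delivered by puppet, as they were with the removed `puppet:///modules/nagios/dsa-nagios/...` sources. The class does not document this trust boundary, so I would add a comment above the `file { '/srv/nagios.debian.org/config-pushed':` resource, such as `# written by nagiosadm outside puppet; this content defines the commands icinga runs and who may use the CGIs, so write access here is equivalent to control of the monitoring server`. Also, `notify => Service['icinga']` on an `ensure => symlink` resource fires only when the link itself changes, not when the pushed target content changes. A validate-then-reload step (for example `icinga -v /etc/icinga/icinga.cfg` before the reload) presumably has to live in the push mechanism, which is not visible in this diff.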