X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fnagios%2Fmanifests%2Fserver.pp;h=a67e17edd43bad2a6da8131f0f3d1b792bd23c4a;hb=6605aa629b31ed231c2dbf29c8b2f4c8585e2de7;hp=e91f7f217934f5c92d2df09fb750c40c8e75c1dd;hpb=10dbfda20c40728071bd1cd3d76b32ae326ce445;p=mirror%2Fdsa-puppet.git
diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index e91f7f217..a67e17edd 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -1,97 +1,179 @@
+# our nagios server class
+#
+# it includes stored ferm configs for all the things it needs to access
+# which are then collected by the monitored services
 class nagios::server {
+ include apache2
+ include apache2::ssl
+ include apache2::authn_anon
- package { [
- 'nagios3',
- 'nagios-nrpe-plugin',
- 'nagios-plugins',
- 'nagios-images'
- ]:
- ensure => installed
- }
+ ssl::service { 'nagios.debian.org':
+ notify => Exec['service apache2 reload'],
+ key => true,
+ }
+ apache2::site { '10-nagios.debian.org':
+ site => 'nagios.debian.org',
+ content => template('nagios/nagios.debian.org.conf.erb'),
+ }
- service { 'nagios3':
- ensure => running,
- }
+ ensure_packages( [
+ 'icinga',
+ 'make',
+ 'monitoring-plugins',
+ 'nagios-nrpe-plugin',
+ ], { ensure => 'installed' })
- file { '/etc/nagios-plugins/config':
- ensure => directory,
- recurse => remote,
- source => 'puppet:///files/empty/',
- require => Package['nagios3'],
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3':
- ensure => directory,
- recurse => remote,
- source => 'puppet:///files/empty/',
- require => Package['nagios3'],
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d':
- ensure => directory,
- recurse => remote,
- source => 'puppet:///files/empty/',
- require => Package['nagios3'],
- notify => Service['nagios3'],
- }
- file { '/etc/nagios-plugins/config/local-dsa-checkcommands.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/cgi.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/cgi.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/nagios.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/nagios.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/contacts.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/generic-host.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/generic-service.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/timeperiods.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-dependencies.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-hostgroups.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-hosts.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-servicegroups.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg',
- notify => Service['nagios3'],
- }
- file { '/etc/nagios3/puppetconf.d/auto-services.cfg':
- source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg',
- notify => Service['nagios3'],
- }
+ service { 'icinga':
+ ensure => running,
+ require => Package['icinga'],
+ }
+
+ file { '/etc/icinga/apache2.conf':
+ content => template('nagios/icinga-apache2.conf.erb'),
+ notify => Exec['service apache2 reload'],
+ }
+ file { '/srv/nagios.debian.org/htpasswd':
+ mode => '0640',
+ owner => 'root',
+ group => 'www-data',
+ }
+ file { '/etc/icinga/cgi.cfg':
+ ensure => symlink,
+ target => 'config-pushed/static/cgi.cfg',
+ notify => Exec['service apache2 reload'],
+ }
+ file { '/etc/icinga/icinga.cfg':
+ ensure => symlink,
+ target => 'config-pushed/static/icinga.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects':
+ ensure => directory,
+ mode => '0755',
+ purge => true,
+ recurse => true,
+ force => true,
+ source => 'puppet:///files/empty/',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/contacts.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/contacts.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/generic-host.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/generic-host.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/generic-service.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/generic-service.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/timeperiods.cfg':
+ ensure => symlink,
+ target => '../config-pushed/static/objects/timeperiods.cfg',
+ notify => Service['icinga'],
+ }
+
+ file { '/etc/icinga/objects/xauto-dependencies.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-dependencies.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-hostgroups.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-hostgroups.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-hosts.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-hosts.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-servicegroups.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-servicegroups.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/icinga/objects/xauto-services.cfg':
+ ensure => symlink,
+ target => '../config-pushed/generated/auto-services.cfg',
+ notify => Service['icinga'],
+ }
+
+ file { '/etc/nagios-plugins/config/local-dsa-checkcommands.cfg':
+ ensure => symlink,
+ target => '../../icinga/config-pushed/static/checkcommands.cfg',
+ notify => Service['icinga'],
+ }
+ file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg':
+ ensure => symlink,
+ target => '../../icinga/config-pushed/static/eventhandlers.cfg',
+ notify => Service['icinga'],
+ }
+
+ file { '/etc/icinga/config-pushed':
+ ensure => symlink,
+ target => '/srv/nagios.debian.org/config-pushed'
+ }
+
+ file { '/srv/nagios.debian.org':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/srv/nagios.debian.org/config-pushed':
+ ensure => directory,
+ mode => '0755',
+ owner => 'nagiosadm',
+ group => 'nagiosadm',
+ }
+
+ concat::fragment { 'puppet-crontab--nagios--restart-stale-icinga':
+ target => '/etc/cron.d/puppet-crontab',
+ order => '010',
+ content => @(EOF)
+ */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
+ | EOF
+ }
+
+ # The nagios server wants to do DNS queries on the primaries
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => [
+ 'named::primary::ferm',
+ 'named::keyring::ferm',
+ ],
+ description => 'Allow nagios master access to the primary for checks',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
+
+ # The nagios server wants to connect to the NRPE server on all the hosts
+ @@ferm::rule::simple { "dsa-nrpe-from-${::fqdn}":
+ tag => 'nagios-nrpe::server',
+ description => 'Allow nagios master access to the nrpe daemon',
+ port => '5666',
+ saddr => $base::public_addresses,
+ }
+ @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+ tag => 'nagios-nrpe::server::debianorg.cfg',
+ target => '/etc/nagios/nrpe.d/debianorg.cfg',
+ content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+ }
+ # and we want to monitor smtp servers
+ @@ferm::rule::simple { "dsa-smtp-from-nagios-${::fqdn}":
+ tag => 'smtp::server::to::mail-satellite',
+ description => 'Allow smtp access from the nagios server',
+ port => '7', # will be overwritten on collection
+ saddr => $base::public_addresses,
+ }
+ # and we want to monitor ssh
+ @@ferm::rule::simple { "dsa-ssh-from-nagios-${::fqdn}":
+ tag => 'ssh::server::from::nagios',
+ description => 'Allow ssh access from the nagios server',
+ chain => 'ssh',
+ saddr => $base::public_addresses,
+ }
 }
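Review bot: The `file { '/srv/nagios.debian.org': }` resource pins only `mode => '0755'`, so Puppet will not correct ownership if that directory already exists under another account, and it is the parent of both `htpasswd` and the `nagiosadm`-owned `config-pushed` tree; adding `owner => 'root',` and `group => 'root',` there would close that gap. Because `cgi.cfg`, `icinga.cfg`, `checkcommands.cfg` and `eventhandlers.cfg` are now symlinks into `config-pushed`, whoever can write as `nagiosadm` decides which commands the icinga daemon runs and how the CGIs authorise users, on a host that the exported ferm rules allow to reach NRPE and ssh elsewhere. A comment above the `config-pushed` resources, for example `# config-pushed is written by nagiosadm and is trusted: it defines check commands and CGI authorisation`, would make that boundary explicit. The `notify => Service['icinga']` on the symlinks presumably fires only when a link itself changes, not when the pushed content changes, so the reload after a push has to come from a mechanism that is not visible in this hunk.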