X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fnagios%2Fmanifests%2Fserver.pp;h=a67e17edd43bad2a6da8131f0f3d1b792bd23c4a;hb=84ae359a4dd89da06aa33e2e75d62476d7b6ea82;hp=c40c1b9e0573e1ea70f26704196d9acaa5ddf383;hpb=06636b29ab22582ac3a830674a51a4e5e641858d;p=mirror%2Fdsa-puppet.git
diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index c40c1b9e0..a67e17edd 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -1,3 +1,7 @@
+# our nagios server class
+#
+# it includes stored ferm configs for all the things it needs to access
+# which are then collected by the monitored services
 class nagios::server {
 include apache2
 include apache2::ssl
@@ -133,4 +137,43 @@ class nagios::server {
 */15 * * * * root find /var/lib/icinga/status.dat -mmin +20 | grep -q . && service icinga restart
 | EOF
 }
+
+ # The nagios server wants to do DNS queries on the primaries
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => [
+ 'named::primary::ferm',
+ 'named::keyring::ferm',
+ ],
+ description => 'Allow nagios master access to the primary for checks',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
+
+ # The nagios server wants to connect to the NRPE server on all the hosts
+ @@ferm::rule::simple { "dsa-nrpe-from-${::fqdn}":
+ tag => 'nagios-nrpe::server',
+ description => 'Allow nagios master access to the nrpe daemon',
+ port => '5666',
+ saddr => $base::public_addresses,
+ }
+ @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+ tag => 'nagios-nrpe::server::debianorg.cfg',
+ target => '/etc/nagios/nrpe.d/debianorg.cfg',
+ content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+ }
+ # and we want to monitor smtp servers
+ @@ferm::rule::simple { "dsa-smtp-from-nagios-${::fqdn}":
+ tag => 'smtp::server::to::mail-satellite',
+ description => 'Allow smtp access from the nagios server',
+ port => '7', # will be overwritten on collection
+ saddr => $base::public_addresses,
+ }
+ # and we want to monitor ssh
+ @@ferm::rule::simple { "dsa-ssh-from-nagios-${::fqdn}":
+ tag => 'ssh::server::from::nagios',
+ description => 'Allow ssh access from the nagios server',
+ chain => 'ssh',
+ saddr => $base::public_addresses,
+ }
 }
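Review bot: The exported `dsa-smtp-from-nagios-${::fqdn}` rule ships a live placeholder, `port => '7'`, and is only correct if every collector of the `smtp::server::to::mail-satellite` tag overrides it; a collector that forgets would accept the echo port from the nagios addresses instead of SMTP, and nothing would fail. If `ferm::rule::simple` permits it (its definition is not visible in this hunk), leaving the port unset or rejecting an un-overridden value would be safer; at minimum the comment should state the contract, e.g. `port => '7', # placeholder: every collector MUST override port; 7 (echo) is never intended`. Separately, the `content` of the `nrpe-debian-allow-${::fqdn}` fragment has no trailing newline, so if more than one nagios server exports into `/etc/nagios/nrpe.d/debianorg.cfg` the `allowed_hosts=` entries may run together or only one may take effect, depending on how the target concat is declared. That is worth confirming, since this file is the NRPE access list.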