From 3da3099c18259b8a9a13fdaa3653cf7e88ae09fc Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 20 Sep 2019 20:33:19 +0200
Subject: [PATCH] Switch nrpe firewalling to store/collect

---
 modules/nagios/manifests/client.pp | 12 +-----------
 modules/nagios/manifests/server.pp | 8 ++++++++
 modules/roles/manifests/dns_primary.pp | 7 +++++++
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp
index 710378c5a..a2a7c24d8 100644
--- a/modules/nagios/manifests/client.pp
+++ b/modules/nagios/manifests/client.pp
@@ -13,17 +13,7 @@ class nagios::client inherits nagios {
     pattern => 'nrpe',
   }
 
-  ferm::rule { 'dsa-nagios-v4':
-    description => 'Allow nrpe from nagios master',
-    rule => 'proto tcp mod state state (NEW) dport (5666) @subchain \'nagios\' { saddr ($HOST_NAGIOS_V4) ACCEPT; }',
-    notarule => true,
-  }
-  ferm::rule { 'dsa-nagios-v6':
-    description => 'Allow nrpe from nagios master',
-    domain => 'ip6',
-    rule => 'proto tcp mod state state (NEW) dport (5666) @subchain \'nagios\' { saddr ($HOST_NAGIOS_V6) ACCEPT; }',
-    notarule => true,
-  }
+  Ferm::Rule::Simple <<| tag == 'nagios-nrpe::server' |>>
 
   file { '/etc/default/nagios-nrpe-server':
     source => 'puppet:///modules/nagios/common/default',
diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index dbd47f949..fc222ae81 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -145,4 +145,12 @@ class nagios::server {
     port => 'domain',
     saddr => $base::public_addresses,
   }
+
+  # The nagios server wants to connect to the NRPE server on all the hosts
+  @@ferm::rule::simple { "dsa-nrpe-from-${::fqdn}":
+    tag => 'nagios-nrpe::server',
+    description => 'Allow nagios master access to the nrpe daemon',
+    port => '5666',
+    saddr => $base::public_addresses,
+  }
 }
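Review bot: The trust shift introduced by `Ferm::Rule::Simple <<| tag == 'nagios-nrpe::server' |>>` is left undocumented: the two removed rules admitted only the static `$HOST_NAGIOS_V4`/`$HOST_NAGIOS_V6` addresses, whereas the collector opens NRPE on every client to whatever PuppetDB currently holds under that tag, so which hosts may reach port 5666 is now decided by other manifests (and, via `${::fqdn}` and `$base::public_addresses`, by the exporting nodes' facts) rather than by this file. Since NRPE is effectively a remote command endpoint, I would add above the collector `# Any catalog that exports a ferm::rule::simple tagged 'nagios-nrpe::server' (see nagios::server, roles::dns_primary) gains access to NRPE on this host.` The removed rules also matched `mod state state (NEW)` and lived in the `'nagios'` subchain with `proto tcp`; whether `ferm::rule::simple` produces an equivalent tcp/5666 rule is not visible here and is worth confirming. Note that on a fresh PuppetDB, or before the exporting hosts have compiled with this change, the collector yields nothing, which fails closed: NRPE becomes unreachable for the monitoring host until the exporters have run.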
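Review bot: The literals `port => '5666'` and `tag => 'nagios-nrpe::server'` in the new `@@ferm::rule::simple` must match, character for character, the collector in `nagios::client` and the sibling export in `roles::dns_primary`, yet nothing enforces that: a typo in either produces an exported rule nobody collects, or a collector that collects nothing, with no catalog error. Consider hoisting both into the nagios module, e.g. `$nagios::nrpe_port = '5666'` and `$nagios::nrpe_ferm_tag = 'nagios-nrpe::server'`, and referencing those from all three manifests. `saddr => $base::public_addresses` mirrors the adjacent `domain` rule, which is consistent, but whether `ferm::rule::simple` restricts to tcp by default is not visible in this hunk and matters because the client rules it replaces were `proto tcp`.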
diff --git a/modules/roles/manifests/dns_primary.pp b/modules/roles/manifests/dns_primary.pp
index d846c1b1f..422db0df8 100644
--- a/modules/roles/manifests/dns_primary.pp
+++ b/modules/roles/manifests/dns_primary.pp
@@ -51,4 +51,11 @@ class roles::dns_primary(
   }
   Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
 
+  # mini-nag does nrpe queries to check if hosts are still up
+  @@ferm::rule::simple { "dsa-nrpe-from-dnsprimary-${::fqdn}":
+    tag => 'nagios-nrpe::server',
+    description => 'Allow dns primary running mini-nag access to the nrpe daemon',
+    port => '5666',
+    saddr => $base::public_addresses,
+  }
 }
-- 
2.20.1
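Review bot: This export widens NRPE exposure on every collecting host from the nagios master alone to the DNS primary as well, and NRPE access means being able to trigger whatever commands each host's nrpe configuration permits; the comment says mini-nag only needs to know whether hosts are still up, so it is worth confirming that full port 5666 access, rather than a narrower liveness check, is actually required before granting it fleet-wide. If it is, the title `"dsa-nrpe-from-dnsprimary-${::fqdn}"` being distinct from the `"dsa-nrpe-from-${::fqdn}"` used in `nagios::server` looks deliberate — a host carrying both roles would presumably otherwise export two resources with the same title — and deserves a comment such as `# title deliberately differs from the nagios::server export so a host holding both roles does not export a duplicate`. As in server.pp, `'5666'` and `'nagios-nrpe::server'` are repeated literals rather than shared values; a typo here makes the rule silently vanish instead of failing the compile.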