From 6f10c816da4e6a1b8e917214f0bcb9001602523c Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 22 Sep 2019 15:23:54 +0200
Subject: [PATCH] muninmaster -> hiera role, new ssh store/collect, no more plain text munin fetching firewall rules (it is all async via ssh these days)

---
 data/nodes/menotti.debian.org.yaml | 3 +++
 modules/ferm/templates/defs.conf.erb | 6 +-----
 modules/ferm/templates/me.conf.erb | 4 ++--
 modules/munin/files/munin-async-authkeys | 1 -
 modules/munin/manifests/init.pp | 19 +++++--------------
 modules/munin/manifests/master.pp | 9 +++++++++
 modules/roles/manifests/init.pp | 4 ----
 modules/roles/manifests/munin_master.pp | 3 +++
 modules/samhain/templates/samhainrc.erb | 2 +-
 9 files changed, 24 insertions(+), 27 deletions(-)
 create mode 100644 data/nodes/menotti.debian.org.yaml
 delete mode 100644 modules/munin/files/munin-async-authkeys
 create mode 100644 modules/roles/manifests/munin_master.pp

diff --git a/data/nodes/menotti.debian.org.yaml b/data/nodes/menotti.debian.org.yaml
new file mode 100644
index 000000000..941d63cde
--- /dev/null
+++ b/data/nodes/menotti.debian.org.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+ - roles::munin_master
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index ef96c5758..de43f7634 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@
 allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
 roles = scope.lookupvar('deprecated::roles')
 
- %w{nagiosmaster muninmaster postgres_backup_server}.each do |role|
+ %w{nagiosmaster postgres_backup_server}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@@ -45,10 +45,6 @@ @def $HOST_NAGIOS_V6 = (<%= scope.function_filter_ipv6([rolehost['nagiosmaster']]).uniq.join(' ') %>); @def $HOST_NAGIOS = ( $HOST_NAGIOS_V4 $HOST_NAGIOS_V6 ); -@def $HOST_MUNIN_V4 = (<%= scope.function_filter_ipv4([rolehost['muninmaster']]).uniq.join(' ') %>); -@def $HOST_MUNIN_V6 = (<%= scope.function_filter_ipv6([rolehost['muninmaster']]).uniq.join(' ') %>); -@def $HOST_MUNIN = ( $HOST_MUNIN_V4 $HOST_MUNIN_V6 ); - @def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>); @def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>); @def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 ); diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index f070aabf9..33d0335e7 100644 --- a/modules/ferm/templates/me.conf.erb +++ b/modules/ferm/templates/me.conf.erb @@ -26,8 +26,8 @@ should_restrict = restrict_ssh.include?(@hostname) if should_restrict then # draghi makes for a nice jumphost - ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 82.195.75.106} - ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 2001:41b8:202:deb:1a1a:0:52c3:4b6a} + ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 82.195.75.106} + ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 2001:41b8:202:deb:1a1a:0:52c3:4b6a} if %w{draghi}.include?(@hostname) then ssh4allowed << '$HOST_DEBIAN_V4' diff --git a/modules/munin/files/munin-async-authkeys b/modules/munin/files/munin-async-authkeys deleted file mode 100644 index 2e2f992cc..000000000 --- a/modules/munin/files/munin-async-authkeys +++ /dev/null 
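Review bot: Dropping `$HOST_MUNIN_V4`/`$HOST_MUNIN_V6` from `ssh4allowed`/`ssh6allowed` removes the munin master's only explicit ssh allowance on hosts in `restrict_ssh`, while this same commit moves spool collection to ssh (`munin-async --spoolfetch`, keyed `from` the master's `$base::public_addresses`). Unless the master's addresses are already covered by `$DSA_IPS`/`$DSA_V6_IPS`, spoolfetch against a restricted node will now be blocked by ferm rather than by the removed `$HOST_MUNIN_*` rule. Whatever replaces the deleted `$HOST_MUNIN_*` definitions should feed the master's addresses back into this list, or the commit message should state that restricted hosts are meant to be unreachable for the master. The `if should_restrict then` block opened in this hunk closes outside it.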
@@ -1 +0,0 @@
-command="/usr/share/munin/munin-async --spoolfetch",from="209.87.16.29,2607:f8f0:614:1::1274:29",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDABeQNPz9HqeTgDxA7SnVHn/km+0stmAPCT2fXJxtraK0tsULiBmnNznDpVmI6zdIjX6PQGhE4QZUaCj+5GGVmrfUE/txXPpVA4ViFqZitbTcg+6j30G4kJck+Z1mlOJ0pTEKGOXzdbsci7c9WatKq/iLiXmcJzlrcBo7jaaeartsFIVaKqEwR0cxASCh0QCs8jbuM1viJHHMPAIeWqbkLpCGe0BDktW8+Rfp6lwk0aoii6IosnllfRIyVxw21V5wob3DmsY/iSFKkGaia3X1FBdJo60FQWfPFlBI1YQZZanc1NR93ncYh22PUtndPeJYM52gDGQXblzNf1D6QfwzT munin@menotti (2013-05-31)
diff --git a/modules/munin/manifests/init.pp b/modules/munin/manifests/init.pp
index 736fd0d21..87ba74884 100644
--- a/modules/munin/manifests/init.pp
+++ b/modules/munin/manifests/init.pp
@@ -55,19 +55,6 @@ class munin {
 notify => Service['munin-node'],
 }
 
- ferm::rule { 'dsa-munin-v4':
- description => 'Allow munin from munin master',
- rule => 'proto tcp mod state state (NEW) dport (munin) @subchain \'munin\' { saddr ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) ACCEPT; }',
- notarule => true,
- }
- 
- ferm::rule { 'dsa-munin-v6':
- description => 'Allow munin from munin master',
- domain => 'ip6',
- rule => 'proto tcp mod state state (NEW) dport (munin) @subchain \'munin\' { saddr ($HOST_MUNIN_V6 $HOST_NAGIOS_V6) ACCEPT; }',
- notarule => true,
- }
- 
 @@munin::master_per_node { $::fqdn: }
 
 package { 'munin-async':
@@ -84,6 +71,10 @@ class munin {
 | EOF
 }
 file { '/etc/ssh/userkeys/munin-async':
- source => 'puppet:///modules/munin/munin-async-authkeys',
+ ensure => 'absent',
+ }
+ ssh::authorized_key_collect { 'munin-async-fetcher':
+ target_user => 'munin-async',
+ collect_tag => 'munin::munin-async-fetch',
 }
 }
diff --git a/modules/munin/manifests/master.pp b/modules/munin/manifests/master.pp
index e389f534d..7b35b4472 100644
--- a/modules/munin/manifests/master.pp
+++ b/modules/munin/manifests/master.pp
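Review bot: The `file { '/etc/ssh/userkeys/munin-async': ensure => 'absent' }` added here may collide with the `ssh::authorized_key_collect` resource right below it, if that define assembles the collected keys into the same per-user file under `/etc/ssh/userkeys/` — then either the catalog fails on a duplicate resource or the two resources fight every run; worth confirming against the define before merging. If the absent resource is only meant to clean up the old static file, a comment such as `# remove the statically shipped authkeys file; keys now come from the exported munin::munin-async-fetch collection` would make that intent clear. Note also that the ferm rules removed in the previous hunk allowed `$HOST_NAGIOS_V4`/`$HOST_NAGIOS_V6` on the munin port too, so any Nagios check that still talks to munin-node directly is now firewalled; the commit message only mentions the master. `class munin` begins outside both hunks.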
@@ -4,6 +4,15 @@ class munin::master {
 ensure => installed
 }
 
+ ssh::keygen { 'munin' : }
+ ssh::authorized_key_add { 'munin-async-fetcher':
+ target_user => 'munin-async',
+ key => dig($facts, 'ssh_keys_users', 'munin', 'id_rsa.pub', 'line'),
+ command => '/usr/share/munin/munin-async --spoolfetch',
+ from => $base::public_addresses,
+ collect_tag => 'munin::munin-async-fetch'
+ }
+ 
 file { '/etc/munin/munin.conf':
 content => template('munin/munin.conf.erb'),
 require => Package['munin'];
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index f94ebd2c7..eff82e77d 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -7,10 +7,6 @@
 # include roles
 #
 class roles {
- if has_role('muninmaster') {
- include munin::master
- }
- 
 if has_role('nagiosmaster') {
 include nagios::server
 }
diff --git a/modules/roles/manifests/munin_master.pp b/modules/roles/manifests/munin_master.pp
new file mode 100644
index 000000000..752565edb
--- /dev/null
+++ b/modules/roles/manifests/munin_master.pp
@@ -0,0 +1,3 @@
+class roles::munin_master {
+ include munin::master
+}
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 13282df11..68ed9a3dc 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -436,7 +436,7 @@ file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
 file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg
 file=/etc/nagios3/puppetconf.d/contacts.cfg
 <% end -%>
-<% if scope.function_has_role(['muninmaster']) -%>
+<% if classes.include?('roles::munin_master') -%>
 file=/etc/munin/munin.conf
 <% end -%>
 <% if classes.include?('roles::puppetmaster') -%>
-- 
2.20.1
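Review bot: The replaced static authorized_keys entry carried `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc` alongside `command=` and `from=`, but the new `ssh::authorized_key_add` passes only `command` and `from`; unless that define adds the forwarding/pty restrictions itself, the collected key is less constrained than the one it supersedes, and the define should gain those options (or a comment should state that it emits them by default). `from => $base::public_addresses` looks like an array, while the `from=` option is a single comma-separated pattern list — confirm the define joins it rather than stringifying the array. Likewise `key => dig($facts, 'ssh_keys_users', 'munin', 'id_rsa.pub', 'line')` reads a fact that `ssh::keygen { 'munin': }` only creates during the same run, so the first run plausibly exports an undef key; a guard such as `if $facts['ssh_keys_users']['munin'] { ... }` around the export would avoid pushing an empty entry to every node. `class munin::master` continues outside the hunk.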