Puppet Class: nrpe

Inherits:
nrpe::params
Defined in:
manifests/init.pp

Summary

Installs and configures NRPE

Overview

Examples:

Basic usage

class { 'nrpe':
  allowed_hosts => [
    '127.0.0.1',
    'nagios.example.org',
  ],
}

With SSL

class { 'nrpe':
  allowed_hosts               => 'nagios.example.org',
  ssl_cert_file_content       => file('profile/ssl/nagios.example.org.crt'),
  ssl_privatekey_file_content => file('profile/ssl/nagios.example.org.key'),
  ssl_cacert_file_content     => file('profile/ssl/GeoTrust_RSA_CA_2018.crt'),
  ssl_client_certs            => 'require',
}

Parameters:

  • allowed_hosts (Array[Variant[Stdlib::Fqdn,Stdlib::IP::Address]]) (defaults to: ['127.0.0.1'])

    Specifies the hosts that NRPE will accept connections from.

  • server_address (Stdlib::IP::Address) (defaults to: '0.0.0.0')

    Specifies the IP address of the inteface that NRPE should bind to. Useful when the system has more than one interface.

  • commands (Hash) (defaults to: {})

    A Hash of ‘nrpe::command` resources you want to create. Recommended when you want to define `nrpe::command`s in hiera data.

  • plugins (Hash) (defaults to: {})

    A Hash of ‘nrpe::plugin` resources you want to create. Recommended when you want to define `nrpe::plugin`s in hiera data.

  • command_timeout (Integer[0]) (defaults to: 60)

    Specifies the maximum number of seconds that the NRPE daemon will allow plugins to finish executing before killing them off.

  • package_name (Variant[String[1], Array[String[1]]]) (defaults to: $nrpe::params::nrpe_packages)

    The package name or array of package names that will be installed. The default is often fine, but you may wish to set this to install extra packages like ‘nrpe-selinux`.

  • manage_package (Boolean) (defaults to: true)

    By default, set to ‘true` and the `nrpe` class will manage the OS package(s).

  • purge (Boolean) (defaults to: false)

    When set to true, the module will purge any unmanaged commands from the NRPE includedir.

  • dont_blame_nrpe (Boolean) (defaults to: $nrpe::params::dont_blame_nrpe)

    Determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed. ENABLING THIS OPTION IS A SECURITY RISK!

  • log_facility (Nrpe::Syslogfacility) (defaults to: $nrpe::params::log_facility)

    The syslog facility that should be used for logging purposes.

  • server_port (Stdlib::Port::Unprivileged) (defaults to: $nrpe::params::server_port)

    The port that NRPE should listen for connections on.

  • command_prefix (Optional[Stdlib::Absolutepath]) (defaults to: $nrpe::params::command_prefix)

    This option allows you to prefix all commands with a user-defined string. Although often used to run all commands with sudo, ‘nrpe::command` has dedicated `sudo` parameters for this.

  • debug (Boolean) (defaults to: $nrpe::params::debug)

    This option determines whether or not debugging messages are logged to the syslog facility.

  • connection_timeout (Integer[0]) (defaults to: $nrpe::params::connection_timeout)

    Specifies the maximum number of seconds that the NRPE daemon will wait for a connection to be established before exiting.

  • allow_weak_random_seed (Boolean) (defaults to: $nrpe::params::allow_weak_random_seed)

    Determines whether or not the NRPE daemon will use weak sources of randomness

  • allow_bash_command_substitution (Optional[Boolean]) (defaults to: $nrpe::params::allow_bash_command_substitution)

    Determines whether or not the NRPE daemon will allow clients to specify arguments that contain bash command substitutions of the form ‘$(…)`. ** ENABLING THIS OPTION IS A HIGH SECURITY RISK! **

  • nrpe_user (String[1]) (defaults to: $nrpe::params::nrpe_user)

    Determines the effective user that the NRPE daemon should run as.

  • nrpe_group (String[1]) (defaults to: $nrpe::params::nrpe_group)

    Determines the effective group that the NRPE daemon should run as.

  • nrpe_pid_file (Stdlib::Absolutepath) (defaults to: $nrpe::params::nrpe_pid_file)

    The name of the file in which the NRPE daemon should write it’s process ID number.

  • command_file_default_mode (Stdlib::Filemode) (defaults to: '0644')

    The default file mode to use when creating NRPE command files in the includedir.

  • supplementary_groups (Array[String[1]]) (defaults to: [])

    If set, the ‘nrpe_user` will be added to these supplementary groups.

  • nrpe_ssl_dir (Stdlib::Absolutepath) (defaults to: $nrpe::params::nrpe_ssl_dir)

    The directory that SSL certificates and keys will be created in.

  • ssl_cert_file_content (Optional[String[1]]) (defaults to: undef)

    A string containing the SSL Certificate.

  • ssl_privatekey_file_content (Optional[String[1]]) (defaults to: undef)

    A string containing the SSL private KEY. It is recommended to source this parameter from hiera and use EYAML or similar to encrypt the data.

  • ssl_cacert_file_content (Optional[String[1]]) (defaults to: undef)

    A string containing the SSL CA Cert file contents.

  • ssl_version (Nrpe::Sslversion) (defaults to: $nrpe::params::ssl_version)

    The SSL Version to use. The default of ‘TLSv1.2+` is the most secure option available at time of writing. Avoid having to set it to a lower value if possible.

  • ssl_ciphers (Array[String[1]]) (defaults to: $nrpe::params::ssl_ciphers)

    An array of ciphers that should be allowed by NRPE. The defaults are for RSA keys and were taken from github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices.

  • ssl_client_certs (Enum['no','ask','require']) (defaults to: $nrpe::params::ssl_client_certs)

    This options determines client certificate usage.

  • ssl_log_startup_params (Boolean) (defaults to: false)

    Whether to log startup SSL/TLS parameters.

  • ssl_log_remote_ip (Boolean) (defaults to: false)

    Whether to log remote IP address of SSL client.

  • ssl_log_protocol_version (Boolean) (defaults to: false)

    Whether to log SSL/TLS version of connections.

  • ssl_log_cipher (Boolean) (defaults to: false)

    Whether to log which encryption cipher is being used for SSL connections.

  • ssl_log_client_cert (Boolean) (defaults to: false)

    Whether to log if an SSL client has presented a certificate.

  • ssl_log_client_cert_details (Boolean) (defaults to: false)

    Whether to log details of client SSL certificates.

  • manage_pid_dir (Boolean) (defaults to: false)

    Whether to manage the directory where the PID file should exist.

  • config (Stdlib::Absolutepath) (defaults to: $nrpe::params::nrpe_config)

    Private You should not need to override this parameter.

  • include_dir (Stdlib::Absolutepath) (defaults to: $nrpe::params::nrpe_include_dir)

    Private You should not need to override this parameter.

  • provider (Optional[String[1]]) (defaults to: $nrpe::params::nrpe_provider)

    Private You should not need to override this parameter.

  • service_name (String[1]) (defaults to: $nrpe::params::nrpe_service)

    Private You should not need to override this parameter.

See Also:



102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
 
# File 'manifests/init.pp', line 102

class nrpe (
  Array[Variant[Stdlib::Fqdn,Stdlib::IP::Address]] $allowed_hosts       = ['127.0.0.1'],
  Stdlib::IP::Address                  $server_address                  = '0.0.0.0',
  Hash                                 $commands                        = {},
  Hash                                 $plugins                         = {},
  Integer[0]                           $command_timeout                 = 60,
  Variant[String[1], Array[String[1]]] $package_name                    = $nrpe::params::nrpe_packages,
  Boolean                              $manage_package                  = true,
  Boolean                              $purge                           = false,
  Boolean                              $dont_blame_nrpe                 = $nrpe::params::dont_blame_nrpe,
  Nrpe::Syslogfacility                 $log_facility                    = $nrpe::params::log_facility,
  Stdlib::Port::Unprivileged           $server_port                     = $nrpe::params::server_port,
  Optional[Stdlib::Absolutepath]       $command_prefix                  = $nrpe::params::command_prefix,
  Boolean                              $debug                           = $nrpe::params::debug,
  Integer[0]                           $connection_timeout              = $nrpe::params::connection_timeout,
  Boolean                              $allow_weak_random_seed          = $nrpe::params::allow_weak_random_seed,
  Optional[Boolean]                    $allow_bash_command_substitution = $nrpe::params::allow_bash_command_substitution,
  String[1]                            $nrpe_user                       = $nrpe::params::nrpe_user,
  String[1]                            $nrpe_group                      = $nrpe::params::nrpe_group,
  Stdlib::Absolutepath                 $nrpe_pid_file                   = $nrpe::params::nrpe_pid_file,
  Stdlib::Absolutepath                 $nrpe_ssl_dir                    = $nrpe::params::nrpe_ssl_dir,
  Optional[String[1]]                  $ssl_cert_file_content           = undef,
  Optional[String[1]]                  $ssl_privatekey_file_content     = undef,
  Optional[String[1]]                  $ssl_cacert_file_content         = undef,
  Nrpe::Sslversion                     $ssl_version                     = $nrpe::params::ssl_version,
  Array[String[1]]                     $ssl_ciphers                     = $nrpe::params::ssl_ciphers,
  Enum['no','ask','require']           $ssl_client_certs                = $nrpe::params::ssl_client_certs,
  Boolean                              $ssl_log_startup_params          = false,
  Boolean                              $ssl_log_remote_ip               = false,
  Boolean                              $ssl_log_protocol_version        = false,
  Boolean                              $ssl_log_cipher                  = false,
  Boolean                              $ssl_log_client_cert             = false,
  Boolean                              $ssl_log_client_cert_details     = false,
  Stdlib::Filemode                     $command_file_default_mode       = '0644',
  Array[String[1]]                     $supplementary_groups            = [],
  Boolean                              $manage_pid_dir                  = false,

  # Private parameters.  You shouldn't need to override these.
  Stdlib::Absolutepath                 $config                          = $nrpe::params::nrpe_config,
  Stdlib::Absolutepath                 $include_dir                     = $nrpe::params::nrpe_include_dir,
  Optional[String[1]]                  $provider                        = $nrpe::params::nrpe_provider,
  String[1]                            $service_name                    = $nrpe::params::nrpe_service,
) inherits nrpe::params {
  # Extra validation
  if $ssl_cert_file_content {
    assert_type(String[1], $ssl_privatekey_file_content)
    assert_type(String[1], $ssl_cacert_file_content)
  }

  contain nrpe::install
  contain nrpe::config
  contain nrpe::service

  Class['nrpe::install']
  -> Class['nrpe::config']
  ~> Class['nrpe::service']

  $commands.each |String $key, Hash $attrs| {
    nrpe::command { $key:
      * => $attrs,
    }
  }
  $plugins.each |String $key, Hash $attrs| {
    nrpe::plugin { $key:
      * => $attrs,
    }
  }

  Class['nrpe::install'] -> Nrpe::Plugin <||>
  Class['nrpe::install'] -> Nrpe::Command <||> ~> Class['nrpe::service']
}