feat: Add sudo to NRPE commands

Signed-off-by: Julien Riou <julien@riou.xyz>

group_vars/README.md

@@ -548,6 +548,7 @@ nrpe_commands:
     line: >-
       /opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity
       --ignore-incomplete-chain  --allow-empty-san --ignore-sct --warning 15 --critical 1
+    sudo: true
 ```
 
 ## nrpe_opts

tasks/nrpe.yml

@@ -18,6 +18,20 @@
     dest: /etc/nagios/nrpe_local.cfg
     mode: "0644"
 
+- name: List sudo commands
+  ansible.builtin.set_fact:
+    nrpe_sudo_commands: "{{ nrpe_sudo_commands | default([]) + [item.line] }}"
+  loop: "{{ nrpe_commands }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: '"sudo" in item and item.sudo is truthy'
+
+- name: Setup sudoers
+  community.general.sudoers:
+    name: nagios_nrpe
+    user: nagios
+    commands: "{{ nrpe_sudo_commands | default([]) }}"
+
 - name: Manage daemon settings
   ansible.builtin.template:
     src: nrpe/nagios-nrpe-server.j2

templates/nrpe/nrpe_local.cfg.j2

@@ -1,5 +1,5 @@
 {{ ansible_managed | comment }}
 
 {% for command in nrpe_commands | default([]) %}
-command[{{ command['name'] }}]={{ command['line'] }}
+command[{{ command['name'] }}]={% if 'sudo' in command and command['sudo'] is truthy %}sudo {% endif %}{{ command['line'] }}
 {% endfor %}