From 6efcdbf337a5c343f7d255c8769911e96c20e8b7 Mon Sep 17 00:00:00 2001
From: Julien Riou
Date: Thu, 9 Apr 2026 12:07:14 +0200
Subject: [PATCH] feat: Add SSL to nagios and NRPE
Signed-off-by: Julien Riou
---
 group_vars/README.md | 67 ++++++++++++++++++++++++++++++++++++++
 tasks/nagios.yml | 30 +++++++++++++++++
 tasks/nrpe.yml | 37 +++++++++++++++++++++
 templates/nrpe/nrpe.cfg.j2 | 15 +++++++++
 4 files changed, 149 insertions(+)
diff --git a/group_vars/README.md b/group_vars/README.md
index e8d19dd..5234460 100644
--- a/group_vars/README.md
+++ b/group_vars/README.md
@@ -343,6 +343,35 @@ mosquitto_passwords:
 See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html) command to generate the hash file.
+## nagios_ssl_remote_ca_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the CA file on the remote host. This file will be copied to
+`/etc/nagios4/ca.crt`.
+
+```yaml
+nagios_ssl_remote_ca_file: /usr/local/share/ca-certificates/homelab.crt
+```
+## nagios_ssl_remote_cert_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the cert file on the remote host. This file will be copied to
+`/etc/nagios4/client.crt`.
+
+```yaml
+nagios_ssl_remote_cert_file: /etc/letsencrypt/live/pilote.fqdn/fullchain.pem
+```
+
+## nagios_ssl_remote_key_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the key file on the remote host. This file will be copied to
+`/etc/nagios4/client.key`.
+
+```yaml
+nagios_ssl_remote_key_file: /etc/letsencrypt/live/pilote.fqdn/privkey.pem
+```
+
 ## nagios_commands
 List of Nagios commands.
@@ -559,6 +588,44 @@ Options for the NRPE daemon.
 nrpe_opts: '-n' # Disable TLS
 ```
+## nrpe_enable_ssl
+
+True to enable SSL settings. Requires `nrpe_ssl_remote_cert_file` and
+`nrpe_ssl_remote_key_file` to be defined.
+
+```yaml
+nrpe_enable_ssl: false
+```
+
+## nrpe_ssl_remote_ca_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the CA file on the remote host. This file will be copied to
+`/etc/nagios/ca.crt`.
+
+```yaml
+nrpe_ssl_remote_ca_file: /usr/local/share/ca-certificates/homelab.crt
+```
+## nrpe_ssl_remote_cert_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the cert file on the remote host. This file will be copied to
+`/etc/nagios/server.crt`.
+
+```yaml
+nrpe_ssl_remote_cert_file: /etc/letsencrypt/live/pilote.fqdn/fullchain.pem
+```
+
+## nrpe_ssl_remote_key_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the key file on the remote host. This file will be copied to
+`/etc/nagios/server.key`.
+
+```yaml
+nrpe_ssl_remote_key_file: /etc/letsencrypt/live/pilote.fqdn/privkey.pem
+```
+
 ## openvpn_ca
 Content of the certificate of the Certificate Authority (CA) used to certify
diff --git a/tasks/nagios.yml b/tasks/nagios.yml
index c8c2756..7fa80f4 100644
--- a/tasks/nagios.yml
+++ b/tasks/nagios.yml
@@ -22,6 +22,36 @@
 - services
 - templates
+- name: Copy SSL CA file
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ nagios_ssl_remote_ca_file }}"
+ dest: /etc/nagios4/ca.crt
+ owner: nagios
+ group: nagios
+ mode: "0644"
+ when: nagios_ssl_remote_ca_file is defined
+
+- name: Copy SSL cert file
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ nagios_ssl_remote_cert_file }}"
+ dest: /etc/nagios4/client.crt
+ owner: nagios
+ group: nagios
+ mode: "0644"
+ when: nagios_ssl_remote_cert_file is defined
+
+- name: Copy SSL key file
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ nagios_ssl_remote_key_file }}"
+ dest: /etc/nagios4/client.key
+ owner: nagios
+ group: nagios
+ mode: "0600"
+ when: nagios_ssl_remote_key_file is defined
+
 - name: Copy nagios contacts configuration
 ansible.builtin.template:
 src: nagios/contacts.cfg.j2
diff --git a/tasks/nrpe.yml b/tasks/nrpe.yml
index 2b6657e..811640d 100644
--- a/tasks/nrpe.yml
+++ b/tasks/nrpe.yml
@@ -1,4 +1,11 @@
 ---
+- name: Check SSL requirements
+ ansible.builtin.assert:
+ that:
+ - nrpe_remote_ssl_cert_file is defined
+ - nrpe_remote_ssl_key_file is defined
+ when: nrpe_enable_ssl is truthy
+
 - name: Install NRPE
 ansible.builtin.apt:
+ name:
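Review bot: The three copy tasks added to tasks/nagios.yml run independently of each other, so `nagios_ssl_remote_cert_file` can be defined without `nagios_ssl_remote_key_file` (or the reverse) and the play finishes with a half-deployed client identity under /etc/nagios4 that only fails at the first TLS handshake. The NRPE side of this same commit guards exactly that case with a `Check SSL requirements` assert, and the nagios side deserves the same check before its first copy task, conditioned on either variable being set. The key task's `mode: "0600"` with `owner: nagios` is the right permission for the private key; the CA and cert at `0644` are fine.

```yaml
- name: Check SSL requirements
  ansible.builtin.assert:
    that:
      - nagios_ssl_remote_cert_file is defined
      - nagios_ssl_remote_key_file is defined
  when: nagios_ssl_remote_cert_file is defined or nagios_ssl_remote_key_file is defined

# … unchanged: Copy SSL CA file / Copy SSL cert file / Copy SSL key file tasks …
```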
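Review bot: The assert checks `nrpe_remote_ssl_cert_file` and `nrpe_remote_ssl_key_file`, but the README added by this same commit documents `nrpe_ssl_remote_cert_file`, `nrpe_ssl_remote_key_file` and `nrpe_ssl_remote_ca_file` (the `nagios_ssl_remote_*` names follow that word order too), so a user who sets the documented variables will either hit this assert with `nrpe_enable_ssl: true` or, with it false, have the documented variables silently ignored. The copy tasks in the second tasks/nrpe.yml hunk and the `{% if … is defined %}` guards in templates/nrpe/nrpe.cfg.j2 use the `nrpe_remote_ssl_*` spelling as well, so either the README or all three code hunks need renaming. Aligning code with the docs and with the nagios naming means changing these two lines to `- nrpe_ssl_remote_cert_file is defined` and `- nrpe_ssl_remote_key_file is defined` here and renaming the same three variables in the other two hunks.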
@@ -38,6 +45,36 @@
 dest: /etc/default/nagios-nrpe-server
 mode: "0644"
+- name: Copy SSL CA
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ nrpe_remote_ssl_ca_file }}"
+ dest: /etc/nagios/ca.crt
+ owner: nagios
+ group: nagios
+ mode: "0644"
+ when: nrpe_remote_ssl_ca_file is defined
+
+- name: Copy SSL cert
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ nrpe_remote_ssl_cert_file }}"
+ dest: /etc/nagios/server.crt
+ owner: nagios
+ group: nagios
+ mode: "0644"
+ when: nrpe_remote_ssl_cert_file is defined
+
+- name: Copy SSL key
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ nrpe_remote_ssl_key_file }}"
+ dest: /etc/nagios/server.key
+ owner: nagios
+ group: nagios
+ mode: "0600"
+ when: nrpe_remote_ssl_key_file is defined
+
 - name: Clone check-mqtt source code
 ansible.builtin.git:
 repo: https://github.com/jpmens/check-mqtt.git
diff --git a/templates/nrpe/nrpe.cfg.j2 b/templates/nrpe/nrpe.cfg.j2
index 9511b62..e9e96c5 100644
--- a/templates/nrpe/nrpe.cfg.j2
+++ b/templates/nrpe/nrpe.cfg.j2
@@ -11,4 +11,19 @@ dont_blame_nrpe=0
 allow_bash_command_substitution=0
 command_timeout=60
 connection_timeout=300
+
+{% if nrpe_enable_ssl %}
+ssl_client_certs=2
+{% if nrpe_remote_ssl_ca_file is defined %}
+ssl_cacert_file=/etc/nagios/ca.crt
+{% endif %}
+{% if nrpe_remote_ssl_cert_file is defined %}
+ssl_cert_file=/etc/nagios/server.crt
+{% endif %}
+{% if nrpe_remote_ssl_key_file %}
+ssl_privatekey_file=/etc/nagios/server.key
+{% endif %}
+ssl_logging=2
+{% endif %}
+
 include=/etc/nagios/nrpe_local.cfg
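Review bot: None of the three copy tasks carries a `notify`, so when certbot rotates the certificate and a later run refreshes `/etc/nagios/server.crt` and `/etc/nagios/server.key`, the NRPE daemon that is already running keeps serving the previous pair until something else restarts it. The template task earlier in tasks/nrpe.yml may notify a restart handler, but that is outside this hunk and would not fire on a run where only the cert and key changed. If the role already has an NRPE restart handler, adding `notify:` with that handler's name (not visible here) to the cert and key tasks closes the gap; a trailing `meta: flush_handlers` is not needed since the restart can happen at the end of the play. The key task's `mode: "0600"` and `owner: nagios` are correct for the private key.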
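Review bot: The guard `{% if nrpe_remote_ssl_key_file %}` is the only one of the three without `is defined`; under Ansible's strict-undefined templating a bare truth test on an unset variable presumably raises rather than evaluating false, so for consistency with its siblings it should read `{% if nrpe_remote_ssl_key_file is defined %}`. More importantly, `ssl_client_certs=2` requires the connecting Nagios server to present a certificate, yet `ssl_cacert_file` is only emitted when the CA variable is defined, and the assert in the first tasks/nrpe.yml hunk does not require the CA; with client certs required and no CA configured the daemon has nothing to validate the client chain against, which is likely to reject every check (behaviour of nrpe without a cacert is not shown here). Either extend the assert to require the CA variable whenever `nrpe_enable_ssl` is true, or emit `ssl_client_certs=2` only inside the CA guard. Finally, the documented default `nrpe_opts: '-n' # Disable TLS` visible in the README hunk turns TLS off on the daemon command line, so a host with `nrpe_enable_ssl: true` and an unchanged `nrpe_opts` renders all of these settings inert while the operator believes TLS is on; a README sentence on `nrpe_enable_ssl`, or an assert that `nrpe_opts` does not contain `-n`, would prevent that silent downgrade.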