jriou/ansible-pilote
1
0
Fork 0
Code Issues Pull requests Activity

feat: Add SSL to nagios and NRPE

Browse source 
Signed-off-by: Julien Riou <julien@riou.xyz>
This commit is contained in:
Julien Riou 2026-04-09 12:07:14 +02:00
commit 6efcdbf337
Signed by: jriou
GPG key ID: 9A099EDA51316854
4 changed files with 149 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

67
group_vars/README.md
View file

@ -343,6 +343,35 @@ mosquitto_passwords:
See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html) See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html)
command to generate the hash file. command to generate the hash file.
## nagios_ssl_remote_ca_file
If a SSL certificate is managed by a third party tool (like certbot), define
the path to the CA file on the remote host. This file will be copied to
`/etc/nagios4/ca.crt`.
```yaml
nagios_ssl_remote_ca_file: /usr/local/share/ca-certificates/homelab.crt
```
## nagios_ssl_remote_cert_file
If a SSL certificate is managed by a third party tool (like certbot), define
the path to the cert file on the remote host. This file will be copied to
`/etc/nagios4/client.crt`.
```yaml
nagios_ssl_remote_cert_file: /etc/letsencrypt/live/pilote.fqdn/fullchain.pem
```
## nagios_ssl_remote_key_file
If a SSL certificate is managed by a third party tool (like certbot), define
the path to the key file on the remote host. This file will be copied to
`/etc/nagios4/client.key`.
```yaml
nagios_ssl_remote_key_file: /etc/letsencrypt/live/pilote.fqdn/privkey.pem
```
## nagios_commands ## nagios_commands
List of Nagios commands. List of Nagios commands.
@ -559,6 +588,44 @@ Options for the NRPE daemon.
nrpe_opts: '-n' # Disable TLS nrpe_opts: '-n' # Disable TLS
``` ```
## nrpe_enable_ssl
True to enable SSL settings. Requires `nrpe_ssl_remote_cert_file` and
`nrpe_ssl_remote_key_file` to be defined.
```yaml
nrpe_enable_ssl: false
```
## nrpe_ssl_remote_ca_file
If a SSL certificate is managed by a third party tool (like certbot), define
the path to the CA file on the remote host. This file will be copied to
`/etc/nagios/ca.crt`.
```yaml
nrpe_ssl_remote_ca_file: /usr/local/share/ca-certificates/homelab.crt
```
## nrpe_ssl_remote_cert_file
If a SSL certificate is managed by a third party tool (like certbot), define
the path to the cert file on the remote host. This file will be copied to
`/etc/nagios/server.crt`.
```yaml
nrpe_ssl_remote_cert_file: /etc/letsencrypt/live/pilote.fqdn/fullchain.pem
```
## nrpe_ssl_remote_key_file
If a SSL certificate is managed by a third party tool (like certbot), define
the path to the key file on the remote host. This file will be copied to
`/etc/nagios/server.key`.
```yaml
nrpe_ssl_remote_key_file: /etc/letsencrypt/live/pilote.fqdn/privkey.pem
```
## openvpn_ca ## openvpn_ca
Content of the certificate of the Certificate Authority (CA) used to certify Content of the certificate of the Certificate Authority (CA) used to certify

30
tasks/nagios.yml
View file

@ -22,6 +22,36 @@
- services - services
- templates - templates
- name: Copy SSL CA file
ansible.builtin.copy:
remote_src: true
src: "{{ nagios_ssl_remote_ca_file }}"
dest: /etc/nagios4/ca.crt
owner: nagios
group: nagios
mode: "0644"
when: nagios_ssl_remote_ca_file is defined
- name: Copy SSL cert file
ansible.builtin.copy:
remote_src: true
src: "{{ nagios_ssl_remote_cert_file }}"
dest: /etc/nagios4/client.crt
owner: nagios
group: nagios
mode: "0644"
when: nagios_ssl_remote_cert_file is defined
- name: Copy SSL key file
ansible.builtin.copy:
remote_src: true
src: "{{ nagios_ssl_remote_key_file }}"
dest: /etc/nagios4/client.key
owner: nagios
group: nagios
mode: "0600"
when: nagios_ssl_remote_key_file is defined
- name: Copy nagios contacts configuration - name: Copy nagios contacts configuration
ansible.builtin.template: ansible.builtin.template:
src: nagios/contacts.cfg.j2 src: nagios/contacts.cfg.j2

37
tasks/nrpe.yml
View file

@ -1,4 +1,11 @@
--- ---
- name: Check SSL requirements
ansible.builtin.assert:
that:
- nrpe_remote_ssl_cert_file is defined
- nrpe_remote_ssl_key_file is defined
when: nrpe_enable_ssl is truthy
- name: Install NRPE - name: Install NRPE
ansible.builtin.apt: ansible.builtin.apt:
name: name:
@ -38,6 +45,36 @@
dest: /etc/default/nagios-nrpe-server dest: /etc/default/nagios-nrpe-server
mode: "0644" mode: "0644"
- name: Copy SSL CA
ansible.builtin.copy:
remote_src: true
src: "{{ nrpe_remote_ssl_ca_file }}"
dest: /etc/nagios/ca.crt
owner: nagios
group: nagios
mode: "0644"
when: nrpe_remote_ssl_ca_file is defined
- name: Copy SSL cert
ansible.builtin.copy:
remote_src: true
src: "{{ nrpe_remote_ssl_cert_file }}"
dest: /etc/nagios/server.crt
owner: nagios
group: nagios
mode: "0644"
when: nrpe_remote_ssl_cert_file is defined
- name: Copy SSL key
ansible.builtin.copy:
remote_src: true
src: "{{ nrpe_remote_ssl_key_file }}"
dest: /etc/nagios/server.key
owner: nagios
group: nagios
mode: "0600"
when: nrpe_remote_ssl_key_file is defined
- name: Clone check-mqtt source code - name: Clone check-mqtt source code
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/jpmens/check-mqtt.git repo: https://github.com/jpmens/check-mqtt.git

15
templates/nrpe/nrpe.cfg.j2
View file

@ -11,4 +11,19 @@ dont_blame_nrpe=0
allow_bash_command_substitution=0 allow_bash_command_substitution=0
command_timeout=60 command_timeout=60
connection_timeout=300 connection_timeout=300
{% if nrpe_enable_ssl %}
ssl_client_certs=2
{% if nrpe_remote_ssl_ca_file is defined %}
ssl_cacert_file=/etc/nagios/ca.crt
{% endif %}
{% if nrpe_remote_ssl_cert_file is defined %}
ssl_cert_file=/etc/nagios/server.crt
{% endif %}
{% if nrpe_remote_ssl_key_file %}
ssl_privatekey_file=/etc/nagios/server.key
{% endif %}
ssl_logging=2
{% endif %}
include=/etc/nagios/nrpe_local.cfg include=/etc/nagios/nrpe_local.cfg