feat: Add SSL to nagios and NRPE

Signed-off-by: Julien Riou <julien@riou.xyz>

group_vars/README.md

@@ -343,6 +343,35 @@ mosquitto_passwords:
 See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html)
 command to generate the hash file.
 
+## nagios_ssl_remote_ca_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the CA file on the remote host. This file will be copied to
+`/etc/nagios4/ca.crt`.
+
+```yaml
+nagios_ssl_remote_ca_file: /usr/local/share/ca-certificates/homelab.crt
+```
+## nagios_ssl_remote_cert_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the cert file on the remote host. This file will be copied to
+`/etc/nagios4/client.crt`.
+
+```yaml
+nagios_ssl_remote_cert_file: /etc/letsencrypt/live/pilote.fqdn/fullchain.pem
+```
+
+## nagios_ssl_remote_key_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the key file on the remote host. This file will be copied to
+`/etc/nagios4/client.key`.
+
+```yaml
+nagios_ssl_remote_key_file: /etc/letsencrypt/live/pilote.fqdn/privkey.pem
+```
+
 ## nagios_commands
 
 List of Nagios commands.
@@ -559,6 +588,44 @@ Options for the NRPE daemon.
 nrpe_opts: '-n'  # Disable TLS
 ```
 
+## nrpe_enable_ssl
+
+True to enable SSL settings. Requires `nrpe_ssl_remote_cert_file` and
+`nrpe_ssl_remote_key_file` to be defined.
+
+```yaml
+nrpe_enable_ssl: false
+```
+
+## nrpe_ssl_remote_ca_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the CA file on the remote host. This file will be copied to
+`/etc/nagios/ca.crt`.
+
+```yaml
+nrpe_ssl_remote_ca_file: /usr/local/share/ca-certificates/homelab.crt
+```
+## nrpe_ssl_remote_cert_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the cert file on the remote host. This file will be copied to
+`/etc/nagios/server.crt`.
+
+```yaml
+nrpe_ssl_remote_cert_file: /etc/letsencrypt/live/pilote.fqdn/fullchain.pem
+```
+
+## nrpe_ssl_remote_key_file
+
+If a SSL certificate is managed by a third party tool (like certbot), define
+the path to the key file on the remote host. This file will be copied to
+`/etc/nagios/server.key`.
+
+```yaml
+nrpe_ssl_remote_key_file: /etc/letsencrypt/live/pilote.fqdn/privkey.pem
+```
+
 ## openvpn_ca
 
 Content of the certificate of the Certificate Authority (CA) used to certify

tasks/nagios.yml

@@ -22,6 +22,36 @@
     - services
     - templates
 
+- name: Copy SSL CA file
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ nagios_ssl_remote_ca_file }}"
+    dest: /etc/nagios4/ca.crt
+    owner: nagios
+    group: nagios
+    mode: "0644"
+  when: nagios_ssl_remote_ca_file is defined
+
+- name: Copy SSL cert file
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ nagios_ssl_remote_cert_file }}"
+    dest: /etc/nagios4/client.crt
+    owner: nagios
+    group: nagios
+    mode: "0644"
+  when: nagios_ssl_remote_cert_file is defined
+
+- name: Copy SSL key file
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ nagios_ssl_remote_key_file }}"
+    dest: /etc/nagios4/client.key
+    owner: nagios
+    group: nagios
+    mode: "0600"
+  when: nagios_ssl_remote_key_file is defined
+
 - name: Copy nagios contacts configuration
   ansible.builtin.template:
     src: nagios/contacts.cfg.j2

tasks/nrpe.yml

@@ -1,4 +1,11 @@
 ---
+- name: Check SSL requirements
+  ansible.builtin.assert:
+    that:
+      - nrpe_remote_ssl_cert_file is defined
+      - nrpe_remote_ssl_key_file is defined
+  when: nrpe_enable_ssl is truthy
+
 - name: Install NRPE
   ansible.builtin.apt:
     name:
@@ -38,6 +45,36 @@
     dest: /etc/default/nagios-nrpe-server
     mode: "0644"
 
+- name: Copy SSL CA
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ nrpe_remote_ssl_ca_file }}"
+    dest: /etc/nagios/ca.crt
+    owner: nagios
+    group: nagios
+    mode: "0644"
+  when: nrpe_remote_ssl_ca_file is defined
+
+- name: Copy SSL cert
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ nrpe_remote_ssl_cert_file }}"
+    dest: /etc/nagios/server.crt
+    owner: nagios
+    group: nagios
+    mode: "0644"
+  when: nrpe_remote_ssl_cert_file is defined
+
+- name: Copy SSL key
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ nrpe_remote_ssl_key_file }}"
+    dest: /etc/nagios/server.key
+    owner: nagios
+    group: nagios
+    mode: "0600"
+  when: nrpe_remote_ssl_key_file is defined
+
 - name: Clone check-mqtt source code
   ansible.builtin.git:
     repo: https://github.com/jpmens/check-mqtt.git

templates/nrpe/nrpe.cfg.j2

@@ -11,4 +11,19 @@ dont_blame_nrpe=0
 allow_bash_command_substitution=0
 command_timeout=60
 connection_timeout=300
+
+{% if nrpe_enable_ssl %}
+ssl_client_certs=2
+{% if nrpe_remote_ssl_ca_file is defined %}
+ssl_cacert_file=/etc/nagios/ca.crt
+{% endif %}
+{% if nrpe_remote_ssl_cert_file is defined %}
+ssl_cert_file=/etc/nagios/server.crt
+{% endif %}
+{% if nrpe_remote_ssl_key_file %}
+ssl_privatekey_file=/etc/nagios/server.key
+{% endif %}
+ssl_logging=2
+{% endif %}
+
 include=/etc/nagios/nrpe_local.cfg