From c2ed10e2e44fda8859655ad486aa92502a882130 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 6 Apr 2018 09:26:51 +0200 Subject: [PATCH 1/5] CHANGELOG cleanup --- CHANGELOG.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 54807d8d..979021e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,38 +11,38 @@ The **patch** part changes incrementally at each release.
 ## [Unreleased]
 ### Added
-* postfix: add lines in /etc/.gitignore
-* nagios-nrpe: add "check_open_files" plugin
-* nagios-nrpe: mark plugins as executable
-* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
-* mysql: remount /usr before creating scripts directory
-* packweb-apache: choose mysql variant (default: `debian`)
-* haproxy: install Munin plugins
-* proftpd: use proftpd_accounts list for manage ftp accounts
+* added a few become attributes where missing
 * etc-git: add tags for Ansible
 * evolinux-base: install ncurses-term package
-* added a few become attributes where missing
-* redmine: added missing tags
+* haproxy: install Munin plugins
+* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
+* mysql: remount /usr before creating scripts directory
+* nagios-nrpe: add "check_open_files" plugin
+* nagios-nrpe: mark plugins as executable
 * nodejs: Yarn package manager can be installed (default: `false`)
+* packweb-apache: choose mysql variant (default: `debian`)
+* postfix: add lines in /etc/.gitignore
+* proftpd: use "proftpd_accounts" list to manage ftp accounts
+* redmine: added missing tags
 ### Changed
-* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
 * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
-* nagios-nrpe: mark plugins as executable
-* mongodb: configuration is forced by default but it's configurable (default: `false`)
-* mongodb: allow unauthenticated packages for Jessie
-* mongodb: rename logrotate script
-* nginx: package name can be specified (default: `nginx-full`)
+* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
-* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
+* mongodb: allow unauthenticated packages for Jessie
+* mongodb: configuration is forced by default but it's configurable (default: `false`)
+* mongodb: rename logrotate script
+* nagios-nrpe: mark plugins as executable
+* nginx: don't debug variables in verbosity 0
+* nginx: package name can be specified (default: `nginx-full`)
 * php: fix FPM custom file permissions
 * php: more tasks notify FPM handler to restart if needed
-* nginx: don't debug variables in verbosity 0
+* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
 ### Fixed
-* nginx: fix basic auth for default vhost
 * dovecot: fix support of plus sign
 * mysql/mysql-oracle: mysqltuner cron task is executable
+* nginx: fix basic auth for default vhost
 * rbenv: fix become user issue with copy tasks
 ## [9.1.6] - 2018-02-02
From 03c53433d68039797d0b128b2b448686fea4ca25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Mon, 2 Apr 2018 21:04:26 +0200 Subject: [PATCH 2/5] Add minifirewal_status and check_minifirewall minifirewall_status returns "started" on stdout and exit code 0, or "stopped" on stdout and exit code 1. The state of minifirewall is determined by looking for common iptables rules applied by minifirewall. check_minifirewall is an NRPE plugin for minifirewall. It returns: * 0 (OK) if the firewall state is consistent with its configuration (from the alert5 script) * 1 (WARNING) if the firewall is started but alert5 is not configured properly * 2 (CRITICAL) if the firewall is not running but it should be. --- minifirewall/files/check_minifirewall | 78 ++++++++++++++++++++++++++ minifirewall/files/minifirewall_status | 16 ++++++ minifirewall/handlers/main.yml | 6 ++ minifirewall/tasks/main.yml | 2 + minifirewall/tasks/nrpe.yml | 56 ++++++++++++++++++ 5 files changed, 158 insertions(+) create mode 100644 minifirewall/files/check_minifirewall create mode 100644 minifirewall/files/minifirewall_status create mode 100644 minifirewall/handlers/main.yml create mode 100644 minifirewall/tasks/nrpe.yml diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall new file mode 100644 index 00000000..632f3e8a --- /dev/null +++ b/minifirewall/files/check_minifirewall 
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+is_alert5_enabled() {
+ # It's not very clear how to reliably detect if a SysVinit script
+ # wrapped in a systemd unit is enabled or not.
+ # Even when the script is not started in any run level, systemd says "active".
+ # So we test the SysVinit script path:
+ # if present, we test for an rc2.d symlink
+ # if missing, we ask systemd if a unit is active or not.
+ if test -f /etc/init.d/alert5; then
+ test -f /etc/rc2.d/S*alert5
+ else
+ systemctl is-active alert5 | grep -q "^active$"
+ fi
+}
+
+is_minifirewall_enabled() {
+ # TODO: instead of nested conditionals, we could loop with many possible paths
+ # and grep the first found, or error if none is found
+ if test -f /etc/rc2.d/S*alert5; then
+ grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+ else
+ if test -f /usr/share/scripts/alert5.sh; then
+ grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+ else
+ return_critical "No Alert5 scripts has been found."
+ fi
+ fi
+}
+
+is_minifirewall_started() {
+ if test -x /usr/share/scripts/minifirewall_status; then
+ /usr/share/scripts/minifirewall_status > /dev/null
+ else
+ /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+ fi
+}
+
+return_critical() {
+ echo "CRITICAL: $1"
+ exit 2
+}
+
+return_warning() {
+ echo "WARNING: $1"
+ exit 1
+}
+
+return_ok() {
+ echo "OK: $1"
+ exit 0
+}
+
+main() {
+ if is_alert5_enabled; then
+ if is_minifirewall_enabled; then
+ if is_minifirewall_started; then
+ return_ok "Minifirewall is started."
+ else
+ return_critical "Minifirewall is not started."
+ fi
+ else
+ if is_minifirewall_started; then
+ return_warning "Minifirewall is started, but disabled in alert5."
+ else
+ return_ok "Minifirewall is not started, but disabled in alert5."
+ fi
+ fi
+ else
+ if is_minifirewall_started; then
+ return_warning "Minifirewall is started, but Alert5 script is not enabled."
+ else
+ return_ok "Minifirewall is not started and Alert5 script is not enabled."
+ fi
+ fi
+}
+
+main
diff --git a/minifirewall/files/minifirewall_status b/minifirewall/files/minifirewall_status
new file mode 100644
index 00000000..7bf09285
--- /dev/null
+++ b/minifirewall/files/minifirewall_status
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+is_started() {
+ /sbin/iptables -L -n \
+ | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+}
+return_started() {
+ echo "started"
+ exit 0
+}
+return_stopped() {
+ echo "stopped"
+ exit 1
+}
+
+is_started && return_started || return_stopped
diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml
new file mode 100644
index 00000000..5ba1926c
--- /dev/null
+++ b/minifirewall/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+ service:
+ name: nagios-nrpe-server
+ state: restarted
diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml
index 851d1917..1e135780 100644
--- a/minifirewall/tasks/main.yml
+++ b/minifirewall/tasks/main.yml
@@ -4,6 +4,8 @@
 - include: config.yml
+- include: nrpe.yml
+
 - include: activate.yml
 - include: tail.yml
diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml
new file mode 100644
index 00000000..bb92553e
--- /dev/null
+++ b/minifirewall/tasks/nrpe.yml
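Review bot: In `is_minifirewall_started`, the fallback pipeline `/sbin/iptables -L -n | grep -q -E …` discards iptables' own exit status, so a failure to list the rules (no privilege because the sudoers entry is missing, or the xtables lock held by another process) is reported as "not started" and ends in CRITICAL, whereas a plugin that cannot determine the state should exit 3 (UNKNOWN) so that operators see an inspection problem rather than a firewall outage. `minifirewall_status` in the next hunk masks the same failure as `stopped`/exit 1, and since `check_minifirewall` prefers that script when it is executable, the error is hidden on both paths. Capturing the listing first and checking its status keeps the two cases apart; the rewritten function below adds a `return_unknown` helper for that. The `test -f /etc/rc2.d/S*alert5` globs in `is_alert5_enabled` and `is_minifirewall_enabled` have a related weakness: with more than one matching symlink `test` fails with "too many arguments", which also reads as "not enabled".
```sh
return_unknown() {
    echo "UNKNOWN: $1"
    exit 3
}

is_minifirewall_started() {
    if test -x /usr/share/scripts/minifirewall_status; then
        /usr/share/scripts/minifirewall_status > /dev/null
    else
        # an iptables error (no privilege, xtables lock) must not be read as "no rule matched"
        rules=$(/sbin/iptables -L -n) || return_unknown "iptables could not list the rules."
        printf '%s\n' "$rules" | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
    fi
}
# … unchanged: return_critical, return_warning, return_ok, main …
```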
@@ -0,0 +1,56 @@
+---
+
+- include_role:
+ name: remount-usr
+
+- name: /usr/share/scripts exists
+ file:
+ dest: /usr/share/scripts
+ mode: "0700"
+ owner: root
+ group: root
+ state: directory
+
+- name: minifirewall_status is installed
+ copy:
+ src: minifirewall_status
+ dest: /usr/share/scripts/minifirewall_status
+ force: no
+ mode: "0700"
+ owner: root
+ group: root
+
+- name: /usr/local/lib/nagios/plugins/ exists
+ file:
+ dest: "{{ item }}"
+ mode: "02755"
+ owner: root
+ group: staff
+ state: directory
+ with_items:
+ - /usr/local/lib/nagios
+ - /usr/local/lib/nagios/plugins
+
+- name: check_minifirewall is installed
+ copy:
+ src: check_minifirewall
+ dest: /usr/local/lib/nagios/plugins/check_minifirewall
+ force: no
+ mode: "0755"
+ owner: root
+ group: staff
+
+- name: check_minifirewall is available for NRPE
+ lineinfile:
+ dest: /etc/nagios/nrpe.d/evolix.cfg
+ regexp: 'command\[check_minifirewall\]'
+ line: 'command[check_minifirewall]=sudo /usr/local/lib/nagios/plugins/check_minifirewall'
+ notify: restart nagios-nrpe-server
+
+- name: sudo without password for nagios
+ lineinfile:
+ dest: /etc/sudoers.d/evolinux
+ regexp: 'check_minifirewall'
+ line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall'
+ insertafter: '^nagios'
+ validate: "visudo -cf %s"
From e984e46b83a46e428a1c010d297e707d06ea9674 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 6 Apr 2018 09:40:38 +0200
Subject: [PATCH 3/5] minifirewall: nagios plugins directory is configurable
---
 minifirewall/defaults/main.yml | 2 ++
 minifirewall/tasks/nrpe.yml | 11 ++++-------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index 4f82138d..a6eaa2fc 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
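Review bot: `force: no` on the two `copy` tasks (`minifirewall_status is installed` and `check_minifirewall is installed`) means a host keeps whichever version of each script it first received, so later fixes to the plugin shipped by the role are never deployed — which matters for a file that `nagios` runs as root through the sudoers rule added at the end of the hunk. Unless locally edited copies are meant to survive, I would drop `force: no` (the default overwrites when content differs) or add a comment stating the exception, e.g. `# force: no — the script may be customised on the host; updates must be pushed by hand`. The `sudo without password for nagios` task has no `create: yes`, so `lineinfile` fails on a host where `/etc/sudoers.d/evolinux` does not already exist; presumably another role provides that file, but it is worth confirming.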
@@ -25,3 +25,5 @@ minifirewall_private_ports_udp: []
 minifirewall_autostart: "no"
 evomaintenance_hosts: []
+
+nagios_plugins_directory: "/usr/local/lib/nagios/plugins"
diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml
index bb92553e..2e8569f8 100644
--- a/minifirewall/tasks/nrpe.yml
+++ b/minifirewall/tasks/nrpe.yml
@@ -22,19 +22,16 @@
 - name: /usr/local/lib/nagios/plugins/ exists
 file:
- dest: "{{ item }}"
+ dest: "{{ nagios_plugins_directory }}"
 mode: "02755"
 owner: root
 group: staff
 state: directory
- with_items:
- - /usr/local/lib/nagios
- - /usr/local/lib/nagios/plugins
 - name: check_minifirewall is installed
 copy:
 src: check_minifirewall
- dest: /usr/local/lib/nagios/plugins/check_minifirewall
+ dest: "{{ nagios_plugins_directory }}/check_minifirewall"
 force: no
 mode: "0755"
 owner: root
@@ -44,13 +41,13 @@
 lineinfile:
 dest: /etc/nagios/nrpe.d/evolix.cfg
 regexp: 'command\[check_minifirewall\]'
- line: 'command[check_minifirewall]=sudo /usr/local/lib/nagios/plugins/check_minifirewall'
+ line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
 notify: restart nagios-nrpe-server
 - name: sudo without password for nagios
 lineinfile:
 dest: /etc/sudoers.d/evolinux
 regexp: 'check_minifirewall'
- line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall'
+ line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall'
 insertafter: '^nagios'
 validate: "visudo -cf %s"
From 61c268b39554d7ef11a28c3242204d80d8dcf92a Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 6 Apr 2018 09:41:46 +0200
Subject: [PATCH 4/5] nagios-nrpe: add check_minifirewall by default
---
 nagios-nrpe/templates/evolix.cfg.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 3d07600e..0be4e38e 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
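Review bot: The `nagios_plugins_directory` default added to `minifirewall/defaults/main.yml` reuses a variable name the `nagios-nrpe` role already consumes in its `evolix.cfg.j2` template (visible in the next patch), so two roles now carry their own default for the same name; if they ever diverge, the `NOPASSWD` path written to `/etc/sudoers.d/evolinux` by this role and the command path rendered by the other role would no longer agree, and the check would fail at `sudo`. A comment on the new default, e.g. `# must match nagios_plugins_directory in the nagios-nrpe role`, would make that coupling explicit. In the `nrpe.yml` hunk the task name `/usr/local/lib/nagios/plugins/ exists` is now stale since the path comes from the variable; `- name: "{{ nagios_plugins_directory }} exists"` keeps the play output accurate.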
@@ -66,6 +66,7 @@ command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -
 command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
 command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
 command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
+command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
 # Beware! All checks must not take more than 10s!
From 654c0a261fab70cacf48041ca7295684548030fe Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 6 Apr 2018 09:45:10 +0200
Subject: [PATCH 5/5] update CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 979021e9..60d262e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
 * etc-git: add tags for Ansible
 * evolinux-base: install ncurses-term package
 * haproxy: install Munin plugins
+* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script)
 * mysql-oracle: new role to install MySQL 5.7 with Oracle packages
 * mysql: remount /usr before creating scripts directory
 * nagios-nrpe: add "check_open_files" plugin
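Review bot: The new `command[check_minifirewall]=sudo …` line is rendered on every host that runs the nagios-nrpe role, but the plugin file and the matching `NOPASSWD` sudoers entry are only installed by the minifirewall role's `nrpe.yml`; on a host without that role the command is still advertised to the Nagios server and would fail at `sudo` rather than simply being absent. A template comment above the line, e.g. `# check_minifirewall (and its sudoers rule) is installed by the minifirewall role`, would at least record the dependency for whoever sees the resulting alert. Once the template carries the line, the `check_minifirewall is available for NRPE` `lineinfile` task in `minifirewall/tasks/nrpe.yml` only rewrites a line that is already there and could be dropped.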