Revert "evolinux-users, nagios-nrpe: sudoers conf for nagios splitted and moved from evolinux-users to nagios-nrpe"

This reverts commit adc79e0d8d.
William Hirigoyen 2024-06-12 11:07:04 +02:00
parent d55da041ae
commit e93a68d27a
10 changed files with 43 additions and 77 deletions


@ -25,7 +25,6 @@ The **patch** part is incremented if multiple releases happen the same month
* log2mail: task log2mail.yml of evolinux-base converted to a role
* lxc-solr: update solr9 version + fix URL in README
* evolinux-users, nagios-nrpe: sudoers conf for nagios splitted and moved from evolinux-users to nagios-nrpe
* evolinux-base: Customize logcheck recipient when serveur-base is installed
### Fixed


@ -2,5 +2,33 @@ Defaults umask=0077
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush
nagios ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/ssacli controller all show status
nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
nagios ALL = NOPASSWD: /usr/local/bin/mvcli info -o blk
nagios ALL = NOPASSWD: /usr/local/bin/mvcli info -o vd
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
%{{ evolinux_sudo_group }} ALL = NOPASSWD: MAINT
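Review bot: Several of the restored nagios rules name a command with no argument list (`check_procs`, `check_minifirewall`, `check_haproxy_stats`, `check_ipmi_sensor`, `check_gluster.rb`), and sudoers then accepts any arguments for that command as root. The megacli, ssacli and bkctld rules in the same block already pin their arguments; the plugin rules could do the same, or use `""` where NRPE calls the plugin without arguments, e.g. `nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall ""`. The rules under /usr/local/lib/nagios/plugins are also only as strong as the file permissions there, so a comment above the block such as `# plugins below must be root-owned and not writable by nagios` would record that assumption. The second sudoers template (the one using `User_Alias ADMINS`) gets the same unpinned rules back.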


@ -3,5 +3,13 @@ Defaults umask=0077
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
User_Alias ADMINS = {{ user.name }}
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
ADMINS ALL = (ALL:ALL) ALL
ADMINS ALL = NOPASSWD: MAINT
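Review bot: The `clamscan /tmp/safe.txt` rule fixes the scanned file to a name in /tmp, which any local account can create first, so the clamav check may end up reading content the role never placed there. A path in a root-owned directory would remove that dependency, though the NRPE command that calls it would have to change with it, and that definition is not part of this commit. Until then a comment above the rule, `# /tmp/safe.txt is created by <ROLE_OR_TASK>; keep in sync with the NRPE check`, would at least say where the file comes from. The same rule is restored in the first sudoers template.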


@ -50,21 +50,16 @@
notify: restart nagios-nrpe-server
when: nrpe_evolix_cfg.stat.exists
- name: Is evolinux sudoers installed? (old way)
- name: Is evolinux sudoers installed?
ansible.builtin.stat:
path: /etc/sudoers.d/evolinux
register: sudoers_evolinux
- name: Is nagios sudoers installed?
ansible.builtin.stat:
path: /etc/sudoers.d/nagios
register: sudoers_nagios
- name: sudo without password for nagios
ansible.builtin.lineinfile:
dest: /etc/sudoers.d/nagios
dest: /etc/sudoers.d/evolinux
regexp: 'check_minifirewall'
line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall'
insertafter: '^nagios'
validate: "visudo -cf %s"
when: sudoers_evolinux.stat.exists or sudoers_nagios.stat.exists
when: sudoers_evolinux.stat.exists
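Review bot: Hosts that already ran the reverted commit keep /etc/sudoers.d/nagios, because this task now only stats and edits /etc/sudoers.d/evolinux and nothing in the sections shown removes the other file. That leaves a sudoers fragment with NOPASSWD rules for nagios that no role manages any more, alongside the same rules restored in the evolinux file. A cleanup task placed after the evolinux file is known to carry the rules would close that gap, for example `- name: Remove nagios sudoers left by the reverted split` with `ansible.builtin.file:` / `path: /etc/sudoers.d/nagios` / `state: absent`. If the leftover file is intentional, a comment on the stat task saying so would help the next reader.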


@ -1,27 +0,0 @@
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush
nagios ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/ssacli controller all show status
nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
nagios ALL = NOPASSWD: /usr/local/bin/mvcli info -o blk
nagios ALL = NOPASSWD: /usr/local/bin/mvcli info -o vd
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt


@ -1,7 +0,0 @@
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt


@ -91,8 +91,6 @@
tags:
- nagios-nrpe
- ansible.builtin.include_tasks: sudoers.yml
- ansible.builtin.include_tasks: wrapper.yml
- ansible.builtin.include_tasks: check-local.yml


@ -1,28 +0,0 @@
---
- name: "/etc/sudoers.d presence and permissions"
ansible.builtin.file:
path: /etc/sudoers.d
owner: root
group: root
mode: "0750"
state: directory
- name: "Copy nagios sudoers conf (Debian 9 Stretch and later)"
ansible.builtin.copy:
src: sudoers
dest: /etc/sudoers.d/nagios
mode: "0440"
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
when:
- ansible_distribution_major_version is defined
- ansible_distribution_major_version is version('9', '>=')
- name: "Copy nagios sudoers conf (Debian 8 Jessie) "
ansible.builtin.copy:
src: sudoers_jessie
dest: /etc/sudoers.d/nagios
mode: "0440"
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
when: ansible_distribution_release == "jessie"


@ -45,7 +45,7 @@
- name: sudo without password for nagios
ansible.builtin.lineinfile:
dest: /etc/sudoers.d/nagios
dest: /etc/sudoers.d/evolinux
regexp: 'check_rabbitmq'
line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_rabbitmq'
insertafter: '^nagios'
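Review bot: `regexp: 'check_rabbitmq'` is unanchored, and with `dest` back on /etc/sudoers.d/evolinux it is matched against a file that also holds the admin group rules and the MAINT alias; lineinfile rewrites the last line that matches, whichever user that line belongs to. Scoping the pattern to the nagios entry, `regexp: '^nagios\s.*check_rabbitmq'`, keeps the edit from touching anything else. The check_minifirewall task in nagios-nrpe and the three redis tasks (`check_redis$`, `check_redis_instances$`) have the same shape. The task continues past the end of this hunk, so whether it carries `validate: "visudo -cf %s"` as the minifirewall task does cannot be seen here; it should, since a syntax error in this file now affects the admin rules too.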


@ -45,7 +45,7 @@
- name: sudo without password for nagios
ansible.builtin.lineinfile:
dest: /etc/sudoers.d/nagios
dest: /etc/sudoers.d/evolinux
regexp: 'check_redis$'
line: 'nagios ALL = NOPASSWD: {{ redis_check_redis_path }}'
insertafter: '^nagios'
@ -69,7 +69,7 @@
- name: sudo without password for nagios
ansible.builtin.lineinfile:
dest: /etc/sudoers.d/nagios
dest: /etc/sudoers.d/evolinux
regexp: 'check_redis$'
line: 'nagios ALL = NOPASSWD: {{ redis_check_redis_path }}'
insertafter: '^nagios'
@ -108,7 +108,7 @@
- name: sudo without password for nagios
ansible.builtin.lineinfile:
dest: /etc/sudoers.d/nagios
dest: /etc/sudoers.d/evolinux
regexp: 'check_redis_instances$'
line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_redis_instances'
insertafter: '^nagios'