From 541884fb00dc0d6b2583b1311c7e7a307f7485c8 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Mon, 9 Jan 2017 21:37:18 +0000
Subject: [PATCH] Fix krb5 for nagios by selecting the right keytab path

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 .../nagios_server/files/httpd/nagios-new.conf | 36 +++++++++++++++++++
 roles/nagios_server/tasks/main.yml            |  8 +++++
 2 files changed, 44 insertions(+)
 create mode 100644 roles/nagios_server/files/httpd/nagios-new.conf

diff --git a/roles/nagios_server/files/httpd/nagios-new.conf b/roles/nagios_server/files/httpd/nagios-new.conf
new file mode 100644
index 0000000000..e9b31c868f
--- /dev/null
+++ b/roles/nagios_server/files/httpd/nagios-new.conf
@@ -0,0 +1,36 @@
+# noc1
+ScriptAlias /nagios/cgi-bin/ /usr/lib64/nagios/cgi-bin/
+
+# noc2
+ScriptAlias /nagios-external/cgi-bin/ /usr/lib64/nagios/cgi-bin/
+
+# test
+ScriptAlias /nagios-just-a-test/cgi-bin/ /usr/lib64/nagios/cgi-bin/
+
+ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
+
+<Location />
+  AuthName "Nagios GSSAPI Login"
+  GssapiCredStore keytab:/etc/krb5.HTTP_nagios.stg.fedoraproject.org.keytab
+  AuthType GSSAPI
+  # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+  GssapiSSLonly Off
+  GssapiLocalName on
+  Require valid-user
+</Location>
+
+<Location ~ "/(nagios|nagios-external|nagios-just-a-test)/cgi-bin/">
+  Options ExecCGI
+</Location>
+
+<Directory "/usr/share/nagios/html">
+  Options None
+</Directory>
+
+Alias /nagios /usr/share/nagios/html/
+
+# This will only affect noc2 because the proxies only forward -external to it.
+Alias /nagios-external /usr/share/nagios/html/
+
+# Test
+Alias /nagios-test /usr/share/nagios/html/
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml
index 602ae87bfa..4b344230d5 100644
--- a/roles/nagios_server/tasks/main.yml
+++ b/roles/nagios_server/tasks/main.yml
@@ -78,8 +78,16 @@
   - nagios_server
 
 ## Copy over system configs
+# TODO: Make this a template once they're closer together
 - name: Copy httpd config
   copy: src=httpd/nagios.conf dest=/etc/httpd/conf.d/nagios.conf
+  when: env == "production"
+  tags:
+  - nagios_server
+
+- name: Copy httpd config
+  copy: src=httpd/nagios-new.conf dest=/etc/httpd/conf.d/nagios.conf
+  when: env == "staging"
   tags:
   - nagios_server