ok lets try and make the nagios config a bit better

playbooks/include/proxies-redirects.yml

@@ -31,12 +31,6 @@
     path: /nagios
     target: https://nagios.fedoraproject.org/nagios/
 
-  - role: httpd/redirect
-    name: nagios-external
-    website: admin.fedoraproject.org
-    path: /nagios-external
-    target: https://nagios.fedoraproject.org/nagios-external/
-
   - role: httpd/redirect
     name: docs
     website: fedoraproject.org

playbooks/include/proxies-reverseproxy.yml

@@ -44,13 +44,6 @@
     remotepath: /nagios/
     proxyurl: http://noc01.phx2.fedoraproject.org
 
-  - role: httpd/reverseproxy
-    website: nagios.fedoraproject.org
-    destname: nagios-external
-    localpath: /nagios-external
-    remotepath: /nagios-external/
-    proxyurl: http://noc02.fedoraproject.org
-
   - role: httpd/reverseproxy
     website: lists.fedoraproject.org
     destname: mailman3

roles/nagios_server/files/httpd/nagios-new.conf

@@ -1,12 +1,6 @@
 # noc1
 ScriptAlias /nagios/cgi-bin/ /usr/lib64/nagios/cgi-bin/
 
-# noc2
-ScriptAlias /nagios-external/cgi-bin/ /usr/lib64/nagios/cgi-bin/
-
-# test
-ScriptAlias /nagios-just-a-test/cgi-bin/ /usr/lib64/nagios/cgi-bin/
-
 ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
 
 <Location />
@@ -19,7 +13,7 @@ ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
   Require valid-user
 </Location>
 
-<Location ~ "/(nagios|nagios-external|nagios-just-a-test)/cgi-bin/">
+<Location ~ "/(nagios)/cgi-bin/">
   Options ExecCGI
 </Location>
 
@@ -27,10 +21,8 @@ ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
   Options None
 </Directory>
 
+RewriteEngine on
+RewriteRule ^/$ /nagios/ [R]
+
 Alias /nagios /usr/share/nagios/html/
 
-# This will only affect noc2 because the proxies only forward -external to it.
-Alias /nagios-external /usr/share/nagios/html/
-
-# Test
-Alias /nagios-test /usr/share/nagios/html/

roles/nagios_server/files/httpd/nagios.conf

@@ -1,12 +1,6 @@
 # noc1
 ScriptAlias /nagios/cgi-bin/ /usr/lib64/nagios/cgi-bin/
 
-# noc2
-ScriptAlias /nagios-external/cgi-bin/ /usr/lib64/nagios/cgi-bin/
-
-# test
-ScriptAlias /nagios-just-a-test/cgi-bin/ /usr/lib64/nagios/cgi-bin/
-
 ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
 
 <Location />
@@ -19,7 +13,7 @@ ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
   Require valid-user
 </Location>
 
-<Location ~ "/(nagios|nagios-external|nagios-just-a-test)/cgi-bin/">
+<Location ~ "/(nagios)/cgi-bin/">
   Options ExecCGI
 </Location>
 
@@ -32,8 +26,3 @@ RewriteRule ^/$ /nagios/ [R]
 
 Alias /nagios /usr/share/nagios/html/
 
-# This will only affect noc2 because the proxies only forward -external to it.
-Alias /nagios-external /usr/share/nagios/html/
-
-# Test
-Alias /nagios-test /usr/share/nagios/html/

roles/nagios_server/tasks/main.yml

@@ -26,6 +26,8 @@
   with_items:
   - php
   - nagios.x86_64
+  - nagios-selinux
+  - nrpe-selinux
   - nagios-plugins
   - nagios-plugins-dig
   - nagios-plugins-disk
@@ -78,19 +80,6 @@
   - nagios_server
 
 ## Copy over system configs
-# TODO: Make this a template once they're closer together
-- name: Copy httpd config (production)
-  copy: src=httpd/nagios.conf dest=/etc/httpd/conf.d/nagios.conf
-  when: env == "production"
-  tags:
-  - nagios_server
-
-- name: Copy httpd config (staging)
-  copy: src=httpd/nagios-new.conf dest=/etc/httpd/conf.d/nagios.conf
-  when: env == "staging"
-  tags:
-  - nagios_server
-
 - name: Copy specialized nrpe.cfg for nagios server
   copy: src=nrpe/nrpe.cfg dest=/etc/nagios/nrpe.cfg mode=0644 group=root owner=root
   notify:
@@ -265,6 +254,11 @@
 
 ## Build template files
 # This one may go to being just a regular config file if we can make remote monitoring work
+- name: Template out the nagios httpd conf
+  template: src=httpd/nagios.conf.j2 dest=/etc/httpd/conf.d/nagios.conf
+  tags:
+  - nagios_server
+
 - name: Template out the cgi.cfg 
   template: src=nagios/configs/cgi.cfg.j2 dest=/etc/nagios/cgi.cfg mode=0644 owner=root group=root
   tags:

roles/nagios_server/templates/httpd/nagios.conf.j2

@@ -0,0 +1,40 @@
+# noc1
+ScriptAlias /nagios/cgi-bin/ /usr/lib64/nagios/cgi-bin/
+
+ScriptAlias	/tac.cgi	/usr/lib64/nagios/cgi-bin/tac.cgi
+
+<Location />
+  AuthName "Nagios GSSAPI Login"
+{% if env == "production" %}
+{% if vars['nagios_location'] == 'internal' %}
+  GssapiCredStore keytab:/etc/krb5.HTTP_nagios.fedoraproject.org.keytab
+{% else %}
+  GssapiCredStore keytab:/etc/krb5.HTTP_nagios-external.fedoraproject.org.keytab
+{% endif %}
+{% else %}
+{% if vars['nagios_location'] == 'internal' %}
+  GssapiCredStore keytab:/etc/krb5.HTTP_nagios.stg.fedoraproject.org.keytab
+{% else %}
+  GssapiCredStore keytab:/etc/krb5.HTTP_nagios-external.stg.fedoraproject.org.keytab
+{% endif %}
+{% endif %}
+  AuthType GSSAPI
+  # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+  GssapiSSLonly Off
+  GssapiLocalName on
+  Require valid-user
+</Location>
+
+<Location ~ "/(nagios)/cgi-bin/">
+  Options ExecCGI
+</Location>
+
+<Directory "/usr/share/nagios/html">
+  Options None
+</Directory>
+
+RewriteEngine on
+RewriteRule ^/$ /nagios/ [R]
+
+Alias /nagios /usr/share/nagios/html/
+