add crl check to nagios + nrpe + facl perms for nrpe

Signed-off-by: Rick Elrod <relrod@redhat.com>

roles/nagios_client/tasks/main.yml

@@ -49,6 +49,7 @@
   - check_ipa_replication
   - check_redis_queue.sh
   - check_timestamp_from_file
+  - check_crl_next_update
   when: not inventory_hostname.startswith('noc')
   tags:
   - nagios_client
@@ -239,6 +240,22 @@
   tags:
   - nagios_client
 
+- name: install CRL check for bastions
+  when: inventory_hostname.startswith('bastion')
+  tags:
+  - nagios_client
+  block:
+  - name: Install the nrpe template
+    template: src=check_crl_next_update.cfg.j2 dest=/etc/nrpe.d/check_crl_next_update.cfg owner=root group=root mode=0644
+    notify:
+    - restart nrpe
+
+  - name: Set facls so nrpe can check the crl (dir)
+    acl: default=no etype=user entity=nrpe permissions="rx" name=/etc/openvpn/server state=present
+
+  - name: Set facls so nrpe can check the crl (file)
+    acl: default=no etype=user entity=nrpe permissions="r" name=/etc/openvpn/server/crl.pem state=present
+
 - name: install nrpe config for the RabbitMQ checks
   template:
     src: "rabbitmq_args.ini.j2"

roles/nagios_client/templates/check_crl_next_update.cfg.j2

@@ -0,0 +1,4 @@
+# Alert if CRL expires soon.
+# Usage is: /path/to/crl.pem <warn days> <crit days>
+# So here we warn at 7 days, crit at 2
+command[check_crl_next_update]={{ libdir }}/nagios/plugins/check_crl_next_update /etc/openvpn/server/crl.pem 7 2

roles/nagios_server/files/nagios/services/vpn_server.cfg

@@ -0,0 +1,6 @@
+define service {
+  hostgroup             bastion
+  service_description   openvpn CRL expiry
+  check_command         check_by_nrpe!check_crl_next_update
+  use                   defaulttemplate
+}

roles/nagios_server/tasks/main.yml

@@ -238,6 +238,7 @@
     - templates.cfg
     - unbound.cfg
     - vpnclients.cfg
+    - vpn_server.cfg
   tags:
   - nagios_config
   - nagios_server