17 files changed, 182 insertions, 31 deletions
diff --git a/.gitmodules b/.gitmodules
index cc8afdb5..13b43e88 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -88,3 +88,6 @@
 [submodule "puppet/modules/sysctl"]
 	path = puppet/modules/sysctl
 	url = https://leap.se/git/puppet_sysctl
+[submodule "puppet/modules/check_mk"]
+	path = puppet/modules/check_mk
+	url = https://git.codecoop.org/varacanero/puppet_check_mk.git
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 53e6b1f1..5656fe80 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -9,5 +9,14 @@
       "username": "= Leap::Platform.monitor_username",
       "private_key": "= file(:monitor_priv_key)"
     }
+  },
+  "x509": {
+    "use": true,
+    "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+    "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+    "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+    "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+    "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+    "commercial_ca_cert": "= try_file :commercial_ca_cert"
   }
 }
diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk
new file mode 160000
+Subproject 382cb6d2ab5fe05b9db7e4178cd16b71685bef5
diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems
-Subproject 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a
+Subproject 7e0240acce5a338e7cc2b55f1f8ba749634c5da
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
new file mode 100644
index 00000000..72f24838
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -0,0 +1,26 @@
+class site_apache::common {
+  # installs x509 cert + key and common config
+  # that both nagios + leap webapp use
+
+  $web_domain       = hiera('domain')
+  $domain_name      = $web_domain['name']
+
+  include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
+
+  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+  include site_apache::module::rewrite
+
+  class { '::apache': no_default_site => true, ssl => true }
+
+  apache::vhost::file {
+    'common':
+      content => template('site_apache/vhosts.d/common.conf.erb')
+  }
+
+}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index a001552a..30f0a6b1 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -23,13 +23,14 @@
   RequestHeader set X_FORWARDED_PROTO 'https'
 
   <IfModule mod_headers.c>
-<% if @webapp['secure'] -%>
+<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 <% end -%>
     Header always unset X-Powered-By
     Header always unset X-Runtime
   </IfModule>
 
+<% if (defined? @services) and (@services.include? 'webapp') -%>
   DocumentRoot /srv/leap/webapp/public
 
   RewriteEngine On
@@ -52,16 +53,20 @@
     ExpiresActive On
     ExpiresDefault "access plus 1 year"
   </Location>
+<% end -%>
+
 
- <% if (defined? @services) and (@services.include? 'monitor') -%>
+<% if (defined? @services) and (@services.include? 'monitor') -%>
  <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+ <% if (defined? @services) and (@services.include? 'webapp') -%>
     PassengerEnabled off
+ <% end -%>
     AllowOverride all
     # Nagios won't work with setting this option to "DENY",
     # as set in conf.d/security (#4169). Therefor we allow
     # it here, only for nagios.
     Header set X-Frame-Options: "ALLOW"
   </DirectoryMatch>
- <% end -%>
+<% end -%>
 </VirtualHost>
 
diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc
index b69251f0..b6b5077b 100644
--- a/puppet/modules/site_apt/files/keys/leap_key.asc
+++ b/puppet/modules/site_apt/files/keys/leap_key.asc
@@ -1,5 +1,5 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.11 (GNU/Linux)
+Version: GnuPG v1.4.14 (GNU/Linux)
 
 mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en
 Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ
@@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp
 F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/
 M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo
 qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw
-F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp
+F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC
+UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK
+rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5
+a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs
+XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X
+8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt
+MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ
+9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s
+KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7
+lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/
+HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW
+6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR
+Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp
 OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm
 g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT
 q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT
@@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl
 cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP
 Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4
 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw==
-=4STg
+=Om8x
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk
new file mode 100644
index 00000000..dbdcd4b5
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/use_ssh.mk
@@ -0,0 +1,5 @@
+# http://mathias-kettner.de/checkmk_datasource_programs.html
+datasource_programs = [
+ ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa <IP> check_mk_agent", ALL_HOSTS ),
+]
+
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index d85d9c8f..a09a30d2 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -86,4 +86,6 @@ class site_config::default {
   if defined( '::site_custom') {
     include ::site_custom
   }
+
+  include site_nagios::client
 }
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index 753d1610..61d9f2da 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -25,6 +25,9 @@ log_file=/var/log/nagios3/nagios.log
 # Puppet-managed configuration files
 cfg_dir=/etc/nagios3/conf.d
 
+# check-mk managed configuration files
+cfg_dir=/etc/nagios3/local
+
 # Debian also defaults to using the check commands defined by the debian
 # nagios-plugins package
 cfg_dir=/etc/nagios-plugins/config
diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp
new file mode 100644
index 00000000..ff569142
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/client.pp
@@ -0,0 +1,22 @@
+class site_nagios::client {
+
+  $ssh_hash = hiera('ssh')
+  $pubkey   = $ssh_hash['authorized_keys']['monitor']['key']
+  $type     = $ssh_hash['authorized_keys']['monitor']['type']
+
+  class { 'check_mk::agent':
+    agent_package_name          => 'check-mk-agent',
+    agent_logwatch_package_name => 'check-mk-agent-logwatch',
+    method                      => 'ssh',
+    homedir                     => '/etc/nagios/check_mk',
+    register_agent              => false
+  }
+
+  file { '/root/.ssh/authorized_keys2':
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor"
+  }
+
+}
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index 3e1ef7e7..59a3bbb0 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -11,18 +11,32 @@ class site_nagios::server inherits nagios::base {
 
   include nagios::defaults
   include nagios::base
-  #Class ['nagios'] -> Class ['nagios::defaults']
-  class {'nagios::apache':
+  class {'nagios':
+    # don't manage apache class from nagios, cause we already include
+    # it in site_apache::common
+    httpd              => 'absent',
     allow_external_cmd => true,
     stored_config      => false,
-    #before             => Class ['nagios::defaults']
   }
 
+  # - [monitor2] err: /Stage[main]/Site_nagios::Server/Apache::Config::Global[nagios3.conf]/Apache::Config::File[nagios3.conf]/File[apache_nagios3.conf]/ensure: change from absent to link failed: Cannot create a symlink without a target at /srv/leap/puppet/modules/apache/manifests/config/file.pp:32
+  #apache::config::global { 'nagios3.conf':
+  #  ensure  => link,
+  #  target  => '/usr/share/doc/nagios3-common/examples/apache2.conf',
+  #}
+
+  file { '/etc/apache2/conf.d/nagios3.conf':
+    ensure => link,
+    target => '/usr/share/doc/nagios3-common/examples/apache2.conf',
+    notify => Service['apache']
+  }
+
+  include site_apache::common
   include site_apache::module::headers
 
   File ['nagios_htpasswd'] {
     source  => undef,
-    content => "nagiosadmin:$nagiosadmin_pw",
+    content => "nagiosadmin:${nagiosadmin_pw}",
     mode    => '0640',
   }
 
@@ -37,5 +51,7 @@ class site_nagios::server inherits nagios::base {
 
   create_resources ( site_nagios::add_host, $hosts )
 
+  include site_nagios::server::apache
+  include site_nagios::server::check_mk
   include site_shorewall::monitor
 }
diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp
new file mode 100644
index 00000000..8dbc7e9b
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/apache.pp
@@ -0,0 +1,7 @@
+class site_nagios::server::apache {
+  include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
+
+}
diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp
new file mode 100644
index 00000000..02cb8407
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp
@@ -0,0 +1,44 @@
+class site_nagios::server::check_mk {
+
+  $ssh_hash = hiera('ssh')
+  $pubkey   = $ssh_hash['authorized_keys']['monitor']['key']
+  $type     = $ssh_hash['authorized_keys']['monitor']['type']
+  $seckey   = $ssh_hash['monitor']['private_key']
+  $all_hosts = '"localhost", "plain1"'
+
+  package { 'check-mk-server':
+    ensure => installed,
+  }
+
+  # override paths to use the system check_mk rather than OMD
+  class { 'check_mk::config':
+    site          => '',
+    etc_dir       => '/etc',
+    nagios_subdir => 'nagios3',
+    bin_dir       => '/usr/bin',
+    host_groups   => undef,
+    require       => Package['check-mk-server']
+  }
+
+  Exec['check_mk-reload'] -> Service['nagios']
+
+  file {
+    '/etc/check_mk/conf.d/use_ssh.mk':
+      source => 'puppet:///modules/site_check_mk/use_ssh.mk',
+      notify => Exec['check_mk-refresh'];
+    '/etc/check_mk/all_hosts_static':
+      content => $all_hosts,
+      notify  => Exec['check_mk-refresh'];
+    '/etc/check_mk/.ssh':
+      ensure => directory;
+    '/etc/check_mk/.ssh/id_rsa':
+      content => $seckey,
+      owner   => 'nagios',
+      mode    => '0600';
+    '/etc/check_mk/.ssh/id_rsa.pub':
+      content => "${type} ${pubkey} monitor",
+      owner   => 'nagios',
+      mode    => '0644';
+  }
+
+}
diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp
index 39735cd3..18993586 100644
--- a/puppet/modules/site_nagios/manifests/server/purge.pp
+++ b/puppet/modules/site_nagios/manifests/server/purge.pp
@@ -1,7 +1,17 @@
-class site_nagios::server::purge {
-  exec {'purge_conf.d':
-    command => '/bin/rm -rf /etc/nagios3/conf.d/*',
-    onlyif  => 'test -e /etc/nagios3/conf.d'
+class site_nagios::server::purge inherits nagios::base {
+  # we don't want to get /etc/nagios3 and /etc/nagios3/conf.d
+  # purged, cause the check-mk-config-nagios3 package
+  # places its templates in /etc/nagios3/conf.d/check_mk,
+  # and check_mk -O updated it's nagios config in /etc/nagios3/conf.d/check_mk
+  File['nagios_cfgdir'] {
+    purge => false
+  }
+  File['nagios_confd'] {
+    purge => false
   }
 
+  exec {'purge_conf.d':
+    command => '/bin/rm -f /etc/nagios3/conf.d/nagios_*',
+    onlyif  => 'find /etc/nagios3/conf.d/ | grep -q "/etc/nagios3/conf.d/nagios_"'
+  }
 }
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index c18f691c..f36fe20f 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,4 +1,7 @@
 define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
+  # We use a custom define here to deploy the authorized_keys file
+  # cause puppet doesn't allow purgin before populating this file
+  # (see https://tickets.puppetlabs.com/browse/PUP-1174)
   # This line allows default homedir based on $title variable.
   # If $home is empty, the default is used.
   $homedir = $home ? {'' => "/home/${title}", default => $home}
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index d327877a..21243d34 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -7,19 +7,8 @@ class site_webapp::apache {
   $web_domain       = hiera('domain')
   $domain_name      = $web_domain['name']
 
-  include x509::variables
-  include site_config::x509::commercial::cert
-  include site_config::x509::commercial::key
-  include site_config::x509::commercial::ca
-
-  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
-  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
-  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
-
-  class { '::apache': no_default_site => true, ssl => true }
-
+  include site_apache::common
   include site_apache::module::headers
-  include site_apache::module::rewrite
   include site_apache::module::alias
   include site_apache::module::expires
   include site_apache::module::removeip
@@ -27,11 +16,6 @@ class site_webapp::apache {
   class { 'passenger': use_munin => false }
 
   apache::vhost::file {
-    'leap_webapp':
-      content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
-  }
-
-  apache::vhost::file {
     'api':
       content => template('site_apache/vhosts.d/api.conf.erb')
   }