authormh <mh@immerda.ch>2015-10-16 15:38:20 +0200
committermh <mh@immerda.ch>2015-10-16 15:40:17 +0200
commit3a39c6e693a835d98ed382bdc3ce72eac31ea664 (patch)
tree2e58265610ba9319f7ab3a93567ed5717ee97141
parent9a02e527e1803093e25166cdbac753253909065f (diff)
fetch things over hkps and on every check
-rw-r--r--files/plugin_data/sks-keyservers.netCA.pem32
-rw-r--r--files/plugins/check_gpg2
-rw-r--r--manifests/plugins/gpg.pp27
-rw-r--r--manifests/service/gpgkey.pp12
4 files changed, 45 insertions, 28 deletions
diff --git a/files/plugin_data/sks-keyservers.netCA.pem b/files/plugin_data/sks-keyservers.netCA.pem
new file mode 100644
index 0000000..24a2ad2
--- /dev/null
+++ b/files/plugin_data/sks-keyservers.netCA.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg
index bf4b930..efc17e3 100644
--- a/files/plugins/check_gpg
+++ b/files/plugins/check_gpg
@@ -84,7 +84,7 @@ key="$1"
# GPG is too stupid to error out when asked to refresh a key that's not in the
# local keyring so we need to perform another call to verify this first.
-output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 )
+output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 )
if [ $? -ne 0 ]; then
echo "UNKNOWN: $output"
exit 3
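Review bot: `ca-cert-file=$homedir/sks-keyservers.netCA.pem` on the added line builds the CA path from a variable that the same line passes to gpg as a bare argument (`gpg $homedir --list-key`), which suggests `$homedir` holds an option string such as `--homedir <dir>` or is empty rather than being a plain directory; if so the resulting path is not the file the manifest installs under the GnuPG home and the hkps connection is not verified against the intended CA. `$homedir` is set outside the hunk, so this is inferred; if it is an option string, derive the path from the directory value itself, e.g. `ca_cert="$gpg_homedir/sks-keyservers.netCA.pem"` and `--keyserver-options ca-cert-file="$ca_cert"`, quoted so a home directory containing spaces does not split. The keyserver URL is also a literal here and again in manifests/service/gpgkey.pp; sourcing it from one place keeps the two from diverging.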
diff --git a/manifests/plugins/gpg.pp b/manifests/plugins/gpg.pp
index 632ad1f..a09736a 100644
--- a/manifests/plugins/gpg.pp
+++ b/manifests/plugins/gpg.pp
@@ -1,8 +1,6 @@
# check_gpg from
# https://github.com/lelutin/nagios-plugins/blob/master/check_gpg
-class nagios::plugins::gpg(
- $keyserver = 'hkp://keys.mayfirst.org',
-) {
+class nagios::plugins::gpg {
require ::gpg
nagios::plugin{'check_gpg':
source => 'nagios/plugins/check_gpg',
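Review bot: Dropping the `$keyserver` parameter from `nagios::plugins::gpg` is a breaking change for any manifest that passes `keyserver =>`, and the replacement URL is now a literal repeated in files/plugins/check_gpg and manifests/service/gpgkey.pp. Keeping the parameter with the new default, `$keyserver = 'hkps://hkps.pool.sks-keyservers.net',`, and reading it from gpgkey.pp as before keeps callers working and leaves one place to change when the pool or its CA is rotated. The class body continues past the hunk.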
@@ -16,25 +14,12 @@ class nagios::plugins::gpg(
group => nagios,
mode => '0600',
require => Nagios::Plugin['check_gpg'];
- '/etc/cron.daily/update_nagios_gpgkeys':
- content => "#!/bin/bash
-function gpg() {
- cmd=\$1
- outout=\$(su - nagios -s /bin/bash -c 'gpg --homedir ${gpg_home} --logger-fd 1 \${cmd}')
- if [ \$? -gt 0 ]; then
- echo \$output
- exit 1
- fi
-}
-
-su - nagios -s /bin/bash -c 'gpg --homedir ${gpg_home} --with-fingerprint --list-keys --with-colons | grep \"^pub\" -A 1 | tail -n 1 | cut -f10 -d\":\" | sort --random-sort | while read key; do
- gpg \"--keyserver ${keyserver} --recv-keys \${key}\"
-done
-",
- owner => root,
+ "${gpg_home}/sks-keyservers.netCA.pem":
+ source => 'puppet:///modules/nagios/plugin_data/sks-keyservers.netCA.pem',
+ owner => nagios,
group => 0,
- mode => '0700',
- require => File[$gpg_home];
+ mode => '0400',
+ before => Nagios_command['check_gpg'];
}
nagios_command {
'check_gpg':
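Review bot: The pinned CA file added at `"${gpg_home}/sks-keyservers.netCA.pem"` carries no note of where it came from or when it expires, and a pinned certificate that lapses silently turns every `check_gpg` into UNKNOWN. A comment above the resource such as `# Pinned CA for hkps.pool.sks-keyservers.net; rotate before its notAfter date (see files/plugin_data/sks-keyservers.netCA.pem)` gives the next maintainer the rotation cue. The removed cron resource carried `require => File[$gpg_home]`; the new file resource relies on Puppet autorequiring its parent directory, which only holds if `File[$gpg_home]` is managed in this catalog (the context above suggests it is, but that is inferred). The enclosing `file` block starts outside the hunk.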
diff --git a/manifests/service/gpgkey.pp b/manifests/service/gpgkey.pp
index 08b7473..f04352a 100644
--- a/manifests/service/gpgkey.pp
+++ b/manifests/service/gpgkey.pp
@@ -6,8 +6,8 @@ define nagios::service::gpgkey(
){
validate_slength($name,40,40)
require ::nagios::plugins::gpg
- $gpg_home = $nagios::plugins::gpg::gpg_home
- $gpg_keyserver = $nagios::plugins::gpg::keyserver
+ $gpg_home = $nagios::plugins::gpg::gpg_home
+ $gpg_cmd = "gpg --homedir ${gpg_home}"
exec{"manage_key_${name}":
user => nagios,
@@ -20,8 +20,8 @@ define nagios::service::gpgkey(
if $ensure == 'present' {
Exec["manage_key_${name}"]{
- command => "gpg --keyserver ${gpg_keyserver} --homedir ${gpg_home} --recv-keys ${name}",
- unless => "gpg --homedir ${gpg_home} --list-keys ${name}",
+ command => "${gpg_cmd} --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=${gpg_home}/sks-keyservers.netCA.pem --recv-keys ${name}",
+ unless => "${gpg_cmd} --list-keys ${name}",
before => Nagios::Service["check_gpg_${name}"],
}
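Review bot: `${name}` is interpolated straight into the `command` and `unless` strings, and the only check on it is `validate_slength($name,40,40)` in the first hunk, which constrains length but not content; with the default exec provider a string containing shell metacharacters may be handed to a shell, so a 40-character value that is not a fingerprint can alter the command. Constraining it to hex at the top of the define, `validate_re($name, '^[0-9A-Fa-f]{40}$')`, makes `--recv-keys` here and the `--delete-key`/`onlyif` commands in the last hunk safe from that. The define itself starts outside the hunk.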
@@ -39,8 +39,8 @@ define nagios::service::gpgkey(
}
} else {
Exec["manage_key_${name}"]{
- command => "gpg --batch --homedir ${gpg_home} --delete-key ${name}",
- onlyif => "gpg --homedir ${gpg_home} --list-keys ${name}",
+ command => "${gpg_cmd} --batch --delete-key ${name}",
+ onlyif => "${gpg_cmd} --list-keys ${name}",
require => Nagios::Service["check_gpg_${name}"],
}
}