From 3a39c6e693a835d98ed382bdc3ce72eac31ea664 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 16 Oct 2015 15:38:20 +0200
Subject: fetch things over hkps and on every check

---
 manifests/plugins/gpg.pp | 27 ++++++---------------------
 manifests/service/gpgkey.pp | 12 ++++++------
 2 files changed, 12 insertions(+), 27 deletions(-)

(limited to 'manifests')

diff --git a/manifests/plugins/gpg.pp b/manifests/plugins/gpg.pp
index 632ad1f..a09736a 100644
--- a/manifests/plugins/gpg.pp
+++ b/manifests/plugins/gpg.pp
@@ -1,8 +1,6 @@
 # check_gpg from
 # https://github.com/lelutin/nagios-plugins/blob/master/check_gpg
-class nagios::plugins::gpg(
- $keyserver = 'hkp://keys.mayfirst.org',
-) {
+class nagios::plugins::gpg {
 require ::gpg
 nagios::plugin{'check_gpg':
 source => 'nagios/plugins/check_gpg',
@@ -16,25 +14,12 @@ class nagios::plugins::gpg(
 group => nagios,
 mode => '0600',
 require => Nagios::Plugin['check_gpg'];
- '/etc/cron.daily/update_nagios_gpgkeys':
- content => "#!/bin/bash
-function gpg() {
- cmd=\$1
- outout=\$(su - nagios -s /bin/bash -c 'gpg --homedir ${gpg_home} --logger-fd 1 \${cmd}')
- if [ \$? -gt 0 ]; then
- echo \$output
- exit 1
- fi
-}
-
-su - nagios -s /bin/bash -c 'gpg --homedir ${gpg_home} --with-fingerprint --list-keys --with-colons | grep \"^pub\" -A 1 | tail -n 1 | cut -f10 -d\":\" | sort --random-sort | while read key; do
- gpg \"--keyserver ${keyserver} --recv-keys \${key}\"
-done
-",
- owner => root,
+ "${gpg_home}/sks-keyservers.netCA.pem":
+ source => 'puppet:///modules/nagios/plugin_data/sks-keyservers.netCA.pem',
+ owner => nagios,
 group => 0,
- mode => '0700',
- require => File[$gpg_home];
+ mode => '0400',
+ before => Nagios_command['check_gpg'];
 }
 nagios_command {
 'check_gpg':
diff --git a/manifests/service/gpgkey.pp b/manifests/service/gpgkey.pp
index 08b7473..f04352a 100644
--- a/manifests/service/gpgkey.pp
+++ b/manifests/service/gpgkey.pp
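Review bot: The CA pin that the hkps fetch relies on is installed with `owner => nagios` in the new `"${gpg_home}/sks-keyservers.netCA.pem"` resource, so the same unprivileged account that talks to the keyserver owns its own trust anchor — mode 0400 does not stop the owner from chmod'ing or replacing the file. Keeping it root-owned and group-readable, `owner => root, group => nagios, mode => '0440'`, still lets the nagios-run exec read it while taking it out of that account's reach; if `$gpg_home` itself is nagios-owned (the `mode => '0600'` entry above suggests nagios-owned files there, but this hunk does not show the directory) the pin would also have to live outside that directory for the ownership change to matter. The enclosing `file { ... }` block and the `nagios_command` resource both continue outside this hunk.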
@@ -6,8 +6,8 @@ define nagios::service::gpgkey(
 ){
 validate_slength($name,40,40)
 require ::nagios::plugins::gpg
- $gpg_home = $nagios::plugins::gpg::gpg_home
- $gpg_keyserver = $nagios::plugins::gpg::keyserver
+ $gpg_home = $nagios::plugins::gpg::gpg_home
+ $gpg_cmd = "gpg --homedir ${gpg_home}"
 exec{"manage_key_${name}":
 user => nagios,
@@ -20,8 +20,8 @@ define nagios::service::gpgkey(
 if $ensure == 'present' {
 Exec["manage_key_${name}"]{
- command => "gpg --keyserver ${gpg_keyserver} --homedir ${gpg_home} --recv-keys ${name}",
- unless => "gpg --homedir ${gpg_home} --list-keys ${name}",
+ command => "${gpg_cmd} --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=${gpg_home}/sks-keyservers.netCA.pem --recv-keys ${name}",
+ unless => "${gpg_cmd} --list-keys ${name}",
 before => Nagios::Service["check_gpg_${name}"],
 }
@@ -39,8 +39,8 @@ define nagios::service::gpgkey(
 }
 } else {
 Exec["manage_key_${name}"]{
- command => "${gpg_cmd} --batch --delete-key ${name}",
- onlyif => "gpg --homedir ${gpg_home} --list-keys ${name}",
+ command => "${gpg_cmd} --batch --delete-key ${name}",
+ onlyif => "${gpg_cmd} --list-keys ${name}",
 require => Nagios::Service["check_gpg_${name}"],
 }
 }
-- cgit v1.2.3
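Review bot: `--keyserver-options ca-cert-file=...` in the new `command` of the second hunk is honored by the gpg 1.4/2.0 keyserver helpers, but on hosts running GnuPG 2.1 or later keyserver traffic goes through dirmngr, which on my reading ignores that option and takes its pin from `hkp-cacert` in dirmngr.conf — so the hkps fetch would either fail or run without the pin; worth confirming against the gpg version on the monitored hosts. The hard-coded `hkps://hkps.pool.sks-keyservers.net` and CA path also replace the `$keyserver` parameter this commit removes, so operators can no longer point at another server; a `$keyserver`/`$keyserver_ca` pair on `nagios::plugins::gpg` with these values as defaults would keep that. Finally `$name` is interpolated into the shell command unquoted and the context line `validate_slength($name,40,40)` only checks length, so `validate_re($name, '^[0-9A-Fa-f]{40}$')` next to it would pin the value to an actual fingerprint. The `if $ensure == 'present'` branch continues outside the hunk.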