From 64aed0bc2ed9592f7efe092acc9a7ff13b02f98b Mon Sep 17 00:00:00 2001
From: Maria Haider
Date: Wed, 10 May 2023 15:00:46 +0200
Subject: [PATCH] nagios4 stuffs
---
 .../modules/eid/manifests/nagios_monitor.pp | 20 ++++----
 .../eid/templates/monitor/apache2.conf.erb | 48 +++++++++++++++++++
 2 files changed, 60 insertions(+), 8 deletions(-)
 create mode 100644 global/overlay/etc/puppet/modules/eid/templates/monitor/apache2.conf.erb
diff --git a/global/overlay/etc/puppet/modules/eid/manifests/nagios_monitor.pp b/global/overlay/etc/puppet/modules/eid/manifests/nagios_monitor.pp
index 71c7fb99..c88f3eb8 100644
--- a/global/overlay/etc/puppet/modules/eid/manifests/nagios_monitor.pp
+++ b/global/overlay/etc/puppet/modules/eid/manifests/nagios_monitor.pp
@@ -24,11 +24,6 @@ class eid::nagios_monitor {
 #class {'nagioscfg::slack': domain => 'sunet.slack.com', token => safe_hiera('slack_token','') } -> class {'nagioscfg::passive': enable_notifications => '1', obsess_over_services => '0', obsess_over_hosts => '0', nagios_config_file => '/etc/nagios4/nagios.cfg'}
- sunet::misc::htpasswd_user { $web_admin_user :
- filename => "/etc/nagios4/htpasswd.users",
- password => $web_admin_pw,
- group => 'www-data',
- }
 package {'apache2': ensure => 'latest'}
 service { 'apache2':
@@ -36,21 +31,30 @@ class eid::nagios_monitor {
 enable => true,
 }
- exec { 'a2enconf nagios4-cgi.conf':
- creates => '/etc/apache2/conf-enabled/nagios4-cgi.conf',
- notify => Service['apache2'],
+ file { '/etc/nagios4/apache2.conf':
+ ensure => file,
+ mode => '0644',
+ content => template('eid/monitor/apache2.conf.erb'),
+ notify => Service['apache2'],
 }
 file { '/etc/apache2/conf-enabled/nagios4-cgi.conf':
 ensure => link,
 }
+ exec { 'a2enconf nagios4-cgi.conf':
+ creates => '/etc/apache2/conf-enabled/nagios4-cgi.conf',
+ notify => Service['apache2'],
+ }
+
 exec { 'a2enmod auth_digest authz_groupfile':
 subscribe => File['/etc/apache2/conf-enabled/nagios4-cgi.conf'],
 refreshonly => true,
 notify => Service['apache2'],
 }
+ #Run this manually 'htdigest -c /etc/nagios4/htdigest.users Nagios4 nagiosadmin' and enter the password in $web_admin_pw
+
 file { '/root/MONITOR_WEB_PASSWORD':
 content => sprintf("%s\n%s\n", $web_admin_user, $web_admin_pw),
diff --git a/global/overlay/etc/puppet/modules/eid/templates/monitor/apache2.conf.erb b/global/overlay/etc/puppet/modules/eid/templates/monitor/apache2.conf.erb
new file mode 100644
index 00000000..1988ad9f
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/templates/monitor/apache2.conf.erb
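Review bot: Nothing in the manifest manages `/etc/nagios4/htdigest.users` any more, so the file the new Apache template authenticates against gets whatever owner and mode the manual `htdigest -c` run in the added comment leaves behind, and the digest hashes it holds are password-equivalent for this realm. I would add `file { '/etc/nagios4/htdigest.users': ensure => file, owner => 'root', group => 'www-data', mode => '0640' }` so the permissions are enforced on every run, and drop `-c` from the comment, since that flag recreates the file and discards any other users in it. The comment also hard-codes `nagiosadmin` while `/root/MONITOR_WEB_PASSWORD` still records `$web_admin_user` and `$web_admin_pw`, so the recorded credentials and the real ones can drift apart; the comment should name `$web_admin_user` instead. The class body and the `/root/MONITOR_WEB_PASSWORD` resource continue outside the hunk.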
@@ -0,0 +1,48 @@
+# apache configuration for nagios 4.x
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+
+ Options FollowSymLinks
+ DirectoryIndex index.php index.html
+ AllowOverride AuthConfig
+ #
+ # The default Debian nagios4 install sets use_authentication=0 in
+ # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+ # This is insecure. As a compromise this default apache2 configuration
+ # only allows private IP addresses access.
+ #
+ # The ... below shows how you can secure the nagios4
+ # web site so anybody can view it, but only authenticated users can issue
+ # commands (such as silence notifications). To do that replace the
+ # "Require all granted" with "Require valid-user", and use htdigest
+ # program from the apache2-utils package to add users to
+ # /etc/nagios4/htdigest.users.
+ #
+ # A step up is to insist all users validate themselves by moving
+ # the stanza's in the .. into the .
+ # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+ # can configure which people get to see a particular service from
+ # within the nagios configuration.
+ #
+ #Require ip ::1/128 fc00::/7 fe80::/10 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
+ AuthDigestDomain "Nagios4"
+ AuthDigestProvider file
+ AuthUserFile "/etc/nagios4/htdigest.users"
+ AuthGroupFile "/etc/group"
+ AuthName "Nagios4"
+ AuthType Digest
+ #Require all granted
+ Require valid-user
+
+
+ Options +ExecCGI
+
\ No newline at end of file
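Review bot: The `Require ip …` line is commented out while the comment block above it still says this configuration "only allows private IP addresses access", so the template documents a network restriction it no longer enforces and digest authentication is the only gate on the pages and CGIs. If the restriction is meant to stay, the `Require ip …` and `Require valid-user` lines need to sit inside `<RequireAll>` … `</RequireAll>`, because sibling `Require` lines are otherwise ORed; if it is meant to go, the comment block should be rewritten to describe the `Require valid-user` setup. The same comment notes that `use_authentication=0` in `/etc/nagios4/cgi.cfg` turns off Nagios's own authentication, and nothing in this patch touches that file, so presumably every authenticated user can still issue commands; that is worth confirming. `AllowOverride AuthConfig` also lets a `.htaccess` in the served directories replace the `Require` rule, and `AllowOverride None` would pin access control to this file.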