
icinga2: Move ApiListener certs to new location

Philipp Fromme 2 years ago
parent
commit
9ddb49aed7
2 changed files with 26 additions and 13 deletions
  1. 0 3
      icinga2/api.conf
  2. 26 10
      icinga2/init.sls

+ 0 - 3
icinga2/api.conf

@@ -4,9 +4,6 @@
 
 object ApiListener "api" {
 	bind_host = "127.0.0.1"
-	cert_path = "/etc/icinga2/pki/ffhohost.cert.pem"
-	key_path  = "/etc/icinga2/pki/ffhohost.key.pem"
-	ca_path   = "/etc/ssl/certs/ffho-cacert.pem"
 
 	ticket_salt = TicketSalt
 

+ 26 - 10
icinga2/init.sls

@@ -96,31 +96,45 @@ ffho-plugins:
       - service: icinga2
 
 
-# Install host cert + key readable for icinga
+# Install CA cert + host cert + key readable for icinga
+/var/lib/icinga2/certs:
+  file.directory:
+    - makedirs: True
+
+/var/lib/icinga2/certs/ca.crt:
+  file.managed:
+    - source: salt://certs/ffho-cacert.pem
+    - user: nagios
+    - group: nagios
+    - mode: 644
+    - require:
+      - pkg: icinga2
+      - file: /var/lib/icinga2/certs
+    - watch_in:
+      - sevice: icinga2
+
 {% set pillar_name = 'nodes:' ~ grains['id'] ~ ':certs:' ~ grains['id'] %}
-/etc/icinga2/pki/ffhohost.cert.pem:
+/var/lib/icinga2/certs/{{ grains['id'] }}.crt:
   file.managed:
-    {% if salt['pillar.get'](pillar_name ~ ':cert') == "file" %}
-    - source: salt://certs/certs/{{ cn }}.cert.pem
-    {% else %}
     - contents_pillar: {{ pillar_name }}:cert
-    {% endif %}
-    - user: root
-    - group: root
+    - user: nagios
+    - group: nagios
     - mode: 644
     - require:
       - pkg: icinga2
+      - file: /var/lib/icinga2/certs
     - watch_in:
       - service: icinga2
 
-/etc/icinga2/pki/ffhohost.key.pem:
+/var/lib/icinga2/certs/{{ grains['id'] }}.key:
   file.managed:
     - contents_pillar: {{ pillar_name }}:privkey
-    - user: root
+    - user: nagios
     - group: nagios
     - mode: 440
     - require:
       - pkg: icinga2
+      - file: /var/lib/icinga2/certs
     - watch_in:
       - service: icinga2
 
@@ -130,6 +144,8 @@ ffho-plugins:
 /etc/icinga2/features-enabled/{{ feature }}.conf:
   file.symlink:
     - target: "../features-available/{{ feature }}.conf"
+    - user: nagios
+    - group: nagios
     - require:
       - pkg: icinga2
     - watch_in:
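Review bot: The `watch_in` requisite on the new `/var/lib/icinga2/certs/ca.crt` state in the first hunk is spelled `- sevice: icinga2` instead of `- service: icinga2`, so Salt cannot resolve it to the icinga2 service state; the highstate will most likely fail on the unresolved requisite, and in any case a changed CA file would never trigger the restart that the two sibling cert/key states wire up correctly. Change that line to `      - service: icinga2`. A secondary point of style in the same hunk: `makedirs: True` and the unquoted `mode: 644` / `mode: 440` values are accepted by Salt's loader, but `true` and quoted modes (`"0644"`, `"0440"`) are the documented forms and avoid the YAML octal-vs-integer ambiguity. The new `/var/lib/icinga2/certs` directory state sets only `makedirs`, so its ownership and mode fall to Salt's defaults; if the intent is that the whole cert tree is owned by nagios like the files inside it, adding `- user: nagios` / `- group: nagios` there would make that explicit.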