NRPE configuration file using Hiera lookups with Ansible

hiera.py

from ansible import utils, errors
import os
import subprocess
import json
import sys

class LookupModule(object):

    def __init__(self, basedir=None, **kwargs):
        self.basedir = basedir

    def run(self, terms, inject=None, **kwargs):

        terms = utils.listify_lookup_plugin_terms(terms, self.basedir, inject)

        ret = []

        context = kwargs['vars']
        # Hardcoding fetch of environment variables that Hiera needs for now while testing
        environment = context.get('environment', '')
        sitecode_lc = context.get('sitecode_lc', '')

        for term in terms:
            try:
                p = subprocess.Popen(['lib/hiera/bin/hiera',
                    # Hardcoding hiera datasource while testing
                    '-c', 'hiera.yaml',
                    '-f', 'json',
                    term,
                    r'environment=%s' % environment,
                    r'sitecode_lc=%s' % sitecode_lc
                ], stdout=subprocess.PIPE)

                out, err = p.communicate()

                if out is None:
                    out = ""
                else:
                    out = json.loads(out)

                print >> sys.stderr, "Looked up '{0}', got value ({1}):\n{2}\n".format(term, type(out), out)

                if isinstance(out, list):
                    ret.extend(out)
                else:
                    ret.append(out)
            except Exception as e:
                print >> sys.stderr, 'Exception (Hiera lookup): {0}'.format(e)
                ret.append("")

        return ret

nrpe.cfg-lookups.j2

#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad (nagios@nagios.org)
#
# Last Modified: 11-23-2007
#
# NOTES:
# This is a sample configuration file for the NRPE daemon.  It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################


# LOG FACILITY
# The syslog facility that should be used for logging purposes.

log_facility=daemon



# PID FILE
# The name of the file in which the NRPE daemon should write it's process ID
# number.  The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.

pid_file=/var/run/nrpe_pid



# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-priviledged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#server_port=5666
server_port={{ lookup('hiera', 'nrpe_server_port') }}



# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#server_address=127.0.0.1



# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#nrpe_user=nagios
nrpe_user={{ lookup('hiera', 'nrpe_user') }}



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#nrpe_group=nagios
nrpe_group={{ lookup('hiera', 'nrpe_group') }}



# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address.  I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts={{ lookup('hiera', 'nrpe_allowed_hosts')|join(',') }}

# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed.  This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

dont_blame_nrpe=1



# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commmands using sudo.  For this to work, you need to add
# the nagios user to your /etc/sudoers.  An example entry for alllowing
# execution of the plugins from might be:
#
# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password.  If you do this, make sure you don't give
# random users write access to that directory or its contents!
# command_prefix = /usr/bin/sudo
{% set lookup_command_prefix = lookup('hiera', 'nrpe_command_prefix') %}
{% if lookup_command_prefix is defined and lookup_command_prefix != '' %}command_prefix={{ lookup_command_prefix }}{% endif %}



# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on

debug=0



# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.

#command_timeout=60
command_timeout={{ lookup('hiera', 'nrpe_command_timeout') }}



# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.

#connection_timeout=300
connection_timeout={{ lookup('hiera', 'nrpe_connection_timeout') }}



# WEEK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment valiable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness

#allow_weak_random_seed=1



# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.

#include=<somefile.cfg>



# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).

#include_dir=<somedirectory>
#include_dir=<someotherdirectory>

{% for key, command in (lookup('hiera', 'icinga::nrpe::commands').iteritems()) %}
command[{{ key }}]={{ command }}
{% endfor %}