# File 'modules/profile/manifests/syslog/remote.pp', line 32
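# @summary Forward local syslog to the central syslog hosts over TLS.
#
# When $enable is true this class installs the rsyslog TLS transport
# package that matches the netstream driver actually in use, creates
# /etc/rsyslog for the client certificate material, resolves the client
# cert/key paths according to $mtls_provider and declares the
# 'remote_syslog' rsyslog::conf rendered from
# profile/syslog/remote/syslog.conf.erb. When $enable is false nothing is
# declared at all.
#
# @param enable
#   Master switch; every resource below is gated on it.
# @param central_hosts_tls
#   Per-site map of central syslog hosts. The entry for $::site is used,
#   falling back to the 'default' entry. Must be non-empty when enabled.
# @param send_logs
#   Which log set to forward. Not referenced here directly; presumably
#   consumed by the template (not shown).
# @param queue_size
#   Queue size for the forwarding action; presumably consumed by the
#   template (not shown).
# @param mtls_provider
#   Source of the client certificate: 'puppet' exposes the agent certs
#   under /etc/rsyslog/ssl, 'cfssl' requests a 'syslog' certificate via
#   profile::pki::get_cert, 'disabled' sets no client cert/key.
# @param tls_server_auth
#   rsyslog StreamDriverAuthMode value handed to the template. Assuming it
#   is passed through unchanged, 'x509/name' is the stricter option since
#   it also pins the peer name; 'x509/certvalid' only validates the chain.
# @param tls_netstream_driver
#   Requested rsyslog netstream driver. Forced to 'ossl' on buster and
#   older (T351181); see $_tls_netstream_driver below.
# @param tls_trusted_ca
#   Path of the CA bundle used to validate the central hosts; presumably
#   consumed by the template (not shown).
class profile::syslog::remote (
  Boolean $enable = lookup('profile::syslog::remote::enable'),
  Profile::Syslog::Hosts $central_hosts_tls = lookup('profile::syslog::remote::central_hosts_tls'),
  Enum['auth-logs', 'standard'] $send_logs = lookup('profile::syslog::remote::send_logs'),
  Integer $queue_size = lookup('profile::syslog::remote::queue_size'),
  Enum['disabled', 'puppet', 'cfssl'] $mtls_provider = lookup('profile::syslog::remote::mtls_provider'),
  Enum['x509/certvalid', 'x509/name'] $tls_server_auth = lookup('profile::syslog::remote::tls_server_auth'),
  Enum['gtls', 'ossl'] $tls_netstream_driver = lookup('profile::syslog::remote::tls_netstream_driver'),
  Stdlib::Unixpath $tls_trusted_ca = lookup('profile::syslog::remote::tls_trusted_ca'),
) {
  $owner = 'root'
  $group = 'root'

  # force ossl on buster #T351181
  # This resolved value, not the raw parameter, is what every later
  # driver-dependent decision (package choice, and presumably the
  # template) has to look at.
  $_tls_netstream_driver = debian::codename::le('buster').bool2str('ossl', $tls_netstream_driver)

  if $enable {
    if $central_hosts_tls.empty {
      fail('profile::syslog::remote: requires \$central_hosts_tls if enabled')
    }
    # pick() fails the catalog when neither the site-specific entry nor
    # 'default' is set, so a misconfigured site cannot silently forward
    # nowhere.
    $_central_hosts_tls = pick($central_hosts_tls[$::site], $central_hosts_tls['default'])

    # Install the transport package for the driver actually in use. The
    # check is against the resolved driver: a buster host configured for
    # gtls is forced to ossl above and would otherwise only get
    # rsyslog-gnutls installed.
    if $_tls_netstream_driver == 'gtls' {
      ensure_packages('rsyslog-gnutls')
    } elsif debian::codename::eq('buster') {
      # for >= bullseye, available in debian main
      # otherwise through component/rsyslog-openssl (T324623)
      # On Buster syslog clients acting as syslog servers,
      # apt::package_from_component may have been defined
      # in rsyslog::receiver as well, hence ensure_resource.
      ensure_resource('apt::package_from_component', 'rsyslog-tls', {
        component => 'component/rsyslog-openssl',
        packages  => ['rsyslog-openssl', 'rsyslog-kafka', 'rsyslog'],
        before    => Class['rsyslog'],
      })
    } else {
      ensure_packages('rsyslog-openssl')
    }

    # Holds the client certificate and private key when mTLS is enabled,
    # so it is root-only. Puppet sets the search bit on directories
    # wherever the read bit is set, so 0400 ends up as 0500 on disk.
    file { '/etc/rsyslog':
      ensure => 'directory',
      owner  => $owner,
      group  => $group,
      mode   => '0400',
    }

    # Resolve the client cert/key paths for the template. 'disabled'
    # (the default branch) leaves both undef.
    case $mtls_provider {
      'puppet': {
        # provide_private => true copies the agent's private key under
        # /etc/rsyslog/ssl; the directory above must exist first.
        puppet::expose_agent_certs { '/etc/rsyslog':
          provide_private => true,
          user            => $owner,
          group           => $group,
          require         => File['/etc/rsyslog'],
        }
        $cert_file = '/etc/rsyslog/ssl/cert.pem'
        $key_file  = '/etc/rsyslog/ssl/server.key'
      }
      'cfssl': {
        $ssl_paths = profile::pki::get_cert('syslog')
        $cert_file = $ssl_paths['chained']
        $key_file  = $ssl_paths['key']
      }
      default: {
        $cert_file = undef
        $key_file  = undef
      }
    }

    rsyslog::conf { 'remote_syslog':
      content  => template('profile/syslog/remote/syslog.conf.erb'),
      priority => 30,
    }
  }
  # No ensure=>absent handling is needed for the $enable == false case
  # because ::rsyslog uses recursive purge to manage the files in its config
  # directory. Simply not adding the file will cause Puppet to remove it if
  # present.
}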