From 8ae16a65dfa37dd48ec83cbf1171e03f85b5a9f6 Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Tue, 28 Mar 2023 09:18:24 +0200
Subject: [PATCH] add: vault pki basics

---
group_vars/all.yaml | 14 +
.../files/hashicorp-archive-keyring.gpg | Bin 0 -> 2879 bytes
roles/vault-pki/files/hashicorp.list | 1 +
roles/vault-pki/tasks/main.yaml | 30 ++
roles/vault-pki/templates/vault.env | 0
roles/vault-pki/templates/vault.hcl | 106 ++++
roles/zabbix-agent/handlers/main.yml | 4 +
roles/zabbix-agent/tasks/main.yaml | 25 +
.../zabbix-agent/templates/zabbix_agentd.conf | 507 ++++++++++++++++++
9 files changed, 687 insertions(+)
create mode 100644 roles/vault-pki/files/hashicorp-archive-keyring.gpg
create mode 100644 roles/vault-pki/files/hashicorp.list
create mode 100644 roles/vault-pki/tasks/main.yaml
create mode 100644 roles/vault-pki/templates/vault.env
create mode 100644 roles/vault-pki/templates/vault.hcl
create mode 100644 roles/zabbix-agent/handlers/main.yml
create mode 100644 roles/zabbix-agent/tasks/main.yaml
create mode 100644 roles/zabbix-agent/templates/zabbix_agentd.conf

diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index 45bae97..76b8ce9 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -11,6 +11,8 @@ smtp_internal_host: 192.168.122.101
 smtp_service_user: noreply
 smtp_service_pass: HISTORY_PURGED_SECRET
 
+pki_domain: pki.atlantishq.de
+
 # overwritten in monitoring master group var
 monitoring_master: false
 
@@ -77,3 +79,15 @@ keycloak_clients:
 groups: "soundlib"
 master_address: "https://sounds.atlantishq.de"
 skips:
+
+ pki:
+ party_secret : "HISTORY_PURGED_SECRET"
+ client_id: z_hashicorp_vault
+ client_secret: "HISTORY_PURGED_SECRET"
+ redirect_uris:
+ - "https://pki.atlantishq.de/*"
+ description: "PKI Vault"
+ keycloak_id: "00000000-0000-0000-0000-000000000004"
+ groups: "pki"
+ master_address: "https://pki.atlantishq.de"
+ skips:
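Review bot: The `redirect_uris` entry for the new `pki` client is a host-wide wildcard, `https://pki.atlantishq.de/*`, while the Vault OIDC reference config added in this same commit only ever redirects to `/oidc/oidc/callback` and `/ui/vault/auth/oidc/oidc/callback`; a wildcard lets any open redirect or attacker-influenced path on that host receive the authorization code, so list those two exact URIs instead. `party_secret : "…"` has a stray space before the colon (YAML strips it, but it is inconsistent with every other key in the file), and `skips:` is a bare null rather than an explicit `[]`. The secret values are purged from this history, but they remain plain scalars in group_vars; wrapping them with ansible-vault (`!vault |`) would keep the real values out of future commits.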
diff --git a/roles/vault-pki/files/hashicorp-archive-keyring.gpg b/roles/vault-pki/files/hashicorp-archive-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..674dd40c4219e7f397ea58978a945ccf952b79ff GIT binary patch literal 2879 zcmaLXcRUn~9|!PrHizTv6%kUQG9r7Om7G0`jyrptkv)>Vg|b5;GS3|{I@vtp?3qn= zgskJ~>GgYF&wsyvKi}`?^XEGgNJ9c|X<8-%1J)pu&6U}KU5t*M&8s9XGK2nkr#mWq zE47K;_lyiJS!FtclVU8=ncE*{1#LHRnz0KPmObz`ViQ`6D)>6v&)?Yx%RcjfO0CEJ z%pu{3F|eLx^Xtl6F*~zxBzsQVu>5QTc{tP!F+YhD@^VrrV{UU6+wCGHFi(}_sK5E* z(;7e%IsN=cEl36-*>$DuTf}?5n$ro`;9aqgw2kT0oQcl`Ntz-9#CzmQx6o$hBG-Bh zi#_*_1Lo9TpJAe}-pFt9=rc_I+G-Do6K;*r9wO8p;+El8&sAKtE3P2@v%89`oG)Z+r?s-O^)Vz_ddrqiJIR=Ip2 z=+2LnA5Qvqq8e$cQ}le43Z=2*0SRl0%p1mYvqcJ|E%(mk7G{CWk{K^Tv^uhXq#G?s zhMF?}vhQLFxR_5Q1@zzDYTFNZY&j}xyGZ`pB{HJ+g3m-!tF%K_0K2`!=@Cc+-x4QI zP^wvQT8=_A;Y*cFHFh3yW7C4m0rW%wqB@v{ji=WI4z9?XJhGnu`?}@+=kz;NwEt%U{(C|M?&cyN12iOo5K#c+fgHr7)RYwD zKr$vON(yQq2{VwG2*^zYWC>;FCGm^hw$rs_QjSkl-YsLkXnxPTPDBcXw=~OUvr(*Mr5jH1`k||jxdr+*-W_3-SfTy` z^osJ1SD)O%Y)xSy^A}wsWukMPB5%e^wU4c?c&b(!Z-nJLcHu7`Uyo zF5r)@WNJ+4xe#Qa*8I*V;WEe!gl7xzbE;jRK@kNzea3z%8+8^=fz%0UJM%q0Gka@fL9KZY_~q{(Qzl6`fhckQ;hN4&e9(E zYD0DdM@f1nt9kGeYrYRAJN>Q{cZ!FT zZ>l@Pj%rga4_PO0v=oHH9)}KG#iKC`vVzI|FtC2*C1eaJKJ#Fm*2<^iAy`_z=xu%H zu-+kKb2iR)N33Zy3J?0$MAw2120oKn zY`@BH{n@2Q;qnZo&hmcPud%kV3Vioo!Iy$fT#iG+xy~$!Rj3(nS`hT)m%w{(S1ieZ z5c1yn_*KRpKC$X#J0p12j0!Ohxw?-jaP?Hzgf?@hT&y#sd*o7U=Bq6cxzFrM>Mu&* z6pzjZyf&mFQ?0FK7ec!DQwAFbJ2H;}QsK%7kdMSuuM*7?eFZ*tbYS!_ESv%tHD)=UHw*4`@5MI-PvF4fuyvs)n$ljz7VSW32OXn$#4@n_-_p_(#rh+hex z5NA)dZ?I?lH-`}x_Z;<&8iCUh2HSAdi&UBH!_FFOWmUyo!;(v)6%UL%A#=|Tv)9^P zurqU~!~sq6Ph0?L&?f|uCrwhSw3K0 zg4l$-V1|)j;s)^}_&9nbGJ)Zkhx%!nA0E+C9aU2Nt4YnGgpRZ^oVNA=*_7Mshpj%m zJrD)sl*x_huVP7x5hERK3mTTey-XfE)0+J7Et)_BUKq**yBL^6;e`Jxzcv)W{6a^;NVIke)$|l!Jq5RzKRi zxr#>zGV(wEP;*lo*zd!^U_#rs$@}Ke`mt#`C^BT6uOClC&h9GD(D}kEI3MsMKo{2j zQ!acvIYLB8jmAkj1B+^e(;oXDAa1|~&~b7d6`>hS&wui&dilN-c{?(`P~-{|%gYbH z-M@6IN{&s{7YgWmKz;mG<)-JcV2c%y;RZ|Z`uzkcsI#hXU}0-u9`s5hIQTEw?9sd0 
zr5tOD5`6qsbXS%%M@3g7#*dAwtB>esT~>XR3$EpBuX^qaQsW3#mxmDsUH$YI9rcipeY5CQDmd
zqyMIgIcX()j=9&$sw4vn*?*cnzw<#cj!7nu(92t8LZ!`^o2*ZaSz}vO%<8PPbSKc0UOr}gIX2YGn()Dx(H|Sotn{XTkPx(+MTa5_XT_Hf*
z$o@(MLRYA7q;h9rxpj(P_pu|Z>_ZSHFBQ^1`s9qPnC?!7ypph1nXPQ3`?b)WD$d|GYo)}xHWVvE3KON1l#20Mp
znA4=!S2rgXCT7tiG*)Y6Y@x7J*ecQS!!IOAY
zcmkMJ19R?QXs%;4J4h+BPC*r)AfA*?s&J@OQR1Sd$dWr*qF9}5+HfM~Kwc{zHw0c?
z;~B4dozFzq@@7gN!l*9mt?{yh?50+f1&-l3_%pE}l()W*&{OU;j`U+`p-j(Bge
zDCL?^&tSJnGE0sHbClD
F;BR8aVf_FA
literal 0
HcmV?d00001

diff --git a/roles/vault-pki/files/hashicorp.list b/roles/vault-pki/files/hashicorp.list
new file mode 100644
index 0000000..db4192e
--- /dev/null
+++ b/roles/vault-pki/files/hashicorp.list
@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com bullseye main
diff --git a/roles/vault-pki/tasks/main.yaml b/roles/vault-pki/tasks/main.yaml
new file mode 100644
index 0000000..6c76215
--- /dev/null
+++ b/roles/vault-pki/tasks/main.yaml
@@ -0,0 +1,30 @@
+- name: Copy Hashicorp APT-key
+ copy:
+ src: hashicorp-archive-keyring.gpg
+ dest: /usr/share/keyrings/
+ mode: 0644
+ notify:
+ - apt update
+
+- name: Add hashicorp apt repo
+ copy:
+ src: hashicorp.list
+ dest: /etc/apt/sources.list.d/
+ mode: 0644
+ notify:
+ - apt update
+
+- meta: flush_handlers
+
+- name: Install vault
+ apt:
+ name: vault
+ state: present
+
+- name: Template config
+ template:
+ src: "{{ item }}"
+ dest: "/etc/vault.d/"
+ with_items:
+ - vault.hcl
+ - vault.env
diff --git a/roles/vault-pki/templates/vault.env b/roles/vault-pki/templates/vault.env
new file mode 100644
index 0000000..e69de29
diff --git a/roles/vault-pki/templates/vault.hcl b/roles/vault-pki/templates/vault.hcl
new file mode 100644
index 0000000..4fc06f7
--- /dev/null
+++ b/roles/vault-pki/templates/vault.hcl
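Review bot: The `Template config` task writes `vault.hcl` and `vault.env` into `/etc/vault.d/` with no `owner`, `group` or `mode`, so they get the connection user's defaults (typically root-owned and world-readable); `vault.env` is empty here but is the conventional place for service secrets, and `vault.hcl` is a Jinja template that expands inventory variables, so both should be `vault:vault` with `mode: "0640"`. Nothing in the role restarts or enables the `vault` service, so re-templating the config has no effect until someone restarts it by hand; the only handler notified is `apt update`, which is not defined in this commit and presumably lives in a play-level handlers file. The vendored `hashicorp-archive-keyring.gpg` is copied in without any record of the key fingerprint it was checked against, so a reviewer cannot tell a swapped keyring from the genuine one — a comment such as `# verified against the fingerprint published on apt.releases.hashicorp.com on <date>` would make the supply-chain trust explicit. The proposed task needs a matching `restart vault` handler.
```yaml
- name: Template config
  template:
    src: "{{ item }}"
    dest: "/etc/vault.d/{{ item }}"
    owner: vault
    group: vault
    mode: "0640"
  with_items:
    - vault.hcl
    - vault.env
  notify:
    - restart vault

- name: Enable and start vault
  systemd:
    name: vault
    enabled: true
    state: started
```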
@@ -0,0 +1,106 @@
+ui = true
+
+storage "file" {
+ path = "/opt/vault/data"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = 1
+}
+
+api_addr = "http://127.0.0.1:8200"
+
+# Terraform OIDC config for reference
+#path "/secret/*" {
+# capabilities = ["read", "list"]
+#}
+#
+#resource "vault_identity_oidc_key" "keycloak_provider_key" {
+# name = "keycloak"
+# algorithm = "RS256"
+#}
+#
+#resource "vault_jwt_auth_backend" "keycloak" {
+# path = "oidc"
+# type = "oidc"
+# default_role = "{{ keycloak_clients['pki']['groups'] }}"
+#
+# oidc_discovery_url="https://{{ keycloak_address }}/realms/master"
+# oidc_client_id="{{ keycloak_clients['pki']['client_id'] }}"
+# oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"
+#
+# tune {
+# audit_non_hmac_request_keys = []
+# audit_non_hmac_response_keys = []
+# default_lease_ttl = "1h"
+# listing_visibility = "unauth"
+# max_lease_ttl = "1h"
+# passthrough_request_headers = []
+# token_type = "default-service"
+# }
+#}
+#
+#resource "vault_jwt_auth_backend_role" "pki" {
+# backend = vault_jwt_auth_backend.keycloak.path
+# role_name = "pki"
+# role_type = "oidc"
+# token_ttl = 3600
+# token_max_ttl = 3600
+#
+# bound_audiences="{{ pki_domain }}"
+# user_claim = "sub"
+# claim_mappings = {
+# preferred_username = "username"
+# email = "email"
+# }
+#
+# allowed_redirect_uris = [
+# "https://{{ pki_domain }}/oidc/oidc/callback",
+# "https://{{ pki_domain }}/ui/vault/auth/oidc/oidc/callback"
+# ]
+# groups_claim = format("/resource_access/%s/roles",
+# keycloak_openid_client.openid_client.client_id)
+#}
+#
+#data "vault_policy_document" "reader_policy" {
+# rule {
+# path = "/secret/*"
+# capabilities = ["list", "read"]
+# }
+#}
+#
+#resource "vault_policy" "reader_policy" {
+# name = "reader"
+# policy = data.vault_policy_document.reader_policy.hcl
+#}
+#data "vault_policy_document" "manager_policy" {
+# rule {
+# path = "/secret/*"
+# capabilities = ["create", "update", "delete"]
+# }
+#}
+#
+#resource "vault_policy" "manager_policy" {
+# name = "management"
+# policy = data.vault_policy_document.manager_policy.hcl
+#}
+#
+#resource "vault_identity_oidc_role" "management_role" {
+# name = "management"
+# key = vault_identity_oidc_key.keycloak_provider_key.name
+#}
+#
+#resource "vault_identity_group" "management_group" {
+# name = vault_identity_oidc_role.management_role.name
+# type = "external"
+# policies = [
+# vault_policy.manager_policy.name
+# ]
+#}
+#
+#resource "vault_identity_group_alias" "management_group_alias" {
+# name = "pki"
+# mount_accessor = vault_jwt_auth_backend.keycloak.accessor
+# canonical_id = vault_identity_group.management_group.id
+#}
diff --git a/roles/zabbix-agent/handlers/main.yml b/roles/zabbix-agent/handlers/main.yml
new file mode 100644
index 0000000..c43d2f8
--- /dev/null
+++ b/roles/zabbix-agent/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart zabbix-agent
+ systemd:
+ name: zabbix-agent
+ state: restarted
diff --git a/roles/zabbix-agent/tasks/main.yaml b/roles/zabbix-agent/tasks/main.yaml
new file mode 100644
index 0000000..4f5da80
--- /dev/null
+++ b/roles/zabbix-agent/tasks/main.yaml
@@ -0,0 +1,25 @@
+- name: Install zabbix Agent
+ apt:
+ pkg:
+ - zabbix-agent
+ notify:
+ - restart zabbix-agent
+
+- name: Copy agent conf file
+ template:
+ src: zabbix_agentd.conf
+ dest: /etc/zabbix/zabbix_agentd.conf
+ owner: zabbix
+ notify:
+ - restart zabbix-agent
+
+- name: Create legacy directories for backwards compability
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: zabbix
+ with_items:
+ - /var/log/zabbix-agent/
+ - /etc/zabbix/zabbix_agentd.conf.d
+ notify:
+ - restart zabbix-agent
diff --git a/roles/zabbix-agent/templates/zabbix_agentd.conf b/roles/zabbix-agent/templates/zabbix_agentd.conf
new file mode 100644
index 0000000..5b53319
--- /dev/null
+++ b/roles/zabbix-agent/templates/zabbix_agentd.conf
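Review bot: The `listener "tcp"` block binds `0.0.0.0:8200` with `tls_disable = 1`, so every Vault token, unseal key share and any private key the PKI engine returns crosses the network in clear text, and any host that can reach the port talks to Vault directly; if a TLS-terminating proxy on the same box fronts `pki_domain` (the https `master_address` in group_vars suggests so) change it to `address = "127.0.0.1:8200"`, otherwise set `tls_cert_file`/`tls_key_file` and drop `tls_disable`. The commented-out Terraform reference is still rendered by Ansible's `template` module — `#` is not a Jinja comment — so `oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"` writes the real Keycloak client secret into `/etc/vault.d/vault.hcl` on disk even though HCL ignores the line; delete that line or wrap the reference block in `{% raw %}` … `{% endraw %}`. `{{ keycloak_address }}` in the same block is not defined anywhere in this diff, so the template renders only if that variable exists elsewhere in the inventory.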
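Review bot: `Create legacy directories` makes `/etc/zabbix/zabbix_agentd.conf.d` owned by `zabbix`, and `Copy agent conf file` hands `/etc/zabbix/zabbix_agentd.conf` to the same user, while the templated config in this commit includes `/etc/zabbix/zabbix_agentd.conf.d/*.conf`; anything running as the unprivileged `zabbix` user can therefore drop a `UserParameter=` or `AllowKey=system.run[*]` file that becomes live at the next restart, turning an agent compromise into persistent command execution the Zabbix server can trigger. Configuration should be root-owned and read-only for the agent; only the log directory needs to be writable by `zabbix`. Neither task sets a `mode`, so permissions depend on the controller's umask. (`compability` in the task name is a typo for `compatibility`.)
```yaml
- name: Copy agent conf file
  template:
    src: zabbix_agentd.conf
    dest: /etc/zabbix/zabbix_agentd.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart zabbix-agent

- name: Create include directory (root-owned, agent only reads it)
  file:
    path: /etc/zabbix/zabbix_agentd.conf.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  notify:
    - restart zabbix-agent

- name: Create legacy log directory (agent must write here)
  file:
    path: /var/log/zabbix-agent/
    state: directory
    owner: zabbix
    group: zabbix
    mode: "0750"
  notify:
    - restart zabbix-agent
```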
@@ -0,0 +1,507 @@
+# This is a configuration file for Zabbix agent daemon (Unix)
+# To get more information about Zabbix, visit http://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_agentd.pid
+
+PidFile=/run/zabbix/zabbix_agentd.pid
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbix-agent/zabbix_agentd.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+DebugLevel=3
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: AllowKey
+# Allow execution of item keys matching pattern.
+# Multiple keys matching rules may be defined in combination with DenyKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+#
+# Mandatory: no
+
+### Option: DenyKey
+# Deny execution of items keys matching pattern.
+# Multiple keys matching rules may be defined in combination with AllowKey.
+# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+# Parameters are processed one by one according their appearance order.
+# If no AllowKey or DenyKey rules defined, all keys are allowed.
+# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
+#
+# Mandatory: no
+# Default:
+# DenyKey=system.run[*]
+
+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
+# Internal alias for AllowKey/DenyKey parameters depending on value:
+# 0 - DenyKey=system.run[*]
+# 1 - AllowKey=system.run[*]
+#
+# Mandatory: no
+
+### Option: LogRemoteCommands
+# Enable logging of executed shell commands as warnings.
+# 0 - disabled
+# 1 - enabled
+#
+# Mandatory: no
+# Default:
+# LogRemoteCommands=0
+
+##### Passive checks related
+
+### Option: Server
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
+# Incoming connections will be accepted only from the hosts listed here.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: yes, if StartAgents is not explicitly set to 0
+# Default:
+# Server=
+
+Server=192.168.122.92
+
+### Option: ListenPort
+# Agent will listen on this port for connections from the server.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10050
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the agent should listen on.
+# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: StartAgents
+# Number of pre-forked instances of zabbix_agentd that process passive checks.
+# If set to 0, disables passive checks and the agent will not listen on any TCP port.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartAgents=3
+
+##### Active checks related
+
+### Option: ServerActive
+# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.
+# If port is not specified, default port is used.
+# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+# If port is not specified, square brackets for IPv6 addresses are optional.
+# If this parameter is not specified, active checks are disabled.
+# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+#
+# Mandatory: no
+# Default:
+# ServerActive=
+
+ServerActive=192.168.122.92
+
+### Option: Hostname
+# Unique, case sensitive hostname.
+# Required for active checks and must match hostname as configured on the server.
+# Value is acquired from HostnameItem if undefined.
+#
+# Mandatory: no
+# Default:
+# Hostname=
+
+
+### Option: HostnameItem
+# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
+# Does not support UserParameters or aliases.
+#
+# Mandatory: no
+# Default:
+# HostnameItem=system.hostname
+
+### Option: HostMetadata
+# Optional parameter that defines host metadata.
+# Host metadata is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostMetadataItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostMetadata=
+HostMetadata=Linux
+
+### Option: HostMetadataItem
+# Optional parameter that defines an item used for getting host metadata.
+# Host metadata is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostMetadata is not defined.
+#
+# Mandatory: no
+# Default:
+# HostMetadataItem=
+
+### Option: HostInterface
+# Optional parameter that defines host interface.
+# Host interface is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostInterfaceItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostInterface=
+
+### Option: HostInterfaceItem
+# Optional parameter that defines an item used for getting host interface.
+# Host interface is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostInterface is not defined.
+#
+# Mandatory: no
+# Default:
+# HostInterfaceItem=
+
+### Option: RefreshActiveChecks
+# How often list of active checks is refreshed, in seconds.
+#
+# Mandatory: no
+# Range: 60-3600
+# Default:
+# RefreshActiveChecks=120
+
+### Option: BufferSend
+# Do not keep data longer than N seconds in buffer.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# BufferSend=5
+
+### Option: BufferSize
+# Maximum number of values in a memory buffer. The agent will send
+# all collected data to Zabbix Server or Proxy if the buffer is full.
+#
+# Mandatory: no
+# Range: 2-65535
+# Default:
+# BufferSize=100
+
+### Option: MaxLinesPerSecond
+# Maximum number of new lines the agent will send per second to Zabbix Server
+# or Proxy processing 'log' and 'logrt' active checks.
+# The provided value will be overridden by the parameter 'maxlines',
+# provided in 'log' or 'logrt' item keys.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# MaxLinesPerSecond=20
+
+############ ADVANCED PARAMETERS #################
+
+### Option: Alias
+# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+# Different Alias keys may reference the same item key.
+# For example, to retrieve the ID of user 'zabbix':
+# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+# Now shorthand key zabbix.userid may be used to retrieve data.
+# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+#
+# Mandatory: no
+# Range:
+# Default:
+
+### Option: Timeout
+# Spend no more than Timeout seconds on processing
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+### Option: AllowRoot
+# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /etc/zabbix, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+# Include=/etc/zabbix/zabbix_agentd.userparams.conf
+# Include=/etc/zabbix/zabbix_agentd.conf.d/
+Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf
+
+####### USER-DEFINED MONITORED PARAMETERS #######
+
+### Option: UnsafeUserParameters
+# Allow all characters to be passed in arguments to user-defined parameters.
+# The following characters are not allowed:
+# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+# Additionally, newline characters are not allowed.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# UnsafeUserParameters=0
+
+### Option: UserParameter
+# User-defined parameter to monitor. There can be several user-defined parameters.
+# Format: UserParameter=,
+# See 'zabbix_agentd' directory for examples.
+#
+# Mandatory: no
+# Default:
+# UserParameter=
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of agent modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_agentd --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=${libdir}/modules
+
+### Option: LoadModule
+# Module to load at agent startup. Modules are used to extend functionality of the agent.
+# Formats:
+# LoadModule=
+# LoadModule=
+# LoadModule=
+# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
+# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the agent should connect to server or proxy. Used for active checks.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSConnect=unencrypted
+
+### Option: TLSAccept
+# What incoming connections to accept.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSAccept=unencrypted
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+# Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertIssuer=
+
+### Option: TLSServerCertSubject
+# Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertSubject=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the agent certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the agent private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
+
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example:
+# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
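Review bot: `Server=192.168.122.92` and `ServerActive=192.168.122.92` are the only access control in this config; `TLSConnect`/`TLSAccept` are left at their `unencrypted` default, so passive checks on port 10050 are authenticated purely by source IP and active-check data goes to the server in clear text. The agent supports PSK out of the box, the PSK file can be deployed from an ansible-vault variable with `mode: "0600"`, and with `TLSAccept=psk` the agent also refuses plaintext from a spoofed server address — the server-side host entry must be switched to PSK at the same time. `LogFileSize=0` disables the agent's own rotation of `/var/log/zabbix-agent/zabbix_agentd.log`, which is only safe if logrotate covers that legacy path; nothing in the diff shows that. `HostMetadata=Linux` feeds auto-registration; whether that is acceptable depends on the server-side action, which is not visible here.
```ini
# … unchanged: everything above TLS-RELATED PARAMETERS …
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity={{ inventory_hostname }}
TLSPSKFile=/etc/zabbix/zabbix_agentd.psk
# … unchanged: commented option documentation …
```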