Make possible to optionnaly protect munin web interface with a basic http authentication

group_vars/monitoring

@@ -6,9 +6,15 @@ with_mon: False
 
 with_munin: False
 with_munin_node: False
+
 munin_master_vhostname: localhost
 munin_master_vhostport: 80
 
+with_munin_http_auth: False
+munin_http_auth_file: /etc/nginx/auth_munin
+munin_http_auth_username: munin
+munin_http_auth_password_hash: kRNB9HYFOWHgo # openssl passwd -crypt mu1234nin
+
 munin_masters:
   - 127.0.0.1/32
 munin_nodes:

roles/monitoring/tasks/munin.yml

@@ -6,6 +6,10 @@
   action: template src=munin/munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
   when_boolean: ${with_munin}
 
+- name: Create basic authentication file for munin web interface
+  action: template src=munin/nginx_auth.j2 dest=${munin_http_auth_file} owner=root group=www-data mode=0640
+  when_boolean: ${with_munin} and ${with_munin_http_auth}
+
 - name: Install munin nginx virtual host (sites-available)
   action: template src=munin/nginx_vhost.j2 dest=/etc/nginx/sites-available/munin owner=root group=root mode=0644
   notify:

roles/monitoring/templates/munin/nginx_auth.j2

@@ -0,0 +1 @@
+{{ munin_http_auth_username }}:{{ munin_http_auth_password_hash }}

roles/monitoring/templates/munin/nginx_vhost.j2

@@ -12,6 +12,10 @@ server {
     error_log   /var/log/nginx/munin.error.log;
 
     location / {
+{% if with_munin_http_auth %}
+        auth_basic "Restricted Access";
+        auth_basic_user_file {{ munin_http_auth_file }};
+{% endif %}
         root /var/cache/munin/www/;
         break;
     }