smokeping: enable unsafe legacy renegotiation for curl's openssl

Author: kenyon

data/nodes/beta.kenyonralph.com.yaml

@@ -7,6 +7,7 @@ classes:
   - apache::mod::status
   - letsencrypt
   - munin::master
+  - profile::smokeping
   - smokeping
 
 packages:

data/role/homeserver.yaml

@@ -1,5 +1,6 @@
 ---
 classes:
+  - profile::smokeping
   - smokeping
 
 munin::node::plugins:

local-modules/profile/manifests/smokeping.pp

@@ -0,0 +1,31 @@
+# @summary Smokeping configuration
+class profile::smokeping {
+  # Needed because the QC VPN target, probed by curl, doesn't support secure
+  # renegotiation. Unsafe renegotiation is disabled by default in OpenSSL 3.
+  # https://stackoverflow.com/a/72245418/124703
+  file { '/etc/smokeping/openssl.cnf':
+    ensure  => file,
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+    content => @(EOT),
+      openssl_conf = openssl_init
+
+      [openssl_init]
+      ssl_conf = ssl_sect
+
+      [ssl_sect]
+      system_default = system_default_sect
+
+      [system_default_sect]
+      Options = UnsafeLegacyRenegotiation
+      | EOT
+  }
+  -> systemd::dropin_file { 'environment.conf':
+    unit    => 'smokeping.service',
+    content => @(EOT),
+      [Service]
+      Environment=OPENSSL_CONF=/etc/smokeping/openssl.cnf
+      | EOT
+  }
+}