limit -sd access to bacula clients and the director
[mirror/dsa-puppet.git] / modules / bacula / manifests / director.pp
index 3bb0197..b4e0105 100644 (file)
+# our bacula director
 class bacula::director inherits bacula {
 
-  package {
-    "bacula-director-pgsql": ensure => installed;
-    "bacula-common": ensure => installed;
-    "bacula-common-pgsql": ensure => installed;
-  }
-
-  service {
-    "bacula-director":
-      ensure => running,
-      enable => true,
-      hasstatus => true,
-      require => Package["bacula-director-pgsql"];
-  }
-  file {
-    "/etc/bacula/conf.d":
-      ensure  => directory,
-      mode => 755,
-      group => bacula,
-      notify  => Exec["bacula-director restart"]
-      ;
-    "/etc/bacula/bacula-dir.conf":
-      content => template("bacula/etc/bacula/bacula-dir.conf.erb"),
-      mode => 440,
-      group => bacula,
-      require => Package["bacula-director-pgsql"],
-      notify  => Exec["bacula-director restart"]
-      ;
-  }
-
-  exec {
-    "bacula-director restart":
-      path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-      refreshonly => true;
+  ensure_packages ( [
+    'bacula-director-pgsql',
+    'bacula-common',
+    'bacula-common-pgsql'
+  ], {
+    ensure => 'installed',
+  })
+
+  service { 'bacula-director':
+    ensure    => running,
+    enable    => true,
+    hasstatus => true,
+    require   => Package['bacula-director-pgsql']
+  }
+  dsa_systemd::override { 'bacula-director':
+    content => @(EOT)
+      [Unit]
+      After=unbound.service
+      | EOT
+  }
+
+  exec { 'bacula-director reload':
+    path        => '/usr/bin:/usr/sbin:/bin:/sbin',
+    command     => 'service bacula-director reload',
+    refreshonly => true,
+  }
+
+  file { '/etc/bacula/conf.d':
+    ensure  => directory,
+    mode    => '0755',
+    group   => bacula,
+    purge   => true,
+    force   => true,
+    recurse => true,
+    source  => 'puppet:///files/empty/',
+    notify  => Exec['bacula-director reload']
+  }
+
+  file { '/etc/bacula/bacula-dir.conf':
+    content => template('bacula/bacula-dir.conf.erb'),
+    mode    => '0440',
+    group   => bacula,
+    require => Package['bacula-director-pgsql'],
+    notify  => Exec['bacula-director reload']
+  }
+
+  file { '/etc/bacula/conf.d/empty.conf':
+    content => '',
+    mode    => '0440',
+    group   => bacula,
+    require => Package['bacula-director-pgsql'],
+    notify  => Exec['bacula-director reload']
+  }
+
+  Bacula::Node<<| |>>
+
+  package { 'bacula-console':
+    ensure => installed;
+  }
+
+  file { '/etc/bacula/bconsole.conf':
+    content => template('bacula/bconsole.conf.erb'),
+    mode    => '0640',
+    group   => bacula,
+    require => Package['bacula-console']
+  }
+
+  package { 'python3-psycopg2': ensure => installed }
+  file { '/etc/bacula/scripts/volume-purge-action':
+    mode   => '0555',
+    source => 'puppet:///modules/bacula/volume-purge-action',
+    ;
+  }
+  file { '/etc/bacula/scripts/volumes-delete-old':
+    mode   => '0555',
+    source => 'puppet:///modules/bacula/volumes-delete-old',
+    ;
+  }
+  file { '/etc/bacula/storages-list.d':
+    ensure  => directory,
+    mode    => '0755',
+    group   => bacula,
+    purge   => true,
+    force   => true,
+    recurse => true,
+    source  => 'puppet:///files/empty/',
+  }
+  file { '/usr/local/sbin/dsa-bacula-scheduler':
+    source => 'puppet:///modules/bacula/dsa-bacula-scheduler',
+    mode   => '0555',
+  }
+
+  file { '/etc/cron.d/puppet-bacula-stuff': ensure => absent, }
+  concat::fragment { 'puppet-crontab--bacula-director':
+    target  => '/etc/cron.d/puppet-crontab',
+    content => @(EOF)
+      @daily root chronic /etc/bacula/scripts/volume-purge-action -v
+      @daily root chronic /etc/bacula/scripts/volumes-delete-old -v
+      */3 * * * * root sleep $(( $RANDOM \% 60 )); flock -w 0 -e /usr/local/sbin/dsa-bacula-scheduler /usr/local/sbin/dsa-bacula-scheduler
+      | EOF
+  }
+
+  concat { $bacula::bacula_dsa_client_list:
+  }
+  concat::fragment { 'bacula-dsa-client-list::header' :
+    target  => $bacula::bacula_dsa_client_list,
+    content => '',
+    order   => '00',
+  }
+  Concat::Fragment <<| tag == $bacula::tag_bacula_dsa_client_list |>>
+
+  @@ferm::rule::simple { "bacula::director-to-fd::${::fqdn}":
+    tag         => "bacula::director-to-fd::${::fqdn}",
+    description => 'Allow bacula-fd from the bacula-director',
+    port        => '7', # overridden on collecting
+    saddr       => $bacula::public_addresses,
+  }
+  @@ferm::rule::simple { "bacula::director-to-storage::${::fqdn}":
+    tag         => "bacula::director-to-storage::${::fqdn}",
+    description => 'Allow bacula-storage access from the bacula-director',
+    chain       => 'bacula-sd',
+    saddr       => $bacula::public_addresses,
   }
 }
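Review bot: The `bacula-director reload` exec has no ordering relation to `Service['bacula-director']`, so on a fresh host the notify from `bacula-dir.conf` or the `conf.d` resources can run `service bacula-director reload` before the unit has been started, which fails instead of picking up the new configuration; adding `require => Service['bacula-director']` to the exec closes that gap. Separately, `/etc/bacula/conf.d` is managed with `recurse => true` and `mode => '0755'`: unless the per-client files collected by `Bacula::Node<<| |>>` (defined outside this hunk) set their own mode, the directory's mode is what those files end up with, which is looser than the `0440` applied to `bacula-dir.conf` and `empty.conf` and is worth confirming, since director-side client config presumably carries FD credentials. The two `@@ferm::rule::simple` exports would also benefit from a comment stating why the storage rule carries no `port` and the FD rule carries a placeholder, e.g. `# exported; the collecting side overrides port (fd) or appends to its bacula-sd chain (sd)`, so the `port => '7'` remark is not read as a typo.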