Split the director config coming from each node in two parts: one that comes from...

[mirror/dsa-puppet.git] / modules / bacula / manifests / storage.pp

diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp
index 2db1fa2..69e8ddc 100644 (file)
--- a/modules/bacula/manifests/storage.pp
+++ b/modules/bacula/manifests/storage.pp
@@ -1,5 +1,17 @@
 # the bacula storage node
-class bacula::storage inherits bacula {
+#
+# @param backup_path the directory where backups should be stored
+# @param filestor_device Storage device name prefix
+# @param filestor_name Storage device media type name prefix
+# @param port_sd Port for the sd to listen on
+class bacula::storage (
+  String $backup_path     = '/srv/bacula',
+  String $filestor_device = 'FileStorage',
+  String $filestor_name   = 'File',
+  Integer $port_sd        = 9103,
+) inherits bacula {
+  $storage_secret = hkdf('/etc/puppet/secret', "bacula-sd-${::fqdn}")
+
   package { 'bacula-sd':
     ensure => installed
   }
@@ -19,9 +31,9 @@ class bacula::storage inherits bacula {
 
   exec { 'bacula-sd restart-when-idle':
     path        => '/usr/bin:/usr/sbin:/bin:/sbin',
-    command     => 'sh -c "setsid /usr/local/sbin/bacula-idle-restart sd &"',
+    command     => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_sd} bacula-sd &'",
     refreshonly => true,
-    subscribe   => File[$bacula_ssl_server_cert],
+    subscribe   => File[$bacula::bacula_ssl_server_cert],
     require     => File['/usr/local/sbin/bacula-idle-restart'],
   }
 
@@ -44,19 +56,14 @@ class bacula::storage inherits bacula {
     notify  => Exec['bacula-sd restart-when-idle']
   }
 
-  ferm::rule { 'dsa-bacula-sd-v4':
-    domain      => '(ip)',
-    description => 'Allow bacula-sd access from director and clients',
-    rule        => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V4 5.153.231.125 5.153.231.126) ACCEPT; }',
-    notarule    => true,
-  }
-
-  ferm::rule { 'dsa-bacula-sd-v6':
-    domain      => '(ip6)',
-    description => 'Allow bacula-sd access from director and clients',
-    rule        => 'proto tcp mod state state (NEW) dport (bacula-sd) @subchain \'bacula-sd\' { saddr ($HOST_DEBIAN_V6) ACCEPT; }',
-    notarule    => true,
+  # allow access from director and fds
+  ferm::rule::simple { 'dsa-bacula-sd':
+    description => 'Access to the bacula-storage',
+    port        => $port_sd,
+    target      => 'bacula-sd',
   }
+  Ferm::Rule::Simple <<| tag == "bacula::director-to-storage::${bacula::bacula_director_address}" |>>;
+  Ferm::Rule::Simple <<| tag == "bacula::fd-to-storage::${::fqdn}" |>>;
 
   file { '/etc/bacula/storage-conf.d/empty.conf':
     content => '',
@@ -65,26 +72,18 @@ class bacula::storage inherits bacula {
     notify  => Exec['bacula-sd restart-when-idle']
   }
 
-  file { "${bacula_backup_path}/Catalog":
-    ensure  => directory,
-    mode    => '0755',
-    owner   => bacula,
-    group   => bacula,
-    ;
-  }
-
   package { 'python3-psycopg2': ensure => installed }
   file { '/usr/local/bin/bacula-unlink-removed-volumes':
-    source  => 'puppet:///modules/bacula/bacula-unlink-removed-volumes',
-    mode    => '0555',
+    source => 'puppet:///modules/bacula/bacula-unlink-removed-volumes',
+    mode   => '0555',
   }
-  file { "/etc/cron.d/puppet-bacula-storage-stuff": ensure => absent, }
-  concat::fragment { 'dsa-puppet-stuff--bacula-storage':
-    target => '/etc/cron.d/dsa-puppet-stuff',
-    content  => @(EOF)
+  file { '/etc/cron.d/puppet-bacula-storage-stuff': ensure => absent, }
+  concat::fragment { 'puppet-crontab--bacula-storage':
+    target  => '/etc/cron.d/puppet-crontab',
+    content => @(EOF)
       @daily bacula chronic /usr/local/bin/bacula-unlink-removed-volumes -v
       | EOF
   }
 
-  Bacula::Storage_per_node<<| |>>
+  Bacula::Storage::Client<<| tag == "bacula::to-storage::${::fqdn}" |>>
 }