Moar krypto
author
Peter Palfrader
<peter@palfrader.org>
Fri, 24 Aug 2012 11:54:44 +0000
(11:54 +0000)
committer
Peter Palfrader
<peter@palfrader.org>
Fri, 24 Aug 2012 11:54:44 +0000
(11:54 +0000)
modules/bacula/manifests/init.pp
modules/bacula/manifests/node.pp
modules/bacula/templates/bacula-dir.conf.erb
modules/bacula/templates/bacula-fd.conf.erb
modules/bacula/templates/bacula-sd.conf.erb
modules/bacula/templates/bconsole.conf.erb
modules/bacula/templates/per-client.conf.erb
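--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -27,4 +27,10 @@ class bacula {
  $bacula_storage_secret = hkdf('/etc/puppet/secret', "bacula-sd-${bacula_storage_name}")
  $bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${::fqdn}")
  $bacula_monitor_secret = hkdf('/etc/puppet/secret', "bacula-monitor-${bacula_director_name}")
+
+ $bacula_ca_path = '/etc/ssl/debian/certs/ca.crt'
+ $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt'
+ $bacula_ssl_client_key = '/etc/ssl/debian/keys/thishost.key'
+ $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt'
+ $bacula_ssl_server_key = '/etc/ssl/debian/keys/thishost-server.key'
 }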
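Review bot: The new `bacula_ssl_client_key` and `bacula_ssl_server_key` paths under /etc/ssl/debian/keys/ are handed to the director, storage and file daemon templates, but nothing in this hunk makes the key files readable by the daemons that load them; on Debian bacula-dir and bacula-sd normally run as the unprivileged bacula user (the file daemon runs as root), so a root-only key will make daemon startup fail outright rather than degrade, because the templates set TLS Require everywhere. I cannot see from this commit how /etc/ssl/debian/keys is provisioned, so this may already be handled elsewhere; if it is, a comment would save the next reader the check: `# keys in /etc/ssl/debian/keys must be readable by the bacula user (dir/sd run unprivileged); fd runs as root`. The enclosing class bacula starts before this hunk.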
diff --git
a/modules/bacula/manifests/node.pp
b/modules/bacula/manifests/node.pp
index
ac4be83
..
c96e69d
100644
(file)
--- a/
modules/bacula/manifests/node.pp
+++ b/
modules/bacula/manifests/node.pp
@@
-3,6
+3,9
@@
define bacula::node() {
include bacula
$bacula_client_port = $bacula::bacula_client_port
include bacula
$bacula_client_port = $bacula::bacula_client_port
+ $bacula_ca_path = $bacula::bacula_ca_path
+ $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
+ $bacula_ssl_client_key = $bacula::bacula_ssl_client_key
$bacula_client_name = "${name}-fd"
$bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${name}")
$bacula_client_name = "${name}-fd"
$bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${name}")
diff --git
a/modules/bacula/templates/bacula-dir.conf.erb
b/modules/bacula/templates/bacula-dir.conf.erb
index
66ff569
..
4a4c52d
100644
(file)
--- a/
modules/bacula/templates/bacula-dir.conf.erb
+++ b/
modules/bacula/templates/bacula-dir.conf.erb
@@
-23,6
+23,15
@@
Director {
ip = { addr = 127.0.0.1; port = 9101 }
ip = { addr = <%=bacula_director_address%>; port = <%=bacula_director_port%> }
}
ip = { addr = 127.0.0.1; port = 9101 }
ip = { addr = <%=bacula_director_address%>; port = <%=bacula_director_port%> }
}
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming console connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
########################################################################
}
########################################################################
@@
-139,6
+148,13
@@
Storage {
Device = <%= bacula_filestor_device %>
Media Type = <%= bacula_filestor_name %>
Maximum Concurrent Jobs = 10
Device = <%= bacula_filestor_device %>
Media Type = <%= bacula_filestor_name %>
Maximum Concurrent Jobs = 10
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used by the director to connect to the storage daemon
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
########################################################################
}
########################################################################
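Review bot: The Storage resource in the second hunk enables TLS towards the storage daemon but sets no `TLS Allowed CN`, so the storage daemon's identity rests on its certificate being signed by ca.crt plus whatever host-name check Bacula applies by default on the connecting side; if that CA also issues server certificates to other hosts, any of them could stand in for the SD as far as the certificate check goes. If the CN of `thishost-server.crt` follows a predictable scheme (the client certificates evidently use `clientcerts/<fqdn>`, but the server-cert naming is not visible here), pinning it with `TLS Allowed CN = "<%= bacula_storage_address %>"` or whatever CN those certificates carry would make the check independent of CA scope. Failing that, a short comment stating what the SD certificate is expected to be checked against would help, e.g. `# SD identity: CA signature only (no Allowed CN); relies on Bacula's default host check`. Both resources in this section continue outside the hunks.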
diff --git
a/modules/bacula/templates/bacula-fd.conf.erb
b/modules/bacula/templates/bacula-fd.conf.erb
index
8317406
..
1b433ea
100644
(file)
--- a/
modules/bacula/templates/bacula-fd.conf.erb
+++ b/
modules/bacula/templates/bacula-fd.conf.erb
@@
-8,6
+8,15
@@
Director {
Name = <%= bacula_director_name %>
Password = "<%= bacula_client_secret %>"
Director {
Name = <%= bacula_director_name %>
Password = "<%= bacula_client_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming director connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
# "Global" File daemon configuration specifications
}
# "Global" File daemon configuration specifications
@@
-19,6
+28,13
@@
FileDaemon {
Maximum Concurrent Jobs = 20
FDAddress = <%= fqdn %>
Maximum Network Buffer Size = 524288
Maximum Concurrent Jobs = 20
FDAddress = <%= fqdn %>
Maximum Network Buffer Size = 524288
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used by the client to connect to the storage daemon
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
# Send all messages except skipped files back to Director
}
# Send all messages except skipped files back to Director
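Review bot: In the Director resource (first hunk) the pin `TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"` only holds if `bacula_director_address` is exactly the name embedded in the director's client certificate; if that variable is an alias, an IP or a short name rather than the director's FQDN, every director connection will be rejected because TLS Require is set, and the same construction is repeated in the SD template. The hunks do not show how `bacula_director_address` is derived, so this is a check to make rather than a defect. A comment would make the coupling explicit: `# must equal the CN of the director's client cert (clientcerts/<director fqdn>)`. The FileDaemon resource in the second hunk continues outside the hunk.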
diff --git
a/modules/bacula/templates/bacula-sd.conf.erb
b/modules/bacula/templates/bacula-sd.conf.erb
index
0559ed6
..
11e5b08
100644
(file)
--- a/
modules/bacula/templates/bacula-sd.conf.erb
+++ b/
modules/bacula/templates/bacula-sd.conf.erb
@@
-12,6
+12,15
@@
Storage {
Maximum Concurrent Jobs = 21
SDAddress = <%= bacula_storage_address %>
Heartbeat Interval = 180
Maximum Concurrent Jobs = 21
SDAddress = <%= bacula_storage_address %>
Heartbeat Interval = 180
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ # TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
# List Directors who are permitted to contact Storage daemon
}
# List Directors who are permitted to contact Storage daemon
@@
-19,6
+28,15
@@
Storage {
Director {
Name = <%= bacula_director_name %>
Password = "<%= bacula_storage_secret %>"
Director {
Name = <%= bacula_director_name %>
Password = "<%= bacula_storage_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming director connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
}
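Review bot: The commented-out `# TLS Allowed CN` in the Storage resource (first hunk) means the SD listener, with `TLS Verify Peer = yes`, accepts any certificate issued by ca.crt rather than one named peer; that is presumably deliberate, since every file daemon connects here with its own `clientcerts/<fqdn>` certificate, but a commented directive carrying the director's address reads like an unfinished pin that someone may later enable and break backups with. Replace it with a statement of intent: `# No TLS Allowed CN here on purpose: every file daemon connects with its own clientcerts/<fqdn> cert, so peer identity is CA-wide and authorisation stays with Bacula's own authentication`. The Director resource in the second hunk does pin `clientcerts/<%= bacula_director_address %>`, which is the right place for that restriction.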
diff --git
a/modules/bacula/templates/bconsole.conf.erb
b/modules/bacula/templates/bconsole.conf.erb
index
f5bb2e6
..
6c4cd80
100644
(file)
--- a/
modules/bacula/templates/bconsole.conf.erb
+++ b/
modules/bacula/templates/bconsole.conf.erb
@@
-11,4
+11,12
@@
Director {
DIRport = 9101
address = <%= bacula_director_address %>
Password = "<%= bacula_director_secret %>"
DIRport = 9101
address = <%= bacula_director_address %>
Password = "<%= bacula_director_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used for console connections to the director.
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
}
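Review bot: This Director resource presents `thishost.crt`, the client certificate of whichever host renders the template, while the director's own Director resource pins console connections to `clientcerts/<director address>`; as far as the templates show, bconsole therefore only works on the director host itself, and any account that runs it must also be able to read `thishost.key`, which widens who needs read access to that host key compared with the password-only setup. Worth spelling out in the template: `# Only usable on the director host: the director requires CN clientcerts/<director address>, i.e. this host's own client cert, and thishost.key must be readable by whoever runs bconsole`. The stray blank line between `TLS Require = yes` and `TLS CA Certificate File` looks like the remnant of a removed `TLS Verify Peer` line; drop it or add a note on why it is absent here.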
diff --git
a/modules/bacula/templates/per-client.conf.erb
b/modules/bacula/templates/per-client.conf.erb
index
b376582
..
9be2f42
100644
(file)
--- a/
modules/bacula/templates/per-client.conf.erb
+++ b/
modules/bacula/templates/per-client.conf.erb
@@
-30,4
+30,11
@@
Client {
AutoPrune = yes # Prune expired Jobs/Files
Heartbeat Interval = 180
AutoPrune = yes # Prune expired Jobs/Files
Heartbeat Interval = 180
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used by the director to connect to the client's file daemon
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
}