From a3265133b4a390133b3fc306f866433a57fc793e Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Wed, 25 Sep 2019 08:40:28 +0200
Subject: [PATCH] Get director name from director
---
 modules/bacula/manifests/client.pp | 24 ++++++++------
 modules/bacula/manifests/client/director.pp | 31 +++++++++++++++++++
 modules/bacula/manifests/director.pp | 6 ++++
 modules/bacula/manifests/init.pp | 1 -
 modules/bacula/templates/bacula-fd.conf.erb | 21 +------------
 .../templates/client/fd-per-director.conf.erb | 26 ++++++++++++++++
 6 files changed, 78 insertions(+), 31 deletions(-)
 create mode 100644 modules/bacula/manifests/client/director.pp
 create mode 100644 modules/bacula/templates/client/fd-per-director.conf.erb
diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp
index 9d35c63f7..03988fb20 100644
--- a/modules/bacula/manifests/client.pp
+++ b/modules/bacula/manifests/client.pp
@@ -3,8 +3,8 @@
 # this mostly configures the file daemon, but also firewall rules and
 # fragments to sent to the other servers.
 #
-# @param director_server director server that controls this client's backups
-# @param storage_server storage server to use for this client
+# @param director_server director server (address) that controls this client's backups
+# @param storage_server storage server (address) to use for this client
 # @param port_fd port that bacula-fd listens on
 # @param client_name bacula client name for this instance
 # @param ensure present or absent
@@ -21,16 +21,20 @@ class bacula::client(
 $reverse_ensure = $ensure ? { 'present' => 'absent', 'absent' => 'present' }
 $client = $::fqdn
- $client_secret = hkdf('/etc/puppet/secret', "bacula::director<->fd::${director_server}<->${client}")
+
+ file { '/etc/bacula/fd-conf.d':
+ ensure => directory,
+ mode => '0755',
+ group => bacula,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ notify => Exec['bacula-fd restart-when-idle'],
+ }
 if $ensure == 'present' {
- @@bacula::director::client { $client:
- port_fd => $port_fd,
- client => $client,
- client_name => $client_name,
- client_secret => $client_secret,
- tag => "bacula::to-director::${director_server}",
- }
+ Bacula::Client::Director <<| tag == "bacula::to-fd::${director_server}" |>>
 @@bacula::storage::client { $client:
 tag => "bacula::to-storage::${storage_server}",
diff --git a/modules/bacula/manifests/client/director.pp b/modules/bacula/manifests/client/director.pp
new file mode 100644
index 000000000..9c96eb4c8
--- /dev/null
+++ b/modules/bacula/manifests/client/director.pp
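Review bot: The collector `Bacula::Client::Director <<| tag == "bacula::to-fd::${director_server}" |>>` in `bacula::client` now decides which directors the file daemon trusts, and both the director name and the `TLS Allowed CN` value come from the exported resource rather than from this class's own `$director_server`. Anything still stored under that tag (a retired director, a mis-tagged export) would become an authorised `Director` on every client that collects it. A cheap guard is to have the define compare its `$director_address` with `$bacula::client::director_server` and `fail()` on a mismatch, with a comment at the collector saying that the set of authorised directors is driven by exported resources. The class body starts and ends outside this hunk, so whether `/etc/bacula/fd-conf.d` is meant to be managed when `$ensure` is `absent` cannot be checked from here.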
@@ -0,0 +1,31 @@
+# Bacula fd config: director snippet
+#
+# Each/The director exports this class to be collected by each fd.
+#
+# @param director_name bacula name of the dir instance
+# @param director_address address of this dir instance that other instances should connect to (dns name)
+define bacula::client::director(
+ String $director_name,
+ Stdlib::Host $director_address,
+) {
+ include bacula::client
+
+ $dir_client_secret = hkdf('/etc/puppet/secret', "bacula::director<->fd::${director_address}<->${::fqdn}")
+
+ @@bacula::director::client { $bacula::client::client:
+ port_fd => $bacula::client::port_fd,
+ client => $bacula::client::client,
+ client_name => $bacula::client::client_name,
+ client_secret => $dir_client_secret,
+ tag => "bacula::to-director::${director_address}",
+ }
+
+ file {
+ "/etc/bacula/storage-conf.d/Dir_${director_address}.conf":
+ content => template('bacula/storage/sd-per-director.conf.erb'),
+ mode => '0440',
+ group => bacula,
+ notify => Exec['bacula-sd restart-when-idle'],
+ ;
+ }
+}
diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp
index ff41e1bb2..e44ed7c04 100644
--- a/modules/bacula/manifests/director.pp
+++ b/modules/bacula/manifests/director.pp
@@ -36,6 +36,12 @@ class bacula::director(
 director_name => $director_name,
 director_address => $director_address,
 }
+ # let FDs know we exist
+ @@bacula::client::director{ $::fqdn:
+ tag => "bacula::to-fd::${director_address}",
+ director_name => $director_name,
+ director_address => $director_address,
+ }
 ensure_packages ( [
 'bacula-director-pgsql',
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index f5cc52d6e..eee682f27 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
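Review bot: The `file` resource at the end of the new `bacula::client::director` define still targets the storage daemon: it writes `/etc/bacula/storage-conf.d/Dir_${director_address}.conf` from `bacula/storage/sd-per-director.conf.erb` and notifies `Exec['bacula-sd restart-when-idle']`, so the `client/fd-per-director.conf.erb` template added by this commit is never rendered and `/etc/bacula/fd-conf.d` stays empty. As written the file daemon would be left without any `Director` resource, and on a host that is not also a storage daemon the notify target is presumably not in the catalog. The three lines should probably read `"/etc/bacula/fd-conf.d/Dir_${director_address}.conf":`, `content => template('bacula/client/fd-per-director.conf.erb'),` and `notify => Exec['bacula-fd restart-when-idle'],`. Separately, the HKDF info string is built from the `$::fqdn` fact, which is reported by the agent; using `$trusted['certname']` would tie the derived director password to the authenticated node identity.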
@@ -3,7 +3,6 @@
 # @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
 class bacula (
 String $bacula_operator_email = 'bacula-reports@admin.debian.org',
- String $bacula_director_name = 'debian-dir',
 String $bacula_ca_path = '/etc/ssl/debian/certs/ca.crt',
 String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb
index 51624af5c..5e07c9fe6 100644
--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -4,21 +4,6 @@
 ##
 # For Bacula release 5.0.1 (24 February 2010) -- debian 5.0.4
-# List Directors who are permitted to contact this File daemon
-Director {
- Name = <%= @bacula_director_name %>
- Password = "<%= @client_secret %>"
-
- TLS Enable = yes
- TLS Require = yes
- TLS Verify Peer = yes
- TLS Allowed CN = "clientcerts/<%= @director_server %>"
- TLS CA Certificate File = "<%= @bacula_ca_path %>"
- # This is a server certificate, used for incoming director connections.
- TLS Certificate = "<%= @bacula_ssl_server_cert %>"
- TLS Key = "<%= @bacula_ssl_server_key %>"
-}
-
 # "Global" File daemon configuration specifications
 FileDaemon {
 Name = <%= @client_name %>
@@ -63,8 +48,4 @@ FileDaemon {
 <%- end -%>
 }
-# Send all messages except skipped files back to Director
-Messages {
- Name = Standard
- director = <%= @bacula_director_name %> = all, !skipped, !restored
-}
+@|"sh -c 'for f in /etc/bacula/fd-conf.d/*.conf ; do echo @${f} ; done'"
diff --git a/modules/bacula/templates/client/fd-per-director.conf.erb b/modules/bacula/templates/client/fd-per-director.conf.erb
new file mode 100644
index 000000000..25daf0a2e
--- /dev/null
+++ b/modules/bacula/templates/client/fd-per-director.conf.erb
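Review bot: The `@|"sh -c ..."` include added at the end of `bacula-fd.conf.erb` emits a literal `@/etc/bacula/fd-conf.d/*.conf` when the directory holds no `.conf` file, because `sh` leaves an unmatched glob unexpanded, and bacula-fd would then be told to include a file that does not exist. That state is reachable: `client.pp` creates the directory purged and empty, and a client whose director has not exported its snippet yet has nothing in it. Guarding the loop avoids it, e.g. `for f in /etc/bacula/fd-conf.d/*.conf ; do [ -e $f ] || continue ; echo @${f} ; done`. Since the `Director` and `Messages` resources removed above now come only from that directory, a one-line comment above the include saying so would help the next reader.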
@@ -0,0 +1,26 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+# For Bacula release 5.0.1 (24 February 2010) -- debian 5.0.4
+
+# List Directors who are permitted to contact this File daemon
+Director {
+ Name = <%= @director_name %>
+ Password = "<%= @dir_client_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= @director_address %>"
+ TLS CA Certificate File = "<%= scope['bacula::bacula_ca_path'] %>"
+ # This is a server certificate, used for incoming director connections.
+ TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
+ TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+}
+
+# Send all messages except skipped files back to Director
+Messages {
+ Name = Msg-<%= scope['bacula::client::client_name'] %>-<%= @director_name %>
+ director = <%= @director_name %> = all, !skipped, !restored
+}
--
2.20.1
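Review bot: `@director_name` is written unquoted into `Name =`, the `Messages` name and the `director =` destination in `fd-per-director.conf.erb`, and the define only types it as `String`, so whatever name arrives through the exported resource lands verbatim in the file daemon's configuration. Quoting it, `Name = "<%= @director_name %>"`, and narrowing the parameter to a `Pattern[...]` limited to the characters the site's director names actually use would keep a malformed or unexpected value from changing the meaning of the stanza. The `Password` line relies on the `hkdf()` output never containing a `"`; that is presumably true of its encoding, and a short comment stating the expected format would make the assumption explicit.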