From c0a2aa7bfdcb0d56ec24e0ad98d5f248a995fd70 Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Wed, 25 Sep 2019 00:32:23 +0200
Subject: [PATCH] continue with moving director address to a more local thing

---
 modules/bacula/manifests/director.pp          |  9 ++++++-
 modules/bacula/manifests/init.pp              |  2 --
 modules/bacula/manifests/storage.pp           |  2 +-
 modules/bacula/manifests/storage/client.pp    |  6 ++++-
 modules/bacula/manifests/storage/director.pp  | 25 +++++++++++++++++++
 modules/bacula/templates/bacula-sd.conf.erb   | 24 ------------------
 .../storage/sd-per-director.conf.erb          | 24 ++++++++++++++++++
 7 files changed, 63 insertions(+), 29 deletions(-)
 create mode 100644 modules/bacula/manifests/storage/director.pp
 create mode 100644 modules/bacula/templates/storage/sd-per-director.conf.erb

diff --git a/modules/bacula/manifests/director.pp b/modules/bacula/manifests/director.pp
index ca065c7d0..5aaa061ba 100644
--- a/modules/bacula/manifests/director.pp
+++ b/modules/bacula/manifests/director.pp
@@ -8,7 +8,7 @@
 # @param port_dir       Port that the director should listen on
 # @param db_sslca       SSL CA store for DB access
 # @param director_name  bacula name of this dir instance
-# @param director_address  address of this sd instance that other instances should connect to (dns name)
+# @param director_address  address of this dir instance that other instances should connect to (dns name)
 class bacula::director(
   String  $db_address,
   Integer $db_port,
@@ -28,6 +28,13 @@ class bacula::director(
   $some_pool_name = "poolfull-${pool_name}-${director_address}"
   $some_client_name = "${director_address}-fd"
 
+  # let the SD know we exist
+  @@bacula::storage::director{ $::fqdn:
+    tag              => 'bacula::to-storage',
+    director_name    => $director_name,
+    director_address => $director_address,
+  }
+
   ensure_packages ( [
     'bacula-director-pgsql',
     'bacula-common',
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index c9c554b4a..7b78df816 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -5,8 +5,6 @@ class bacula (
   String  $bacula_operator_email      = 'bacula-reports@admin.debian.org',
   String  $bacula_director_name       = 'debian-dir',
 
-  Stdlib::Host  $bacula_director_address    = 'dinis.debian.org',
-
   String  $bacula_db_secret           = hkdf('/etc/puppet/secret', "bacula-db-${::hostname}"),
 
   String  $bacula_ca_path             = '/etc/ssl/debian/certs/ca.crt',
diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp
index ffa80e39a..80b4755de 100644
--- a/modules/bacula/manifests/storage.pp
+++ b/modules/bacula/manifests/storage.pp
@@ -18,7 +18,6 @@ class bacula::storage (
   Boolean $has_ipv4        = $bacula::public_addresses.any |$addr| { $addr =~ Stdlib::IP::Address::V4 },
   Boolean $has_ipv6        = $bacula::public_addresses.any |$addr| { $addr =~ Stdlib::IP::Address::V6 },
 ) inherits bacula {
-  $storage_secret = hkdf('/etc/puppet/secret', "bacula-sd-${::fqdn}")
 
   package { 'bacula-sd':
     ensure => installed
@@ -93,5 +92,6 @@ class bacula::storage (
       | EOF
   }
 
+  Bacula::Storage::Director<<| tag == 'bacula::to-storage' |>>
   Bacula::Storage::Client<<| tag == "bacula::to-storage::${::fqdn}" |>>
 }
diff --git a/modules/bacula/manifests/storage/client.pp b/modules/bacula/manifests/storage/client.pp
index ba2f930b1..e49ff2b32 100644
--- a/modules/bacula/manifests/storage/client.pp
+++ b/modules/bacula/manifests/storage/client.pp
@@ -14,6 +14,10 @@ define bacula::storage::client(
   $media_type_name = "${bacula::storage::filestor_name}-${client}"
   $directory       = "${bacula::storage::backup_path}/${client}"
 
+  # this is created in both bacula::storage::client and
+  # bacula::storage::director and needs to be the same
+  $dir_storage_secret = hkdf('/etc/puppet/secret', "bacula::director<->storage::${director_server}<->${::fqdn}")
+
   file {
     "/etc/bacula/storage-conf.d/${client}.conf":
       content => template('bacula/storage/sd-per-client.conf.erb'),
@@ -35,7 +39,7 @@ define bacula::storage::client(
     client                  => $client,
     storage_address         => $bacula::storage::storage_address,
     port_sd                 => $bacula::storage::port_sd,
-    storage_secret          => $bacula::storage::storage_secret,
+    storage_secret          => $dir_storage_secret,
     storage_device_name     => $device_name,
     storage_media_type_name => $media_type_name,
   }
diff --git a/modules/bacula/manifests/storage/director.pp b/modules/bacula/manifests/storage/director.pp
new file mode 100644
index 000000000..de4f25ef4
--- /dev/null
+++ b/modules/bacula/manifests/storage/director.pp
@@ -0,0 +1,25 @@
+# Bacula sd config: director snippet
+#
+# Each/The director exports this class to be collected by each/the storage.
+#
+# @param director_name     bacula name of the dir instance
+# @param director_address  address of this dir instance that other instances should connect to (dns name)
+define bacula::storage::director(
+  String $director_name,
+  Stdlib::Host $director_address,
+) {
+  include bacula::storage
+
+  # this is created in both bacula::storage::client and
+  # bacula::storage::director and needs to be the same
+  $dir_storage_secret = hkdf('/etc/puppet/secret', "bacula::director<->storage::${director_address}<->${::fqdn}")
+
+  file {
+    "/etc/bacula/storage-conf.d/Dir_${director_address}.conf":
+      content => template('bacula/storage/sd-per-director.conf.erb'),
+      mode    => '0440',
+      group   => bacula,
+      notify  => Exec['bacula-sd restart-when-idle'],
+      ;
+  }
+}
diff --git a/modules/bacula/templates/bacula-sd.conf.erb b/modules/bacula/templates/bacula-sd.conf.erb
index 0a0ef7998..12b45aa5d 100644
--- a/modules/bacula/templates/bacula-sd.conf.erb
+++ b/modules/bacula/templates/bacula-sd.conf.erb
@@ -40,28 +40,4 @@ Storage {
   TLS Key = "<%= @bacula_ssl_server_key %>"
 }
 
-# List Directors who are permitted to contact Storage daemon
-#
-Director {
-  Name = <%= @bacula_director_name %>
-  Password = "<%= @storage_secret %>"
-
-  TLS Enable = yes
-  TLS Require = yes
-  TLS Verify Peer = yes
-  TLS Allowed CN = "clientcerts/<%= @bacula_director_address %>"
-  TLS CA Certificate File = "<%= @bacula_ca_path %>"
-  # This is a server certificate, used for incoming director connections.
-  TLS Certificate = "<%= @bacula_ssl_server_cert %>"
-  TLS Key = "<%= @bacula_ssl_server_key %>"
-}
-
-# Send all messages to the Director,
-# mount messages also are sent to the email address
-#
-Messages {
-  Name = Standard
-  director = <%= @bacula_director_name %> = all
-}
-
 @|"sh -c 'for f in /etc/bacula/storage-conf.d/*.conf ; do echo @${f} ; done'"
diff --git a/modules/bacula/templates/storage/sd-per-director.conf.erb b/modules/bacula/templates/storage/sd-per-director.conf.erb
new file mode 100644
index 000000000..7b3e115f6
--- /dev/null
+++ b/modules/bacula/templates/storage/sd-per-director.conf.erb
@@ -0,0 +1,24 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+Director {
+  Name = <%= @director_name %>
+  Password = "<%= @dir_storage_secret %>"
+
+  TLS Enable = yes
+  TLS Require = yes
+  TLS Verify Peer = yes
+  TLS Allowed CN = "clientcerts/<%= @director_address %>"
+  TLS CA Certificate File = "<%= @bacula_ca_path %>"
+  # This is a server certificate, used for incoming director connections.
+  TLS Certificate = "<%= @bacula_ssl_server_cert %>"
+  TLS Key = "<%= @bacula_ssl_server_key %>"
+}
+
+# Send all messages to the Director,
+#
+Messages {
+  Name = Standard
+  director = <%= @director_name %> = all
+}
-- 
2.20.1