path => '/usr/bin:/usr/sbin:/bin:/sbin',
command => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_fd} bacula-fd &'",
refreshonly => true,
- subscribe => [ File[$bacula::bacula_ssl_server_cert], File[$bacula::bacula_ssl_client_cert] ],
+ subscribe => [ File[$bacula::ssl_server_cert], File[$bacula::ssl_client_cert] ],
require => [ File['/usr/local/sbin/bacula-idle-restart'], File['/etc/bacula/fd-conf.d/empty.conf'] ],
}
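Review bot: The renamed `subscribe` at L5 still refreshes the file daemon only when the two certificate files change; a rotation of the matching key files (`$bacula::ssl_server_key`, `$bacula::ssl_client_key`) or of the CA file referenced by `$bacula::ssl_ca_path` does not notify this exec, so the daemon would keep the old key loaded until something else restarts it. If key and certificate are always rewritten together this is harmless, but if they are separate `File` resources the list should also carry them, e.g. `subscribe => [ File[$bacula::ssl_server_cert], File[$bacula::ssl_server_key], File[$bacula::ssl_client_cert], File[$bacula::ssl_client_key] ],`. The storage-daemon exec at L73 has the same gap. The enclosing exec resource starts outside the hunk.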
) {
include bacula::director
- $bacula_ssl_ca_path = $bacula::bacula_ssl_ca_path
- $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
- $bacula_ssl_client_key = $bacula::bacula_ssl_client_key
-
# we define this in both bacula::director::client_from_storage and
# bacula::director::client and it needs to match.
$pool_name = "${bacula::director::pool_name}-${client}"
) {
include bacula::director
- $bacula_ssl_ca_path = $bacula::bacula_ssl_ca_path
- $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
- $bacula_ssl_client_key = $bacula::bacula_ssl_client_key
-
# For historical reasons, we use the same string for
# director-internal storage name as we do for mediate
# type names. If we ever blow away the catalog and start
# bacula class -- defines all the variables we care about in our bacula deployment
#
# @param operator_email email address for reports
-# @param do_ssl use TLS between systems
# @param ssl_ca_path full path and filename specifying a PEM encoded TLS CA certificate(s)
+# @param ssl_client_cert path to TLS client certificate
+# @param ssl_client_key path to TLS client certificate key
+# @param ssl_server_cert path to TLS server certificate
+# @param ssl_server_key path to TLS server certificate key
# @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
# @param has_ipv4 daemons should listen on ipv4
# @param has_ipv6 daemons should listen on ipv6
class bacula (
String $operator_email = 'root@localhost',
- Boolean $do_ssl = true,
- Optional[String] $ssl_ca_path,
- String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
- String $bacula_ssl_client_key = '/etc/ssl/private/thishost.key',
- String $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt',
- String $bacula_ssl_server_key = '/etc/ssl/private/thishost-server.key',
+ String $ssl_ca_path,
+ String $ssl_client_cert,
+ String $ssl_client_key,
+ String $ssl_server_cert,
+ String $ssl_server_key,
Array[Stdlib::IP::Address] $public_addresses = $base::public_addresses,
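Review bot: The five TLS parameters at L46-L50 are typed as bare `String`, which admits the empty string, so the `fail('Need ssl_ca_path with do_ssl')` guard this commit removes at L55 is only partly replaced by the type check: an empty value now compiles and surfaces later as a `TLS CA Certificate File = ""` directive (built at L62) that the daemon rejects at start-up. Since the class already relies on stdlib types (`Stdlib::IP::Address`), `Stdlib::Absolutepath $ssl_ca_path,` and the same for the four cert/key parameters would reject empty or relative values at catalog compile time, which is where a missing TLS setting should fail. Dropping the defaults also makes all five mandatory for every node that includes `bacula`, which the `@param` lines at L30-L34 could state explicitly, e.g. `# @param ssl_client_cert path to TLS client certificate (required, no default)`. puppet-lint's parameter_order check will likely also flag these required parameters because they follow `$operator_email`, which has a default.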
$bacula_dsa_client_list = '/etc/bacula/dsa-clients'
$tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
- if $do_ssl {
- if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
-
- $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
- } else {
- $bacula_tls_ca_certificate_file = ''
- }
-
+ $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+ $bacula_tls_client_certificate = "TLS Certificate = \"${ssl_client_cert}\""
+ $bacula_tls_client_key = "TLS Key = \"${ssl_client_key}\""
+ $bacula_tls_server_certificate = "TLS Certificate = \"${ssl_server_cert}\""
+ $bacula_tls_server_key = "TLS Key = \"${ssl_server_key}\""
file { '/usr/local/sbin/bacula-idle-restart':
mode => '0555',
path => '/usr/bin:/usr/sbin:/bin:/sbin',
command => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_sd} bacula-sd &'",
refreshonly => true,
- subscribe => File[$bacula::bacula_ssl_server_cert],
+ subscribe => File[$bacula::ssl_server_cert],
require => File['/usr/local/sbin/bacula-idle-restart'],
}
TLS Verify Peer = yes
TLS Allowed CN = "clientcerts/<%= @director_address %>"
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming console connections.
- TLS Certificate = "<%= @bacula_ssl_server_cert %>"
- TLS Key = "<%= @bacula_ssl_server_key %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
Heartbeat Interval = 60
}
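Review bot: The replacement lines at L82-L83 drop the comment that told a reader this stanza uses the server certificate for incoming console connections; now that the directive is hidden behind a scope lookup, the template no longer says which of the two certificates belongs here, which is the one fact an operator debugging a TLS handshake failure needs. Keep the explanation as an ERB comment so it does not reach the generated config: `<%# server certificate: used for incoming console connections %>`. The same comments are removed at L89, L99, L108, L117, L127, L137 and L146. Separately, if `bacula` were not in the catalog, `scope['bacula::bacula_tls_server_certificate']` would presumably render as an empty line rather than failing compilation, and `TLS Require = yes` above then yields a daemon that refuses to start; that appears to be pre-existing behaviour for the CA line at L78.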
TLS Enable = yes
TLS Require = yes
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used by the client to connect to the storage daemon
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
Heartbeat Interval = 60
}
TLS Require = yes
TLS Verify Peer = yes
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming connections.
- TLS Certificate = "<%= @bacula_ssl_server_cert %>"
- TLS Key = "<%= @bacula_ssl_server_key %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
}
@|"sh -c 'for f in /etc/bacula/storage-conf.d/*.conf ; do echo @${f} ; done'"
TLS Require = yes
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used for console connections to the director.
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
}
TLS Verify Peer = yes
TLS Allowed CN = "clientcerts/<%= @director_address %>"
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming director connections.
- TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
- TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
}
# Send all messages except skipped files back to Director
TLS Enable = yes
TLS Require = yes
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used by the director to connect to the storage daemon
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
}
########################################################################
TLS Enable = yes
TLS Require = yes
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used by the director to connect to the client's file daemon
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
}
TLS Verify Peer = yes
TLS Allowed CN = "clientcerts/<%= @director_address %>"
<%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming director connections.
- TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
- TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
}
# Send all messages to the Director,