Move bacula::bacula_ssl_{server,client}_{cert,key} to hiera

diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp
index 6e9988c..75bae98 100644 (file)
--- a/modules/bacula/manifests/client.pp
+++ b/modules/bacula/manifests/client.pp
@@ -111,7 +111,7 @@ class bacula::client(
     path        => '/usr/bin:/usr/sbin:/bin:/sbin',
     command     => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_fd} bacula-fd &'",
     refreshonly => true,
-    subscribe   => [ File[$bacula::bacula_ssl_server_cert], File[$bacula::bacula_ssl_client_cert] ],
+    subscribe   => [ File[$bacula::ssl_server_cert], File[$bacula::ssl_client_cert] ],
     require     => [ File['/usr/local/sbin/bacula-idle-restart'], File['/etc/bacula/fd-conf.d/empty.conf'] ],
   }
 

diff --git a/modules/bacula/manifests/director/client.pp b/modules/bacula/manifests/director/client.pp
index fecbe41..0d356a6 100644 (file)
--- a/modules/bacula/manifests/director/client.pp
+++ b/modules/bacula/manifests/director/client.pp
@@ -18,10 +18,6 @@ define bacula::director::client (
 ) {
   include bacula::director
 
-  $bacula_ssl_ca_path     = $bacula::bacula_ssl_ca_path
-  $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
-  $bacula_ssl_client_key  = $bacula::bacula_ssl_client_key
-
   # we define this in both bacula::director::client_from_storage and
   # bacula::director::client and it needs to match.
   $pool_name     = "${bacula::director::pool_name}-${client}"

diff --git a/modules/bacula/manifests/director/client_from_storage.pp b/modules/bacula/manifests/director/client_from_storage.pp
index ac77de9..7b4cb11 100644 (file)
--- a/modules/bacula/manifests/director/client_from_storage.pp
+++ b/modules/bacula/manifests/director/client_from_storage.pp
@@ -26,10 +26,6 @@ define bacula::director::client_from_storage (
 ) {
   include bacula::director
 
-  $bacula_ssl_ca_path     = $bacula::bacula_ssl_ca_path
-  $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
-  $bacula_ssl_client_key  = $bacula::bacula_ssl_client_key
-
   # For historical reasons, we use the same string for
   # director-internal storage name as we do for mediate
   # type names.  If we ever blow away the catalog and start

diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index d822559..1b88a49 100644 (file)
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -1,19 +1,21 @@
 # bacula class -- defines all the variables we care about in our bacula deployment
 #
 # @param operator_email   email address for reports
-# @param do_ssl           use TLS between systems
 # @param ssl_ca_path      full path and filename specifying a PEM encoded TLS CA certificate(s)
+# @param ssl_client_cert  path to TLS client certificate
+# @param ssl_client_key   path to TLS client certificate key
+# @param ssl_server_cert  path to TLS server certificate
+# @param ssl_server_key   path to TLS server certificate key
 # @param public_addresses this host's public IP addresses.  The ones it connects out from and is reachable from outsite.
 # @param has_ipv4         daemons should listen on ipv4
 # @param has_ipv6         daemons should listen on ipv6
 class bacula (
   String  $operator_email          = 'root@localhost',
-  Boolean $do_ssl                  = true,
-  Optional[String] $ssl_ca_path,
-  String  $bacula_ssl_client_cert  = '/etc/ssl/debian/certs/thishost.crt',
-  String  $bacula_ssl_client_key   = '/etc/ssl/private/thishost.key',
-  String  $bacula_ssl_server_cert  = '/etc/ssl/debian/certs/thishost-server.crt',
-  String  $bacula_ssl_server_key   = '/etc/ssl/private/thishost-server.key',
+  String $ssl_ca_path,
+  String $ssl_client_cert,
+  String $ssl_client_key,
+  String $ssl_server_cert,
+  String $ssl_server_key,
 
   Array[Stdlib::IP::Address] $public_addresses = $base::public_addresses,
 
@@ -24,14 +26,11 @@ class bacula (
   $bacula_dsa_client_list     = '/etc/bacula/dsa-clients'
   $tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
 
-  if $do_ssl {
-    if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
-
-    $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
-  } else {
-    $bacula_tls_ca_certificate_file = ''
-  }
-
+  $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+  $bacula_tls_client_certificate  = "TLS Certificate = \"${ssl_client_cert}\""
+  $bacula_tls_client_key          = "TLS Key = \"${ssl_client_key}\""
+  $bacula_tls_server_certificate  = "TLS Certificate = \"${ssl_server_cert}\""
+  $bacula_tls_server_key          = "TLS Key = \"${ssl_server_key}\""
 
   file { '/usr/local/sbin/bacula-idle-restart':
     mode   => '0555',

diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp
index 2e7a417..4f63f4b 100644 (file)
--- a/modules/bacula/manifests/storage.pp
+++ b/modules/bacula/manifests/storage.pp
@@ -38,7 +38,7 @@ class bacula::storage (
     path        => '/usr/bin:/usr/sbin:/bin:/sbin',
     command     => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_sd} bacula-sd &'",
     refreshonly => true,
-    subscribe   => File[$bacula::bacula_ssl_server_cert],
+    subscribe   => File[$bacula::ssl_server_cert],
     require     => File['/usr/local/sbin/bacula-idle-restart'],
   }
 

diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb
index 8ad48d5..e481622 100644 (file)
--- a/modules/bacula/templates/bacula-dir.conf.erb
+++ b/modules/bacula/templates/bacula-dir.conf.erb
@@ -29,9 +29,8 @@ Director {
   TLS Verify Peer = yes
   TLS Allowed CN = "clientcerts/<%= @director_address %>"
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a server certificate, used for incoming console connections.
-  TLS Certificate = "<%= @bacula_ssl_server_cert %>"
-  TLS Key = "<%= @bacula_ssl_server_key %>"
+  <%= scope['bacula::bacula_tls_server_certificate'] %>
+  <%= scope['bacula::bacula_tls_server_key'] %>
 
   Heartbeat Interval = 60
 }

diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb
index 14d9964..6f930d5 100644 (file)
--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -38,9 +38,8 @@ FileDaemon {
   TLS Enable = yes
   TLS Require = yes
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a client certificate, used by the client to connect to the storage daemon
-  TLS Certificate = "<%= @bacula_ssl_client_cert %>"
-  TLS Key = "<%= @bacula_ssl_client_key %>"
+  <%= scope['bacula::bacula_tls_client_certificate'] %>
+  <%= scope['bacula::bacula_tls_client_key'] %>
 
   Heartbeat Interval = 60
 }

diff --git a/modules/bacula/templates/bacula-sd.conf.erb b/modules/bacula/templates/bacula-sd.conf.erb
index d232bd9..370c281 100644 (file)
--- a/modules/bacula/templates/bacula-sd.conf.erb
+++ b/modules/bacula/templates/bacula-sd.conf.erb
@@ -35,9 +35,8 @@ Storage {
   TLS Require = yes
   TLS Verify Peer = yes
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a server certificate, used for incoming connections.
-  TLS Certificate = "<%= @bacula_ssl_server_cert %>"
-  TLS Key = "<%= @bacula_ssl_server_key %>"
+  <%= scope['bacula::bacula_tls_server_certificate'] %>
+  <%= scope['bacula::bacula_tls_server_key'] %>
 }
 
 @|"sh -c 'for f in /etc/bacula/storage-conf.d/*.conf ; do echo @${f} ; done'"

diff --git a/modules/bacula/templates/bconsole.conf.erb b/modules/bacula/templates/bconsole.conf.erb
index 49fbec6..6f91306 100644 (file)
--- a/modules/bacula/templates/bconsole.conf.erb
+++ b/modules/bacula/templates/bconsole.conf.erb
@@ -16,7 +16,6 @@ Director {
   TLS Require = yes
 
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a client certificate, used for console connections to the director.
-  TLS Certificate = "<%= @bacula_ssl_client_cert %>"
-  TLS Key = "<%= @bacula_ssl_client_key %>"
+  <%= scope['bacula::bacula_tls_client_certificate'] %>
+  <%= scope['bacula::bacula_tls_client_key'] %>
 }

diff --git a/modules/bacula/templates/client/fd-per-director.conf.erb b/modules/bacula/templates/client/fd-per-director.conf.erb
index 2f8d46f..7e8f8f9 100644 (file)
--- a/modules/bacula/templates/client/fd-per-director.conf.erb
+++ b/modules/bacula/templates/client/fd-per-director.conf.erb
@@ -14,9 +14,8 @@ Director {
   TLS Verify Peer = yes
   TLS Allowed CN = "clientcerts/<%= @director_address %>"
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a server certificate, used for incoming director connections.
-  TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
-  TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+  <%= scope['bacula::bacula_tls_server_certificate'] %>
+  <%= scope['bacula::bacula_tls_server_key'] %>
 }
 
 # Send all messages except skipped files back to Director

diff --git a/modules/bacula/templates/director/dir-per-client-from-storage.erb b/modules/bacula/templates/director/dir-per-client-from-storage.erb
index 7a5b433..70e87e4 100644 (file)
--- a/modules/bacula/templates/director/dir-per-client-from-storage.erb
+++ b/modules/bacula/templates/director/dir-per-client-from-storage.erb
@@ -20,9 +20,8 @@ Storage {
   TLS Enable = yes
   TLS Require = yes
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a client certificate, used by the director to connect to the storage daemon
-  TLS Certificate = "<%= @bacula_ssl_client_cert %>"
-  TLS Key = "<%= @bacula_ssl_client_key %>"
+  <%= scope['bacula::bacula_tls_client_certificate'] %>
+  <%= scope['bacula::bacula_tls_client_key'] %>
 }
 
 ########################################################################

diff --git a/modules/bacula/templates/director/dir-per-client.erb b/modules/bacula/templates/director/dir-per-client.erb
index 5ee2d0e..23757a7 100644 (file)
--- a/modules/bacula/templates/director/dir-per-client.erb
+++ b/modules/bacula/templates/director/dir-per-client.erb
@@ -35,8 +35,7 @@ Client {
   TLS Enable = yes
   TLS Require = yes
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a client certificate, used by the director to connect to the client's file daemon
-  TLS Certificate = "<%= @bacula_ssl_client_cert %>"
-  TLS Key = "<%= @bacula_ssl_client_key %>"
+  <%= scope['bacula::bacula_tls_client_certificate'] %>
+  <%= scope['bacula::bacula_tls_client_key'] %>
 }
 

diff --git a/modules/bacula/templates/storage/sd-per-director.conf.erb b/modules/bacula/templates/storage/sd-per-director.conf.erb
index 5a38e90..5b56869 100644 (file)
--- a/modules/bacula/templates/storage/sd-per-director.conf.erb
+++ b/modules/bacula/templates/storage/sd-per-director.conf.erb
@@ -11,9 +11,8 @@ Director {
   TLS Verify Peer = yes
   TLS Allowed CN = "clientcerts/<%= @director_address %>"
   <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
-  # This is a server certificate, used for incoming director connections.
-  TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
-  TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+  <%= scope['bacula::bacula_tls_server_certificate'] %>
+  <%= scope['bacula::bacula_tls_server_key'] %>
 }
 
 # Send all messages to the Director,