# bacula
#
bacula::operator_email: 'bacula-reports@admin.debian.org'
+bacula::ssl_ca_path: '/etc/ssl/debian/certs/ca.crt'
+bacula::ssl_client_cert: '/etc/ssl/debian/certs/thishost.crt'
+bacula::ssl_client_key: '/etc/ssl/private/thishost.key'
+bacula::ssl_server_cert: '/etc/ssl/debian/certs/thishost-server.crt'
+bacula::ssl_server_key: '/etc/ssl/private/thishost-server.key'
bacula::director::db_address: 'postgresql-manda-01.debian.org'
bacula::director::db_port: 5432
bacula::director::db_sslca: '/etc/ssl/debian/certs/ca.crt'
# bacula class -- defines all the variables we care about in our bacula deployment
#
# @param operator_email email address for reports
+# @param do_ssl use TLS between systems
+# @param ssl_ca_path full path and filename specifying a PEM encoded TLS CA certificate(s)
# @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
# @param has_ipv4 daemons should listen on ipv4
# @param has_ipv6 daemons should listen on ipv6
class bacula (
String $operator_email = 'root@localhost',
-
- String $bacula_ssl_ca_path = '/etc/ssl/debian/certs/ca.crt',
+ Boolean $do_ssl = true,
+ Optional[String] $ssl_ca_path,
String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
String $bacula_ssl_client_key = '/etc/ssl/private/thishost.key',
String $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt',
$bacula_dsa_client_list = '/etc/bacula/dsa-clients'
$tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
+ if $do_ssl {
+ if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
+
+ $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+ } else {
+ $bacula_tls_ca_certificate_file = ''
+ }
+
+
file { '/usr/local/sbin/bacula-idle-restart':
mode => '0555',
source => 'puppet:///modules/bacula/bacula-idle-restart',
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a server certificate, used for incoming console connections.
TLS Certificate = "<%= @bacula_ssl_server_cert %>"
TLS Key = "<%= @bacula_ssl_server_key %>"
TLS Enable = yes
TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a client certificate, used by the client to connect to the storage daemon
TLS Certificate = "<%= @bacula_ssl_client_cert %>"
TLS Key = "<%= @bacula_ssl_client_key %>"
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a server certificate, used for incoming connections.
TLS Certificate = "<%= @bacula_ssl_server_cert %>"
TLS Key = "<%= @bacula_ssl_server_key %>"
TLS Enable = yes
TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a client certificate, used for console connections to the director.
TLS Certificate = "<%= @bacula_ssl_client_cert %>"
TLS Key = "<%= @bacula_ssl_client_key %>"
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a server certificate, used for incoming director connections.
TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
TLS Enable = yes
TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a client certificate, used by the director to connect to the storage daemon
TLS Certificate = "<%= @bacula_ssl_client_cert %>"
TLS Key = "<%= @bacula_ssl_client_key %>"
TLS Enable = yes
TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a client certificate, used by the director to connect to the client's file daemon
TLS Certificate = "<%= @bacula_ssl_client_cert %>"
TLS Key = "<%= @bacula_ssl_client_key %>"
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
# This is a server certificate, used for incoming director connections.
TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"