Move bacula::bacula_ssl_ca_path to hiera

diff --git a/data/common.yaml b/data/common.yaml
index d8b84a3..970397a 100644 (file)
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -33,6 +33,11 @@ roles::dns_primary::allow_access:
 # bacula
 #
 bacula::operator_email: 'bacula-reports@admin.debian.org'
+bacula::ssl_ca_path:     '/etc/ssl/debian/certs/ca.crt'
+bacula::ssl_client_cert: '/etc/ssl/debian/certs/thishost.crt'
+bacula::ssl_client_key:  '/etc/ssl/private/thishost.key'
+bacula::ssl_server_cert: '/etc/ssl/debian/certs/thishost-server.crt'
+bacula::ssl_server_key:  '/etc/ssl/private/thishost-server.key'
 bacula::director::db_address: 'postgresql-manda-01.debian.org'
 bacula::director::db_port:    5432
 bacula::director::db_sslca:   '/etc/ssl/debian/certs/ca.crt'

diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index eb98084..d822559 100644 (file)
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -1,13 +1,15 @@
 # bacula class -- defines all the variables we care about in our bacula deployment
 #
 # @param operator_email   email address for reports
+# @param do_ssl           use TLS between systems
+# @param ssl_ca_path      full path and filename specifying a PEM encoded TLS CA certificate(s)
 # @param public_addresses this host's public IP addresses.  The ones it connects out from and is reachable from outsite.
 # @param has_ipv4         daemons should listen on ipv4
 # @param has_ipv6         daemons should listen on ipv6
 class bacula (
   String  $operator_email          = 'root@localhost',
-
-  String  $bacula_ssl_ca_path      = '/etc/ssl/debian/certs/ca.crt',
+  Boolean $do_ssl                  = true,
+  Optional[String] $ssl_ca_path,
   String  $bacula_ssl_client_cert  = '/etc/ssl/debian/certs/thishost.crt',
   String  $bacula_ssl_client_key   = '/etc/ssl/private/thishost.key',
   String  $bacula_ssl_server_cert  = '/etc/ssl/debian/certs/thishost-server.crt',
@@ -22,6 +24,15 @@ class bacula (
   $bacula_dsa_client_list     = '/etc/bacula/dsa-clients'
   $tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
 
+  if $do_ssl {
+    if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
+
+    $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+  } else {
+    $bacula_tls_ca_certificate_file = ''
+  }
+
+
   file { '/usr/local/sbin/bacula-idle-restart':
     mode   => '0555',
     source => 'puppet:///modules/bacula/bacula-idle-restart',

diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb
index c836c72..8ad48d5 100644 (file)
--- a/modules/bacula/templates/bacula-dir.conf.erb
+++ b/modules/bacula/templates/bacula-dir.conf.erb
@@ -28,7 +28,7 @@ Director {
   TLS Require = yes
   TLS Verify Peer = yes
   TLS Allowed CN = "clientcerts/<%= @director_address %>"
-  TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a server certificate, used for incoming console connections.
   TLS Certificate = "<%= @bacula_ssl_server_cert %>"
   TLS Key = "<%= @bacula_ssl_server_key %>"

diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb
index 2f9acda..14d9964 100644 (file)
--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -37,7 +37,7 @@ FileDaemon {
 
   TLS Enable = yes
   TLS Require = yes
-  TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a client certificate, used by the client to connect to the storage daemon
   TLS Certificate = "<%= @bacula_ssl_client_cert %>"
   TLS Key = "<%= @bacula_ssl_client_key %>"

diff --git a/modules/bacula/templates/bacula-sd.conf.erb b/modules/bacula/templates/bacula-sd.conf.erb
index 76bda9e..d232bd9 100644 (file)
--- a/modules/bacula/templates/bacula-sd.conf.erb
+++ b/modules/bacula/templates/bacula-sd.conf.erb
@@ -34,7 +34,7 @@ Storage {
   TLS Enable = yes
   TLS Require = yes
   TLS Verify Peer = yes
-  TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a server certificate, used for incoming connections.
   TLS Certificate = "<%= @bacula_ssl_server_cert %>"
   TLS Key = "<%= @bacula_ssl_server_key %>"

diff --git a/modules/bacula/templates/bconsole.conf.erb b/modules/bacula/templates/bconsole.conf.erb
index 5e89a16..49fbec6 100644 (file)
--- a/modules/bacula/templates/bconsole.conf.erb
+++ b/modules/bacula/templates/bconsole.conf.erb
@@ -15,7 +15,7 @@ Director {
   TLS Enable = yes
   TLS Require = yes
 
-  TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a client certificate, used for console connections to the director.
   TLS Certificate = "<%= @bacula_ssl_client_cert %>"
   TLS Key = "<%= @bacula_ssl_client_key %>"

diff --git a/modules/bacula/templates/client/fd-per-director.conf.erb b/modules/bacula/templates/client/fd-per-director.conf.erb
index 45eedf3..2f8d46f 100644 (file)
--- a/modules/bacula/templates/client/fd-per-director.conf.erb
+++ b/modules/bacula/templates/client/fd-per-director.conf.erb
@@ -13,7 +13,7 @@ Director {
   TLS Require = yes
   TLS Verify Peer = yes
   TLS Allowed CN = "clientcerts/<%= @director_address %>"
-  TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a server certificate, used for incoming director connections.
   TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
   TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"

diff --git a/modules/bacula/templates/director/dir-per-client-from-storage.erb b/modules/bacula/templates/director/dir-per-client-from-storage.erb
index 0336cb0..7a5b433 100644 (file)
--- a/modules/bacula/templates/director/dir-per-client-from-storage.erb
+++ b/modules/bacula/templates/director/dir-per-client-from-storage.erb
@@ -19,7 +19,7 @@ Storage {
 
   TLS Enable = yes
   TLS Require = yes
-  TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a client certificate, used by the director to connect to the storage daemon
   TLS Certificate = "<%= @bacula_ssl_client_cert %>"
   TLS Key = "<%= @bacula_ssl_client_key %>"

diff --git a/modules/bacula/templates/director/dir-per-client.erb b/modules/bacula/templates/director/dir-per-client.erb
index 4e4903c..5ee2d0e 100644 (file)
--- a/modules/bacula/templates/director/dir-per-client.erb
+++ b/modules/bacula/templates/director/dir-per-client.erb
@@ -34,7 +34,7 @@ Client {
 
   TLS Enable = yes
   TLS Require = yes
-  TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a client certificate, used by the director to connect to the client's file daemon
   TLS Certificate = "<%= @bacula_ssl_client_cert %>"
   TLS Key = "<%= @bacula_ssl_client_key %>"

diff --git a/modules/bacula/templates/storage/sd-per-director.conf.erb b/modules/bacula/templates/storage/sd-per-director.conf.erb
index 4514cbd..5a38e90 100644 (file)
--- a/modules/bacula/templates/storage/sd-per-director.conf.erb
+++ b/modules/bacula/templates/storage/sd-per-director.conf.erb
@@ -10,7 +10,7 @@ Director {
   TLS Require = yes
   TLS Verify Peer = yes
   TLS Allowed CN = "clientcerts/<%= @director_address %>"
-  TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+  <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
   # This is a server certificate, used for incoming director connections.
   TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
   TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"