Move bacula::bacula_ssl_ca_path to hiera
author
Peter Palfrader
<peter@palfrader.org>
Wed, 25 Sep 2019 12:09:45 +0000
(14:09 +0200)
committer
Peter Palfrader
<peter@palfrader.org>
Wed, 25 Sep 2019 12:09:45 +0000
(14:09 +0200)
data/common.yaml
modules/bacula/manifests/init.pp
modules/bacula/templates/bacula-dir.conf.erb
modules/bacula/templates/bacula-fd.conf.erb
modules/bacula/templates/bacula-sd.conf.erb
modules/bacula/templates/bconsole.conf.erb
modules/bacula/templates/client/fd-per-director.conf.erb
modules/bacula/templates/director/dir-per-client-from-storage.erb
modules/bacula/templates/director/dir-per-client.erb
modules/bacula/templates/storage/sd-per-director.conf.erb
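--- a/data/common.yaml
+++ b/data/common.yaml
@@ -33,6 +33,11 @@ roles::dns_primary::allow_access:
 # bacula
 #
 bacula::operator_email: 'bacula-reports@admin.debian.org'
+bacula::ssl_ca_path: '/etc/ssl/debian/certs/ca.crt'
+bacula::ssl_client_cert: '/etc/ssl/debian/certs/thishost.crt'
+bacula::ssl_client_key: '/etc/ssl/private/thishost.key'
+bacula::ssl_server_cert: '/etc/ssl/debian/certs/thishost-server.crt'
+bacula::ssl_server_key: '/etc/ssl/private/thishost-server.key'
 bacula::director::db_address: 'postgresql-manda-01.debian.org'
 bacula::director::db_port: 5432
 bacula::director::db_sslca: '/etc/ssl/debian/certs/ca.crt'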
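Review bot: Only `bacula::ssl_ca_path` has a matching class parameter in this commit; the other four new keys (`bacula::ssl_client_cert`, `bacula::ssl_client_key`, `bacula::ssl_server_cert`, `bacula::ssl_server_key`) are not bound by automatic parameter lookup, because the visible part of the class signature in modules/bacula/manifests/init.pp still declares `$bacula_ssl_client_cert`, `$bacula_ssl_client_key` and `$bacula_ssl_server_cert` with hard-coded defaults (the rest of the signature is outside the hunk, so this assumes no `$ssl_client_cert`-style parameter exists there). Until those parameters are renamed the values here are dead data and the manifest defaults win silently, which is the kind of drift that goes unnoticed until a certificate is rotated in one place only; either rename the parameters in the same change or add these keys together with the rename. The CA path is also repeated on the `bacula::director::db_sslca` line three lines below; a YAML anchor would keep the two from diverging.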
diff --git
a/modules/bacula/manifests/init.pp
b/modules/bacula/manifests/init.pp
index
eb98084
..
d822559
100644
(file)
--- a/
modules/bacula/manifests/init.pp
+++ b/
modules/bacula/manifests/init.pp
@@
-1,13
+1,15
@@
# bacula class -- defines all the variables we care about in our bacula deployment
#
# @param operator_email email address for reports
# bacula class -- defines all the variables we care about in our bacula deployment
#
# @param operator_email email address for reports
+# @param do_ssl use TLS between systems
+# @param ssl_ca_path full path and filename specifying a PEM encoded TLS CA certificate(s)
# @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
# @param has_ipv4 daemons should listen on ipv4
# @param has_ipv6 daemons should listen on ipv6
class bacula (
String $operator_email = 'root@localhost',
# @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
# @param has_ipv4 daemons should listen on ipv4
# @param has_ipv6 daemons should listen on ipv6
class bacula (
String $operator_email = 'root@localhost',
-
-
String $bacula_ssl_ca_path = '/etc/ssl/debian/certs/ca.crt'
,
+ Boolean $do_ssl = true,
+
Optional[String] $ssl_ca_path
,
String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
String $bacula_ssl_client_key = '/etc/ssl/private/thishost.key',
String $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt',
String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
String $bacula_ssl_client_key = '/etc/ssl/private/thishost.key',
String $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt',
@@
-22,6
+24,15
@@
class bacula (
$bacula_dsa_client_list = '/etc/bacula/dsa-clients'
$tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
$bacula_dsa_client_list = '/etc/bacula/dsa-clients'
$tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
+ if $do_ssl {
+ if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
+
+ $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+ } else {
+ $bacula_tls_ca_certificate_file = ''
+ }
+
+
file { '/usr/local/sbin/bacula-idle-restart':
mode => '0555',
source => 'puppet:///modules/bacula/bacula-idle-restart',
file { '/usr/local/sbin/bacula-idle-restart':
mode => '0555',
source => 'puppet:///modules/bacula/bacula-idle-restart',
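Review bot: The guard `if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }` in the second hunk only rejects `undef`; in the Puppet 4+ language an empty string is truthy, so `bacula::ssl_ca_path: ''` passes the check and renders `TLS CA Certificate File = ""` into every daemon configuration. Tightening the parameter type catches that at compile time with a clearer message than the runtime test, e.g. `Optional[Pattern[/^\//]] $ssl_ca_path,` (or a stdlib absolute-path type if the module already depends on stdlib). The new `@param do_ssl use TLS between systems` comment in the first hunk also overstates the flag: as written, `do_ssl => false` only sets `$bacula_tls_ca_certificate_file` to `''`, it does not touch the daemons' `TLS Enable`/`TLS Require` lines, so I would phrase it as `# @param do_ssl emit the TLS CA Certificate File directive (does not disable TLS itself)`. The class body continues past both hunks.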
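--- a/modules/bacula/templates/bacula-dir.conf.erb
+++ b/modules/bacula/templates/bacula-dir.conf.erb
@@ -28,7 +28,7 @@ Director {
 TLS Require = yes
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming console connections.
 TLS Certificate = "<%= @bacula_ssl_server_cert %>"
 TLS Key = "<%= @bacula_ssl_server_key %>"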
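Review bot: With `do_ssl => false` the substituted line renders empty, but this template still emits `TLS Require = yes` and `TLS Verify Peer = yes` unconditionally three lines above, so the director is told to verify peers with no CA to verify against; Bacula will presumably reject the configuration or fail every handshake rather than run without TLS, which is not what a flag named `do_ssl` suggests. The same half-gated stanza appears in the other seven templates in this commit (bacula-fd.conf.erb, bacula-sd.conf.erb, bconsole.conf.erb, client/fd-per-director.conf.erb, director/dir-per-client-from-storage.erb, director/dir-per-client.erb, storage/sd-per-director.conf.erb). Either gate the whole TLS block on the flag, e.g. `<% if scope['bacula::do_ssl'] -%>` … `<% end -%>` around the stanza, or drop `do_ssl` and keep the CA path mandatory; a partially disabled TLS stanza is harder to reason about than either. Building the directive text in init.pp also splits Bacula config syntax between the manifest and the template; `<% if scope['bacula::do_ssl'] -%>TLS CA Certificate File = "<%= scope['bacula::ssl_ca_path'] %>"<% end -%>` here would keep it in one place.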
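--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -37,7 +37,7 @@ FileDaemon {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used by the client to connect to the storage daemon
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"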
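--- a/modules/bacula/templates/bacula-sd.conf.erb
+++ b/modules/bacula/templates/bacula-sd.conf.erb
@@ -34,7 +34,7 @@ Storage {
 TLS Enable = yes
 TLS Require = yes
 TLS Verify Peer = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming connections.
 TLS Certificate = "<%= @bacula_ssl_server_cert %>"
 TLS Key = "<%= @bacula_ssl_server_key %>"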
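--- a/modules/bacula/templates/bconsole.conf.erb
+++ b/modules/bacula/templates/bconsole.conf.erb
@@ -15,7 +15,7 @@ Director {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used for console connections to the director.
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"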
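--- a/modules/bacula/templates/client/fd-per-director.conf.erb
+++ b/modules/bacula/templates/client/fd-per-director.conf.erb
@@ -13,7 +13,7 @@ Director {
 TLS Require = yes
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming director connections.
 TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
 TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"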
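--- a/modules/bacula/templates/director/dir-per-client-from-storage.erb
+++ b/modules/bacula/templates/director/dir-per-client-from-storage.erb
@@ -19,7 +19,7 @@ Storage {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used by the director to connect to the storage daemon
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"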
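--- a/modules/bacula/templates/director/dir-per-client.erb
+++ b/modules/bacula/templates/director/dir-per-client.erb
@@ -34,7 +34,7 @@ Client {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used by the director to connect to the client's file daemon
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"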
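--- a/modules/bacula/templates/storage/sd-per-director.conf.erb
+++ b/modules/bacula/templates/storage/sd-per-director.conf.erb
@@ -10,7 +10,7 @@ Director {
 TLS Require = yes
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming director connections.
 TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
 TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"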