From: Peter Palfrader
Date: Wed, 25 Sep 2019 12:09:45 +0000 (+0200)
Subject: Move bacula::bacula_ssl_ca_path to hiera
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=b00db688588f052e860f0ff461c0b787f9c5227b
Move bacula::bacula_ssl_ca_path to hiera
---
diff --git a/data/common.yaml b/data/common.yaml
index d8b84a3cf..970397ae8 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -33,6 +33,11 @@ roles::dns_primary::allow_access:
 # bacula
 #
 bacula::operator_email: 'bacula-reports@admin.debian.org'
+bacula::ssl_ca_path: '/etc/ssl/debian/certs/ca.crt'
+bacula::ssl_client_cert: '/etc/ssl/debian/certs/thishost.crt'
+bacula::ssl_client_key: '/etc/ssl/private/thishost.key'
+bacula::ssl_server_cert: '/etc/ssl/debian/certs/thishost-server.crt'
+bacula::ssl_server_key: '/etc/ssl/private/thishost-server.key'
 bacula::director::db_address: 'postgresql-manda-01.debian.org'
 bacula::director::db_port: 5432
 bacula::director::db_sslca: '/etc/ssl/debian/certs/ca.crt'
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index eb98084b3..d82255904 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
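Review bot: Four of the five new hiera keys have nothing to bind to: the init.pp hunk in this same commit still declares the parameters as `$bacula_ssl_client_cert`, `$bacula_ssl_client_key`, `$bacula_ssl_server_cert` and `$bacula_ssl_server_key`, so automatic parameter lookup will search for `bacula::bacula_ssl_client_cert` and friends and the class keeps using its hard-coded defaults. Only `bacula::ssl_ca_path` matches a parameter (`Optional[String] $ssl_ca_path`). Unless a follow-up renames those four parameters, the `bacula::ssl_client_*` and `bacula::ssl_server_*` lines are dead data that can silently diverge from the paths the daemons really use; either rename the parameters here too or add these keys together with the rename.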
@@ -1,13 +1,15 @@
 # bacula class -- defines all the variables we care about in our bacula deployment
 #
 # @param operator_email email address for reports
+# @param do_ssl use TLS between systems
+# @param ssl_ca_path full path and filename specifying a PEM encoded TLS CA certificate(s)
 # @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
 # @param has_ipv4 daemons should listen on ipv4
 # @param has_ipv6 daemons should listen on ipv6
 class bacula (
 String $operator_email = 'root@localhost',
-
- String $bacula_ssl_ca_path = '/etc/ssl/debian/certs/ca.crt',
+ Boolean $do_ssl = true,
+ Optional[String] $ssl_ca_path,
 String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
 String $bacula_ssl_client_key = '/etc/ssl/private/thishost.key',
 String $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt',
@@ -22,6 +24,15 @@ class bacula (
 $bacula_dsa_client_list = '/etc/bacula/dsa-clients'
 $tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
+ if $do_ssl {
+ if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
+
+ $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+ } else {
+ $bacula_tls_ca_certificate_file = ''
+ }
+
+
 file { '/usr/local/sbin/bacula-idle-restart':
 mode => '0555',
 source => 'puppet:///modules/bacula/bacula-idle-restart',
diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb
index c836c72b5..8ad48d5a1 100644
--- a/modules/bacula/templates/bacula-dir.conf.erb
+++ b/modules/bacula/templates/bacula-dir.conf.erb
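Review bot: `$do_ssl = false` yields an inconsistent daemon configuration: the second hunk only blanks the `TLS CA Certificate File` directive, while every template touched by this commit (bacula-dir, bacula-fd, bacula-sd, bconsole, fd-per-director, dir-per-client-from-storage, dir-per-client, sd-per-director) still emits `TLS Enable = yes`, `TLS Require = yes`, in several cases `TLS Verify Peer = yes`, and the certificate/key lines unconditionally. With verification required and no CA file the daemons have nothing to validate peers against, so the switch either needs to gate those directives as well or should be documented as incomplete, e.g. `# NOTE: do_ssl only controls the CA file line; TLS Enable/Require in the templates are unconditional` above the `if $do_ssl` block. Separately, in Puppet 4+ an empty string is truthy, so `if !$ssl_ca_path` rejects only undef; `if $ssl_ca_path == undef or $ssl_ca_path == '' { fail('Need ssl_ca_path with do_ssl') }` would also catch an empty hiera value before it is interpolated into `TLS CA Certificate File = ""`. The class body continues outside both hunks.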
@@ -28,7 +28,7 @@ Director {
 TLS Require = yes
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming console connections.
 TLS Certificate = "<%= @bacula_ssl_server_cert %>"
 TLS Key = "<%= @bacula_ssl_server_key %>"
diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb
index 2f9acda33..14d996449 100644
--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -37,7 +37,7 @@ FileDaemon {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used by the client to connect to the storage daemon
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"
diff --git a/modules/bacula/templates/bacula-sd.conf.erb b/modules/bacula/templates/bacula-sd.conf.erb
index 76bda9e2a..d232bd968 100644
--- a/modules/bacula/templates/bacula-sd.conf.erb
+++ b/modules/bacula/templates/bacula-sd.conf.erb
@@ -34,7 +34,7 @@ Storage {
 TLS Enable = yes
 TLS Require = yes
 TLS Verify Peer = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming connections.
 TLS Certificate = "<%= @bacula_ssl_server_cert %>"
 TLS Key = "<%= @bacula_ssl_server_key %>"
diff --git a/modules/bacula/templates/bconsole.conf.erb b/modules/bacula/templates/bconsole.conf.erb
index 5e89a1612..49fbec68a 100644
--- a/modules/bacula/templates/bconsole.conf.erb
+++ b/modules/bacula/templates/bconsole.conf.erb
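Review bot: The new line mixes two variable-access styles in the same block: bacula-dir, bacula-fd and bacula-sd here (and bconsole, dir-per-client-from-storage and dir-per-client further down) read the neighbouring certificate paths as `@bacula_ssl_server_cert` / `@bacula_ssl_client_cert` but the new directive via `scope['bacula::bacula_tls_ca_certificate_file']`. Since `$bacula_tls_ca_certificate_file` is set in the same `bacula` class whose other variables these templates already reach with `@`, `<%= @bacula_tls_ca_certificate_file %>` would presumably work and keep each template consistent; the `scope[...]` form is the right one only in fd-per-director and sd-per-director, which already use it for every value. The variable name also reads as a file path while it holds a whole `TLS CA Certificate File = "..."` directive (or an empty string, which leaves a blank line in the rendered config); something like `$bacula_tls_ca_certificate_directive` would make the template line self-explanatory.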
@@ -15,7 +15,7 @@ Director {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used for console connections to the director.
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"
diff --git a/modules/bacula/templates/client/fd-per-director.conf.erb b/modules/bacula/templates/client/fd-per-director.conf.erb
index 45eedf376..2f8d46f53 100644
--- a/modules/bacula/templates/client/fd-per-director.conf.erb
+++ b/modules/bacula/templates/client/fd-per-director.conf.erb
@@ -13,7 +13,7 @@ Director {
 TLS Require = yes
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming director connections.
 TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
 TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
diff --git a/modules/bacula/templates/director/dir-per-client-from-storage.erb b/modules/bacula/templates/director/dir-per-client-from-storage.erb
index 0336cb004..7a5b4333e 100644
--- a/modules/bacula/templates/director/dir-per-client-from-storage.erb
+++ b/modules/bacula/templates/director/dir-per-client-from-storage.erb
@@ -19,7 +19,7 @@ Storage {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used by the director to connect to the storage daemon
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"
diff --git a/modules/bacula/templates/director/dir-per-client.erb b/modules/bacula/templates/director/dir-per-client.erb
index 4e4903c69..5ee2d0eb4 100644
--- a/modules/bacula/templates/director/dir-per-client.erb
+++ b/modules/bacula/templates/director/dir-per-client.erb
@@ -34,7 +34,7 @@ Client {
 TLS Enable = yes
 TLS Require = yes
- TLS CA Certificate File = "<%= @bacula_ssl_ca_path %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a client certificate, used by the director to connect to the client's file daemon
 TLS Certificate = "<%= @bacula_ssl_client_cert %>"
 TLS Key = "<%= @bacula_ssl_client_key %>"
diff --git a/modules/bacula/templates/storage/sd-per-director.conf.erb b/modules/bacula/templates/storage/sd-per-director.conf.erb
index 4514cbd52..5a38e9025 100644
--- a/modules/bacula/templates/storage/sd-per-director.conf.erb
+++ b/modules/bacula/templates/storage/sd-per-director.conf.erb
@@ -10,7 +10,7 @@ Director {
 TLS Require = yes
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
- TLS CA Certificate File = "<%= scope['bacula::bacula_ssl_ca_path'] %>"
+ <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
 # This is a server certificate, used for incoming director connections.
 TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
 TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"