From: Peter Palfrader Date: Fri, 24 Aug 2012 11:54:44 +0000 (+0000) Subject: Moar krypto X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;ds=sidebyside;h=388707f3641e2d1fec30a9ba60ac930bf721ea3f;p=dsa-puppet.git Moar krypto --- diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp index 76852132..6143d12a 100644 --- a/modules/bacula/manifests/init.pp +++ b/modules/bacula/manifests/init.pp @@ -27,4 +27,10 @@ class bacula { $bacula_storage_secret = hkdf('/etc/puppet/secret', "bacula-sd-${bacula_storage_name}") $bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${::fqdn}") $bacula_monitor_secret = hkdf('/etc/puppet/secret', "bacula-monitor-${bacula_director_name}") + + $bacula_ca_path = '/etc/ssl/debian/certs/ca.crt' + $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt' + $bacula_ssl_client_key = '/etc/ssl/debian/keys/thishost.key' + $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt' + $bacula_ssl_server_key = '/etc/ssl/debian/keys/thishost-server.key' } diff --git a/modules/bacula/manifests/node.pp b/modules/bacula/manifests/node.pp index ac4be838..c96e69df 100644 --- a/modules/bacula/manifests/node.pp +++ b/modules/bacula/manifests/node.pp @@ -3,6 +3,9 @@ define bacula::node() { include bacula $bacula_client_port = $bacula::bacula_client_port + $bacula_ca_path = $bacula::bacula_ca_path + $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert + $bacula_ssl_client_key = $bacula::bacula_ssl_client_key $bacula_client_name = "${name}-fd" $bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${name}") diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb index 66ff569f..4a4c52d8 100644 --- a/modules/bacula/templates/bacula-dir.conf.erb +++ b/modules/bacula/templates/bacula-dir.conf.erb 
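Review bot: The five new paths hard-code a certificate naming convention that every template in this commit depends on, but nothing in the manifest states it: the `TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"` checks added to bacula-dir.conf.erb, bacula-fd.conf.erb and bacula-sd.conf.erb only pass if the CN of `thishost.crt` on the director host is exactly `clientcerts/` followed by the value of `$bacula_director_address`, so that variable must be the certificate name of the director host, not an alias or address. A comment above `$bacula_ca_path` would save the next reader a failed handshake: `# Certificates under /etc/ssl/debian are expected to carry CN clientcerts/<fqdn>; the TLS Allowed CN checks in the templates match against $bacula_director_address.` It would also help to say who must be able to read `thishost.key` and `thishost-server.key`: no File resource for them is visible here, and if bacula-dir or bacula-sd run as an unprivileged user (presumably the case on Debian, but not shown), a root-only key combined with `TLS Require = yes` refuses every connection rather than falling back.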
@@ -23,6 +23,15 @@ Director { ip = { addr = 127.0.0.1; port = 9101 } ip = { addr = <%=bacula_director_address%>; port = <%=bacula_director_port%> } } + + TLS Enable = yes + TLS Require = yes + TLS Verify Peer = yes + TLS Allowed CN = "clientcerts/<%= bacula_director_address %>" + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a server certificate, used for incoming console connections. + TLS Certificate = "<%= bacula_ssl_server_cert %>" + TLS Key = "<%= bacula_ssl_server_key %>" } ######################################################################## @@ -139,6 +148,13 @@ Storage { Device = <%= bacula_filestor_device %> Media Type = <%= bacula_filestor_name %> Maximum Concurrent Jobs = 10 + + TLS Enable = yes + TLS Require = yes + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a client certificate, used by the director to connect to the storage daemon + TLS Certificate = "<%= bacula_ssl_client_cert %>" + TLS Key = "<%= bacula_ssl_client_key %>" } ######################################################################## diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb index 83174065..1b433eab 100644 --- a/modules/bacula/templates/bacula-fd.conf.erb +++ b/modules/bacula/templates/bacula-fd.conf.erb @@ -8,6 +8,15 @@ Director { Name = <%= bacula_director_name %> Password = "<%= bacula_client_secret %>" + + TLS Enable = yes + TLS Require = yes + TLS Verify Peer = yes + TLS Allowed CN = "clientcerts/<%= bacula_director_address %>" + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a server certificate, used for incoming director connections. + TLS Certificate = "<%= bacula_ssl_server_cert %>" + TLS Key = "<%= bacula_ssl_server_key %>" } # "Global" File daemon configuration specifications 
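Review bot: `TLS Verify Peer = yes` together with `TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"` on the Director resource means the director accepts a console session only from a peer presenting the director host's own client certificate, so bconsole run from any other host is rejected at the TLS layer; that is a sensible default, but the added comment describes only the certificate, not this restriction. Extend it: `# Verify Peer + Allowed CN: only the director host's own client cert (clientcerts/<director address>) may open a console session.` The same Allowed CN pattern is added to the Director resource of bacula-fd.conf.erb and to the second hunk of bacula-sd.conf.erb, where it limits inbound director connections to that single CN; a one-line comment at each would make the coupling to `bacula_director_address` visible where it bites.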
@@ -19,6 +28,13 @@ FileDaemon { Maximum Concurrent Jobs = 20 FDAddress = <%= fqdn %> Maximum Network Buffer Size = 524288 + + TLS Enable = yes + TLS Require = yes + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a client certificate, used by the client to connect to the storage daemon + TLS Certificate = "<%= bacula_ssl_client_cert %>" + TLS Key = "<%= bacula_ssl_client_key %>" } # Send all messages except skipped files back to Director diff --git a/modules/bacula/templates/bacula-sd.conf.erb b/modules/bacula/templates/bacula-sd.conf.erb index 0559ed68..11e5b084 100644 --- a/modules/bacula/templates/bacula-sd.conf.erb +++ b/modules/bacula/templates/bacula-sd.conf.erb @@ -12,6 +12,15 @@ Storage { Maximum Concurrent Jobs = 21 SDAddress = <%= bacula_storage_address %> Heartbeat Interval = 180 + + TLS Enable = yes + TLS Require = yes + TLS Verify Peer = yes + # TLS Allowed CN = "clientcerts/<%= bacula_director_address %>" + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a server certificate, used for incoming connections. + TLS Certificate = "<%= bacula_ssl_server_cert %>" + TLS Key = "<%= bacula_ssl_server_key %>" } # List Directors who are permitted to contact Storage daemon @@ -19,6 +28,15 @@ Storage { Director { Name = <%= bacula_director_name %> Password = "<%= bacula_storage_secret %>" + + TLS Enable = yes + TLS Require = yes + TLS Verify Peer = yes + TLS Allowed CN = "clientcerts/<%= bacula_director_address %>" + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a server certificate, used for incoming director connections. + TLS Certificate = "<%= bacula_ssl_server_cert %>" + TLS Key = "<%= bacula_ssl_server_key %>" } diff --git a/modules/bacula/templates/bconsole.conf.erb b/modules/bacula/templates/bconsole.conf.erb index f5bb2e64..6c4cd808 100644 --- a/modules/bacula/templates/bconsole.conf.erb +++ b/modules/bacula/templates/bconsole.conf.erb 
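Review bot: With `# TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"` commented out in the Storage resource of bacula-sd.conf.erb, `TLS Verify Peer = yes` accepts any client certificate issued by the CA at `bacula_ca_path`, so the CA's issuance scope, not a name check, is what decides which file daemons may talk to the storage daemon. That is presumably intentional, since every backed-up host's FD connects here with its own `clientcerts/<fqdn>` certificate and a single Allowed CN cannot express that, but a commented-out directive does not say so and invites someone to "fix" it by uncommenting it, which would break every client backup. Replace the dead line with the reason: `# No TLS Allowed CN: every file daemon connects here with its own clientcerts/<fqdn> certificate, so any certificate from this CA is accepted.`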
@@ -11,4 +11,12 @@ Director { DIRport = 9101 address = <%= bacula_director_address %> Password = "<%= bacula_director_secret %>" + + TLS Enable = yes + TLS Require = yes + + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a client certificate, used for console connections to the director. + TLS Certificate = "<%= bacula_ssl_client_cert %>" + TLS Key = "<%= bacula_ssl_client_key %>" } diff --git a/modules/bacula/templates/per-client.conf.erb b/modules/bacula/templates/per-client.conf.erb index b3765822..9be2f42a 100644 --- a/modules/bacula/templates/per-client.conf.erb +++ b/modules/bacula/templates/per-client.conf.erb @@ -30,4 +30,11 @@ Client { AutoPrune = yes # Prune expired Jobs/Files Heartbeat Interval = 180 + + TLS Enable = yes + TLS Require = yes + TLS CA Certificate File = "<%= bacula_ca_path %>" + # This is a client certificate, used by the director to connect to the client's file daemon + TLS Certificate = "<%= bacula_ssl_client_cert %>" + TLS Key = "<%= bacula_ssl_client_key %>" }
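Review bot: The added block in bconsole.conf.erb leaves an empty line between `TLS Require = yes` and `TLS CA Certificate File`, unlike the matching client-side blocks in the Storage resource of bacula-dir.conf.erb, the FileDaemon resource of bacula-fd.conf.erb and per-client.conf.erb; it reads as if a directive was removed and makes the rendered files harder to compare, so drop the blank line. The comment could also state the access requirement the client key implies, since `TLS Require = yes` means the console cannot fall back to an unencrypted session: `# bconsole needs read access to thishost.key; with TLS Require = yes an unreadable key is a hard failure.`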