$bacula_storage_secret = hkdf('/etc/puppet/secret', "bacula-sd-${bacula_storage_name}")
$bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${::fqdn}")
$bacula_monitor_secret = hkdf('/etc/puppet/secret', "bacula-monitor-${bacula_director_name}")
+
+ $bacula_ca_path = '/etc/ssl/debian/certs/ca.crt'
+ $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt'
+ $bacula_ssl_client_key = '/etc/ssl/debian/keys/thishost.key'
+ $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt'
+ $bacula_ssl_server_key = '/etc/ssl/debian/keys/thishost-server.key'
}
include bacula
$bacula_client_port = $bacula::bacula_client_port
+ $bacula_ca_path = $bacula::bacula_ca_path
+ $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
+ $bacula_ssl_client_key = $bacula::bacula_ssl_client_key
$bacula_client_name = "${name}-fd"
$bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${name}")
ip = { addr = 127.0.0.1; port = 9101 }
ip = { addr = <%=bacula_director_address%>; port = <%=bacula_director_port%> }
}
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming console connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
########################################################################
Device = <%= bacula_filestor_device %>
Media Type = <%= bacula_filestor_name %>
Maximum Concurrent Jobs = 10
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used by the director to connect to the storage daemon
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
########################################################################
Director {
Name = <%= bacula_director_name %>
Password = "<%= bacula_client_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming director connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
# "Global" File daemon configuration specifications
Maximum Concurrent Jobs = 20
FDAddress = <%= fqdn %>
Maximum Network Buffer Size = 524288
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used by the client to connect to the storage daemon
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
# Send all messages except skipped files back to Director
Maximum Concurrent Jobs = 21
SDAddress = <%= bacula_storage_address %>
Heartbeat Interval = 180
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ # TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
# List Directors who are permitted to contact Storage daemon
Director {
Name = <%= bacula_director_name %>
Password = "<%= bacula_storage_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS Verify Peer = yes
+ TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a server certificate, used for incoming director connections.
+ TLS Certificate = "<%= bacula_ssl_server_cert %>"
+ TLS Key = "<%= bacula_ssl_server_key %>"
}
DIRport = 9101
address = <%= bacula_director_address %>
Password = "<%= bacula_director_secret %>"
+
+ TLS Enable = yes
+ TLS Require = yes
+
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used for console connections to the director.
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
AutoPrune = yes # Prune expired Jobs/Files
Heartbeat Interval = 180
+
+ TLS Enable = yes
+ TLS Require = yes
+ TLS CA Certificate File = "<%= bacula_ca_path %>"
+ # This is a client certificate, used by the director to connect to the client's file daemon
+ TLS Certificate = "<%= bacula_ssl_client_cert %>"
+ TLS Key = "<%= bacula_ssl_client_key %>"
}
projects / dsa-puppet.git / commitdiff