authorGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:21:16 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:53:58 +0200
commit8cf4032ecec5b9f58d829e89f231179170432539 (patch)
tree24947cc32af42e98bca3ed0b6319c69c77321262
parentf7a5a19edc504980e2e8f93ab027162756710d59 (diff)
Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec.
-rw-r--r--certs/bacula/antilop-fd.pem33
-rw-r--r--certs/bacula/benjamin-dir.pem32
-rw-r--r--certs/bacula/benjamin-fd.pem32
-rw-r--r--certs/bacula/benjamin-sd.pem32
-rw-r--r--certs/bacula/civett-fd.pem34
-rw-r--r--certs/bacula/data-master.pem38
-rw-r--r--certs/bacula/elefant-fd.pem33
-rw-r--r--certs/bacula/giraff-fd.pem32
-rw-r--r--certs/bacula/mistral-fd.pem33
-rw-r--r--roles/bacula-dir/handlers/main.yml3
-rw-r--r--roles/bacula-dir/tasks/main.yml69
-rw-r--r--roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j223
-rw-r--r--roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j281
-rw-r--r--roles/bacula-sd/files/lib/systemd/system/bacula-sd.service2
-rw-r--r--roles/bacula-sd/handlers/main.yml3
-rw-r--r--roles/bacula-sd/tasks/main.yml58
-rw-r--r--roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j25
-rw-r--r--roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j264
-rw-r--r--roles/common/files/lib/systemd/system/bacula-fd.service2
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/bacula.yml72
-rw-r--r--roles/common/templates/etc/bacula/bacula-fd.conf.j26
-rw-r--r--roles/common/templates/etc/iptables/services.j210
-rw-r--r--roles/common/templates/etc/stunnel/bacula-fd.conf.j273
24 files changed, 14 insertions, 759 deletions
diff --git a/certs/bacula/antilop-fd.pem b/certs/bacula/antilop-fd.pem
deleted file mode 100644
index ab0dcc4..0000000
--- a/certs/bacula/antilop-fd.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFoTCCA4mgAwIBAgIJALyrqlng65g3MA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG
-RDEcMBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDIyMTE0MDZa
-Fw0yNTA1MzAyMTE0MDZaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT
-TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTYW50aWxvcC5mcmlw
-b3N0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM8zFuFJlDjy
-d2gouIpHJu2pCRkJLF4O0HyMszXGj3l28Qaf2GlwS0GwJtyH47jIlKD4edRw/wdY
-mi/fxb9k5Dtlt7PJrrHQh+EAcaqEpE8VHIsuqsKZd7CMjDoW6S7ciDIMULfk3H0h
-artu4+QnYAqHJtMaSzO2wB/iLdl6iWoCpPBp24cAgC10m3TWlneuXNNgEk3fy63P
-dbJdTww6hsUNHVBkB3JkKEWU+0uyGE3v/Qruz/JuotvJttZ4p5tPr+jGNEYPNgVq
-vUBSnu+OwCNgw/XNgn7z6WivmcxLwMqxfb6P1xbMhJab2DD4+5Z/rpGQv1L2xNNi
-YfffeZp4J/Vzv8p7qmCotGqOFGI7Y5NHcMdg7IRwQvDPxXK7tZYbjaYY8dmsHDDG
-wKzMx+zn+FOtI005rL4OFrdxpis0jR6WwMRa35TaepyqYncto+fsQvOQDf425cHo
-kzoMj4ULZZaONNlsIu7X6Su+qcS5oQVUDFpArNrMNQEJTyFkzhZClZ54n1jOemcA
-QO/OGuZ8wx1py9+KRlUc//UyXLjVk0ugxv5CLM1yJwY5Gn199wG2PwiXaT8Q6oRf
-NR01kz/2sirrPIuWMCu/JKjVZPauF3fuwdRo9fXauWO5HkELDMAfsaKm59Kb/iD9
-f5OxR3Wiik+1EMhj8tHZuKfGHzMbHSMtAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFk
-bWluQGZyaXBvc3Qub3JnghNhbnRpbG9wLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC
-MAAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQQvLlHhpXBKB+b4X8dG4+d/eIN
-tDANBgkqhkiG9w0BAQ0FAAOCAgEAEoeIfl9wOFFQCVQ4yqVnKq7ZTZv2cQXSPqTn
-1zE6pqes69tUBVa0ulwKLbp9yss6PadHJEetZBy77QVOPFnVzXsRuq9TYPoXp51i
-Z9v2VQEljUPHGEj4kGCCKHTOjsTmPRgSeh3NE9K8g9EEeJGet+mq8J6HRzsChhKB
-u/NjTcQnWgzLue5QdrdTPlbgsdfmpzuotVeojHiOcwodWAdEJWIe/Dz7moqlx4Uq
-JCAxakCcsTSixJN+iiN1PNvCf6S1WCwL+7flp151hkZ08K34jF0dnChjht+x99qx
-+ZjdU+2dC5nRUv5qNABb0zQvKmIo39VFbshnIuVE4FbIsyg9oGxg6cn4AwKGF/ZC
-s/6fNuvjvfhNVcm+ZujdtQwiPK3wnXjQ9Boe+ti8jGJtierIKxbIXfb0/wNWMSfK
-5u/eH3NCYsKNTzvBa/n3sKgBYrzZDoTXjeHdeSsulaaX7TQWYwi0ILcZa6N/waGs
-9rXxLczGHl/bz8MEHp5cWCC0dTOTLjZUTFvxMAdyOOaq3xOxlLxT0CyC7s9Otyh4
-hC6aZwlxDUjxjd08fL81I1+wiRemJQ4TGhx3aAdtev92TSoDEfTElz7Ma1MNCXy+
-V4m1hTjBQnq7+UsRy85WULkfEB9einDhT+p12KPqjO/R1+D7SbhFuF8v+H+UyfFs
-5d3FeOo=
------END CERTIFICATE-----
diff --git a/certs/bacula/benjamin-dir.pem b/certs/bacula/benjamin-dir.pem
deleted file mode 100644
index 7642206..0000000
--- a/certs/bacula/benjamin-dir.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFhDCCA2ygAwIBAgIJAMIcL9J2M0mNMA0GCSqGSIb3DQEBDQUAMFcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRIwEAYDVQQLDAlCYWN1bGFE
-aXIxHDAaBgNVBAMME2JlbmphbWluLm1hcnhpc3Quc2UwHhcNMTUwNjAyMTExODA4
-WhcNMjUwNTMwMTExODA4WjBXMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhT
-U0xjZXJ0czESMBAGA1UECwwJQmFjdWxhRGlyMRwwGgYDVQQDDBNiZW5qYW1pbi5t
-YXJ4aXN0LnNlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwT6aIKM1
-NPqcyiU4jC7vCjelOtkHwk4Rst8d8tKjz09Aq6prb9zObPz2WMzj0QiWGlK5342C
-nYxWkYCzwRr0CniCL4eLgKHrlmMPQ3Vu3kbxH9yO/f6lOj51MFD84c5dfwRI3q3b
-gy9P9V+dwScJ4C+oTbzHLE7dbhhfDnk9FKWaaZYC1cDIybL1hmYPDtlUBiMYYDuU
-e7QYkvkSSUrf8yABIDOzcz3777IqZPkDREeMfSlH2HX9ny9YQ5X3r01SrkCd4GAf
-A9bL74hrKGvtpc+IIQRwopRmQH3VG8YWQD8iXEVGcokwhtNOeR4Zc8RVtLAAJW0+
-w+c/Y5oMsnO6BACOjR8TtdfiZgHo2mCzEhqH/x4f6EqsU+WN6pj2JR8wosGRl5Im
-kdKpwMJb2cwUX3kFK6CAQIx5xPVKP5Eymmn6NzZlLMgUQsiLrZ6ZQnRac3eBz7Ny
-slPQE0C3NyGwJhmWIGWggz7mT9KhGnamgeW/FJDPj8TAX4gGwaRRyDNo9ay8+qOc
-OB5ko0l6yt06tg+ZnzM8C/Cay84HKBXOtFr32KeA+ati+qIJL6Ak+gJmZl4CqYWm
-FV5gexEBSSh6N3pu30k4jItPZ4j+rQePQr5ZrYiJiz5rVMXViotUi5JPXfnANOFm
-6+prfhPXe0Kea0N11ICgjsvQhjsDjyWpMC0CAwEAAaNTMFEwMQYDVR0RBCowKIER
-YWRtaW5AZnJpcG9zdC5vcmeCE2JlbmphbWluLm1hcnhpc3Quc2UwDAYDVR0TAQH/
-BAIwADAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQENBQADggIBADdtDeA/O+4M
-opRyHqheQDDab0bnlA+we4gA0kJ31JjmHURzmBB9/ZCkxlDokBCJozBAdNxWOrdy
-JI+k8Y2TwPXuHu0PodFbFWAuSOfNfzrOWbAlqRJZlcSOZZqZrojmOcfG8rmcXLpg
-WWJATgvdVT6cWhY7/cfn2JJuqjQfD3pdC+kDCAVIJANCE5Lh3M7nB+geykdhjxrx
-1Z8reGsCSYkRek7wB+EJXl0ULuNJUWvIpYAFm1MBJkj6Uva2RQ92ZFlOhmADn7wp
-IlfOb4UjezJWOU+MDBmolSkAKQGVs/Htl7UIgODCwwoWqvYCjuqN5SAqlHferr9z
-c83i4tBNfstnTh9ffss7scjvNNX5adNK7kB5iuf4iJVwX0jymwmDV4gErm3J/wtC
-mwp6+dgfCCIBZ13sUzY5URRGPxvUF7jZ4VytEJObWIvFnVuRnwVyp468p33jSNLK
-LyhmUMHi9ygAHA6XITHPEH/zJYHAzGklHh7GefAUxSBva4EaNQDZ2Q6Y/IC4w4ZJ
-CpV7sab8R+ywJhsBMmgWuXFiyFei7ptFZ8Q1qDoCfU0KTn+MatvJbY8SAMsFk5LK
-F+WmwTY3fugxyoy736j+QH2RagGUHX2ONwbqQvwpUG6iLB5BnYKsftg6LyiLlzEi
-VdjKmptcqY+gBEZMaYhF/x4zhckABUhI
------END CERTIFICATE-----
diff --git a/certs/bacula/benjamin-fd.pem b/certs/bacula/benjamin-fd.pem
deleted file mode 100644
index 5058ad0..0000000
--- a/certs/bacula/benjamin-fd.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFgjCCA2qgAwIBAgIJAL36I3WYX4J7MA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG
-RDEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDIxMDQ5MDha
-Fw0yNTA1MzAxMDQ5MDhaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT
-TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTYmVuamFtaW4ubWFy
-eGlzdC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL1HDbw9IyMJ
-MZse/mLwPBccX8/S5NFIqot6dumNuIOwpx0aAzF6rN0C55h/GQXWciFAeEy7aPib
-NiiwwsEzAQy4JZJ2ZWMpdCN0XhyOUnyjs3L0keH48ywnRfHJP6GF6w+AgD9Y3otX
-DphFnpaGMXfP2zGwNgAw7EelBgEBA+sall2tDdv/q4sziegpimCCS1VwLxEINadJ
-WY5XgbYQzUiKm1C3A7/PQDlLyWfOYApxfFPKJZQOCI3Fb/q8eztqXrDSQybxRLhf
-T6ak8mylVU3+z2Yc2kvtgFs4PTD+XUU1MhDxqiKqpJQJPIzslbVFpYaFm8BBZJli
-dBasJAe+YYra0XuZ6wJEavRtWGrCPOnwwvTE8z4rAs/1xpEk4UMyBaWfKhjgYZBv
-pQLaaO0Y5VAM0JidiZkEvCaXQqv+pAl6uCBjzw5eOpf6Ju+kZeKKdt9Q5cNg/ZFl
-6ZbI/31OjXZxm+xmADhWtrzO+UZwBbLsvN3kIdtkLdU/J9KvhTpQkTtS2YR2FNvD
-BIpB3m8lp2pabhtZt2FtDZbQM9krKelXxuZUXcgK8+hd+iQJ6e3U0lbHO0eYkGUk
-8H9PpvsIl/sVrTpBW/fHnbm9ZRLknctuY5XMjxeVe2Rr1stPeP5530Mmggw0s+zv
-HGpcz1MMRQuag29dyFhIJfwJCi8HL8hVAgMBAAGjUzBRMDEGA1UdEQQqMCiBEWFk
-bWluQGZyaXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQC
-MAAwDgYDVR0PAQH/BAQDAgKkMA0GCSqGSIb3DQEBDQUAA4ICAQCY/h/+VTe7N323
-zMneN6yPIgj8PXMpfiL9NfxeFBECwWI89p13fOOMKKItH7tUdtZA8iTk3oyCMl+t
-y38caohCNun7y8db+jLtSxa6s6NOwUWRWwz9EJpVR9x5AsQ6ZynJDNFF6f4+0Wo+
-G4rJ9zTNKOuUlOkwOUj8SzL4NkaWdyI6Zfxvzq0vGdztI4k6rCz1Dcq82UdSrVfc
-SnPaaMsqtdwVIFT8nldQr+sU5Zu8SH4Q5iee0hL91Q7Lg8WzIEbZDdYWEAQuZ6Vk
-VsV456nLyNzYPqTtWSK/Xi1xCRLaUZsXIlb0gfD26UzO3Jy1hyekBCg+2hZNjJfC
-lZ/CKpTqTXSCvjjM7tASd2tz6PJBEIIoF6bwEh75o5WEueb7NHDPigWxB+yG9sIJ
-DDCFPKK9kNpbx7u6HittONBK/oekUZAnzh9AqY2GVvKJ32uAeYf+V+h9D/jOh7F/
-HMTR/s2Dve+NYrX+6Reyk5sYRXLuxlgdxHxQbsuOeINTY/sxYMSAPJxFvUIJNznj
-iOn3bk54sMnk3/5YPedxfS2gNHN2L+vnbeNBQ8JI0VAFHa/dhq4594avFrz33dSH
-3VCLUn52izJxBxLaJYKLVrd1k40ayEUI5WEBs5gYcIviS5Dr0oZhOUJceGpkn2TT
-3BB5gaJpE6RwIwmvuse2YOlCKo7xEA==
------END CERTIFICATE-----
diff --git a/certs/bacula/benjamin-sd.pem b/certs/bacula/benjamin-sd.pem
deleted file mode 100644
index 0443810..0000000
--- a/certs/bacula/benjamin-sd.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFgjCCA2qgAwIBAgIJALEP4ryGZFdWMA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFT
-RDEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDIxMDUzMDha
-Fw0yNTA1MzAxMDUzMDhaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT
-TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFTRDEcMBoGA1UEAwwTYmVuamFtaW4ubWFy
-eGlzdC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL1A9zHK4bEK
-hxSncIRuwly+rPRf0KGJF6opY7RkS9UnsYXS+5i9Gw89ikiutX8ADHuqy7kXnoiO
-W7Ihuk/903RATzU5pVCweHcf/XHMsWW3Yrwgus25fP3aSxjHyZt8e3RAZGTvDySe
-8FCbGJe5tFoEM6YLdzaWY8cFiohgZjU+PD/i5kIiGizNe6qYO37ANQIaCrO0iex8
-OfFjSJbmIvZOVuyipxUs0wTF/zTq7fBoM2k+/tBTEorPszGx81hvCmsjdEQMVjih
-1ThczGTI9m+yE5hHKoUxX/NlFPjhGGFc3suCL8kWPPTRDmimRY9bQWbafqPL+ZXG
-ubz1Li9AIyYP+iTukyI1hdo8kKlgO4oA+aTqfUZYDeXcP5d85KHaIqtSida8L93G
-YbSsG2zfDuCGcHttZVLPE3+/cYuqG6821cAyKOY6H1D3+6RdR+bgh2WxFRBPJs7D
-RRRJGz/Fe1zbacKehQL9J7hmq4vIvh3mqnRk1eCrpR85XkH/6XO1/Zc7ienZaSD6
-/dK3xk2FM1tVNRsfdp73Ky2Msz7sbz3ajHzXj2IzaDYSdP5ldZ6htahNrRR6N05M
-viBW7eIj7tvx542gjw2nNUulI4E4eX9yiC1QUeYEdyBS8arje4E5wO7ZiQNmARhD
-QBKEjudRaDQTuko9MFYK1QO9hmB4gt4RAgMBAAGjUzBRMDEGA1UdEQQqMCiBEWFk
-bWluQGZyaXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQC
-MAAwDgYDVR0PAQH/BAQDAgKkMA0GCSqGSIb3DQEBDQUAA4ICAQCw2v6UZe67o5TS
-UCnShsjG2iNZW3Q5rSsDEOlViS9pk1LAyVJAiZ7yqFly1+TGe20QCDbIePQcgwla
-0TIciZIO6jbQAYItvgfUwdrSVrKCffBNopnY2IPBAgWsuZeY5/sFwT5bagC6y4au
-WLq9FHFt20JAo0y4iT/oSaKIY9gdJjWmAomFXMZL9KxUotKF+6UFGgN19QwAKGFX
-1GHME+bTTwlmEvGIAAY/C3SlLqe6vQDAKR0aY+BHrxdIfg6FtAvYgXWjcrMLaHul
-HMpUFpq9+sVA2nDwGTgg0jsOU4v2OBDuUoOxjztx/BwPTmPF+U6HkN4cHSeD03yQ
-QMYPMU1o5FXkhdBCKtzgPqCFDSD0IyeyFeQ7MzIbpylQTcRz4J/d3uy7q1DhEIYk
-omt5H1dgbsEfXXWcIhUuJj9dhl36YkM9OE5k4bytntqHImD6/q7JZbOODuqHkmR7
-2w2QgwS8i+d1iMZ+d/9Z+HtemhUIltgpR0RvJa4aFzfmj0zAWXWNDK2S3nTmr086
-kuAxour48AUUHYX/44jijEUhh22pypwATcrinH5WWbftoUP87+kwTCwLWnZF2VS+
-aIvLOPhY06fqdj7J6k4AZ3muq7SGCCdCTEtdH7Xsz/ACenUG1A5ueziW/MeC+ZOZ
-5PnEB/KBWMy43A42ajz8fA41/Qj0WA==
------END CERTIFICATE-----
diff --git a/certs/bacula/civett-fd.pem b/certs/bacula/civett-fd.pem
deleted file mode 100644
index 0b8bd7b..0000000
--- a/certs/bacula/civett-fd.pem
+++ /dev/null
@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFzzCCA7egAwIBAgIJAK35SShtN1ELMA0GCSqGSIb3DQEBDQUAMGUxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG
-RDErMCkGA1UEAwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAe
-Fw0xNTA2MDMxODMwNDZaFw0yNTA1MzExODMwNDZaMGUxEDAOBgNVBAoMB0ZyaXBv
-c3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDErMCkGA1UE
-AwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTCCAiIwDQYJKoZI
-hvcNAQEBBQADggIPADCCAgoCggIBAKWesiEEzXH7UchQpfSTGPdHvDc4Ar6hmDxc
-Yr5cgSin/JDWAhdMqvU6T/g+BDjcYj+IcyopYCZ84BatZLdKyEklYQolDrI1+7cb
-og96dlOmVc3d7epn5uuKOS7sm6IGB5M3BNVkWzKkm2BJaG9WuxxG4i/DOPunrT1G
-bJcrJsfUQzbHULjESvw8Xy0p2Iie5XZ3TIXg8UJ2kmrCDs69+tUikxTQ6ut2iw/F
-o6+hMPWJjno5dsJDQ/4VuVceZZjDzL9Mm6d5mq3f3rJQOi92eEDsTtcOUrZnga2l
-lTrgpTAlAoQHIsGGQjeyz0GXqBH1hdAV9YF1rddh6tl953KsEvVGI7xG+S/DoNGx
-2fpOU8Z2mimeqowtwKPBh6T/l5YJccEaKvgnx2Kyf6r4tkYEvEtB9ceooisaBDsg
-5s5qRv8stL1mfMakFIcwz7o7/4ZzW8GWIUcsiqbj4H+75wDi+tfEBdBF1/LQt7xf
-kDFjxX136telHM8HlWl5xKcApCDhlmSj1DZaVcy6Q2DJ850K81t0hYRzCqAJiPZ4
-ErAvHxA5ceUd+KGdyCZiup3n9Mp5sMYHYRsWxupVZ1ANNA9lW0t4h1G4Vczn/t0o
-qkdjxksoam2yFrMolnbhZd7jhbbqJ0kbK0WaXddErO6zjnzaepQKXEN7dmZ8jI+J
-7HWoKrOzAgMBAAGjgYEwfzBABgNVHREEOTA3gRFhZG1pbkBmcmlwb3N0Lm9yZ4Ii
-Y2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAMBgNVHRMBAf8EAjAA
-MA4GA1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQUCWfNyFVLQ/2xS0QJAOgNu7jWatow
-DQYJKoZIhvcNAQENBQADggIBAJ4ykMLi1nEkob5Q2Gy0bWdGzzHswQGW1FEGXnna
-TdlHs34OEYZOzcbdqj2X9EK9Y0Dlx1BzdbB4QRgx3Oehs7D5KhRABPw7/rTj7q6f
-WPPai1j6260z+Ah+GFStMMYyoOn8mx8babHf4YcelBgOtzKyKJ5Kr6uGRcMTS8Gs
-cGfkDKUG7PdEIAT8tXstA8MuVVjDC7FYKusCoJKleCIFMgWH29HHIU/psqk4oiNK
-B35VdAp2LT+qsRTlBmPphELHiVElpG6rCLCBsSTDnEi2qWhiNlVjYHRdfY6bo0Hu
-1pPO7mAk4I7JOaFed9FXxYfSag+LiVpXMSI67586jZxqnA6Oyd02AJYJT3Eym8Gz
-hKOniEYF4mwYw6bNeapmrzl5cId32B+KeE+2OMLOVx4gTtTdcXbvUfaTFzHh1Y5Y
-f8hWGKQPv0405lXeyMzeZxuyMYA3rkcKexpfeVks4VLmMpH2XPXXo2W4QDGo5RRs
-cWZJbLgs9SYkJM9m7qvE3R38D8aGQkAgt8eCWxcnCdx8NZ7WodLOKSHMR3yGU1Fy
-ygj9blvlVkEZbFWBv7BR4MbaTwboZG+PygbJpgjXTadApFOlZTPCwFgHgMGKuhj+
-f6Hjsi0K0e4csyL62kqYxuWVN9wwEgiKAm43rNa4eL61Hw9/3Fm8+oj/qg/0u0t3
-zEaD
------END CERTIFICATE-----
diff --git a/certs/bacula/data-master.pem b/certs/bacula/data-master.pem
deleted file mode 100644
index 22dce60..0000000
--- a/certs/bacula/data-master.pem
+++ /dev/null
@@ -1,38 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGmTCCBIGgAwIBAgIJAMwKAL/cZeW/MA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
-VQQGEwJTRTEUMBIGA1UEChMLZnJpcG9zdC5vcmcxGzAZBgNVBAsTEmZyaXBvc3Qu
-b3JnIEJBQ1VMQTEfMB0GA1UEAxMWZnJpcG9zdC5vcmcgbWFzdGVyIGtleTEgMB4G
-CSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwHhcNMTMwMTA4MTMwMjIzWhcN
-MTMwMjA3MTMwMjIzWjCBgzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC2ZyaXBvc3Qu
-b3JnMRswGQYDVQQLExJmcmlwb3N0Lm9yZyBCQUNVTEExHzAdBgNVBAMTFmZyaXBv
-c3Qub3JnIG1hc3RlciBrZXkxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGZyaXBvc3Qu
-b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtZOy47VinnSATFd4
-LJd+y1p20xdsRR9B7807trtlsqtomPNHIivA/cqlYJk8xdEX9bO4biOrKcTVH2to
-r6WIKPCc+2Bu/nhq2Hh4GHtDeRpyvhby+MreLlb1GvTrw/iG9is8pZ/GJ9e7sJn+
-QzZxbvUn/wppWPieXfGYSvDdMyjYv5es/ImeWz3+pCiwUSSHIKIOXT87wQbt3Hhf
-5ZC7ZrTHPSPyaahPGNB9CFtl7VLvKJYtlbVweiR0mYG+tVXu17VfFt6aT0qIqzSL
-rs57CKOJUDJHRZeF3R4MA3eFhEI8t495JYFzK7P0K0O/HqA/sxZnXkODak98bdTS
-6cfKrOD/NiriEayqf/2ekDZL0zraEz1gUF2UInfdEPVF/dVWhrUTc+gzcOshI+6G
-SNpW6gXi4nnG4r6ZelCkyoDsHL7G75SriamvszGXIWCc9wmrOkcQPniSG6A+EblB
-HBzQA77g86o7n+5CvPsCAMc8tpdfqEG5RN74zMaKflDy4L+zlI06IgVsrJNpThWD
-aHFDTgD1M20bKyriBZ0ST7IIX3e4awvfUdw4A+me7JDov0LWZRQE68SM0L8WUpEC
-guB5+lTqwYOi/bhw7QS0dtwzAecRHSd9S4TT92+Dl1Xyw7Vh4IKyYTo9kxzftwKl
-guqATvjV922NhwZhUHW4GLlA4vMCAwEAAaOCAQwwggEIMB0GA1UdDgQWBBR0uhlQ
-78EvNbpwDElIsAdoBPdB0DCBuAYDVR0jBIGwMIGtgBR0uhlQ78EvNbpwDElIsAdo
-BPdB0KGBiaSBhjCBgzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC2ZyaXBvc3Qub3Jn
-MRswGQYDVQQLExJmcmlwb3N0Lm9yZyBCQUNVTEExHzAdBgNVBAMTFmZyaXBvc3Qu
-b3JnIG1hc3RlciBrZXkxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGZyaXBvc3Qub3Jn
-ggkAzAoAv9xl5b8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4
-QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4ICAQCjNJlSOcFtr4J+Qfw5WMc0feoa
-Ee7PxK1z90GQJCQEEadUrsm89yCj34r4jhhrt8JC1+7V6igU48cn6o1xYrFFFfHY
-p74AH6xMNHP88dulQcNrOgR3TTFejjLncnga5/iZDXEf060oREZEbwdoThrxbJ8Q
-H92pr4ywW6Mj0j4b05VyjN0oOQdOPFdxZ3CPAliLn3hbwdIQ73vh7S5k/l523sja
-l8bDx4OU5TKInaM6i7Xglfkyrig6e1Mi5XbZCs0RK1hOeVgmRI2f/RiHgLE/b4TW
-i0uE9RkHChgUlPAamuXiF0w1VJuxr2adZoLfnQtY8CcwwpsbXUEUGyr3+59yRl6H
-s1AHCyM91A1iVU35pPDhjR7LvS0Yqp0gAt8zLNbyvmwZcINoAm3VKfZNDQwzvfrP
-4ThDX+dS3PjyNogvNmqgkMu4ta/6WlDmo1X4cC88V0HW1uujrF0Cuwh4IuavxVgA
-Atpzj4kh7EP/sDPguHO48NMkbDZ6k2A6ZepCzyldEfRjCfS1jyoX2LqrpW3dQL7Z
-bJpMTXSo/l5aUYGb50cdLzDLVbc/CZnG3NrVetvogRUOcax5Sn0nrsqLrQvn5kwh
-G9+ufbOvvECOWAVQuJv2RwBj4VffSwASkhI9kR8x8+DZ01mBMFOAXx6KGFsgjSeL
-JIZyqPYX/iH61mHk2Q==
------END CERTIFICATE-----
diff --git a/certs/bacula/elefant-fd.pem b/certs/bacula/elefant-fd.pem
deleted file mode 100644
index 1f9fe2e..0000000
--- a/certs/bacula/elefant-fd.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFoTCCA4mgAwIBAgIJAP7SDEuZmEQMMA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG
-RDEcMBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDIyMTIyNTNa
-Fw0yNTA1MzAyMTIyNTNaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT
-TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTZWxlZmFudC5mcmlw
-b3N0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN+hwkzPGGs5
-pdgl15TYB+arxA4xWju316BhXrWH1qW5xUcrnL/ewpm3yTt+fkipn7gLOpGQlJjZ
-loHop8iSXn/5e+0WW+r9EJ9VNHagKuuVyyIaKR7pU9J5pBQqqQDASj8IcE3lTu2Z
-kUwBPdo19de37NRU0acHOFAKEGARsoORLTbKryB4oBt4BWvZbl+ob8XXNzcD0bQQ
-0HsETroBM76HBXTa7JzTeAFzopESvYJZquCEmRIoKhP2qYY2megPfUPPv7yDKfhx
-uDA2X8msuJmn7GnKKUiFAM4m9PMlulCIR55p5mBeMMbUIX2EqWuDh27Tf6QAWoZn
-xG6AVBeXq7W0/MCWcE389jPSbB/Z68Voeq3v6HoqHUTAU3JNV1EXYPEg91OYA6/I
-SbO6phu005ONASKkAGFDOCTZya/rDEuptT/Bx+7u4Y3R6J+jDbMWLy69spcW0hU0
-o2u7vdCn4Q+bnEK+/SLr8vw0wmXGEWD0pJ/C6KviIji4ccHHw1DbUfR96S57qyBU
-jZA+MahVNoXexTMABjtteQITv+jdqwXJix9NVOJw0ZUR6PQw7T8MZN5I4aislmdQ
-5zjIaPedH4EkniaAId2nd+0PzA9+kWTd2/4TmX4kj8tVZQ1Rh0FW5V0z6gE2SLzE
-fEsu/hjIKs9B8YxFlQ+OY83OB+QQppn5AgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFk
-bWluQGZyaXBvc3Qub3JnghNlbGVmYW50LmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC
-MAAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBTRnrDNVJIPDTuYPxCp7Xy7KKKM
-9DANBgkqhkiG9w0BAQ0FAAOCAgEAJsR5HZxwiLsWHy8Dc+HTLrbnpqri800ngof7
-XoIvrn56mnZFPPAWkVenW8+7DC8i2nG2SHAFaCp05WL/bjP4k+tO+V59SjIv3Id4
-gBkZM3k7mM5ZaA7Cx32WXoX2r1tm80kTChf8cW03XPDE3nd18uDdv2L5pVMg+mYB
-DY6EEaZ/HbEkg6Wst+q2eZkOAHD/kq3Sh920nkehgrBIr+JzoLnbu2K2EoZSqKsg
-51cU2+eewv9/Nfrb/oU/Rxe810xvxBbTKljRsUUxmty+X7ckO7znUQoOQ6ez1pyA
-Ccj6TYPTV1ASwKUf8y1zWcWAH3/xl3TD/Csm+lvqqSuZN8IAQ7Jb017d+v6VtzkU
-zewtzWyo31ju/Ky5Y46uUR/dPWLQvmm2uTNk2/dLILitWYY7nQAYXcxWSoky0P07
-tkCln55709PZxl3BxDfRFNxdmTXTkfRE0p6KgB+rtyxoV0d+svsFMlFPqaHpJaDW
-JyvUQgfjpUijbRj9hsDQFR8bF1WNUo4gQ5QFpNLfeg9y3ChXGYzsbT23bzbK6ZHX
-kw8dg1LlOVIT+B7Z3/iHwXm3T1VGBLZSOubAgphHQ6xXNBk5zH0Y1J70pmcY+D59
-rOhUVAZ2MryVVqtT1CAv5JRNHlkObzbUPY8waq4tuG0InTKA9hPw2Aro8XepiECx
-7LVjepE=
------END CERTIFICATE-----
diff --git a/certs/bacula/giraff-fd.pem b/certs/bacula/giraff-fd.pem
deleted file mode 100644
index 7bce789..0000000
--- a/certs/bacula/giraff-fd.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFfzCCA2egAwIBAgIJAJ6fcDGMzN/EMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG
-RDEbMBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qub3JnMB4XDTE1MDYwMTIyNDc1OVoX
-DTI1MDUyOTIyNDc1OVowVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM
-Y2VydHMxETAPBgNVBAsMCEJhY3VsYUZEMRswGQYDVQQDDBJnaXJhZmYuZnJpcG9z
-dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC28HnVjuyY4AaJ
-GWglojt6TSbZ+9r7PySJbdLKT1Ugc3iCARqPqakGspVrUATWoSqOOMROxqIj/96L
-EtJBd4OvrooLpOJjVO0h0gCwTZbWAlwUvru8eYxYbBPSFsh33D5KDeQKd7+eXZ1u
-X7eKO8CeiCbw16kWYchRPYd2cFHz0sFjyknmrhJ3/OJWkUslMLiAjczVOXSJqu6A
-D2gCdNBUfEsbAyter1dEOpCyD92iTrzT4bUc0A0UioTG2C8PJWgpMBUvxd1tNnf4
-op3qYurwzFGda+F2tYGDuJzq1lxxPF7jwGxVncWAdf7sTXBenMNMn/KOixkrUNx+
-vN6qRGtGoRGc1/5Rligtf1+6a796ckxUovBjvuIoNv3YzNzJuPmQY3lMNDnAVp+f
-sQaUN7G3Z0dZuMGb2sCmUW8j6372ZY8A6aRP9lmZsTzsf4hc43R+m5t9XctfX7nu
-sX2L1ip/vWjT+ZewvmDq8BzfJ+96EytyWUHifc7JcaEcPoi/YIobSZiDcT8sS9ek
-NxiAsOK/CNVzJp0pkDA6LN+vjDsZvhOyY35lvgtCw74fwfvBjtWwz7PxIbCSovBZ
-+Mmdt020YlfMloLM0cZjhZaWRKIdQdl4vhr8r9uSbF0q/0M+FsFro3ueqML5Ea8e
-GinJwwDOzZBAnxSLx16SGg7hvIY1XwIDAQABo1IwUDAwBgNVHREEKTAngRFhZG1p
-bkBmcmlwb3N0Lm9yZ4ISZ2lyYWZmLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMA0GCSqGSIb3DQEBDQUAA4ICAQAAaEaqiTe7U/3vGVTh
-kJ25iXDvMYdUwjaYs2kkpKVPT48DXEzDFRvLETB6foL3qR3tkbWfLg7Sewn5kbtt
-YmbQMLXhI3P74jse5L0dh4+m5wkmPvoiegDOAp8xCt6TkoV9oOoKQhV7xTtkHHub
-yyDzu9QotehO3tCM7J8gLLYPAcicMoj/dEebDkieY/5nurFGgJly264H0XUatsiT
-jUzvad7/7csHT9tjSZ83zyC5o2izPWCPPFOMCT9Uag+J5/yj+FjPEERWsSG4/pSl
-9oWKEwiAxVpXlW4NjKy5JuyVJnf3cpfk/SCRjVHUE/ABe14pb+xaeqemstkGXKOR
-1nzIePf2zrcGYSPnzb4myJwOkzk0PbPnWwEbNzrIdXq/sJZalAGpQK0SVmnzjH5Z
-jm7prnpW/aWHCR2tdGLgTOlwUehW3+7xjiKVSakpbejPQV6S/AYmkUvCetE/S/rY
-UOLUC0LAbwswvHvymIkknJnD7pErFWBC5sRinOuudIuTdPb4eaRUnPI0g35bnAQ1
-8YxVqMUCKCxrjJUejKJcZUydFq0BlNk+ocW0NqoAshc2icEfW6rw8ipu9lbiFKVH
-yEby8eXOMoNa7ti7C4JDerJRpFxh8RDFFgtLIVHhxVTGrR7hrb22eW+18+czy5+9
-Od3MfoQyp3gF6e6wPwy374uvWA==
------END CERTIFICATE-----
diff --git a/certs/bacula/mistral-fd.pem b/certs/bacula/mistral-fd.pem
deleted file mode 100644
index 3a2f274..0000000
--- a/certs/bacula/mistral-fd.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFoTCCA4mgAwIBAgIJANqolbIM5xOFMA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG
-RDEcMBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDIyMTMyMjBa
-Fw0yNTA1MzAyMTMyMjBaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT
-TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTbWlzdHJhbC5mcmlw
-b3N0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKvCIiK4ggZ6
-y7BVpU7xQSApaPw21LUYvTaltpsHiYLHR4bHzzprflQMrUfCVBSdkyQc7QX4ca3Y
-gpIyJi0xyQAgYPgkue4fHuGSzRcaETP8MADcROna0Rq79tUMre4qKD/ZPwI53FNy
-HZktWGZa3B5AOQvmwPOeOLHzRK5sTWZBDX+Zfx/46VtDTdFwUcZ/aMClpgm2WQ2V
-6NsXtaS6VENgZ+jgCk9Lrkqpf/OYBEGjC+O3PpHJdVb8+5BBokuz3v2/0uOUE3Wq
-Epp0D9ya7KTxOOfFvOPo0aNUuj3LW55mxikvWe7tQqBLfnuQAxO6CiXz9XqdPyLQ
-Rk6IURCg9BfAASg7SJGTTfEhTJ10i4XiFLByNVL7Vp1RbDcof1drdsq729XNra0G
-AtftxB+gPWGCO90kvne2jFkFGYY2YlF3yX4vtmqbbta7Za3O/oJS42m/mgzZQpd1
-N2ch+m+PIzoIVz2J7CwIPLxV+OBjYjmv2CCOJX7GUOHbYMYJG3ixDoGqkhy/FQtR
-wL/25LElr967+5yDgWZDD3soV2bghYnCpdWMpfu9PkG6eT+AIZYamVo34RzwMJQU
-eBJzc+VStNa0Y/bNr2NSimw8ZyI+m+UvuqwindwZaPPw0DRrY+DgjjVvkr0JQiMv
-no+yHg/K02mEEvf4e6gh324JKDlsMXOPAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFk
-bWluQGZyaXBvc3Qub3JnghNtaXN0cmFsLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC
-MAAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBR8kCzCw/cMvL9uAtSf1lj8hMpV
-1zANBgkqhkiG9w0BAQ0FAAOCAgEAoEFqWQv6WV5bb9Erp+0GG/oEroCYSFN8t5hB
-l8LvrHvmZI6c7CebUB+WBPhyCypQKdFs5l1zI9yCltRk2xaTS8CYzgVhm7/mEK3K
-QAXYLLill0TtGi00Oe5kZqSLNgnhtobKuYSiElVT+2oeu87BKt3nql8Qfl8brdjE
-t/MHIYVcDdMW+4/F/9EQqN9lurHEe1Kfp0VmnUoS9cYCBIty49xg7xbQFHw5FxMY
-gmeV9OpDUkiQoH+kuixsXZzSRAT+6+j08j0Tu5naBoBY+uL/4eSTGsh/DE734D91
-IsiD/NvCFNB3vGaZtc+MejJX02+7jFhPzZ/N2a+RhQ2BiQcsWYwdTF4U+DubbP8u
-XjO0Gc4TPXQvXe2ZED+EyTfk1DEnLPk0m0QEEXvLNmaJKmcxlcYYXRyFmE2c/ZHo
-QPeeUfEGC2CcB+krZ3BoEM3Us+cddVUvlx55gclww2/O1H/hpPGPYL+eYLOl+xVV
-SvoLeln1skqG7dYnWJt7f2KE6eOtXlphMWsg1xjbhhd1k0zPs64KDXvdU00tgoIt
-QjKEdEHIjn9fRZE5u3fycg3PXdcheTQVF1GYyZo+Yhc6yAB8/d0jlKxqTM7NS3XT
-xEHDbh8tKtDUEuQX+p4GlyWaZ0Wy/UZI4rJZPx0iRaHc+EZCdwSfNR4LZnTdu/5m
-eLOX11g=
------END CERTIFICATE-----
diff --git a/roles/bacula-dir/handlers/main.yml b/roles/bacula-dir/handlers/main.yml
index 778a1c4..3f3c1bc 100644
--- a/roles/bacula-dir/handlers/main.yml
+++ b/roles/bacula-dir/handlers/main.yml
@@ -2,8 +2,5 @@
- name: systemctl daemon-reload
command: /bin/systemctl daemon-reload
-- name: Restart stunnel@bacula-dir
- service: name=stunnel4@bacula-dir state=restarted
-
- name: Restart bacula-director
service: name=bacula-director state=restarted
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index 8d182d2..30a25c1 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -1,72 +1,3 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for Bacula Dir
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
- --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
- --ou=BaculaDir --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@bacula-dir
- tags:
- - genkey
-
-- name: Fetch Bacula Dir X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
- dest=certs/bacula/{{ inventory_hostname_short }}-dir.pem
- tags:
- - genkey
-
-- name: Copy Bacula SD X.509 certificates
- copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
- dest=/etc/stunnel/certs/
- owner=root group=root
- mode=0644
- with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) | sort }}"
- register: r2
- notify:
- - Restart stunnel@bacula-dir
-
-- name: Copy Bacula FD X.509 certificates
- copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-fd.pem
- dest=/etc/stunnel/certs/
- owner=root group=root
- mode=0644
- with_items: "{{ groups.all | difference([inventory_hostname]) | sort }}"
- register: r3
- notify:
- - Restart stunnel@bacula-dir
-
-- name: Configure stunnel
- template: src=etc/stunnel/bacula-dir.conf.j2
- dest=/etc/stunnel/bacula-dir.conf
- owner=root group=root
- mode=0644
- register: r4
- notify:
- - Restart stunnel@bacula-dir
-
-- name: Enable stunnel@bacula-dir
- service: name=stunnel4@bacula-dir enabled=yes
-
-- name: Start stunnel@bacula-dir
- service: name=stunnel4@bacula-dir state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed)
-
-- meta: flush_handlers
-
-
-
- name: Install bacula-director
apt: pkg={{ item }}
with_items:
diff --git a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
index 42b5f74..046ba01 100644
--- a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
+++ b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
@@ -12,11 +12,9 @@ Director { # define myself
QueryFile = "/etc/bacula/scripts/query.sql"
Maximum Concurrent Jobs = 1
DirAddress = 127.0.0.1
- DirSourceAddress = 127.0.0.1
DirPort = 9101
FDConnectTimeout = 5 min
SDConnectTimeout = 5 min
- Heartbeat Interval = 1 min
}
@@ -365,17 +363,11 @@ FileSet {
# Client (File Services) to backup
-{% set n = 0 %}
{% for fd in groups.all | sort %}
-{% set n = n + 1 %}
Client {
Name = {{ hostvars[fd].inventory_hostname_short }}-fd
-{% if fd == inventory_hostname %}
- Address = 127.0.0.1
-{% else %}
- Address = 127.0.{{ n }}.1
-{% endif %}
- FDPort = 9112
+ Address = {{ ipsec[ hostvars[fd].inventory_hostname_short ] }}
+ FDPort = 9102
Catalog = MyCatalog
@|"sed -n '/^{{ hostvars[fd].inventory_hostname_short }}-fd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
File Retention = 4 months
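Review bot: The new `Address = {{ ipsec[ hostvars[fd].inventory_hostname_short ] }}` line makes the IPsec layer the only thing protecting and authenticating dir → fd traffic, and nothing in the template says so or guards the lookup. The stunnel configuration deleted elsewhere in this commit pinned each peer's certificate (`verify = 4` with a per-host `CAfile`); no Bacula TLS directives are visible in this hunk, so if the IPsec policy for that address is ever not enforced, the connection would presumably be plain TCP protected only by the Bacula password. I would add a comment above the line such as `# IPsec tunnel address; confidentiality and peer authentication rely on the IPsec policy being enforced`, and confirm that every host in `groups.all` has an `ipsec` entry so a missing key stops the play instead of rendering an unusable Address. The same applies to the `Storage` Address in the next hunk; the `Client` block and its `for` loop continue outside this hunk.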
@@ -387,16 +379,17 @@ Client {
# Definition of file storage device
+{% for sd in groups['bacula-sd'] | sort %}
Storage {
- Name = {{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd
- Address = 127.0.0.1
- SDPort = 9113
- @|"sed -n '/^{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
+ Name = {{ hostvars[sd].inventory_hostname_short }}-sd
+ Address = {{ ipsec[ hostvars[sd].inventory_hostname_short ] }}
+ SDPort = 9103
+ @|"sed -n '/^{{ hostvars[sd].inventory_hostname_short }}-sd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
Device = FileStorage
Media Type = File
- Heartbeat Interval = 1 min
}
+{% endfor %}
# Default pool definition
Pool {
diff --git a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
deleted file mode 100644
index 6219aff..0000000
--- a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
+++ /dev/null
@@ -1,81 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-{% if 'bacula-sd' not in group_names %}
-[{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd]
-accept = 127.0.{{ n }}.1:9113
-connect = {{ groups['bacula-sd'][0] }}:9103
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem
-{% endif %}
-
-{% set n = 0 %}
-{% for fd in groups.all | sort %}
-{% set n = n + 1 %}
-{% if fd != inventory_hostname %}
-[{{ hostvars[fd].inventory_hostname_short }}-fd]
-accept = 127.0.{{ n }}.1:9112
-connect = {{ fd }}:9102
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[fd].inventory_hostname_short }}-fd.pem
-{% endif %}
-
-{% endfor %}
-
-; vim:ft=dosini
diff --git a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
index ca147a7..698ad17 100644
--- a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
+++ b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-PIDFile=/var/run/bacula/bacula-sd.9113.pid
+PIDFile=/var/run/bacula/bacula-sd.9103.pid
StandardOutput=syslog
User=bacula
Group=tape
diff --git a/roles/bacula-sd/handlers/main.yml b/roles/bacula-sd/handlers/main.yml
index c6adb80..3434333 100644
--- a/roles/bacula-sd/handlers/main.yml
+++ b/roles/bacula-sd/handlers/main.yml
@@ -2,8 +2,5 @@
- name: systemctl daemon-reload
command: /bin/systemctl daemon-reload
-- name: Restart stunnel@bacula-sd
- service: name=stunnel4@bacula-sd state=restarted
-
- name: Restart bacula-sd
service: name=bacula-sd state=restarted
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 795804f..ad77db4 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -1,61 +1,3 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for Bacula SD
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
- --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key
- --ou=BaculaSD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@bacula-sd
- tags:
- - genkey
-
-- name: Fetch Bacula SD X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
- dest=certs/bacula/{{ inventory_hostname_short }}-sd.pem
- tags:
- - genkey
-
-- name: Copy Bacula Dir/FD X.509 certificates
- assemble: src=certs/bacula regexp="-(dir|fd)\.pem$" remote_src=no
- dest=/etc/stunnel/certs/bacula-dir+fds.pem
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart stunnel@bacula-sd
-
-- name: Configure stunnel
- template: src=etc/stunnel/bacula-sd.conf.j2
- dest=/etc/stunnel/bacula-sd.conf
- owner=root group=root
- mode=0644
- register: r3
- notify:
- - Restart stunnel@bacula-sd
-
-- name: Enable stunnel@bacula-sd
- service: name=stunnel4@bacula-sd enabled=yes
-
-- name: Start stunnel
- service: name=stunnel4@bacula-sd state=started
- when: not (r1.changed or r2.changed or r3.changed)
-
-- meta: flush_handlers
-
-
-
- name: Install bacula-sd
apt: pkg=bacula-sd
diff --git a/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2
index fbfdca5..5ffa17c 100644
--- a/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2
+++ b/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2
@@ -15,9 +15,8 @@ Storage { # define myself
Working Directory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
- SDAddress = 127.0.0.1
- SDPort = 9113
- Heartbeat Interval = 1 min
+ SDAddress = {{ ipsec[inventory_hostname_short] }}
+ SDPort = 9103
}
#
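Review bot: With `SDAddress = {{ ipsec[inventory_hostname_short] }}` the storage daemon listens on the IPsec address itself, so the peer restriction that the removed stunnel service enforced (`verify = 4` against the pinned Dir/FD certificates) no longer applies at this port; the same holds for `FDAddress` in roles/common/templates/etc/bacula/bacula-fd.conf.j2. Which hosts may reach 9103 now depends on the IPsec policy and the firewall rules, neither of which is visible in this hunk, and this commit also drops the explicit 9102/9103 entries from etc/iptables/services.j2. I would add a comment above the directive, e.g. `# Bound to the IPsec address: transport protection and peer filtering are done by IPsec/iptables, not by Bacula`, and confirm that traffic to this address is accepted only when it arrived through the tunnel. A host without an entry in `ipsec` would presumably fail at template rendering, which is safer than falling back to a wildcard bind. The Storage block starts outside the hunk.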
diff --git a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2
deleted file mode 100644
index 051412c..0000000
--- a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2
+++ /dev/null
@@ -1,64 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[{{ inventory_hostname_short }}-sd]
-client = no
-accept = 9103
-connect = 127.0.0.1:9113
-CAfile = /etc/stunnel/certs/bacula-dir+fds.pem
-
-; vim:ft=dosini
diff --git a/roles/common/files/lib/systemd/system/bacula-fd.service b/roles/common/files/lib/systemd/system/bacula-fd.service
index 07bd2e5..ee5afe3 100644
--- a/roles/common/files/lib/systemd/system/bacula-fd.service
+++ b/roles/common/files/lib/systemd/system/bacula-fd.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-PIDFile=/var/run/bacula/bacula-fd.9112.pid
+PIDFile=/var/run/bacula/bacula-fd.9102.pid
StandardOutput=syslog
ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf
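Review bot: The `PIDFile=` name has to track `FDPort`, and nothing in the unit file says so. This hunk changes 9112 to 9102 in step with the `FDPort` change in bacula-fd.conf.j2, which suggests the daemon embeds its port in the PID file name. A comment line above it, `# The port in the PID file name must match FDPort in /etc/bacula/bacula-fd.conf`, would keep the two from drifting apart. If they do drift, systemd would presumably not find the PID file of the forking service and the start would time out.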
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index efab81b..250c77b 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -44,9 +44,6 @@
- name: Reload Postfix
service: name=postfix state=reloaded
-- name: Restart stunnel@bacula-fd
- service: name=stunnel4@bacula-fd state=restarted
-
- name: Restart bacula-fd
service: name=bacula-fd state=restarted
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 1bd2b77..35666bd 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -1,75 +1,3 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for Bacula FD
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
- --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
- --ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@bacula-fd
- tags:
- - genkey
-
-- name: Fetch Bacula FD X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
- dest=certs/bacula/{{ inventory_hostname_short }}-fd.pem
- tags:
- - genkey
-
-- name: Copy Bacula Dir X.509 certificates
- assemble: src=certs/bacula regexp="-dir\.pem$" remote_src=no
- dest=/etc/stunnel/certs/bacula-dirs.pem
- owner=root group=root
- mode=0644
- register: r2
- when: "'bacula-dir' not in group_names"
- notify:
- - Restart stunnel@bacula-fd
-
-- name: Copy Bacula SD X.509 certificates
- copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
- dest=/etc/stunnel/certs/
- owner=root group=root
- mode=0644
- register: r3
- with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) }}"
- notify:
- - Restart stunnel@bacula-fd
-
-- name: Configure stunnel
- template: src=etc/stunnel/bacula-fd.conf.j2
- dest=/etc/stunnel/bacula-fd.conf
- owner=root group=root
- mode=0644
- register: r4
- when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names"
- notify:
- - Restart stunnel@bacula-fd
-
-- name: Enable stunnel@bacula-fd
- when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names"
- service: name=stunnel4@bacula-fd enabled=yes
-
-- name: Start stunnel@bacula-fd
- service: name=stunnel4@bacula-fd state=started
- when: ('bacula-dir' not in group_names or 'bacula-sd' not in group_names) and
- not (r1.changed or r2.changed or r3.changed or r4.changed)
-
-- meta: flush_handlers
-
-
-
- name: Install bacula-fd
apt: pkg=bacula-fd
diff --git a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
index 432768b..d64ac86 100644
--- a/roles/common/templates/etc/bacula/bacula-fd.conf.j2
+++ b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
@@ -27,11 +27,9 @@ FileDaemon { # define myself
Working Directory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
- FDAddress = 127.0.0.1
- FDPort = 9112
- FDSourceAddress = 127.0.0.1
+ FDAddress = {{ ipsec[inventory_hostname_short] }}
+ FDPort = 9102
SDConnectTimeout = 5 min
- Heartbeat Interval = 1 min
PKI Signatures = Yes # Enable Data Signing
PKI Encryption = Yes # Enable Data Encryption
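Review bot: Dropping `FDSourceAddress` leaves the source address of the FD's outgoing connection to the SD to the kernel's route selection, while `FDAddress` pins only the listening side. If the IPsec policy selects traffic by the host's IPsec address (not visible here), an FD → SD connection sourced from another address would miss the policy and either be dropped or leave the host unprotected. Consider keeping the directive and pointing it at the same value, `FDSourceAddress = {{ ipsec[inventory_hostname_short] }}`, or add a comment stating that the route to the SD already sets the source. The FileDaemon block starts and ends outside the hunk.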
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 953cea5..ccbc735 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -61,16 +61,6 @@ in tcp 80,443 # HTTP/HTTPS
out tcp 993 # IMAP
out tcp 4190 # MANAGESIEVE
{% endif %}
-{% if 'bacula-dir' in group_names and groups.all | difference(groups['bacula-dir']) %}
-out tcp 9102 # BACULA-FD
-{% elif groups['bacula-dir'] | difference([inventory_hostname]) %}
-in tcp 9102 # BACULA-FD
-{% endif %}
-{% if 'bacula-sd' in group_names and groups.all | difference(groups['bacula-sd']) %}
-in tcp 9103 # BACULA-SD
-{% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
-out tcp 9103 # BACULA-SD
-{% endif %}
{% if 'LDAP-provider' in group_names %}
out tcp 11371 # HKP
out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2
deleted file mode 100644
index 057dc48..0000000
--- a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2
+++ /dev/null
@@ -1,73 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[{{ inventory_hostname_short }}-fd]
-client = no
-accept = 9102
-connect = 9112
-CAfile = /etc/stunnel/certs/bacula-dirs.pem
-
-{% if 'bacula-sd' not in group_names %}
-[{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd]
-client = yes
-accept = 127.0.0.1:9113
-connect = {{ groups['bacula-sd'][0] }}:9103
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem
-{% endif %}
-
-; vim:ft=dosini