summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/bacula-dir/handlers/main.yml3
-rw-r--r--roles/bacula-dir/tasks/main.yml69
-rw-r--r--roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j223
-rw-r--r--roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j281
-rw-r--r--roles/bacula-sd/files/lib/systemd/system/bacula-sd.service2
-rw-r--r--roles/bacula-sd/handlers/main.yml3
-rw-r--r--roles/bacula-sd/tasks/main.yml58
-rw-r--r--roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j25
-rw-r--r--roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j264
-rw-r--r--roles/common/files/lib/systemd/system/bacula-fd.service2
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/bacula.yml72
-rw-r--r--roles/common/templates/etc/bacula/bacula-fd.conf.j26
-rw-r--r--roles/common/templates/etc/iptables/services.j210
-rw-r--r--roles/common/templates/etc/stunnel/bacula-fd.conf.j273
15 files changed, 14 insertions, 460 deletions
diff --git a/roles/bacula-dir/handlers/main.yml b/roles/bacula-dir/handlers/main.yml
index 778a1c4..3f3c1bc 100644
--- a/roles/bacula-dir/handlers/main.yml
+++ b/roles/bacula-dir/handlers/main.yml
@@ -2,8 +2,5 @@
- name: systemctl daemon-reload
command: /bin/systemctl daemon-reload
-- name: Restart stunnel@bacula-dir
- service: name=stunnel4@bacula-dir state=restarted
-
- name: Restart bacula-director
service: name=bacula-director state=restarted
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index 8d182d2..30a25c1 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -1,72 +1,3 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for Bacula Dir
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
- --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
- --ou=BaculaDir --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@bacula-dir
- tags:
- - genkey
-
-- name: Fetch Bacula Dir X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
- dest=certs/bacula/{{ inventory_hostname_short }}-dir.pem
- tags:
- - genkey
-
-- name: Copy Bacula SD X.509 certificates
- copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
- dest=/etc/stunnel/certs/
- owner=root group=root
- mode=0644
- with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) | sort }}"
- register: r2
- notify:
- - Restart stunnel@bacula-dir
-
-- name: Copy Bacula FD X.509 certificates
- copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-fd.pem
- dest=/etc/stunnel/certs/
- owner=root group=root
- mode=0644
- with_items: "{{ groups.all | difference([inventory_hostname]) | sort }}"
- register: r3
- notify:
- - Restart stunnel@bacula-dir
-
-- name: Configure stunnel
- template: src=etc/stunnel/bacula-dir.conf.j2
- dest=/etc/stunnel/bacula-dir.conf
- owner=root group=root
- mode=0644
- register: r4
- notify:
- - Restart stunnel@bacula-dir
-
-- name: Enable stunnel@bacula-dir
- service: name=stunnel4@bacula-dir enabled=yes
-
-- name: Start stunnel@bacula-dir
- service: name=stunnel4@bacula-dir state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed)
-
-- meta: flush_handlers
-
-
-
- name: Install bacula-director
apt: pkg={{ item }}
with_items:
diff --git a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
index 42b5f74..046ba01 100644
--- a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
+++ b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
@@ -12,11 +12,9 @@ Director { # define myself
QueryFile = "/etc/bacula/scripts/query.sql"
Maximum Concurrent Jobs = 1
DirAddress = 127.0.0.1
- DirSourceAddress = 127.0.0.1
DirPort = 9101
FDConnectTimeout = 5 min
SDConnectTimeout = 5 min
- Heartbeat Interval = 1 min
}
@@ -365,17 +363,11 @@ FileSet {
# Client (File Services) to backup
-{% set n = 0 %}
{% for fd in groups.all | sort %}
-{% set n = n + 1 %}
Client {
Name = {{ hostvars[fd].inventory_hostname_short }}-fd
-{% if fd == inventory_hostname %}
- Address = 127.0.0.1
-{% else %}
- Address = 127.0.{{ n }}.1
-{% endif %}
- FDPort = 9112
+ Address = {{ ipsec[ hostvars[fd].inventory_hostname_short ] }}
+ FDPort = 9102
Catalog = MyCatalog
@|"sed -n '/^{{ hostvars[fd].inventory_hostname_short }}-fd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
File Retention = 4 months
@@ -387,16 +379,17 @@ Client {
# Definition of file storage device
+{% for sd in groups['bacula-sd'] | sort %}
Storage {
- Name = {{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd
- Address = 127.0.0.1
- SDPort = 9113
- @|"sed -n '/^{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
+ Name = {{ hostvars[sd].inventory_hostname_short }}-sd
+ Address = {{ ipsec[ hostvars[sd].inventory_hostname_short ] }}
+ SDPort = 9103
+ @|"sed -n '/^{{ hostvars[sd].inventory_hostname_short }}-sd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
Device = FileStorage
Media Type = File
- Heartbeat Interval = 1 min
}
+{% endfor %}
# Default pool definition
Pool {
diff --git a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
deleted file mode 100644
index 6219aff..0000000
--- a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
+++ /dev/null
@@ -1,81 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-{% if 'bacula-sd' not in group_names %}
-[{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd]
-accept = 127.0.{{ n }}.1:9113
-connect = {{ groups['bacula-sd'][0] }}:9103
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem
-{% endif %}
-
-{% set n = 0 %}
-{% for fd in groups.all | sort %}
-{% set n = n + 1 %}
-{% if fd != inventory_hostname %}
-[{{ hostvars[fd].inventory_hostname_short }}-fd]
-accept = 127.0.{{ n }}.1:9112
-connect = {{ fd }}:9102
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[fd].inventory_hostname_short }}-fd.pem
-{% endif %}
-
-{% endfor %}
-
-; vim:ft=dosini
diff --git a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
index ca147a7..698ad17 100644
--- a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
+++ b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-PIDFile=/var/run/bacula/bacula-sd.9113.pid
+PIDFile=/var/run/bacula/bacula-sd.9103.pid
StandardOutput=syslog
User=bacula
Group=tape
diff --git a/roles/bacula-sd/handlers/main.yml b/roles/bacula-sd/handlers/main.yml
index c6adb80..3434333 100644
--- a/roles/bacula-sd/handlers/main.yml
+++ b/roles/bacula-sd/handlers/main.yml
@@ -2,8 +2,5 @@
- name: systemctl daemon-reload
command: /bin/systemctl daemon-reload
-- name: Restart stunnel@bacula-sd
- service: name=stunnel4@bacula-sd state=restarted
-
- name: Restart bacula-sd
service: name=bacula-sd state=restarted
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 795804f..ad77db4 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -1,61 +1,3 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for Bacula SD
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
- --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key
- --ou=BaculaSD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@bacula-sd
- tags:
- - genkey
-
-- name: Fetch Bacula SD X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
- dest=certs/bacula/{{ inventory_hostname_short }}-sd.pem
- tags:
- - genkey
-
-- name: Copy Bacula Dir/FD X.509 certificates
- assemble: src=certs/bacula regexp="-(dir|fd)\.pem$" remote_src=no
- dest=/etc/stunnel/certs/bacula-dir+fds.pem
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart stunnel@bacula-sd
-
-- name: Configure stunnel
- template: src=etc/stunnel/bacula-sd.conf.j2
- dest=/etc/stunnel/bacula-sd.conf
- owner=root group=root
- mode=0644
- register: r3
- notify:
- - Restart stunnel@bacula-sd
-
-- name: Enable stunnel@bacula-sd
- service: name=stunnel4@bacula-sd enabled=yes
-
-- name: Start stunnel
- service: name=stunnel4@bacula-sd state=started
- when: not (r1.changed or r2.changed or r3.changed)
-
-- meta: flush_handlers
-
-
-
- name: Install bacula-sd
apt: pkg=bacula-sd
diff --git a/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2
index fbfdca5..5ffa17c 100644
--- a/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2
+++ b/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2
@@ -15,9 +15,8 @@ Storage { # define myself
Working Directory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
- SDAddress = 127.0.0.1
- SDPort = 9113
- Heartbeat Interval = 1 min
+ SDAddress = {{ ipsec[inventory_hostname_short] }}
+ SDPort = 9103
}
#
diff --git a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2
deleted file mode 100644
index 051412c..0000000
--- a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2
+++ /dev/null
@@ -1,64 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[{{ inventory_hostname_short }}-sd]
-client = no
-accept = 9103
-connect = 127.0.0.1:9113
-CAfile = /etc/stunnel/certs/bacula-dir+fds.pem
-
-; vim:ft=dosini
diff --git a/roles/common/files/lib/systemd/system/bacula-fd.service b/roles/common/files/lib/systemd/system/bacula-fd.service
index 07bd2e5..ee5afe3 100644
--- a/roles/common/files/lib/systemd/system/bacula-fd.service
+++ b/roles/common/files/lib/systemd/system/bacula-fd.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-PIDFile=/var/run/bacula/bacula-fd.9112.pid
+PIDFile=/var/run/bacula/bacula-fd.9102.pid
StandardOutput=syslog
ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index efab81b..250c77b 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -44,9 +44,6 @@
- name: Reload Postfix
service: name=postfix state=reloaded
-- name: Restart stunnel@bacula-fd
- service: name=stunnel4@bacula-fd state=restarted
-
- name: Restart bacula-fd
service: name=bacula-fd state=restarted
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 1bd2b77..35666bd 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -1,75 +1,3 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate a private key and a X.509 certificate for Bacula FD
- command: genkeypair.sh x509
- --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
- --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
- --ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart stunnel@bacula-fd
- tags:
- - genkey
-
-- name: Fetch Bacula FD X.509 certificate
- # Ensure we don't fetch private data
- become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
- dest=certs/bacula/{{ inventory_hostname_short }}-fd.pem
- tags:
- - genkey
-
-- name: Copy Bacula Dir X.509 certificates
- assemble: src=certs/bacula regexp="-dir\.pem$" remote_src=no
- dest=/etc/stunnel/certs/bacula-dirs.pem
- owner=root group=root
- mode=0644
- register: r2
- when: "'bacula-dir' not in group_names"
- notify:
- - Restart stunnel@bacula-fd
-
-- name: Copy Bacula SD X.509 certificates
- copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
- dest=/etc/stunnel/certs/
- owner=root group=root
- mode=0644
- register: r3
- with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) }}"
- notify:
- - Restart stunnel@bacula-fd
-
-- name: Configure stunnel
- template: src=etc/stunnel/bacula-fd.conf.j2
- dest=/etc/stunnel/bacula-fd.conf
- owner=root group=root
- mode=0644
- register: r4
- when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names"
- notify:
- - Restart stunnel@bacula-fd
-
-- name: Enable stunnel@bacula-fd
- when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names"
- service: name=stunnel4@bacula-fd enabled=yes
-
-- name: Start stunnel@bacula-fd
- service: name=stunnel4@bacula-fd state=started
- when: ('bacula-dir' not in group_names or 'bacula-sd' not in group_names) and
- not (r1.changed or r2.changed or r3.changed or r4.changed)
-
-- meta: flush_handlers
-
-
-
- name: Install bacula-fd
apt: pkg=bacula-fd
diff --git a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
index 432768b..d64ac86 100644
--- a/roles/common/templates/etc/bacula/bacula-fd.conf.j2
+++ b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
@@ -27,11 +27,9 @@ FileDaemon { # define myself
Working Directory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
- FDAddress = 127.0.0.1
- FDPort = 9112
- FDSourceAddress = 127.0.0.1
+ FDAddress = {{ ipsec[inventory_hostname_short] }}
+ FDPort = 9102
SDConnectTimeout = 5 min
- Heartbeat Interval = 1 min
PKI Signatures = Yes # Enable Data Signing
PKI Encryption = Yes # Enable Data Encryption
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 953cea5..ccbc735 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -61,16 +61,6 @@ in tcp 80,443 # HTTP/HTTPS
out tcp 993 # IMAP
out tcp 4190 # MANAGESIEVE
{% endif %}
-{% if 'bacula-dir' in group_names and groups.all | difference(groups['bacula-dir']) %}
-out tcp 9102 # BACULA-FD
-{% elif groups['bacula-dir'] | difference([inventory_hostname]) %}
-in tcp 9102 # BACULA-FD
-{% endif %}
-{% if 'bacula-sd' in group_names and groups.all | difference(groups['bacula-sd']) %}
-in tcp 9103 # BACULA-SD
-{% elif groups['bacula-sd'] | difference([inventory_hostname]) %}
-out tcp 9103 # BACULA-SD
-{% endif %}
{% if 'LDAP-provider' in group_names %}
out tcp 11371 # HKP
out tcp 43 # WHOIS
diff --git a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2
deleted file mode 100644
index 057dc48..0000000
--- a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2
+++ /dev/null
@@ -1,73 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[{{ inventory_hostname_short }}-fd]
-client = no
-accept = 9102
-connect = 9112
-CAfile = /etc/stunnel/certs/bacula-dirs.pem
-
-{% if 'bacula-sd' not in group_names %}
-[{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd]
-client = yes
-accept = 127.0.0.1:9113
-connect = {{ groups['bacula-sd'][0] }}:9103
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem
-{% endif %}
-
-; vim:ft=dosini