From 8cf4032ecec5b9f58d829e89f231179170432539 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin
Date: Sun, 22 May 2016 17:21:16 +0200
Subject: =?UTF-8?q?Tunnel=20bacula=20(dir=20=E2=86=92=20{fd,sd}=20and=20fd?= =?UTF-8?q?=20=E2=86=92=20sd)=20traffic=20through=20IPSec.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 certs/bacula/antilop-fd.pem | 33 ---------
 certs/bacula/benjamin-dir.pem | 32 ---------
 certs/bacula/benjamin-fd.pem | 32 ---------
 certs/bacula/benjamin-sd.pem | 32 ---------
 certs/bacula/civett-fd.pem | 34 ---------
 certs/bacula/data-master.pem | 38 ----------
 certs/bacula/elefant-fd.pem | 33 ---------
 certs/bacula/giraff-fd.pem | 32 ---------
 certs/bacula/mistral-fd.pem | 33 ---------
 roles/bacula-dir/handlers/main.yml | 3 -
 roles/bacula-dir/tasks/main.yml | 69 ------------------
 .../templates/etc/bacula/bacula-dir.conf.j2 | 23 +++---
 .../templates/etc/stunnel/bacula-dir.conf.j2 | 81 ----------------------
 .../files/lib/systemd/system/bacula-sd.service | 2 +-
 roles/bacula-sd/handlers/main.yml | 3 -
 roles/bacula-sd/tasks/main.yml | 58 ----------------
 .../templates/etc/bacula/bacula-sd.conf.j2 | 5 +-
 .../templates/etc/stunnel/bacula-sd.conf.j2 | 64 -----------------
 .../files/lib/systemd/system/bacula-fd.service | 2 +-
 roles/common/handlers/main.yml | 3 -
 roles/common/tasks/bacula.yml | 72 -------------------
 .../common/templates/etc/bacula/bacula-fd.conf.j2 | 6 +-
 roles/common/templates/etc/iptables/services.j2 | 10 ---
 .../common/templates/etc/stunnel/bacula-fd.conf.j2 | 73 -------------------
 24 files changed, 14 insertions(+), 759 deletions(-)
 delete mode 100644 certs/bacula/antilop-fd.pem
 delete mode 100644 certs/bacula/benjamin-dir.pem
 delete mode 100644 certs/bacula/benjamin-fd.pem
 delete mode 100644 certs/bacula/benjamin-sd.pem
 delete mode 100644 certs/bacula/civett-fd.pem
 delete mode 100644 certs/bacula/data-master.pem
 delete mode 100644 certs/bacula/elefant-fd.pem
 delete mode 100644 certs/bacula/giraff-fd.pem
 delete mode 100644 certs/bacula/mistral-fd.pem
 delete mode 100644 roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
 delete mode 100644 roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2
 delete mode 100644 roles/common/templates/etc/stunnel/bacula-fd.conf.j2
diff --git a/certs/bacula/antilop-fd.pem b/certs/bacula/antilop-fd.pem
deleted file mode 100644
index ab0dcc4..0000000
--- a/certs/bacula/antilop-fd.pem
+++ /dev/null
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFoTCCA4mgAwIBAgIJALyrqlng65g3MA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG -RDEcMBoGA1UEAwwTYW50aWxvcC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDIyMTE0MDZa -Fw0yNTA1MzAyMTE0MDZaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT -TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTYW50aWxvcC5mcmlw -b3N0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM8zFuFJlDjy -d2gouIpHJu2pCRkJLF4O0HyMszXGj3l28Qaf2GlwS0GwJtyH47jIlKD4edRw/wdY -mi/fxb9k5Dtlt7PJrrHQh+EAcaqEpE8VHIsuqsKZd7CMjDoW6S7ciDIMULfk3H0h -artu4+QnYAqHJtMaSzO2wB/iLdl6iWoCpPBp24cAgC10m3TWlneuXNNgEk3fy63P -dbJdTww6hsUNHVBkB3JkKEWU+0uyGE3v/Qruz/JuotvJttZ4p5tPr+jGNEYPNgVq -vUBSnu+OwCNgw/XNgn7z6WivmcxLwMqxfb6P1xbMhJab2DD4+5Z/rpGQv1L2xNNi -YfffeZp4J/Vzv8p7qmCotGqOFGI7Y5NHcMdg7IRwQvDPxXK7tZYbjaYY8dmsHDDG -wKzMx+zn+FOtI005rL4OFrdxpis0jR6WwMRa35TaepyqYncto+fsQvOQDf425cHo -kzoMj4ULZZaONNlsIu7X6Su+qcS5oQVUDFpArNrMNQEJTyFkzhZClZ54n1jOemcA -QO/OGuZ8wx1py9+KRlUc//UyXLjVk0ugxv5CLM1yJwY5Gn199wG2PwiXaT8Q6oRf -NR01kz/2sirrPIuWMCu/JKjVZPauF3fuwdRo9fXauWO5HkELDMAfsaKm59Kb/iD9 -f5OxR3Wiik+1EMhj8tHZuKfGHzMbHSMtAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFk -bWluQGZyaXBvc3Qub3JnghNhbnRpbG9wLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC -MAAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQQvLlHhpXBKB+b4X8dG4+d/eIN -tDANBgkqhkiG9w0BAQ0FAAOCAgEAEoeIfl9wOFFQCVQ4yqVnKq7ZTZv2cQXSPqTn -1zE6pqes69tUBVa0ulwKLbp9yss6PadHJEetZBy77QVOPFnVzXsRuq9TYPoXp51i -Z9v2VQEljUPHGEj4kGCCKHTOjsTmPRgSeh3NE9K8g9EEeJGet+mq8J6HRzsChhKB -u/NjTcQnWgzLue5QdrdTPlbgsdfmpzuotVeojHiOcwodWAdEJWIe/Dz7moqlx4Uq -JCAxakCcsTSixJN+iiN1PNvCf6S1WCwL+7flp151hkZ08K34jF0dnChjht+x99qx -+ZjdU+2dC5nRUv5qNABb0zQvKmIo39VFbshnIuVE4FbIsyg9oGxg6cn4AwKGF/ZC -s/6fNuvjvfhNVcm+ZujdtQwiPK3wnXjQ9Boe+ti8jGJtierIKxbIXfb0/wNWMSfK -5u/eH3NCYsKNTzvBa/n3sKgBYrzZDoTXjeHdeSsulaaX7TQWYwi0ILcZa6N/waGs -9rXxLczGHl/bz8MEHp5cWCC0dTOTLjZUTFvxMAdyOOaq3xOxlLxT0CyC7s9Otyh4 -hC6aZwlxDUjxjd08fL81I1+wiRemJQ4TGhx3aAdtev92TSoDEfTElz7Ma1MNCXy+ 
-V4m1hTjBQnq7+UsRy85WULkfEB9einDhT+p12KPqjO/R1+D7SbhFuF8v+H+UyfFs -5d3FeOo= ------END CERTIFICATE----- diff --git a/certs/bacula/benjamin-dir.pem b/certs/bacula/benjamin-dir.pem deleted file mode 100644 index 7642206..0000000 --- a/certs/bacula/benjamin-dir.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFhDCCA2ygAwIBAgIJAMIcL9J2M0mNMA0GCSqGSIb3DQEBDQUAMFcxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMRIwEAYDVQQLDAlCYWN1bGFE -aXIxHDAaBgNVBAMME2JlbmphbWluLm1hcnhpc3Quc2UwHhcNMTUwNjAyMTExODA4 -WhcNMjUwNTMwMTExODA4WjBXMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhT -U0xjZXJ0czESMBAGA1UECwwJQmFjdWxhRGlyMRwwGgYDVQQDDBNiZW5qYW1pbi5t -YXJ4aXN0LnNlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwT6aIKM1 -NPqcyiU4jC7vCjelOtkHwk4Rst8d8tKjz09Aq6prb9zObPz2WMzj0QiWGlK5342C -nYxWkYCzwRr0CniCL4eLgKHrlmMPQ3Vu3kbxH9yO/f6lOj51MFD84c5dfwRI3q3b -gy9P9V+dwScJ4C+oTbzHLE7dbhhfDnk9FKWaaZYC1cDIybL1hmYPDtlUBiMYYDuU -e7QYkvkSSUrf8yABIDOzcz3777IqZPkDREeMfSlH2HX9ny9YQ5X3r01SrkCd4GAf -A9bL74hrKGvtpc+IIQRwopRmQH3VG8YWQD8iXEVGcokwhtNOeR4Zc8RVtLAAJW0+ -w+c/Y5oMsnO6BACOjR8TtdfiZgHo2mCzEhqH/x4f6EqsU+WN6pj2JR8wosGRl5Im -kdKpwMJb2cwUX3kFK6CAQIx5xPVKP5Eymmn6NzZlLMgUQsiLrZ6ZQnRac3eBz7Ny -slPQE0C3NyGwJhmWIGWggz7mT9KhGnamgeW/FJDPj8TAX4gGwaRRyDNo9ay8+qOc -OB5ko0l6yt06tg+ZnzM8C/Cay84HKBXOtFr32KeA+ati+qIJL6Ak+gJmZl4CqYWm -FV5gexEBSSh6N3pu30k4jItPZ4j+rQePQr5ZrYiJiz5rVMXViotUi5JPXfnANOFm -6+prfhPXe0Kea0N11ICgjsvQhjsDjyWpMC0CAwEAAaNTMFEwMQYDVR0RBCowKIER -YWRtaW5AZnJpcG9zdC5vcmeCE2JlbmphbWluLm1hcnhpc3Quc2UwDAYDVR0TAQH/ -BAIwADAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQENBQADggIBADdtDeA/O+4M -opRyHqheQDDab0bnlA+we4gA0kJ31JjmHURzmBB9/ZCkxlDokBCJozBAdNxWOrdy -JI+k8Y2TwPXuHu0PodFbFWAuSOfNfzrOWbAlqRJZlcSOZZqZrojmOcfG8rmcXLpg -WWJATgvdVT6cWhY7/cfn2JJuqjQfD3pdC+kDCAVIJANCE5Lh3M7nB+geykdhjxrx -1Z8reGsCSYkRek7wB+EJXl0ULuNJUWvIpYAFm1MBJkj6Uva2RQ92ZFlOhmADn7wp -IlfOb4UjezJWOU+MDBmolSkAKQGVs/Htl7UIgODCwwoWqvYCjuqN5SAqlHferr9z -c83i4tBNfstnTh9ffss7scjvNNX5adNK7kB5iuf4iJVwX0jymwmDV4gErm3J/wtC -mwp6+dgfCCIBZ13sUzY5URRGPxvUF7jZ4VytEJObWIvFnVuRnwVyp468p33jSNLK -LyhmUMHi9ygAHA6XITHPEH/zJYHAzGklHh7GefAUxSBva4EaNQDZ2Q6Y/IC4w4ZJ -CpV7sab8R+ywJhsBMmgWuXFiyFei7ptFZ8Q1qDoCfU0KTn+MatvJbY8SAMsFk5LK -F+WmwTY3fugxyoy736j+QH2RagGUHX2ONwbqQvwpUG6iLB5BnYKsftg6LyiLlzEi -VdjKmptcqY+gBEZMaYhF/x4zhckABUhI 
------END CERTIFICATE----- diff --git a/certs/bacula/benjamin-fd.pem b/certs/bacula/benjamin-fd.pem deleted file mode 100644 index 5058ad0..0000000 --- a/certs/bacula/benjamin-fd.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFgjCCA2qgAwIBAgIJAL36I3WYX4J7MA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG -RDEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDIxMDQ5MDha -Fw0yNTA1MzAxMDQ5MDhaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT -TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTYmVuamFtaW4ubWFy -eGlzdC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL1HDbw9IyMJ -MZse/mLwPBccX8/S5NFIqot6dumNuIOwpx0aAzF6rN0C55h/GQXWciFAeEy7aPib -NiiwwsEzAQy4JZJ2ZWMpdCN0XhyOUnyjs3L0keH48ywnRfHJP6GF6w+AgD9Y3otX -DphFnpaGMXfP2zGwNgAw7EelBgEBA+sall2tDdv/q4sziegpimCCS1VwLxEINadJ -WY5XgbYQzUiKm1C3A7/PQDlLyWfOYApxfFPKJZQOCI3Fb/q8eztqXrDSQybxRLhf -T6ak8mylVU3+z2Yc2kvtgFs4PTD+XUU1MhDxqiKqpJQJPIzslbVFpYaFm8BBZJli -dBasJAe+YYra0XuZ6wJEavRtWGrCPOnwwvTE8z4rAs/1xpEk4UMyBaWfKhjgYZBv -pQLaaO0Y5VAM0JidiZkEvCaXQqv+pAl6uCBjzw5eOpf6Ju+kZeKKdt9Q5cNg/ZFl -6ZbI/31OjXZxm+xmADhWtrzO+UZwBbLsvN3kIdtkLdU/J9KvhTpQkTtS2YR2FNvD -BIpB3m8lp2pabhtZt2FtDZbQM9krKelXxuZUXcgK8+hd+iQJ6e3U0lbHO0eYkGUk -8H9PpvsIl/sVrTpBW/fHnbm9ZRLknctuY5XMjxeVe2Rr1stPeP5530Mmggw0s+zv -HGpcz1MMRQuag29dyFhIJfwJCi8HL8hVAgMBAAGjUzBRMDEGA1UdEQQqMCiBEWFk -bWluQGZyaXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQC -MAAwDgYDVR0PAQH/BAQDAgKkMA0GCSqGSIb3DQEBDQUAA4ICAQCY/h/+VTe7N323 -zMneN6yPIgj8PXMpfiL9NfxeFBECwWI89p13fOOMKKItH7tUdtZA8iTk3oyCMl+t -y38caohCNun7y8db+jLtSxa6s6NOwUWRWwz9EJpVR9x5AsQ6ZynJDNFF6f4+0Wo+ -G4rJ9zTNKOuUlOkwOUj8SzL4NkaWdyI6Zfxvzq0vGdztI4k6rCz1Dcq82UdSrVfc -SnPaaMsqtdwVIFT8nldQr+sU5Zu8SH4Q5iee0hL91Q7Lg8WzIEbZDdYWEAQuZ6Vk -VsV456nLyNzYPqTtWSK/Xi1xCRLaUZsXIlb0gfD26UzO3Jy1hyekBCg+2hZNjJfC -lZ/CKpTqTXSCvjjM7tASd2tz6PJBEIIoF6bwEh75o5WEueb7NHDPigWxB+yG9sIJ -DDCFPKK9kNpbx7u6HittONBK/oekUZAnzh9AqY2GVvKJ32uAeYf+V+h9D/jOh7F/ -HMTR/s2Dve+NYrX+6Reyk5sYRXLuxlgdxHxQbsuOeINTY/sxYMSAPJxFvUIJNznj -iOn3bk54sMnk3/5YPedxfS2gNHN2L+vnbeNBQ8JI0VAFHa/dhq4594avFrz33dSH -3VCLUn52izJxBxLaJYKLVrd1k40ayEUI5WEBs5gYcIviS5Dr0oZhOUJceGpkn2TT -3BB5gaJpE6RwIwmvuse2YOlCKo7xEA== 
------END CERTIFICATE----- diff --git a/certs/bacula/benjamin-sd.pem b/certs/bacula/benjamin-sd.pem deleted file mode 100644 index 0443810..0000000 --- a/certs/bacula/benjamin-sd.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFgjCCA2qgAwIBAgIJALEP4ryGZFdWMA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFT -RDEcMBoGA1UEAwwTYmVuamFtaW4ubWFyeGlzdC5zZTAeFw0xNTA2MDIxMDUzMDha -Fw0yNTA1MzAxMDUzMDhaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT -TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFTRDEcMBoGA1UEAwwTYmVuamFtaW4ubWFy -eGlzdC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL1A9zHK4bEK -hxSncIRuwly+rPRf0KGJF6opY7RkS9UnsYXS+5i9Gw89ikiutX8ADHuqy7kXnoiO -W7Ihuk/903RATzU5pVCweHcf/XHMsWW3Yrwgus25fP3aSxjHyZt8e3RAZGTvDySe -8FCbGJe5tFoEM6YLdzaWY8cFiohgZjU+PD/i5kIiGizNe6qYO37ANQIaCrO0iex8 -OfFjSJbmIvZOVuyipxUs0wTF/zTq7fBoM2k+/tBTEorPszGx81hvCmsjdEQMVjih -1ThczGTI9m+yE5hHKoUxX/NlFPjhGGFc3suCL8kWPPTRDmimRY9bQWbafqPL+ZXG -ubz1Li9AIyYP+iTukyI1hdo8kKlgO4oA+aTqfUZYDeXcP5d85KHaIqtSida8L93G -YbSsG2zfDuCGcHttZVLPE3+/cYuqG6821cAyKOY6H1D3+6RdR+bgh2WxFRBPJs7D -RRRJGz/Fe1zbacKehQL9J7hmq4vIvh3mqnRk1eCrpR85XkH/6XO1/Zc7ienZaSD6 -/dK3xk2FM1tVNRsfdp73Ky2Msz7sbz3ajHzXj2IzaDYSdP5ldZ6htahNrRR6N05M -viBW7eIj7tvx542gjw2nNUulI4E4eX9yiC1QUeYEdyBS8arje4E5wO7ZiQNmARhD -QBKEjudRaDQTuko9MFYK1QO9hmB4gt4RAgMBAAGjUzBRMDEGA1UdEQQqMCiBEWFk -bWluQGZyaXBvc3Qub3JnghNiZW5qYW1pbi5tYXJ4aXN0LnNlMAwGA1UdEwEB/wQC -MAAwDgYDVR0PAQH/BAQDAgKkMA0GCSqGSIb3DQEBDQUAA4ICAQCw2v6UZe67o5TS -UCnShsjG2iNZW3Q5rSsDEOlViS9pk1LAyVJAiZ7yqFly1+TGe20QCDbIePQcgwla -0TIciZIO6jbQAYItvgfUwdrSVrKCffBNopnY2IPBAgWsuZeY5/sFwT5bagC6y4au -WLq9FHFt20JAo0y4iT/oSaKIY9gdJjWmAomFXMZL9KxUotKF+6UFGgN19QwAKGFX -1GHME+bTTwlmEvGIAAY/C3SlLqe6vQDAKR0aY+BHrxdIfg6FtAvYgXWjcrMLaHul -HMpUFpq9+sVA2nDwGTgg0jsOU4v2OBDuUoOxjztx/BwPTmPF+U6HkN4cHSeD03yQ -QMYPMU1o5FXkhdBCKtzgPqCFDSD0IyeyFeQ7MzIbpylQTcRz4J/d3uy7q1DhEIYk -omt5H1dgbsEfXXWcIhUuJj9dhl36YkM9OE5k4bytntqHImD6/q7JZbOODuqHkmR7 -2w2QgwS8i+d1iMZ+d/9Z+HtemhUIltgpR0RvJa4aFzfmj0zAWXWNDK2S3nTmr086 -kuAxour48AUUHYX/44jijEUhh22pypwATcrinH5WWbftoUP87+kwTCwLWnZF2VS+ -aIvLOPhY06fqdj7J6k4AZ3muq7SGCCdCTEtdH7Xsz/ACenUG1A5ueziW/MeC+ZOZ -5PnEB/KBWMy43A42ajz8fA41/Qj0WA== 
------END CERTIFICATE----- diff --git a/certs/bacula/civett-fd.pem b/certs/bacula/civett-fd.pem deleted file mode 100644 index 0b8bd7b..0000000 --- a/certs/bacula/civett-fd.pem +++ /dev/null 
@@ -1,34 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFzzCCA7egAwIBAgIJAK35SShtN1ELMA0GCSqGSIb3DQEBDQUAMGUxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG -RDErMCkGA1UEAwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAe -Fw0xNTA2MDMxODMwNDZaFw0yNTA1MzExODMwNDZaMGUxEDAOBgNVBAoMB0ZyaXBv -c3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDErMCkGA1UE -AwwiY2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAKWesiEEzXH7UchQpfSTGPdHvDc4Ar6hmDxc -Yr5cgSin/JDWAhdMqvU6T/g+BDjcYj+IcyopYCZ84BatZLdKyEklYQolDrI1+7cb -og96dlOmVc3d7epn5uuKOS7sm6IGB5M3BNVkWzKkm2BJaG9WuxxG4i/DOPunrT1G -bJcrJsfUQzbHULjESvw8Xy0p2Iie5XZ3TIXg8UJ2kmrCDs69+tUikxTQ6ut2iw/F -o6+hMPWJjno5dsJDQ/4VuVceZZjDzL9Mm6d5mq3f3rJQOi92eEDsTtcOUrZnga2l -lTrgpTAlAoQHIsGGQjeyz0GXqBH1hdAV9YF1rddh6tl953KsEvVGI7xG+S/DoNGx -2fpOU8Z2mimeqowtwKPBh6T/l5YJccEaKvgnx2Kyf6r4tkYEvEtB9ceooisaBDsg -5s5qRv8stL1mfMakFIcwz7o7/4ZzW8GWIUcsiqbj4H+75wDi+tfEBdBF1/LQt7xf -kDFjxX136telHM8HlWl5xKcApCDhlmSj1DZaVcy6Q2DJ850K81t0hYRzCqAJiPZ4 -ErAvHxA5ceUd+KGdyCZiup3n9Mp5sMYHYRsWxupVZ1ANNA9lW0t4h1G4Vczn/t0o -qkdjxksoam2yFrMolnbhZd7jhbbqJ0kbK0WaXddErO6zjnzaepQKXEN7dmZ8jI+J -7HWoKrOzAgMBAAGjgYEwfzBABgNVHREEOTA3gRFhZG1pbkBmcmlwb3N0Lm9yZ4Ii -Y2l2ZXR0LmZyaXByb2dyYW12YXJ1c3luZGlrYXRldC5zZTAMBgNVHRMBAf8EAjAA -MA4GA1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQUCWfNyFVLQ/2xS0QJAOgNu7jWatow -DQYJKoZIhvcNAQENBQADggIBAJ4ykMLi1nEkob5Q2Gy0bWdGzzHswQGW1FEGXnna -TdlHs34OEYZOzcbdqj2X9EK9Y0Dlx1BzdbB4QRgx3Oehs7D5KhRABPw7/rTj7q6f -WPPai1j6260z+Ah+GFStMMYyoOn8mx8babHf4YcelBgOtzKyKJ5Kr6uGRcMTS8Gs -cGfkDKUG7PdEIAT8tXstA8MuVVjDC7FYKusCoJKleCIFMgWH29HHIU/psqk4oiNK -B35VdAp2LT+qsRTlBmPphELHiVElpG6rCLCBsSTDnEi2qWhiNlVjYHRdfY6bo0Hu -1pPO7mAk4I7JOaFed9FXxYfSag+LiVpXMSI67586jZxqnA6Oyd02AJYJT3Eym8Gz -hKOniEYF4mwYw6bNeapmrzl5cId32B+KeE+2OMLOVx4gTtTdcXbvUfaTFzHh1Y5Y -f8hWGKQPv0405lXeyMzeZxuyMYA3rkcKexpfeVks4VLmMpH2XPXXo2W4QDGo5RRs -cWZJbLgs9SYkJM9m7qvE3R38D8aGQkAgt8eCWxcnCdx8NZ7WodLOKSHMR3yGU1Fy 
-ygj9blvlVkEZbFWBv7BR4MbaTwboZG+PygbJpgjXTadApFOlZTPCwFgHgMGKuhj+ -f6Hjsi0K0e4csyL62kqYxuWVN9wwEgiKAm43rNa4eL61Hw9/3Fm8+oj/qg/0u0t3 -zEaD ------END CERTIFICATE----- diff --git a/certs/bacula/data-master.pem b/certs/bacula/data-master.pem deleted file mode 100644 index 22dce60..0000000 --- a/certs/bacula/data-master.pem +++ /dev/null 
@@ -1,38 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGmTCCBIGgAwIBAgIJAMwKAL/cZeW/MA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD -VQQGEwJTRTEUMBIGA1UEChMLZnJpcG9zdC5vcmcxGzAZBgNVBAsTEmZyaXBvc3Qu -b3JnIEJBQ1VMQTEfMB0GA1UEAxMWZnJpcG9zdC5vcmcgbWFzdGVyIGtleTEgMB4G -CSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwHhcNMTMwMTA4MTMwMjIzWhcN -MTMwMjA3MTMwMjIzWjCBgzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC2ZyaXBvc3Qu -b3JnMRswGQYDVQQLExJmcmlwb3N0Lm9yZyBCQUNVTEExHzAdBgNVBAMTFmZyaXBv -c3Qub3JnIG1hc3RlciBrZXkxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGZyaXBvc3Qu -b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtZOy47VinnSATFd4 -LJd+y1p20xdsRR9B7807trtlsqtomPNHIivA/cqlYJk8xdEX9bO4biOrKcTVH2to -r6WIKPCc+2Bu/nhq2Hh4GHtDeRpyvhby+MreLlb1GvTrw/iG9is8pZ/GJ9e7sJn+ -QzZxbvUn/wppWPieXfGYSvDdMyjYv5es/ImeWz3+pCiwUSSHIKIOXT87wQbt3Hhf -5ZC7ZrTHPSPyaahPGNB9CFtl7VLvKJYtlbVweiR0mYG+tVXu17VfFt6aT0qIqzSL -rs57CKOJUDJHRZeF3R4MA3eFhEI8t495JYFzK7P0K0O/HqA/sxZnXkODak98bdTS -6cfKrOD/NiriEayqf/2ekDZL0zraEz1gUF2UInfdEPVF/dVWhrUTc+gzcOshI+6G -SNpW6gXi4nnG4r6ZelCkyoDsHL7G75SriamvszGXIWCc9wmrOkcQPniSG6A+EblB -HBzQA77g86o7n+5CvPsCAMc8tpdfqEG5RN74zMaKflDy4L+zlI06IgVsrJNpThWD -aHFDTgD1M20bKyriBZ0ST7IIX3e4awvfUdw4A+me7JDov0LWZRQE68SM0L8WUpEC -guB5+lTqwYOi/bhw7QS0dtwzAecRHSd9S4TT92+Dl1Xyw7Vh4IKyYTo9kxzftwKl -guqATvjV922NhwZhUHW4GLlA4vMCAwEAAaOCAQwwggEIMB0GA1UdDgQWBBR0uhlQ -78EvNbpwDElIsAdoBPdB0DCBuAYDVR0jBIGwMIGtgBR0uhlQ78EvNbpwDElIsAdo -BPdB0KGBiaSBhjCBgzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC2ZyaXBvc3Qub3Jn -MRswGQYDVQQLExJmcmlwb3N0Lm9yZyBCQUNVTEExHzAdBgNVBAMTFmZyaXBvc3Qu -b3JnIG1hc3RlciBrZXkxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGZyaXBvc3Qub3Jn -ggkAzAoAv9xl5b8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4 -QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4ICAQCjNJlSOcFtr4J+Qfw5WMc0feoa -Ee7PxK1z90GQJCQEEadUrsm89yCj34r4jhhrt8JC1+7V6igU48cn6o1xYrFFFfHY -p74AH6xMNHP88dulQcNrOgR3TTFejjLncnga5/iZDXEf060oREZEbwdoThrxbJ8Q -H92pr4ywW6Mj0j4b05VyjN0oOQdOPFdxZ3CPAliLn3hbwdIQ73vh7S5k/l523sja -l8bDx4OU5TKInaM6i7Xglfkyrig6e1Mi5XbZCs0RK1hOeVgmRI2f/RiHgLE/b4TW 
-i0uE9RkHChgUlPAamuXiF0w1VJuxr2adZoLfnQtY8CcwwpsbXUEUGyr3+59yRl6H -s1AHCyM91A1iVU35pPDhjR7LvS0Yqp0gAt8zLNbyvmwZcINoAm3VKfZNDQwzvfrP -4ThDX+dS3PjyNogvNmqgkMu4ta/6WlDmo1X4cC88V0HW1uujrF0Cuwh4IuavxVgA -Atpzj4kh7EP/sDPguHO48NMkbDZ6k2A6ZepCzyldEfRjCfS1jyoX2LqrpW3dQL7Z -bJpMTXSo/l5aUYGb50cdLzDLVbc/CZnG3NrVetvogRUOcax5Sn0nrsqLrQvn5kwh -G9+ufbOvvECOWAVQuJv2RwBj4VffSwASkhI9kR8x8+DZ01mBMFOAXx6KGFsgjSeL -JIZyqPYX/iH61mHk2Q== ------END CERTIFICATE----- diff --git a/certs/bacula/elefant-fd.pem b/certs/bacula/elefant-fd.pem deleted file mode 100644 index 1f9fe2e..0000000 --- a/certs/bacula/elefant-fd.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFoTCCA4mgAwIBAgIJAP7SDEuZmEQMMA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG -RDEcMBoGA1UEAwwTZWxlZmFudC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDIyMTIyNTNa -Fw0yNTA1MzAyMTIyNTNaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT -TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTZWxlZmFudC5mcmlw -b3N0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN+hwkzPGGs5 -pdgl15TYB+arxA4xWju316BhXrWH1qW5xUcrnL/ewpm3yTt+fkipn7gLOpGQlJjZ -loHop8iSXn/5e+0WW+r9EJ9VNHagKuuVyyIaKR7pU9J5pBQqqQDASj8IcE3lTu2Z -kUwBPdo19de37NRU0acHOFAKEGARsoORLTbKryB4oBt4BWvZbl+ob8XXNzcD0bQQ -0HsETroBM76HBXTa7JzTeAFzopESvYJZquCEmRIoKhP2qYY2megPfUPPv7yDKfhx -uDA2X8msuJmn7GnKKUiFAM4m9PMlulCIR55p5mBeMMbUIX2EqWuDh27Tf6QAWoZn -xG6AVBeXq7W0/MCWcE389jPSbB/Z68Voeq3v6HoqHUTAU3JNV1EXYPEg91OYA6/I -SbO6phu005ONASKkAGFDOCTZya/rDEuptT/Bx+7u4Y3R6J+jDbMWLy69spcW0hU0 -o2u7vdCn4Q+bnEK+/SLr8vw0wmXGEWD0pJ/C6KviIji4ccHHw1DbUfR96S57qyBU -jZA+MahVNoXexTMABjtteQITv+jdqwXJix9NVOJw0ZUR6PQw7T8MZN5I4aislmdQ -5zjIaPedH4EkniaAId2nd+0PzA9+kWTd2/4TmX4kj8tVZQ1Rh0FW5V0z6gE2SLzE -fEsu/hjIKs9B8YxFlQ+OY83OB+QQppn5AgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFk -bWluQGZyaXBvc3Qub3JnghNlbGVmYW50LmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC -MAAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBTRnrDNVJIPDTuYPxCp7Xy7KKKM -9DANBgkqhkiG9w0BAQ0FAAOCAgEAJsR5HZxwiLsWHy8Dc+HTLrbnpqri800ngof7 -XoIvrn56mnZFPPAWkVenW8+7DC8i2nG2SHAFaCp05WL/bjP4k+tO+V59SjIv3Id4 -gBkZM3k7mM5ZaA7Cx32WXoX2r1tm80kTChf8cW03XPDE3nd18uDdv2L5pVMg+mYB -DY6EEaZ/HbEkg6Wst+q2eZkOAHD/kq3Sh920nkehgrBIr+JzoLnbu2K2EoZSqKsg -51cU2+eewv9/Nfrb/oU/Rxe810xvxBbTKljRsUUxmty+X7ckO7znUQoOQ6ez1pyA -Ccj6TYPTV1ASwKUf8y1zWcWAH3/xl3TD/Csm+lvqqSuZN8IAQ7Jb017d+v6VtzkU -zewtzWyo31ju/Ky5Y46uUR/dPWLQvmm2uTNk2/dLILitWYY7nQAYXcxWSoky0P07 -tkCln55709PZxl3BxDfRFNxdmTXTkfRE0p6KgB+rtyxoV0d+svsFMlFPqaHpJaDW -JyvUQgfjpUijbRj9hsDQFR8bF1WNUo4gQ5QFpNLfeg9y3ChXGYzsbT23bzbK6ZHX -kw8dg1LlOVIT+B7Z3/iHwXm3T1VGBLZSOubAgphHQ6xXNBk5zH0Y1J70pmcY+D59 
-rOhUVAZ2MryVVqtT1CAv5JRNHlkObzbUPY8waq4tuG0InTKA9hPw2Aro8XepiECx -7LVjepE= ------END CERTIFICATE----- diff --git a/certs/bacula/giraff-fd.pem b/certs/bacula/giraff-fd.pem deleted file mode 100644 index 7bce789..0000000 --- a/certs/bacula/giraff-fd.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFfzCCA2egAwIBAgIJAJ6fcDGMzN/EMA0GCSqGSIb3DQEBDQUAMFUxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG -RDEbMBkGA1UEAwwSZ2lyYWZmLmZyaXBvc3Qub3JnMB4XDTE1MDYwMTIyNDc1OVoX -DTI1MDUyOTIyNDc1OVowVTEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NM -Y2VydHMxETAPBgNVBAsMCEJhY3VsYUZEMRswGQYDVQQDDBJnaXJhZmYuZnJpcG9z -dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC28HnVjuyY4AaJ -GWglojt6TSbZ+9r7PySJbdLKT1Ugc3iCARqPqakGspVrUATWoSqOOMROxqIj/96L -EtJBd4OvrooLpOJjVO0h0gCwTZbWAlwUvru8eYxYbBPSFsh33D5KDeQKd7+eXZ1u -X7eKO8CeiCbw16kWYchRPYd2cFHz0sFjyknmrhJ3/OJWkUslMLiAjczVOXSJqu6A -D2gCdNBUfEsbAyter1dEOpCyD92iTrzT4bUc0A0UioTG2C8PJWgpMBUvxd1tNnf4 -op3qYurwzFGda+F2tYGDuJzq1lxxPF7jwGxVncWAdf7sTXBenMNMn/KOixkrUNx+ -vN6qRGtGoRGc1/5Rligtf1+6a796ckxUovBjvuIoNv3YzNzJuPmQY3lMNDnAVp+f -sQaUN7G3Z0dZuMGb2sCmUW8j6372ZY8A6aRP9lmZsTzsf4hc43R+m5t9XctfX7nu -sX2L1ip/vWjT+ZewvmDq8BzfJ+96EytyWUHifc7JcaEcPoi/YIobSZiDcT8sS9ek -NxiAsOK/CNVzJp0pkDA6LN+vjDsZvhOyY35lvgtCw74fwfvBjtWwz7PxIbCSovBZ -+Mmdt020YlfMloLM0cZjhZaWRKIdQdl4vhr8r9uSbF0q/0M+FsFro3ueqML5Ea8e -GinJwwDOzZBAnxSLx16SGg7hvIY1XwIDAQABo1IwUDAwBgNVHREEKTAngRFhZG1p -bkBmcmlwb3N0Lm9yZ4ISZ2lyYWZmLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw -DgYDVR0PAQH/BAQDAgKkMA0GCSqGSIb3DQEBDQUAA4ICAQAAaEaqiTe7U/3vGVTh -kJ25iXDvMYdUwjaYs2kkpKVPT48DXEzDFRvLETB6foL3qR3tkbWfLg7Sewn5kbtt -YmbQMLXhI3P74jse5L0dh4+m5wkmPvoiegDOAp8xCt6TkoV9oOoKQhV7xTtkHHub -yyDzu9QotehO3tCM7J8gLLYPAcicMoj/dEebDkieY/5nurFGgJly264H0XUatsiT -jUzvad7/7csHT9tjSZ83zyC5o2izPWCPPFOMCT9Uag+J5/yj+FjPEERWsSG4/pSl -9oWKEwiAxVpXlW4NjKy5JuyVJnf3cpfk/SCRjVHUE/ABe14pb+xaeqemstkGXKOR -1nzIePf2zrcGYSPnzb4myJwOkzk0PbPnWwEbNzrIdXq/sJZalAGpQK0SVmnzjH5Z -jm7prnpW/aWHCR2tdGLgTOlwUehW3+7xjiKVSakpbejPQV6S/AYmkUvCetE/S/rY -UOLUC0LAbwswvHvymIkknJnD7pErFWBC5sRinOuudIuTdPb4eaRUnPI0g35bnAQ1 -8YxVqMUCKCxrjJUejKJcZUydFq0BlNk+ocW0NqoAshc2icEfW6rw8ipu9lbiFKVH -yEby8eXOMoNa7ti7C4JDerJRpFxh8RDFFgtLIVHhxVTGrR7hrb22eW+18+czy5+9 -Od3MfoQyp3gF6e6wPwy374uvWA== ------END 
CERTIFICATE----- diff --git a/certs/bacula/mistral-fd.pem b/certs/bacula/mistral-fd.pem deleted file mode 100644 index 3a2f274..0000000 --- a/certs/bacula/mistral-fd.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFoTCCA4mgAwIBAgIJANqolbIM5xOFMA0GCSqGSIb3DQEBDQUAMFYxEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMREwDwYDVQQLDAhCYWN1bGFG -RDEcMBoGA1UEAwwTbWlzdHJhbC5mcmlwb3N0Lm9yZzAeFw0xNTA2MDIyMTMyMjBa -Fw0yNTA1MzAyMTMyMjBaMFYxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNT -TGNlcnRzMREwDwYDVQQLDAhCYWN1bGFGRDEcMBoGA1UEAwwTbWlzdHJhbC5mcmlw -b3N0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKvCIiK4ggZ6 -y7BVpU7xQSApaPw21LUYvTaltpsHiYLHR4bHzzprflQMrUfCVBSdkyQc7QX4ca3Y -gpIyJi0xyQAgYPgkue4fHuGSzRcaETP8MADcROna0Rq79tUMre4qKD/ZPwI53FNy -HZktWGZa3B5AOQvmwPOeOLHzRK5sTWZBDX+Zfx/46VtDTdFwUcZ/aMClpgm2WQ2V -6NsXtaS6VENgZ+jgCk9Lrkqpf/OYBEGjC+O3PpHJdVb8+5BBokuz3v2/0uOUE3Wq -Epp0D9ya7KTxOOfFvOPo0aNUuj3LW55mxikvWe7tQqBLfnuQAxO6CiXz9XqdPyLQ -Rk6IURCg9BfAASg7SJGTTfEhTJ10i4XiFLByNVL7Vp1RbDcof1drdsq729XNra0G -AtftxB+gPWGCO90kvne2jFkFGYY2YlF3yX4vtmqbbta7Za3O/oJS42m/mgzZQpd1 -N2ch+m+PIzoIVz2J7CwIPLxV+OBjYjmv2CCOJX7GUOHbYMYJG3ixDoGqkhy/FQtR -wL/25LElr967+5yDgWZDD3soV2bghYnCpdWMpfu9PkG6eT+AIZYamVo34RzwMJQU -eBJzc+VStNa0Y/bNr2NSimw8ZyI+m+UvuqwindwZaPPw0DRrY+DgjjVvkr0JQiMv -no+yHg/K02mEEvf4e6gh324JKDlsMXOPAgMBAAGjcjBwMDEGA1UdEQQqMCiBEWFk -bWluQGZyaXBvc3Qub3JnghNtaXN0cmFsLmZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC -MAAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBR8kCzCw/cMvL9uAtSf1lj8hMpV -1zANBgkqhkiG9w0BAQ0FAAOCAgEAoEFqWQv6WV5bb9Erp+0GG/oEroCYSFN8t5hB -l8LvrHvmZI6c7CebUB+WBPhyCypQKdFs5l1zI9yCltRk2xaTS8CYzgVhm7/mEK3K -QAXYLLill0TtGi00Oe5kZqSLNgnhtobKuYSiElVT+2oeu87BKt3nql8Qfl8brdjE -t/MHIYVcDdMW+4/F/9EQqN9lurHEe1Kfp0VmnUoS9cYCBIty49xg7xbQFHw5FxMY -gmeV9OpDUkiQoH+kuixsXZzSRAT+6+j08j0Tu5naBoBY+uL/4eSTGsh/DE734D91 -IsiD/NvCFNB3vGaZtc+MejJX02+7jFhPzZ/N2a+RhQ2BiQcsWYwdTF4U+DubbP8u -XjO0Gc4TPXQvXe2ZED+EyTfk1DEnLPk0m0QEEXvLNmaJKmcxlcYYXRyFmE2c/ZHo -QPeeUfEGC2CcB+krZ3BoEM3Us+cddVUvlx55gclww2/O1H/hpPGPYL+eYLOl+xVV -SvoLeln1skqG7dYnWJt7f2KE6eOtXlphMWsg1xjbhhd1k0zPs64KDXvdU00tgoIt -QjKEdEHIjn9fRZE5u3fycg3PXdcheTQVF1GYyZo+Yhc6yAB8/d0jlKxqTM7NS3XT 
-xEHDbh8tKtDUEuQX+p4GlyWaZ0Wy/UZI4rJZPx0iRaHc+EZCdwSfNR4LZnTdu/5m
-eLOX11g=
------END CERTIFICATE-----
diff --git a/roles/bacula-dir/handlers/main.yml b/roles/bacula-dir/handlers/main.yml
index 778a1c4..3f3c1bc 100644
--- a/roles/bacula-dir/handlers/main.yml
+++ b/roles/bacula-dir/handlers/main.yml
@@ -2,8 +2,5 @@
 - name: systemctl daemon-reload
 command: /bin/systemctl daemon-reload
-- name: Restart stunnel@bacula-dir
- service: name=stunnel4@bacula-dir state=restarted
-
 - name: Restart bacula-director
 service: name=bacula-director state=restarted
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index 8d182d2..30a25c1 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -1,72 +1,3 @@ -- name: Create /etc/stunnel/certs - file: path=/etc/stunnel/certs - state=directory - owner=root group=root - mode=0755 - -- name: Generate a private key and a X.509 certificate for Bacula Dir - command: genkeypair.sh x509 - --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem - --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key - --ou=BaculaDir --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart stunnel@bacula-dir - tags: - - genkey - -- name: Fetch Bacula Dir X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem - dest=certs/bacula/{{ inventory_hostname_short }}-dir.pem - tags: - - genkey - -- name: Copy Bacula SD X.509 certificates - copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem - dest=/etc/stunnel/certs/ - owner=root group=root - mode=0644 - with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) | sort }}" - register: r2 - notify: - - Restart stunnel@bacula-dir - -- name: Copy Bacula FD X.509 certificates - copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-fd.pem - dest=/etc/stunnel/certs/ - owner=root group=root - mode=0644 - with_items: "{{ groups.all | difference([inventory_hostname]) | sort }}" - register: r3 - notify: - - Restart stunnel@bacula-dir - -- name: Configure stunnel - template: src=etc/stunnel/bacula-dir.conf.j2 - dest=/etc/stunnel/bacula-dir.conf - owner=root group=root - mode=0644 - register: r4 - notify: - - Restart stunnel@bacula-dir - -- name: Enable stunnel@bacula-dir - service: name=stunnel4@bacula-dir enabled=yes - -- name: Start stunnel@bacula-dir - service: name=stunnel4@bacula-dir state=started - when: not (r1.changed or r2.changed or r3.changed or r4.changed) - -- meta: flush_handlers 
-
-
-
 - name: Install bacula-director
 apt: pkg={{ item }}
 with_items:
diff --git a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
index 42b5f74..046ba01 100644
--- a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
+++ b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
@@ -12,11 +12,9 @@ Director { # define myself
 QueryFile = "/etc/bacula/scripts/query.sql"
 Maximum Concurrent Jobs = 1
 DirAddress = 127.0.0.1
- DirSourceAddress = 127.0.0.1
 DirPort = 9101
 FDConnectTimeout = 5 min
 SDConnectTimeout = 5 min
- Heartbeat Interval = 1 min
 }
@@ -365,17 +363,11 @@ FileSet {
 # Client (File Services) to backup
-{% set n = 0 %}
 {% for fd in groups.all | sort %}
-{% set n = n + 1 %}
 Client {
 Name = {{ hostvars[fd].inventory_hostname_short }}-fd
-{% if fd == inventory_hostname %}
- Address = 127.0.0.1
-{% else %}
- Address = 127.0.{{ n }}.1
-{% endif %}
- FDPort = 9112
+ Address = {{ ipsec[ hostvars[fd].inventory_hostname_short ] }}
+ FDPort = 9102
 Catalog = MyCatalog
 @|"sed -n '/^{{ hostvars[fd].inventory_hostname_short }}-fd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
 File Retention = 4 months
@@ -387,16 +379,17 @@ Client {
 # Definition of file storage device
+{% for sd in groups['bacula-sd'] | sort %}
 Storage {
- Name = {{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd
- Address = 127.0.0.1
- SDPort = 9113
- @|"sed -n '/^{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
+ Name = {{ hostvars[sd].inventory_hostname_short }}-sd
+ Address = {{ ipsec[ hostvars[sd].inventory_hostname_short ] }}
+ SDPort = 9103
+ @|"sed -n '/^{{ hostvars[sd].inventory_hostname_short }}-sd\\s/ {s//Password = /p; q}' /etc/bacula/passwords-dir"
 Device = FileStorage
 Media Type = File
- Heartbeat Interval = 1 min
 }
+{% endfor %}
 # Default pool definition
 Pool {
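Review bot: Removing `DirSourceAddress` from the Director resource leaves the source address of outgoing dir → fd/sd connections to the kernel's route lookup, while the Client and Storage resources later in this file now target `ipsec[...]` addresses. If the IPsec policy selects on source as well as destination, a connection sourced from another local address may not match it; this is an inference, since the policy itself is not part of this file. Pinning it with `DirSourceAddress = {{ ipsec[inventory_hostname_short] }}` would make the selector explicit, using the same map lookup the SD template uses for `SDAddress`. The Director block starts above the hunk.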
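Review bot: The new `Address`/`FDPort` lines in the Client resource point the Director straight at the file daemon on 9102, so the per-peer certificate pinning of the deleted stunnel service (`verify = 4` with one `CAfile` per client) no longer applies and peer authentication rests on the IPsec layer plus the Bacula password. The template does not say so, and whether 9102 is refused outside the tunnel depends on firewall rules that are not in this hunk. I would add a comment above `Address`, for example `# No TLS wrapper here: confidentiality and peer authentication come from IPsec`, and confirm that every host in `groups.all` has an entry in `ipsec`, since the loop indexes the map for each of them. The Client block continues below the hunk.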
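Review bot: The added `{% for sd in groups['bacula-sd'] | sort %}` loop emits one Storage resource per SD host, yet each of them keeps `Device = FileStorage` and `Media Type = File`. Bacula uses the Media Type to decide which storage can read a volume, so with more than one host in the group a restore could be sent to a daemon that does not hold the volume. With a single SD nothing changes; otherwise the type should be derived from the host, e.g. `Media Type = File-{{ hostvars[sd].inventory_hostname_short }}`, with the matching value in that SD's Device resource. Job resources that name a Storage are outside this hunk and would need the same check.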
diff --git a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
deleted file mode 100644
index 6219aff..0000000
--- a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2
+++ /dev/null
@@ -1,81 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-{% if 'bacula-sd' not in group_names %}
-[{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd]
-accept = 127.0.{{ n }}.1:9113
-connect = {{ groups['bacula-sd'][0] }}:9103
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem
-{% endif %}
-
-{% set n = 0 %}
-{% for fd in groups.all | sort %}
-{% set n = n + 1 %}
-{% if fd != inventory_hostname %}
-[{{ hostvars[fd].inventory_hostname_short }}-fd]
-accept = 127.0.{{ n }}.1:9112
-connect = {{ fd }}:9102
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[fd].inventory_hostname_short }}-fd.pem
-{% endif %}
-
-{% endfor %}
-
-; vim:ft=dosini
diff --git a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
index ca147a7..698ad17 100644
--- a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
+++ b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service
@@ -4,7 +4,7 @@ After=network.target
 [Service]
 Type=forking
-PIDFile=/var/run/bacula/bacula-sd.9113.pid
+PIDFile=/var/run/bacula/bacula-sd.9103.pid
 StandardOutput=syslog
 User=bacula
 Group=tape
diff --git a/roles/bacula-sd/handlers/main.yml b/roles/bacula-sd/handlers/main.yml
index c6adb80..3434333 100644
--- a/roles/bacula-sd/handlers/main.yml
+++ b/roles/bacula-sd/handlers/main.yml
@@ -2,8 +2,5 @@
 - name: systemctl daemon-reload
 command: /bin/systemctl daemon-reload
-- name: Restart stunnel@bacula-sd
- service: name=stunnel4@bacula-sd state=restarted
-
 - name: Restart bacula-sd
 service: name=bacula-sd state=restarted
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 795804f..ad77db4 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -1,61 +1,3 @@ -- name: Create /etc/stunnel/certs - file: path=/etc/stunnel/certs - state=directory - owner=root group=root - mode=0755 - -- name: Generate a private key and a X.509 certificate for Bacula SD - command: genkeypair.sh x509 - --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem - --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key - --ou=BaculaSD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart stunnel@bacula-sd - tags: - - genkey - -- name: Fetch Bacula SD X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem - dest=certs/bacula/{{ inventory_hostname_short }}-sd.pem - tags: - - genkey - -- name: Copy Bacula Dir/FD X.509 certificates - assemble: src=certs/bacula regexp="-(dir|fd)\.pem$" remote_src=no - dest=/etc/stunnel/certs/bacula-dir+fds.pem - owner=root group=root - mode=0644 - register: r2 - notify: - - Restart stunnel@bacula-sd - -- name: Configure stunnel - template: src=etc/stunnel/bacula-sd.conf.j2 - dest=/etc/stunnel/bacula-sd.conf - owner=root group=root - mode=0644 - register: r3 - notify: - - Restart stunnel@bacula-sd - -- name: Enable stunnel@bacula-sd - service: name=stunnel4@bacula-sd enabled=yes - -- name: Start stunnel - service: name=stunnel4@bacula-sd state=started - when: not (r1.changed or r2.changed or r3.changed) - -- meta: flush_handlers - - - - name: Install bacula-sd apt: pkg=bacula-sd diff --git a/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2 index fbfdca5..5ffa17c 100644 --- a/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2 +++ b/roles/bacula-sd/templates/etc/bacula/bacula-sd.conf.j2 
@@ -15,9 +15,8 @@ Storage { # define myself Working Directory = /var/lib/bacula Pid Directory = /var/run/bacula Maximum Concurrent Jobs = 20 - SDAddress = 127.0.0.1 - SDPort = 9113 - Heartbeat Interval = 1 min + SDAddress = {{ ipsec[inventory_hostname_short] }} + SDPort = 9103 } # diff --git a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 deleted file mode 100644 index 051412c..0000000 --- a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 +++ /dev/null 
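Review bot: Binding with `SDAddress = {{ ipsec[inventory_hostname_short] }}` does not by itself ensure that a connection to port 9103 arrived through an IPsec SA, and the same applies to `FDAddress` in bacula-fd.conf.j2. Unlike the stunnel service this commit removes (`verify = 4`), the daemon no longer authenticates the transport itself. The rule that rejects non-IPsec traffic to this address is presumably in the IPsec or firewall role, which is not part of this diff. A comment above the directive pointing to it would make the dependency explicit, e.g. `# Reachable only through IPsec; cleartext to this address is dropped by <FIREWALL_RULE_PLACEHOLDER>`. The Storage block opens above the hunk.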
@@ -1,64 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[{{ inventory_hostname_short }}-sd]
-client = no
-accept = 9103
-connect = 127.0.0.1:9113
-CAfile = /etc/stunnel/certs/bacula-dir+fds.pem
-
-; vim:ft=dosini
diff --git a/roles/common/files/lib/systemd/system/bacula-fd.service b/roles/common/files/lib/systemd/system/bacula-fd.service index 07bd2e5..ee5afe3 100644 --- a/roles/common/files/lib/systemd/system/bacula-fd.service +++ b/roles/common/files/lib/systemd/system/bacula-fd.service @@ -4,7 +4,7 @@ After=network.target [Service] Type=forking -PIDFile=/var/run/bacula/bacula-fd.9112.pid +PIDFile=/var/run/bacula/bacula-fd.9102.pid StandardOutput=syslog ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index efab81b..250c77b 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -44,9 +44,6 @@ - name: Reload Postfix service: name=postfix state=reloaded -- name: Restart stunnel@bacula-fd - service: name=stunnel4@bacula-fd state=restarted - - name: Restart bacula-fd service: name=bacula-fd state=restarted diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml index 1bd2b77..35666bd 100644 --- a/roles/common/tasks/bacula.yml +++ b/roles/common/tasks/bacula.yml 
@@ -1,75 +1,3 @@ -- name: Create /etc/stunnel/certs - file: path=/etc/stunnel/certs - state=directory - owner=root group=root - mode=0755 - -- name: Generate a private key and a X.509 certificate for Bacula FD - command: genkeypair.sh x509 - --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem - --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key - --ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart stunnel@bacula-fd - tags: - - genkey - -- name: Fetch Bacula FD X.509 certificate - # Ensure we don't fetch private data - become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem - dest=certs/bacula/{{ inventory_hostname_short }}-fd.pem - tags: - - genkey - -- name: Copy Bacula Dir X.509 certificates - assemble: src=certs/bacula regexp="-dir\.pem$" remote_src=no - dest=/etc/stunnel/certs/bacula-dirs.pem - owner=root group=root - mode=0644 - register: r2 - when: "'bacula-dir' not in group_names" - notify: - - Restart stunnel@bacula-fd - -- name: Copy Bacula SD X.509 certificates - copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem - dest=/etc/stunnel/certs/ - owner=root group=root - mode=0644 - register: r3 - with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) }}" - notify: - - Restart stunnel@bacula-fd - -- name: Configure stunnel - template: src=etc/stunnel/bacula-fd.conf.j2 - dest=/etc/stunnel/bacula-fd.conf - owner=root group=root - mode=0644 - register: r4 - when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names" - notify: - - Restart stunnel@bacula-fd - -- name: Enable stunnel@bacula-fd - when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names" - service: name=stunnel4@bacula-fd enabled=yes - -- name: Start stunnel@bacula-fd - service: name=stunnel4@bacula-fd 
state=started - when: ('bacula-dir' not in group_names or 'bacula-sd' not in group_names) and - not (r1.changed or r2.changed or r3.changed or r4.changed) - -- meta: flush_handlers - - - - name: Install bacula-fd apt: pkg=bacula-fd diff --git a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 b/roles/common/templates/etc/bacula/bacula-fd.conf.j2 index 432768b..d64ac86 100644 --- a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 +++ b/roles/common/templates/etc/bacula/bacula-fd.conf.j2 @@ -27,11 +27,9 @@ FileDaemon { # define myself Working Directory = /var/lib/bacula Pid Directory = /var/run/bacula Maximum Concurrent Jobs = 20 - FDAddress = 127.0.0.1 - FDPort = 9112 - FDSourceAddress = 127.0.0.1 + FDAddress = {{ ipsec[inventory_hostname_short] }} + FDPort = 9102 SDConnectTimeout = 5 min - Heartbeat Interval = 1 min PKI Signatures = Yes # Enable Data Signing PKI Encryption = Yes # Enable Data Encryption diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 953cea5..ccbc735 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -61,16 +61,6 @@ in tcp 80,443 # HTTP/HTTPS out tcp 993 # IMAP out tcp 4190 # MANAGESIEVE {% endif %} -{% if 'bacula-dir' in group_names and groups.all | difference(groups['bacula-dir']) %} -out tcp 9102 # BACULA-FD -{% elif groups['bacula-dir'] | difference([inventory_hostname]) %} -in tcp 9102 # BACULA-FD -{% endif %} -{% if 'bacula-sd' in group_names and groups.all | difference(groups['bacula-sd']) %} -in tcp 9103 # BACULA-SD -{% elif groups['bacula-sd'] | difference([inventory_hostname]) %} -out tcp 9103 # BACULA-SD -{% endif %} {% if 'LDAP-provider' in group_names %} out tcp 11371 # HKP out tcp 43 # WHOIS diff --git a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 deleted file mode 100644 index 057dc48..0000000 
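Review bot: In the bacula-fd.conf.j2 hunk, `FDAddress = {{ ipsec[inventory_hostname_short] }}` opens port 9102 to every peer that can reach this host over IPsec, whereas the stunnel listener it replaces accepted only certificates in `bacula-dirs.pem`. The Director password is then the only remaining check on who may drive the file daemon, so if hosts other than the Director share the mesh, a source restriction on 9102 in the firewall would keep the old property. Also, `FDSourceAddress = 127.0.0.1` is removed rather than replaced. If the IPsec policy selects on the `ipsec[...]` addresses (not visible here), the FD → SD connection may need `FDSourceAddress = {{ ipsec[inventory_hostname_short] }}` to go through the tunnel rather than in clear. The FileDaemon block starts and ends outside the hunk.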
--- a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2
+++ /dev/null
@@ -1,73 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
-key = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
-
-socket = l:TCP_NODELAY=1
-socket = l:SO_KEEPALIVE=1
-socket = l:TCP_KEEPIDLE=60
-socket = l:TCP_KEEPINTVL=15
-socket = l:TCP_KEEPCNT=116
-
-socket = r:TCP_NODELAY=1
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=60
-socket = r:TCP_KEEPINTVL=15
-socket = r:TCP_KEEPCNT=116
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[{{ inventory_hostname_short }}-fd]
-client = no
-accept = 9102
-connect = 9112
-CAfile = /etc/stunnel/certs/bacula-dirs.pem
-
-{% if 'bacula-sd' not in group_names %}
-[{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd]
-client = yes
-accept = 127.0.0.1:9113
-connect = {{ groups['bacula-sd'][0] }}:9103
-delay = yes
-CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem
-{% endif %}
-
-; vim:ft=dosini
-- 
cgit v1.2.3