From 00d6d904dc26592553ba93710c205603757e3faf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 3 Jun 2015 21:13:10 +0200
Subject: Configure Bacula File Daemon / Storage Daemon / Director.

Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
---
 roles/bacula-dir/tasks/main.yml | 134 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 134 insertions(+)
 create mode 100644 roles/bacula-dir/tasks/main.yml
(limited to 'roles/bacula-dir/tasks/main.yml')

diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
new file mode 100644
index 0000000..7bcf239
--- /dev/null
+++ b/roles/bacula-dir/tasks/main.yml
@@ -0,0 +1,134 @@
+- name: Install stunnel
+ apt: pkg=stunnel4
+
+- name: Auto-enable stunnel
+ lineinfile: dest=/etc/default/stunnel4
+ regexp='^(\s*#)?\s*ENABLED='
+ line='ENABLED=1'
+ owner=root group=root
+ mode=0644
+
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Generate a private key and a X.509 certificate for Bacula Dir
+ command: genkeypair.sh x509
+ --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
+ --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
+ --ou=BaculaDir --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
+ -t rsa -b 4096 -h sha512
+ register: r1
+ changed_when: r1.rc == 0
+ failed_when: r1.rc > 1
+ notify:
+ - Restart stunnel
+ tags:
+ - genkey
+
+- name: Fetch Bacula Dir X.509 certificate
+ # Ensure we don't fetch private data
+ sudo: False
+ fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
+ dest=certs/bacula/
+ fail_on_missing=yes
+ flat=yes
+ tags:
+ - genkey
+
+- name: Copy Bacula SD X.509 certificates
+ copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
+ dest=/etc/stunnel/certs/
+ owner=root group=root
+ mode=0644
+ with_items: groups['bacula-sd'] | difference([inventory_hostname]) | sort
+ register: r2
+ notify:
+ - Restart stunnel
+
+- name: Copy Bacula FD X.509 certificates
+ copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-fd.pem
+ dest=/etc/stunnel/certs/
+ owner=root group=root
+ mode=0644
+ with_items: groups.all | difference([inventory_hostname]) | sort
+ register: r3
+ notify:
+ - Restart stunnel
+
+- name: Configure stunnel
+ template: src=etc/stunnel/bacula-dir.conf.j2
+ dest=/etc/stunnel/bacula-dir.conf
+ owner=root group=root
+ mode=0644
+ register: r4
+ notify:
+ - Restart stunnel
+
+- name: Start stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed)
+
+- meta: flush_handlers
+
+
+
+- name: Install bacula-director
+ apt: pkg={{ item }}
+ with_items:
+ - bacula-console
+ - bacula-director-mysql
+
+- name: Create a 'bacula' SQL user
+ mysql_user: name=bacula password= auth_plugin=auth_socket
+ state=present
+ notify:
+ - Restart bacula-director
+
+# Create with:
+# echo bconsole $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
+# echo $sd-sd $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
+# echo $fd-fd $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
+#
+# then add the password for each FD / SD:
+# echo $director-dir $password | sudo tee /etc/bacula/passwords-sd
+# echo $director-dir $password | sudo tee /etc/bacula/passwords-fd
+- name: Ensure /etc/bacula/passwords-dir exists
+ file: path=/etc/bacula/passwords-dir
+ state=file
+ owner=bacula group=bacula
+ mode=0600
+
+- name: Configure bconsole
+ template: src=etc/bacula/bconsole.conf.j2
+ dest=/etc/bacula/bconsole.conf
+ owner=root group=root
+ mode=0644
+
+- name: Configure bacula
+ template: src=etc/bacula/bacula-dir.conf.j2
+ dest=/etc/bacula/bacula-dir.conf
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - Restart bacula-director
+
+- name: Copy bacula-director.service
+ copy: src=lib/systemd/system/bacula-director.service
+ dest=/lib/systemd/system/bacula-director.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Restart bacula-director
+
+- meta: flush_handlers
+
+- name: Enable bacula-director
+ service: name=bacula-director enabled=yes
+
+- name: Start bacula-director
+ service: name=bacula-director state=started
-- cgit v1.2.3
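Review bot: The private key written to `/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key` by the "Generate a private key and a X.509 certificate for Bacula Dir" task has no ownership or mode enforced anywhere in this hunk — the containing directory is created `0755` and the key's permissions are left entirely to `genkeypair.sh`, so a change in that script would silently leave the stunnel identity readable by every local user. I would add a `file: path=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key owner=root group=root mode=0600` task directly after the generation step; `file` is idempotent, so it costs nothing on later runs. The `changed_when: r1.rc == 0` / `failed_when: r1.rc > 1` pair encodes an exit-code contract of `genkeypair.sh` that is presumably "1 = key pair already present", and a comment such as `# genkeypair.sh: rc 0 = new pair written, rc 1 = already existed, >1 = error -- TODO confirm` would make that visible to the next maintainer. The `Start stunnel` guard `when: not (r1.changed or r2.changed or r3.changed or r4.changed)` reads `.changed` from `r2`/`r3`, which are registered by loops that are empty on a one-host inventory; whether an empty-loop register carries `changed` depends on the Ansible version, so `r2.changed | default(false)` (and likewise for `r3`) would be more robust.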