- name: Create /etc/stunnel/certs
  # Holds this host's stunnel keypair for the FD and the Dir/SD
  # certificates copied in by the tasks below.
  file:
    path: /etc/stunnel/certs
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Generate a private key and a X.509 certificate for Bacula FD
  # Certificate (.pem) and private key (.key) are written as two separate
  # files, so the certificate can later be fetched without touching the key.
  command: >-
    genkeypair.sh x509
    --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
    --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
    --ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
    -t rsa -b 4096 -h sha512
  register: r1
  # NOTE(review): rc 0 is read as "generated", rc 1 as "already present" and
  # anything higher as a failure — presumably genkeypair.sh's convention; confirm.
  changed_when: r1.rc == 0
  failed_when: r1.rc > 1
  notify:
    - Restart stunnel@bacula-fd
  tags:
    - genkey

- name: Fetch Bacula FD X.509 certificate
  # No privilege escalation here: the command is run as the login user so a
  # mistake cannot pull root-only material (the -fd.key private key) back to
  # the controller. Only the certificate file is read, via openssl x509.
  become: false
  fetch_cmd:
    cmd: openssl x509
    stdin: "/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem"
    dest: "certs/bacula/{{ inventory_hostname_short }}-fd.pem"
  tags:
    - genkey

- name: Copy Bacula Dir X.509 certificates
  # Concatenate every *-dir.pem found in the controller's certs/bacula into a
  # single file on the host. Skipped on hosts that are themselves directors.
  assemble:
    src: certs/bacula
    regexp: '-dir\.pem$'
    remote_src: false
    dest: /etc/stunnel/certs/bacula-dirs.pem
    owner: root
    group: root
    mode: '0644'
  register: r2
  when: "'bacula-dir' not in group_names"
  notify:
    - Restart stunnel@bacula-fd

- name: Copy Bacula SD X.509 certificates
  # One certificate per member of the bacula-sd group, leaving out this
  # host's own entry.
  copy:
    src: "certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem"
    dest: /etc/stunnel/certs/
    owner: root
    group: root
    mode: '0644'
  register: r3
  with_items: "{{ groups['bacula-sd'] | difference([inventory_hostname]) }}"
  notify:
    - Restart stunnel@bacula-fd

- name: Configure stunnel
  # The condition is false only for a host that is in both the bacula-dir
  # and the bacula-sd group; every other host gets the tunnel configured.
  template:
    src: etc/stunnel/bacula-fd.conf.j2
    dest: /etc/stunnel/bacula-fd.conf
    owner: root
    group: root
    mode: '0644'
  register: r4
  when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names"
  notify:
    - Restart stunnel@bacula-fd

- name: Enable stunnel@bacula-fd
  # Same condition as "Configure stunnel": skipped only on a host that is
  # both director and storage daemon.
  service:
    name: stunnel4@bacula-fd
    enabled: true
  when: "'bacula-dir' not in group_names or 'bacula-sd' not in group_names"

- name: Start stunnel@bacula-fd
  # If any of r1..r4 changed, the notified handler will restart the service
  # at the flush_handlers step, so an explicit start is only needed when
  # nothing changed (e.g. a fresh host where the service is not yet running).
  service:
    name: stunnel4@bacula-fd
    state: started
  when: >-
    ('bacula-dir' not in group_names or 'bacula-sd' not in group_names) and
    not (r1.changed or r2.changed or r3.changed or r4.changed)

# Run the pending "Restart stunnel@bacula-fd" handler now, before the
# bacula-fd package is installed and configured below.
- meta: flush_handlers



- name: Install bacula-fd
  # No explicit state: the apt module's default (present) applies.
  apt:
    pkg: bacula-fd

- name: Create /var/lib/bacula/tmp
  # Root-only working directory (0700).
  file:
    path: /var/lib/bacula/tmp
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Delete /etc/bacula/common_default_passwords
  # Remove the shared default password file (presumably package-supplied) so
  # that only the per-host passwords-fd enforced below is in play.
  file:
    path: /etc/bacula/common_default_passwords
    state: absent

# Create with:
#   echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-fd
- name: Ensure /etc/bacula/passwords-fd exists
  # state=file does not create the file: it must be provisioned by hand (see
  # the comment above). The task fails when the file is missing and otherwise
  # enforces root ownership and 0600 so the director password stays private.
  file:
    path: /etc/bacula/passwords-fd
    state: file
    owner: root
    group: root
    mode: '0600'

- name: Configure bacula
  # Render the FD configuration; the handler restarts bacula-fd on change.
  template:
    src: etc/bacula/bacula-fd.conf.j2
    dest: /etc/bacula/bacula-fd.conf
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart bacula-fd

- name: Create /etc/bacula/ssl
  # Directory for the data-encryption keypair and the master public key.
  # The directory itself is world-readable; the keypair file written into
  # it must carry its own restrictive mode.
  file:
    path: /etc/bacula/ssl
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Generate a keypair for data encryption
  # NOTE(review): --pubkey and --privkey name the same file, so the resulting
  # .pem presumably holds both the certificate and the private key (the
  # combined form a PKI keypair setting expects). Nothing in this file sets
  # that file's mode — confirm genkeypair.sh creates it without world-read
  # access, since the parent directory is 0755.
  command: >-
    genkeypair.sh x509
    --pubkey=/etc/bacula/ssl/{{ inventory_hostname_short }}.pem
    --privkey=/etc/bacula/ssl/{{ inventory_hostname_short }}.pem
    --ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
    -t rsa -b 4096 -h sha512
  register: r
  # rc 0: generated; rc 1: presumably "already present"; higher: failure.
  changed_when: r.rc == 0
  failed_when: r.rc > 1
  notify:
    - Restart bacula-fd
  tags:
    - genkey

- name: Copy the master public key for data encryption
  # Public half only (per the task name), hence 0644 is appropriate.
  copy:
    src: certs/bacula/data-master.pem
    dest: /etc/bacula/ssl/master.pem
    owner: root
    group: root
    mode: '0644'
  tags:
    - genkey

- name: Copy bacula-fd.service
  # NOTE(review): /lib/systemd/system is the package-owned unit directory, so
  # a package upgrade may overwrite this file; /etc/systemd/system would take
  # precedence and survive upgrades. Left as-is here.
  copy:
    src: lib/systemd/system/bacula-fd.service
    dest: /lib/systemd/system/bacula-fd.service
    owner: root
    group: root
    mode: '0644'
  notify:
    - systemctl daemon-reload
    - Restart bacula-fd

# Apply daemon-reload / "Restart bacula-fd" now so the service below is
# enabled and started against the freshly installed unit and config.
- meta: flush_handlers

- name: Enable bacula-fd
  service:
    name: bacula-fd
    enabled: true

- name: Start bacula-fd
  # Unconditional here (unlike the stunnel start) — a restart from the
  # handlers above has already been flushed, so this is a no-op if running.
  service:
    name: bacula-fd
    state: started