Merge pull request #7 from adfinis/bareos-dir-encryption

feat: TLS encryption for Director / WebUI connection
adfinis · Jul 9, 2024 · ad09b38 · ad09b38
2 parents 97b1fa1 + f97bf6d
commit ad09b38
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 37 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -30,6 +30,18 @@ bareos_dir_tls_enable: yes
 # Verify the peer.
 bareos_dir_tls_verify_peer: no
 
+# The path of the CA certificate file.
+bareos_dir_tls_ca_cert_src: ""
+bareos_dir_tls_ca_cert_dest: "/etc/bareos/bareosCA.pem"
+
+# The path of the client certificate of the director
+bareos_dir_tls_cert_src: ""
+bareos_dir_tls_cert_dest: "/etc/bareos/director.pem"
+
+# The path of the client certificate key of the director
+bareos_dir_tls_cert_key_src: ""
+bareos_dir_tls_cert_key_dest: "/etc/bareos/director.key"
+
 # A list of catalogs to configure.
 bareos_dir_catalogs: []
 

diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
@@ -39,6 +39,24 @@ argument_specs:
         type: "bool"
         default: no
         description: "Verify the peer."
+      bareos_dir_tls_ca_cert_src:
+        type: "str"
+        description: "The CA Certificate for the Director (src)"
+      bareos_dir_tls_ca_cert_dest:
+        type: "str"
+        description: "The CA Certificate for the Director (dest)"
+      bareos_dir_tls_cert_src:
+        type: "str"
+        description: "The TLS certificate of the director (src)"
+      bareos_dir_tls_cert_dest:
+        type: "str"
+        description: "The TLS certificate of the director (dest)"
+      bareos_dir_tls_cert_key_src:
+        type: "str"
+        description: "The TLS certificate key of the director (src)"
+      bareos_dir_tls_cert_key_dest:
+        type: "str"
+        description: "The TLS certificate key of the director (dest)"
       bareos_dir_catalogs:
         type: "list"
         default: []

diff --git a/tasks/assert.yml b/tasks/assert.yml
@@ -60,6 +60,78 @@
       - bareos_dir_tls_verify_peer is boolean
     quiet: true
 
+- name: assert | Test bareos_dir_tls_ca_cert_src
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_tls_ca_cert_src is defined
+      - bareos_dir_tls_ca_cert_src is string
+
+- name: assert | Test bareos_dir_tls_ca_cert_dest
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_tls_ca_cert_dest is defined
+      - bareos_dir_tls_ca_cert_dest is string
+
+- name: assert | Test bareos_dir_tls_cert_src
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_tls_cert_src is defined
+      - bareos_dir_tls_cert_src is string
+
+- name: assert | Test bareos_dir_tls_cert_dest
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_tls_cert_dest is defined
+      - bareos_dir_tls_cert_dest is string
+
+- name: assert | Test bareos_dir_tls_cert_key_src
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_tls_cert_key_src is defined
+      - bareos_dir_tls_cert_key_src is string
+
+- name: assert | Test bareos_dir_tls_cert_key_dest
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_tls_cert_key_dest is defined
+      - bareos_dir_tls_cert_key_dest is string
+
+- name: assert | Test bareos_dir_pools
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_pools is defined
+      - bareos_dir_pools is iterable
+    quiet: true
+
+- name: assert | Test bareos_dir_profiles
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_profiles is defined
+      - bareos_dir_profiles is iterable
+    quiet: true
+
+- name: assert | Test bareos_dir_schedules
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_schedules is defined
+      - bareos_dir_schedules is iterable
+    quiet: true
+
+- name: assert | Test bareos_dir_storages
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_storages is defined
+      - bareos_dir_storages is iterable
+    quiet: true
+
+- name: assert | Test bareos_dir_install_debug_packages
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_install_debug_packages is defined
+      - bareos_dir_install_debug_packages is boolean
+    quiet: true
+
+
 - name: assert | Test bareos_dir_catalogs
   ansible.builtin.assert:
     that:
@@ -113,40 +185,3 @@
   ansible.builtin.assert:
     that:
       - bareos_dir_messages is defined
-      - bareos_dir_messages is iterable
-    quiet: true
-
-- name: assert | Test bareos_dir_pools
-  ansible.builtin.assert:
-    that:
-      - bareos_dir_pools is defined
-      - bareos_dir_pools is iterable
-    quiet: true
-
-- name: assert | Test bareos_dir_profiles
-  ansible.builtin.assert:
-    that:
-      - bareos_dir_profiles is defined
-      - bareos_dir_profiles is iterable
-    quiet: true
-
-- name: assert | Test bareos_dir_schedules
-  ansible.builtin.assert:
-    that:
-      - bareos_dir_schedules is defined
-      - bareos_dir_schedules is iterable
-    quiet: true
-
-- name: assert | Test bareos_dir_storages
-  ansible.builtin.assert:
-    that:
-      - bareos_dir_storages is defined
-      - bareos_dir_storages is iterable
-    quiet: true
-
-- name: assert | Test bareos_dir_install_debug_packages
-  ansible.builtin.assert:
-    that:
-      - bareos_dir_install_debug_packages is defined
-      - bareos_dir_install_debug_packages is boolean
-    quiet: true
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -53,6 +53,28 @@
 - name: Run handlers
   ansible.builtin.meta: flush_handlers
 
+- name: Place TLS certificates
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: bareos
+    group: bareos
+    mode: "0640"
+    backup: "{{ bareos_dir_backup_configurations }}"
+  loop:
+    - src: bareos_dir_tls_ca_cert_src
+      dest: bareos_dir_tls_ca_cert_dest
+    - src: bareos_dir_tls_cert_src
+      dest: bareos_dir_tls_cert_dest
+    - src: bareos_dir_tls_cert_key_src
+      dest: bareos_dir_tls_cert_key_dest
+  when:
+    - bareos_dir_tls_enable
+    - bareos_dir_tls_enable
+    - bareos_dir_tls_ca_cert.src != ""
+    - bareos_dir_tls_cert.src != ""
+    - bareos_dir_tls_cert_key.src != ""
+
 - name: Place bareos-dir.conf
   ansible.builtin.template:
     src: bareos-dir.conf.j2

diff --git a/templates/bareos-dir.conf.j2 b/templates/bareos-dir.conf.j2
@@ -18,4 +18,13 @@ Director {
   Plugin Names = "{{ bareos_dir_plugin_name }}"
   Plugin Directory = "{{ bareos_dir_plugin_dir }}"
 {% endif %}
+{% if bareos_dir_tls_ca_cert_dest is defined and bareos_dir_tls_ca_cert_dest != "" %}
+  TLS CA Certificate File = "{{ bareos_dir_tls_ca_cert_dest }}"
+{% endif %}
+{% if bareos_dir_tls_cert_dest is defined and bareos_dir_tls_cert_dest != "" %}
+  TLS Certificate = "{{ bareos_dir_tls_cert_dest }}"
+{% endif %}
+{% if bareos_dir_tls_cert_key_dest is defined and bareos_dir_tls_cert_key_dest != "" %}
+  TLS Key = "{{ bareos_dir_tls_cert_key_dest }}"
+{% endif %}
 }