From 19d2172aa38339647914ca0e2a7e4a5f5748506d Mon Sep 17 00:00:00 2001
From: Joel Joos
Date: Tue, 1 Oct 2024 10:52:38 +0200
Subject: [PATCH 01/24] feat: added PAM Auth option
---
 templates/console.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/templates/console.conf.j2 b/templates/console.conf.j2
index 14fdb1d..7c9cc1c 100644
--- a/templates/console.conf.j2
+++ b/templates/console.conf.j2
@@ -19,6 +19,8 @@ Console {
 {% if item.tlsenable is defined %}
 TlsEnable = {{ item.tlsenable | ternary('Yes', 'No') }}
 {% endif %}
+{% if item.pamauth is defined %}
+ UsePamAuthentication = {{ item.pamauth | ternary('Yes', 'No') }}
 }
 {% else %}
 # This file is not enabled.
From cd92023295f8e3f009a8246eaa025b503e62ede7 Mon Sep 17 00:00:00 2001
From: Joel Joos
Date: Tue, 1 Oct 2024 10:59:11 +0200
Subject: [PATCH 02/24] chore: make linter happy
---
 templates/console.conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/console.conf.j2 b/templates/console.conf.j2
index 7c9cc1c..7a1ca15 100644
--- a/templates/console.conf.j2
+++ b/templates/console.conf.j2
@@ -21,6 +21,7 @@ Console {
 {% endif %}
 {% if item.pamauth is defined %}
 UsePamAuthentication = {{ item.pamauth | ternary('Yes', 'No') }}
+{% endif %}
 }
 {% else %}
 # This file is not enabled.
From b314df3238581caa2a55e396aed9ec44e6d8de52 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Thu, 5 Sep 2024 12:12:13 +0200
Subject: [PATCH 03/24] fix: '{{ }}' in loop
---
 tasks/main.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index d5a7ae9..b9916fc 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -62,12 +62,12 @@
 mode: "0640"
 backup: "{{ bareos_dir_backup_configurations }}"
 loop:
- - src: bareos_dir_tls_ca_cert_src
- dest: bareos_dir_tls_ca_cert_dest
- - src: bareos_dir_tls_cert_src
- dest: bareos_dir_tls_cert_dest
- - src: bareos_dir_tls_cert_key_src
- dest: bareos_dir_tls_cert_key_dest
+ - src: "{{ bareos_dir_tls_ca_cert_src }}"
+ dest: "{{ bareos_dir_tls_ca_cert_dest }}"
+ - src: "{{ bareos_dir_tls_cert_src }}"
+ dest: "{{ bareos_dir_tls_cert_dest }}"
+ - src: "{{ bareos_dir_tls_cert_key_src }}"
+ dest: "{{ bareos_dir_tls_cert_key_dest }}"
 when:
 - bareos_dir_tls_enable
 - bareos_dir_tls_ca_cert_src != ""
From a760230726177cf4d8e63bf629affab85550fc47 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 09:36:15 +0100
Subject: [PATCH 04/24] fix: bareos-dir.conf.j2 template TLS settings
fix the TLS if conditions, add option `bareos_dir_tls_allowed_cns`.
---
 templates/bareos-dir.conf.j2 | 30 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/templates/bareos-dir.conf.j2 b/templates/bareos-dir.conf.j2
index e6a12f1..c4c95bc 100644
--- a/templates/bareos-dir.conf.j2
+++ b/templates/bareos-dir.conf.j2
@@ -8,23 +8,27 @@ Director {
 Maximum Concurrent Jobs = {{ bareos_dir_max_concurrent_jobs }}
 {% endif %}
 Messages = "{{ bareos_dir_message }}"
-{% if not bareos_dir_tls_enable %}
- TLS Enable = No
+
+ TLS Enable = {{ bareos_dir_tls_enable | ternary("yes","no")}}
+{% if bareos_dir_tls_ca_cert_dest is defined and
+ bareos_dir_tls_cert_dest is defined and
+ bareos_dir_tls_cert_key_dest is defined
+%}
+ TLS CA Certificate File = {{ bareos_dir_tls_ca_cert_dest }}
+ TLS Certificate = {{ bareos_dir_tls_cert_dest }}
+ TLS Key = {{ bareos_dir_tls_cert_key_dest }}
 {% endif %}
-{% if bareos_dir_tls_verify_peer %}
- TLS Verify Peer = Yes
+
+ TLS Verify Peer = {{ bareos_dir_tls_verify_peer | default(false) | ternary("yes","no")}}
+{% if bareos_dir_tls_allowed_cns is defined and
+ bareos_dir_tls_allowed_cns is iterable %}
+{% for cn in bareos_dir_tls_allowed_cns %}
+ TLS Allowed CN = "{{ cn }}"
+{% endfor %}
 {% endif %}
+
 {% if bareos_dir_plugins is defined %}
 Plugin Names = "{{ bareos_dir_plugin_name }}"
 Plugin Directory = "{{ bareos_dir_plugin_dir }}"
 {% endif %}
-{% if bareos_dir_tls_ca_cert_dest is defined and bareos_dir_tls_ca_cert_dest != "" %}
- TLS CA Certificate File = "{{ bareos_dir_tls_ca_cert_dest }}"
-{% endif %}
-{% if bareos_dir_tls_cert_dest is defined and bareos_dir_tls_cert_dest != "" %}
- TLS Certificate = "{{ bareos_dir_tls_cert_dest }}"
-{% endif %}
-{% if bareos_dir_tls_cert_key_dest is defined and bareos_dir_tls_cert_key_dest != "" %}
- TLS Key = "{{ bareos_dir_tls_cert_key_dest }}"
-{% endif %}
 }
From 61a4a238b306862251cdb00c7c47b502988d92b9 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 09:37:57 +0100
Subject: [PATCH 05/24] chore(meta): update TLS argument_specs
---
 meta/argument_specs.yml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index 0c2e124..8c9ce2f 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
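Review bot: The new certificate block is guarded only by `is defined`, but tasks/main.yml in this same series (patch 03) tests `bareos_dir_tls_ca_cert_src != ""`, which suggests the role defaults these variables to empty strings; if so the guard is always true and the template renders `TLS CA Certificate File = ` with no value. The old empty-string test should be kept, e.g. `{% if bareos_dir_tls_ca_cert_dest | default("") != "" and bareos_dir_tls_cert_dest | default("") != "" and bareos_dir_tls_cert_key_dest | default("") != "" %}`. The rewrite also dropped the double quotes the removed lines had around the three paths (`TLS Key = "{{ bareos_dir_tls_cert_key_dest }}"`), so a path containing whitespace is likely no longer read as a single value. The enclosing `Director {` resource starts before the hunk.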
@@ -33,12 +33,20 @@ argument_specs:
 description: "The messages configuration to use."
 bareos_dir_tls_enable:
 type: "bool"
- default: yes
- description: "Enable TLS."
+ default: true
+ description: >
+ Enable TLS support.
+ If no certificates are configured PSK (Pre Shared Keys) ciphers will be used.
+ If the other side does not support TLS, or cleartext is configured the connection will be aborted.
 bareos_dir_tls_verify_peer:
 type: "bool"
- default: no
- description: "Verify the peer."
+ default: false
+ description: >
+ Request and verify the peers certificate.
+ In server context, unless the TLS Allowed CN configuration directive is specified,
+ any client certificate signed by a known-CA will be accepted.
+ In client context, the server certificate CommonName attribute is checked against the
+ Address and TLS Allowed CN configuration directives.
 bareos_dir_tls_ca_cert_src:
 type: "str"
 description: "The CA Certificate for the Director (src)"
@@ -57,6 +65,13 @@ argument_specs:
 bareos_dir_tls_cert_key_dest:
 type: "str"
 description: "The TLS certificate key of the director (dest)"
+ bareos_dir_tls_allowed_cns:
+ type: "list"
+ required: false
+ description: >
+ CN attribute of allowed peer certificates.
+ If `bareos_dir_tls_verify_peer` is true,
+ all connection request certificates will be checked against this list.
 bareos_dir_catalogs:
 type: "list"
 default: []
From e54b4d8f5c45ed0259f5aeadd4a0695a0379cb29 Mon Sep 17 00:00:00 2001
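Review bot: `bareos_dir_tls_allowed_cns` is declared as `type: "list"` without `elements: "str"`, while templates/bareos-dir.conf.j2 (patch 04) only checks `is iterable` before looping over it, and a plain string is iterable in Jinja2, so a scalar value would emit one `TLS Allowed CN` line per character. Declare the element type here, `elements: "str"`, as the `commandacl`/`jobacl` options added in patch 14 do, so spec validation rejects that shape before the template sees it.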
From: Patrick Hasler
Date: Wed, 30 Oct 2024 09:40:19 +0100
Subject: [PATCH 06/24] chore(ci): add TLS dummy test files for molecule
---
 molecule/default/tls_files/molecule-ca.pem | 34 +++++++++++++
 molecule/default/tls_files/molecule-test.key | 52 ++++++++++++++++++++
 molecule/default/tls_files/molecule-test.pem | 35 +++++++++++++
 3 files changed, 121 insertions(+)
 create mode 100644 molecule/default/tls_files/molecule-ca.pem
 create mode 100644 molecule/default/tls_files/molecule-test.key
 create mode 100644 molecule/default/tls_files/molecule-test.pem
diff --git a/molecule/default/tls_files/molecule-ca.pem b/molecule/default/tls_files/molecule-ca.pem
new file mode 100644
index 0000000..d22d987
--- /dev/null
+++ b/molecule/default/tls_files/molecule-ca.pem
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF6jCCA9KgAwIBAgIUfC/Gz2xsr6KrBFLNc2tpAYOK+BgwDQYJKoZIhvcNAQEL +BQAwgZ8xCzAJBgNVBAYTAkNIMRQwEgYDVQQIDAtCYXNlbC1TdGFkdDEOMAwGA1UE +BwwFQmFzZWwxEzARBgNVBAoMCkFkZmluaXMgQUcxEDAOBgNVBAsMB1Rlc3Rpbmcx +ITAfBgNVBAMMGGJhcmVvcy13ZWJ1aS5leGFtcGxlLmNvbTEgMB4GCSqGSIb3DQEJ +ARYRZHVtbXlAZXhhbXBsZS5jb20wHhcNMjQxMDI4MTMwNDQ1WhcNMjYxMDI4MTMw +NDQ1WjB6MQswCQYDVQQGEwJDSDEUMBIGA1UECAwLQmFzZWwtU3RhZHQxDjAMBgNV +BAcMBUJhc2VsMRAwDgYDVQQKDAdBZGZpbmlzMRAwDgYDVQQLDAdUZXN0aW5nMSEw +HwYDVQQDDBhiYXJlb3Mtd2VidWkuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCZAtCNVtFEvOgW2lbbTpsAnzQvqGDEV42UYgWl4hk/ +bpgl8+NBDHxNuQHDjAnRQcBSmw0ZgfgtKZm1nDvaiIhGmuCuzkxXWeBG31iEp/YS +4+X/ciN6/NPfyIBk08sA905y7fBIjCnYM+8D2gB0w1/INzHujBSrHU/upnkv9yKi +2WpmYo+BtzZu2Lpjs2FIVguoJPsyMfuS+W3oz6QeJZLTMNGdDXyUAoonOyihP0nB +dq3eMTOgB4c+XL+d6fvfxIVXGU4Cos1JVX4QiV2jzK7eIsoxoBUrnq3FwERxqCtr +IibOWDjo69Y2vSfpAAIWXtYqXEiccX70/+wZOz4KFbi2lNmT/9bx3annk+enXJ9J +fUX3QSH6SsyUROnDWMecth/wZeDwPeINzwU8R+iy09IauU4rj464icvQQQXjz5Iq +C/HYgMrUolXg4PIiiXpsMxnqglcvkEbW7H9mFAkJaK1yMdNjBPRKovIeQbo27Lr9 +ODBmXwC8c9LGTaE33QBtAo5CsxNb8Aq4wccZwL/F1dd5G0RNdtdOefGSmIFTyKXS ++rng5utrpZGEAMymZa+zA+bSspQ1gQvuhp3ELKLwO/ByPElcBZX2QMblJRcXFJ7d +eIJ2e++GE9+RhL2h25ePcjDwtAq2BaTQA3NJhCMeXptV0wwFPLBKvbB1Z+qNE4P8 +AQIDAQABo0IwQDAdBgNVHQ4EFgQUTPS2FzCmAWW3arAS978YU8u8fAowHwYDVR0j +BBgwFoAUX/Q1ekxqcabTcuZsDvl9iwVvVrcwDQYJKoZIhvcNAQELBQADggIBAF94 +MGDv75jX2pR4ONE0Uy0/+bc2lz6PL0LfyIDpMh1RELTy08uCp0hCkeHuDZNOsZxc +X8J3PhtF9e5vimd/tbTyvPxvRKy7XQLkq3TumtVH0tu8sGj1LlVNw5+1dBgDrwPC +xX0UMx6RHRweHCbtOLqlNy4AEj+R7h0piU76oen8BWVJuinC+nidp4RDcVHOZAt/ +Y0gEA1wwE9mxo7WGGMzWo9PpbL2PnJIbBfKs/Gj58EoNzmHJWE8dhusADwLEDOu1 +KVUf8mqkzCn2/EHYKtbOBtHHOwG7qseLUiXJ+98e2AwJ9MpdpvBskR3oqMkObmo7 +OiiUZxXI6wEqPwzZeBVJujBY7UmXR1CQgJ3r6i3UBZRthejCxJM91aYR0VIqqcTT +OAs+szVklaUfMB381EX3KFIWZYIHVbc7kHROeu3e6ufgCqRgpWQjhvR47glxHlYR +GH8O5hcSAwvPfhnsQ2zXd6X24nujusNS1SbILX0etBTSI5s8++2g/wVDq2YEc/3l 
+cMpRRnAx2qH8u/cOUWhShc4jTyJ6+7wRAkglhy/G17e1TDNCCUzTXxSlxoX9NKwm +R3jB8RhzWh7Q/+n4s6vRT2toBu/mbT/Ohukh+wDkd893xbhcQ2db1JT8aocp79RK +D0mLqasMsj2DrmWt2Lsf1XY8cOGoRizUsGops36X +-----END CERTIFICATE----- diff --git a/molecule/default/tls_files/molecule-test.key b/molecule/default/tls_files/molecule-test.key new file mode 100644 index 0000000..bbde1e6 --- /dev/null +++ b/molecule/default/tls_files/molecule-test.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCZAtCNVtFEvOgW +2lbbTpsAnzQvqGDEV42UYgWl4hk/bpgl8+NBDHxNuQHDjAnRQcBSmw0ZgfgtKZm1 +nDvaiIhGmuCuzkxXWeBG31iEp/YS4+X/ciN6/NPfyIBk08sA905y7fBIjCnYM+8D +2gB0w1/INzHujBSrHU/upnkv9yKi2WpmYo+BtzZu2Lpjs2FIVguoJPsyMfuS+W3o +z6QeJZLTMNGdDXyUAoonOyihP0nBdq3eMTOgB4c+XL+d6fvfxIVXGU4Cos1JVX4Q +iV2jzK7eIsoxoBUrnq3FwERxqCtrIibOWDjo69Y2vSfpAAIWXtYqXEiccX70/+wZ +Oz4KFbi2lNmT/9bx3annk+enXJ9JfUX3QSH6SsyUROnDWMecth/wZeDwPeINzwU8 +R+iy09IauU4rj464icvQQQXjz5IqC/HYgMrUolXg4PIiiXpsMxnqglcvkEbW7H9m +FAkJaK1yMdNjBPRKovIeQbo27Lr9ODBmXwC8c9LGTaE33QBtAo5CsxNb8Aq4wccZ +wL/F1dd5G0RNdtdOefGSmIFTyKXS+rng5utrpZGEAMymZa+zA+bSspQ1gQvuhp3E +LKLwO/ByPElcBZX2QMblJRcXFJ7deIJ2e++GE9+RhL2h25ePcjDwtAq2BaTQA3NJ +hCMeXptV0wwFPLBKvbB1Z+qNE4P8AQIDAQABAoICABBTDI0HxivfO6O0h6++Iytd +0OOEw04vSRubmZ6pEKiD1Be4fXZjLp/cLSP/vMxmh25IvI0MIL4wwgVuNbSK/H8L +5wy/VcW8AQGOspL0mHxLdC5crwxgDPrDGW+oaPAhcm0wlYIn8g7u+4EdsQ7ECWQC +/4DD0TCwX+bGPAeyBi/5ojBqM4VTVqtc1AXvDWH6TCQUTfh8/KohkmhUPt44hAGk +I7jtx2zDGJo25Y7Ogb/yOXqLJUbdhsBQhOEEJasp/E/ek0QUunIofNqmzSa8n6tz +ar8ApUGSHFgMu0ClAHzdl+ZL40Z2YtRUOf3R0mcwlwjN77FBKppY84d9mpDY4Gvw +BJZ7X4Sl52lTh2pU9H8a1Pn4fVrxtCcFqEQV5nLemGO9W2APF0KaNGKRVg2ogc5P +1bHR60bUjznU6C+vxaILXy0loeWq0pUZlXJoAf5iNzIOEgFGAei5EdR/pBJcLnNW +I6dmvFcK3I2IqbhNJ3/wah4avsYim36aWR2WjU8ujfbI7PfDyv3NCuV/bm2MRAze +/LHAr347d8I4n+Ft1zrgdQHshtwAEYXCUs5nsD6+cUMYac89LcqbmTvQ++H7QI5M +XgGWxaZAwGK7CO9kgQNdPLtDUYzLkhkvv44GXpBpPSntUNFc7pN6dEWgifPcIzcA +X3+3iTbisda/JUsk2ecBAoIBAQDS4USqV5L03fr8hyI45qh11MDjGgqvlR0Tsphd +0Oj5gVPMoSX8y+KYOm+tOBS9JSkt9aXnuztJ+zPmBvZiGgYh4aRodzDRDUdE7WlY +NFs8Ay870aqsF2I87lKWTtUBNgV7DzgIPXWfcxoS/e4M2jqhrAwwiQohC9EK7Gai +XH0/bPbJsXXTDtPJpKe561rrmrjYvUCSkv9C+l2Y/H/seNijJXFuXZ/h/HEy87ZV +rRV9lihPNkkPr4KDsPGSQf69JsjmrGbeILxzCg27PHpb3Y7SfeGXj7IWMtiy0s6j +hRXZ/Qzms+I9FcsYxn8OdXttmUs6luwjCSEX6IEUWEdA5nlVAoIBAQC5v9V8hvxL +W3n1FHFa1JlwJzljnvMn2D6YWDPVq/ubZt/Bs+AhxUPDt5XqC3SMcYbdzHPNbKbZ 
+E3PIeAW9h+QGIzkw90DvcZwX0xOAMoAdjFLO3gA0UzyhtOZUaB4iT5tpLuA1Zqg6 +bk5jx2E6GbC5TCsjc5BLsBEqZ8kKNGwbGz4viuFmHA5EjrpKDfAWs1Yd22FYNkog +fEVjB65zlYTl77wn+dvpwDXP4IbRYLITfuNxiipIdn+V0saDQAd+seEZaOUpiUCZ +W3gX/7jvOIZdX6g42RZLCt0Sn1Y5XmHgWK4cB8p+KaidEGBAYn3P8YYSEYGz+v3c +hytbVPi1ucf9AoIBABcRX1KG6+NvWOJA4gR5btoc4NC2645TcG/ULIiurp2EgSc0 +RZSGtQ3T7p1zMgmSxBNr+K8FszGfkgjKoC8RC7SvGy32Q9fKbQ5kLg7hA03oR0Vy +5QmYMT3bEBuzGefdAfJ5MrbsCi7cB3EmZ+DuClXfHSI+C2acBUz9mSiPl3/VqpVb +nTjuOUqogVR8I2D8dtX2tdaSz+uCubRfgpraiVAna2YYRcIRvExHjp2GpoAradNo +a8uUdmFzfKl0IKqOUJGzMDmCOTsYUXI25megL9xkusW6iU+WVlARcVs/1qkW3k9q +RAhMlv/pzsJFJbBSgYEyOziF6iHUZDJWiczWqVUCggEAJ6pigXwl5kW7jm12I2pg +9cU6iR6JWEniXBABybA3Q6E9SRULWMrSRLowhlE56z/XCAg/9m8sVhDEWdvfhfC9 +7d2Zue4i7L77EU9ey7J9D1JG4KwhqQrZWMLTqNSvEq6jRlvfPygT5p5lmQMbrReN +WJR+Zcyo1LDdiYuuL8KwDz3LEsX6ih6VoWhFOckuKvrS+f8+E2NMgxFmk9YxF7en +MJ74NCU0I/+KvkB5Kb8XZ/hhw344t06uwiTHhYGn2BNOOWnf/fW0WMtiouVV7afJ +cakauEELdKz2NqLV+9w+1HS7gXrccAKfYiL8GuOtcDloYvVgGDoR+gTXamKD1fK9 +VQKCAQAHPI4XEf9RQOvyHq4IRNGSqFp9jcSM1Xq5A7fFQ2E+FVmb5j3D1tPCn8gx +cMcOU6giELiwkTGtHzHX2Ys25ya/3HMBSMQtlScJUQAUmdU1ZZPxaWnOw03h/+Zh +kzxAnLdgdkkvEGFyGWJGzOT2Si1vDDegfvucFXiQyUEen539O8+khznu3vuJbgDt +V4jtUB8ZM0vQYQSiKXP6QLMGD+ddOVK3IQEMQAUhXjcO9UPF1RrBIwqgoFZTIm94 +nbs1AK9ChW13yV0OKvJuUYOq0gHPPIMaI/5cVNmC1YjeYHx8++s2r0ZpJ0NAiLka +JCTfWhmiwPKkEyK5rJq5zOQpyf6g +-----END PRIVATE KEY----- diff --git a/molecule/default/tls_files/molecule-test.pem b/molecule/default/tls_files/molecule-test.pem new file mode 100644 index 0000000..5ecfd24 --- /dev/null +++ b/molecule/default/tls_files/molecule-test.pem 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGITCCBAmgAwIBAgIUO3payEGDpdtdlo8hzloqR7OMBAkwDQYJKoZIhvcNAQEL +BQAwgZ8xCzAJBgNVBAYTAkNIMRQwEgYDVQQIDAtCYXNlbC1TdGFkdDEOMAwGA1UE +BwwFQmFzZWwxEzARBgNVBAoMCkFkZmluaXMgQUcxEDAOBgNVBAsMB1Rlc3Rpbmcx +ITAfBgNVBAMMGGJhcmVvcy13ZWJ1aS5leGFtcGxlLmNvbTEgMB4GCSqGSIb3DQEJ +ARYRZHVtbXlAZXhhbXBsZS5jb20wHhcNMjQxMDI4MTI1NDUzWhcNMjkxMDI4MTI1 +NDUzWjCBnzELMAkGA1UEBhMCQ0gxFDASBgNVBAgMC0Jhc2VsLVN0YWR0MQ4wDAYD +VQQHDAVCYXNlbDETMBEGA1UECgwKQWRmaW5pcyBBRzEQMA4GA1UECwwHVGVzdGlu +ZzEhMB8GA1UEAwwYYmFyZW9zLXdlYnVpLmV4YW1wbGUuY29tMSAwHgYJKoZIhvcN +AQkBFhFkdW1teUBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBALG1vmmRPoussCeWddH6LYw/SrhbfwWoGU14G/GuSE+I+rGOq72TDxBz +hUxJSsZFt7b0w+4Fw/iiGL26H/fqpGIRgKV6WqAzzAjLVhKpxT6IHclH6tbEjk97 +1xFW9sJPq2mw7z7C9qY6pDSG+Cz4zcMKcxo6HtFCRL5Nw5l1Dyns1Yv3ODx5wsR3 +qdkSbZfo0Qvx6c7RPfLCiyy41ueX9IpKPzwBieGoBqcPC75vdarGDApBRkydCsjo +5pR+zjAGHpyOmdHvm59cg//RjNIpTwb/VLK6/2F5O3aqfBTro5p9ADR77my/Gc5Q +u0xAd9zPmKPc4HrRlbX0usVyb3JKXUf2LpiGkjkeiNaQuXNhhgSEJvW0aNuuvwcP +JeQ6WJxObfqOq3WSpY4wztzOW90xecx/4BGgB2BDVwSJfDbsxVZhSpLdZ2RPhyvA +G72qyFoRRaDnDOpmGmkMY9I1rzm7o/nUNpwsCHo35V+psWbMW9HPVKK2AcWZb1El +27Y+DvlytidftcObLQKFKsIyxtBidV8sJUvJNlJ3lNf8g3lrzVwDBTm1g8AvzhwS +LyKxGY5jw7KDhL7AXBEg7IiPxwcoolVcf2/+rWooSa5HIHzyOsONk7ZkE00kUlx5 +8C3tgafyqsmxDashlSjfMzNnXmbJo9lW24lot58v4qRnmYhjhe0RAgMBAAGjUzBR +MB0GA1UdDgQWBBRf9DV6TGpxptNy5mwO+X2LBW9WtzAfBgNVHSMEGDAWgBRf9DV6 +TGpxptNy5mwO+X2LBW9WtzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4ICAQClXdzTSZZQkg55reHK79O6RomxvLg3ereSmKwKyhrNky4SlZ1HsN6BR8FF +sDFloXIsslIVUzkf3uosg5j7Gp9QPAU+OqzBKThPgjPuwocuT7qBQYGeJgeJ/pwB +dVHlKnDTX0pKatGm1j7xa6JIsLlvo9VHQ3O/Ofj7im6K9lBfnTu13zQq1WU9n0Yk +TYvr6+7FfHITBv9VKv/rCBbYF5iaQD+Nphpk2GOBGkxrscMMeLrifMv9IA/J86K0 +D/aroBpbRmzuO7RWcqduiiULakrWqmFS5JOYEHdVmMys7WMjycr+hrEl3G5aUgp1 +2Ufr32wNQvzmXvssZkS7eKvcWtvjJPLDofZ5T3rWahiHqcP77wBXAklwdk6MBChK +YpxYQVH7qH8K1Q3hdbAs0zZaPLpXSjI8d5Cc03+BWiusxsTms9OOhsXCIa+7cc4x 
+DK2PNGUb6ug4nCZ/pE16g1k12BePao2MKryEfEMIrh7egJdpdpmWMzI0BcFvR2vR
+lFdtBVSdlVqk1BIxmWyN7OfsHSrwqYE9MT5RJz2wszMYk15RyrqvSKZMzKIWEaL9
+VW6OyOmsurs/OsFADX1A8ySjxqz1NPwxh9qXtj01VOA4zm1OgfIIyEYgBKxm2ZnI
+6mQkTRV2w2557KjeTjPtruR9ne4jT2YwTbnC9pMnuUAdB2FMxA==
+-----END CERTIFICATE-----
From a761f75cea0f18249498ec419a6d5648143b4dfd Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 09:40:55 +0100
Subject: [PATCH 07/24] chore(ci): add TLS vars in molecule converge
---
 molecule/default/converge.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 29ccf75..95190e5 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -273,6 +273,15 @@
 bareos_dir_plugins:
 - director-python
+ bareos_dir_tls_enable: true
+ bareos_dir_tls_cert_src: "tls_files/molecule-test.pem"
+ bareos_dir_tls_ca_cert_src: "tls_files/molecule-ca.pem"
+ bareos_dir_tls_cert_key_src: "tls_files/molecule-test.key"
+ bareos_dir_tls_verify_peer: true
+ bareos_dir_tls_allowed_cns:
+ - "bareos-01@example.com"
+ - "bareos-02@example.com"
+
 - role: adfinis.bareos_console
 bareos_console_directors:
 - name: bareos-dir
From 0a2f0bb732f41448ef25517414b95decf2ccdc45 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 09:52:35 +0100
Subject: [PATCH 08/24] chore(ci): remove old distros from matrix
---
 .github/workflows/molecule.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 9542456..f9e0b44 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: ansible-lint
 uses: ansible-community/ansible-lint-action@main
 test:
@@ -30,18 +30,12 @@ jobs:
 tag: "latest"
 - image: "debian"
 tag: "bullseye"
- - image: "debian"
- tag: "buster"
 - image: "enterpriselinux"
 tag: "8"
 - image: "enterpriselinux"
 tag: "latest"
- - image: "fedora"
- tag: "38"
 - image: "fedora"
 tag: "39"
- # TODO no packages for fedora 40 yet: https://download.bareos.org/current/
- # pipeline will fail for now. replace 38 as soon as 40 is ready and working.
 - image: "fedora"
 tag: "latest"
 - image: "opensuse"
From 2c0250e7f23e23d0ff0cb2f07016dfa10de9c094 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 10:05:10 +0100
Subject: [PATCH 09/24] fix(ci): drop unsupported distros
drop all distros that are sadly incompatible with the `robertdebock.bootstrap` role.
---
 .github/workflows/molecule.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index f9e0b44..5fe1f3f 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -30,20 +30,16 @@ jobs:
 tag: "latest"
 - image: "debian"
 tag: "bullseye"
- - image: "enterpriselinux"
- tag: "8"
 - image: "enterpriselinux"
 tag: "latest"
 - image: "fedora"
 tag: "39"
 - image: "fedora"
 tag: "latest"
- - image: "opensuse"
- tag: "latest"
 - image: "ubuntu"
- tag: "latest"
+ tag: "jammy"
 - image: "ubuntu"
- tag: "focal"
+ tag: "latest"
 steps:
 - name: checkout
 uses: actions/checkout@v4
From 7845994e0c9c67e5d69ae19f1017974a67682f55 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 11:49:34 +0100
Subject: [PATCH 10/24] chore(ci): rm TODO, requirements2png actions
---
 .github/workflows/requirements2png.yml | 35 --------------------------
 .github/workflows/todo.yml | 20 ---------------
 2 files changed, 55 deletions(-)
 delete mode 100644 .github/workflows/requirements2png.yml
 delete mode 100644 .github/workflows/todo.yml
diff --git a/.github/workflows/requirements2png.yml b/.github/workflows/requirements2png.yml
deleted file mode 100644
index 6ce9be7..0000000
--- a/.github/workflows/requirements2png.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-#
-# Ansible managed
-#
-
-on:
- - push
-
-name: Ansible Graphviz
-
-jobs:
- build:
- runs-on: ubuntu-20.04
- permissions:
- contents: write
- steps:
- - name: checkout
- uses: actions/checkout@v3
- with:
- path: ${{ github.repository }}
- - name: create png
- uses: robertdebock/graphviz-action@1.0.7
- - name: Commit files
- run: |
- cd ${{ github.repository }}
- git config --local user.email "github-actions[bot]@users.noreply.github.com"
- git config --local user.name "github-actions[bot]"
- git add requirements.dot requirements.png
- git commit -m "Add generated files"
- - name: save to png branch
- uses: ad-m/github-push-action@master
- with:
- directory: ${{ github.repository }}
- force: true
- branch: png
diff --git a/.github/workflows/todo.yml b/.github/workflows/todo.yml
deleted file mode 100644
index 3e6e417..0000000
--- a/.github/workflows/todo.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-#
-# Ansible managed
-#
-
-name: "TODO 2 Issue"
-
-on:
- push:
-
-jobs:
- build:
- runs-on: "ubuntu-20.04"
- steps:
- - uses: "actions/checkout@master"
- - name: "TODO to Issue"
- uses: "alstr/todo-to-issue-action@v2.3"
- id: "todo"
- with:
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 72f75e8710aeaedff791781192693c16aa1f9a67 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 30 Oct 2024 11:52:53 +0100
Subject: [PATCH 11/24] doc: update README
---
 README.md | 26 +++----------------------
 1 file changed, 3 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index 8e0061c..20524c9 100644
--- a/README.md
+++ b/README.md
@@ -359,40 +359,20 @@ bareos_dir_schedules: [] bareos_dir_storages: [] ``` -## [Requirements](#requirements) - -- pip packages listed in [requirements.txt](https://github.com/adfinis/ansible-role-bareos_dir/blob/master/requirements.txt). - -## [State of used roles](#state-of-used-roles) - -The following roles are used to prepare a system. You can prepare your system in another way. - -| Requirement | GitHub | GitLab | -|-------------|--------|--------| -|[robertdebock.bootstrap](https://galaxy.ansible.com/adfinis/robertdebock.bootstrap)|[![Build Status GitHub](https://github.com/adfinis/robertdebock.bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/adfinis/robertdebock.bootstrap/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/robertdebock.bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/robertdebock.bootstrap)| -|[adfinis.bareos_repository](https://galaxy.ansible.com/adfinis/bareos_repository)|[![Build Status GitHub](https://github.com/adfinis/ansible-role-bareos_repository/workflows/Ansible%20Molecule/badge.svg)](https://github.com/adfinis/ansible-role-bareos_repository/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-bareos_repository/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-bareos_repository)| -|[robertdebock.buildtools](https://galaxy.ansible.com/adfinis/robertdebock.buildtools)|[![Build Status GitHub](https://github.com/adfinis/robertdebock.buildtools/workflows/Ansible%20Molecule/badge.svg)](https://github.com/adfinis/robertdebock.buildtools/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/robertdebock.buildtools/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/robertdebock.buildtools)| -|[robertdebock.epel](https://galaxy.ansible.com/adfinis/robertdebock.epel)|[![Build Status 
GitHub](https://github.com/adfinis/robertdebock.epel/workflows/Ansible%20Molecule/badge.svg)](https://github.com/adfinis/robertdebock.epel/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/robertdebock.epel/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/robertdebock.epel)| -|[robertdebock.python_pip](https://galaxy.ansible.com/adfinis/robertdebock.python_pip)|[![Build Status GitHub](https://github.com/adfinis/robertdebock.python_pip/workflows/Ansible%20Molecule/badge.svg)](https://github.com/adfinis/robertdebock.python_pip/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/robertdebock.python_pip/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/robertdebock.python_pip)| -|[robertdebock.postgres](https://galaxy.ansible.com/adfinis/robertdebock.postgres)|[![Build Status GitHub](https://github.com/adfinis/robertdebock.postgres/workflows/Ansible%20Molecule/badge.svg)](https://github.com/adfinis/robertdebock.postgres/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/robertdebock.postgres/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/robertdebock.postgres)| - ## [Context](#context) This role is a part of many compatible roles. Have a look at [the documentation of these roles](https://adfinis.com/) for further information. 
-Here is an overview of related roles:
-![dependencies](https://raw.githubusercontent.com/adfinis/ansible-role-bareos_dir/png/requirements.png "Dependencies")
-
 ## [Compatibility](#compatibility)
 This role has been tested on these [container images](https://hub.docker.com/u/robertdebock):
 |container|tags|
 |---------|----|
-|[Debian](https://hub.docker.com/r/robertdebock/debian)|buster, bullseye, bookworm|
+|[Debian](https://hub.docker.com/r/robertdebock/debian)|bullseye, bookworm|
 |[EL](https://hub.docker.com/r/robertdebock/enterpriselinux)|9|
-|[Fedora](https://hub.docker.com/r/robertdebock/fedora)|38, 39|
-|[Ubuntu](https://hub.docker.com/r/robertdebock/ubuntu)|jammy|
+|[Fedora](https://hub.docker.com/r/robertdebock/fedora)|39, 40|
+|[Ubuntu](https://hub.docker.com/r/robertdebock/ubuntu)|jammy, numbat|
 The minimum version of Ansible required is 2.12, tests have been done to:
From d6ca5f57ce49a4a8ebd73d58601fcb588e937a1a Mon Sep 17 00:00:00 2001
From: Marlon Moser
Date: Tue, 29 Oct 2024 14:28:29 +0100
Subject: [PATCH 12/24] ci: use reusable workflows
---
 .github/workflows/galaxy.yml | 13 +++----------
 .github/workflows/semantic-release.yml | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/semantic-release.yml
diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml
index 1f8d455..9c09ba4 100644
--- a/.github/workflows/galaxy.yml
+++ b/.github/workflows/galaxy.yml
@@ -1,18 +1,11 @@
 ---
-#
-# Ansible managed
-#
-
 name: Release to Ansible Galaxy
 on:
 release:
 types: [created, edited, published, released]
+
 jobs:
 release:
- runs-on: ubuntu-20.04
- steps:
- - name: galaxy
- uses: robertdebock/galaxy-action@1.2.1
- with:
- galaxy_api_key: ${{ secrets.galaxy_api_key }}
+ uses: adfinis/github-workflows-bareos/.github/workflows/ansible-role.yaml@v0.1.0
+ secrets: inherit
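Review bot: `uses: adfinis/github-workflows-bareos/.github/workflows/ansible-role.yaml@v0.1.0` pins the reusable workflow to a mutable tag, and `secrets: inherit` hands every repository and organisation secret to it, so whoever can move that tag gains all of them. Pin to the full commit SHA with the tag kept as a trailing comment, `uses: adfinis/github-workflows-bareos/.github/workflows/ansible-role.yaml@<COMMIT_SHA>  # v0.1.0`, and pass only the secret the release needs under `secrets:` explicitly, as the new semantic-release.yml in this commit already does with `ADFINISBOT_GITHUB_TOKEN`. The same SHA pinning applies to the `uses:` line in semantic-release.yml.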
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
new file mode 100644
index 0000000..a7cf072
--- /dev/null
+++ b/.github/workflows/semantic-release.yml
@@ -0,0 +1,15 @@
+---
+# runs on each push to main and is responsible for creating new tags/releases
+name: Create Semantic Release
+
+on:
+ push:
+ branches:
+ - main
+ - master
+
+jobs:
+ semantic-release:
+ uses: adfinis/github-workflows-bareos/.github/workflows/semantic-release.yaml@v0.1.0
+ secrets:
+ ADFINISBOT_GITHUB_TOKEN: ${{ secrets.ADFINISBOT_GITHUB_TOKEN }}
From b637b07bf37ce1c193f95fc950c68667de1de0ee Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Tue, 5 Nov 2024 18:09:48 +0100
Subject: [PATCH 13/24] chore: update options templates/console.conf.j2
---
 templates/console.conf.j2 | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/templates/console.conf.j2 b/templates/console.conf.j2
index 7a1ca15..e9c7770 100644
--- a/templates/console.conf.j2
+++ b/templates/console.conf.j2
@@ -7,20 +7,18 @@ Console {
 Description = "{{ item.description }}"
 {% endif %}
 Password = "{{ item.password }}"
+ TLS Enable = {{ item.tls_enable | default(true) | ternary('Yes', 'No') }}
 {% if item.commandacl is defined %}
- CommandACL = {{ item.commandacl | join(', ') }}
+ Command ACL = {{ item.commandacl | join(', ') }}
 {% endif %}
 {% if item.jobacl is defined %}
- JobACL = {{ item.jobacl | join(', ') }}
+ Job ACL = {{ item.jobacl | join(', ') }}
 {% endif %}
 {% if item.profile is defined %}
 Profile = "{{ item.profile }}"
 {% endif %}
-{% if item.tlsenable is defined %}
- TlsEnable = {{ item.tlsenable | ternary('Yes', 'No') }}
-{% endif %}
-{% if item.pamauth is defined %}
- UsePamAuthentication = {{ item.pamauth | ternary('Yes', 'No') }}
+{% if item.use_pam_authentication is defined %}
+ UsePamAuthentication = {{ item.use_pam_authentication | ternary('Yes', 'No') }}
 {% endif %}
 }
 {% else %}
From 3a4fe7bd28b072ff761135c5d2be294643500ccf Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Tue, 5 Nov 2024 18:22:15 +0100
Subject: [PATCH 14/24] chore(meta): `bareos_dir_consoles` argument_specs
---
 meta/argument_specs.yml | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index 8c9ce2f..849956b 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -79,7 +79,44 @@ argument_specs:
 bareos_dir_consoles:
 type: "list"
 default: []
- description: "A list of consoled to configure."
+ description: "A list of consoles to configure."
+ elements: "dict"
+ options:
+ name:
+ type: "str"
+ required: true
+ description: >
+ The name of the console.
+ This name must match the name specified at the Console client.
+ description:
+ type: "str"
+ password:
+ type: "str"
+ required: true
+ description: >
+ Specifies the password that must be supplied for a named Bareos Console to be authorized.
+ commandacl:
+ type: "list"
+ elements: "str"
+ jobacl:
+ type: "list"
+ elements: "str"
+ profile:
+ type: "str"
+ description: >
+ See https://docs.bareos.org/Configuration/Director.html#directorresourceprofile
+ tls_enable:
+ type: "bool"
+ default: true
+ description: "Enable TLS support."
+ use_pam_authentication:
+ type: "bool"
+ default: false
+ description: >
+ Use PAM authentication for this console.
+ Cannot be used in combination with the option `profile` or `commandacl`!
+ See: https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration
+
 bareos_dir_counters:
 type: "list"
 default: []
From 5cf11cdf8dd8edc5638c1d8b170ce894e6af2691 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Tue, 5 Nov 2024 18:22:53 +0100
Subject: [PATCH 15/24] feat(ci): bareos_dir_consoles with PAM auth
---
 molecule/default/converge.yml | 6 ++++++
 1 file changed, 6 insertions(+)
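Review bot: The `password` option under `bareos_dir_consoles` is `required: true` but not `no_log: true`, so a failed spec validation of a console entry prints the console password in the error output; add `no_log: true` beneath `type: "str"` for `password:` (the role argument-spec validator honours it as far as I know — verify against your Ansible version). The `use_pam_authentication` description says it cannot be combined with `profile` or `commandacl`, but nothing in the spec or the template enforces that; either state what Bareos does when both are set, or add an `ansible.builtin.assert` over `bareos_dir_consoles` in tasks/main.yml so the conflict fails at deploy time instead of at login.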
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 95190e5..74e3ca6 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -24,6 +24,12 @@
 - .status
 jobacl:
 - "*all"
+ tls_enable: true
+ - name: pam-console
+ description: "Console uses PAM authentication"
+ password: "MySecretPAMPassword"
+ tls_enable: true
+ use_pam_authentication: true
 bareos_dir_clients:
 - name: bareos-fd
 address: 127.0.0.1
From 7cd38fdcc66f06dca10b135c7915a10b252e5af8 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 6 Nov 2024 17:15:54 +0100
Subject: [PATCH 16/24] feat: add vars/defaults for PAM support
---
 defaults/main.yml | 3 +++
 vars/Debian.yml | 4 ++++
 vars/main.yml | 2 ++
 3 files changed, 9 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 92afcfc..b5e7ccf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -77,3 +77,6 @@ bareos_dir_schedules: []
 # A list of storages to configure.
 bareos_dir_storages: []
+
+# Enable PAM authentication
+bareos_dir_pam_auth_enable: false
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 985e69c..cf9f5a2 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -8,3 +8,7 @@ bareos_dir_debug_packages:
 - gdb
 bareos_dir_plugin_dir: "/usr/lib/bareos/plugins"
+
+bareos_dir_pam_auth_requirements:
+ - libpam-modules
+ - python3-bareos
diff --git a/vars/main.yml b/vars/main.yml
index 9345e17..6dce040 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -27,3 +27,5 @@ bareos_dir_plugin_list:
 - name: director-python
 packages:
 - bareos-director-python3-plugin
+
+bareos_dir_pam_auth_requirements: []
From 1fe61201778387eff91d03fe6aca4e13b4fd6cc7 Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Wed, 6 Nov 2024 17:16:31 +0100
Subject: [PATCH 17/24] chore(meta): argument_specs PAM auth variables
---
 meta/argument_specs.yml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
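Review bot: defaults/main.yml gains only `bareos_dir_pam_auth_enable`, while the `default:` values for `bareos_dir_pam_auth_method`, `_profile`, `_username` and `_tls_enable` exist solely in meta/argument_specs.yml (patch 17), which documents defaults but does not set variables. The import guard in tasks/main.yml (patch 18) requires `bareos_dir_pam_auth_method is defined`, so a user who sets only `bareos_dir_pam_auth_enable: true` gets the whole PAM setup silently skipped, and tasks/pam_auth.yml has to repeat the documented defaults through `default(...)` filters. Add the documented defaults here so the two files agree, starting with `bareos_dir_pam_auth_method: "unix"` and `bareos_dir_pam_auth_tls_enable: false`, with the profile and username entries alongside them.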
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index 849956b..12d9add 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -167,3 +167,40 @@ argument_specs:
 elements: "str"
 required: false
 version_added: v1.1.0
+ bareos_dir_pam_auth_enable:
+ type: "bool"
+ default: false
+ description: >
+ Setup Bareos Director to use PAM authentication via Unix socket or LDAP socket.
+ Follows the setup guide at
+ https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration
+ bareos_dir_pam_auth_method:
+ type: "str"
+ default: "unix"
+ choices:
+ - "ldap"
+ - "unix"
+ description: "Decide if Unix or LDAP socket should be used for PAM authentication"
+ bareos_dir_pam_auth_profile:
+ type: "str"
+ default: "webui-admin"
+ description: "The Bareos profile to use for the user, after a successful login attempt"
+ bareos_dir_pam_auth_username:
+ type: "str"
+ default: "pam-adduser"
+ description: >
+ Technical user account for the Bareos Console connection.
+ Required to be able to add the user resources in Bareos, after a successful PAM authentication.
+ bareos_dir_pam_auth_password:
+ type: "str"
+ default: "lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname')"
+ description: >-
+ Password for technical user account for the Bareos Console connection.
+ Randomized, but idempotent password will be generated if variable is unset.
+ bareos_dir_pam_auth_tls_enable:
+ type: "bool"
+ default: false
+ description: >
+ If TLS should be used for the Bareos Console
+ WebUI does not support pre-shared keys (PSK), so if this is desired,
+ an actual CA and certificates need to be in place.
From ddd5381e9abd84928be1a1e5d0ee3b56dfa3890d Mon Sep 17 00:00:00 2001
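Review bot: The `default:` of `bareos_dir_pam_auth_password` is a literal string with an unbalanced quote (`seed=inventory_hostname')`), and the seeded lookup it describes is fully determined by `inventory_hostname`, so the description should say the generated password is predictable from the hostname rather than "Randomized". Since the option holds a secret, add `no_log: true` under it (the argument-spec validator honours it as far as I know — verify), and drop the pseudo-lookup `default:` in favour of a sentence such as `A deterministic password derived from inventory_hostname is generated by tasks/pam_auth.yml when this is unset; set it explicitly for production.` The `bareos_dir_pam_auth_profile` description should also note that the profile (default `webui-admin`) must already exist in the Director configuration, since nothing visible in this series creates it.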
From: Patrick Hasler
Date: Wed, 6 Nov 2024 17:18:03 +0100
Subject: [PATCH 18/24] feat: tasks/pam_auth.yml for PAM authentication
Set up PAM authentication on Bareos Director according to Bareos documentation[1]. This is a biased implementation, adding a dedicated Bareos Console, which is used to generate new Bareos users after successful PAM authentication (unix or LDAP socket). Refs: [1] https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration
---
 tasks/main.yml | 9 ++++++
 tasks/pam_auth.yml | 78 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 tasks/pam_auth.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index b9916fc..1bb32ea 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -277,6 +277,15 @@
 - bareos_dir_plugins is defined
 - bareos_dir_plugins is iterable
+- name: Import PAM authentication tasklist
+ ansible.builtin.import_tasks:
+ file: pam_auth.yml
+ when:
+ - bareos_dir_pam_auth_enable
+ - bareos_dir_pam_auth_method is defined
+ - bareos_dir_pam_auth_method == "ldap" or
+ bareos_dir_pam_auth_method == "unix"
+
 - name: Start bareos-dir
 ansible.builtin.service:
 name: bareos-dir
diff --git a/tasks/pam_auth.yml b/tasks/pam_auth.yml
new file mode 100644
index 0000000..6bfd447
--- /dev/null
+++ b/tasks/pam_auth.yml
@@ -0,0 +1,78 @@ +--- +# Follows the setup process according to +# https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration + +- name: pam_auth | Install PAM dependencies + ansible.builtin.package: + name: "{{ bareos_dir_pam_auth_requirements }}" + state: present + +- name: pam_auth | Create bconsole password if bareos_dir_pam_auth_password unset + ansible.builtin.set_fact: + bareos_dir_pam_auth_password: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}" + when: + - bareos_dir_pam_auth_password is not defined or + bareos_dir_pam_auth_password == "" + +- name: pam_auth | Create bareos conf in /etc/pam.d/ + ansible.builtin.template: + src: templates/pam.d/bareos.j2 + dest: /etc/pam.d/bareos + owner: root + group: bareos + mode: "0644" + +# required for unix.socket auth to read /etc/shadow +- name: pam_auth | Add bareos user to group shadow + ansible.builtin.user: + name: bareos + groups: shadow + append: true + when: + - bareos_dir_pam_auth_method == "unix" + - ansible_facts.os_family == "Debian" + +# required for unix.socket auth to read /etc/shadow +- name: pam_auth | Change permissions for /etc/shadow + ansible.builtin.file: + path: "/etc/shadow" + owner: root + group: bareos + mode: "0040" + when: + - bareos_dir_pam_auth_method == "unix" + - ansible_facts.os_family == "RedHat" + +- name: pam_auth | Download pam_exec_add_bareos_user.py from bareos Github + ansible.builtin.get_url: + url: https://github.com/bareos/bareos/blob/master/contrib/misc/bareos_pam_integration/pam_exec_add_bareos_user.py + dest: "/usr/local/bin/pam_exec_add_bareos_user.py" + owner: bareos + group: bareos + mode: "0744" + +- name: pam_auth | Create PAM specific Bareos Console + ansible.builtin.template: + src: console.conf.j2 + dest: "/etc/bareos/bareos-dir.d/console/pam-adduser.conf" + owner: bareos + group: bareos + mode: "0644" + backup: "{{ bareos_dir_backup_configurations }}" + loop: + - name: "{{ 
bareos_dir_pam_auth_username | default('pam-adduser') }}" + description: >- + Dedicated Console for PAM authentication. + Using this, a user who successfully authenticates against LDAP, + will be created as Bareos user with ACLs as defined in profile {{ bareos_dir_pam_auth_profile | default('webui-admin') }}. + password: "{{ bareos_dir_pam_auth_password | default( ) }}" + tls_enable: "{{ bareos_dir_pam_auth_tls_enable | default(false) }}" + commandacl: + - ".api" + - ".profiles" + - ".users" + - "configure" + - "version" + notify: + - Check configuration + - Reload bareos-dir From 1adb42195d602d78251d61de7230240b4101a2b9 Mon Sep 17 00:00:00 2001 From: Patrick Hasler Date: Wed, 6 Nov 2024 17:20:21 +0100 Subject: [PATCH 19/24] chore(ci): include PAM auth tasks in molecule --- molecule/default/converge.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 74e3ca6..a552c5f 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -288,6 +288,10 @@ - "bareos-01@example.com" - "bareos-02@example.com" + bareos_dir_pam_auth_enable: true + bareos_dir_pam_auth_method: unix + bareos_dir_pam_auth_tls_enable: true + - role: adfinis.bareos_console bareos_console_directors: - name: bareos-dir From 96009c09ab38f0f61a089b2c5131cef2d949b5bf Mon Sep 17 00:00:00 2001 From: Patrick Hasler Date: Wed, 6 Nov 2024 17:40:01 +0100 Subject: [PATCH 20/24] chore: add dedicated RedHat.yml vars --- vars/RedHat.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 vars/RedHat.yml diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 0000000..ef25dfc --- /dev/null +++ b/vars/RedHat.yml @@ -0,0 +1,10 @@ +--- + +bareos_dir_debug_packages: + - bareos-debuginfo + - gdb + +bareos_dir_plugin_name: python3 + +bareos_dir_pam_auth_requirements: + - pam From 32b019e42615e8a905e9d221898acf51e11d47a2 Mon Sep 17 00:00:00 2001 
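Review bot: The `get_url` task fetches `https://github.com/bareos/bareos/blob/master/...` — a `blob` URL returns the GitHub HTML page, not the script, so what lands in `/usr/local/bin/pam_exec_add_bareos_user.py` will not run; the raw form `https://raw.githubusercontent.com/bareos/bareos/master/contrib/misc/bareos_pam_integration/pam_exec_add_bareos_user.py` is needed. Because this script executes inside the PAM stack on every login, pulling it unpinned from `master` with no `checksum:` also means an upstream change is picked up silently; pin to a tag or commit and add `checksum: "sha256:<PLACEHOLDER_SHA256>"`, or vendor the file into the role. Neither the `set_fact` that generates the password nor the loop-driven `template` task sets `no_log: true`, so the password is printed in task output (the loop item, password included, is the default label). `/etc/pam.d/bareos` is written with `mode: "0644"` although a later commit renders the console password into it; `"0640"` with the existing `group: bareos` keeps it readable by the director process but not by every local user, and the RedHat branch that regroups `/etc/shadow` to `bareos` is a change most hardening baselines will flag, so it deserves a comment explaining why it is required.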
From: Patrick Hasler Date: Wed, 6 Nov 2024 17:41:34 +0100 Subject: [PATCH 21/24] chore: /etc/pam.d template bareos --- templates/pam.d/bareos.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 templates/pam.d/bareos.j2 diff --git a/templates/pam.d/bareos.j2 b/templates/pam.d/bareos.j2 new file mode 100644 index 0000000..3407708 --- /dev/null +++ b/templates/pam.d/bareos.j2 @@ -0,0 +1,9 @@ +{{ ansible_managed | comment }} +{% if bareos_dir_pam_auth_method | default("unix") == "unix" %} +auth required pam_unix.so +account requisite pam_unix.so +{% elif bareos_dir_pam_auth_method == "ldap" %} +auth required pam_ldap.so +account requisite pam_ldap.so +{% endif %} +account [default=ignore] pam_exec.so /usr/bin/python3 /usr/local/bin/pam_exec_add_bareos_user.py --name {{ bareos_dir_pam_auth_username | default('pam-adduser') }} --password {{ bareos_dir_pam_auth_password }} --profile {{ bareos_dir_pam_auth_profile | default("webui-admin") }} From 2e490e1e5e72b9f2ca14b01ab1a3b39199750620 Mon Sep 17 00:00:00 2001 From: Patrick Hasler Date: Wed, 6 Nov 2024 17:53:41 +0100 Subject: [PATCH 22/24] chore: extend tasks/assert.yml --- tasks/assert.yml | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/tasks/assert.yml b/tasks/assert.yml index dc8baaa..ad203ca 100644 --- a/tasks/assert.yml +++ b/tasks/assert.yml @@ -124,6 +124,13 @@ - bareos_dir_storages is iterable quiet: true +- name: assert | Test bareos_dir_packages + ansible.builtin.assert: + that: + - bareos_dir_packages is defined + - bareos_dir_packages is iterable + quiet: true + - name: assert | Test bareos_dir_install_debug_packages ansible.builtin.assert: that: @@ -131,7 +138,6 @@ - bareos_dir_install_debug_packages is boolean quiet: true - - name: assert | Test bareos_dir_catalogs ansible.builtin.assert: that: 
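Review bot: The `pam_exec.so` line passes the console password as a command-line argument (`--password {{ bareos_dir_pam_auth_password }}`), so while the script runs it is visible in the process list to any local user, in addition to sitting in plaintext in `/etc/pam.d/bareos`, which the tasks create world-readable. If the upstream script can take the password from a file or its environment that should be preferred; at minimum the PAM file should not be mode 0644. The rendered value is also unquoted, and PAM splits module arguments on whitespace, so a password containing a space would break the command line — an assert on the allowed character set, or a comment stating the constraint, would help. The `{% elif %}` has no else branch, so an unsupported method yields a file with no `auth` line; that is only safe because tasks/main.yml skips the import for such values, and a comment such as `{# method is validated in tasks/main.yml #}` would make the dependency explicit.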
@@ -185,3 +191,26 @@ ansible.builtin.assert: that: - bareos_dir_messages is defined + quiet: true + +- name: assert | Test bareos_dir_pam_auth_enable + ansible.builtin.assert: + that: + - bareos_dir_pam_auth_enable is defined + - bareos_dir_pam_auth_enable is boolean + quiet: true + +- name: assert | Test bareos_dir_pam_auth_requirements + ansible.builtin.assert: + that: + - bareos_dir_pam_auth_requirements is defined + - bareos_dir_pam_auth_requirements is iterable + quiet: true + +- name: assert | Test bareos_dir_plugin_list + ansible.builtin.assert: + that: + - bareos_dir_plugin_list is defined + - bareos_dir_plugin_list is iterable + quiet: true + From 9088411906a1970b16514f6839c62b2913679db7 Mon Sep 17 00:00:00 2001 From: Patrick Hasler Date: Wed, 6 Nov 2024 17:53:41 +0100 Subject: [PATCH 23/24] chore: extend tasks/assert.yml --- tasks/assert.yml | 1 - tasks/pam_auth.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/assert.yml b/tasks/assert.yml index ad203ca..6b8f2d8 100644 --- a/tasks/assert.yml +++ b/tasks/assert.yml @@ -213,4 +213,3 @@ - bareos_dir_plugin_list is defined - bareos_dir_plugin_list is iterable quiet: true - diff --git a/tasks/pam_auth.yml b/tasks/pam_auth.yml index 6bfd447..aba9e9b 100644 --- a/tasks/pam_auth.yml +++ b/tasks/pam_auth.yml @@ -65,7 +65,7 @@ Dedicated Console for PAM authentication. Using this, a user who successfully authenticates against LDAP, will be created as Bareos user with ACLs as defined in profile {{ bareos_dir_pam_auth_profile | default('webui-admin') }}. - password: "{{ bareos_dir_pam_auth_password | default( ) }}" + password: "{{ bareos_dir_pam_auth_password }}" tls_enable: "{{ bareos_dir_pam_auth_tls_enable | default(false) }}" commandacl: - ".api" From 6ce8348bf01aa149af86086fa62bff0d9d08ef0f Mon Sep 17 00:00:00 2001 
From: Patrick Hasler Date: Thu, 7 Nov 2024 12:39:03 +0100 Subject: [PATCH 24/24] fix: PAM auth console file name set file name according to the name of the bareos console --- tasks/pam_auth.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/pam_auth.yml b/tasks/pam_auth.yml index aba9e9b..497a72c 100644 --- a/tasks/pam_auth.yml +++ b/tasks/pam_auth.yml @@ -54,7 +54,7 @@ - name: pam_auth | Create PAM specific Bareos Console ansible.builtin.template: src: console.conf.j2 - dest: "/etc/bareos/bareos-dir.d/console/pam-adduser.conf" + dest: "/etc/bareos/bareos-dir.d/console/{{ item.name }}.conf" owner: bareos group: bareos mode: "0644"
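Review bot: `dest` is now built from `{{ item.name }}`, which comes from the user-supplied `bareos_dir_pam_auth_username`, with no check that it is a plain file name; a value containing a path separator would place the file outside `/etc/bareos/bareos-dir.d/console/`. An assert in tasks/assert.yml such as `- bareos_dir_pam_auth_username is match("^[A-Za-z0-9_.-]+$")` would guard both this path and the `--name` argument in the PAM template. The enclosing task continues outside the hunk.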