roles/burp-server: Deploy BURP server
The *burp-server* role installs and configures a BURP server. It is adapted from a previous iteration, and should support CentOS/RHEL/Fedora and Gentoo, as well as both BURP 1.x and 2.x (depending on which version gets installed by the system package manager). To manage the certificate authority, the *burp-server* role uses the `burp_ca` command. This has the advantage of not requiring any external certificate management, but effectively binds the CA to a specific machine.
This commit is contained in:
33
roles/burp-server/templates/CA.cnf.j2
Normal file
33
roles/burp-server/templates/CA.cnf.j2
Normal file
@@ -0,0 +1,33 @@
|
||||
# simple config for burp_ca
|
||||
|
||||
RANDFILE = /dev/urandom
|
||||
CA_DIR = {{ burp_ca_dir }}
|
||||
|
||||
|
||||
[ ca ]
|
||||
dir = $ENV::CA_DIR
|
||||
database = $dir/index.txt
|
||||
serial = $dir/serial.txt
|
||||
certs = $dir/certs
|
||||
new_certs_dir = $dir/newcerts
|
||||
crlnumber = $dir/crlnumber.txt
|
||||
|
||||
unique_subject = no
|
||||
|
||||
default_md = sha256
|
||||
default_days = 7300
|
||||
default_crl_days = 7300
|
||||
|
||||
#????
|
||||
name_opt = ca_default
|
||||
cert_opt = ca_default
|
||||
|
||||
x509_extensions = usr_cert
|
||||
copy_extensions = copy
|
||||
policy = policy_anything
|
||||
|
||||
[ usr_cert ]
|
||||
basicConstraints = CA:FALSE
|
||||
|
||||
[ policy_anything ]
|
||||
commonName = supplied
|
||||
197
roles/burp-server/templates/burp-server.conf.j2
Normal file
197
roles/burp-server/templates/burp-server.conf.j2
Normal file
@@ -0,0 +1,197 @@
|
||||
{% set is_burp2 = burp_version|version_compare('2.0', '>=') %}
|
||||
# This is an example config file for the burp server.
|
||||
|
||||
mode = server
|
||||
{% if is_burp2 %}
|
||||
|
||||
# The default addresses to listen on depend upon compile time options.
|
||||
# They may be overridden here.
|
||||
#address = 0.0.0.0
|
||||
{% endif %}
|
||||
port = 4971
|
||||
{% if is_burp2 %}
|
||||
# Think carefully before changing the status port address, as it can be used
|
||||
# to view the contents of backups.
|
||||
#status_address = 127.0.0.1
|
||||
# If you do not wish to run a status server at all, comment status_port out.
|
||||
{% endif %}
|
||||
status_port = 4972
|
||||
directory = /var/spool/burp
|
||||
{% if is_burp2 %}
|
||||
dedup_group = {{ burp_dedup_group|d('global') }}
|
||||
{% endif %}
|
||||
{% if is_burp2 %}
|
||||
# Choose the protocol to use.
|
||||
# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
|
||||
# with a pseudo mirrored storage on the server and optional rsync). 2 forces
|
||||
# protocol2 mode (inline deduplication with variable length blocks).
|
||||
# Like many other settings, this can be set per client in the clientconfdir
|
||||
# files.
|
||||
# protocol = 0
|
||||
{% endif %}
|
||||
clientconfdir = /etc/burp/clientconfdir
|
||||
pidfile = /run/burp/server.pid
|
||||
hardlinked_archive = {{ burp_hardlinked_archive|bool|int }}
|
||||
{% if burp_librsync is defined %}
|
||||
librsync = {{ burp_librsync|bool|int }}
|
||||
{% endif %}
|
||||
working_dir_recovery_method = delete
|
||||
max_children = 5
|
||||
max_status_children = 5
|
||||
umask = 0022
|
||||
syslog = 1
|
||||
stdout = 0
|
||||
# The following options can restrict what the client can do.
|
||||
# Note that restore_clients will still be able to do all of these operations,
|
||||
# except for force_backup.
|
||||
client_can_delete = 1
|
||||
# Set client_can_force_backup to 0 to only allow timed backups.
|
||||
client_can_force_backup = 1
|
||||
client_can_list = 1
|
||||
# Set client_can_restore to 0 if you want restores to only be initialised by
|
||||
# the server.
|
||||
client_can_restore = 1
|
||||
client_can_verify = 1
|
||||
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
|
||||
# ratelimit = 1.5
|
||||
# Network timeout defaults to 7200 seconds (2 hours).
|
||||
# network_timeout = 7200
|
||||
{% if is_burp2 %}
|
||||
|
||||
# Server storage compression. Default is zlib9. Set to zlib0 to turn it off.
|
||||
#compression = zlib9
|
||||
{% endif %}
|
||||
|
||||
# When the client version does not match the server version, log a warning.
|
||||
# Set to 0 to turn it off.
|
||||
version_warn = 1
|
||||
|
||||
# More configuration files can be read, using syntax like the following
|
||||
# (without the leading '# ').
|
||||
# . path/to/more/conf
|
||||
|
||||
# You can have as many 'keep' lines as you like.
|
||||
# For example, if running backups daily, setting 7, 4, 6 will keep
|
||||
# 7 daily backups, 4 weekly, and 6 four-weekly backups.
|
||||
{% if burp_keep is iterable and burp_keep is not string %}
|
||||
{% for k in burp_keep %}
|
||||
keep = {{ k }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
keep = {{ burp_keep }}
|
||||
{% endif %}
|
||||
|
||||
# Run as different user/group.
|
||||
user = burp
|
||||
group = burp
|
||||
|
||||
# CA options.
|
||||
# If you want your server to be a certificate authority and generate its own
|
||||
# certificates, uncomment the following lines. If the directory specified in
|
||||
# ca_conf does not exist, the server will create, populate it, and the paths
|
||||
# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
|
||||
# overwritten. See docs/burp_ca.txt for more information.
|
||||
ca_conf = /etc/burp/CA.cnf
|
||||
ca_name = burpCA
|
||||
ca_server_name = {{ burp_ca_server_name }}
|
||||
ca_burp_ca = /usr/sbin/burp_ca
|
||||
{% if is_burp2 %}
|
||||
|
||||
# Check for revoked certificates in the certificate revocation list.
|
||||
# Turn this off if you use the old ssl_extra_checks_script server script.
|
||||
ca_crl_check = 1
|
||||
{% endif %}
|
||||
|
||||
# SSL certificate authority - same file on both server and client
|
||||
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
|
||||
|
||||
# Server SSL certificate
|
||||
ssl_cert = /etc/burp/ssl_cert-server.pem
|
||||
|
||||
# Server SSL key
|
||||
ssl_key = /etc/burp/ssl_cert-server.key
|
||||
|
||||
# Server SSL ciphers
|
||||
#ssl_ciphers =
|
||||
{% if is_burp2 %}
|
||||
|
||||
# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
|
||||
#ssl_compression = zlib5
|
||||
{% endif %}
|
||||
|
||||
# SSL key password
|
||||
#ssl_key_password = password
|
||||
|
||||
# Server DH file.
|
||||
ssl_dhfile = /etc/burp/dhfile.pem
|
||||
|
||||
timer_script = {{ burp_timer_script }}
|
||||
# Ensure that 20 hours elapse between backups
|
||||
# Available units:
|
||||
# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
|
||||
timer_arg = {{ burp_backup_interval }}
|
||||
{% if burp_timebands is defined %}
|
||||
{% for timeband in burp_timebands %}
|
||||
timer_arg = {{ timeband }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
# Allow backups to start in the evenings and nights during weekdays
|
||||
timer_arg = Mon,Tue,Wed,Thu,Fri,00,01,02,03,04,05,19,20,21,22,23
|
||||
# Allow more hours at the weekend.
|
||||
timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
|
||||
{% endif %}
|
||||
# Note that, if you specify no timebands, the default timer script will never
|
||||
# allow backups.
|
||||
|
||||
# Uncomment the notify_success_* lines for email notifications of backups that
|
||||
# succeeded.
|
||||
# In the subject line, the following are substituted:
|
||||
# %b - "backup"/"restore"/"verify"
|
||||
# %c - client name
|
||||
# %w - number of warnings, if any
|
||||
{% if burp_notify_success|bool %}
|
||||
notify_success_script = {{ burp_notify_script }}
|
||||
notify_success_arg = sendmail -t
|
||||
notify_success_arg = To: {{ burp_notify }}
|
||||
notify_success_arg = From: burp
|
||||
notify_success_arg = Subject: %b succeeded: %c %w
|
||||
{% endif %}
|
||||
# Uncomment the following to have success notifications only if there were
|
||||
# warnings.
|
||||
#notify_success_warnings_only = 1
|
||||
# Uncomment the following to have success notifications only if there were
|
||||
# new or changed files.
|
||||
#notify_success_changes_only = 1
|
||||
|
||||
# Uncomment the following for email notifications of backups that failed.
|
||||
{% if burp_notify_failure|bool %}
|
||||
notify_failure_script = {{ burp_notify_script }}
|
||||
notify_failure_arg = sendmail -t
|
||||
notify_failure_arg = To: {{ burp_notify }}
|
||||
notify_failure_arg = From: burp
|
||||
notify_failure_arg = Subject: %b failed: %c %w
|
||||
{% endif %}
|
||||
|
||||
# The server can run scripts on each connection after authentication and before
|
||||
# disconnecting.
|
||||
#server_script_pre = {{ burp_server_script_pre }}
|
||||
#server_script_pre_arg = /etc/burp/crl
|
||||
#server_script_pre_arg = /etc/burp/burp-server.conf
|
||||
#server_script_pre_arg = /etc/burp/server-pre-script.local
|
||||
# Set server_script_pre_notify to 1 to have notifications on server_script_pre
|
||||
# returning non-zero. Most people will want to leave this off - it could
|
||||
# result in a lot of emails because clients normally connect once every 20
|
||||
# minutes. Requires notify_failure_script to be set above.
|
||||
#server_script_pre_notify = 0
|
||||
#server_script_post =
|
||||
#server_script_post_arg =
|
||||
#server_script_post_arg =
|
||||
#server_script_post_run_on_fail=0
|
||||
# As for server_script_pre_notify, but for post.
|
||||
#server_script_post_notify = 0
|
||||
|
||||
# Clients that are able to list and restore files belonging to any other
|
||||
# client. If this is too permissive, you may set a restore_client for
|
||||
# individual original clients in the individual clientconfdir files.
|
||||
# restore_client = someclient
|
||||
# restore_client = someotherclient
|
||||
Reference in New Issue
Block a user