roles/burp-server: Deploy BURP server

The *burp-server* role installs and configures a BURP server. It is
adapted from a previous iteration, and should support CentOS/RHEL/Fedora
and Gentoo, as well as both BURP 1.x and 2.x (depending on which version
gets installed by the system package manager).

To manage the certificate authority, the *burp-server* role uses the
`burp_ca` command. This has the advantage of not requiring any external
certificate management, but effectively binds the CA to a specific
machine.

roles/burp-server/defaults/main.yml

@@ -0,0 +1,10 @@
+burp_keep: 7
+burp_client_conf: {}
+burp_notify_success: '{{ burp_notify is defined }}'
+burp_notify_failure: '{{ burp_notify is defined }}'
+burp_backup_interval: 20h
+burp_hardlinked_archive: false
+burp_ca_server_name: '{{ ansible_fqdn }}'
+burp_notify_script: '{{ burp_script_path }}/notify_script'
+burp_timer_script: '{{ burp_script_path }}/timer_script'
+burp_server_script_pre: '{{ burp_script_path }}/ssl_extra_checks_script'

roles/burp-server/files/burp.tmpfiles.conf

@@ -0,0 +1 @@
+d /run/burp 0755 burp burp -

roles/burp-server/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: process tmpfiles
+  command: '{{ tmpfiles_cmd }} --create'
+- name: restart burp server
+  service:
+    name=burp
+    state=restarted
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent

roles/burp-server/library/burp_version

@@ -0,0 +1,23 @@
+# vim: set ft=python :
+
+def main():
+    module = AnsibleModule(
+        argument_spec={},
+        supports_check_mode=True,
+    )
+
+    burp = module.get_bin_path('burp', required=True)
+    rc, out, err = module.run_command([burp, '-v'], check_rc=True)
+    burp_version = out.strip().split('-')[1]
+
+    module.exit_json(
+        ansible_facts={
+            'burp_version': burp_version,
+        }
+    )
+
+
+from ansible.module_utils.basic import *
+
+if __name__ == '__main__':
+    main()

roles/burp-server/tasks/burp-defaults.yml

@@ -0,0 +1 @@
+burp_script_path: /usr/share/burp/scripts

roles/burp-server/tasks/burp1.yml

@@ -0,0 +1 @@
+burp_script_path: /etc/burp

roles/burp-server/tasks/ca.yml

@@ -0,0 +1,41 @@
+- name: ensure burp ca is configured
+  template:
+    src=CA.cnf.j2
+    dest=/etc/burp/CA.cnf
+    mode=0644
+- name: ensure burp ca is initialized
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --init
+    creates={{ burp_ca_dir }}/CA_burpCA.crt
+- name: ensure burp server private key exists
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --request --key --name {{ burp_ca_server_name }} --batch
+    creates={{ burp_ca_dir }}/{{ burp_ca_server_name }}.key
+- name: ensure burp server certificate exists
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --sign --name {{ burp_ca_server_name }} --batch
+    creates={{ burp_ca_dir }}/{{ burp_ca_server_name }}.crt
+- name: ensure burp certificate symlinks exist
+  file:
+    path=/etc/burp/{{ item.path }}
+    src={{ burp_ca_dir }}/{{ item.src }}
+    state=link
+  with_items:
+  - path: ssl_cert_ca.pem
+    src: CA_burpCA.crt
+  - path: ssl_cert-server.key
+    src: '{{ burp_ca_server_name }}.key'
+  - path: ssl_cert-server.pem
+    src: '{{ burp_ca_server_name }}.crt'

roles/burp-server/tasks/main.yml

@@ -0,0 +1,108 @@
+- name: load distribution-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - '{{ ansible_os_family }}.yml'
+  - defaults.yml
+  tags:
+  - always
+
+- name: ensure burp server is installed
+  package:
+    name={{ burp_server_package }}
+    state=present
+  tags:
+  - install
+- name: check burp version
+  burp_version:
+- debug: var=burp_version
+- name: load burp version-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - burp{{ burp_version[0] }}.yml
+  - burp-defaults.yml
+
+- name: ensure burp user exists
+  user:
+    name=burp
+    system=yes
+    home=/dev/null
+    createhome=no
+    shell=/sbin/nologin
+  tags:
+  - user
+
+- name: ensure tmpfiles.d directory exists
+  file:
+    path=/etc/tmpfiles.d
+    mode=0755
+    state=directory
+- name: ensure burp tmpfiles are configured
+  copy:
+    src=burp.tmpfiles.conf
+    dest=/etc/tmpfiles.d/burp.conf
+    mode=0644
+  notify: process tmpfiles
+- meta: flush_handlers
+- name: ensure burp persistent state directory exists
+  file:
+    path=/var/lib/burp
+    owner=root
+    group=burp
+    mode=0770
+    state=directory
+- name: ensure burp volume is mounted
+  mount:
+    name=/var/spool/burp
+    src={{ burp_backup_volume }}
+    fstype={{ burp_backup_volume_fstype }}
+    opts=noatime
+    state=mounted
+  when: burp_backup_volume is defined
+- name: ensure burp directory permissions are correct
+  file:
+    path=/var/spool/burp
+    owner=root
+    group=burp
+    mode=0770
+    state=directory
+- name: ensure burp server is configured
+  template:
+    src=burp-server.conf.j2
+    dest=/etc/burp/burp-server.conf
+    owner=root
+    group=burp
+    mode=0640
+  notify: restart burp server
+- name: ensure burp dh params are set
+  command:
+    burp_ca --dhfile /etc/burp/dhfile.pem
+    creates=/etc/burp/dhfile.pem
+- name: ensure burp dh params file permissions are correct
+  file:
+    path=/etc/burp/dhfile.pem
+    mode=0600
+    owner=burp
+    group=burp
+
+- import_tasks: ca.yml
+
+- name: ensure burp server starts at boot
+  service:
+    name=burp
+    enabled=yes
+- meta: flush_handlers
+- name: ensure burp server is running
+  service:
+    name=burp
+    state=started
+
+- name: ensure burp is allowed through the firewall
+  firewalld:
+    port=4971/tcp
+    immediate=yes
+    permanent=no
+    state=enabled
+  notify: save firewalld configuration
+  tags:
+  - firewalld

roles/burp-server/templates/CA.cnf.j2

@@ -0,0 +1,33 @@
+# simple config for burp_ca
+
+RANDFILE                = /dev/urandom
+CA_DIR                  = {{ burp_ca_dir }}
+
+
+[ ca ]
+dir                     = $ENV::CA_DIR
+database                = $dir/index.txt
+serial                  = $dir/serial.txt
+certs                   = $dir/certs
+new_certs_dir           = $dir/newcerts
+crlnumber               = $dir/crlnumber.txt
+
+unique_subject          = no
+
+default_md              = sha256
+default_days            = 7300
+default_crl_days        = 7300
+
+#????
+name_opt                = ca_default
+cert_opt                = ca_default
+
+x509_extensions         = usr_cert
+copy_extensions         = copy
+policy                  = policy_anything
+
+[ usr_cert ]
+basicConstraints        = CA:FALSE
+
+[ policy_anything ]
+commonName              = supplied

roles/burp-server/templates/burp-server.conf.j2

@@ -0,0 +1,197 @@
+{% set is_burp2 = burp_version|version_compare('2.0', '>=') %}
+# This is an example config file for the burp server.
+
+mode = server
+{% if is_burp2 %}
+
+# The default addresses to listen on depend upon compile time options.
+# They may be overridden here.
+#address = 0.0.0.0
+{% endif %}
+port = 4971
+{% if is_burp2 %}
+# Think carefully before changing the status port address, as it can be used
+# to view the contents of backups.
+#status_address = 127.0.0.1
+# If you do not wish to run a status server at all, comment status_port out.
+{% endif %}
+status_port = 4972
+directory = /var/spool/burp
+{% if is_burp2 %}
+dedup_group = {{ burp_dedup_group|d('global') }}
+{% endif %}
+{% if is_burp2 %}
+# Choose the protocol to use.
+# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
+# with a pseudo mirrored storage on the server and optional rsync). 2 forces
+# protocol2 mode (inline deduplication with variable length blocks).
+# Like many other settings, this can be set per client in the clientconfdir
+# files.
+# protocol = 0
+{% endif %}
+clientconfdir = /etc/burp/clientconfdir
+pidfile = /run/burp/server.pid
+hardlinked_archive = {{ burp_hardlinked_archive|bool|int }}
+{% if burp_librsync is defined %}
+librsync = {{ burp_librsync|bool|int }}
+{% endif %}
+working_dir_recovery_method = delete
+max_children = 5
+max_status_children = 5
+umask = 0022
+syslog = 1
+stdout = 0
+# The following options can restrict what the client can do.
+# Note that restore_clients will still be able to do all of these operations,
+# except for force_backup.
+client_can_delete = 1
+# Set client_can_force_backup to 0 to only allow timed backups.
+client_can_force_backup = 1
+client_can_list = 1
+# Set client_can_restore to 0 if you want restores to only be initialised by
+# the server.
+client_can_restore = 1
+client_can_verify = 1
+# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
+# ratelimit = 1.5
+# Network timeout defaults to 7200 seconds (2 hours).
+# network_timeout = 7200
+{% if is_burp2 %}
+
+# Server storage compression. Default is zlib9. Set to zlib0 to turn it off.
+#compression = zlib9
+{% endif %}
+
+# When the client version does not match the server version, log a warning.
+# Set to 0 to turn it off.
+version_warn = 1
+
+# More configuration files can be read, using syntax like the following
+# (without the leading '# ').
+# . path/to/more/conf
+
+# You can have as many 'keep' lines as you like.
+# For example, if running backups daily, setting 7, 4, 6 will keep
+# 7 daily backups, 4 weekly, and 6 four-weekly backups.
+{% if burp_keep is iterable and burp_keep is not string %}
+{% for k in burp_keep %}
+keep = {{ k }}
+{% endfor %}
+{% else %}
+keep = {{ burp_keep }}
+{% endif %}
+
+# Run as different user/group.
+user = burp
+group = burp
+
+# CA options.
+# If you want your server to be a certificate authority and generate its own
+# certificates, uncomment the following lines. If the directory specified in
+# ca_conf does not exist, the server will create, populate it, and the paths
+# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
+# overwritten. See docs/burp_ca.txt for more information.
+ca_conf = /etc/burp/CA.cnf
+ca_name = burpCA
+ca_server_name = {{ burp_ca_server_name }}
+ca_burp_ca = /usr/sbin/burp_ca
+{% if is_burp2 %}
+
+# Check for revoked certificates in the certificate revocation list.
+# Turn this off if you use the old ssl_extra_checks_script server script.
+ca_crl_check = 1
+{% endif %}
+
+# SSL certificate authority - same file on both server and client
+ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
+
+# Server SSL certificate
+ssl_cert = /etc/burp/ssl_cert-server.pem
+
+# Server SSL key
+ssl_key = /etc/burp/ssl_cert-server.key
+
+# Server SSL ciphers
+#ssl_ciphers = 
+{% if is_burp2 %}
+
+# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
+#ssl_compression = zlib5
+{% endif %}
+
+# SSL key password
+#ssl_key_password = password
+
+# Server DH file.
+ssl_dhfile = /etc/burp/dhfile.pem
+
+timer_script = {{ burp_timer_script }}
+# Ensure that 20 hours elapse between backups
+# Available units:
+# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
+timer_arg = {{ burp_backup_interval }}
+{% if burp_timebands is defined %}
+{% for timeband in burp_timebands %}
+timer_arg = {{ timeband }}
+{% endfor %}
+{% else %}
+# Allow backups to start in the evenings and nights during weekdays
+timer_arg = Mon,Tue,Wed,Thu,Fri,00,01,02,03,04,05,19,20,21,22,23
+# Allow more hours at the weekend.
+timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
+{% endif %}
+# Note that, if you specify no timebands, the default timer script will never
+# allow backups.
+
+# Uncomment the notify_success_* lines for email notifications of backups that
+# succeeded.
+# In the subject line, the following are substituted:
+# %b - "backup"/"restore"/"verify"
+# %c - client name
+# %w - number of warnings, if any
+{% if burp_notify_success|bool %}
+notify_success_script = {{ burp_notify_script }}
+notify_success_arg = sendmail -t
+notify_success_arg = To: {{ burp_notify }}
+notify_success_arg = From: burp
+notify_success_arg = Subject: %b succeeded: %c %w
+{% endif %}
+# Uncomment the following to have success notifications only if there were
+# warnings.
+#notify_success_warnings_only = 1
+# Uncomment the following to have success notifications only if there were
+# new or changed files.
+#notify_success_changes_only = 1
+
+# Uncomment the following for email notifications of backups that failed.
+{% if burp_notify_failure|bool %}
+notify_failure_script = {{ burp_notify_script }}
+notify_failure_arg = sendmail -t
+notify_failure_arg = To: {{ burp_notify }}
+notify_failure_arg = From: burp
+notify_failure_arg = Subject: %b failed: %c %w
+{% endif %}
+
+# The server can run scripts on each connection after authentication and before
+# disconnecting.
+#server_script_pre = {{ burp_server_script_pre }}
+#server_script_pre_arg = /etc/burp/crl
+#server_script_pre_arg = /etc/burp/burp-server.conf
+#server_script_pre_arg = /etc/burp/server-pre-script.local
+# Set server_script_pre_notify to 1 to have notifications on server_script_pre
+# returning non-zero. Most people will want to leave this off - it could
+# result in a lot of emails because clients normally connect once every 20
+# minutes. Requires notify_failure_script to be set above.
+#server_script_pre_notify = 0
+#server_script_post = 
+#server_script_post_arg = 
+#server_script_post_arg = 
+#server_script_post_run_on_fail=0
+# As for server_script_pre_notify, but for post.
+#server_script_post_notify = 0
+
+# Clients that are able to list and restore files belonging to any other
+# client. If this is too permissive, you may set a restore_client for
+# individual original clients in the individual clientconfdir files.
+# restore_client = someclient
+# restore_client = someotherclient

roles/burp-server/vars/RedHat.yml

@@ -0,0 +1,3 @@
+burp_server_package: burp-server
+burp_client_package: burp-client
+tmpfiles_cmd: systemd-tmpfiles

roles/burp-server/vars/defaults.yml

@@ -0,0 +1,3 @@
+burp_server_package: burp
+burp_client_package: burp
+tmpfiles_cmd: opentmpfiles

roles/burp-server/vars/main.yml

@@ -0,0 +1 @@
+burp_ca_dir: /var/lib/burp/CA