From d3307821480eb7060e893264e0c7cd44c6adf66e Mon Sep 17 00:00:00 2001
From: Patrick Hasler
Date: Tue, 5 Nov 2024 13:32:51 +0100
Subject: [PATCH 1/2] feat: add TLS options for bconsole.conf

---
 meta/argument_specs.yml | 54 +++++++++++++++++++++++++++++++++++---
 templates/bconsole.conf.j2 | 30 +++++++++++++++------
 2 files changed, 72 insertions(+), 12 deletions(-)

diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index 30f78a9..cfdd70e 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -1,14 +1,60 @@ --- -# # bareos_dir_messages: Daemon - argument_specs: main: - short_description: "Install and configure BareOS Console (bconsole) on your system." + short_description: "Install and configure Bareos Console (bconsole) on your system." description: > - Install and configure BareOS Console (bconsole) on your system. + Install and configure Bareos Console (bconsole) on your system. author: Adfinis options: bareos_console_directors: type: "list" description: "A list of directors to connect to." + elements: "dict" + required: true + options: + name: + type: "str" + required: true + description: > + The Director name used to identify the Director in the list of monitored daemons. + It is not required to be the same as the one defined in the Director’s configuration file. + address: + type: "str" + dir_port: + type: int + default: 9101 + description: + type: "str" + address: + type: "str" + password: + type: "str" + required: true + description: "Will be stored as MD5 hash." + tls_enable: + type: "bool" + default: true + description: "Enable TLS support." + tls_verify_peer: + type: "bool" + default: false + description: > + If enabled, the CN of a certificate must match the Address or be in the “TLS Allowed CN” list. + tls_allowed_cns: + type: "list" + elements: "str" + description: > + CNs of the allowed peer certificates + tls_ca_cert: + type: "str" + description: > + Path of a PEM encoded TLS CA certificate(s) file. + tls_cert: + type: "str" + description: > + Path of a PEM encoded TLS certificate. + tls_key: + type: "str" + description: > + Path of a PEM encoded private key. It must correspond to the specified `tls_cert`. diff --git a/templates/bconsole.conf.j2 b/templates/bconsole.conf.j2 index 3a3c77d..81aee18 100644 --- a/templates/bconsole.conf.j2 +++ b/templates/bconsole.conf.j2 
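Review bot: The sub-options mapping under `bareos_console_directors` declares `address` twice (once right before `dir_port`, again after `description`); duplicate keys are invalid in YAML 1.2, most loaders silently keep the last one, and yamllint's `key-duplicates` rule will fail the file, so one of the two `address:` entries should be dropped. In the same mapping `dir_port` uses an unquoted `type: int` while every other option quotes its type string; `type: "int"` keeps the file consistent. The `password` description, `"Will be stored as MD5 hash."`, can be read as if hashing protects the secret, but as far as I know the `[md5]` digest is itself the shared secret Bareos uses for its CRAM-MD5 handshake, so I would reword it to `description: "Director password. Rendered as an [md5] digest, which is still a usable credential; protect the generated bconsole.conf."`. Finally, `tls_allowed_cns` only has an effect when `tls_verify_peer` is true (the spec's own `tls_verify_peer` text says so), which is worth stating in its description so users do not assume an allow-list alone restricts peers.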
@@ -3,22 +3,36 @@ {% if bareos_console_directors is defined %} {% for director in bareos_console_directors %} Director { - Name = "{{ director.name }}" + Name = "{{ director.name }}" {% if director.description is defined %} - Description = "{{ director.description }}" + Description = "{{ director.description }}" {% endif %} {% if director.address is defined %} - Address = "{{ director.address }}" + Address = "{{ director.address }}" {% endif %} + Dir Port = {{ director.dir_port | default("9101") }} {% if director.password is defined %} - Password = "[md5]{{ director.password | md5 }}" -{% endif %} -{% if director.tls_enable is defined %} - TLS Enable = {{ director.tls_enable | ternary('Yes', 'No') }} + Password = "[md5]{{ director.password | md5 }}" {% endif %} + TLS Enable = {{ director.tls_enable | default(true) | ternary('Yes', 'No') }} {% if director.tls_verify_peer is defined %} - TLS Verify Peer = {{ director.tls_verify_peer | ternary('Yes', 'No') }} + TLS Verify Peer = {{ director.tls_verify_peer | ternary('Yes', 'No') }} +{% endif %} +{% if director.tls_ca_cert is defined %} + TLS Ca Certificate File = "{{ director.tls_ca_cert }}" +{% endif %} +{% if director.tls_cert is defined %} + TLS Certificate = "{{ director.tls_cert }}" +{% endif %} +{% if director.tls_key is defined %} + TLS Key = "{{ director.tls_key }}" {% endif %} +{% if director.tls_allowed_cns is defined %} +{% for cn in director.tls_allowed_cns %} + TLS Allowed CN = "{{ cn }}" +{% endfor %} +{% endif %} + } {% endfor %} {% endif %} From d46030d9334fb12b331a47a456ac3a2aaadb283f Mon Sep 17 00:00:00 2001 From: Patrick Hasler Date: Tue, 5 Nov 2024 13:33:25 +0100 Subject: [PATCH 2/2] feat(ci): add new TLS options to molecule --- molecule/default/converge.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 3461711..694f378 100644 --- a/molecule/default/converge.yml 
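Review bot: `TLS Allowed CN` lines are rendered whenever `tls_allowed_cns` is set, but `TLS Verify Peer` is only emitted when `director.tls_verify_peer` is defined, so a user who supplies an allow-list without also setting `tls_verify_peer: true` gets a config that looks restricted yet, per the spec's description of that option, never checks the peer's CN. I would handle it the way the hunk already handles `tls_enable`, with an explicit default that turns verification on when an allow-list is given: `TLS Verify Peer = {{ director.tls_verify_peer | default(director.tls_allowed_cns is defined) | ternary('Yes', 'No') }}` (and align the spec's `default: false` for `tls_verify_peer` with that). The path and CN values are also interpolated unescaped into double-quoted directives, so a value containing `"` corrupts the file; that is acceptable for trusted role vars but worth a comment if inventory-supplied values are expected.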
+++ b/molecule/default/converge.yml @@ -1,8 +1,8 @@ --- - name: Converge hosts: all - become: yes - gather_facts: yes + become: true + gather_facts: true roles: - role: ansible-role-bareos_console @@ -11,5 +11,13 @@ address: localhost password: "MySuperSecretPassword" description: "Bareos Console credentials for local Director" - tls_enable: yes - tls_verify_peer: no + tls_enable: true + tls_verify_peer: false + dir_port: 1337 + tls_ca_cert: "/home/data/testCA.pem" + tls_cert: "/home/data/test.pem" + tls_key: "/home/data/test.key" + tls_allowed_cns: + - "bareos.example.com" + - "bareos-webui.example.com" + - "bareos-console.example.com"
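Review bot: The second hunk sets `tls_verify_peer: false` while listing three `tls_allowed_cns`, so the rendered `TLS Allowed CN` lines are never enforced and the scenario does not exercise the verify-peer path the new template code adds. Flipping it to `tls_verify_peer: true` would cover the restrictive combination, unless a verify step elsewhere in the scenario already checks it. The `/home/data/test*.pem` paths look like placeholders that presumably do not exist in the molecule instance; that is fine if nothing starts bconsole during the run, but a comment such as `# placeholder paths; only the rendered config is exercised` above `tls_ca_cert` would keep a later reader from expecting real certificates there.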