diff --git a/REFERENCE.md b/REFERENCE.md
index cea8beaf..b64bd5dc 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -17,6 +17,7 @@
### Defined types
* [`bacula::director::client`](#bacula--director--client): Define a Bacula Director Client
+* [`bacula::director::console`](#bacula--director--console): Define a Bacula Director Console
* [`bacula::director::fileset`](#bacula--director--fileset): Configure a Bacula Director Fileset
* [`bacula::director::job`](#bacula--director--job): Configure a Bacula Director Job
* [`bacula::director::pool`](#bacula--director--pool): Configure a Bacula Director Pool
@@ -34,6 +35,7 @@
### Data types
+* [`Bacula::Command`](#Bacula--Command): A Bacula console command
* [`Bacula::JobType`](#Bacula--JobType): The type of job
* [`Bacula::Message`](#Bacula--Message): A Bacula message specification
* [`Bacula::Runscript`](#Bacula--Runscript): A Bacula Runscript specification
@@ -1007,6 +1009,127 @@ The path to the bacula configuration directory
Default value: `$bacula::conf_dir`
+### `bacula::director::console`
+
+This define creates a console declaration for the director.
+Resources of this type are intended to manage conf.d/console.conf entries.
+
+Aside from Director resource names and console command names,
+the special keyword *all* can be specified in any of the above access control lists.
+When this keyword is present, any resource or command name (which ever is appropriate) will be accepted.
+
+#### Examples
+
+#####
+
+```puppet
+bacula::director::console { 'Monitoring':
+ password => 'monitoring_password',
+}
+```
+
+#### Parameters
+
+The following parameters are available in the `bacula::director::console` defined type:
+
+* [`conf_dir`](#-bacula--director--console--conf_dir)
+* [`password`](#-bacula--director--console--password)
+* [`jobacl`](#-bacula--director--console--jobacl)
+* [`clientacl`](#-bacula--director--console--clientacl)
+* [`storageacl`](#-bacula--director--console--storageacl)
+* [`scheduleacl`](#-bacula--director--console--scheduleacl)
+* [`poolacl`](#-bacula--director--console--poolacl)
+* [`filesetacl`](#-bacula--director--console--filesetacl)
+* [`catalogacl`](#-bacula--director--console--catalogacl)
+* [`commandacl`](#-bacula--director--console--commandacl)
+* [`whereacl`](#-bacula--director--console--whereacl)
+
+##### `conf_dir`
+
+Data type: `String`
+
+The bacula configuration director. Should not need adjusting
+
+Default value: `$bacula::conf_dir`
+
+##### `password`
+
+Data type: `String[1]`
+
+The password that must be supplied for a named Bacula Console to be authorized
+
+##### `jobacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Job resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### `clientacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Client resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### `storageacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Storage resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### `scheduleacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Schedule resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### `poolacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Pool resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### `filesetacl`
+
+Data type: `Optional[String[1]]`
+
+A list of FileSet resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### `catalogacl`
+
+Data type: `String[1]`
+
+A list of Catalog resource names that can be accessed by the console.
+
+Default value: `'*all*'`
+
+##### `commandacl`
+
+Data type: `Array[Bacula::Command]`
+
+A list of of console commands that can be executed by the console.
+
+Default value: `['list']`
+
+##### `whereacl`
+
+Data type: `Optional[String[1]]`
+
+This directive permits you to specify where a restricted console can restore files.
+
+Default value: `undef`
+
### `bacula::director::fileset`
This class handles a Director's fileset.conf entry. Filesets are intended to
@@ -2164,6 +2287,15 @@ A boolean value
## Data types
+### `Bacula::Command`
+
+A Bacula console command
+
+* **See also**
+ * https://www.bacula.org/15.0.x-manuals/en/console/Bacula_Enterprise_Console.html
+
+Alias of `Enum['add', 'autodisplay', 'automount', 'cancel', 'cloud', 'create', 'delete', 'disable', 'enable', 'estimate', 'exit', 'gui', 'help', 'label', 'list', 'llist', 'messages', 'memory', 'mount', 'prune', 'purge', 'query', 'quit', 'relabel', 'release', 'reload', 'restart', 'resume', 'restore', 'run', 'setbandwidth', 'setdebug', 'setip', 'show', 'sqlquery', 'status', 'tag', 'time', 'trace', 'umount', 'unmount', 'update', 'use', 'var', 'version', 'wait', '.api', '.backups', '.clients', '.catalogs', '.defaults', '.die', '.dir', '.dump', '.exit', '.events', '.filesets', '.help', '.jobs', '.estimate', '.jlist', '.levels', '.messages', '.msgs', '.pools', '.quit', '.putfile', '.schedule', '.sql', '.status', '.storage', '.volstatus', '.media', '.mediatypes', '.locations', '.actiononpurge', '.bvfs_lsdirs', '.bvfs_lsfiles', '.bvfs_get_volumes', '.bvfs_update', '.bvfs_get_jobids', '.bvfs_get_jobs', '.bvfs_get_bootstrap', '.bvfs_get_fileindex', '.bvfs_versions', '.bvfs_get_delta', '.bvfs_restore', '.bvfs_cleanup', '.bvfs_decode_lstat', '.bvfs_clear_cache', '.bvfs_update_fv', '.bvfs_delete_fileid', '.setuid', '.ls', '.types', '.query', '.tags']`
+
### `Bacula::JobType`
The type of job
diff --git a/manifests/director.pp b/manifests/director.pp
index 40e0b7b1..0731fd6c 100644
--- a/manifests/director.pp
+++ b/manifests/director.pp
@@ -155,6 +155,7 @@
]
$sub_confs_with_secrets = [
+ "${conf_dir}/conf.d/console.conf",
"${conf_dir}/conf.d/client.conf",
"${conf_dir}/conf.d/storage.conf",
]
diff --git a/manifests/director/console.pp b/manifests/director/console.pp
new file mode 100644
index 00000000..2e4b750a
--- /dev/null
+++ b/manifests/director/console.pp
@@ -0,0 +1,58 @@
+# @summary Define a Bacula Director Console
+#
+# This define creates a console declaration for the director.
+# Resources of this type are intended to manage conf.d/console.conf entries.
+#
+# @param conf_dir The bacula configuration director. Should not need adjusting
+# @param password The password that must be supplied for a named Bacula Console to be authorized
+# @param jobacl A list of Job resource names that can be accessed by the console.
+# @param clientacl A list of Client resource names that can be accessed by the console.
+# @param storageacl A list of Storage resource names that can be accessed by the console.
+# @param scheduleacl A list of Schedule resource names that can be accessed by the console.
+# @param poolacl A list of Pool resource names that can be accessed by the console.
+# @param filesetacl A list of FileSet resource names that can be accessed by the console.
+# @param catalogacl A list of Catalog resource names that can be accessed by the console.
+# @param commandacl A list of of console commands that can be executed by the console.
+# @param whereacl This directive permits you to specify where a restricted console can restore files.
+#
+# Aside from Director resource names and console command names,
+# the special keyword *all* can be specified in any of the above access control lists.
+# When this keyword is present, any resource or command name (which ever is appropriate) will be accepted.
+#
+# @example
+# bacula::director::console { 'Monitoring':
+# password => 'monitoring_password',
+# }
+#
+define bacula::director::console (
+ String[1] $password,
+ String $conf_dir = $bacula::conf_dir,
+ String[1] $catalogacl = '*all*',
+ Array[Bacula::Command] $commandacl = ['list'],
+ Optional[String[1]] $jobacl = undef,
+ Optional[String[1]] $clientacl = undef,
+ Optional[String[1]] $storageacl = undef,
+ Optional[String[1]] $scheduleacl = undef,
+ Optional[String[1]] $poolacl = undef,
+ Optional[String[1]] $filesetacl = undef,
+ Optional[String[1]] $whereacl = undef,
+) {
+ $epp_console_variables = {
+ name => $name,
+ password => $password,
+ commandacl => $commandacl,
+ whereacl => $whereacl,
+ jobacl => $jobacl,
+ clientacl => $clientacl,
+ storageacl => $storageacl,
+ scheduleacl => $scheduleacl,
+ poolacl => $poolacl,
+ filesetacl => $filesetacl,
+ catalogacl => $catalogacl,
+ }
+
+ concat::fragment { "bacula-director-console-${name}":
+ target => "${conf_dir}/conf.d/console.conf",
+ content => epp('bacula/bacula-dir-console.epp', $epp_console_variables),
+ }
+}
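Review bot: `$password` is declared as `String[1]`, so the console secret is carried as plain text in the compiled catalog and can surface in reports or diff output; consider accepting `Variant[String[1], Sensitive[String[1]]]` and unwrapping it only where the template variables are built. The header comment also says `*all*` may be given in any of the access control lists, but `$commandacl` is `Array[Bacula::Command]` and the enum added in types/command.pp has no `*all*` member, so that documented value is rejected for CommandACL; either add it to the alias or narrow the comment. The remaining ACL parameters are described as "a list" but typed `Optional[String[1]]`, so a comment such as `# ACL values are passed through verbatim as a comma-separated string` would make the expected format explicit.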
diff --git a/spec/defines/director_console_spec.rb b/spec/defines/director_console_spec.rb
new file mode 100644
index 00000000..5b10695e
--- /dev/null
+++ b/spec/defines/director_console_spec.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'bacula::director::console' do
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) { facts }
+
+ let(:pre_condition) { 'include bacula' }
+
+ context 'with default parameters' do
+ let(:title) { 'Monitoring' }
+
+ let(:params) do
+ {
+ password: 'monitoring_password',
+ }
+ end
+
+ it { is_expected.to contain_concat__fragment('bacula-director-console-Monitoring').with(content: <<~FRAGMENT) }
+ Console {
+ Name = Monitoring
+ Password = "monitoring_password"
+ CatalogACL = *all*
+ CommandACL = list
+ }
+ FRAGMENT
+ end
+
+ context 'with all parameters set' do
+ let(:title) { 'restricted-user' }
+
+ let(:params) do
+ {
+ password: 'A different UntrustedUser',
+ jobacl: 'Restricted Client Save',
+ clientacl: 'restricted-client',
+ storageacl: 'second-storage',
+ scheduleacl: 'weekly-schedule',
+ poolacl: 'backup-pool',
+ filesetacl: "Restricted Client's FileSet",
+ catalogacl: 'RestrictedCatalog',
+ commandacl: %w[run restore],
+ whereacl: '/',
+ }
+ end
+
+ it { is_expected.to contain_concat__fragment('bacula-director-console-restricted-user').with(content: <<~FRAGMENT) }
+ Console {
+ Name = restricted-user
+ Password = "A different UntrustedUser"
+ JobACL = Restricted Client Save
+ ClientACL = restricted-client
+ StorageACL = second-storage
+ ScheduleACL = weekly-schedule
+ PoolACL = backup-pool
+ FileSetACL = Restricted Client's FileSet
+ CatalogACL = RestrictedCatalog
+ CommandACL = run, restore
+ WhereACL = /
+ }
+ FRAGMENT
+ end
+ end
+ end
+end
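Review bot: Both contexts assert only the fragment's `content`, so nothing pins the fragment's `target` to the `conf.d/console.conf` file that manifests/director.pp now lists among the secret-bearing configs. A regression that wrote the password into a differently protected file would still pass. There is also no negative case for the new `Bacula::Command` type. A context with `commandacl: ['not-a-command']` and `it { is_expected.to compile.and_raise_error(/commandacl/) }` would show that unknown commands are refused at compile time. Adding `target:` to the existing `.with(...)` calls covers the first point.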
diff --git a/templates/bacula-dir-console.epp b/templates/bacula-dir-console.epp
new file mode 100644
index 00000000..2da27d3d
--- /dev/null
+++ b/templates/bacula-dir-console.epp
@@ -0,0 +1,42 @@
+<%
+ |
+ String $name,
+ String $password,
+ String $catalogacl,
+ Array $commandacl,
+ Optional[String] $jobacl,
+ Optional[String] $clientacl,
+ Optional[String] $storageacl,
+ Optional[String] $scheduleacl,
+ Optional[String] $poolacl,
+ Optional[String] $filesetacl,
+ Optional[String] $whereacl,
+ |
+-%>
+Console {
+ Name = <%= $name %>
+ Password = "<%= $password %>"
+<% if $jobacl { -%>
+ JobACL = <%= $jobacl %>
+<% } -%>
+<% if $clientacl { -%>
+ ClientACL = <%= $clientacl %>
+<% } -%>
+<% if $storageacl { -%>
+ StorageACL = <%= $storageacl %>
+<% } -%>
+<% if $scheduleacl { -%>
+ ScheduleACL = <%= $scheduleacl %>
+<% } -%>
+<% if $poolacl { -%>
+ PoolACL = <%= $poolacl %>
+<% } -%>
+<% if $filesetacl { -%>
+ FileSetACL = <%= $filesetacl %>
+<% } -%>
+ CatalogACL = <%= $catalogacl %>
+ CommandACL = <%= $commandacl.join(', ') %>
+<% if $whereacl { -%>
+ WhereACL = <%= $whereacl %>
+<% } -%>
+}
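Review bot: Every value is interpolated into the Director configuration verbatim, including `$password` inside double quotes on the `Password = "<%= $password %>"` line. A double quote or newline in `$password`, `$name` or any ACL string would therefore change the structure of the generated Console resource rather than just its value. Since this file defines what a restricted console may do, it is worth rejecting such characters in the define, for example with a `Pattern[/\A[^"\n]+\z/]` type on the password and a no-newline pattern on the ACL strings, or escaping them here. The template's parameter types are also looser than the define's (`String` versus `String[1]`, `Array` versus `Array[Bacula::Command]`); matching them keeps the check in place if the template is rendered from elsewhere.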
diff --git a/templates/bacula-dir-tail.epp b/templates/bacula-dir-tail.epp
index a8e4020d..d5aa3400 100644
--- a/templates/bacula-dir-tail.epp
+++ b/templates/bacula-dir-tail.epp
@@ -5,3 +5,4 @@
@<%= $bacula::conf_dir %>/conf.d/fileset.conf
@<%= $bacula::conf_dir %>/conf.d/jobdefs.conf
@<%= $bacula::conf_dir %>/conf.d/job.conf
+@<%= $bacula::conf_dir %>/conf.d/console.conf
diff --git a/types/command.pp b/types/command.pp
new file mode 100644
index 00000000..e116834f
--- /dev/null
+++ b/types/command.pp
@@ -0,0 +1,104 @@
+# A Bacula console command
+#
+# @see https://www.bacula.org/15.0.x-manuals/en/console/Bacula_Enterprise_Console.html
+type Bacula::Command = Enum[
+ # Console Commands
+ 'add',
+ 'autodisplay',
+ 'automount',
+ 'cancel',
+ 'cloud',
+ 'create',
+ 'delete',
+ 'disable',
+ 'enable',
+ 'estimate',
+ 'exit',
+ 'gui',
+ 'help',
+ 'label',
+ 'list',
+ 'llist',
+ 'messages',
+ 'memory',
+ 'mount',
+ 'prune',
+ 'purge',
+ 'query',
+ 'quit',
+ 'relabel',
+ 'release',
+ 'reload',
+ 'restart',
+ 'resume',
+ 'restore',
+ 'run',
+ 'setbandwidth',
+ 'setdebug',
+ 'setip',
+ 'show',
+ 'sqlquery',
+ 'status',
+ 'tag',
+ 'time',
+ 'trace',
+ 'umount',
+ 'unmount',
+ 'update',
+ 'use',
+ 'var',
+ 'version',
+ 'wait',
+ # Special dot Commands
+ '.api',
+ '.backups',
+ '.clients',
+ '.catalogs',
+ '.defaults',
+ '.die',
+ '.dir',
+ '.dump',
+ '.exit',
+ '.events',
+ '.filesets',
+ '.help',
+ '.jobs',
+ '.estimate',
+ '.jlist',
+ '.levels',
+ '.messages',
+ '.msgs',
+ '.pools',
+ '.quit',
+ '.putfile',
+ '.schedule',
+ '.sql',
+ '.status',
+ '.storage',
+ '.volstatus',
+ '.media',
+ '.mediatypes',
+ '.locations',
+ '.actiononpurge',
+ '.bvfs_lsdirs',
+ '.bvfs_lsfiles',
+ '.bvfs_get_volumes',
+ '.bvfs_update',
+ '.bvfs_get_jobids',
+ '.bvfs_get_jobs',
+ '.bvfs_get_bootstrap',
+ '.bvfs_get_fileindex',
+ '.bvfs_versions',
+ '.bvfs_get_delta',
+ '.bvfs_restore',
+ '.bvfs_cleanup',
+ '.bvfs_decode_lstat',
+ '.bvfs_clear_cache',
+ '.bvfs_update_fv',
+ '.bvfs_delete_fileid',
+ '.setuid',
+ '.ls',
+ '.types',
+ '.query',
+ '.tags',
+]
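Review bot: The enum puts read-only commands such as `list` and `status` next to ones that, as I understand them, modify or remove catalog data or run raw SQL (`delete`, `purge`, `prune`, `sqlquery`, `.sql`), with only the two section comments to tell them apart. Because users choose CommandACL values from this type, a short comment above the list would help keep restricted consoles least-privileged, for example `# NOTE: delete, purge, prune, sqlquery and .sql change catalog data; grant them only to trusted consoles`. The `@see` link points at the 15.0.x manual, so it may also be worth stating which Bacula versions this list was checked against.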