|
|
@@ -1,37 +1,35 @@
|
|
|
+{%- set fqdn = salt['pillar.get']('burp:server:fqdn') %}
|
|
|
+{%- set ops_mail = salt['pillar.get']('globals:ops_mail') %}
|
|
|
#
|
|
|
-# Burp server configuration (Salt managed)
|
|
|
+# FFHO burp server config (Salt managed)
|
|
|
#
|
|
|
|
|
|
mode = server
|
|
|
-
|
|
|
-# The default addresses to listen on depend upon compile time options.
|
|
|
-# They may be overridden here.
|
|
|
-address = 10.132.251.71
|
|
|
-port = 4971
|
|
|
+listen = 0.0.0.0:4971
|
|
|
+max_children = 5
|
|
|
|
|
|
# Think carefully before changing the status port address, as it can be used
|
|
|
# to view the contents of backups.
|
|
|
-#status_address = 10.132.251.71
|
|
|
-# If you do not wish to run a status server at all, comment status_port out.
|
|
|
-status_port = 4972
|
|
|
+#listen_status = 127.0.0.1:4972
|
|
|
+#max_status_children = 5
|
|
|
|
|
|
directory = /srv/burp/
|
|
|
|
|
|
dedup_group = global
|
|
|
clientconfdir = /etc/burp/clientconfdir
|
|
|
-
|
|
|
-# Automagically choose protocol
|
|
|
-protocol = 0
|
|
|
-
|
|
|
+# Choose the protocol to use.
|
|
|
+# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
|
|
|
+# with a pseudo mirrored storage on the server and optional rsync). 2 forces
|
|
|
+# protocol2 mode (inline deduplication with variable length blocks).
|
|
|
+# Like many other settings, this can be set per client in the clientconfdir
|
|
|
+# files.
|
|
|
+# protocol = 0
|
|
|
pidfile = /var/run/burp.server.pid
|
|
|
hardlinked_archive = 0
|
|
|
working_dir_recovery_method = delete
|
|
|
-max_children = 5
|
|
|
-max_status_children = 5
|
|
|
umask = 0022
|
|
|
syslog = 1
|
|
|
stdout = 0
|
|
|
-
|
|
|
# The following options can restrict what the client can do.
|
|
|
# Restore clients can override all of these expect for force_backup.
|
|
|
client_can_delete = 0
|
|
|
@@ -54,6 +52,14 @@ client_can_verify = 1
|
|
|
# Set to 0 to turn it off.
|
|
|
version_warn = 1
|
|
|
|
|
|
+# More configuration files can be read, using syntax like the following
|
|
|
+# (without the leading '# ').
|
|
|
+# . path/to/more/conf
|
|
|
+
|
|
|
+# Location of autoupgrade files to serve to clients. Leave it commented out
|
|
|
+# to not autoupgrade clients.
|
|
|
+# autoupgrade_dir = /etc/burp/autoupgrade/server
|
|
|
+
|
|
|
# You can have as many 'keep' lines as you like.
|
|
|
# For example, if running backups daily, setting 7, 4, 6 will keep
|
|
|
# 7 daily backups, 4 weekly, and 6 four-weekly backups.
|
|
|
@@ -61,11 +67,42 @@ keep = 7
|
|
|
# keep = 4
|
|
|
# keep = 6
|
|
|
|
|
|
+# Run as different user/group.
|
|
|
+# user=graham
|
|
|
+# group=nogroup
|
|
|
+
|
|
|
+# CA options.
|
|
|
+# If you want your server to be a certificate authority and generate its own
|
|
|
+# certificates, uncomment the following lines. If the directory specified in
|
|
|
+# ca_conf does not exist, the server will create, populate it, and the paths
|
|
|
+# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
|
|
|
+# overwritten. See docs/burp_ca.txt for more information.
|
|
|
+#ca_conf = /etc/burp/CA.cnf
|
|
|
+#ca_name = burpCA
|
|
|
+#ca_server_name = burpserver
|
|
|
+#ca_burp_ca = /usr/sbin/burp_ca
|
|
|
+#
|
|
|
+# Check for revoked certificates in the certificate revocation list.
|
|
|
+# Turn this off if you use the old ssl_extra_checks_script server script.
|
|
|
ca_crl_check = 0
|
|
|
+
|
|
|
+# SSL certificate authority - same file on both server and client
|
|
|
ssl_cert_ca = /etc/ssl/certs/ffho-cacert.pem
|
|
|
-ssl_cert = /etc/ssl/certs/hamster.in.ffho.net.cert.pem
|
|
|
-ssl_key = /etc/ssl/private/hamster.in.ffho.net.key.pem
|
|
|
-ssl_dhfile = /etc/ssl/dhfile.pem
|
|
|
+
|
|
|
+# Server SSL certificate
|
|
|
+ssl_cert = /etc/ssl/certs/{{ fqdn }}.cert.pem
|
|
|
+
|
|
|
+# Server SSL key
|
|
|
+ssl_key = /etc/ssl/private/{{ fqdn }}.key.pem
|
|
|
+
|
|
|
+# Server DH file.
|
|
|
+ssl_dhfile = /etc/burp/dhfile.pem
|
|
|
+
|
|
|
+# Server SSL ciphers
|
|
|
+#ssl_ciphers =
|
|
|
+
|
|
|
+# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
|
|
|
+#ssl_compression = zlib5
|
|
|
|
|
|
|
|
|
timer_script = /usr/share/burp/scripts/timer_script
|
|
|
@@ -88,8 +125,8 @@ timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
|
|
|
# %w - number of warnings, if any
|
|
|
notify_success_script = /usr/share/burp/scripts/notify_script
|
|
|
notify_success_arg = sendmail -t
|
|
|
-notify_success_arg = To: ops@ffho.net
|
|
|
-notify_success_arg = From: ops@ffho.net
|
|
|
+notify_success_arg = To: {{ ops_mail }}
|
|
|
+notify_success_arg = From: {{ ops_mail }}
|
|
|
notify_success_arg = Subject: %b succeeded: %c %w
|
|
|
# Uncomment the following to have success notifications only if there were
|
|
|
# warnings.
|
|
|
@@ -101,6 +138,34 @@ notify_success_arg = Subject: %b succeeded: %c %w
|
|
|
# Uncomment the following for email notifications of backups that failed.
|
|
|
notify_failure_script = /usr/share/burp/scripts/notify_script
|
|
|
notify_failure_arg = sendmail -t
|
|
|
-notify_failure_arg = To: ops@ffho.net
|
|
|
-notify_failure_arg = From: ops@ffho.net
|
|
|
+notify_failure_arg = To: {{ ops_mail }}
|
|
|
+notify_failure_arg = From: {{ ops_mail }}
|
|
|
notify_failure_arg = Subject: %b failed: %c %w
|
|
|
+
|
|
|
+# The server can run scripts on each connection after authentication and before
|
|
|
+# disconnecting.
|
|
|
+#server_script_pre = /usr/share/burp/scripts/ssl_extra_checks_script
|
|
|
+#server_script_pre_arg = /etc/burp/crl
|
|
|
+#server_script_pre_arg = /etc/burp/burp-server.conf
|
|
|
+#server_script_pre_arg = /usr/share/burp/scripts/server-pre-script.local
|
|
|
+# Set server_script_pre_notify to 1 to have notifications on server_script_pre
|
|
|
+# returning non-zero. Most people will want to leave this off - it could
|
|
|
+# result in a lot of emails because clients normally connect once every 20
|
|
|
+# minutes. Requires notify_failure_script to be set above.
|
|
|
+#server_script_pre_notify = 0
|
|
|
+#server_script_post =
|
|
|
+#server_script_post_arg =
|
|
|
+#server_script_post_arg =
|
|
|
+#server_script_post_run_on_fail=0
|
|
|
+# As for server_script_pre_notify, but for post.
|
|
|
+#server_script_post_notify = 0
|
|
|
+
|
|
|
+# Clients that are able to list and restore files belonging to any other
|
|
|
+# client. If this is too permissive, you may set a restore_client for
|
|
|
+# individual original clients in the individual clientconfdir files.
|
|
|
+# restore_client = someclient
|
|
|
+# restore_client = someotherclient
|
|
|
+
|
|
|
+# Whether or not the server process should cache the tree when a monitor client
|
|
|
+# is browsing a backup. Advantage: speed. Disadvantage: more memory is used.
|
|
|
+#monitor_browse_cache = 1
|
