6a11db2f
Commit
6a11db2f
authored
Aug 01, 2021
by
Kristian Klausen
Use wireguard for db connections to archlinux.org
Fix
#177
parent
1db79c80
Changes
8
group_vars/mirrors.yml
---
archweb_db_host
:
'
archlinux.org'
archweb_db_host
:
"
{{
hostvars[
'archlinux.org'
]['wireguard_address']
}}"
# raise tcp window limits to 32MiB
tcp_rmem
:
"
10240
87380
33554432"
...
...
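Review bot: The new `archweb_db_host` value duplicates the expression `"{{ hostvars['archlinux.org']['wireguard_address'] }}"` that playbooks/gemini.archlinux.org.yml sets in the same commit, so the two copies can drift the next time the database host or its address variable changes. Defining it once in a group var that both the mirrors group and gemini inherit, with per-host files overriding only where they differ, keeps the lookup in one place. Either way the line deserves a why-comment, since the value is no longer a hostname: `# archweb db traffic is expected to traverse wireguard, so resolve the tunnel address of archlinux.org`. If `wireguard_address` is ever missing from that host's vars, templating fails at play time rather than falling back to a public address, which is the preferable failure mode.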
playbooks/archlinux.org.yml
...
...
@@ -3,17 +3,11 @@
-
name
:
"
prepare
postgres
ssl
hosts
list"
hosts
:
archlinux.org
tasks
:
-
name
:
assign ipv4 addresses to fact postgres_
ssl_
hosts4
set_fact
:
postgres_
ssl_
hosts4="{{ [gemini4] + detected_ips }}"
-
name
:
assign ipv4 addresses to fact postgres_hosts4
set_fact
:
postgres_hosts4="{{ [gemini4] + detected_ips }}"
vars
:
gemini4
:
"
{{
hostvars['gemini.archlinux.org']['ipv4_address']
}}/32"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv4_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/32')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact
:
postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars
:
gemini6
:
"
{{
hostvars['gemini.archlinux.org']['ipv6_address']
}}/128"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv6_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/128')
|
list
}}"
gemini4
:
"
{{
hostvars['gemini.archlinux.org']['wireguard_address']
}}/32"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['wireguard_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/32')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
setup archlinux.org
...
...
@@ -29,8 +23,8 @@
-
{
role
:
nginx
}
-
{
role
:
postfix_null
}
-
role
:
postgres
postgres_listen_addresses
:
"
*
"
postgres_
ssl
:
'
on'
postgres_listen_addresses
:
"
localhost,
{{
wireguard_address
}}
"
postgres_
firewalld_zone
:
wireguard
-
{
role
:
sudo
}
-
{
role
:
uwsgi
}
-
{
role
:
memcached
}
...
...
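Review bot: The task that built `postgres_ssl_hosts6` is removed from the first hunk without an ipv6 replacement, so `postgres_hosts6` stays at the `[]` default added to roles/postgres/defaults/main.yml in this commit and no ipv6 client gets a pg_hba entry or firewall hole. If that is deliberate because the tunnel peers are addressed over ipv4 only, a comment on the remaining set_fact task would save a reader from hunting for a missing v6 task, e.g. `# wireguard peers are reached over ipv4 only; no ipv6 client list is needed`. The `detected_ips` pipeline is otherwise the same shape as the old `ipv4_address` version, so its handling of a mirror that lacks the extracted attribute is unchanged. The play continues past the hunk.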
playbooks/gemini.archlinux.org.yml
...
...
@@ -4,7 +4,7 @@
hosts
:
gemini.archlinux.org
remote_user
:
root
vars
:
archweb_db_host
:
'
archlinux.org'
archweb_db_host
:
"
{{
hostvars[
'archlinux.org'
]['wireguard_address']
}}"
dbscripts_commit
:
'
20191022'
roles
:
-
{
role
:
common
}
...
...
@@ -18,7 +18,7 @@
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
archusers
}
-
{
role
:
dbscripts
,
repos_domain
:
"
repos.archlinux.org"
,
repos_rsync_domain
:
"
rsync.archlinux.org"
,
svntogit_repos
:
"
/srv/svntogit/repos"
,
postgres_ssl
:
'
on'
,
tags
:
[
'
archusers'
]
}
-
{
role
:
dbscripts
,
repos_domain
:
"
repos.archlinux.org"
,
repos_rsync_domain
:
"
rsync.archlinux.org"
,
svntogit_repos
:
"
/srv/svntogit/repos"
,
tags
:
[
'
archusers'
]
}
-
{
role
:
arch_boxes_sync
}
-
{
role
:
archweb
,
archweb_site
:
false
,
archweb_services
:
true
,
archweb_mirrorcheck_locations
:
[
5
,
6
]
}
-
{
role
:
sources
,
sources_domain
:
"
sources.archlinux.org"
,
sources_dir
:
"
/srv/sources"
}
...
...
roles/archweb/templates/local_settings.py.j2
...
...
@@ -31,9 +31,6 @@ DATABASES = {
'PASSWORD': '{{ vault_archweb_db_site_password }}',
'OPTIONS' : {
'application_name': 'archweb',
{% if archweb_db_host != 'localhost' %}
'sslmode': 'require',
{% endif %}
}
},
}
...
...
roles/dbscripts/templates/gen_rsyncd.conf.pl
...
...
@@ -10,7 +10,7 @@ umask 077;
# TODO put these into credentials.ini and use Config::Simple to read it
my
$user
=
'
{{ archweb_db_dbscripts_user }}
';
my
$pass
=
'
{{ vault_archweb_db_dbscripts_password }}
';
my
$db
=
'
DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl ==
'
on
'
%};sslmode=require{% endif %}
';
my
$db
=
'
DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl
is defined and postgres_ssl
==
'
on
'
%};sslmode=require{% endif %}
';
my
$scriptdir
=
"
/etc/rsyncd-conf-genscripts
";
my
$infile
=
"
$scriptdir
/rsyncd.conf.proto
";
...
...
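Review bot: With the added `is defined` guard, the generated DSN carries no `sslmode` at all whenever `postgres_ssl` is not passed, which is now the case for the dbscripts role on gemini (playbooks/gemini.archlinux.org.yml in this commit drops `postgres_ssl: 'on'`); the client's TLS behaviour then falls back to libpq's default rather than being stated in the file, and the server side reverts to the role default `postgres_ssl: 'off'`. Because this connection carries a password whose confidentiality now rests on the tunnel, the template should say so next to the line, e.g. `# sslmode is only requested when the server offers TLS; without it the link is expected to be the wireguard tunnel`. Readability would also improve by lifting the condition out of the Perl literal: `{% set sslmode = ';sslmode=require' if (postgres_ssl is defined and postgres_ssl == 'on') else '' %}` on its own line and then `my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{{ sslmode }}';`. Note that all of these values land inside single-quoted Perl literals, so a `'` in any of them would break the script; that is pre-existing and operator-controlled, but it is another reason to keep the literal simple.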
roles/postgres/defaults/main.yml
---
postgres_listen_addresses
:
'
localhost'
postgres_max_connections
:
'
100'
postgres_firewalld_zone
:
postgres_ssl
:
'
off'
postgres_ssl_prefer_server_ciphers
:
'
on'
...
...
@@ -14,6 +15,8 @@ postgres_maintenance_work_mem: '64MB'
postgres_effective_cache_size
:
'
4GB'
postgres_jit
:
'
on'
postgres_hosts4
:
[]
postgres_hosts6
:
[]
postgres_ssl_hosts4
:
[]
postgres_ssl_hosts6
:
[]
...
...
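Review bot: The new `postgres_firewalld_zone:` default is null, and roles/postgres/tasks/main.yml in this commit interpolates it unconditionally as `zone={{ postgres_firewalld_zone }}`, so every host that does not override it (only archlinux.org does on this page) would hand firewalld an empty or literal `None` zone name instead of the default zone the rule previously landed in; which of the two you get depends on the templating mode, but neither is a valid zone. Either give the default the zone the rule implicitly used before, or make the task tolerate the unset case by switching its arguments to dict form with `zone: "{{ postgres_firewalld_zone | default(omit, true) }}"`, which drops the parameter when the value is null or empty. The new `postgres_hosts4`/`postgres_hosts6` defaults in the second hunk are fine as `[]` and are what the pg_hba loops rely on.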
roles/postgres/tasks/main.yml
...
...
@@ -67,17 +67,17 @@
when
:
postgres_ssl == 'on'
-
name
:
open firewall holes to known postgresql ipv4 clients
ansible.posix.firewalld
:
permanent=true state=enabled immediate=yes
ansible.posix.firewalld
:
zone={{ postgres_firewalld_zone }}
permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
with_items
:
"
{{
postgres_ssl_hosts4
}}"
with_items
:
"
{{
postgres_hosts4
+
postgres_ssl_hosts4
}}"
when
:
configure_firewall
tags
:
-
firewall
-
name
:
open firewall holes to known postgresql ipv6 clients
ansible.posix.firewalld
:
permanent=true state=enabled immediate=yes
ansible.posix.firewalld
:
zone={{ postgres_firewalld_zone }}
permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
with_items
:
"
{{
postgres_ssl_hosts6
}}"
with_items
:
"
{{
postgres_hosts6
+
postgres_ssl_hosts6
}}"
when
:
configure_firewall
tags
:
-
firewall
...
...
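Review bot: Both firewalld tasks now open port 5432 for `postgres_hosts4 + postgres_ssl_hosts4` (and the v6 pair) inside a single zone, but firewalld rich rules only apply to traffic that was already classified into that zone, so if `postgres_ssl_hosts*` is ever populated with non-tunnel addresses again, those clients would not be matched in the `wireguard` zone unless their ingress interface or source is bound there too. With both ssl lists defaulting to `[]` after this commit that is moot today, so a comment is enough to stop the assumption from being forgotten: `# both client lists are opened in the same zone; tunnel peers only — non-tunnel ssl clients would need their own zone/rule`. The two-line plain-scalar argument string (`zone=... permanent=... rich_rule=...`) also reads better as a YAML mapping, which would additionally let the zone be omitted when unset.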
roles/postgres/templates/pg_hba.conf.j2
...
...
@@ -96,11 +96,17 @@ host sameuser all ::1/128 md5
#host replication all ::1/128 md5
# IPv4 Remote Clients
{% for host in postgres_hosts4 %}
host all all {{ host }} md5
{% endfor %}
{% for host in postgres_ssl_hosts4 %}
hostssl all all {{ host }} md5
{% endfor %}
# IPv6 Remote Clients
{% for host in postgres_hosts6 %}
host all all {{ host }} md5
{% endfor %}
{% for host in postgres_ssl_hosts6 %}
hostssl all all {{ host }} md5
{% endfor %}
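Review bot: The added `host all all {{ host }} md5` loops admit connections with or without TLS from every `postgres_hosts4`/`postgres_hosts6` address, and because pg_hba.conf is matched top to bottom they sit above the `hostssl` loops, so an address present in both lists gets the rule that permits plaintext. That is the intended trade-off for tunnel peers, but the template should record the constraint where the next maintainer will edit it: `# postgres_hosts4/6 are wireguard peers: plaintext is acceptable only because the link itself is encrypted; public clients belong in postgres_ssl_hosts4/6`. The new entries reuse `md5` from the surrounding lines; `scram-sha-256` is the stronger password method if the server and every client support it, but that is a separate change. Empty lists render nothing, which is what the `[]` defaults added in roles/postgres/defaults/main.yml rely on.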