Use wireguard for db connections to archlinux.org

Fix #177

group_vars/mirrors.yml

 ---
-archweb_db_host: 'archlinux.org'
+archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
 
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"

playbooks/archlinux.org.yml

@@ -3,17 +3,11 @@
 - name: "prepare postgres ssl hosts list"
   hosts: archlinux.org
   tasks:
-    - name: assign ipv4 addresses to fact postgres_ssl_hosts4
-      set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
+    - name: assign ipv4 addresses to fact postgres_hosts4
+      set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
       vars:
-        gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
-        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
-      tags: ["postgres", "firewall"]
-    - name: assign ipv6 addresses to fact postgres_ssl_hosts6
-      set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
-      vars:
-        gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
-        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
+        gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
+        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
       tags: ["postgres", "firewall"]
 
 - name: setup archlinux.org
@@ -29,8 +23,8 @@
     - { role: nginx }
     - { role: postfix_null }
     - role: postgres
-      postgres_listen_addresses: "*"
-      postgres_ssl: 'on'
+      postgres_listen_addresses: "localhost, {{ wireguard_address }}"
+      postgres_firewalld_zone: wireguard
     - { role: sudo }
     - { role: uwsgi }
     - { role: memcached }

playbooks/gemini.archlinux.org.yml

@@ -4,7 +4,7 @@
   hosts: gemini.archlinux.org
   remote_user: root
   vars:
-    archweb_db_host: 'archlinux.org'
+    archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
     dbscripts_commit: '20191022'
   roles:
     - { role: common }
@@ -18,7 +18,7 @@
     - { role: certbot }
     - { role: nginx }
     - { role: archusers }
-    - { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", postgres_ssl: 'on', tags: ['archusers'] }
+    - { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", tags: ['archusers'] }
     - { role: arch_boxes_sync }
     - { role: archweb, archweb_site: false, archweb_services: true, archweb_mirrorcheck_locations: [5, 6] }
     - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }

roles/archweb/templates/local_settings.py.j2

@@ -31,9 +31,6 @@ DATABASES = {
         'PASSWORD': '{{ vault_archweb_db_site_password }}',
         'OPTIONS' : {
             'application_name': 'archweb',
-{% if archweb_db_host != 'localhost' %}
-            'sslmode': 'require',
-{% endif %}
         }
     },
 }

roles/dbscripts/templates/gen_rsyncd.conf.pl

@@ -10,7 +10,7 @@ umask 077;
 # TODO put these into credentials.ini and use Config::Simple to read it
 my $user = '{{ archweb_db_dbscripts_user }}';
 my $pass = '{{ vault_archweb_db_dbscripts_password }}';
-my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';
+my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl is defined and postgres_ssl == 'on' %};sslmode=require{% endif %}';
 
 my $scriptdir="/etc/rsyncd-conf-genscripts";
 my $infile="$scriptdir/rsyncd.conf.proto";

roles/postgres/defaults/main.yml

 ---
 postgres_listen_addresses: 'localhost'
 postgres_max_connections: '100'
+postgres_firewalld_zone:
 
 postgres_ssl: 'off'
 postgres_ssl_prefer_server_ciphers: 'on'
@@ -14,6 +15,8 @@ postgres_maintenance_work_mem: '64MB'
 postgres_effective_cache_size: '4GB'
 postgres_jit: 'on'
 
+postgres_hosts4: []
+postgres_hosts6: []
 postgres_ssl_hosts4: []
 postgres_ssl_hosts6: []
 

roles/postgres/tasks/main.yml

@@ -67,17 +67,17 @@
   when: postgres_ssl == 'on'
 
 - name: open firewall holes to known postgresql ipv4 clients
-  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
     rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
-  with_items: "{{ postgres_ssl_hosts4 }}"
+  with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
   when: configure_firewall
   tags:
     - firewall
 
 - name: open firewall holes to known postgresql ipv6 clients
-  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
     rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
-  with_items: "{{ postgres_ssl_hosts6 }}"
+  with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}"
   when: configure_firewall
   tags:
     - firewall

roles/postgres/templates/pg_hba.conf.j2

@@ -96,11 +96,17 @@ host    sameuser        all             ::1/128                 md5
 #host    replication     all             ::1/128                 md5
 
 # IPv4 Remote Clients
+{% for host in postgres_hosts4 %}
+host    all             all             {{ host }}              md5
+{% endfor %}
 {% for host in postgres_ssl_hosts4 %}
 hostssl all             all             {{ host }}              md5
 {% endfor %}
 
 # IPv6 Remote Clients
+{% for host in postgres_hosts6 %}
+host    all             all             {{ host }}              md5
+{% endfor %}
 {% for host in postgres_ssl_hosts6 %}
 hostssl all             all             {{ host }}              md5
 {% endfor %}