Commit 6a11db2f authored by Kristian Klausen's avatar Kristian Klausen 🎉

Use wireguard for db connections to archlinux.org

Fix #177
parent 1db79c80
---
archweb_db_host: 'archlinux.org'
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
# raise tcp window limits to 32MiB
tcp_rmem: "10240 87380 33554432"
......
......@@ -3,17 +3,11 @@
- name: "prepare postgres ssl hosts list"
hosts: archlinux.org
tasks:
- name: assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
- name: assign ipv4 addresses to fact postgres_hosts4
set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
vars:
gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars:
gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: setup archlinux.org
......@@ -29,8 +23,8 @@
- { role: nginx }
- { role: postfix_null }
- role: postgres
postgres_listen_addresses: "*"
postgres_ssl: 'on'
postgres_listen_addresses: "localhost, {{ wireguard_address }}"
postgres_firewalld_zone: wireguard
- { role: sudo }
- { role: uwsgi }
- { role: memcached }
......
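Review bot: Dropping `postgres_ssl: 'on'` from the postgres role invocation in the second hunk leaves the role at the default `postgres_ssl: 'off'` that this commit shows in the role defaults, so the listener bound via `postgres_listen_addresses: "localhost, {{ wireguard_address }}"` is now plaintext and transport protection depends entirely on the tunnel plus the `postgres_firewalld_zone: wireguard` scoping. That is the trade-off the commit title describes, but it is invisible at the call site; a comment such as `# no TLS: the listener is only reachable through the WireGuard tunnel (firewalld zone 'wireguard')` next to `postgres_firewalld_zone: wireguard` would record it. In the first hunk `detected_ips` still ends in `select()`, so a mirror without a `wireguard_address` is silently excluded from `postgres_hosts4` and loses database access without the play failing; either an `assert` over `groups['mirrors']` that `wireguard_address` is defined, or a comment stating that the exclusion is intended, is worth adding. The ipv6 fact task is removed outright, which is consistent with the tunnel addresses all being IPv4 but deserves a sentence in the commit message.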
......@@ -4,7 +4,7 @@
hosts: gemini.archlinux.org
remote_user: root
vars:
archweb_db_host: 'archlinux.org'
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
dbscripts_commit: '20191022'
roles:
- { role: common }
......@@ -18,7 +18,7 @@
- { role: certbot }
- { role: nginx }
- { role: archusers }
- { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", postgres_ssl: 'on', tags: ['archusers'] }
- { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", tags: ['archusers'] }
- { role: arch_boxes_sync }
- { role: archweb, archweb_site: false, archweb_services: true, archweb_mirrorcheck_locations: [5, 6] }
- { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
......
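Review bot: The play-level `archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"` added here is the same expression this commit writes into the first (vars) file of the diff; if that file already applies to gemini.archlinux.org, one of the two definitions is redundant and the pair can drift apart later. Keeping a single definition, presumably in the shared vars file, and dropping the override from this play's `vars:` would avoid that. The lookup also requires `wireguard_address` to be defined for `archlinux.org` from inventory or host vars at the time this play runs; if it only exists as a gathered fact, the expression fails with an undefined variable.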
......@@ -31,9 +31,6 @@ DATABASES = {
'PASSWORD': '{{ vault_archweb_db_site_password }}',
'OPTIONS' : {
'application_name': 'archweb',
{% if archweb_db_host != 'localhost' %}
'sslmode': 'require',
{% endif %}
}
},
}
......
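Review bot: Removing the `'sslmode': 'require'` option leaves psycopg2/libpq at its default `sslmode=prefer`, which silently falls back to a plaintext connection when the server does not offer TLS — exactly the situation the postgres role defaults in this commit now imply — and the template no longer records why that is acceptable. A Jinja comment above `'OPTIONS' : {`, such as `{# no sslmode: archweb_db_host is a WireGuard address; the tunnel provides transport encryption #}`, keeps the next reader from either re-adding `require` against a non-TLS server or assuming TLS is in place. The same applies to the Perl template in this commit, where the guarded `;sslmode=require` suffix is now normally absent.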
......@@ -10,7 +10,7 @@ umask 077;
# TODO put these into credentials.ini and use Config::Simple to read it
my $user = '{{ archweb_db_dbscripts_user }}';
my $pass = '{{ vault_archweb_db_dbscripts_password }}';
my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';
my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl is defined and postgres_ssl == 'on' %};sslmode=require{% endif %}';
my $scriptdir="/etc/rsyncd-conf-genscripts";
my $infile="$scriptdir/rsyncd.conf.proto";
......
---
postgres_listen_addresses: 'localhost'
postgres_max_connections: '100'
postgres_firewalld_zone:
postgres_ssl: 'off'
postgres_ssl_prefer_server_ciphers: 'on'
......@@ -14,6 +15,8 @@ postgres_maintenance_work_mem: '64MB'
postgres_effective_cache_size: '4GB'
postgres_jit: 'on'
postgres_hosts4: []
postgres_hosts6: []
postgres_ssl_hosts4: []
postgres_ssl_hosts6: []
......
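Review bot: `postgres_firewalld_zone:` with no value parses as null, not as an empty string or "use the default zone", and the tasks in this commit interpolate it unconditionally into `zone={{ postgres_firewalld_zone }}`; on every host that does not override it the module is then handed an empty `zone=` argument (Ansible renders null as an empty string in key=value args, to be confirmed), which is a behaviour change from the previous call that passed no `zone` at all. Make the default explicit and document it, e.g. `postgres_firewalld_zone: null  # firewalld zone for the client rich rules; null means the module default`, paired with a `default(omit, true)` in the consuming tasks so the comment holds. The new `postgres_hosts4: []` / `postgres_hosts6: []` defaults are fine as explicit empty lists.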
......@@ -67,17 +67,17 @@
when: postgres_ssl == 'on'
- name: open firewall holes to known postgresql ipv4 clients
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts4 }}"
with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
when: configure_firewall
tags:
- firewall
- name: open firewall holes to known postgresql ipv6 clients
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts6 }}"
with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}"
when: configure_firewall
tags:
- firewall
......
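Review bot: `zone={{ postgres_firewalld_zone }}` in both firewalld tasks passes the variable through even when it is the role default null, so hosts that do not set `postgres_firewalld_zone` now get an empty `zone=` argument instead of the module's default zone that the previous lines relied on; it should be `default(omit, true)` so an unset or empty value drops the parameter. While touching these lines, the free-form `key=value` form with an embedded template plus a separately quoted `rich_rule` is fragile and not what ansible-lint expects; native block args make the zone and the rule explicit. The ipv6 task takes the same shape with `family=ipv6` and `postgres_hosts6 + postgres_ssl_hosts6`. The enclosing task list starts before the hunk (`when: postgres_ssl == 'on'` belongs to an earlier task).
```yaml
- name: open firewall holes to known postgresql ipv4 clients
  ansible.posix.firewalld:
    zone: "{{ postgres_firewalld_zone | default(omit, true) }}"
    rich_rule: "rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
    permanent: true
    state: enabled
    immediate: true
  with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
  # … unchanged: when / tags …
```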
......@@ -96,11 +96,17 @@ host sameuser all ::1/128 md5
#host replication all ::1/128 md5
# IPv4 Remote Clients
{% for host in postgres_hosts4 %}
host all all {{ host }} md5
{% endfor %}
{% for host in postgres_ssl_hosts4 %}
hostssl all all {{ host }} md5
{% endfor %}
# IPv6 Remote Clients
{% for host in postgres_hosts6 %}
host all all {{ host }} md5
{% endfor %}
{% for host in postgres_ssl_hosts6 %}
hostssl all all {{ host }} md5
{% endfor %}
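Review bot: The new `host all all {{ host }} md5` lines for `postgres_hosts4` and `postgres_hosts6` accept non-TLS connections for every user and database from those addresses, unlike the `hostssl` lines they sit next to; the only thing keeping those sessions off a plain network path is that the addresses are WireGuard ones and the firewall rule is scoped to that zone. State that in the template so it survives the next edit: `# IPv4 Remote Clients over WireGuard (non-TLS; the tunnel provides transport encryption)` in place of `# IPv4 Remote Clients`, and the same for the IPv6 block. The new entries also copy `md5`; if the server version supports it, `scram-sha-256` is the stronger method for these newly added plaintext entries, since upstream treats md5 as the legacy option.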