From 6a11db2f2078ec0ebb76208092b436bff800cffe Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sun, 1 Aug 2021 17:21:09 +0200
Subject: [PATCH] Use wireguard for db connections to archlinux.org

Fix #177
---
 group_vars/mirrors.yml                       |  2 +-
 playbooks/archlinux.org.yml                  | 18 ++++++------------
 playbooks/gemini.archlinux.org.yml           |  4 ++--
 roles/archweb/templates/local_settings.py.j2 |  3 ---
 roles/dbscripts/templates/gen_rsyncd.conf.pl |  2 +-
 roles/postgres/defaults/main.yml             |  3 +++
 roles/postgres/tasks/main.yml                |  8 ++++----
 roles/postgres/templates/pg_hba.conf.j2      |  6 ++++++
 8 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/group_vars/mirrors.yml b/group_vars/mirrors.yml
index c33327ab1..a424fa109 100644
--- a/group_vars/mirrors.yml
+++ b/group_vars/mirrors.yml
@@ -1,5 +1,5 @@
 ---
-archweb_db_host: 'archlinux.org'
+archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
 
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"
diff --git a/playbooks/archlinux.org.yml b/playbooks/archlinux.org.yml
index 6302c0c47..b9c7d845a 100644
--- a/playbooks/archlinux.org.yml
+++ b/playbooks/archlinux.org.yml
@@ -3,17 +3,11 @@
 - name: "prepare postgres ssl hosts list"
   hosts: archlinux.org
   tasks:
-    - name: assign ipv4 addresses to fact postgres_ssl_hosts4
-      set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
+    - name: assign ipv4 addresses to fact postgres_hosts4
+      set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
       vars:
-        gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
-        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
-      tags: ["postgres", "firewall"]
-    - name: assign ipv6 addresses to fact postgres_ssl_hosts6
-      set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
-      vars:
-        gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
-        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
+        gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
+        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
       tags: ["postgres", "firewall"]
 
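Review bot: A mirror whose hostvars lack `wireguard_address` is now silently dropped from `postgres_hosts4`, because the `select()` on line 51 discards the undefined value, so that mirror loses both its pg_hba.conf entry and its firewall hole without any error; before the change the same could only happen to a host without `ipv4_address`, which is far less likely. An `assert` task ahead of the `set_fact`, e.g. `that: groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select('undefined') | list | length == 0`, would turn a missing tunnel address into a failed run instead of a quietly unreachable database. The play name on line 34, "prepare postgres ssl hosts list", is now stale since only `postgres_hosts4` is set and `postgres_ssl_hosts4`/`postgres_hosts6` fall back to the role defaults of `[]`; renaming it to "prepare postgres hosts list" would keep it honest. I assume the IPv6 fact was dropped because the WireGuard addresses are IPv4-only; a short comment saying so would help the next reader.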
 - name: setup archlinux.org
@@ -29,8 +23,8 @@
     - { role: nginx }
     - { role: postfix_null }
     - role: postgres
-      postgres_listen_addresses: "*"
-      postgres_ssl: 'on'
+      postgres_listen_addresses: "localhost, {{ wireguard_address }}"
+      postgres_firewalld_zone: wireguard
     - { role: sudo }
     - { role: uwsgi }
     - { role: memcached }
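Review bot: Binding `postgres_listen_addresses` to `{{ wireguard_address }}` on line 61 introduces a start-up ordering dependency on the WireGuard interface that nothing in the role expresses; as far as I recall PostgreSQL only warns when it cannot bind one of several listen addresses and starts anyway, so a boot where the tunnel comes up after postgresql.service leaves the server reachable on localhost alone until it is restarted. A systemd drop-in on postgresql.service with `After=<wireguard-unit>` and `Wants=<wireguard-unit>`, or `net.ipv4.ip_nonlocal_bind=1`, closes that gap. Dropping `postgres_ssl: 'on'` also means the `hostssl` lines in pg_hba.conf can no longer be satisfied on this host, which is consistent with `postgres_ssl_hosts4` now defaulting to `[]`, but a comment next to the role entry would stop someone re-adding an ssl host without turning TLS back on.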
diff --git a/playbooks/gemini.archlinux.org.yml b/playbooks/gemini.archlinux.org.yml
index 13a94511b..e5244c923 100644
--- a/playbooks/gemini.archlinux.org.yml
+++ b/playbooks/gemini.archlinux.org.yml
@@ -4,7 +4,7 @@
   hosts: gemini.archlinux.org
   remote_user: root
   vars:
-    archweb_db_host: 'archlinux.org'
+    archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
     dbscripts_commit: '20191022'
   roles:
     - { role: common }
@@ -18,7 +18,7 @@
     - { role: certbot }
     - { role: nginx }
     - { role: archusers }
-    - { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", postgres_ssl: 'on', tags: ['archusers'] }
+    - { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", tags: ['archusers'] }
     - { role: arch_boxes_sync }
     - { role: archweb, archweb_site: false, archweb_services: true, archweb_mirrorcheck_locations: [5, 6] }
     - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
diff --git a/roles/archweb/templates/local_settings.py.j2 b/roles/archweb/templates/local_settings.py.j2
index 5db526852..c21095377 100644
--- a/roles/archweb/templates/local_settings.py.j2
+++ b/roles/archweb/templates/local_settings.py.j2
@@ -31,9 +31,6 @@ DATABASES = {
         'PASSWORD': '{{ vault_archweb_db_site_password }}',
         'OPTIONS' : {
             'application_name': 'archweb',
-{% if archweb_db_host != 'localhost' %}
-            'sslmode': 'require',
-{% endif %}
         }
     },
 }
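Review bot: The `sslmode` option is removed unconditionally here, while the sibling template roles/dbscripts/templates/gen_rsyncd.conf.pl in this same commit keeps it behind `postgres_ssl is defined and postgres_ssl == 'on'`, so the two database clients now differ in whether they can ever request TLS. Using the same guard here, `{% if postgres_ssl is defined and postgres_ssl == 'on' %}` / `'sslmode': 'require',` / `{% endif %}`, keeps the templates consistent and lets archweb follow the server setting if TLS is enabled again. Without `sslmode` libpq defaults to `prefer`, which silently falls back to plaintext, so confidentiality of this connection now rests entirely on the WireGuard tunnel; a one-line comment above `'OPTIONS'` recording that assumption would help.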
diff --git a/roles/dbscripts/templates/gen_rsyncd.conf.pl b/roles/dbscripts/templates/gen_rsyncd.conf.pl
index c01422ebc..83f42d8a2 100755
--- a/roles/dbscripts/templates/gen_rsyncd.conf.pl
+++ b/roles/dbscripts/templates/gen_rsyncd.conf.pl
@@ -10,7 +10,7 @@ umask 077;
 # TODO put these into credentials.ini and use Config::Simple to read it
 my $user = '{{ archweb_db_dbscripts_user }}';
 my $pass = '{{ vault_archweb_db_dbscripts_password }}';
-my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';
+my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl is defined and postgres_ssl == 'on' %};sslmode=require{% endif %}';
 
 my $scriptdir="/etc/rsyncd-conf-genscripts";
 my $infile="$scriptdir/rsyncd.conf.proto";
diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index 5b9ea91f6..d9c961151 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 postgres_listen_addresses: 'localhost'
 postgres_max_connections: '100'
+postgres_firewalld_zone:
 
 postgres_ssl: 'off'
 postgres_ssl_prefer_server_ciphers: 'on'
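Review bot: The new default `postgres_firewalld_zone:` on line 123 is YAML null, and it is interpolated straight into the k=v argument `zone={{ postgres_firewalld_zone }}` in both firewall tasks of roles/postgres/tasks/main.yml in this commit; Ansible normally renders null as an empty string there, so the module receives `zone=` with an empty value rather than no zone, and whether ansible.posix.firewalld treats an empty string like an absent zone (the default zone) is not something I can confirm from here. Passing the argument only when set, e.g. `zone: "{{ postgres_firewalld_zone | default(omit, true) }}"` in YAML-dict form, makes the default-zone behaviour explicit instead of dependent on the module's handling of `''`. Every other host that includes the postgres role picks up this default, so a comment on the variable stating that an empty value means firewalld's default zone is worth adding.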
@@ -14,6 +15,8 @@ postgres_maintenance_work_mem: '64MB'
 postgres_effective_cache_size: '4GB'
 postgres_jit: 'on'
 
+postgres_hosts4: []
+postgres_hosts6: []
 postgres_ssl_hosts4: []
 postgres_ssl_hosts6: []
 
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 9c7212220..56111f69d 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -67,17 +67,17 @@
   when: postgres_ssl == 'on'
 
 - name: open firewall holes to known postgresql ipv4 clients
-  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
     rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
-  with_items: "{{ postgres_ssl_hosts4 }}"
+  with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
   when: configure_firewall
   tags:
     - firewall
 
 - name: open firewall holes to known postgresql ipv6 clients
-  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
     rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
-  with_items: "{{ postgres_ssl_hosts6 }}"
+  with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}"
   when: configure_firewall
   tags:
     - firewall
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
index bf1dd8acb..a74a30e21 100644
--- a/roles/postgres/templates/pg_hba.conf.j2
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -96,11 +96,17 @@ host    sameuser        all             ::1/128                 md5
 #host    replication     all             ::1/128                 md5
 
 # IPv4 Remote Clients
+{% for host in postgres_hosts4 %}
+host    all             all             {{ host }}              md5
+{% endfor %}
 {% for host in postgres_ssl_hosts4 %}
 hostssl all             all             {{ host }}              md5
 {% endfor %}
 
 # IPv6 Remote Clients
+{% for host in postgres_hosts6 %}
+host    all             all             {{ host }}              md5
+{% endfor %}
 {% for host in postgres_ssl_hosts6 %}
 hostssl all             all             {{ host }}              md5
 {% endfor %}
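Review bot: pg_hba.conf is first-match, and the new `host` loops on lines 170–172 and 178–180 are placed before the existing `hostssl` loops, so any address present in both `postgres_hosts4` and `postgres_ssl_hosts4` is matched by the non-TLS `host` line and its TLS requirement is silently lost; the firewall task in this commit already concatenates the two lists, so overlap is plausible. Emitting the `hostssl` loops first, or adding a comment above the `host` loop that the two lists must be disjoint, preserves the `hostssl` guarantee. A comment such as `# non-TLS connections are accepted here only because these peers are reached over WireGuard` above the IPv4 loop would record why `host` rather than `hostssl` is used.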
-- 
GitLab