break postgres client ips into separate variables

we have to use rich rules in firewalld to restict a specific port to a list of specific ip addresses. when using rich rules, you have to specify the address family (ipv4 or ipv6) which we can't do in an automated fashion with the ipv4 and ipv6 addresses of the clients dynamically generated into a single variable. so this commit creates 2 variables; one for ipv4 clients and one for ipv6 clients which can be referred to as required when creating the rich rules.

break postgres client ips into separate variables
7bd299a3 · Phillip Smith (fukawi2) · 4064139d · 7bd299a3 · 7bd299a3 · 7bd299a3
Commit 7bd299a3 authored 6 years ago by Phillip Smith (fukawi2)
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -7,12 +7,16 @@
 - name: "prepare postgres ssl hosts list"
  hosts: apollo.archlinux.org
  tasks:
-      - set_fact: postgres_ssl_hosts="{{ [orion4] + [orion6] + detected_ips}}"
+      - set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips}}"
        vars:
-            orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}{{ hostvars['orion.archlinux.org']['ipv4_netmask'] }}"
-            orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}{{ hostvars['orion.archlinux.org']['ipv6_netmask'] }}"
+            orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}"
            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
        tags: ["postgres"]
+      - set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips}}"
+        vars:
+            orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}"
+            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
+        tags: ["postgres"]

 - name: setup apollo
  hosts: apollo.archlinux.org

--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -10,4 +10,5 @@ postgres_ssl_ca_file: '/var/lib/postgres/data/chain.pem'

 postgres_shared_buffers: '128MB'

-postgres_ssl_hosts: []
+postgres_ssl_hosts4: []
+postgres_ssl_hosts6: []
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -50,7 +50,18 @@
        remote_src=true owner=postgres group=postgres mode=0400
  when: postgres_ssl == 'on'

- name: open firewall holes to known postgresql clients
-  firewalld: service=postgresql permanent=true state=enabled source={{item}} immediate=yes
-  with_items: "{{ postgres_ssl_hosts }}"
+- name: open firewall holes to known postgresql ipv4 clients
+  firewalld: permanent=true state=enabled immediate=yes
+    rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
+  with_items: "{{ postgres_ssl_hosts4 }}"
  when: configure_firewall
+  tags:
+    - firewall
+
+- name: open firewall holes to known postgresql ipv6 clients
+  firewalld: permanent=true state=enabled immediate=yes
+    rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
+  with_items: "{{ postgres_ssl_hosts6 }}"
+  when: configure_firewall
+  tags:
+    - firewall
--- a/roles/postgres/templates/pg_hba.conf.j2
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -90,6 +90,13 @@ host    sameuser        all             ::1/128                 md5
 #local   replication     all                                     peer
 #host    replication     all             127.0.0.1/32            md5
 #host    replication     all             ::1/128                 md5
-{% for host in postgres_ssl_hosts %}
+
+# IPv4 Remote Clients
+{% for host in postgres_ssl_hosts4 %}
+hostssl all             all             {{ host }}              md5
+{% endfor %}
+
+# IPv6 Remote Clients
+{% for host in postgres_ssl_hosts6 %}
 hostssl all             all             {{ host }}              md5
 {% endfor %}