Verified Commit cf2b01c0 authored by Florian Pritz's avatar Florian Pritz

Fix apollo postgres ip detection and firewall generation



- firewall tag so that the facts exist when only firewall is run
- always extract IPs from our host vars; there is no need to query
autodetected facts
- remove empty elements from the list with select(). not all hosts have
ipv6
- fix the subnetmask for v6
- fix the postgres role configuring a v4 rule instead of v6 for a v6
address
- hardcode netmask for orion addresses too

Little bit much for one commit, but splitting it doesn't make a whole
lot of sense.
Signed-off-by: Florian Pritz's avatarFlorian Pritz <bluewind@xinu.at>
parent 897666a2
---
- name: gather mirror facts
hosts: mirrors
tasks: []
- name: "prepare postgres ssl hosts list"
hosts: apollo.archlinux.org
tasks:
- set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips}}"
vars:
orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
tags: ["postgres"]
orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list}}"
tags: ["postgres", "firewall"]
- set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips}}"
vars:
orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
tags: ["postgres"]
orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}/128"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list}}"
tags: ["postgres", "firewall"]
- name: setup apollo
hosts: apollo.archlinux.org
......@@ -60,7 +60,7 @@
- name: open firewall holes to known postgresql ipv6 clients
firewalld: permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
rich_rule="rule family=ipv6 source address={{item}} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts6 }}"
when: configure_firewall
tags:
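Review bot: The firewalld task in this hunk only ever adds rules (`state=enabled`), so a mirror dropped from `postgres_ssl_hosts6` keeps its port-5432 allow rule until someone removes it by hand; unless a cleanup task exists elsewhere in the role, a companion task with `state=disabled` over the entries that are no longer in the list (or a reconciliation against the current rich rules) is needed to keep the allowlist equal to the inventory, and the same presumably holds for the ipv4 task this one mirrors, which is outside the hunk. Separately, `{{item}}` is spliced into the rich rule unvalidated: the values come from inventory host vars with a `/128` suffix appended unconditionally in the earlier hunk, so a host var that already carries a prefix or stray text yields a malformed rule rather than a clear failure, and a guard such as `when: configure_firewall and item is match('^[0-9A-Fa-f:]+/128$')` (or the netaddr-backed `ipv6` filter, where available) catches that before firewalld sees it. As a style point, the module args would read better as block YAML (`permanent: true`, `state: enabled`, `immediate: true`, `rich_rule: "..."`) than as a `key=value` string. The task's `tags:` value falls outside the hunk.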