Commit d13089e6 authored by Phillip Smith (fukawi2)'s avatar Phillip Smith (fukawi2)
Browse files

break postgres client ips into separate variables

we have to use rich rules in firewalld to restict a specific port to a list of
specific ip addresses. when using rich rules, you have to specify the address
family (ipv4 or ipv6) which we can't do in an automated fashion with the ipv4
and ipv6 addresses of the clients dynamically generated into a single variable.
so this commit creates 2 variables; one for ipv4 clients and one for ipv6
clients which can be referred to as required when creating the rich rules.
parent c43b18f8
......@@ -7,12 +7,16 @@
- name: "prepare postgres ssl hosts list"
hosts: apollo.archlinux.org
tasks:
- set_fact: postgres_ssl_hosts="{{ [orion4] + [orion6] + detected_ips}}"
- set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips}}"
vars:
orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}{{ hostvars['orion.archlinux.org']['ipv4_netmask'] }}"
orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}{{ hostvars['orion.archlinux.org']['ipv6_netmask'] }}"
orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
tags: ["postgres"]
- set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips}}"
vars:
orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
tags: ["postgres"]
- name: setup apollo
hosts: apollo.archlinux.org
......
......@@ -10,4 +10,5 @@ postgres_ssl_ca_file: '/var/lib/postgres/data/chain.pem'
postgres_shared_buffers: '128MB'
postgres_ssl_hosts: []
postgres_ssl_hosts4: []
postgres_ssl_hosts6: []
......@@ -50,7 +50,18 @@
remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on'
- name: open firewall holes to known postgresql clients
firewalld: service=postgresql permanent=true state=enabled source={{item}} immediate=yes
with_items: "{{ postgres_ssl_hosts }}"
- name: open firewall holes to known postgresql ipv4 clients
firewalld: permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts4 }}"
when: configure_firewall
tags:
- firewall
- name: open firewall holes to known postgresql ipv6 clients
firewalld: permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts6 }}"
when: configure_firewall
tags:
- firewall
......@@ -90,6 +90,13 @@ host sameuser all ::1/128 md5
#local replication all peer
#host replication all 127.0.0.1/32 md5
#host replication all ::1/128 md5
{% for host in postgres_ssl_hosts %}
# IPv4 Remote Clients
{% for host in postgres_ssl_hosts4 %}
hostssl all all {{ host }} md5
{% endfor %}
# IPv6 Remote Clients
{% for host in postgres_ssl_hosts6 %}
hostssl all all {{ host }} md5
{% endfor %}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment