
Use wireguard for db connections to archlinux.org

Fix #177
This commit is contained in:
Kristian Klausen 2021-08-01 17:21:09 +02:00
parent 1db79c8045
commit 6a11db2f20
8 changed files with 23 additions and 23 deletions


@ -1,5 +1,5 @@
---
archweb_db_host: 'archlinux.org'
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
# raise tcp window limits to 32MiB
tcp_rmem: "10240 87380 33554432"


@ -3,17 +3,11 @@
- name: "prepare postgres ssl hosts list"
hosts: archlinux.org
tasks:
- name: assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
- name: assign ipv4 addresses to fact postgres_hosts4
set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
vars:
gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars:
gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: setup archlinux.org
@ -29,8 +23,8 @@
- { role: nginx }
- { role: postfix_null }
- role: postgres
postgres_listen_addresses: "*"
postgres_ssl: 'on'
postgres_listen_addresses: "localhost, {{ wireguard_address }}"
postgres_firewalld_zone: wireguard
- { role: sudo }
- { role: uwsgi }
- { role: memcached }
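Review bot: The rewritten fact task now derives `postgres_hosts4` from `wireguard_address`, and the `select()` on the `detected_ips` line silently drops any mirror that does not define that variable, so such a host loses database access without the play failing. An `assert` that every member of `groups['mirrors']` defines `wireguard_address`, placed before the `set_fact`, would surface that instead of hiding it. Because these addresses become plain `host` (non-TLS) pg_hba entries, the pairing with `postgres_firewalld_zone: wireguard` and the `localhost, {{ wireguard_address }}` listen list is what keeps port 5432 off the public interfaces; a one-line comment on the `postgres` role entry stating that dependency would help the next reader. The `setup archlinux.org` play continues outside the hunk.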


@ -4,7 +4,7 @@
hosts: gemini.archlinux.org
remote_user: root
vars:
archweb_db_host: 'archlinux.org'
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
dbscripts_commit: '20191022'
roles:
- { role: common }
@ -18,7 +18,7 @@
- { role: certbot }
- { role: nginx }
- { role: archusers }
- { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", postgres_ssl: 'on', tags: ['archusers'] }
- { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", tags: ['archusers'] }
- { role: arch_boxes_sync }
- { role: archweb, archweb_site: false, archweb_services: true, archweb_mirrorcheck_locations: [5, 6] }
- { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
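Review bot: The `archweb_db_host` override in the play vars is now the identical expression to the one in the group_vars hunk of this commit, so the value is maintained in two places and the play-level copy shadows the group one. If that group_vars file applies to gemini.archlinux.org the play var can be dropped; otherwise a comment explaining why gemini keeps its own copy would prevent the two from drifting apart later. Dropping `postgres_ssl: 'on'` from the `dbscripts` role entry leaves the variable undefined for that role, which the rsyncd template guard in this commit handles; a short note on the role line that dbscripts now connects to postgres without TLS over the tunnel would document the intent.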


@ -31,9 +31,6 @@ DATABASES = {
'PASSWORD': '{{ vault_archweb_db_site_password }}',
'OPTIONS' : {
'application_name': 'archweb',
{% if archweb_db_host != 'localhost' %}
'sslmode': 'require',
{% endif %}
}
},
}
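Review bot: Removing the `sslmode` option leaves the driver at its default (`prefer` in libpq), which silently accepts a plaintext session to whatever `archweb_db_host` resolves to, so nothing in the settings ties the no-TLS choice to tunnel hosts. A Jinja comment where the block was removed, `{# no sslmode: archweb_db_host is a WireGuard address, TLS is intentionally not required #}`, records that assumption for the next reader. Should a deployment ever point `archweb_db_host` at a non-tunnel address again, the former conditional would need to come back. The `DATABASES` dict starts before the hunk.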


@ -10,7 +10,7 @@ umask 077;
# TODO put these into credentials.ini and use Config::Simple to read it
my $user = '{{ archweb_db_dbscripts_user }}';
my $pass = '{{ vault_archweb_db_dbscripts_password }}';
my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';
my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl is defined and postgres_ssl == 'on' %};sslmode=require{% endif %}';
my $scriptdir="/etc/rsyncd-conf-genscripts";
my $infile="$scriptdir/rsyncd.conf.proto";
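Review bot: The guard `{% if postgres_ssl is defined and postgres_ssl == 'on' %}` is the long form of `{% if postgres_ssl | default('off') == 'on' %}`, which reads more directly and documents the fallback value in place. Either way the dbscripts connection from gemini now carries no `sslmode`, so confidentiality of the session rests on `archweb_db_host` being the WireGuard address; a comment on the `$db` line stating that would save the next reader a trip through the playbooks.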


@ -1,6 +1,7 @@
---
postgres_listen_addresses: 'localhost'
postgres_max_connections: '100'
postgres_firewalld_zone:
postgres_ssl: 'off'
postgres_ssl_prefer_server_ciphers: 'on'
@ -14,6 +15,8 @@ postgres_maintenance_work_mem: '64MB'
postgres_effective_cache_size: '4GB'
postgres_jit: 'on'
postgres_hosts4: []
postgres_hosts6: []
postgres_ssl_hosts4: []
postgres_ssl_hosts6: []
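Review bot: `postgres_firewalld_zone:` with no value is YAML null, the ambiguous form yamllint's `empty-values` rule flags; write `postgres_firewalld_zone: null` with a comment saying what null means, e.g. `# null: firewalld's default zone`, since the tasks hunk of this commit interpolates it as `zone={{ postgres_firewalld_zone }}` and, as far as I can tell, relies on Ansible rendering null as an empty value there — confirm on a host that does not override it. The new `postgres_hosts4`/`postgres_hosts6` lists also deserve a comment such as `# clients allowed without TLS (rendered as pg_hba "host" lines); only tunnel addresses belong here`, so they are not confused with the `postgres_ssl_hosts*` lists right below them.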


@ -67,17 +67,17 @@
when: postgres_ssl == 'on'
- name: open firewall holes to known postgresql ipv4 clients
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts4 }}"
with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
when: configure_firewall
tags:
- firewall
- name: open firewall holes to known postgresql ipv6 clients
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
with_items: "{{ postgres_ssl_hosts6 }}"
with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}"
when: configure_firewall
tags:
- firewall
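Review bot: The two changed firewalld tasks stay in `key=value` shorthand while gaining a templated `zone` argument, which is the form the Ansible style convention steers away from for module arguments; block-style arguments put each parameter on its own line and pass `{{ postgres_firewalld_zone }}` as a whole value instead of splicing it into a string. The ipv6 task below gets the same treatment, with `immediate: true` standing in for `immediate=yes`. The `when: postgres_ssl == 'on'` on the first line belongs to a task that starts before the hunk.
```yaml
- name: open firewall holes to known postgresql ipv4 clients
  ansible.posix.firewalld:
    zone: "{{ postgres_firewalld_zone }}"
    permanent: true
    state: enabled
    immediate: true
    rich_rule: "rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
  with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
  # … unchanged: when / tags …
```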


@ -96,11 +96,17 @@ host sameuser all ::1/128 md5
#host replication all ::1/128 md5
# IPv4 Remote Clients
{% for host in postgres_hosts4 %}
host all all {{ host }} md5
{% endfor %}
{% for host in postgres_ssl_hosts4 %}
hostssl all all {{ host }} md5
{% endfor %}
# IPv6 Remote Clients
{% for host in postgres_hosts6 %}
host all all {{ host }} md5
{% endfor %}
{% for host in postgres_ssl_hosts6 %}
hostssl all all {{ host }} md5
{% endfor %}
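Review bot: The new `host` loops are emitted before the existing `hostssl` loops, and since pg_hba.conf is first-match and `host` matches TLS and non-TLS sessions alike, an address present in both `postgres_hosts4` and `postgres_ssl_hosts4` (or the v6 pair) authenticates without TLS regardless of the `hostssl` line that follows; moving the `hostssl` loops first does not change that, because a plaintext session from such an address still falls through to `host`. The template cannot enforce the split, so the two lists must be kept disjoint; a comment above the new loop, `# non-TLS clients: only addresses reached over WireGuard belong in postgres_hosts4`, plus an assert in the role that the lists do not overlap, would make that contract visible. The same applies to the IPv6 block.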