parent
1db79c8045
commit
6a11db2f20
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
archweb_db_host: 'archlinux.org'
|
||||
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
|
||||
|
||||
# raise tcp window limits to 32MiB
|
||||
tcp_rmem: "10240 87380 33554432"
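Review bot: The new `archweb_db_host` value is resolved from `hostvars['archlinux.org']['wireguard_address']` at template time, which only works when `wireguard_address` is an inventory variable (host_vars/group_vars) for archlinux.org rather than a gathered fact; I cannot tell from this page which it is, and in the fact case a run that does not touch archlinux.org first would fail with an undefined variable. The reason for pointing the client at the tunnel address is not recorded in the file either, so a one-line comment above it such as `# reach the archweb database over the WireGuard tunnel; postgres on archlinux.org no longer listens on its public address` would keep the intent visible to the next maintainer.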
|
||||
|
|
|
@ -3,17 +3,11 @@
|
|||
- name: "prepare postgres ssl hosts list"
|
||||
hosts: archlinux.org
|
||||
tasks:
|
||||
- name: assign ipv4 addresses to fact postgres_ssl_hosts4
|
||||
set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
|
||||
- name: assign ipv4 addresses to fact postgres_hosts4
|
||||
set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
|
||||
vars:
|
||||
gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
|
||||
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
|
||||
tags: ["postgres", "firewall"]
|
||||
- name: assign ipv6 addresses to fact postgres_ssl_hosts6
|
||||
set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
|
||||
vars:
|
||||
gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
|
||||
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
|
||||
gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
|
||||
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
|
||||
tags: ["postgres", "firewall"]
|
||||
|
||||
- name: setup archlinux.org
|
||||
|
@ -29,8 +23,8 @@
|
|||
- { role: nginx }
|
||||
- { role: postfix_null }
|
||||
- role: postgres
|
||||
postgres_listen_addresses: "*"
|
||||
postgres_ssl: 'on'
|
||||
postgres_listen_addresses: "localhost, {{ wireguard_address }}"
|
||||
postgres_firewalld_zone: wireguard
|
||||
- { role: sudo }
|
||||
- { role: uwsgi }
|
||||
- { role: memcached }
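Review bot: The play is still named `prepare postgres ssl hosts list`, but after this change its only task populates `postgres_hosts4`, which (per the pg_hba template in this commit) produces plain `host` entries rather than `hostssl`; rename it to `- name: "prepare postgres hosts list"` so the name does not contradict the task. With `postgres_ssl: 'on'` dropped from the postgres role, the server falls back to the role default `postgres_ssl: 'off'`, so confidentiality of the md5 password exchange and of query traffic from the mirrors now rests entirely on the WireGuard tunnel plus the `wireguard` firewalld zone; a comment above the set_fact task stating that assumption, e.g. `# mirrors reach postgres over WireGuard only: the tunnel, not TLS, provides transport encryption`, would make the security boundary explicit. Note also that `select()` silently drops any mirror without a `wireguard_address`, so such a host loses database access with no error from this play; if that is intended it is worth saying so in the same comment. The `wireguard` firewalld zone is assumed to be defined elsewhere in the repository, which this page does not show.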
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
hosts: gemini.archlinux.org
|
||||
remote_user: root
|
||||
vars:
|
||||
archweb_db_host: 'archlinux.org'
|
||||
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
|
||||
dbscripts_commit: '20191022'
|
||||
roles:
|
||||
- { role: common }
|
||||
|
@ -18,7 +18,7 @@
|
|||
- { role: certbot }
|
||||
- { role: nginx }
|
||||
- { role: archusers }
|
||||
- { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", postgres_ssl: 'on', tags: ['archusers'] }
|
||||
- { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", svntogit_repos: "/srv/svntogit/repos", tags: ['archusers'] }
|
||||
- { role: arch_boxes_sync }
|
||||
- { role: archweb, archweb_site: false, archweb_services: true, archweb_mirrorcheck_locations: [5, 6] }
|
||||
- { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
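Review bot: The rewritten dbscripts role entry is a single flow-style mapping of well over 150 columns, which makes the dropped `postgres_ssl` key easy to miss in review; writing it as a block mapping (`- role: dbscripts` followed by one indented line per key: `repos_domain`, `repos_rsync_domain`, `svntogit_repos`, `tags`) would match the `- role: postgres` style used in the archlinux.org playbook in this same commit. Dropping `postgres_ssl` here now relies on the dbscripts template treating an undefined `postgres_ssl` as "no sslmode"; if a future host or group var defines `postgres_ssl` for gemini, the client connection string would change without any edit to this playbook, so a short comment next to the role noting that coupling would be helpful.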
|
||||
|
|
|
@ -31,9 +31,6 @@ DATABASES = {
|
|||
'PASSWORD': '{{ vault_archweb_db_site_password }}',
|
||||
'OPTIONS' : {
|
||||
'application_name': 'archweb',
|
||||
{% if archweb_db_host != 'localhost' %}
|
||||
'sslmode': 'require',
|
||||
{% endif %}
|
||||
}
|
||||
},
|
||||
}
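Review bot: Removing the `'sslmode': 'require'` option leaves psycopg2/libpq at the default `sslmode=prefer`, which negotiates TLS if the server offers it and otherwise falls back to a plaintext connection without any error, so nothing in this template now enforces transport encryption; the same applies to the DBI connection string in the rsyncd genscript template later in this commit, where `sslmode=require` is only emitted when `postgres_ssl` is defined and `'on'`. That is acceptable while `archweb_db_host` is a WireGuard address, but the template itself does not record that assumption. A Jinja comment at the removed spot, `{# no sslmode here: the DB host is reached over WireGuard; libpq's default 'prefer' would otherwise fall back to plaintext silently #}`, would prevent a later change of `archweb_db_host` to a public address from quietly reintroducing unencrypted database traffic.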
|
||||
|
|
|
@ -10,7 +10,7 @@ umask 077;
|
|||
# TODO put these into credentials.ini and use Config::Simple to read it
|
||||
my $user = '{{ archweb_db_dbscripts_user }}';
|
||||
my $pass = '{{ vault_archweb_db_dbscripts_password }}';
|
||||
my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';
|
||||
my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl is defined and postgres_ssl == 'on' %};sslmode=require{% endif %}';
|
||||
|
||||
my $scriptdir="/etc/rsyncd-conf-genscripts";
|
||||
my $infile="$scriptdir/rsyncd.conf.proto";
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
postgres_listen_addresses: 'localhost'
|
||||
postgres_max_connections: '100'
|
||||
postgres_firewalld_zone:
|
||||
|
||||
postgres_ssl: 'off'
|
||||
postgres_ssl_prefer_server_ciphers: 'on'
|
||||
|
@ -14,6 +15,8 @@ postgres_maintenance_work_mem: '64MB'
|
|||
postgres_effective_cache_size: '4GB'
|
||||
postgres_jit: 'on'
|
||||
|
||||
postgres_hosts4: []
|
||||
postgres_hosts6: []
|
||||
postgres_ssl_hosts4: []
|
||||
postgres_ssl_hosts6: []
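Review bot: The new defaults carry no documentation, so a reader cannot tell that `postgres_hosts4`/`postgres_hosts6` produce plain `host` pg_hba entries (accepted over any transport) while `postgres_ssl_hosts4`/`postgres_ssl_hosts6` produce `hostssl` entries, nor what an empty `postgres_firewalld_zone` means. I would add `# client CIDRs granted plain 'host' pg_hba entries (no TLS); only list hosts reached over an encrypted tunnel` above `postgres_hosts4`, `# client CIDRs granted 'hostssl' entries (TLS required)` above `postgres_ssl_hosts4`, and above `postgres_firewalld_zone` a line stating what the empty value is meant to do, since the tasks hunk in this commit renders it as `zone=` with nothing after the equals sign.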
|
||||
|
||||
|
|
|
@ -67,17 +67,17 @@
|
|||
when: postgres_ssl == 'on'
|
||||
|
||||
- name: open firewall holes to known postgresql ipv4 clients
|
||||
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
|
||||
ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
|
||||
rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
|
||||
with_items: "{{ postgres_ssl_hosts4 }}"
|
||||
with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: open firewall holes to known postgresql ipv6 clients
|
||||
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
|
||||
ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes
|
||||
rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
|
||||
with_items: "{{ postgres_ssl_hosts6 }}"
|
||||
with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}"
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
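Review bot: `zone={{ postgres_firewalld_zone }}` renders as `zone=` with an empty value whenever the role default (`postgres_firewalld_zone:` with no value) is in effect; I am not certain whether ansible.posix.firewalld treats an empty zone as the system default zone or rejects it, so this should be verified on a host that does not set the variable, or the parameter should be omitted when unset. The cleanest way is to move both tasks (the ipv6 task a few lines below has the same shape) from inline key=value form to the structured YAML form and use `default(omit, true)`, which drops the parameter for both undefined and empty values; the ipv4 task would become the following, with the ipv6 task changed analogously.
```yaml
- name: open firewall holes to known postgresql ipv4 clients
  ansible.posix.firewalld:
    zone: "{{ postgres_firewalld_zone | default(omit, true) }}"
    permanent: true
    state: enabled
    immediate: true
    rich_rule: "rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept"
  with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
  # … unchanged: when / tags …
```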
|
||||
|
|
|
@ -96,11 +96,17 @@ host sameuser all ::1/128 md5
|
|||
#host replication all ::1/128 md5
|
||||
|
||||
# IPv4 Remote Clients
|
||||
{% for host in postgres_hosts4 %}
|
||||
host all all {{ host }} md5
|
||||
{% endfor %}
|
||||
{% for host in postgres_ssl_hosts4 %}
|
||||
hostssl all all {{ host }} md5
|
||||
{% endfor %}
|
||||
|
||||
# IPv6 Remote Clients
|
||||
{% for host in postgres_hosts6 %}
|
||||
host all all {{ host }} md5
|
||||
{% endfor %}
|
||||
{% for host in postgres_ssl_hosts6 %}
|
||||
hostssl all all {{ host }} md5
|
||||
{% endfor %}
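Review bot: The new `host all all {{ host }} md5` lines admit the listed addresses over any transport, so unlike the `hostssl` lines they depend on the network path being encrypted by something else; from the playbook hunk in this commit that appears to be WireGuard, but the template does not say so. I would extend the section comments to make the assumption explicit, e.g. `# IPv4 Remote Clients (plain 'host' entries: no TLS, only for peers reached over an encrypted tunnel)` and the same for the IPv6 block. Separately, `md5` is the legacy password method; PostgreSQL 10 and later support `scram-sha-256`, which does not let a captured hash be replayed, and moving the new entries (and the existing ones) to it would be worth a follow-up change once the clients are confirmed to support it. The `all all` scope (any role on any database from these hosts) is pre-existing behaviour and is not changed here.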
|
||||
|
|