From 924107abbe7167a6335853fc0a1624efe40eaa97 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 2 Sep 2024 20:29:51 -0500 Subject: [PATCH 1/6] nextcloud: Support remote database server The _nextcloud_ role originally handled setting up the PostgreSQL database and assumed that it was running on the same server as Nextcloud itself. I have factored out those tasks into their own role, _nextcloud-db_, which can be applied to a separate host. I have also introduced some new variables (`nextcloud_db_host`, `nextcloud_db_name`, `nextcloud_db_user`, and `nextcloud_db_password`), which can be used to specify how to connect to the database, if it is hosted remotely. Since these variables are used by both the _nextcloud_ and _nextcloud-db_ roles, they are actually defined in a separate role, _nextcloud-base_, upon which both depend. --- nextcloud.yml | 9 ++++++++- roles/nextcloud-base/defaults/main.yml | 4 ++++ roles/nextcloud-base/tasks/main.yml | 0 roles/nextcloud-db/meta/main.yml | 2 ++ roles/nextcloud-db/tasks/main.yml | 19 +++++++++++++++++++ roles/nextcloud/meta/main.yml | 1 + roles/nextcloud/tasks/main.yml | 15 --------------- roles/nextcloud/templates/config.php.j2 | 10 +++++----- 8 files changed, 39 insertions(+), 21 deletions(-) create mode 100644 roles/nextcloud-base/defaults/main.yml create mode 100644 roles/nextcloud-base/tasks/main.yml create mode 100644 roles/nextcloud-db/meta/main.yml create mode 100644 roles/nextcloud-db/tasks/main.yml diff --git a/nextcloud.yml b/nextcloud.yml index e9737b1..c3a6017 100644 --- a/nextcloud.yml +++ b/nextcloud.yml @@ -1,7 +1,14 @@ +- hosts: nextcloud-db + vars_files: + - vault/nextcloud + roles: + - role: nextcloud-db + tags: + - nextcloud-db + - hosts: nextcloud vars_files: - vault/nextcloud roles: - - postgresql-server - apache - nextcloud diff --git a/roles/nextcloud-base/defaults/main.yml b/roles/nextcloud-base/defaults/main.yml new file mode 100644 index 0000000..0669852 --- /dev/null +++ b/roles/nextcloud-base/defaults/main.yml @@ -0,0 +1,4 @@ +nextcloud_db_name: nextcloud +nextcloud_db_host: localhost +nextcloud_db_port: '' +nextcloud_db_user: nextcloud diff --git a/roles/nextcloud-base/tasks/main.yml b/roles/nextcloud-base/tasks/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/nextcloud-db/meta/main.yml b/roles/nextcloud-db/meta/main.yml new file mode 100644 index 0000000..d6fc3f9 --- /dev/null +++ b/roles/nextcloud-db/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- nextcloud-base diff --git a/roles/nextcloud-db/tasks/main.yml b/roles/nextcloud-db/tasks/main.yml new file mode 100644 index 0000000..5ed6083 --- /dev/null +++ b/roles/nextcloud-db/tasks/main.yml @@ -0,0 +1,19 @@ +- name: ensure nextcloud database user exists + become: true + become_user: postgres + postgresql_user: + name: '{{ nextcloud_db_user }}' + password: '{{ nextcloud_db_password|d(omit) }}' + state: present + tags: + - postgresql-user + +- name: ensure nextcloud database exists + become: true + become_user: postgres + postgresql_db: + name: nextcloud + owner: nextcloud + state: present + tags: + - postgresql-db diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml index ff8645c..5804638 100644 --- a/roles/nextcloud/meta/main.yml +++ b/roles/nextcloud/meta/main.yml @@ -1,4 +1,5 @@ dependencies: +- nextcloud-base - role: redis tags: - redis diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 213da0b..9bbb04e 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -27,21 +27,6 @@ tags: - always -- name: ensure nextcloud database user exists - become: true - become_user: postgres - postgresql_user: - name: nextcloud - password: '{{ nextcloud_db_password }}' - state: present -- name: ensure nextcloud database exists - become: true - become_user: postgres - postgresql_db: - name: nextcloud - owner: nextcloud - state: present - - name: ensure nextcloud is configured template: src: config.php.j2 diff --git a/roles/nextcloud/templates/config.php.j2 b/roles/nextcloud/templates/config.php.j2 index f3c3a68..094002f 100644 --- a/roles/nextcloud/templates/config.php.j2 +++ b/roles/nextcloud/templates/config.php.j2 @@ -37,12 +37,12 @@ $CONFIG = array ( 'dbtype' => 'pgsql', 'version' => '{{ nc_version }}', 'overwrite.cli.url' => 'https://{{ nextcloud_server_name }}', - 'dbname' => 'nextcloud', - 'dbhost' => 'localhost', - 'dbport' => '', + 'dbname' => '{{ nextcloud_db_name }}', + 'dbhost' => '{{ nextcloud_db_host }}', + 'dbport' => '{{ nextcloud_db_port }}', 'dbtableprefix' => 'oc_', - 'dbuser' => 'nextcloud', - 'dbpassword' => '{{ nextcloud_db_password }}', + 'dbuser' => '{{ nextcloud_db_user }}', + 'dbpassword' => '{{ nextcloud_db_password|d("") }}', 'installed' => true, 'ldapIgnoreNamingRules' => false, 'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory', From 22dbc3ebc1b2524baf59d5aeaba57cc14dfd0976 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 2 Sep 2024 20:35:32 -0500 Subject: [PATCH 2/6] r/nextcloud-db-cert: Fetch client cert from k8s Currently, the certificate authority that issues certificates for PostgreSQL clients is hosted in Kubernetes and managed by _cert-manager_. Certificates it issues are stored in Kubernetes Secret resources, making them easy to consume by applications running in the cluster, but not for anything outside. Since Nextcloud runs on its own VM, we need a way to get the certificate out of the Secret and into a file on that machine. To that end, I've written the `nextcloud-fetch-cert.py` script. This script uses a Kubernetes Service Account token to authenticate to the Kubernetes API and download the contents of the Secret. It runs periodically, triggered by a systemd timer unit, to ensure the certificate is always up-to-date. The obvious drawback to this approach is the requirement for a static token. Since there's not really a way to "renew" Service Account tokens, it needs to be issued with a fairly long duration, to mitigate the risk of being unable to fetch a new certificate once it has expired because the token has also expired. This somewhat negates the advantage of using certificates for authentication, since now the machine needs a static, pre-defined secret. At some point, I may deploy another instance of _step-ca_ to manage the PostgreSQL client CA. Clients can then use e.g. `certbot` or `step ca certificate` to obtain their certificates. I chose not to implement this yet, though for a couple of reasons. First, I need to move the Nextcloud database very soon, so we switch to using `restic` for backups without having to deal with the database. Second, I am still considering moving Nextcloud into Kubernetes eventually, where it will be able to get the Secret directly; since Nextcloud is the only client outside the cluster, it may not be worth setting up _step-ca_ in that case. --- roles/nextcloud-db-cert/files/fetch-cert.py | 83 +++++++++++++++++++ .../files/nextcloud-fetch-cert.service | 17 ++++ roles/nextcloud-db-cert/handlers/main.yml | 8 ++ roles/nextcloud-db-cert/tasks/main.yml | 71 ++++++++++++++++ .../templates/nextcloud-fetch-cert.timer.j2 | 9 ++ 5 files changed, 188 insertions(+) create mode 100644 roles/nextcloud-db-cert/files/fetch-cert.py create mode 100644 roles/nextcloud-db-cert/files/nextcloud-fetch-cert.service create mode 100644 roles/nextcloud-db-cert/handlers/main.yml create mode 100644 roles/nextcloud-db-cert/tasks/main.yml create mode 100644 roles/nextcloud-db-cert/templates/nextcloud-fetch-cert.timer.j2 diff --git a/roles/nextcloud-db-cert/files/fetch-cert.py b/roles/nextcloud-db-cert/files/fetch-cert.py new file mode 100644 index 0000000..c92ab0c --- /dev/null +++ b/roles/nextcloud-db-cert/files/fetch-cert.py @@ -0,0 +1,83 @@ +#!/usr/bin/env python3 +import base64 +import json +import logging +import os +import ssl +import urllib.error +import urllib.request +from pathlib import Path + +try: + from systemd.journal import JournalHandler as LogHandler +except ModuleNotFoundError: + LogHandler = logging.StreamHandler + + +log = logging.getLogger('fetchcert') + + +CREDENTIALS_DIRECTORY = Path(os.environ['CREDENTIALS_DIRECTORY']) + +CA_FILE = Path('/etc/pki/ca-trust/kube-root-ca.crt') +CERT_OUT = Path('/etc/nextcloud/postgresql.cer') +KEY_OUT = Path('/etc/nextcloud/postgresql.key') + +BASE_URL = 'https://kubernetes.pyrocufflink.blue:6443' +NAMESPACE = 'postgresql-ca' +SECRET = 'nextcloud-client' + + +def main(): + if 'LOG_LEVEL' in os.environ: + logging.root.setLevel(os.environ['LOG_LEVEL'].upper()) + logging.root.addHandler(LogHandler()) + + token_path = CREDENTIALS_DIRECTORY / 'nextcloud.fetchcert.token' + log.debug('Reading token from %s', token_path) + token = token_path.read_text().rstrip() + + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + ctx.load_verify_locations(cafile=CA_FILE) + + url = f'{BASE_URL}/api/v1/namespaces/{NAMESPACE}/secrets/{SECRET}' + headers = { + 'Authorization': f'Bearer {token}' + } + req = urllib.request.Request(url, headers=headers) + log.info('Fetching Secret from %s', url) + try: + res = urllib.request.urlopen(req, context=ctx) + except urllib.error.HTTPError as e: + log.error('%s %s', e, e.read()) + raise SystemExit(1) + with res: + body = json.load(res) + log.info('Received HTTP reponse %d %s', res.status, res.reason) + cert = base64.b64decode(body['data']['tls.crt'].encode('ascii')) + key = base64.b64decode(body['data']['tls.key'].encode('ascii')) + cert_new = CERT_OUT.with_suffix(f'{CERT_OUT.suffix}.new') + key_new = KEY_OUT.with_suffix(f'{KEY_OUT.suffix}.new') + if not CERT_OUT.exists() or CERT_OUT.read_bytes() != cert: + log.debug('Writing certificate to %s', cert_new) + with cert_new.open('wb') as f: + os.fchown(f.fileno(), 0, 48) + os.fchmod(f.fileno(), 0o0444) + f.write(cert) + if not KEY_OUT.exists() or KEY_OUT.read_bytes() != key: + log.debug('Writing private key to %s', key_new) + with key_new.open('wb') as f: + os.fchown(f.fileno(), 0, 48) + os.fchmod(f.fileno(), 0o0440) + f.write(key) + if cert_new.exists(): + log.debug('Renaming %s to %s', cert_new, CERT_OUT) + cert_new.rename(CERT_OUT) + if key_new.exists(): + log.debug('Renaming %s to %s', key_new, KEY_OUT) + key_new.rename(KEY_OUT) + log.info('Successfully fetched certificate from Kubernetes Secret') + + +if __name__ == '__main__': + main() diff --git a/roles/nextcloud-db-cert/files/nextcloud-fetch-cert.service b/roles/nextcloud-db-cert/files/nextcloud-fetch-cert.service new file mode 100644 index 0000000..0e8f7af --- /dev/null +++ b/roles/nextcloud-db-cert/files/nextcloud-fetch-cert.service @@ -0,0 +1,17 @@ +[Unit] +Description=Fetch Nextcloud database client certificate +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +Environment=LOG_LEVEL=debug +ExecStart=/usr/local/libexec/nextcloud-fetch-cert.py +LoadCredential=nextcloud.fetchcert.token +CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN +PrivateTmp=yes +ProtectHome=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=full +ReadWritePaths=/etc/nextcloud diff --git a/roles/nextcloud-db-cert/handlers/main.yml b/roles/nextcloud-db-cert/handlers/main.yml new file mode 100644 index 0000000..c54df98 --- /dev/null +++ b/roles/nextcloud-db-cert/handlers/main.yml @@ -0,0 +1,8 @@ +- name: reload systemd + systemd: + daemon_reload: true + +- name: restart nextcloud-fetch-cert.timer + systemd: + name: nextcloud-fetch-cert.timer + state: restarted diff --git a/roles/nextcloud-db-cert/tasks/main.yml b/roles/nextcloud-db-cert/tasks/main.yml new file mode 100644 index 0000000..20d9a0d --- /dev/null +++ b/roles/nextcloud-db-cert/tasks/main.yml @@ -0,0 +1,71 @@ +- name: ensure nextcloud db cert fetch script is installed + copy: + src: fetch-cert.py + dest: /usr/local/libexec/nextcloud-fetch-cert.py + owner: root + group: root + mode: u=rwx,go=rx + notify: + - restart nextcloud-fetch-cert.timer + tags: + - copy-script + +- name: ensure nextcloud db cert fetch token credential exists + copy: + dest: /etc/credstore/nextcloud.fetchcert.token + content: |+ + {{ nextcloud_fetchcert_token }} + owner: root + group: root + mode: u=rw,go= + diff: false + tags: + - credentials + +- name: ensure kubernetes ca certificate is installed + copy: + src: kube-root-ca.crt + dest: /etc/pki/ca-trust/kube-root-ca.crt + owner: root + group: root + mode: u=rw,go=r + tags: + - cacert + +- name: ensure nextcloud cert fetch timer unit is installed + template: + src: nextcloud-fetch-cert.timer.j2 + dest: /etc/systemd/system/nextcloud-fetch-cert.timer + owner: root + group: root + mode: u=rw,go=r + notify: + - reload systemd + - restart nextcloud-fetch-cert.timer + tags: + - systemd +- name: ensure nextcloud cert fetch service unit is installed + copy: + src: nextcloud-fetch-cert.service + dest: /etc/systemd/system/nextcloud-fetch-cert.service + owner: root + group: root + mode: u=rw,go=r + notify: + - reload systemd + - restart nextcloud-fetch-cert.timer + tags: + - systemd + +- name: ensure nextcloud cert fetch timer is enabled + systemd: + name: nextcloud-fetch-cert.timer + enabled: true + tags: + - service +- name: ensure nextcloud cert fetch timer is started + systemd: + name: nextcloud-fetch-cert.timer + state: started + tags: + - service diff --git a/roles/nextcloud-db-cert/templates/nextcloud-fetch-cert.timer.j2 b/roles/nextcloud-db-cert/templates/nextcloud-fetch-cert.timer.j2 new file mode 100644 index 0000000..2e1b6db --- /dev/null +++ b/roles/nextcloud-db-cert/templates/nextcloud-fetch-cert.timer.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Periodically fetch Nextcloud database client certificate + +[Timer] +OnActiveSec=1s +OnUnitInactiveSec=12h + +[Install] +WantedBy=timers.target From a0378feda8e71800ad4f262685e1dac60e0c681e Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 2 Sep 2024 21:03:33 -0500 Subject: [PATCH 3/6] nextcloud: Move database to db0 Moving the Nextcloud database to the central PostgreSQL server will allow it to take advantage of the monitoring and backups in place there. For backups specifically, this will make it easier to switch from BURP to Restic, since now only the contents of the filesystem need backed up. The PostgreSQL server on _db0_ requires certificate authentication for all clients. The certificate for Nextcloud is stored in a Secret in Kubernetes, so we need to use the _nextcloud-db-cert_ role to install the script to fetch it. Nextcloud configuration doesn't expose the parameters for selecting the certificate and private key files, but fortunately, they can be encoded in the value provided to the `host` parameter, though it makes for a rather cumbersome value. --- group_vars/nextcloud.yml | 9 +---- hosts | 3 ++ nextcloud.yml | 2 + vault/nextcloud | 79 ++++++++++++++++++++++++++++++++-------- 4 files changed, 70 insertions(+), 23 deletions(-) diff --git a/group_vars/nextcloud.yml b/group_vars/nextcloud.yml index 20f295d..a4a43c5 100644 --- a/group_vars/nextcloud.yml +++ b/group_vars/nextcloud.yml @@ -1,11 +1,5 @@ nextcloud_server_name: nextcloud.pyrocufflink.net apache_server_name: '{{ nextcloud_server_name }}' -pg_hba_extra: -- type: host - database: nextcloud - user: nextcloud - address: ::1/128 - method: md5 nextcloud_trusted_proxies: - 127.0.0.1 - ::1 @@ -20,5 +14,4 @@ nextcloud_smtp: port: 25 dnf_automatic_exclude: nextcloud -postgresql_config_dir: /var/lib/pgsql/data -postgresql_allow_remote: false +nextcloud_db_host: postgresql.pyrocufflink.blue;sslcert=/etc/nextcloud/postgresql.cer;sslkey=/etc/nextcloud/postgresql.key;sslrootcert=system;sslmode=verify-full diff --git a/hosts b/hosts index 751a0c0..cf5a082 100644 --- a/hosts +++ b/hosts @@ -113,6 +113,9 @@ vmhost1.pyrocufflink.blue [nextcloud] cloud0.pyrocufflink.blue +[nextcloud-db] +db0.pyrocufflink.blue + [ntpd] [nut-monitor:children] diff --git a/nextcloud.yml b/nextcloud.yml index c3a6017..1f02ed9 100644 --- a/nextcloud.yml +++ b/nextcloud.yml @@ -11,4 +11,6 @@ - vault/nextcloud roles: - apache + - role: nextcloud-db-cert + tags: nextcloud-db-cert - nextcloud diff --git a/vault/nextcloud b/vault/nextcloud index 761915c..b538f12 100644 --- a/vault/nextcloud +++ b/vault/nextcloud @@ -1,16 +1,65 @@ $ANSIBLE_VAULT;1.1;AES256 -33653661376330396337623339373036633836393966663639653965353633643639333861336333 -3631336266646164333837336432626361656133623834360a303534313436343764653133306466 -31313939623336373939633336656337316636323732646535386334343765623363366231306635 -6566333633613066660a333338373164663831396335643537333161343563373264343362333831 -30613533373166396437313565643132663231383233373363366662376132366238613863336561 -32373765643232653035633238643164636666363863313064393739313662356637306565326139 -38636466666136633561313534633531323338363565383036323366306237643463376331386231 -66313932663930366631306533386563636137656464656461356136396130336630306233313638 -33306138326465626561323836386266616438643834643338363232616530616532376431323565 -65383432656466616236386461343435383064643966373363373433346265666139633634323630 -63383130313132333434393636333733653236346265353063656563663462336139663465323931 -34653430393836633763396365393234323937373633313832636535333031316130656137323364 -39393962666131343461313336373061643037363338643332656162633438326539316635393839 -38663761366230393033373762343663386566326566383934316162353734623137393462623835 -316662656538353965626234306438356466 +35373862343534306138396561373666303964623562366139613363306639313437353463353730 +3233363232366137363764316331356336663933343731610a363566663933383162303231346138 +37653864626165666633386265633137316634666664613931663138646334653063363562363566 +6166633336666165380a306132356139396364653632386138346465633733356164376437656361 +64336564386138616465623937666565326232303062373430363966346636356665363936396339 +62623862653433616463316262393837353064613736626637396233306265613832643365393531 +35313337323431653234343361663766383065363865356161623731633239633465656134653165 +62333961393237376166623361636637346330313761303165316431353130656632653464386232 +30343433636334373263353762313738306131626439356363373632316634613835373563346232 +64313034386434653235623935363535623366393365626363393265353365386461383862653835 +37623732343234663635333665653065383561393632326263383364353135373935616630393836 +33323562303862326566356631613634323566626564663161613632303537643935616463633363 +64376530356338316132353361383536666539613531613638343864643966323362373730353061 +66303439376461303732393232323732383665633539306235303863363833346661373230366363 +66346164373330653636633735393938343537356231323366323134356138376336383461383731 +39613762653532303630363566376333376632343733656365386231326161303331383830393733 +61653237373239633566323864616138383832353563613835363135643736636361366238663932 +63623165316433613336363663623636313263356535356666663438376664333739323361636130 +30663036363763663835313933653238633437633830653165643563663933373333303337313732 +39653730353633383735353631333634303530326139336362356539393163386130656261633739 +33393066613665356239373163396263363733643164326339383137333439333866656566333862 +64616163336639313262666634333734633239663233316138646661356163346165306562663631 +33316164396331326463353264383266613062646463633634653163356661343766623031333736 +61333339613563613230663537383062643964366162313562393564656133643462393565623437 +36613165383635653330656130326564616637386334613635643230663264343036313236356265 +31343036613935323739653332346630363433353263306464303339653261373339376233663264 +32346463636535623032613333386238636461643066383533623963383332613936373139393363 +65666564353662363832326337396331663631313333306363636330343835656532653430383264 +36376235363162663964333338613765346638353730633130656432366236396432303730636137 +33306364656637663332343738343135343761663630633132363661316161346336343730393865 +63623335323633626161316537313562363737313036346438373463643865653636653739316337 +61663131366234383833346163356363643137666366333061323634366431653633386332613330 +65316266363866636663643830326138663035393730626332646531366666396566383736626363 +39643633363765353531323336626434396464383332383061336165366164663437386565616262 +32363738343937336430393132656136623838393865626632383061663565346564313939623563 +61356661386363303436376139316437666430353730383935626431396566353634363065633563 +30366465356363396632656661623439326538626233363632303963666231663539646139353865 +37633132643661616661313330653361363630303164333162313062646236366362336639396338 +66663864353763326163326466663237363131383330326135643265363739346361623939363131 +65373034313937663765326336383830356436333465663962393630623133363961653533363335 +34363034613465363238393739656361303833376264626333363464386461306437636430363863 +36306639313236663561663939656336363233306462333033386363363966646237633064623836 +63333562373839633964306362376230626436336134353730333135323862653436353566656436 +38666566383831623664633530663034343433636539613365663230353061633962323931306333 +33363863343664373661623265393938336163376139666465636433396333643336646236373861 +35653733626166396466396565313438366537643234313564303033396433363137626231303136 +36636237346631633237336361666564383131366134386232666538343965633438366661313662 +30336537646330623364643666633938383332323533333032356130343132363134333639646231 +62366631383739313330313566363565666230316636323565653334366665396334383431633730 +35626538306232303833656262346435383863383639383661666536356563396465653335323265 +34396530356437653862376164393133616663616162663038343731373561323636356338336361 +61613934333833353534643566663266356537336163353436383538646338343939336234636562 +63663664346433666639383664306232646136636235643337656161663664616234666437626461 +61343563656362663438613934386538346466373438633838303533343566326561313133303031 +37646262626139336265636230613230353035366363613138376166326261646136333038613265 +61373663653736376535353363323266383663303234316430386436376566636337353233336235 +36306162666630326666383235306562313264363562393464623839653566393531393830316666 +37366462626135353965306462313435373539336664346135643634303339306438613161636335 +32393663663731313865333733656166626265363463373936616635313234353132343036396539 +62643835376439323134303434616434313733633963656433303336396662343262626232313437 +39336364323030633935613534366430623761313762323164356263386132663364663631313535 +66663564623235373836393533376331363664666166313365313233373538316530626231383162 +34373331346136646236346533373137663832323263303439383331613034393433326363383237 +62643833343731313536 From 6f9cd7e4af1dae7a731b33e056afe678b683eb6f Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 2 Sep 2024 21:15:23 -0500 Subject: [PATCH 4/6] r/postgres-exporter: Do not connect to tempate1 DB It turns out, having the exporter connect to the _template1_ database is not a great idea. PostgreSQL does not allow creating a new database if the template database is currently being accessed by any clients. Since _template1_ is the default choice, the `createdb` command will probably fail. It doesn't specifically matter which database the exporter connects to, since it reads most (all?) of its data from the PostgreSQL catalog, which isn't database-specific. --- .../postgres-exporter/templates/postgres-exporter.container.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/postgres-exporter/templates/postgres-exporter.container.j2 b/roles/postgres-exporter/templates/postgres-exporter.container.j2 index 0a0a681..d106bd9 100644 --- a/roles/postgres-exporter/templates/postgres-exporter.container.j2 +++ b/roles/postgres-exporter/templates/postgres-exporter.container.j2 @@ -6,7 +6,7 @@ After=postgresql.service [Container] Image=quay.io/prometheuscommunity/postgres-exporter:v0.15.0 -Environment=DATA_SOURCE_URI='postgres-exporter@:5432/template1?host=/run/postgresql' +Environment=DATA_SOURCE_URI='postgres-exporter@:5432/postgres?host=/run/postgresql' Mount=type=bind,source=/run/postgresql,target=/run/postgresql # container_t cannot access the PostgreSQL socket postgresql_var_run_t SecurityLabelDisable=true From 72936b3868bd37d861fced72faa669e935a41151 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 2 Sep 2024 21:20:26 -0500 Subject: [PATCH 5/6] postgresql: Allow access by IPv6 Since LAN clients have IPv6 addresses now, some may try to connect to the database over IPv6, so we need to allow this in the host-based authentication rules. --- group_vars/postgresql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/postgresql.yml b/group_vars/postgresql.yml index 53db40b..eb80182 100644 --- a/group_vars/postgresql.yml +++ b/group_vars/postgresql.yml @@ -33,6 +33,11 @@ pg_hba_extra: user: all address: 0.0.0.0/0 method: cert +- type: hostssl + database: sameuser + user: all + address: '::/0' + method: cert postgresql_restore_command: >- runuser -u postgres -- From dce7908a941f8dbe36064b2fd818788384b1252a Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 2 Sep 2024 21:24:59 -0500 Subject: [PATCH 6/6] chromie: Set MinIO root password --- vault/minio/chromie.pyrocufflink.blue | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 vault/minio/chromie.pyrocufflink.blue diff --git a/vault/minio/chromie.pyrocufflink.blue b/vault/minio/chromie.pyrocufflink.blue new file mode 100644 index 0000000..4bf03d0 --- /dev/null +++ b/vault/minio/chromie.pyrocufflink.blue @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +30616536623331373031616465663933646439386165386266343530383461353463623631616630 +3739356666633732326464386630643135303335646431390a373532353964336464303930393665 +65336162663731376531336230306464326463396637656236396166646162613132626532393061 +6238336539636232300a653339363632363634656261616334333461313539333731386665383737 +34646336376630666166363962333036323763663166313166366432336165663434373534666333 +62346266623561333538613466643734393932396138386535636266336139623032343239653565 +31383862363362313432336638346265623439326363636363323961313430633938363461616530 +37313337333035343335323261323736343335393132376635303337623939303534353632643231 +61386332653533326463633165373032373635383135663230663066633039333736