feat: ansible postgres jail

This commit is contained in:
auricom
2022-07-23 19:32:16 +02:00
parent 0be718c78d
commit a3666c302f
16 changed files with 411 additions and 125 deletions


@@ -2,6 +2,7 @@ kind: Secret
secret_domain: ENC[AES256_GCM,data:SjdnR9pDjveodvo=,iv:GKvdD7c3bmaQN+CAYoKwAy78em9vYljGyl6VfGmJk9E=,tag:hz92J7d1NokEeyB6vxr3Uw==,type:str]
secret_cluster_domain: ENC[AES256_GCM,data:o+bvKkMvPfZ9+oobxsZj,iv:iJTqLF0+3v/kMHWJIUXQK3++CoLI+fC6IOrQgpiXofw=,tag:XWEid6zEhdpxka88rW2mkw==,type:str]
secret_email_domain: ENC[AES256_GCM,data:xQwrd9Tgcgpq+I63KA8=,iv:w8fs1kXFwuRBNiswZMu5i/bOazqUPRxEwMWm0z/igxg=,tag:FaWpGtK7ldOEcHgXxZX6/A==,type:str]
postgres_password: ENC[AES256_GCM,data:xNkFUfAWE3YLRYbzHfoZRg==,iv:RDLvBCkF+cRlHZumScZbRmDsymoSjlESMBaITk0FmxE=,tag:BJdUa2NcTSNoHlng1OKjJA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -17,8 +18,8 @@ sops:
c3JkOFZzYnpINjQ5QnNkaE9IYUdXL3MKsBelDv/z5nTYC6/1Zm8kmzqEoLBVPnhy
v0v/6n1GksmzslbNdKhy+xtxHYrqouhc2P4hNi0R8p8u76RXERN5fg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-15T13:41:20Z"
mac: ENC[AES256_GCM,data:j2ugchoPb4S5IFQjtgLOi9q715lkn+al0eM8yyIChSlbzGJB+tFi7c3Wt5r/Q1eOpCb5jvUI5XqvD9D9tTQt2yAedRADaQRnOhEa2sS/wNVgl16ZSmC3vxoQLmfR2gzf+x3MiwjnLUjh6uXhtGt/c3O6+LEOqHSACjJFo+nDkj4=,iv:LenINPlwtvqZtKO+EoIhFWRZ971jrfIOTP43cRmHCHw=,tag:qg+QTku/5w5mEY+rZEGB1w==,type:str]
lastmodified: "2022-07-23T10:38:21Z"
mac: ENC[AES256_GCM,data:VchuuJFJO63sWqBgOPQNgtzve5fA5PGo1j6UQGv+v4mFcSbb8+P0ihpynZl6bNcqdA5+dgYalsFpEOsjmHeshn9d1R9dtSiycK8k1IFUdsvbfnRTdxTwyc93xT2AGgGOstq2kPxBQ6CKHDJTI/yMpuzdd6ZoKnlxFW4+orxAf5c=,iv:w6HGOtuA6XVOaZFzB8lcSh3qEatGD3GudhbjzeJQ82k=,tag:lSvDhiiI1zhoCypHliaUXQ==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.7.3


@@ -0,0 +1,22 @@
kind: Secret
wireguard_private_key: ENC[AES256_GCM,data:n7+yDJlb50mm2CiFRJ8YbvtzZaJOD2Hlz1/jbwtCSerRPTbJpDnCaL78EdI=,iv:5D8M8lKJPiduyGp6D2Woi/VEHkAVHi3v5NB2LRY+UNA=,tag:NkvkhueDrDf/1Ly9zv5YCw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNWlaV1YvWUw0NEJOR2Rz
aHd5eU9SdjFuTDgyZDhzUjVIMmFMczg5MmlZCm5vT1VTdjh4WkhCNWsrOG9SaWFM
L0FpSGVuR3hPN04zNHRCd3JMQXVLZVEKLS0tIFFhY1plTzdScmJrWW8xMXpIUXBP
RHR1bnp1VXZJNUI5dmVXcXRvU2NFem8KFdpVMZL4By87eR2mFB5P2ViZxA04p2uI
oe1Wg5bmqLNsfr+Z/Ai6Xc8D9ojuPvNXUkrzdLq5i6M+mi1ultazxQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-22T12:36:41Z"
mac: ENC[AES256_GCM,data:Pdlc1pFCdB6C4Zzm2HkBh8NJn/uE3KVXwWmWlUqbjHRRCqxED1X7lMVxNHgy/ZmmuB1StoZrzwGUVTGRhpcWGX9D614TrKgjPtkr4dxdshYIfIXPsskVnNfULQcvitTjprLj3JKXbZgjO86hGo5c1SgZpEiapuNdvYSHH6EGjyU=,iv:72i8p3q9Tg1kU6BExNtlakXLLt19Aic5xmgU2Hv2VqI=,tag:yu0KkQVK2/Z0mr/scwIekQ==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.7.3


@@ -0,0 +1,7 @@
---
- name: restart postgresql
ansible.builtin.service:
name: postgresql
state: restarted
delegate_to: "{{ postgres_jail_ip.stdout }}"
remote_user: root


@@ -1,67 +0,0 @@
---
- name: jail-postgres | get jail ip
ansible.builtin.shell:
cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
changed_when: false
register: jail_ip
become: true
# TODO : check if postgres already installed
# - block:
# - name: jail-postgres | create zfs pools
# community.general.zfs:
# name: "{{ item }}"
# state: present
# loop:
# - "{{ pool_name }}/jail-mounts"
# - "{{ pool_name }}/jail-mounts/postgres"
# - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}"
# - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/base"
# - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/pg_wal"
# - name: jail-postgres | configure zfs pool postgresql
# community.general.zfs:
# name: "{{ pool_name }}/jail-mounts/postgres"
# state: present
# extra_zfs_properties:
# atime: off
# setuid: off
# - name: jail-postgres | configure zfs pool postgresql
# community.general.zfs:
# name: "{{ pool_name }}/jail-mounts/postgres"
# state: present
# extra_zfs_properties:
# atime: off
# setuid: off
# - name: jail-postgres | create empty data{{ postgres_version }}dir
# ansible.builtin.shell:
# cmd: iocage exec postgres mkdir -p /var/db/postgres/data{{ postgres_version }}
# - name: jail-postgres | mount data {{ postgres_version }}
# ansible.builtin.shell:
# cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }} /var/db/postgres/data{{ postgres_version }} nullfs rw 0 0
# become: true
- block:
- name: jail-postgres | packages
community.general.pkgng:
name:
- postgresql{{ postgres_version }}-server
- postgresql{{ postgres_version }}-contrib
- postgresql{{ postgres_version }}-client
state: present
- name: jail-postgres | change postgres/data{{ postgres_version }} mod
ansible.builtin.file:
path: /var/db/postgres/data{{ postgres_version }}
owner: postgres
group: postgres
- name: jail-postgres | initdb
ansible.builtin.shell:
cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ postgres_version }}'
delegate_to: "{{ jail_ip.stdout }}"
remote_user: root


@@ -1,24 +0,0 @@
---
- name: jail-prepare | create .ssh directory
ansible.builtin.shell:
cmd: iocage exec postgres 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
- name: jail-prepare | deploy ssh keys
ansible.builtin.shell:
cmd: iocage exec postgres 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
loop: "{{ public_ssh_keys }}"
- name: jail-prepare | activate sshd
ansible.builtin.shell:
cmd: iocage exec postgres 'sysrc sshd_enable="YES"'
- name: jail-prepare | sshd permit root login
ansible.builtin.shell:
cmd: iocage exec postgres 'echo "PermitRootLogin yes" > /etc/ssh/sshd_config'
- name: jail-prepare | start sshd
ansible.builtin.shell:
cmd: iocage exec postgres 'service sshd start'
- name: jail-prepare | install packages
ansible.builtin.raw: pkg install -y python3 bash; ln -s /usr/local/bin/bash /bin/bash


@@ -0,0 +1,36 @@
---
- name: jail-prepare | {{ outside_item.item }} | start jail
ansible.builtin.shell:
cmd: iocage start {{ outside_item.item }}
become: true
- name: jail-prepare | {{ outside_item.item }} | create .ssh directory
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
become: true
- name: jail-prepare | {{ outside_item.item }} | deploy ssh keys
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
loop: "{{ public_ssh_keys }}"
become: true
- name: jail-prepare | {{ outside_item.item }} | activate sshd
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'sysrc sshd_enable="YES"'
become: true
- name: jail-prepare | {{ outside_item.item }} | sshd permit root login
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
become: true
- name: jail-prepare | {{ outside_item.item }} | start sshd
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'service sshd start'
become: true
- name: jail-prepare | {{ outside_item.item }} | install packages
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'pkg install -y python39 bash; ln -s /usr/local/bin/bash /bin/bash'
become: true
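Review bot: The line appended by `echo "PermitRootLogin yes" >> /etc/ssh/sshd_config` permits password logins as root even though the preceding tasks only ever deploy keys, and because it is appended with `>>` a fresh copy lands in the file on every run; `PermitRootLogin prohibit-password` states what is actually set up, and `grep -q '^PermitRootLogin' /etc/ssh/sshd_config || echo ... >> /etc/ssh/sshd_config` keeps it to one line. The install task's `ln -s /usr/local/bin/bash /bin/bash` returns non-zero once the link exists and is the last command in the `;` chain, so the second run fails that task; `ln -sf` (or `test -e /bin/bash ||`) keeps it re-runnable. None of the shell tasks in this file set `changed_when`, so every run reports them all as changed.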


@@ -4,6 +4,7 @@
cmd: iocage list | grep {{ item }}
loop: "{{ groups['truenas-jails'] }}"
register: jails_check
changed_when: false
failed_when: jails_check.rc != 0 and jails_check.rc != 1
- name: jails | is iocage fetch required
@@ -32,21 +33,9 @@
become: true
when: jail_missing
- name: jails | check jails states
ansible.builtin.shell:
cmd: iocage get state {{ item }}
loop: "{{ groups['truenas-jails'] }}"
register: jails_state
- name: jails | start jails
ansible.builtin.shell:
cmd: iocage start {{ item.item }}
loop: "{{ jails_state.results }}"
when: item.stdout == "down"
become: true
- name: jails | prepare jails
ansible.builtin.include_tasks: jails-prepare.yml
loop: "{{ jails_state.results }}"
when: item.stdout == "down"
become: true
- name: jails | init jails
ansible.builtin.include_tasks: init.yml
loop: "{{ jails_check.results }}"
loop_control:
loop_var: outside_item
when: outside_item.rc == 1
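Review bot: Jails that already exist but are down appear to no longer be started: the removed `check jails states` / `start jails` tasks covered every entry of `groups['truenas-jails']`, while the new `init jails` include runs only `when: outside_item.rc == 1`, i.e. for jails that were missing at check time. If `init.yml` (not shown here) is where a jail is now started, an existing stopped jail is silently left down after the run. Separately, `iocage list | grep {{ item }}` in the first hunk is a substring match, so a jail named `postgres` also matches `postgres2`; `grep -w {{ item }}` or `iocage get state {{ item }}` with its exit code makes the check exact. The task owning that `cmd:` begins above the hunk.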


@@ -0,0 +1,60 @@
---
- name: jail-postgres | get jail ip
ansible.builtin.shell:
cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
changed_when: false
register: postgres_jail_ip
become: true
- name: jail-postgres | copy letsencrypt certificate
ansible.builtin.copy:
src: /mnt/storage/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
remote_src: true
dest: /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/{{ item.dest }}
owner: 770
group: 770
mode: 0600
loop:
- { src: "fullchain.pem", dest: "server.crt" }
- { src: "key.pem", dest: "server.key" }
notify: restart postgresql
become: true
- block:
- name: jail-postgres | disable full page writes because of ZFS
ansible.builtin.lineinfile:
path: /var/db/postgres/data{{ postgres_version }}/postgresql.conf
regexp: '^full_page_writes\s*='
line: "full_page_writes=off"
state: present
notify: restart postgresql
- name: jail-postgres | listen to all addresses
ansible.builtin.lineinfile:
path: /var/db/postgres/data{{ postgres_version }}/postgresql.conf
regexp: '^listen_addresses\s*='
line: "listen_addresses = '*'"
state: present
notify: restart postgresql
- name: jail-postgres | ssl configuration
ansible.builtin.blockinfile:
path: /var/db/postgres/data{{ postgres_version }}/postgresql.conf
block: |
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_prefer_server_ciphers = on
state: present
notify: restart postgresql
- name: jail-postgres | configure postgres
ansible.builtin.template:
src: postgres/pg_hba.conf
dest: /var/db/postgres/data{{ postgres_version }}/pg_hba.conf
owner: postgres
group: postgres
notify: restart postgresql
delegate_to: "{{ postgres_jail_ip.stdout }}"
remote_user: root
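Review bot: The certificate source path hard-codes `xpander.ovh` in plain text while the vars file in this same commit sops-encrypts `secret_domain`; if that is the same value, the encryption is undone here, and `src: /mnt/storage/home/homelab/letsencrypt/{{ secret_domain }}/{{ item.src }}` keeps it in one place. `mode: 0600` should be the quoted string `"0600"`; an unquoted leading-zero value depends on the YAML parser treating it as octal, which the Ansible docs warn against. The same copy/chown/chmod of `server.crt` and `server.key` is also done by the certificate-deploy shell template in this commit, so the ownership and mode rules now live in two places and can drift.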


@@ -0,0 +1,143 @@
---
- name: jail-postgres | get jail ip
ansible.builtin.shell:
cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
changed_when: false
register: postgres_jail_ip
become: true
- block:
- name: jail-postgres | create zfs pools
community.general.zfs:
name: "{{ item }}"
state: present
loop:
- "{{ pool_name }}/jail-mounts"
- "{{ pool_name }}/jail-mounts/postgres"
- "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}"
- name: jail-postgres | configure zfs pool postgresql
community.general.zfs:
name: "{{ pool_name }}/jail-mounts/postgres"
state: present
extra_zfs_properties:
atime: off
setuid: off
- name: jail-postgres | configure zfs pool postgresql
community.general.zfs:
name: "{{ pool_name }}/jail-mounts/postgres"
state: present
extra_zfs_properties:
atime: off
setuid: off
- name: jail-postgres | create empty data{{ postgres_version }} dir
ansible.builtin.shell:
cmd: iocage exec postgres mkdir -p /var/db/postgres/data{{ postgres_version }}
- name: jail-postgres | mount data{{ postgres_version }}
ansible.builtin.shell:
cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }} /var/db/postgres/data{{ postgres_version }} nullfs rw 0 0
become: true
- block:
- name: jail-postgres | packages
community.general.pkgng:
name:
- postgresql{{ postgres_version }}-server
- postgresql{{ postgres_version }}-contrib
- postgresql{{ postgres_version }}-client
- py39-pip
state: present
- name: jail-postgres | pip packages
ansible.builtint.pip:
name: psycopg2
state: present
- name: jail-postgres | change postgres/data{{ postgres_version }} mod
ansible.builtin.file:
path: /var/db/postgres/data{{ postgres_version }}
owner: postgres
group: postgres
- name: jail-postgres | initdb
ansible.builtin.shell:
cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ postgres_version }}'
- name: jail-postgres | move base and pg_wal
ansible.builtin.shell:
cmd: su -m postgres -c 'mv /var/db/postgres/data{{ postgres_version }}/{{ item }} /var/db/postgres/data{{ postgres_version }}/{{ item }}0'
loop:
- base
- pg_wal
- name: jail-postgres | create base and pg_wal empty dirs
ansible.builtin.file:
path: /var/db/postgres/data{{ postgres_version }}/{{ item }}
state: directory
owner: postgres
group: postgres
loop:
- base
- pg_wal
delegate_to: "{{ postgres_jail_ip.stdout }}"
remote_user: root
- block:
- name: jail-postgres | create missing zfs pools
community.general.zfs:
name: "{{ item }}"
state: present
loop:
- "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/base"
- "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/pg_wal"
- name: jail-postgres | mount base
ansible.builtin.shell:
cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/{{ item }} /var/db/postgres/data{{ postgres_version }}/{{ item }} nullfs rw 0 0
loop:
- base
- pg_wal
become: true
- block:
- name: jail-postgres | move base and pg_wal content to mounts
ansible.builtin.shell:
cmd: mv /var/db/postgres/data{{ postgres_version }}/{{ item }}0/* /var/db/postgres/data{{ postgres_version }}/{{ item }}/; rmdir /var/db/postgres/data{{ postgres_version }}/{{ item }}0
loop:
- base
- pg_wal
- name: jail-postgres | change mod
ansible.builtin.file:
path: /var/db/postgres/data{{ postgres_version }}/{{ item }}
state: directory
owner: postgres
group: postgres
recurse: true
loop:
- base
- pg_wal
- name: jail-postgres | enable postgresql service
community.general.sysrc:
name: postgresql_enable
state: present
value: "YES"
- name: jail-postgres | start postgresql service
ansible.builtin.service:
name: postgresql
state: started
- name: jail-postgres | change postgres password
postgresql_query:
login_user: postgres
query: ALTER USER postgres PASSWORD '{{ postgres_password }}'
delegate_to: "{{ postgres_jail_ip.stdout }}"
remote_user: root
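Review bot: `ansible.builtint.pip` in the `pip packages` task is a typo for `ansible.builtin.pip`; Ansible cannot resolve the action, so the init path fails at that task on first use. The `change postgres password` task interpolates the secret straight into SQL (`ALTER USER postgres PASSWORD '{{ postgres_password }}'`), which breaks on a password containing `'` and, with no `no_log: true`, prints the password in the task output; `community.postgresql.postgresql_user` with `name: postgres`, `password: "{{ postgres_password }}"` and `no_log: true` handles both, and matches the FQCN style used for the other modules (the query module is unqualified here). The `configure zfs pool postgresql` task appears twice back to back with identical arguments, so the second copy can be dropped. The shell steps (`initdb`, the two `mv` loops) have no `changed_when`, so reruns report them as changed even when they do nothing.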


@@ -1,15 +1,26 @@
---
# - ansible.builtin.include_tasks: directories.yml
- ansible.builtin.include_tasks: directories.yml
# - ansible.builtin.include_tasks: scripts.yml
- ansible.builtin.include_tasks: scripts.yml
# - ansible.builtin.include_tasks: telegraf.yml
- ansible.builtin.include_tasks: telegraf.yml
# - ansible.builtin.include_tasks: wireguard.yml
# when: "main_nas == false"
- ansible.builtin.include_tasks: wireguard.yml
when: "main_nas == false"
# - ansible.builtin.include_tasks: jails.yml
# when: "main_nas"
- block:
- ansible.builtin.include_tasks: jails/main.yml
- ansible.builtin.shell:
cmd: test -f /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/postgresql.conf
register: postgres_data_exists
become: true
changed_when: false
failed_when: postgres_data_exists.rc != 0 and postgres_data_exists.rc != 1
- ansible.builtin.include_tasks: jails/postgres-init.yml
when: postgres_data_exists.rc == 1
- ansible.builtin.include_tasks: jails/postgres-conf.yml
- ansible.builtin.include_tasks: jail-postgres.yml
when: "main_nas"
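Review bot: The existence check runs `test -f /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/postgresql.conf` while the init tasks create the dataset under `{{ pool_name }}/jail-mounts`; if `pool_name` is ever not `storage` the two disagree and `postgres-init.yml` reruns `initdb` against a populated data directory. `ansible.builtin.stat` with `become: true`, registered as `postgres_data`, and `when: not postgres_data.stat.exists` on the include expresses the check without a shell, an `rc` register or the `failed_when` clause. If the `# - ansible.builtin.include_tasks` lines above each live include are still on the new side, they look like leftovers that could be removed.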


@@ -4,7 +4,6 @@
repo: https://github.com/samuelkadolph/truenas-telegraf
dest: "{{ telegraf_dir }}"
version: main
mode: 0775
- name: telegraf | copy configuration
ansible.builtin.template:


@@ -0,0 +1,97 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
hostssl all all 0.0.0.0/0 scram-sha-256
# IPv6 local connections:
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
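Review bot: `local all all trust` lets any OS account inside the jail log in as any PostgreSQL role, superuser included, which is exactly what the CAUTION paragraph above it describes; `local all all peer` keeps the socket usable for the `postgres` system user (the init playbook's `login_user: postgres` query would then run with `become_user: postgres`) without trusting every local account. `hostssl all all 0.0.0.0/0 scram-sha-256`, together with `listen_addresses = '*'` set in the conf tasks, accepts TLS connections from any IPv4 source; narrowing the ADDRESS column to the subnets that actually need the database (this file is a template, so the value can come from a variable) limits password-guessing exposure. Note also that `scram-sha-256` authenticates only roles whose password was stored as SCRAM; if `password_encryption` is still `md5` when `ALTER USER postgres PASSWORD` runs during init (the default before PostgreSQL 14, and `postgres_version` is not fixed on this page), logins under this record fail.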


@@ -9,14 +9,25 @@
SCRIPT_PATH="{{ scripts_dir }}"
CERTIFICATE_PATH="{{ certificates_dir }}"
CONFIG_FILE="${SCRIPT_PATH}/certificates_deploy.conf"
{% if main_nas == true %}POSTGRES_DIR="/mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/"{% endif %}
# Check if cert has been uploaded last week
result=$(find ${CERTIFICATE_PATH}/cert.pem -mtime -7)
if [[ "$result" == "${CERTIFICATE_PATH}/cert.pem" ]]; then
# Deploy certificate
# Deploy certificate (truenas UI & minio)
python ${SCRIPT_PATH}/certificates_deploy.py -c ${CONFIG_FILE}
test $? -ne 0 && FLAG_NOTIF=true
{% if main_nas == true %}
fi
# Deploy certificate (postgresql jail)
umask 0177
cp ${CERTIFICATE_PATH}/fullchain.pem ${POSTGRES_DIR}/server.crt
cp ${CERTIFICATE_PATH}/key.pem ${POSTGRES_DIR}/server.key
chown 770:770 ${POSTGRES_DIR}/server.crt ${POSTGRES_DIR}/server.key
chmod 600 ${POSTGRES_DIR}/server.crt ${POSTGRES_DIR}/server.key
# restart postgresql
iocage postgres service postgresql restart
{% endif %}
fi
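Review bot: `iocage postgres service postgresql restart` is not a valid iocage invocation; running a command inside a jail is `iocage exec postgres service postgresql restart`, so as written the restart step errors and the freshly copied certificate is not picked up until something else restarts the server. The cp/chown/chmod sequence duplicates the `copy letsencrypt certificate` task and handler added elsewhere in this commit, so the file ownership and mode rules now live in two places. If the script does not run with `set -e` (its header is above the hunk), a failed `cp` still falls through to the restart, leaving the server restarted against a stale or missing key; `cp ... && cp ... && ... && iocage exec ...` or an explicit check before the restart would avoid that.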


@@ -60,6 +60,7 @@
- name: packages-common | python
ansible.builtin.pip:
name:
- ansible-lint
- borgbackup
- yt-dlp
- s-tui


@@ -1,6 +1,6 @@
---
- name: wireguard | copy wireguard configuration
ansible.builtin.copy:
ansible.builtin.template:
src: wireguard/{{ ansible_facts['nodename'] }}.conf
dest: ~/wireguard.conf
mode: 0600
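Review bot: Now that the template renders `wireguard_private_key` into `~/wireguard.conf`, a run with `--diff` (or verbose output on failure) prints the decrypted key in the Ansible log; adding `no_log: true` (or at least `diff: false`) to the task keeps it out of logs. `mode: 0600` should be the quoted string `"0600"`, as the Ansible docs recommend for leading-zero modes.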


@@ -1,8 +1,8 @@
[Interface]
Address = 10.10.0.4/32
ListenPort = 51820
PrivateKey = kPbM3V+bV74avE/GXFwhOrmaRSf3p34bm/aR3A72GG4=
DNS = 10.10.0.1
PrivateKey = {{ wireguard_private_key }}
DNS = 192.168.8.1,{{ secret_domain }}
[Peer]
PublicKey = K7kgSuPwH2NA7FeLHwvGMX02kvhD8DxHgL/wflsgx34=
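Review bot: The `PrivateKey` line removed here stays recoverable from git history, so moving the value into sops protects only future commits; the interface should get a freshly generated key pair, with the peer's configuration updated to the new public key, before the old one is treated as retired. `DNS = 192.168.8.1,{{ secret_domain }}` relies on wg-quick treating the non-IP entry as a search domain, which it does, but whether the target's resolvconf honours it is worth confirming once on the host.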