diff --git a/group_vars/production/vars.yml b/group_vars/production/vars.yml
index d5bdd5b..52c0c16 100644
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@@ -1,7 +1,10 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
+internal_subnet: 10.2.16.0/24
 postgresql_version: 14
-db_passwords:
- nextcloud: "{{ vault_db_passwords.nextcloud }}"
+databases:
+ nextcloud:
+ username: nextcloud
+ password: "{{ vault_db_passwords.nextcloud }}"
diff --git a/group_vars/shared/vars.yml b/group_vars/shared/vars.yml
index 492a298..25ac29e 100644
--- a/group_vars/shared/vars.yml
+++ b/group_vars/shared/vars.yml
@@ -1,5 +1,6 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
+internal_subnet: 10.2.18.0/24
 tls_email: "{{ vault_tls_email }}"
 njalla_api_token: "{{ vault_njalla_api_token }}"
diff --git a/group_vars/staging/vars.yml b/group_vars/staging/vars.yml
index d5bdd5b..dcb97a4 100644
--- a/group_vars/staging/vars.yml
+++ b/group_vars/staging/vars.yml
@@ -1,7 +1,10 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
+internal_subnet: 10.2.19.0/24
 postgresql_version: 14
-db_passwords:
- nextcloud: "{{ vault_db_passwords.nextcloud }}"
+databases:
+ nextcloud:
+ username: nextcloud
+ password: "{{ vault_db_passwords.nextcloud }}"
diff --git a/roles/apps/tasks/main.yml b/roles/apps/tasks/main.yml
index 80b7c52..3fb7c1a 100644
--- a/roles/apps/tasks/main.yml
+++ b/roles/apps/tasks/main.yml
@@ -24,8 +24,7 @@
 state: directory
 - name: Configure apps
- ansible.builtin.include_tasks:
- file: configure_app.yml
+ ansible.builtin.include_tasks: configure_app.yml
 vars:
 app_name: "{{ item }}"
 app_vars: "{{ apps_vars[item] }}"
diff --git a/roles/apps/templates/compose-files/nextcloud.yml.j2 b/roles/apps/templates/compose-files/nextcloud.yml.j2
index 2397c51..78a7bfd 100644
--- a/roles/apps/templates/compose-files/nextcloud.yml.j2
+++ b/roles/apps/templates/compose-files/nextcloud.yml.j2
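Review bot: `internal_subnet` is now defined in three sibling group_vars files in this hunk set (production, shared and staging) with three different /24s, and Ansible merges same-depth group vars alphabetically with the later group winning, so a host that is in both `shared` and `production` resolves to 10.2.18.0/24 while one in both `shared` and `staging` resolves to 10.2.19.0/24. Whether any host belongs to more than one of these groups is not visible here; if one does, the pg_hba and firewalld rules built from this value would admit the wrong subnet. Either keep the variable out of `shared` when it is only meaningful per environment, set `ansible_group_priority` on the group that must win, or at least document the assumption next to the definition, e.g. `# internal_subnet is per-environment; must not be shadowed by another group of the same host`.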
@@ -15,8 +15,8 @@ services:
 environment:
 POSTGRES_HOST: "{{ db_host }}"
 POSTGRES_DB: nextcloud
- POSTGRES_USER: nextcloud
- POSTGRES_PASSWORD: {{ db_passwords.nextcloud }}
+ POSTGRES_USER: "{{ databases.nextcloud.username }}"
+ POSTGRES_PASSWORD: {{ databases.nextcloud.password }}
 REDIS_HOST: redis
 REDIS_HOST_PASSWORD: {{ redis_passwords.nextcloud }}
 MAIL_FROM_ADDRESS: noreply
diff --git a/roles/postgresql/tasks/database.yml b/roles/postgresql/tasks/database.yml
new file mode 100644
index 0000000..28bdb8b
--- /dev/null
+++ b/roles/postgresql/tasks/database.yml
@@ -0,0 +1,35 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Create database user '{{ db_vars.username }}'
+ community.postgresql.postgresql_user:
+ name: "{{ db_vars.username }}"
+ password: "{{ db_vars.password }}"
+ state: present
+ environment:
+ PGOPTIONS: '-c password_encryption=scram-sha-256'
+
+- name: Create database '{{ db_name }}'
+ community.postgresql.postgresql_db:
+ name: "{{ db_name }}"
+ owner: "{{ db_vars.username }}"
+ template: template0
+ encoding: UTF-8
+ state: present
+
+- name: Grant all priviliges to owner on database '{{ db_name }}'
+ community.postgresql.postgresql_privs:
+ database: "{{ db_name }}"
+ roles: "{{ db_vars.username }}"
+ privs: ALL
+ state: present
+
+- name: Allow connections to database '{{ db_name }}'
+ community.postgresql.postgresql_pg_hba:
+ dest: "{{ postgresql_pgdata }}/pg_hba.conf"
+ contype: host
+ users: "{{ db_vars.username }}"
+ databases: "{{ db_name }}"
+ source: "{{ internal_subnet }}"
+ method: scram-sha-256
+ state: present
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 2a9e4f8..43ded3d 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
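Review bot: The new `POSTGRES_PASSWORD: {{ databases.nextcloud.password }}` line is still rendered as a bare scalar while `POSTGRES_USER` directly above it is now quoted, so a vault password containing ` #`, `: `, or a leading YAML indicator would be truncated or break the rendered compose file without any error from Ansible. Render it through a JSON-safe filter, `POSTGRES_PASSWORD: {{ databases.nextcloud.password | to_json }}`, which emits a properly escaped double-quoted scalar; the same applies to `REDIS_HOST_PASSWORD` in the context lines below. The enclosing `services:` mapping begins outside the hunk.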
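Review bot: The `postgresql_pg_hba` task at the end of the new file edits pg_hba.conf but carries no `notify`, and the module does not reload the server itself, so the host rule for `{{ db_vars.username }}` from `{{ internal_subnet }}` is not active until PostgreSQL is next reloaded or restarted; add `notify:` on that task pointing at the role's reload handler (its name is not visible here). Separately, the `postgresql_privs` task sets `privs: ALL` with `database:` but no `type:`, so it targets the module's default object type (tables) and, with no `objs`, likely fails or does not grant what the task name describes; `type: database` would match the intent, although the owner assigned in the preceding task already holds the database-level privileges. The task name also misspells privileges as `priviliges`.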
@@ -21,6 +21,7 @@
 name:
 - postgresql{{ postgresql_version }}-server
 - python{{ ansible_python.version.major }}-psycopg2
+ - python{{ ansible_python.version.major }}-ipaddress
 state: present
 - name: Create PostgreSQL service override folder
@@ -58,3 +59,10 @@
 name: "{{ postgresql_service }}"
 enabled: true
 state: started
+
+- name: Set up databases
+ ansible.builtin.include_tasks: database.yml
+ vars:
+ db_name: "{{ item.key }}"
+ db_vars: "{{ item.value }}"
+ loop: "{{ databases | dict2items }}"
diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
index d0f791b..722b814 100644
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@@ -68,29 +68,17 @@
 # state: enabled
 # loop: "{{ groups['control_infra'] }}"
-- name: Firewall rules for DB servers
- when: hostname in groups['production'] or hostname in groups['staging']
+- name: Firewall rules for database servers
+ when: hostname in groups['dbservers']
 notify: Reload firewalld
 block:
- - name: Production | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
+ - name: Allow incoming connections from internal subnet to PostgreSQL port in zone 'internal'
 ansible.posix.firewalld:
 zone: internal
- source: "{{ hostvars[item].internal_ipv4 }}"
+ source: "{{ internal_subnet }}"
 service: postgresql
 permanent: true
 state: enabled
- loop: "{{ groups['app_prod'] }}"
- when: hostname in groups['db_prod']
-
- - name: Staging | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
- ansible.posix.firewalld:
- zone: internal
- source: "{{ hostvars[item].internal_ipv4 }}"
- service: postgresql
- permanent: true
- state: enabled
- loop: "{{ groups['app_stage'] }}"
- when: hostname in groups['db_stage']
 - name: Firewall rules for proxy servers
 when: hostname in group['proxyservers']
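Review bot: The new `Set up databases` include in the second hunk loops over `databases | dict2items`, and Ansible echoes each loop item when it reports an include, so the whole `item.value` mapping — including `password` — is written to stdout and to any log or callback plugin output. Add a `loop_control` with `label: "{{ item.key }}"` to that task so only the database name is shown; `no_log: true` is the stronger choice but also suppresses the include lines entirely. The credentials also travel into `database.yml` as `db_vars`, so any debug output added there needs the same care.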
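Review bot: The rewritten firewalld rule in the last hunk replaces a per-app-server `source` with the whole `internal_subnet`, so every host in that /24 — not only the app servers the removed `app_prod`/`app_stage` loops enumerated — can now reach the PostgreSQL port on database servers. If the subnet also carries other hosts, the only remaining gate is the pg_hba user/database match and the SCRAM password, so consider keeping a per-host loop over an app-server group or narrowing `source` to those addresses; if the subnet is dedicated to app servers, state that next to the rule, e.g. `# internal_subnet is reserved for app servers; pg_hba still restricts by user and database`. Outside the change but visible in the trailing context, `when: hostname in group['proxyservers']` reads `group` rather than `groups`, which is undefined at runtime unless the project defines it elsewhere.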