Add secure postgres deployment
This commit is contained in:
Thomas Kleinendorst
parent
2b1518a5c3
commit
cfb228cada
15 changed files with 115 additions and 26 deletions
30
roles/postgres/files/ensure_certificate_setup.sh
Normal file
30
roles/postgres/files/ensure_certificate_setup.sh
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
echo "Running as $(whoami)..."
|
||||
|
||||
target_user='postgres'
|
||||
# This user shouldn't be mapped to postgres on the host but rather to postgres on the container.
|
||||
# This user has host uid: 558821 (in container it's uid: 70). This number is resolved by getting the start
|
||||
# of the subuid range for this user and then than adding 70 (-1) to it (since we know that that is the uid
|
||||
# of the postgres user within the container).
|
||||
target_path_subuid_start="$(su $target_user -c 'grep $USER /etc/subuid | cut -d ":" -f 2')"
|
||||
target_host_postgres_id=$(($target_path_subuid_start + 70 - 1))
|
||||
|
||||
certsPath="/home/$target_user/certs"
|
||||
|
||||
if [[ ! -e "$certsPath" ]]; then
|
||||
echo "Certs directory doesn't exist, creating certs directory: $certsPath..."
|
||||
mkdir "$certsPath"
|
||||
fi
|
||||
|
||||
echo "Copying certificates..."
|
||||
cert_files='/etc/letsencrypt/live/postgres.kleinendorst.info/fullchain.pem /etc/letsencrypt/live/postgres.kleinendorst.info/privkey.pem'
|
||||
for srcPath in $cert_files; do
|
||||
echo "Copying: $srcPath to $certsPath..."
|
||||
cp -L "$srcPath" "$certsPath"
|
||||
|
||||
newFileName="$certsPath/$(basename $srcPath)"
|
||||
echo "Setting permissions for: $newFileName to uid: $target_host_postgres_id..."
|
||||
|
||||
chown "$target_host_postgres_id:$target_host_postgres_id" "$newFileName"
|
||||
chmod 0600 "$newFileName"
|
||||
done
|
||||
53
roles/postgres/tasks/main.yml
Normal file
53
roles/postgres/tasks/main.yml
Normal file
|
|
@ -0,0 +1,53 @@
|
|||
---
|
||||
- name: Include user role
|
||||
ansible.builtin.include_role:
|
||||
name: user
|
||||
vars:
|
||||
user_username: "{{ postgres_unix_username }}"
|
||||
user_password: "{{ postgres_unix_password }}"
|
||||
- name: Install ensure_certificate_setup.sh
|
||||
become: true
|
||||
ansible.builtin.copy:
|
||||
src: ensure_certificate_setup.sh
|
||||
dest: "/root/.bin/"
|
||||
mode: '0700'
|
||||
owner: root
|
||||
- name: Create certificates for PostgreSQL (postgres.kleinendorst.info)
|
||||
become: true
|
||||
ansible.builtin.command:
|
||||
cmd: >-
|
||||
/snap/bin/certbot certonly
|
||||
--dns-cloudflare
|
||||
--dns-cloudflare-propagation-seconds 120
|
||||
--dns-cloudflare-credentials '/root/.secrets/certbot/cloudflare.ini'
|
||||
--deploy-hook '/root/.bin/ensure_certificate_setup.sh'
|
||||
--agree-tos -m {{ administration_email }}
|
||||
-d postgres.kleinendorst.info
|
||||
creates: "/etc/letsencrypt/live/postgres.kleinendorst.info"
|
||||
- name: Create the postgres container
|
||||
ansible.builtin.include_role:
|
||||
name: podman-container
|
||||
apply:
|
||||
become: true
|
||||
become_user: "{{ postgres_unix_username }}"
|
||||
vars:
|
||||
podman_container_name: postgres
|
||||
podman_container_image: docker.io/postgres
|
||||
podman_container_tag: "{{ postgres_version }}"
|
||||
podman_container_publish:
|
||||
- 0.0.0.0:5432:5432
|
||||
podman_container_volumes:
|
||||
- "/home/{{ postgres_unix_username }}/certs/fullchain.pem:/var/lib/postgresql/fullchain.pem:ro"
|
||||
- "/home/{{ postgres_unix_username }}/certs/privkey.pem:/var/lib/postgresql/privkey.pem:ro"
|
||||
podman_simple_container_volumes:
|
||||
- name: postgres_data
|
||||
mnt: /var/lib/postgresql/data
|
||||
podman_container_command:
|
||||
- -c
|
||||
- ssl=on
|
||||
- -c
|
||||
- ssl_cert_file=/var/lib/postgresql/fullchain.pem
|
||||
- -c
|
||||
- ssl_key_file=/var/lib/postgresql/privkey.pem
|
||||
podman_container_env:
|
||||
POSTGRES_PASSWORD: "{{ postgres_password }}"
|
||||
3
roles/postgres/vars/main/defaults.yml
Normal file
3
roles/postgres/vars/main/defaults.yml
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
postgres_unix_username: postgres
|
||||
postgres_version: 17-alpine
|
||||
11
roles/postgres/vars/main/vault.yml
Normal file
11
roles/postgres/vars/main/vault.yml
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33656630396365636165633936316636323163303463643436303933636263326666313933366662
|
||||
3437333064663362666632383137323839326431333966350a653633376662626134333730313430
|
||||
33646337396530616230313062313737343639666234353262356436636364336463643430303438
|
||||
6639346363663231360a386663363632316361613238666465626238666436303561653265666431
|
||||
33316538613366316663303666306263386433373838343061363865313833303037653330343631
|
||||
61653438333361323234666662373965636464346132613339623436343262316636346363643830
|
||||
61626238616561663139323530373933623938633666373637376636353134303638613165643866
|
||||
34343036653365303630643333326165623334353038653961313731336538633830363732616137
|
||||
35343762613738383536653833646263326638663034326638323639343365633863343238356264
|
||||
3239656338663861343337333866306636353764363433636437
|
||||
Loading…
Add table
Add a link
Reference in a new issue