From aa15e6195389fe7625e7d7e3f4f4aad518880a4c Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Fri, 26 Jun 2020 12:01:43 +0100 Subject: [PATCH 01/18] Add PostgreSQL 11 role, nginx-buster, base-buster --- ansible/deploy-postgres-11.yml | 43 ++++++++ ansible/roles/base-buster/README.adoc | 2 + ansible/roles/base-buster/meta/main.yml | 8 ++ ansible/roles/base-buster/tasks/main.yml | 19 ++++ .../nginx-buster/files/ffdhe2048_dhparam.pem | 8 ++ .../nginx-buster/files/ssl_intermediate.conf | 3 + .../roles/nginx-buster/files/ssl_modern.conf | 4 + ansible/roles/nginx-buster/tasks/main.yml | 32 ++++++ .../roles/nginx-buster/templates/nginx.conf | 101 ++++++++++++++++++ ansible/roles/postgresql11/meta/main.yml | 3 + ansible/roles/postgresql11/tasks/main.yml | 39 +++++++ 11 files changed, 262 insertions(+) create mode 100644 ansible/deploy-postgres-11.yml create mode 100644 ansible/roles/base-buster/README.adoc create mode 100644 ansible/roles/base-buster/meta/main.yml create mode 100644 ansible/roles/base-buster/tasks/main.yml create mode 100644 ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem create mode 100644 ansible/roles/nginx-buster/files/ssl_intermediate.conf create mode 100644 ansible/roles/nginx-buster/files/ssl_modern.conf create mode 100644 ansible/roles/nginx-buster/tasks/main.yml create mode 100644 ansible/roles/nginx-buster/templates/nginx.conf create mode 100644 ansible/roles/postgresql11/meta/main.yml create mode 100644 ansible/roles/postgresql11/tasks/main.yml diff --git a/ansible/deploy-postgres-11.yml b/ansible/deploy-postgres-11.yml new file mode 100644 index 00000000..9ffb3831 --- /dev/null +++ b/ansible/deploy-postgres-11.yml 
@@ -0,0 +1,43 @@ +--- + +# Deploy PostgreSQL 11.7 + +- import_playbook: ansible-version.yml + +- hosts: ams-pg.ooni.nu + gather_facts: true # to gather `ansible_service_mgr` + tags: postgresql11 + roles: + - role: postgresql11 + + + # etckeeper + # netdata + # firewall + +#- name: install prometheus-postgres-exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-postgres-exporter +# +# +#- name: install prom process exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-process-exporter +# +#- name: install prom Nginx exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-nginx-exporter +# +# +#- name: install prox Haproxy exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-haproxy-exporter +# diff --git a/ansible/roles/base-buster/README.adoc b/ansible/roles/base-buster/README.adoc new file mode 100644 index 00000000..51496452 --- /dev/null +++ b/ansible/roles/base-buster/README.adoc @@ -0,0 +1,2 @@ + +Configure base host based on Buster diff --git a/ansible/roles/base-buster/meta/main.yml b/ansible/roles/base-buster/meta/main.yml new file mode 100644 index 00000000..2d4168b8 --- /dev/null +++ b/ansible/roles/base-buster/meta/main.yml @@ -0,0 +1,8 @@ +--- +dependencies: + - role: track_etc_directory + + #- role: ooca-cert + # ooca_ssl_dir: '{{ ngxprom_ssl_dir }}' + # ooca_ssl_subj: '/O=OONI/OU=Prometheus Exporter/CN={{ inventory_hostname }}' + # ooca_ca: exporter_ca diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml new file mode 100644 index 00000000..2f70181c --- /dev/null +++ b/ansible/roles/base-buster/tasks/main.yml 
@@ -0,0 +1,19 @@ +--- +- name: installs base packages + tags: base-packages + apt: + cache_valid_time: 86400 + name: + # - prometheus-node-exporter-collectors + - bash-completion + - byobu + - chrony + - fail2ban + - iotop + - manpages + - nullmailer + - prometheus-node-exporter + - rsync + - strace + - tcpdump + - tmux diff --git a/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem b/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/ansible/roles/nginx-buster/files/ssl_intermediate.conf b/ansible/roles/nginx-buster/files/ssl_intermediate.conf new file mode 100644 index 00000000..96d2e6e2 --- /dev/null +++ b/ansible/roles/nginx-buster/files/ssl_intermediate.conf 
@@ -0,0 +1,3 @@ +# Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7 +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; diff --git a/ansible/roles/nginx-buster/files/ssl_modern.conf b/ansible/roles/nginx-buster/files/ssl_modern.conf new file mode 100644 index 00000000..9ad7c11d --- /dev/null +++ b/ansible/roles/nginx-buster/files/ssl_modern.conf @@ -0,0 +1,4 @@ +# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +# NB: technically, it does not require ssl_dhparam as it has no DHE, only ECDHE. diff --git a/ansible/roles/nginx-buster/tasks/main.yml b/ansible/roles/nginx-buster/tasks/main.yml new file mode 100644 index 00000000..f48c9ef3 --- /dev/null +++ b/ansible/roles/nginx-buster/tasks/main.yml 
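Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line and the cipher string in ssl_intermediate.conf still enable TLS 1.0/1.1, 3DES (`DES-CBC3-SHA`) and non-forward-secret `AES128-SHA`-style suites, while nginx.conf in the same patch ships the Mozilla v5.4 intermediate profile (`ssl_protocols TLSv1.2 TLSv1.3;` and an ECDHE/DHE-only list). Any vhost that includes this snippet would silently re-enable the older protocols and suites the template just dropped. Regenerate the snippet from the same v5.4 guideline (`ssl_protocols TLSv1.2 TLSv1.3;` plus the cipher list used in nginx.conf) or drop it; ssl_modern.conf is TLS 1.2-only and would likewise want TLSv1.3 added. A comment stating which guideline version each snippet was generated from would keep the two from drifting again.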
@@ -0,0 +1,32 @@ +--- +- name: install stable nginx + apt: + name: nginx + cache_valid_time: 86400 + +# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 +# +# Guide https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups +# suggests ffdhe2048 instead of `openssl dhparam` to avoid https://weakdh.org/ +- name: copy nginx configuration snippets + copy: src={{item}} dest=/etc/nginx/{{ item }} mode=0444 owner=root group=root + with_items: + - ffdhe2048_dhparam.pem # ffdhe2048 Diffie-Hellman parameters + - ssl_intermediate.conf + - ssl_modern.conf + +- name: remove `default` vhost + file: path={{item}} state=absent + notify: reload nginx + with_items: + - /etc/nginx/conf.d/default.conf + - /etc/nginx/sites-available/default + - /etc/nginx/sites-enabled/default + +- name: set nginx.conf + template: + src=nginx.conf + dest=/etc/nginx/nginx.conf + mode=0444 + notify: reload nginx +... diff --git a/ansible/roles/nginx-buster/templates/nginx.conf b/ansible/roles/nginx-buster/templates/nginx.conf new file mode 100644 index 00000000..a4d1dac1 --- /dev/null +++ b/ansible/roles/nginx-buster/templates/nginx.conf 
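Review bot: The `set nginx.conf` template task (and the `remove default vhost` task) notify `reload nginx`, but the diffstat adds no handlers file to nginx-buster; unless that handler is defined by the playbook or another role, Ansible aborts the play when the notification fires. The template is also written without validation, so a broken nginx.conf replaces the live file before the reload discovers it; add `validate: nginx -t -c %s` to the template task so a bad render is rejected first. For readability, the `copy` and `template` tasks would be better in dict form with `loop:` than as `key=value` strings with `with_items`.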
@@ -0,0 +1,101 @@ + +# Managed by ansible +# roles/nginx-buster/templates/nginx.conf +# +# Generated with: +# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 +# + +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +# anonymize ipaddr +map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+\.\d+)\. $ip.0; + ~(?P[^:]+:[^:]+): $ip::; + default 0.0.0.0; +} + +# log anonymized ipaddr and caching status +#log_format apilogfmt '$remote_addr_anon $upstream_cache_status [$time_local] ' +# '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'; + + +http { + + # Basic Settings + + sendfile on; + tcp_nopush on; # TCP_CORK HTTP headers with sendfile() body into single packet + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Logging Settings + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + # Gzip Settings + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + # Virtual Host Configs + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; + + + ## SSL configuration + + # generated 2020-06-25, Mozilla Guideline v5.4, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration + # https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /path/to/signed_cert_plus_intermediates; + ssl_certificate_key /path/to/private_key; + ssl_session_timeout 1d; + 
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + ssl_dhparam /etc/nginx/ffdhe2048_dhparam.pem; # https://tools.ietf.org/html/rfc7919 + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; + +} + diff --git a/ansible/roles/postgresql11/meta/main.yml b/ansible/roles/postgresql11/meta/main.yml new file mode 100644 index 00000000..63b19aa0 --- /dev/null +++ b/ansible/roles/postgresql11/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: base-buster diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml new file mode 100644 index 00000000..fd509e0c --- /dev/null +++ b/ansible/roles/postgresql11/tasks/main.yml 
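Review bot: The `listen 443 ssl http2;` / `listen [::]:443 ssl http2;` lines are placed directly inside `http { }`, but `listen` is only valid in a `server` block, so `nginx -t` rejects this template as written; the `map $remote_addr $remote_addr_anon` block is likewise outside `http { }`, where `map` is not allowed. The `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` values are still the generator's `/path/to/...` placeholders, so TLS and OCSP stapling cannot work until they point at real files. Move the `listen` and certificate directives into the vhost server blocks under sites-enabled, keep the protocol/cipher/session/HSTS/stapling defaults in `http`, and move `map` inside `http`. `server_tokens off;` is left commented out; enabling it is cheap hardening. The `(?P\d+\.\d+\.\d+)` group in the map appears to have lost its `<ip>` name, possibly in extraction — worth confirming against the file, since `$ip` is referenced on the same line.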
@@ -0,0 +1,39 @@ +--- +- name: Create vg.metadb Volume Group + lvg: + vg: vg.metadb + pvs: + - /dev/xvdb1 + - /dev/xvdc1 + - /dev/xvdd1 + - /dev/xvde1 + - /dev/xvdf1 + - /dev/xvdg1 + - /dev/xvdh1 + +- name: Create metadb logical volume + lvol: + vg: vg.metadb + lv: metadb + size: 100%VG + +- name: Create filesystem for metadb + filesystem: + fstype: ext4 + dev: /dev/vg.metadb/metadb + opts: -L metadb + +- name: Mount metadb FS + mount: + fstype: ext4 + opts: noatime + path: /var/lib/postgres + src: LABEL=metadb + state: mounted + +- name: installs packages + apt: + cache_valid_time: 86400 + name: + - postgresql-11 + - prometheus-node-exporter From 8b1025ac0620c62235d8b986df8e1ab46022ae03 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Fri, 26 Jun 2020 12:54:52 +0100 Subject: [PATCH 02/18] Fix APT conf --- ansible/roles/base-buster/tasks/main.yml | 32 ++++++++++++++++++- .../roles/base-buster/templates/sources.list | 6 ++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/base-buster/templates/sources.list diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml index 2f70181c..ba85bb9a 100644 --- a/ansible/roles/base-buster/tasks/main.yml +++ b/ansible/roles/base-buster/tasks/main.yml @@ -1,5 +1,31 @@ --- -- name: installs base packages +- name: Remove apt repo + file: + path: /etc/apt/sources.list.d/ftp_nl_debian_org_debian.list + state: absent + +- name: Remove apt repo + file: + path: /etc/apt/sources.list.d/security_debian_org.list + state: absent + +- name: Set apt repos + template: + src: templates/sources.list + dest: /etc/apt/sources.list + mode: 0644 + owner: root + +- name: Update apt cache and upgrade packages + apt: + update_cache: yes + upgrade: dist + +- name: Autoremove + apt: + autoremove: yes + +- name: Installs base packages tags: base-packages apt: cache_valid_time: 86400 @@ -17,3 +43,7 @@ - strace - tcpdump - tmux + +- name: Clean cache + apt: + autoclean: yes 
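Review bot: `Update apt cache and upgrade packages` runs `upgrade: dist` unconditionally, so every run of base-buster performs a full dist-upgrade on the host — on the database server this can pull kernel and postgresql updates and restart services mid-play with no operator gate. Consider `upgrade: safe`, or guard the task with a role variable (illustrative name) such as `when: apt_dist_upgrade | default(false)`, leaving only security updates unattended. The two tasks both named `Remove apt repo` should get distinct names or become one `file` task with `loop`; `yes` should be `true`, and `mode: 0644` should be quoted as `mode: "0644"` so YAML does not parse it as an integer.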
diff --git a/ansible/roles/base-buster/templates/sources.list b/ansible/roles/base-buster/templates/sources.list new file mode 100644 index 00000000..6f09cd58 --- /dev/null +++ b/ansible/roles/base-buster/templates/sources.list @@ -0,0 +1,6 @@ +# Managed by ansible +# roles/base-buster/templates/sources.list + +deb http://deb.debian.org/debian buster main contrib non-free +deb http://security.debian.org/debian-security buster/updates main contrib non-free +deb http://deb.debian.org/debian buster-backports main From cbc5cb06537c7466837b868b813f7eeeb42781d3 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Mon, 29 Jun 2020 16:54:56 +0100 Subject: [PATCH 03/18] Add APT sources --- ansible/roles/base-buster/templates/sources.list | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/base-buster/templates/sources.list b/ansible/roles/base-buster/templates/sources.list index 6f09cd58..57415bf8 100644 --- a/ansible/roles/base-buster/templates/sources.list +++ b/ansible/roles/base-buster/templates/sources.list @@ -4,3 +4,4 @@ deb http://deb.debian.org/debian buster main contrib non-free deb http://security.debian.org/debian-security buster/updates main contrib non-free deb http://deb.debian.org/debian buster-backports main +deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main From ec47537deb8f31bd31e973cfad38b7d60f41a1c3 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Mon, 29 Jun 2020 16:55:26 +0100 Subject: [PATCH 04/18] Setup pg host --- ansible/roles/postgresql11/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index fd509e0c..75beef45 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -37,3 +37,5 @@ name: - postgresql-11 - prometheus-node-exporter + + From fabdc7c84a9cad969d21a8e566f73832a644df2b Mon Sep 17 00:00:00 2001 
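Review bot: The new `deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main` line disables APT signature verification for that repository, so package authenticity rests entirely on the TLS connection to the hosting service, and the channel name suggests builds from pull requests. Without a pin, any package in that suite can also supersede the Debian version of the same name on the next run of the dist-upgrade added in patch 02. Sign the repository and reference the key with `[signed-by=/usr/share/keyrings/<keyring-placeholder>.gpg]` instead of `trusted=yes`, and add an `/etc/apt/preferences.d` entry that pins that origin low (or to the specific packages wanted) so only explicitly requested packages come from it.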
From: Federico Ceratto Date: Mon, 29 Jun 2020 16:55:40 +0100 Subject: [PATCH 05/18] Setup nftables --- ansible/roles/nftables/README.adoc | 25 +++++++++++++ ansible/roles/nftables/tasks/main.yml | 34 +++++++++++++++++ .../roles/nftables/templates/nftables.conf | 37 +++++++++++++++++++ ansible/roles/postgresql11/meta/main.yml | 1 + 4 files changed, 97 insertions(+) create mode 100644 ansible/roles/nftables/README.adoc create mode 100644 ansible/roles/nftables/tasks/main.yml create mode 100755 ansible/roles/nftables/templates/nftables.conf diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc new file mode 100644 index 00000000..15adc90a --- /dev/null +++ b/ansible/roles/nftables/README.adoc @@ -0,0 +1,25 @@ +Install nftables based firewall + +Set up /etc/ooni/nftables/ + +Rules for specific services are *not* configured by this role + +When creating rules to accept TCP traffic from any IPv4/6 address, +files are named with the port number to detect collisions. + +Example: + +/etc/ooni/nftables/tcp/8080.nft + +``` +add rule inet filter input tcp dport 8080 counter accept comment "MyService" +``` + + +Otherwise: + +/etc/ooni/nftables/tcp/5432_postgres_internal.nft + +``` +add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL" +``` diff --git a/ansible/roles/nftables/tasks/main.yml b/ansible/roles/nftables/tasks/main.yml new file mode 100644 index 00000000..955a760b --- /dev/null +++ b/ansible/roles/nftables/tasks/main.yml 
@@ -0,0 +1,34 @@ +--- +- name: Install nftables + apt: + cache_valid_time: 86400 + name: nftables + +- name: create config dir + file: + path: /etc/ooni/nftables/tcp + state: directory + owner: root + group: root + mode: 0755 + +- name: allow SSH + blockinfile: + path: /etc/ooni/nftables/tcp/22.nft + create: yes + block: | + add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH" + +- name: Overwrite nftables.conf + template: + src: templates/nftables.conf + dest: /etc/nftables.conf + mode: 0755 + owner: root + +- name: Enable and start nftables service + systemd: + name: nftables.service + state: reloaded + enabled: yes + diff --git a/ansible/roles/nftables/templates/nftables.conf b/ansible/roles/nftables/templates/nftables.conf new file mode 100755 index 00000000..abfca0cd --- /dev/null +++ b/ansible/roles/nftables/templates/nftables.conf @@ -0,0 +1,37 @@ +#!/usr/sbin/nft -f +# +# Nftables configuration script +# +# Managed by ansible +# roles/nftables/templates/nftables.conf +# +# The ruleset is applied atomically + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; + policy drop; + iif lo accept comment "Accept incoming traffic from localhost" + ct state invalid drop + ct state established,related accept comment "Accept traffic related to outgoing connections" + } + + chain forward { + type filter hook forward priority 0; + policy accept; + } + + chain output { + type filter hook output priority 0; + policy accept; + } +} + +# Configure TCP traffic rules +include "/etc/ooni/nftables/tcp/*.nft" + +# Configure any other rule +include "/etc/ooni/nftables/*.nft" + diff --git a/ansible/roles/postgresql11/meta/main.yml b/ansible/roles/postgresql11/meta/main.yml index 63b19aa0..9be116a0 100644 --- a/ansible/roles/postgresql11/meta/main.yml +++ b/ansible/roles/postgresql11/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - role: base-buster + - role: nftables 
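Review bot: The `input` chain in nftables.conf (`policy drop`) accepts only `lo`, `established,related` and the included tcp rules, so all ICMP and ICMPv6 is dropped: neighbour discovery and router advertisements never reach the host, which breaks IPv6 connectivity, and inbound ping is lost (ICMP errors tied to tracked connections still pass as `related`). Add after the `ct state` rules something like `meta l4proto { icmp, ipv6-icmp } accept comment "ICMP/ICMPv6"` — or at least the NDP and echo types — and consider a `limit rate` on echo requests. The `tcp/*.nft` rules written later in this series match `ip saddr` only, so they admit IPv4 but not IPv6 clients; fine if intended, but worth a comment in nftables.conf.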
From 80ee261c8738586f746253c73ecce8246a806bae Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Tue, 30 Jun 2020 12:55:15 +0100 Subject: [PATCH 06/18] Remove and reset smartd --- ansible/roles/base-buster/tasks/main.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml index ba85bb9a..f0df8e4e 100644 --- a/ansible/roles/base-buster/tasks/main.yml +++ b/ansible/roles/base-buster/tasks/main.yml @@ -21,10 +21,6 @@ update_cache: yes upgrade: dist -- name: Autoremove - apt: - autoremove: yes - - name: Installs base packages tags: base-packages apt: @@ -44,6 +40,18 @@ - tcpdump - tmux +- name: Remove smartmontools + apt: + name: smartmontools + state: absent + +- name: Reset failed smartd + command: systemctl reset-failed + +- name: Autoremove + apt: + autoremove: yes + - name: Clean cache apt: autoclean: yes From 48c48f115bae43739d0c823126b6e13a18662354 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Wed, 1 Jul 2020 20:20:25 +0100 Subject: [PATCH 07/18] Improve monitoring --- ansible/inventory | 4 +- ansible/roles/base-buster/tasks/main.yml | 68 +++++++++++++++++++ ansible/roles/nftables/README.adoc | 2 +- ansible/roles/postgresql11/tasks/main.yml | 15 +++- .../prometheus/templates/prometheus.yml.j2 | 27 +++++++- 5 files changed, 109 insertions(+), 7 deletions(-) diff --git a/ansible/inventory b/ansible/inventory index 01e1c637..56f33ac3 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -126,9 +126,11 @@ ams-orchestra.ooni.nu mia-run.ooni.nu ams-api.ooni.nu ams-jupyter.ooni.nu -ams-pg.ooni.nu mia-explorer-test.ooni.nu +[have_nftables] +ams-pg.ooni.nu + [have_nginx] prometheus.infra.ooni.io amsmatomo.ooni.nu diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml index f0df8e4e..32b20019 100644 --- a/ansible/roles/base-buster/tasks/main.yml +++ b/ansible/roles/base-buster/tasks/main.yml 
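Review bot: `Reset failed smartd` uses `command: systemctl reset-failed`, which Ansible reports as changed on every run and which clears the failed state of every unit, not just smartd. Add `changed_when: false` and narrow it to the smartd unit (`systemctl reset-failed <unit-name>`; the unit name the package ships is not visible here) so unrelated failed units keep their status for monitoring.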
@@ -24,6 +24,7 @@ - name: Installs base packages tags: base-packages apt: + install_recommends: no cache_valid_time: 86400 name: # - prometheus-node-exporter-collectors @@ -33,6 +34,10 @@ - fail2ban - iotop - manpages + - netdata-core + - netdata-plugins-bash + - netdata-plugins-python + - netdata-web - nullmailer - prometheus-node-exporter - rsync @@ -55,3 +60,66 @@ - name: Clean cache apt: autoclean: yes + +- name: allow netdata.service + blockinfile: + path: /etc/ooni/nftables/tcp/19999.nft + create: yes + block: | + add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.infra.ooni.io/A') }} tcp dport 19999 counter accept comment "netdata.service" + +- name: reload nftables service + systemd: + name: nftables.service + state: reloaded + +- name: configure netdata.service + blockinfile: + path: /etc/netdata/netdata.conf + block: | + # Managed by ansible, see roles/base-buster/tasks/main.yml + [global] + run as user = netdata + web files owner = root + web files group = root + bind socket to IP = 0.0.0.0 + + [plugins] + python.d = yes + +- name: configure netdata chrony + blockinfile: + path: /etc/netdata/python.d/chrony.conf + create: yes + block: | + # Managed by ansible, see roles/base-buster/tasks/main.yml + update_every: 5 + local: + command: 'chronyc -n tracking' + +- name: configure netdata nginx + blockinfile: + path: /etc/netdata/python.d/chrony.conf + create: yes + block: | + # Managed by ansible, see roles/base-buster/tasks/main.yml + update_every: 5 + nginx_log: + name : 'nginx_log' + path : '/var/log/nginx/access.log' + +#- name: configure netdata haproxy +# blockinfile: +# path: /etc/netdata/python.d/haproxy.conf +# block: | +# # Managed by ansible, see roles/base-buster/tasks/main.yml +# update_every: 5 +# via_url: +# url: 'http://127.0.0.1:7000/haproxy_stats;csv;norefresh' + +- name: restart netdata service + systemd: + name: netdata.service + state: restarted + + 
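Review bot: `configure netdata.service` sets `bind socket to IP = 0.0.0.0`, exposing netdata's web API — which has no authentication of its own — on every interface, with only the `19999.nft` rule from the same hunk (IPv4 `ip saddr` of `prometheus.infra.ooni.io`) in front of it. Binding to the host's scrape address explicitly, or to loopback behind a local proxy, would make the firewall a second layer rather than the only one. The `lookup('dig', 'prometheus.infra.ooni.io/A')` is resolved on the controller at each run; I believe the lookup returns a comma-joined string when several A records exist and a non-address token on resolution failure, either of which makes nft reject the file and the reload fail — pinning the scraper's address in inventory would be more robust. The same pattern is used for the postgresql11 role's 5432 rules later in the series.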
diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc index 15adc90a..e3bef58f 100644 --- a/ansible/roles/nftables/README.adoc +++ b/ansible/roles/nftables/README.adoc @@ -7,7 +7,7 @@ Rules for specific services are *not* configured by this role When creating rules to accept TCP traffic from any IPv4/6 address, files are named with the port number to detect collisions. -Example: +Example (also see roles/nftables/tasks/main.yml): /etc/ooni/nftables/tcp/8080.nft diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index 75beef45..9711e2a5 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -31,11 +31,22 @@ src: LABEL=metadb state: mounted -- name: installs packages +- name: install PG11 and its prom exporter apt: cache_valid_time: 86400 name: - postgresql-11 - - prometheus-node-exporter + - prometheus-postgres-exporter +- name: allow prometheus-postgres-exporter.service + blockinfile: + path: /etc/ooni/nftables/tcp/9187.nft + create: yes + block: | + add rule inet filter input tcp dport 9187 counter accept comment "prometheus-postgres-exporter.service" + +- name: reload nftables service + systemd: + name: nftables.service + state: reloaded diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2 index ce8c021d..e86c5af9 100755 --- a/ansible/roles/prometheus/templates/prometheus.yml.j2 +++ b/ansible/roles/prometheus/templates/prometheus.yml.j2 @@ -51,7 +51,7 @@ scrape_configs: module: [{{ bbjob.module }}] static_configs: - targets: -{% for target in bbjob.targets %} +{% for target in (bbjob.targets|sort) %} - {{ target }} {% endfor %} relabel_configs: @@ -135,7 +135,7 @@ scrape_configs: key_file: "{{ prometheus_ssl_dir }}/{{ inventory_hostname }}.key" static_configs: - targets: -{% for host in (groups.all) %} +{% for host in (groups.all|sort) %} - {{ host }}:9100 {% endfor %} 
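Review bot: The new `9187.nft` rule `add rule inet filter input tcp dport 9187 counter accept ...` admits any IPv4 source, whereas the `19999.nft` rule added for netdata in this same commit is restricted to the Prometheus host's address; prometheus-postgres-exporter serves database, role and activity statistics without authentication of its own. Apply the same qualifier here, e.g. `add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.infra.ooni.io/A') }} tcp dport 9187 counter accept comment "prometheus-postgres-exporter.service"`. Swapping `prometheus-node-exporter` for `prometheus-postgres-exporter` in the package list relies on base-buster still installing node-exporter, which the earlier hunk does.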
@@ -151,9 +151,30 @@ scrape_configs: key_file: "{{ prometheus_ssl_dir }}/{{ inventory_hostname }}.key" static_configs: - targets: -{% for host in (groups.have_netdata) %} +{% for host in (groups.have_netdata|sort) %} - {{ host }}:9100 {% endfor %} + - ams-pg.ooni.nu:9100 + + - job_name: 'raw-netdata' + scrape_interval: 5s + scheme: http + metrics_path: "/api/v1/allmetrics?format=prometheus&help=yes" + params: + format: [prometheus] + static_configs: + - targets: + - ams-pg.ooni.nu:19999 + + - job_name: 'raw postgres-exporter' + scrape_interval: 5s + scheme: https + metrics_path: /api/v1/allmetrics + params: + format: [prometheus] + static_configs: + - targets: + - ams-pg.ooni.nu:9187 - job_name: 'gorush' scrape_interval: 5s From dda26afe4b228da1f64bf8d182f0605c5492f1f4 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Tue, 7 Jul 2020 13:43:51 +0100 Subject: [PATCH 08/18] Minor cleanup --- ansible/deploy-postgres-11.yml | 5 ----- .../prometheus/templates/prometheus.yml.j2 | 19 +++++++++---------- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/ansible/deploy-postgres-11.yml b/ansible/deploy-postgres-11.yml index 9ffb3831..b15ef74a 100644 --- a/ansible/deploy-postgres-11.yml +++ b/ansible/deploy-postgres-11.yml @@ -10,11 +10,6 @@ roles: - role: postgresql11 - - # etckeeper - # netdata - # firewall - #- name: install prometheus-postgres-exporter # apt: # cache_valid_time: 86400 diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2 index e86c5af9..421aab6d 100755 --- a/ansible/roles/prometheus/templates/prometheus.yml.j2 +++ b/ansible/roles/prometheus/templates/prometheus.yml.j2 @@ -154,7 +154,6 @@ scrape_configs: {% for host in (groups.have_netdata|sort) %} - {{ host }}:9100 {% endfor %} - - ams-pg.ooni.nu:9100 - job_name: 'raw-netdata' scrape_interval: 5s 
@@ -166,15 +165,15 @@ scrape_configs: - targets: - ams-pg.ooni.nu:19999 - - job_name: 'raw postgres-exporter' - scrape_interval: 5s - scheme: https - metrics_path: /api/v1/allmetrics - params: - format: [prometheus] - static_configs: - - targets: - - ams-pg.ooni.nu:9187 +# - job_name: 'raw postgres-exporter' +# scrape_interval: 5s +# scheme: https +# metrics_path: /api/v1/allmetrics +# params: +# format: [prometheus] +# static_configs: +# - targets: +# - ams-pg.ooni.nu:9187 - job_name: 'gorush' scrape_interval: 5s From 31a986473fdffafdb22885a7337b057f7b986c0d Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Wed, 15 Jul 2020 16:12:57 +0100 Subject: [PATCH 09/18] Add comments --- ansible/roles/adm/tasks/main.yml | 2 ++ ansible/roles/adm/templates/authorized_keys | 3 ++- ansible/roles/adm/templates/sudoers | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ansible/roles/adm/tasks/main.yml b/ansible/roles/adm/tasks/main.yml index cd03a6f5..68551cd4 100644 --- a/ansible/roles/adm/tasks/main.yml +++ b/ansible/roles/adm/tasks/main.yml @@ -37,9 +37,11 @@ - name: root .ssh/authorized_keys2 template: src=authorized_keys_root dest=/root/.ssh/authorized_keys2 owner=root group=root mode=0400 + # TODO remove direct ssh as root - name: legacy root .ssh/authorized_keys template: src=authorized_keys_root_legacy dest=/root/.ssh/authorized_keys backup=yes owner=root group=root mode=0400 + # TODO remove direct ssh as root - name: require gid=0 for su # to prevent any process doing `su` while knowing The Password lineinfile: diff --git a/ansible/roles/adm/templates/authorized_keys b/ansible/roles/adm/templates/authorized_keys index 6597c31b..9be257ad 100644 --- a/ansible/roles/adm/templates/authorized_keys +++ b/ansible/roles/adm/templates/authorized_keys @@ -1,4 +1,5 @@ -# ansible-managed in ooni-sysadmin.git +# managed by ansible +# see roles/adm/templates/authorized_keys {% for k in passwd[item]['keys'] %} {{ k }} {% endfor %} 
diff --git a/ansible/roles/adm/templates/sudoers b/ansible/roles/adm/templates/sudoers index f18a8224..43608de3 100644 --- a/ansible/roles/adm/templates/sudoers +++ b/ansible/roles/adm/templates/sudoers @@ -1,4 +1,4 @@ -# ansible-managed in ooni-sysadmin.git +# ansible-managed in roles/adm/templates/sudoers {% for login in adm_logins %} {{ passwd[login].login }} ALL=(ALL:ALL) NOPASSWD: ALL {% endfor %} From d570058fc714c7df79fd04c5daae1e79629607dc Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Wed, 15 Jul 2020 16:13:16 +0100 Subject: [PATCH 10/18] Create users --- ansible/roles/base-buster/meta/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/base-buster/meta/main.yml b/ansible/roles/base-buster/meta/main.yml index 2d4168b8..4f2c687f 100644 --- a/ansible/roles/base-buster/meta/main.yml +++ b/ansible/roles/base-buster/meta/main.yml @@ -1,6 +1,10 @@ --- dependencies: - role: track_etc_directory + - role: adm + become: false + remote_user: root + gather_facts: false #- role: ooca-cert # ooca_ssl_dir: '{{ ngxprom_ssl_dir }}' From 537e8f1c1aece99498fe725065168c78455db65d Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Wed, 15 Jul 2020 16:13:24 +0100 Subject: [PATCH 11/18] Install ncdu --- ansible/roles/base-buster/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml index 32b20019..f6382dec 100644 --- a/ansible/roles/base-buster/tasks/main.yml +++ b/ansible/roles/base-buster/tasks/main.yml @@ -34,6 +34,7 @@ - fail2ban - iotop - manpages + - ncdu - netdata-core - netdata-plugins-bash - netdata-plugins-python From 9b2c66a7e137058a314d274163ed096c5d6ddf13 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Wed, 15 Jul 2020 16:28:21 +0100 Subject: [PATCH 12/18] Trust localhost IPv4 access on postgresql --- ansible/roles/postgresql11/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
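Review bot: The `adm` dependency is pulled in with `remote_user: root` and `become: false`, so base-buster (and everything depending on it, such as postgresql11) now requires direct root SSH on every managed host — the same access the `TODO remove direct ssh as root` comments in patch 09 mark for removal. A short comment on the dependency saying why root login is still needed here and what the exit plan is would help. `gather_facts` is a play-level keyword; I do not think it is honoured on a role dependency, so `gather_facts: false` is most likely passed to the role as a plain variable and can be dropped — confirm against the Ansible version in use.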
diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index 9711e2a5..24118105 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -38,6 +38,17 @@ - postgresql-11 - prometheus-postgres-exporter +- name: Trust localhost IPv4 access on postgresql + lineinfile: + dest: /etc/postgresql/11/main/pg_hba.conf + regexp: '^host\s+all\s+all+\s+127\.0\.0\.1/32\s+trust' + insertafter: '^# IPv4 local connections:' + line: "host all all 127.0.0.1/32 trust" + state: present + +- name: Reload pg after conf change + service: name=postgresql state=reloaded + - name: allow prometheus-postgres-exporter.service blockinfile: path: /etc/ooni/nftables/tcp/9187.nft From 6d3542ef2d21b9f4e80bc42ff806d60b3c681216 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Wed, 15 Jul 2020 17:23:38 +0100 Subject: [PATCH 13/18] Comment out unused plugin --- ansible/roles/base-buster/tasks/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml index f6382dec..1330b9d9 100644 --- a/ansible/roles/base-buster/tasks/main.yml +++ b/ansible/roles/base-buster/tasks/main.yml @@ -98,16 +98,16 @@ local: command: 'chronyc -n tracking' -- name: configure netdata nginx - blockinfile: - path: /etc/netdata/python.d/chrony.conf - create: yes - block: | - # Managed by ansible, see roles/base-buster/tasks/main.yml - update_every: 5 - nginx_log: - name : 'nginx_log' - path : '/var/log/nginx/access.log' +#- name: configure netdata nginx +# blockinfile: +# path: /etc/netdata/python.d/nginx.conf +# create: yes +# block: | +# # Managed by ansible, see roles/base-buster/tasks/main.yml +# update_every: 5 +# nginx_log: +# name : 'nginx_log' +# path : '/var/log/nginx/access.log' #- name: configure netdata haproxy # blockinfile: From bb51bd913bd2c3cff62ee198a45b46329899802a Mon Sep 17 00:00:00 2001 
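Review bot: `Trust localhost IPv4 access on postgresql` inserts `host all all 127.0.0.1/32 trust`, which lets any local process able to open a TCP socket connect as any role — including the `postgres` superuser — with no credential; netdata, the exporters and any compromised service account all qualify. Because pg_hba.conf is first-match and the line is inserted right after `# IPv4 local connections:`, it takes precedence over whatever password-authenticated entry for 127.0.0.1/32 the packaging ships below it (not visible here, but that is the stock layout as far as I recall). Prefer `scram-sha-256` (PG11 supports it per the `password_encryption` comment in the shipped postgresql.conf) or `md5` with a dedicated role, and if a passwordless local client is unavoidable, scope the line to that one database and user. The regexp `all+\s+` has a stray `+` and should read `all\s+`; and `Reload pg after conf change` runs on every play — make it a handler notified by the lineinfile task.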
From: Federico Ceratto Date: Thu, 16 Jul 2020 11:51:36 +0100 Subject: [PATCH 14/18] Accept incoming TCP traffic to ams-pg --- ansible/roles/postgresql11/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index 24118105..c092ce72 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -56,6 +56,16 @@ block: | add rule inet filter input tcp dport 9187 counter accept comment "prometheus-postgres-exporter.service" +- name: allow incoming TCP connections to database + blockinfile: + path: /etc/ooni/nftables/tcp/5432.nft + create: yes + block: | + add rule inet filter input ip saddr {{ lookup('dig', 'ams-api.ooni.nu/A') }} tcp dport 5432 counter accept comment "incoming psql" + add rule inet filter input ip saddr {{ lookup('dig', 'ams-jupyter.ooni.nu/A') }} tcp dport 5432 counter accept comment "incoming psql" + add rule inet filter input ip saddr {{ lookup('dig', 'datacollector.infra.ooni.io/A') }} tcp dport 5432 counter accept comment "incoming psql" + add rule inet filter input ip saddr {{ lookup('dig', 'fastpath.ooni.nu/A') }} tcp dport 5432 counter accept comment "incoming psql" + - name: reload nftables service systemd: name: nftables.service From 444eea6c6c510024d74ef8da55a80c62408969cc Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Thu, 16 Jul 2020 16:01:23 +0100 Subject: [PATCH 15/18] Fix dir name --- ansible/roles/postgresql11/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index c092ce72..8af775c7 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -27,7 +27,7 @@ mount: fstype: ext4 opts: noatime - path: /var/lib/postgres + path: /var/lib/postgresql src: LABEL=metadb state: mounted 
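Review bot: The four `ip saddr {{ lookup('dig', ...) }}` lines in `5432.nft` resolve the client hosts' addresses on the controller at each run; I believe the dig lookup joins multiple A records with commas, which nft rejects unless the value is wrapped as a set (`ip saddr { {{ lookup('dig', 'ams-api.ooni.nu/A') }} }`), and a resolution failure yields a non-address token that makes the reload fail. Pinning these addresses in host_vars/inventory and iterating with `loop` would make the rule deterministic and reviewable, and a single `ip saddr { a, b, c, d }` set is cheaper than four rules. Allowing the traffic through the firewall is not sufficient on its own — PostgreSQL also needs `listen_addresses` and matching pg_hba.conf `host` entries for these clients, neither of which this series adds as far as visible. The same lookup pattern is used for `19999.nft` in base-buster.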
From 12a825416464878b8cd6ba402c86a7403ac2beb8 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Fri, 17 Jul 2020 14:04:09 +0100 Subject: [PATCH 16/18] Add temporary pg11 config file --- ansible/roles/postgresql11/tasks/main.yml | 7 + .../postgresql11/templates/postgresql.conf | 698 ++++++++++++++++++ 2 files changed, 705 insertions(+) create mode 100644 ansible/roles/postgresql11/templates/postgresql.conf diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index 8af775c7..644d6362 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -46,6 +46,13 @@ line: "host all all 127.0.0.1/32 trust" state: present +- name: Overwrite postgresql.conf + template: + src: templates/postgresql.conf + dest: /etc/postgresql/11/main/postgresql.conf + mode: 0644 + owner: root + - name: Reload pg after conf change service: name=postgresql state=reloaded diff --git a/ansible/roles/postgresql11/templates/postgresql.conf b/ansible/roles/postgresql11/templates/postgresql.conf new file mode 100644 index 00000000..e7e1d1ea --- /dev/null +++ b/ansible/roles/postgresql11/templates/postgresql.conf 
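Review bot: `Overwrite postgresql.conf` writes the template with no `validate` and no `notify`, relying on the `Reload pg after conf change` task that follows it unconditionally; parameters the template itself marks `(change requires restart)` — `data_directory`, `port`, `max_connections`, `unix_socket_directories` — are silently not applied by a reload. Make the template notify a handler that reloads (or restarts when those keys change), and consider `owner: postgres` / `group: postgres` to match how Debian ships the cluster config directory (verify on the host; root-owned 0644 is readable but may not suit tooling that edits the file in place). In the visible part of the template `listen_addresses` stays at its commented default (`localhost`), so the remote clients admitted by the 5432 firewall rules in patch 14 still cannot connect — if that is intended, a comment saying so would help; the rest of the 698-line template is outside this view.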
@@ -0,0 +1,698 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. 
+ +data_directory = '/var/lib/postgresql/11/main' # use data in another directory + # (change requires restart) +hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file + # (change requires restart) +ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +#listen_addresses = 'localhost' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = md5 # md5 or scram-sha-256 +#db_user_namespace = off + +# GSSAPI using 
Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +ssl = on +#ssl_ca_file = '' +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' +#ssl_crl_file = '' +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 4011MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. 
+# TODO restore after import +work_mem = 32MB # min 64kB +# TODO restore after import +maintenance_work_mem = 1024MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # use none to disable dynamic shared memory + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG 
+#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # (change requires restart) +# TODO +fsync = off # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +# TODO +synchronous_commit = off # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +# TODO restore after import +full_page_writes = off # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +# TODO disabled after restore +wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 1GB +min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. 
+ +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +seq_page_cost = 1.0 # measured on an arbitrary scale +random_page_cost = 1.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as 
above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +effective_cache_size = 12035MB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = off # allow JIT compilation + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. 
+ # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints 
= off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Etc/UTC' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '11/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + 
+#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +# TODO restore after import +autovacuum = off # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = 
'' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples + # before index cleanup, 0 always performs + # index cleanup +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'Etc/UTC' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 0 # min -15, max 3 +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. 
+lc_messages = 'C.UTF-8' # locale for system error message + # strings +lc_monetary = 'C.UTF-8' # locale for monetary formatting +lc_numeric = 'C.UTF-8' # locale for number formatting +lc_time = 'C.UTF-8' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Shared Library Preloading - + +#shared_preload_libraries = '' # (change requires restart) +#local_preload_libraries = '' +#session_preload_libraries = '' +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? 
+#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +include_dir = 'conf.d' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here From e926cd17effe32524c8429803bcaf11c7d1e9df3 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Fri, 17 Jul 2020 17:46:10 +0100 Subject: [PATCH 17/18] Listen on all interfaces --- ansible/roles/postgresql11/templates/postgresql.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/postgresql11/templates/postgresql.conf b/ansible/roles/postgresql11/templates/postgresql.conf index e7e1d1ea..506e4c0b 100644 --- a/ansible/roles/postgresql11/templates/postgresql.conf +++ b/ansible/roles/postgresql11/templates/postgresql.conf @@ -57,6 +57,7 @@ external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID fil # - Connection Settings - #listen_addresses = 'localhost' # what IP address(es) to listen on; +listen_addresses = '*' # comma-separated list of addresses; # defaults to 'localhost'; use '*' for all # (change requires restart) From 64e3e8fd0cbdf678d987e5e16faa5fc87ac39d4c Mon Sep 17 00:00:00 2001 
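Review bot: `fsync = off`, `synchronous_commit = off` and `full_page_writes = off` in the WRITE-AHEAD LOG section are committed as the live configuration with only `# TODO` / `# TODO restore after import` comments; with fsync and full-page writes disabled, a power loss or kernel crash during or after the import can leave the cluster unrecoverable, and `autovacuum = off` in the AUTOVACUUM section will eventually force a shutdown for XID wraparound if it is forgotten. Gate the bulk-import values on a variable that defaults to the safe setting, e.g. `fsync = {{ 'off' if pg_bulk_import | default(false) else 'on' }}` (variable name constructed here), so that a plain run of the role restores durability. `ssl = on` still points at the snakeoil self-signed pair, which gives encryption but no server authentication for the remote clients this series opens the port to. `password_encryption` is left at the commented default `md5`; setting `scram-sha-256` here would let pg_hba.conf use it instead of md5.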
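Review bot: `listen_addresses = '*'` binds PostgreSQL to every interface, so the only thing keeping port 5432 off the public side of the host is the nftables allowlist from the earlier `allow incoming TCP connections to database` patch, and nothing in the file records that dependency. Add it inline, e.g. `listen_addresses = '*'  # exposure limited by /etc/ooni/nftables/tcp/5432.nft`, or bind to the specific addresses clients connect to if the host has more than one. The new line is inserted between the commented-out default and its continuation comments, so the `# comma-separated list ...` lines now read as if they describe the active value; placing the line below that comment block would avoid the confusion. This parameter is marked `(change requires restart)`, and the role's follow-up task only reloads the service.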
From: Federico Ceratto Date: Fri, 17 Jul 2020 19:02:03 +0100 Subject: [PATCH 18/18] Deploy pg_hba.conf --- ansible/roles/postgresql11/tasks/main.yml | 11 +- .../roles/postgresql11/templates/pg_hba.conf | 109 ++++++++++++++++++ 2 files changed, 114 insertions(+), 6 deletions(-) create mode 100644 ansible/roles/postgresql11/templates/pg_hba.conf diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml index 644d6362..1e84bdb3 100644 --- a/ansible/roles/postgresql11/tasks/main.yml +++ b/ansible/roles/postgresql11/tasks/main.yml @@ -38,13 +38,12 @@ - postgresql-11 - prometheus-postgres-exporter -- name: Trust localhost IPv4 access on postgresql - lineinfile: +- name: Overwrite pg_hba.conf + template: + src: templates/pg_hba.conf dest: /etc/postgresql/11/main/pg_hba.conf - regexp: '^host\s+all\s+all+\s+127\.0\.0\.1/32\s+trust' - insertafter: '^# IPv4 local connections:' - line: "host all all 127.0.0.1/32 trust" - state: present + mode: 0644 + owner: root - name: Overwrite postgresql.conf template: diff --git a/ansible/roles/postgresql11/templates/pg_hba.conf b/ansible/roles/postgresql11/templates/pg_hba.conf new file mode 100644 index 00000000..883d0b6c --- /dev/null +++ b/ansible/roles/postgresql11/templates/pg_hba.conf 
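Review bot: The new `Overwrite pg_hba.conf` task writes the file as `owner: root` with `mode: 0644` and no `group`, so the file becomes world-readable and root-owned; Debian's cluster tooling keeps it at 0640 owned by postgres:postgres (worth confirming against the target), and a world-readable policy file exposes the trust rules to every local account. Use `owner: postgres`, `group: postgres` and `mode: "0640"`, quoting the octal so YAML does not read it as the integer 420; the same unquoted `mode: 0644` is in the postgresql.conf task just below. The rest of the task list, including the reload step, is outside the hunk.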
@@ -0,0 +1,109 @@ +# Managed by ansible +# roles/postgresql11/templates/pg_hba.conf + + +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. 
+# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + + + + +# DO NOT DISABLE! +# If you change this first entry you will need to make sure that the +# database superuser can access the database using some other method. 
+# Noninteractive access to all databases is required during automatic +# maintenance (custom daily cronjobs, replication, and similar tasks). +# +# Database administrative login by Unix domain socket +local all postgres peer + +# TYPE DATABASE USER ADDRESS METHOD + +# Unix domain socket: allow all local connections without password +local all all trust + +# IPv4 local connections: +host all all 127.0.0.1/32 md5 +host all all 127.0.0.1/32 md5 +# IPv6 local connections: +host all all ::1/128 md5 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all peer +host replication all 127.0.0.1/32 md5 +host replication all ::1/128 md5 + +# Allow incoming SSL connections without password +# protected by filtering on source ipaddr using nftables +hostssl all all 0.0.0.0/0 trust
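Review bot: `hostssl all all 0.0.0.0/0 trust` on the last line authenticates any client that reaches port 5432 over TLS as any role, including the `postgres` superuser, with no credential; the only control is the nftables allowlist, which is built from DNS lookups at deploy time and lives outside this file. Narrow the record to the databases and roles the listed hosts actually need and require a credential, e.g. `hostssl all all 0.0.0.0/0 scram-sha-256` (with `password_encryption = scram-sha-256` in postgresql.conf) or client certificates via `cert`, so a misconfigured or stale firewall rule is not a full compromise. `local all all trust` likewise lets every local Unix account become superuser over the socket, which is broader than the `peer` rule above it. The `host all all 127.0.0.1/32 md5` line is duplicated.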