fedihub-ansible/host_vars/postgres.crypto-libertarian.com.yml


---
# Per-admin privilege-escalation (become) passwords, stored as inline Ansible
# Vault values. Each blob's header carries its own vault ID label
# (kotovalexarian, xuhcc), so the two entries are encrypted under different
# vault identities.
# NOTE(review): presumably each admin holds only their own vault secret -
# confirm against how the playbooks are invoked.
# NOTE(review): the ciphertext lives in the repository, so its confidentiality
# rests on the strength of the vault passwords. Rotate the become passwords
# if a vault secret is ever exposed.
ansible_become_pass_for:
  kotovalexarian: !vault |
    $ANSIBLE_VAULT;1.2;AES256;kotovalexarian
    61623634613531666632363233346539303131313038666132643464313263356162616661336339
    6437356339396139346435636462613163396332313135620a383962643839393764616130663264
    39363331653837376434613266623331333563343264383365336234666230633334313338623938
    3562303035333732360a393931353339653539323732316137363532316234306461393265633763
    64343336303765646239386265306435323230303764376439346530646138323137333461383766
    3534613339653530643635316531356166313735623339613937
  xuhcc: !vault |
    $ANSIBLE_VAULT;1.2;AES256;xuhcc
    33343933353961653437653139333435306663383434646339353763303530353731383438653337
    3531393762396135366332396632653036346333623133650a306162326438333931303862383330
    39626564333130623731343339663764643632323566393734346565353934656561386462326434
    6538303365386631640a366330333135313464333962313638643465613836643037323833626131
    39623562376439376665636537396339613462356131343763323437623334323463
# Pick the become password of whoever runs the play. `admin` is not defined in
# this file, so it has to be supplied elsewhere (inventory, group vars or
# extra vars).
# NOTE(review): an `admin` value with no entry in the mapping above leaves
# this template unresolvable - confirm the caller validates it.
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
# Certificate name and domain list for the variables prefixed
# common__certbot__; both name this host only.
# NOTE(review): presumably this is the certificate PostgreSQL presents to the
# `hostssl` clients configured in postgresql_hba_entries - confirm in the role.
common__certbot__cert_name: 'postgres.crypto-libertarian.com'
common__certbot__cert_domains:
  - 'postgres.crypto-libertarian.com'
# Database roles, one per application. Each password is an inline Ansible
# Vault value; both blobs carry the vault ID label `postgres`, so one vault
# secret decrypts both.
# NOTE(review): rotating a password means re-encrypting its blob here and
# updating the matching client configuration, which is not visible in this
# file.
postgresql_users:
  - name: matrix_synapse
    password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;postgres
      65363838636633623362663839303333346337646138333862373831343162343161356435336565
      3032626439376630656338373464376463663935366134660a316136373261303331633836633937
      30646533386163313136656138633437386366616234383265366261346636396130626333333235
      3264356332336461320a323065616231663165613737646566336434663862306333393465366261
      33373533393361356664343337353861313334623136353138643834336236306662383032316432
      3336623036373964313036633434626239396139336666393361
  - name: matrix_media_repo
    password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;postgres
      39386236643763333734653936616466376334636166646133653335626365373039356262376161
      3439353138643533613166333562663134666539653431340a636231353663633033363034643232
      63393063346332353765343961383730633266613532656234336266623538376332636361353932
      6634626266333033330a626536333161663239353831306466323038373961663132306334386437
      64376231643964363935633531643938616430396664393237613361626465373536643339656566
      6233663734316163386434343332346364363362653934363162
# One database per application, each owned by the role of the same name from
# postgresql_users, so neither role owns the other's database.
# Both are created with the C locale for collation and character
# classification.
# NOTE(review): presumably the C locale is a requirement of the Matrix
# services using these databases - confirm against their documentation.
postgresql_databases:
  - name: matrix_synapse
    owner: matrix_synapse
    lc_collate: C
    lc_ctype: C
  - name: matrix_media_repo
    owner: matrix_media_repo
    lc_collate: C
    lc_ctype: C
# Client authentication rules rendered into pg_hba.conf. PostgreSQL uses the
# first record that matches a connection, so the order of this list is part
# of the policy: the catch-all `reject` records must stay last.
# NOTE(review): every password rule uses `md5`. `scram-sha-256` is the
# stronger method, but switching needs the role passwords stored as SCRAM
# verifiers (server setting `password_encryption`) and client support, so
# treat it as a migration rather than a one-word change here.
postgresql_hba_entries:
  # Unix-socket connections: authenticate by operating-system user name.
  - type: local
    database: all
    user: all
    auth_method: peer
  # Loopback TCP (IPv4 and IPv6): any role, any database, password required.
  - type: host
    database: all
    user: all
    address: '127.0.0.1/32'
    auth_method: md5
  - type: host
    database: all
    user: all
    address: '::1/128'
    auth_method: md5
  # Remote access for matrix_synapse: TLS only (`hostssl`), limited to its own
  # database and to three single-host addresses. The same addresses are the
  # allow-list in common__iptables__v4_filter / common__iptables__v6_filter;
  # change them together.
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
    address: '134.209.196.172/32'
    auth_method: md5
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
    address: '2a03:b0c0:2:f0::142:3001/128'
    auth_method: md5
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
    address: '10.133.8.214/32'
    auth_method: md5
  # Remote access for matrix_media_repo: same three addresses, own database
  # only.
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
    address: '134.209.196.172/32'
    auth_method: md5
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
    address: '2a03:b0c0:2:f0::142:3001/128'
    auth_method: md5
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
    address: '10.133.8.214/32'
    auth_method: md5
  # Explicit default deny for all remaining TCP connections. `host` matches
  # both TLS and non-TLS attempts, so a non-TLS connection from an allowed
  # address skips the `hostssl` records above and is rejected here.
  - type: host
    database: all
    user: all
    address: '0.0.0.0/0'
    auth_method: reject
  - type: host
    database: all
    user: all
    address: '::/0'
    auth_method: reject
# IPv4 filter rules, kept as one literal block; the `#` lines inside the block
# are part of the value, not YAML comments. Rules are appended in order, so
# each ACCEPT must precede the REJECT for the same port.
# Port 80 accepts new connections from any source; port 5432 only from the two
# IPv4 addresses that also appear in postgresql_hba_entries - change the two
# lists together.
# NOTE(review): the HTTP deny on OUTPUT matches `--dport 80` (outbound HTTP
# from this host), while the PostgreSQL deny on OUTPUT matches `--sport 5432`
# (replies from the local service). Confirm the asymmetry is intended.
# NOTE(review): chain default policies and rules for other ports are not
# visible here - check the role that consumes this variable.
common__iptables__v4_filter: |
  # Allow incoming HTTP for Certbot to work.
  -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other HTTP.
  -A INPUT -p tcp --dport 80 -j REJECT
  -A OUTPUT -p tcp --dport 80 -j REJECT
  # Allow incoming PostgreSQL from specific hosts.
  -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other PostgreSQL.
  -A INPUT -p tcp --dport 5432 -j REJECT
  -A OUTPUT -p tcp --sport 5432 -j REJECT
# IPv6 filter rules, kept as one literal block; the `#` lines inside the block
# are part of the value, not YAML comments. Rules are appended in order, so
# each ACCEPT must precede the REJECT for the same port.
# Port 80 accepts new connections from any source; port 5432 only from the
# single IPv6 address that also appears in postgresql_hba_entries - change
# both places together.
# NOTE(review): as in the IPv4 rules, the HTTP deny on OUTPUT matches
# `--dport 80` while the PostgreSQL deny on OUTPUT matches `--sport 5432`.
# Confirm the asymmetry is intended.
# NOTE(review): chain default policies and rules for other ports are not
# visible here - check the role that consumes this variable.
common__iptables__v6_filter: |
  # Allow incoming HTTP for Certbot to work.
  -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other HTTP.
  -A INPUT -p tcp --dport 80 -j REJECT
  -A OUTPUT -p tcp --dport 80 -j REJECT
  # Allow incoming PostgreSQL from specific hosts.
  -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other PostgreSQL.
  -A INPUT -p tcp --dport 5432 -j REJECT
  -A OUTPUT -p tcp --sport 5432 -j REJECT