From 0faf0e1929862681c39a500930222c396b2ac897 Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Mon, 13 Jul 2020 17:37:13 +0500
Subject: [PATCH] Turn group-specific iptables rules into host-specific
---
 group_vars/postgres.yml | 20 -------------------
 host_vars/postgres.crypto-libertarian.com.yml | 20 +++++++++++++++++++
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/group_vars/postgres.yml b/group_vars/postgres.yml
index fff8d77..47db3bf 100644
--- a/group_vars/postgres.yml
+++ b/group_vars/postgres.yml
@@ -1,26 +1,6 @@
 ---
 common__iptables__drop_by_default: true
-common__iptables__v4_filter: | - # Allow incoming PostgreSQL from specific hosts. -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT - # Deny other PostgreSQL. -A INPUT -p tcp --dport 5432 -j REJECT -A OUTPUT -p tcp --sport 5432 -j REJECT -common__iptables__v6_filter: | - # Allow incoming PostgreSQL from specific hosts. -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT - # Deny other PostgreSQL. -A INPUT -p tcp --dport 5432 -j REJECT -A OUTPUT -p tcp --sport 5432 -j REJECT - postgresql_backups_dir: '/var/lib/postgresql/backups/12/main' postgresql_global_config_options:
diff --git a/host_vars/postgres.crypto-libertarian.com.yml b/host_vars/postgres.crypto-libertarian.com.yml
index c8aeaf9..ebd0fc7 100644
--- a/host_vars/postgres.crypto-libertarian.com.yml
+++ b/host_vars/postgres.crypto-libertarian.com.yml
@@ -88,3 +88,23 @@ postgresql_hba_entries:
 user: all
 address: '::/0'
 auth_method: reject
+
+common__iptables__v4_filter: |
+ # Allow incoming PostgreSQL from specific hosts.
+ -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+ # Deny other PostgreSQL.
+ -A INPUT -p tcp --dport 5432 -j REJECT
+ -A OUTPUT -p tcp --sport 5432 -j REJECT
+
+common__iptables__v6_filter: |
+ # Allow incoming PostgreSQL from specific hosts.
+ -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+ # Deny other PostgreSQL.
+ -A INPUT -p tcp --dport 5432 -j REJECT
+ -A OUTPUT -p tcp --sport 5432 -j REJECT
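Review bot: The client allowlist (134.209.196.172, 10.133.8.214 and 2a03:b0c0:2:f0::142:3001) is hard-coded a second time in the two iptables block scalars, while the `postgresql_hba_entries` list in the same file (only its final `reject` entry is inside this hunk) presumably carries the same addresses as host rules, so the two allowlists can silently drift — a client opened in iptables but rejected by pg_hba, or a client accepted by pg_hba with no packet filter rule. Deriving both from one per-family list variable keeps them in lock-step; assuming the common role renders these variables through Ansible's templating (it templates variable values lazily), a Jinja loop inside the block scalar does that for the iptables side, sketched below for IPv4 (the v6 scalar is the same with `/128`). Since 134.209.196.172 is a public address, that client's sessions cross the public network, so it is worth confirming the matching hba entries are `hostssl` rather than `host` (not visible here). Minor: `-j REJECT` defaults to `icmp-port-unreachable`; for a TCP port `-j REJECT --reject-with tcp-reset` is the conventional choice and is what clients expect from a closed port.
```yaml
# Single source of truth for the IPv4 PostgreSQL client allowlist;
# the host entries in postgresql_hba_entries should be generated from it too.
postgres__client_hosts_v4:
  - '134.209.196.172'
  - '10.133.8.214'

common__iptables__v4_filter: |
  # Allow incoming PostgreSQL only from the allowlisted client hosts.
  {% for host in postgres__client_hosts_v4 %}
  -A INPUT -p tcp --dport 5432 -s {{ host }}/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d {{ host }}/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  {% endfor %}

  # Deny other PostgreSQL; answer with a TCP reset instead of ICMP unreachable.
  -A INPUT -p tcp --dport 5432 -j REJECT --reject-with tcp-reset
  -A OUTPUT -p tcp --sport 5432 -j REJECT --reject-with tcp-reset

# … unchanged: common__iptables__v6_filter, same pattern over a v6 list with /128 …
```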