kotovalexarian
/
fedihub-ansible
Archived
1
0
Fork 0
Code
This repository has been archived on 2023-03-28. You can view files and clone it, but cannot push or open issues or pull requests.
fedihub-ansible/host_vars/postgres.fedihub.com.yml

208 lines
8.1 KiB
YAML
Raw Permalink Blame History

---
ansible_become_pass_for:
kotovalexarian: !vault |
$ANSIBLE_VAULT;1.2;AES256;kotovalexarian
61623634613531666632363233346539303131313038666132643464313263356162616661336339
6437356339396139346435636462613163396332313135620a383962643839393764616130663264
39363331653837376434613266623331333563343264383365336234666230633334313338623938
3562303035333732360a393931353339653539323732316137363532316234306461393265633763
64343336303765646239386265306435323230303764376439346530646138323137333461383766
3534613339653530643635316531356166313735623339613937
xuhcc: !vault |
$ANSIBLE_VAULT;1.2;AES256;xuhcc
33343933353961653437653139333435306663383434646339353763303530353731383438653337
3531393762396135366332396632653036346333623133650a306162326438333931303862383330
39626564333130623731343339663764643632323566393734346565353934656561386462326434
6538303365386631640a366330333135313464333962313638643465613836643037323833626131
39623562376439376665636537396339613462356131343763323437623334323463
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
common__certbot__cert_name: 'postgres.fedihub.com'
common__certbot__cert_domains:
- 'postgres.fedihub.com'
postgresql_users:
- name: fedihub_website_production
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;postgres
39316237386233313937336432323439613263363363326530653464666237353235613530633932
6537356137393131353564333232646132343736323733620a333966306563376436326335396333
30353538633238383463643862653230313932633162616436306365316134313061306564306531
3633343834336333650a663062393934663663646561616162386161336364326430346239396361
36393735656637636165646261643166383464656231393361656634636565643434353163353738
6134383131623635343166343165633164363766336334386365
- name: matrix_synapse
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;postgres
65363838636633623362663839303333346337646138333862373831343162343161356435336565
3032626439376630656338373464376463663935366134660a316136373261303331633836633937
30646533386163313136656138633437386366616234383265366261346636396130626333333235
3264356332336461320a323065616231663165613737646566336434663862306333393465366261
33373533393361356664343337353861313334623136353138643834336236306662383032316432
3336623036373964313036633434626239396139336666393361
- name: matrix_media_repo
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;postgres
39386236643763333734653936616466376334636166646133653335626365373039356262376161
3439353138643533613166333562663134666539653431340a636231353663633033363034643232
63393063346332353765343961383730633266613532656234336266623538376332636361353932
6634626266333033330a626536333161663239353831306466323038373961663132306334386437
64376231643964363935633531643938616430396664393237613361626465373536643339656566
6233663734316163386434343332346364363362653934363162
postgresql_databases:
- name: fedihub_website_production
owner: fedihub_website_production
lc_collate: C
lc_ctype: C
- name: matrix_synapse
owner: matrix_synapse
lc_collate: C
lc_ctype: C
- name: matrix_media_repo
owner: matrix_media_repo
lc_collate: C
lc_ctype: C
postgresql_hba_entries:
- type: local
database: all
user: all
auth_method: peer
- type: host
database: all
user: all
address: '127.0.0.1/32'
auth_method: md5
- type: host
database: all
user: all
address: '::1/128'
auth_method: md5
- type: host # TODO: replace with "hostssl"
database: fedihub_website_production
user: fedihub_website_production
address: '167.71.69.105/32'
auth_method: md5
- type: host # TODO: replace with "hostssl"
database: fedihub_website_production
user: fedihub_website_production
address: '2a03:b0c0:2:f0::191:6001/128'
auth_method: md5
- type: host # TODO: replace with "hostssl"
database: fedihub_website_production
user: fedihub_website_production
address: '10.110.0.3/32'
auth_method: md5
- type: hostssl
database: matrix_synapse
user: matrix_synapse
address: '188.166.85.61/32'
auth_method: md5
- type: hostssl
database: matrix_synapse
user: matrix_synapse
address: '2a03:b0c0:2:d0::ca1:e001/128'
auth_method: md5
- type: hostssl
database: matrix_synapse
user: matrix_synapse
address: '10.110.0.4/32'
auth_method: md5
- type: hostssl
database: matrix_media_repo
user: matrix_media_repo
address: '167.172.46.255/32'
auth_method: md5
- type: hostssl
database: matrix_media_repo
user: matrix_media_repo
address: '2a03:b0c0:2:f0::187:5001/128'
auth_method: md5
- type: hostssl
database: matrix_media_repo
user: matrix_media_repo
address: '10.110.0.5/32'
auth_method: md5
- type: host
database: all
user: all
address: '0.0.0.0/0'
auth_method: reject
- type: host
database: all
user: all
address: '::/0'
auth_method: reject
common__iptables__v4_filter: |
# Allow incoming HTTP for Certbot to work.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP.
-A INPUT -p tcp --dport 80 -j REJECT
-A OUTPUT -p tcp --dport 80 -j REJECT
# Allow incoming PostgreSQL from specific hosts.
# website.fedihub.com (public)
-A INPUT -p tcp --dport 5432 -s 167.71.69.105/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 167.71.69.105/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# website.fedihub.com (private)
-A INPUT -p tcp --dport 5432 -s 10.110.0.3/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 10.110.0.3/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# matrix.fedihub.com (public)
-A INPUT -p tcp --dport 5432 -s 188.166.85.61/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 188.166.85.61/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# matrix.fedihub.com (private)
-A INPUT -p tcp --dport 5432 -s 10.110.0.4/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# matrix-media-repo.fedihub.com (public)
-A INPUT -p tcp --dport 5432 -s 167.172.46.255/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 167.172.46.255/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# matrix-media-repo.fedihub.com (private)
-A INPUT -p tcp --dport 5432 -s 10.110.0.5/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 10.110.0.5/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other PostgreSQL.
-A INPUT -p tcp --dport 5432 -j REJECT
-A OUTPUT -p tcp --sport 5432 -j REJECT
common__iptables__v6_filter: |
# Allow incoming HTTP for Certbot to work.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP.
-A INPUT -p tcp --dport 80 -j REJECT
-A OUTPUT -p tcp --dport 80 -j REJECT
# Allow incoming PostgreSQL from specific hosts.
# website.fedihub.com
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::191:6001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::191:6001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# matrix.fedihub.com
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# matrix-media-repo.fedihub.com
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other PostgreSQL.
-A INPUT -p tcp --dport 5432 -j REJECT
-A OUTPUT -p tcp --sport 5432 -j REJECT
View Git Blame Copy Permalink