diff --git a/automation/roles/patroni/tasks/main.yml b/automation/roles/patroni/tasks/main.yml index 2d5d6f49c..9af700375 100644 --- a/automation/roles/patroni/tasks/main.yml +++ b/automation/roles/patroni/tasks/main.yml @@ -418,7 +418,7 @@ when: postgresql_wal_dir is defined and postgresql_wal_dir | length > 0 tags: patroni, custom_wal_dir -- block: # wheh postgresql NOT exists or PITR +- block: # when postgresql NOT exists or PITR - name: Prepare PostgreSQL | make sure PostgreSQL data directory "{{ postgresql_data_dir }}" exists ansible.builtin.file: path: "{{ postgresql_data_dir }}" @@ -427,6 +427,22 @@ state: directory mode: "0700" + # Generating TLS Certificates + - name: Generating TLS Certificates to /var/lib/pgsql/{{ postgresql_version }} + become: true + become_user: postgres + shell: + cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL' + chdir: "/var/lib/pgsql/{{ postgresql_version }}/" + + - name: Changing permissions for /var/lib/pgsql/{{ postgresql_version }}/server.key + file: + path: "/var/lib/pgsql/{{ postgresql_version }}/server.key" + state: file + owner: postgres + group: postgres + mode: "0400" + # for Debian based distros only # patroni bootstrap failure is possible if the PostgreSQL config files are missing - name: Prepare PostgreSQL | make sure PostgreSQL config directory exists diff --git a/automation/roles/pgbouncer/tasks/main.yml b/automation/roles/pgbouncer/tasks/main.yml index cd2fb08fe..63fe0b51e 100644 --- a/automation/roles/pgbouncer/tasks/main.yml +++ b/automation/roles/pgbouncer/tasks/main.yml @@ -124,6 +124,22 @@ label: "{{ 'pgbouncer' if idx == 0 else 'pgbouncer-%d' % (idx + 1) }}" tags: pgbouncer_logrotate, pgbouncer +# Generating TLS Certificates +- name: Generating TLS Certificates to {{ pgbouncer_conf_dir }} + become: true + become_user: postgres + shell: + cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL' + chdir: "{{ pgbouncer_conf_dir }}/" + +- name: Changing permissions for {{ pgbouncer_conf_dir }}/server.key + file: + path: "{{ pgbouncer_conf_dir }}/server.key" + state: file + owner: postgres + group: postgres + mode: 0400 + - name: Configure pgbouncer.ini ansible.builtin.template: src: templates/pgbouncer.ini.j2 diff --git a/automation/roles/pgbouncer/templates/pgbouncer.ini.j2 b/automation/roles/pgbouncer/templates/pgbouncer.ini.j2 index 8926d97bb..f2b6bd56d 100644 --- a/automation/roles/pgbouncer/templates/pgbouncer.ini.j2 +++ b/automation/roles/pgbouncer/templates/pgbouncer.ini.j2 @@ -42,6 +42,11 @@ client_tls_cert_file = {{ pgbouncer_client_tls_cert_file }} client_tls_ca_file = {{ pgbouncer_client_tls_ca_file }} client_tls_protocols = {{ pgbouncer_client_tls_protocols }} client_tls_ciphers = {{ pgbouncer_client_tls_ciphers }} +server_tls_sslmode = {{ pgbouncer_server_tls_sslmode }} +server_tls_protocols = {{ pgbouncer_server_tls_protocols }} +server_tls_ciphers = {{ pgbouncer_server_tls_ciphers }} +server_tls_cert_file = {{ pgbouncer_server_tls_cert_file }} +server_tls_key_file = {{ pgbouncer_server_tls_key_file }} {% endif %} log_connections = 0 log_disconnections = 0 diff --git a/automation/vars/main.yml b/automation/vars/main.yml index bf7e55cc2..a8d973c66 100644 --- a/automation/vars/main.yml +++ b/automation/vars/main.yml @@ -235,6 +235,10 @@ postgresql_parameters: - { option: "max_connections", value: "1000" } - { option: "superuser_reserved_connections", value: "5" } - { option: "password_encryption", value: "{{ postgresql_password_encryption_algorithm }}" } + - { option: "ssl", value: "on"} + - { option: "ssl_cert_file", value: "/var/lib/pgsql/{{ postgresql_version }}/server.crt"} + - { option: "ssl_key_file", value: "/var/lib/pgsql/{{ postgresql_version }}/server.key"} + - { option: "ssl_min_protocol_version", value: "TLSv1.2"} - { option: "max_locks_per_transaction", value: "512" } - { option: "max_prepared_transactions", value: "0" } - { option: "huge_pages", value: "try" } # "vm.nr_hugepages" is auto-configured for shared_buffers >= 8GB (if huge_pages_auto_conf is true) @@ -305,8 +309,8 @@ postgresql_parameters: - { option: "wal_receiver_status_interval", value: "10s" } - { option: "idle_in_transaction_session_timeout", value: "10min" } # reduce this timeout if possible - { option: "jit", value: "off" } - - { option: "max_worker_processes", value: "24" } - - { option: "max_parallel_workers", value: "8" } + - { option: "max_worker_processes", value: "{{ ansible_processor_nproc | int }}" } + - { option: "max_parallel_workers", value: "{{ ansible_processor_nproc | int }}" } - { option: "max_parallel_workers_per_gather", value: "2" } - { option: "max_parallel_maintenance_workers", value: "2" } - { option: "tcp_keepalives_count", value: "10" } @@ -366,12 +370,17 @@ pgbouncer_auth_user: true # or 'false' if you want to manage the list of users f pgbouncer_auth_username: pgbouncer # user who can query the database via the user_search function pgbouncer_auth_password: "" # If not defined, a password will be generated automatically during deployment pgbouncer_auth_dbname: "postgres" -pgbouncer_client_tls_sslmode: "disable" -pgbouncer_client_tls_key_file: "" -pgbouncer_client_tls_cert_file: "" +pgbouncer_client_tls_sslmode: "require" +pgbouncer_client_tls_key_file: "{{ pgbouncer_conf_dir }}/server.key" +pgbouncer_client_tls_cert_file: "{{ pgbouncer_conf_dir }}/server.crt" pgbouncer_client_tls_ca_file: "" pgbouncer_client_tls_protocols: "secure" # allowed values: tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all, secure (tlsv1.2,tlsv1.3) -pgbouncer_client_tls_ciphers: "default" # allowed values: default, secure, fast, normal, all (not recommended) +pgbouncer_client_tls_ciphers: "secure" # allowed values: default, secure, fast, normal, all (not recommended) +pgbouncer_server_tls_sslmode: "require" +pgbouncer_server_tls_protocols: "secure" +pgbouncer_server_tls_ciphers: "secure" +pgbouncer_server_tls_cert_file: "{{ pgbouncer_conf_dir }}/server.crt" +pgbouncer_server_tls_key_file: "{{ pgbouncer_conf_dir }}/server.key" pgbouncer_pools: - { name: "postgres", dbname: "postgres", pool_parameters: "" }