fix(podman_link): always use scram-sha-256 auth for postgres

Fixes: #9

roles/podman_link/defaults/main.yml

@@ -26,3 +26,5 @@ podman_link_zammad_api_token: ""
 podman_link_postgres_zammad_postgresql_host: zammad-postgresql
 podman_link_postgres_zammad_es_host: opensearch
 podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
+# podman_link_opensearch_hub_ip:
+# podman_link_opensearch_spoke_ip:

roles/podman_link/tasks/main.yml

@@ -8,6 +8,23 @@
     mode: "0444"
   become: true
 
+- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
+  ansible.posix.firewalld:
+    rich_rule: >-
+      rule family="ipv4"
+      source address="{{ podman_link_opensearch_hub_ip }}"
+      destination address="{{ podman_link_opensearch_spoke_ip }}"
+      port protocol="tcp" port="{{ item }}" accept
+    permanent: yes
+    state: enabled
+  with_items:
+    - 9200
+    - 9300
+  when:
+    - podman_link_opensearch_hub_ip is defined
+    - podman_link_opensearch_spoke_ip is defined
+  become: true
+
 - name: Podman CDR Link | PATCH | Install podman and verify rootless podman user
   ansible.builtin.include_role:
     role: sr2c.core.podman_host
@@ -124,17 +141,32 @@
     - postgresql-data
 
 # Postgres/Redis runs with UID/GID 999 inside the container
-- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL connections require password
-  ansible.builtin.template:
+  ansible.builtin.lineinfile:
-    src: home/pg_hba.conf
+    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
-    dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
+    regexp: "^local\\s+all"
-    mode: "0400"
+    line: "local\tall\tall\tscram-sha-256"
-    owner: "{{ _podman_link_user_subuid_start + 999 }}"
+    state: present
-    group: "{{ _podman_link_user_subgid_start + 999 }}"
+    create: false
   become: true
   with_items:
-    - zammad
+    - postgresql
-    - bridge
+    - bridge-postgresql
+  notify:
+    - Restart Link
+
+# Postgres/Redis runs with UID/GID 999 inside the container
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL replication requires password
+  ansible.builtin.lineinfile:
+    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
+    regexp: "^local\\s+replication"
+    line: "local\treplication\tall\tscram-sha-256"
+    state: present
+    create: false
+  become: true
+  with_items:
+    - postgresql
+    - bridge-postgresql
   notify:
     - Restart Link
 
@@ -192,6 +224,7 @@
     bsoft: 3g
     bhard: 3g
     state: present
+  become: true
   with_items:
     - signal
     - whatsapp

roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container

@@ -2,7 +2,6 @@
 ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
-Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network
 

roles/podman_link/templates/home/config/containers/systemd/common-zammad.env

@@ -10,4 +10,5 @@ ELASTICSEARCH_USER=admin
 ELASTICSEARCH_PASS={{ podman_link_opensearch_password }}
 ELASTICSEARCH_SCHEMA=https
 ELASTICSEARCH_REINDEX=false
+NGINX_SERVER_SCHEME=https
 TZ=Etc/UTC

roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container

@@ -18,6 +18,10 @@ Environment=compatibility.override_main_response_version=true
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:9200:9200
 PublishPort=127.0.0.1:9600:9600
+{% if podman_link_opensearch_spoke_ip is defined %}
+PublishPort={{ podman_link_opensearch_spoke_ip }}:9200:9200
+PublishPort={{ podman_link_opensearch_spoke_ip }}:9300:9300
+{% endif %}
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-data:/usr/share/opensearch/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml:/usr/share/opensearch/config/opensearch-security/config.yml:rw,Z
 Network=zammad.network

roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container

@@ -7,9 +7,8 @@ Environment=POSTGRES_PASSWORD={{ podman_link_postgres_zammad_password }}
 Environment=POSTGRES_USER={{ podman_link_postgres_zammad_user }}
 Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
-Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
+Environment=POSTGRES_INITDB_ARGS=--auth=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
-Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z

roles/podman_link/templates/home/nginx.conf

@@ -61,11 +61,47 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
 
-	location / {
+  client_max_body_size 50M;
-		proxy_pass http://zammad;
+
-		proxy_set_header X-Real-IP $remote_addr;
+  # legacy web socket server
-        proxy_set_header X-Forwarded-For $remote_addr;
+  location /ws {
-        proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_http_version 1.1;
-        proxy_set_header X-Forwarded-Port 443;
+    proxy_set_header Upgrade $http_upgrade;
-	}
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $http_host;
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad;
+  }
+
+  # action cable
+  location /cable {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $http_host;
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad;
+  }
+
+  location / {
+    proxy_set_header Host $http_host;
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto  $scheme;
+
+    proxy_set_header X-Forwarded-User "";
+
+    proxy_read_timeout 180;
+    proxy_pass http://zammad;
+
+    gzip on;
+    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+    gzip_proxied any;
+  }
 }

roles/podman_link/templates/home/pg_hba.conf

@@ -1 +0,0 @@
-host all all all scram-sha-256