diff --git a/roles/podman_link/defaults/main.yml b/roles/podman_link/defaults/main.yml
index 2692592..7b64500 100644
--- a/roles/podman_link/defaults/main.yml
+++ b/roles/podman_link/defaults/main.yml
@@ -26,5 +26,3 @@ podman_link_zammad_api_token: ""
 podman_link_postgres_zammad_postgresql_host: zammad-postgresql
 podman_link_postgres_zammad_es_host: opensearch
 podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
-# podman_link_opensearch_hub_ip:
-# podman_link_opensearch_spoke_ip:
diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index f225cf2..4b42cdd 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -8,23 +8,6 @@
 mode: "0444"
 become: true
-- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
- ansible.posix.firewalld:
- rich_rule: >-
- rule family="ipv4"
- source address="{{ podman_link_opensearch_hub_ip }}"
- destination address="{{ podman_link_opensearch_spoke_ip }}"
- port protocol="tcp" port="{{ item }}" accept
- permanent: yes
- state: enabled
- with_items: - 9200 - 9300
- when: - podman_link_opensearch_hub_ip is defined - podman_link_opensearch_spoke_ip is defined
- become: true
-
 - name: Podman CDR Link | PATCH | Install podman and verify rootless podman user - ansible.builtin.include_role: - role: sr2c.core.podman_host
@@ -141,32 +124,17 @@
 - postgresql-data
 # Postgres/Redis runs with UID/GID 999 inside the container
-- name: Podman CDR Link | PATCH | Ensure local PostgreSQL connections require password
- ansible.builtin.lineinfile:
- path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
- regexp: "^local\\s+all"
- line: "local\tall\tall\tscram-sha-256"
- state: present
- create: false
+- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
+ ansible.builtin.template:
+ src: home/pg_hba.conf
+ dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
+ mode: "0400"
+ owner: "{{ _podman_link_user_subuid_start + 999 }}"
+ group: "{{ _podman_link_user_subgid_start + 999 }}"
 become: true
 with_items:
- - postgresql
- - bridge-postgresql
- notify:
- - Restart Link
-
-# Postgres/Redis runs with UID/GID 999 inside the container
-- name: Podman CDR Link | PATCH | Ensure local PostgreSQL replication requires password
- ansible.builtin.lineinfile:
- path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
- regexp: "^local\\s+replication"
- line: "local\treplication\tall\tscram-sha-256"
- state: present
- create: false
- become: true
- with_items:
- - postgresql
- - bridge-postgresql
+ - zammad
+ - bridge
 notify:
 - Restart Link
@@ -224,7 +192,6 @@
 bsoft: 3g
 bhard: 3g
 state: present
- become: true
 with_items:
 - signal
 - whatsapp
diff --git a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
index 8417cec..4677ee9 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
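Review bot: The template installed by the new task replaces the two lineinfile tasks that enforced `local all all scram-sha-256` and `local replication all scram-sha-256`, but the shipped `home/pg_hba.conf` (added at the end of this diff) contains a single `host` rule, so Unix-socket connections inside the container — including any replication or maintenance path that used them — will now be refused with "no pg_hba.conf entry" instead of being password-authenticated. That is a defensible default-deny if nothing uses the socket, but it is a behaviour change the task does not record; I'd put `# Host-only rules: Unix-socket access is intentionally refused (previously scram-sha-256 via lineinfile)` above the task, or add `local all all scram-sha-256` to the template if socket clients exist. Mode `0400` with the subuid/subgid-mapped owner is the right ownership model for a rootless bind mount; it presumes `_podman_link_user_subuid_start` and `_podman_link_user_subgid_start` are set by an earlier task, which is outside the hunk. Changing a pg_hba.conf only needs a reload, so the `Restart Link` handler is heavier than required but not wrong.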
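Review bot: Dropping `become: true` from the task that sets `bsoft`/`bhard` means it now runs as the connection user; the module name is outside the hunk, but those parameter names match `community.general.xfs_quota`, which drives `xfs_quota -x` and needs root. If the play already escalates at play level this is harmless; otherwise restore `become: true`, or add a comment on the task stating why root is not needed for the `signal`/`whatsapp` items.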
@@ -2,6 +2,7 @@
 ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network
diff --git a/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env b/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
index 975820d..6f3b378 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
+++ b/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
@@ -10,5 +10,4 @@ ELASTICSEARCH_USER=admin
 ELASTICSEARCH_PASS={{ podman_link_opensearch_password }}
 ELASTICSEARCH_SCHEMA=https
 ELASTICSEARCH_REINDEX=false
-NGINX_SERVER_SCHEME=https
 TZ=Etc/UTC
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
index 9b56e01..3f45ea1 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
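Review bot: The new `pg_hba.conf` bind mount is `rw,Z` although the file is installed `0400` and PostgreSQL only reads it; mount it read-only so a compromised database process cannot loosen its own authentication rules: `Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:ro,Z`. Mounting the file inside PGDATA also makes the data directory non-empty on a first deployment, which upstream `initdb` refuses ("directory exists but is not empty"); if this image uses the upstream entrypoint, mounting at a path outside PGDATA such as `/etc/postgresql/pg_hba.conf` and starting the server with `-c hba_file=/etc/postgresql/pg_hba.conf` avoids that — worth confirming against the image before this lands. The enclosing `[Container]` section starts outside the hunk.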
@@ -18,10 +18,6 @@ Environment=compatibility.override_main_response_version=true
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:9200:9200
 PublishPort=127.0.0.1:9600:9600
-{% if podman_link_opensearch_spoke_ip is defined %}
-PublishPort={{ podman_link_opensearch_spoke_ip }}:9200:9200
-PublishPort={{ podman_link_opensearch_spoke_ip }}:9300:9300
-{% endif %}
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-data:/usr/share/opensearch/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml:/usr/share/opensearch/config/opensearch-security/config.yml:rw,Z
 Network=zammad.network
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
index 330919b..0fa9f11 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
@@ -7,8 +7,9 @@ Environment=POSTGRES_PASSWORD={{ podman_link_postgres_zammad_password }}
 Environment=POSTGRES_USER={{ podman_link_postgres_zammad_user }}
 Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
-Environment=POSTGRES_INITDB_ARGS=--auth=scram-sha-256
+Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z
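Review bot: Changing `--auth=scram-sha-256` to `--auth-host=scram-sha-256` leaves `--auth-local` at initdb's default, which is `trust`, so the pg_hba.conf that initdb writes on first initialisation now permits password-less Unix-socket logins; the mounted `pg_hba_zammad.conf` shadows that file while the mount is in place, but the weaker on-disk rule becomes live the moment the mount is dropped or fails. Unless password-less socket access is deliberately required by the image's entrypoint, keep `Environment=POSTGRES_INITDB_ARGS=--auth=scram-sha-256` (or add `--auth-local=scram-sha-256`) so both layers agree, and if it is required, say so in a comment on that line. The added `Volume=` line mounts a configuration file PostgreSQL only reads as `rw,Z`; `ro,Z` is sufficient and keeps the database process from rewriting its own authentication rules. Note also that `POSTGRES_INITDB_ARGS` only takes effect on an empty data directory, so existing deployments keep whatever their first `initdb` produced. The enclosing `[Container]` section starts outside the hunk.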
diff --git a/roles/podman_link/templates/home/nginx.conf b/roles/podman_link/templates/home/nginx.conf
index 4ef8c70..4f32515 100644
--- a/roles/podman_link/templates/home/nginx.conf
+++ b/roles/podman_link/templates/home/nginx.conf
@@ -61,47 +61,11 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
- client_max_body_size 50M;
-
- # legacy web socket server
- location /ws {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
- proxy_set_header CLIENT_IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 86400;
- proxy_pass http://zammad;
- }
-
- # action cable
- location /cable {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
- proxy_set_header CLIENT_IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 86400;
- proxy_pass http://zammad;
- }
-
- location / {
- proxy_set_header Host $http_host;
- proxy_set_header CLIENT_IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_set_header X-Forwarded-User "";
-
- proxy_read_timeout 180;
- proxy_pass http://zammad;
-
- gzip on;
- gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
- gzip_proxied any;
- }
+ location / {
+ proxy_pass http://zammad;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port 443;
+ }
 }
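Review bot: The rewritten `location /` no longer clears `X-Forwarded-User`, which the removed block did with `proxy_set_header X-Forwarded-User "";`; nginx passes unrecognised client request headers through unchanged, so a client can now send its own `X-Forwarded-User` to Zammad, and if Zammad's proxy-header SSO is (or is later) enabled that is a header-spoofing login as any user. Restore `proxy_set_header X-Forwarded-User "";` in the new block and keep it regardless of whether SSO is in use today. Two smaller points: the `/ws` and `/cable` locations with `proxy_http_version 1.1` and the `Upgrade`/`Connection` headers are gone and the new block sets neither, so WebSocket upgrades will not be proxied unless that is handled somewhere outside this file; and `X-Forwarded-Port 443` is hard-coded where `$server_port` would follow the listener. Replacing `$proxy_add_x_forwarded_for` with `$remote_addr` is an improvement, since client-supplied `X-Forwarded-For` is no longer trusted. The `server {` block starts outside the hunk.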
diff --git a/roles/podman_link/templates/home/pg_hba.conf b/roles/podman_link/templates/home/pg_hba.conf
new file mode 100644
index 0000000..3a48315
--- /dev/null
+++ b/roles/podman_link/templates/home/pg_hba.conf
@@ -0,0 +1 @@
+host all all all scram-sha-256
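Review bot: The new file has no comment saying that it is bind-mounted over the initdb-generated `pg_hba.conf` and that `local` (Unix-socket) rules are deliberately absent, so whoever next sees socket connections refused will not know it is intentional; I'd add `# Mounted over the initdb-generated pg_hba.conf by the *-postgresql.container units. TCP (host) connections only; Unix-socket access is intentionally refused.` as a header. The address field `all` matches every IPv4 and IPv6 source, which is safe only because the hunks here show no `PublishPort=` for the PostgreSQL containers; if `link.network` and `zammad.network` have fixed subnets, naming those CIDRs (or using `hostssl`) would stop the rule depending on that. Being a static file with no Jinja, it could be deployed with `copy` rather than `template`, though that is cosmetic.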