roles/podman_link/defaults/main.yml

@@ -26,5 +26,3 @@ podman_link_zammad_api_token: ""
 podman_link_postgres_zammad_postgresql_host: zammad-postgresql
 podman_link_postgres_zammad_es_host: opensearch
 podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
-# podman_link_opensearch_hub_ip:
-# podman_link_opensearch_spoke_ip:

roles/podman_link/tasks/main.yml

@@ -8,23 +8,6 @@
     mode: "0444"
   become: true
 
-- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
-  ansible.posix.firewalld:
-    rich_rule: >-
-      rule family="ipv4"
-      source address="{{ podman_link_opensearch_hub_ip }}"
-      destination address="{{ podman_link_opensearch_spoke_ip }}"
-      port protocol="tcp" port="{{ item }}" accept
-    permanent: yes
-    state: enabled
-  with_items:
-    - 9200
-    - 9300
-  when:
-    - podman_link_opensearch_hub_ip is defined
-    - podman_link_opensearch_spoke_ip is defined
-  become: true
-
 - name: Podman CDR Link | PATCH | Install podman and verify rootless podman user
   ansible.builtin.include_role:
     role: sr2c.core.podman_host
@@ -141,32 +124,17 @@
     - postgresql-data
 
 # Postgres/Redis runs with UID/GID 999 inside the container
-- name: Podman CDR Link | PATCH | Ensure local PostgreSQL connections require password
+- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
-  ansible.builtin.lineinfile:
+  ansible.builtin.template:
-    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
+    src: home/pg_hba.conf
-    regexp: "^local\\s+all"
+    dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
-    line: "local\tall\tall\tscram-sha-256"
+    mode: "0400"
-    state: present
+    owner: "{{ _podman_link_user_subuid_start + 999 }}"
-    create: false
+    group: "{{ _podman_link_user_subgid_start + 999 }}"
   become: true
   with_items:
-    - postgresql
+    - zammad
-    - bridge-postgresql
+    - bridge
-  notify:
-    - Restart Link
-
-# Postgres/Redis runs with UID/GID 999 inside the container
-- name: Podman CDR Link | PATCH | Ensure local PostgreSQL replication requires password
-  ansible.builtin.lineinfile:
-    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
-    regexp: "^local\\s+replication"
-    line: "local\treplication\tall\tscram-sha-256"
-    state: present
-    create: false
-  become: true
-  with_items:
-    - postgresql
-    - bridge-postgresql
   notify:
     - Restart Link
 
@@ -224,7 +192,6 @@
     bsoft: 3g
     bhard: 3g
     state: present
-  become: true
   with_items:
     - signal
     - whatsapp

roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container

@@ -2,6 +2,7 @@
 ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network
 

roles/podman_link/templates/home/config/containers/systemd/common-zammad.env

@@ -10,5 +10,4 @@ ELASTICSEARCH_USER=admin
 ELASTICSEARCH_PASS={{ podman_link_opensearch_password }}
 ELASTICSEARCH_SCHEMA=https
 ELASTICSEARCH_REINDEX=false
-NGINX_SERVER_SCHEME=https
 TZ=Etc/UTC

roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container

@@ -18,10 +18,6 @@ Environment=compatibility.override_main_response_version=true
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:9200:9200
 PublishPort=127.0.0.1:9600:9600
-{% if podman_link_opensearch_spoke_ip is defined %}
-PublishPort={{ podman_link_opensearch_spoke_ip }}:9200:9200
-PublishPort={{ podman_link_opensearch_spoke_ip }}:9300:9300
-{% endif %}
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-data:/usr/share/opensearch/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml:/usr/share/opensearch/config/opensearch-security/config.yml:rw,Z
 Network=zammad.network

roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container

@@ -7,8 +7,9 @@ Environment=POSTGRES_PASSWORD={{ podman_link_postgres_zammad_password }}
 Environment=POSTGRES_USER={{ podman_link_postgres_zammad_user }}
 Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
-Environment=POSTGRES_INITDB_ARGS=--auth=scram-sha-256
+Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z

roles/podman_link/templates/home/nginx.conf

@@ -61,47 +61,11 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
 
-  client_max_body_size 50M;
+	location / {
-
+		proxy_pass http://zammad;
-  # legacy web socket server
+		proxy_set_header X-Real-IP $remote_addr;
-  location /ws {
+        proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Forwarded-Port 443;
-    proxy_set_header Connection "Upgrade";
+	}
-    proxy_set_header Host $http_host;
-    proxy_set_header CLIENT_IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_read_timeout 86400;
-    proxy_pass http://zammad;
-  }
-
-  # action cable
-  location /cable {
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "Upgrade";
-    proxy_set_header Host $http_host;
-    proxy_set_header CLIENT_IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_read_timeout 86400;
-    proxy_pass http://zammad;
-  }
-
-  location / {
-    proxy_set_header Host $http_host;
-    proxy_set_header CLIENT_IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto  $scheme;
-
-    proxy_set_header X-Forwarded-User "";
-
-    proxy_read_timeout 180;
-    proxy_pass http://zammad;
-
-    gzip on;
-    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
-    gzip_proxied any;
-  }
 }

roles/podman_link/templates/home/pg_hba.conf

@@ -0,0 +1 @@
+host all all all scram-sha-256