Merge branch 'unstable' into stable

CHANGELOG.md

@@ -21,6 +21,18 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [23.03.1] 2023-03-16
+
+### Added
+
+* pgbouncer: new role
+
+### Changed
+
+* apt: deb822 migration python script is looked relative to shell script
+* listupgrade: remove old typo version of the cron task
+* minifirewall: support protocols in numeric form
+
 ## [23.03] 2023-03-16
 
 ### Added

apt/files/deb822-migration.sh

@@ -3,7 +3,7 @@
 deb822_migrate_script=$(command -v deb822-migration.py)
 
 if [ -z "${deb822_migrate_script}" ]; then
-    deb822_migrate_script="./deb822-migration.py"
+    deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
 fi
 if [ ! -x "${deb822_migrate_script}" ]; then
     >&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"

listupgrade/tasks/main.yml

@@ -58,6 +58,12 @@
     month: "{{ listupgrade_cron_month }}"
     state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
 
+- name: Remove old lisupgrade typo
+  cron:
+    name: "lisupgrade.sh"
+    cron_file: "listupgrade"
+    state: absent
+
 - name: old-kernel-autoremoval script is present
   copy:
     src: old-kernel-autoremoval.sh

minifirewall/files/check_minifirewall

@@ -39,7 +39,7 @@ is_minifirewall_started() {
     if test -x /usr/share/scripts/minifirewall_status; then
       /usr/share/scripts/minifirewall_status > /dev/null
     else
-      /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+      /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
     fi
   fi
 }

minifirewall/files/minifirewall_status

@@ -2,7 +2,7 @@
 
 is_started() {
   /sbin/iptables -L -n \
-    | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+    | grep --quiet --extended-regexp "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
 }
 return_started() {
   echo "started"

pgbouncer/README.md

@@ -0,0 +1,38 @@
+# PgBouncer
+
+Installation and basic configuration of PgBouncer.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Main variables are :
+
+* `pgbouncer_listen_addr`: the listen IP for PgBouncer (default: `127.0.0.1`),
+* `pgbouncer_listen_port`: the listen post for PgBouncer (default: `6432`),
+* `pgbouncer_databases`: the databases that clients of PgBouncer can connect to,
+* `pgbouncer_account_list`: the accounts that clients of PgBouncer can connect to.
+
+The variable `pgbouncer_databases` must have the `name`, `host` and `port` attributes. The variable can be defined like this:
+
+```
+pgbouncer_databases:
+  - { name: "db1", host: "192.168.3.14", port: "5432" }
+  - { name: "*", host: "192.168.2.71", port: "5432" }
+```
+
+The variable `pgbouncer_account_list` must have the `name` and `hash` attributes. The variable can be defined like this:
+
+```
+pgbouncer_account_list:
+  - { name: "account1", hash: "<hash>" }
+  - { name: "account2", hash: "<hash>" }
+```
+
+The value of `hash` can be obtained by running this command on the PostgreSQL server: `select passwd from pg_shadow where usename='account1';`
+
+> These accounts must exist on the PostegreSQL server.
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.

pgbouncer/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+pgbouncer_listen_addr: "127.0.0.1"
+pgbouncer_listen_port: "6432"
+
+pgbouncer_databases: []
+
+pgbouncer_account_list: []

pgbouncer/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: PgBouncer is installed
+  apt:
+    name: pgbouncer
+    state: present
+- name: Limit for PgBouncer is set
+  lineinfile:
+    path: /etc/default/pgbouncer
+    line: ulimit -n 65536
+- name: Add config file for PgBouncer
+  template:
+    src: pgbouncer.ini.j2
+    dest: /etc/pgbouncer/pgbouncer.ini
+- name: Populate userlist.txt
+  template:
+    src: userlist.txt.j2
+    dest: /etc/pgbouncer/userlist.txt

pgbouncer/templates/pgbouncer.ini.j2

@@ -0,0 +1,29 @@
+[databases]
+{% for db in pgbouncer_databases %}
+{{ db.name }} = host={{ db.host }} port={{ db.port }}
+{% endfor %}
+
+[pgbouncer]
+logfile = /var/log/postgresql/pgbouncer.log
+pidfile = /var/run/postgresql/pgbouncer.pid
+
+listen_addr = {{ pgbouncer_listen_addr }}
+listen_port = {{ pgbouncer_listen_port }}
+unix_socket_dir =
+
+auth_type = scram-sha-256
+auth_file = /etc/pgbouncer/userlist.txt
+
+# La connexion au serveur redevient libre lorsque le client termine une transaction
+# Autres valeurs possibles : session (lorsque le client ferme la session), statement (lorsque la requête se termine)
+pool_mode = transaction
+
+# Nombre maximum de connexions entrantes
+max_client_conn = 5000
+
+# Nombre de connexion maintenues avec le serveur
+default_pool_size = 20
+
+# Ne pas enregistrer les connexions qui se passent bien
+log_connections = 0
+log_disconnections = 0

pgbouncer/templates/userlist.txt.j2

@@ -0,0 +1,3 @@
+{% for account in pgbouncer_account_list %}
+"{{ account.name }}" "{{ account.hash }}"
+{% endfor %}