Merge branch 'unstable' into stable
commit
7052b7bd1e
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -21,6 +21,18 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [23.03.1] 2023-03-16
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* pgbouncer: new role
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* apt: deb822 migration python script is looked relative to shell script
|
||||||
|
* listupgrade: remove old typo version of the cron task
|
||||||
|
* minifirewall: support protocols in numeric form
|
||||||
|
|
||||||
## [23.03] 2023-03-16
|
## [23.03] 2023-03-16
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
deb822_migrate_script=$(command -v deb822-migration.py)
|
deb822_migrate_script=$(command -v deb822-migration.py)
|
||||||
|
|
||||||
if [ -z "${deb822_migrate_script}" ]; then
|
if [ -z "${deb822_migrate_script}" ]; then
|
||||||
deb822_migrate_script="./deb822-migration.py"
|
deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
|
||||||
fi
|
fi
|
||||||
if [ ! -x "${deb822_migrate_script}" ]; then
|
if [ ! -x "${deb822_migrate_script}" ]; then
|
||||||
>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
|
>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
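Review bot: The new fallback `$(dirname "$0")` follows the path the script was invoked through, not the file's real location, so running it via a symlink makes the lookup land in the symlink's directory instead of next to the script. Resolving the path first avoids that: `deb822_migrate_script="$(dirname -- "$(readlink -f -- "$0")")/deb822-migration.py"`. A short comment above the assignment saying that the helper is expected to sit beside this script when it is not on `PATH` would also help. The `if [ ! -x ... ]` block continues past the end of the hunk.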
|
||||||
|
|
|
@ -58,6 +58,12 @@
|
||||||
month: "{{ listupgrade_cron_month }}"
|
month: "{{ listupgrade_cron_month }}"
|
||||||
state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
|
state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
|
||||||
|
|
||||||
|
- name: Remove old lisupgrade typo
|
||||||
|
cron:
|
||||||
|
name: "lisupgrade.sh"
|
||||||
|
cron_file: "listupgrade"
|
||||||
|
state: absent
|
||||||
|
|
||||||
- name: old-kernel-autoremoval script is present
|
- name: old-kernel-autoremoval script is present
|
||||||
copy:
|
copy:
|
||||||
src: old-kernel-autoremoval.sh
|
src: old-kernel-autoremoval.sh
|
||||||
|
|
|
@ -39,7 +39,7 @@ is_minifirewall_started() {
|
||||||
if test -x /usr/share/scripts/minifirewall_status; then
|
if test -x /usr/share/scripts/minifirewall_status; then
|
||||||
/usr/share/scripts/minifirewall_status > /dev/null
|
/usr/share/scripts/minifirewall_status > /dev/null
|
||||||
else
|
else
|
||||||
/sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
/sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
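Review bot: The new pattern in the `else` branch has one closing parenthesis too many, at `(icmp|1)))`. The extended regex is therefore either rejected by grep as unbalanced or, where a stray `)` is taken literally, can never match the `iptables -L -n` output. Either way the fallback check reports minifirewall as not started even when the rules are loaded, and a check that always fails tends to be ignored. The line should read `/sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"`, which is the balanced form used in the `is_started()` hunk of this same commit. `is_minifirewall_started()` begins above the hunk.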
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
is_started() {
|
is_started() {
|
||||||
/sbin/iptables -L -n \
|
/sbin/iptables -L -n \
|
||||||
| grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
| grep --quiet --extended-regexp "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||||
}
|
}
|
||||||
return_started() {
|
return_started() {
|
||||||
echo "started"
|
echo "started"
|
||||||
|
|
|
@ -0,0 +1,38 @@
|
||||||
|
# PgBouncer
|
||||||
|
|
||||||
|
Installation and basic configuration of PgBouncer.
|
||||||
|
|
||||||
|
## Tasks
|
||||||
|
|
||||||
|
Everything is in the `tasks/main.yml` file.
|
||||||
|
|
||||||
|
## Available variables
|
||||||
|
|
||||||
|
Main variables are :
|
||||||
|
|
||||||
|
* `pgbouncer_listen_addr`: the listen IP for PgBouncer (default: `127.0.0.1`),
|
||||||
|
* `pgbouncer_listen_port`: the listen post for PgBouncer (default: `6432`),
|
||||||
|
* `pgbouncer_databases`: the databases that clients of PgBouncer can connect to,
|
||||||
|
* `pgbouncer_account_list`: the accounts that clients of PgBouncer can connect to.
|
||||||
|
|
||||||
|
The variable `pgbouncer_databases` must have the `name`, `host` and `port` attributes. The variable can be defined like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
pgbouncer_databases:
|
||||||
|
- { name: "db1", host: "192.168.3.14", port: "5432" }
|
||||||
|
- { name: "*", host: "192.168.2.71", port: "5432" }
|
||||||
|
```
|
||||||
|
|
||||||
|
The variable `pgbouncer_account_list` must have the `name` and `hash` attributes. The variable can be defined like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
pgbouncer_account_list:
|
||||||
|
- { name: "account1", hash: "<hash>" }
|
||||||
|
- { name: "account2", hash: "<hash>" }
|
||||||
|
```
|
||||||
|
|
||||||
|
The value of `hash` can be obtained by running this command on the PostgreSQL server: `select passwd from pg_shadow where usename='account1';`
|
||||||
|
|
||||||
|
> These accounts must exist on the PostegreSQL server.
|
||||||
|
|
||||||
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
pgbouncer_listen_addr: "127.0.0.1"
|
||||||
|
pgbouncer_listen_port: "6432"
|
||||||
|
|
||||||
|
pgbouncer_databases: []
|
||||||
|
|
||||||
|
pgbouncer_account_list: []
|
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
- name: PgBouncer is installed
|
||||||
|
apt:
|
||||||
|
name: pgbouncer
|
||||||
|
state: present
|
||||||
|
- name: Limit for PgBouncer is set
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/default/pgbouncer
|
||||||
|
line: ulimit -n 65536
|
||||||
|
- name: Add config file for PgBouncer
|
||||||
|
template:
|
||||||
|
src: pgbouncer.ini.j2
|
||||||
|
dest: /etc/pgbouncer/pgbouncer.ini
|
||||||
|
- name: Populate userlist.txt
|
||||||
|
template:
|
||||||
|
src: userlist.txt.j2
|
||||||
|
dest: /etc/pgbouncer/userlist.txt
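Review bot: Neither `template` task sets `owner`, `group` or `mode`, and `/etc/pgbouncer/userlist.txt` receives the password hashes from `pgbouncer_account_list`. If the file does not exist beforehand, it is created with whatever the remote umask allows, which can leave the hashes readable by every local user. State the permissions explicitly on the "Populate userlist.txt" task, e.g. `owner: postgres`, `group: postgres`, `mode: "0640"`. The service account is presumably `postgres`, going by the log and pid paths in the config template, but that should be confirmed. As far as this file shows, no task notifies a handler, so a changed `pgbouncer.ini` or `userlist.txt` is not applied until PgBouncer is reloaded some other way.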
|
|
@ -0,0 +1,29 @@
|
||||||
|
[databases]
|
||||||
|
{% for db in pgbouncer_databases %}
|
||||||
|
{{ db.name }} = host={{ db.host }} port={{ db.port }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
[pgbouncer]
|
||||||
|
logfile = /var/log/postgresql/pgbouncer.log
|
||||||
|
pidfile = /var/run/postgresql/pgbouncer.pid
|
||||||
|
|
||||||
|
listen_addr = {{ pgbouncer_listen_addr }}
|
||||||
|
listen_port = {{ pgbouncer_listen_port }}
|
||||||
|
unix_socket_dir =
|
||||||
|
|
||||||
|
auth_type = scram-sha-256
|
||||||
|
auth_file = /etc/pgbouncer/userlist.txt
|
||||||
|
|
||||||
|
# La connexion au serveur redevient libre lorsque le client termine une transaction
|
||||||
|
# Autres valeurs possibles : session (lorsque le client ferme la session), statement (lorsque la requête se termine)
|
||||||
|
pool_mode = transaction
|
||||||
|
|
||||||
|
# Nombre maximum de connexions entrantes
|
||||||
|
max_client_conn = 5000
|
||||||
|
|
||||||
|
# Nombre de connexion maintenues avec le serveur
|
||||||
|
default_pool_size = 20
|
||||||
|
|
||||||
|
# Ne pas enregistrer les connexions qui se passent bien
|
||||||
|
log_connections = 0
|
||||||
|
log_disconnections = 0
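Review bot: `log_connections = 0` and `log_disconnections = 0` are hard-coded, so a host using this role keeps no record of which client and account connected through the pooler, and that record is what an investigation needs. Expose both as role variables, keeping the current default, e.g. `log_connections = {{ pgbouncer_log_connections | default(0) }}` and the same for `log_disconnections` (variable names are a suggestion). Separately, `pgbouncer_listen_addr` can be set to a non-loopback address, but the template has no client TLS settings, so traffic would then travel in clear text. A comment next to `listen_addr` should say so. The comments in this template are in French; English would match the role's README.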
|
|
@ -0,0 +1,3 @@
|
||||||
|
{% for account in pgbouncer_account_list %}
|
||||||
|
"{{ account.name }}" "{{ account.hash }}"
|
||||||
|
{% endfor %}
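Review bot: `account.name` and `account.hash` are written between double quotes without any escaping, so a value containing `"` produces a malformed `userlist.txt` line. PgBouncer's auth file format escapes a double quote by doubling it, so the line can be written as `"{{ account.name | replace('"', '""') }}" "{{ account.hash | replace('"', '""') }}"`. A leading template comment noting that the file holds password hashes and is managed by Ansible would also be useful.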
|