Greg greg
  • Joined on 2018-11-05
greg pushed to master at kosmos/chef 2020-05-15 15:22:09 +00:00
d900ca352c Merge branch 'bugfix/dirsrv_acis_really_fix' of kosmos/chef into master
b4209fa294 Fix the invalid ACIs on initial creation (for real)
greg merged pull request kosmos/chef#165 2020-05-15 15:22:09 +00:00
Fix the invalid ACIs on initial creation (for real)
greg created pull request kosmos/chef#165 2020-05-15 12:11:53 +00:00
Fix the invalid ACIs on initial creation (for real)
greg pushed to bugfix/dirsrv_acis_really_fix at kosmos/chef 2020-05-15 12:10:51 +00:00
b4209fa294 Fix the invalid ACIs on initial creation (for real)
greg created pull request kosmos/chef#164 2020-05-15 11:58:31 +00:00
Fix startup of the dirsrv@master Systemd unit on boot
greg pushed to bugfix/enable_dirsrv at kosmos/chef 2020-05-15 11:57:03 +00:00
10f0460fd5 Fix startup of the dirsrv@master Systemd unit on boot
greg pushed to master at kosmos/chef 2020-05-14 13:34:32 +00:00
bf60f9fca8 Add the Chef client public keys for andromeda and barnard
greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-14 13:10:06 +00:00
da278822f6 Use the new postgresql_primary role on andromeda
18973fe4f6 Remove the deleted tls property from the resources
fbf610a643 Merge branch 'master' into feature/160-postgres_replication
0aae86b545 Merge branch 'feature/turn_ip_config' of kosmos/chef into master
4448ec2173 Configure TURN properly
greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-14 11:16:43 +00:00
069090bf44 Remove TODOs
dd92d6cdb7 Remove deploying the root cert to clients from the README
greg commented on pull request kosmos/chef#163 2020-05-14 11:13:54 +00:00
Add recipe to set up PostgreSQL replication, rewrite kosmos-postgresql cookbook

I'm removing that line; this will be done as part of the Mastodon, ejabberd, gitea cookbooks. They wouldn't use a different port, but clients still need access for the specific database, user and IP (https://www.postgresql.org/docs/12/auth-pg-hba-conf.html).

greg commented on pull request kosmos/chef#163 2020-05-14 11:11:33 +00:00
Add recipe to set up PostgreSQL replication, rewrite kosmos-postgresql cookbook

I forgot to remove that part from the README, as we said in #160 that we don't care about verifying the root cert. It would be done in the cookbooks for software that connects to PostgreSQL (together with creating databases) and not in this cookbook

greg commented on issue kosmos/chef#160 2020-05-14 10:44:17 +00:00
Set up Postgres replication

If we only want to encrypt the traffic and do not care about the root cert's validity then there's no need to create an issue for ejabberd, or to wait for a verify-ca feature.

I think the PR is good to go, since right now Mastodon and ejabberd connect to PostgreSQL using localhost, so the ejabberd cookbook will only need to be updated to create a cluster with the new server

greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-14 10:37:07 +00:00
124ee5e6f3 Update the README
greg commented on issue kosmos/chef#160 2020-05-14 09:19:03 +00:00
Set up Postgres replication

Good implementations of PostgreSQL clients give you the option of verifying the cert was generated with the root cert, verify-ca. For example Gitea calls it verify-ca like the PostgreSQL documentation: https://docs.gitea.io/en-us/config-cheat-sheet/#database-database

Since we decided to use IPs, we wouldn't want to check the hostname (or use it), but ejabberd has no option for verify-ca, so ejabberd wouldn't verify anything

See https://www.postgresql.org/docs/12/libpq-ssl.html#LIBPQ-SSL-PROTECTION for the implication of every option

greg commented on issue kosmos/chef#160 2020-05-14 07:02:22 +00:00
Set up Postgres replication

In ejabberd you pass it a path to the CA root certs (https://docs.ejabberd.im/admin/configuration/toplevel/#sql-ssl-cafile). This part works; it fails verifying the hostname.

greg commented on issue kosmos/chef#160 2020-05-13 17:18:39 +00:00
Set up Postgres replication

I have pushed changes to my PR (#163) to switch over to a self-signed certificate. In VMs I got it to work, including with psql's verify-ca option.

In my experiments I could not get ejabberd's sql_ssl_cafile and sql_ssl_verify to ever work. At first I thought it was because my cert was a wildcard cert, but I got the same issue with a certificate generated for an example domain (primary.kosmos.org with an /etc/hosts entry) too.

I am always getting this error in ejabberd, so we will have to do without cert validation, or create an issue: TLS client: In state certify at ssl_handshake.erl:1372 generated CLIENT ALERT: Fatal - Handshake Failure - {bad_cert,hostname_check_failed}.

I also noticed that ejabberd does not support connecting to PostgreSQL servers with only TLS v1.3 enabled, so I have configured it to enable a minimum of v1.2 (`additional_config[:ssl_min_protocol_version] = "TLSv1.2"`).

greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-13 17:11:21 +00:00
0063776297 Remove unused dependencies
8d2ab785fc Use a self-signed TLS certificate for PostgreSQL
84cb3de4a0 Remove outdated comment
greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-13 13:36:22 +00:00
f3f8e47cce Add replication_password to the postgresql credentials
51b23c2f47 Add postgresql roles
greg commented on pull request kosmos/chef#163 2020-05-12 14:07:34 +00:00
Add recipe to set up PostgreSQL replication, rewrite kosmos-postgresql cookbook

Thanks, I've pushed a fix for the typo