Greg greg
  • Joined on 2018-11-05
greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-12 14:05:28 +00:00
eb98aa1bac Clarify the firewall and client authentication rules
0180da1aa6 Fix a typo in the README
greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-12 10:11:28 +00:00
254f9020ae Enable firewall rules to allow primary/replica to connect
greg commented on issue kosmos/chef#160 2020-05-12 10:03:09 +00:00
Set up Postgres replication

TLS with Let's Encrypt is easier to set up than a self-signed cert on all machines. In my experience generating self-signed certs is a pain in the ass.

If the primary PostgreSQL server is for example andromeda.kosmos.org with TLS, changing it to another server in the client configs is the same amount of work as changing an IP (changing the FQDN).

greg created pull request kosmos/chef#163 2020-05-11 16:31:46 +00:00
Add recipe to set up PostgreSQL replication, rewrite kosmos-postgresql cookbook
greg pushed to feature/160-postgres_replication at kosmos/chef 2020-05-11 16:27:52 +00:00
80c7263a72 Upgrade PostgreSQL from 10 to 12
b22a7e3c0f Update the postgresql upstream cookbook
21119fff08 Add a custom resource to set up PostgreSQL 12
greg commented on issue kosmos/chef#160 2020-05-11 09:52:02 +00:00
Set up Postgres replication

re: TLS, it's still useful between clients and servers even with firewall rules and access rules

greg commented on issue kosmos/chef#160 2020-05-11 09:51:21 +00:00
Set up Postgres replication

I ran into a Chef bug that appears to be caused by the implementation of custom resources. Notifications are broken, so adding an access rule using the postgresql_access does not reload the service: https://github.com/sous-chefs/postgresql/issues/648

The custom resource I wrote was really useful since so much code is identical between a primary and a replica, but I might have to rewrite it another way (move the access rules to the recipe, for example). With this bug, reloading the PostgreSQL service manually is needed after adding a new rule.

I created a repo to reproduce the issue; a maintainer will take a look at it.

greg commented on issue kosmos/chef#160 2020-05-07 09:02:13 +00:00
Set up Postgres replication

This took more work than I originally thought to get it right, but I'm getting satisfied with the Chef resource I wrote to set up a PostgreSQL primary or replica, with a TLS cert provided by Let's Encrypt.

Now I'm going to perform the PostgreSQL upgrade in a VM and make sure everything goes smoothly.

greg deleted branch feature/turn_ip_config from kosmos/chef 2020-05-02 12:43:46 +00:00
greg closed issue kosmos/chef#159 2020-05-02 12:43:41 +00:00
STUN and TURN discovery for ejabberd
greg merged pull request kosmos/chef#162 2020-05-02 12:43:40 +00:00
Make audio/video calls work
greg pushed to master at kosmos/chef 2020-05-02 12:43:40 +00:00
0aae86b545 Merge branch 'feature/turn_ip_config' of kosmos/chef into master
4448ec2173 Configure TURN properly
greg commented on pull request kosmos/chef#161 2020-05-02 09:24:49 +00:00
Support audio/video calls for Kosmos XMPP accounts

LGTM! Let's merge after deploying it, in case the turn_ip is required for STUN to function

greg commented on issue kosmos/chef#160 2020-05-01 10:01:39 +00:00
Set up Postgres replication

As discussed in #147 it makes sense to first upgrade the current PostgreSQL server on andromeda to version 12, since the replication configuration has been improved (and simplified). In version 10 the replication settings had to be added to a config file in the data directory; since version 12 they live in postgresql.conf with the rest of the config.

I have followed this tutorial to set up replication between two VMs: https://www.percona.com/blog/2019/10/11/how-to-set-up-streaming-replication-in-postgresql-12/

The new setup will have PostgreSQL run with TLS enabled, with certs generated by Let's Encrypt, so that client connections and replication are secured.

In order to secure the servers, we will use a firewall rule that only allows connections from the IP of the servers that need it. We will also use client authentication to limit access to specific databases for each server, and allow the replication server access to the replication database.

Now I need to remove some hardcoded values from the new recipes, using instead values from the Chef nodes living in the repo in nodes.

I think we can start with the upgrade to 12 on Andromeda and switch to the new config, maybe on Tuesday? After this first step, which will require a short downtime, we can install PostgreSQL on the new Hetzner server and confirm replication works; this will not require downtime.
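
The access model in the comment above (TLS for clients and replication, per-server client authentication, replication limited to the replication database) is enforced in pg_hba.conf. The following is an added example, not code from kosmos/chef: a small audit script that parses pg_hba.conf rules and flags the ones that do not match that model, such as non-hostssl rules, rules that span more than one host, `trust` authentication, or `all`/`all` grants. The sample rules, addresses and role names it contains are constructed placeholders, not kosmos hosts; it assumes the generated file uses the CIDR address form only.

```python
"""Audit pg_hba.conf rules against a TLS-only, one-host-per-rule access model.

Added example, not part of the kosmos/chef cookbook. Sample rules and addresses
are constructed placeholders. Assumption: rules use the CIDR address form; the
two-column 'address mask' form and 'include' directives are not handled.
"""
import ipaddress

# Constructed sample pg_hba.conf (placeholder addresses from 192.0.2.0/24).
SAMPLE_PG_HBA = """
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
host    all             all             0.0.0.0/0               md5
host    replication     replicator      10.0.0.0/8              trust
hostssl replication     replicator      192.0.2.10/32           scram-sha-256
hostssl app_db          app_user        192.0.2.20/32           scram-sha-256
hostnossl all           all             192.0.2.0/24            md5
"""


def parse_pg_hba(text):
    """Return a list of rule dicts parsed from pg_hba.conf text.

    Comments and blank lines are skipped. 'local' rules carry no address;
    host/hostssl/hostnossl rules carry a CIDR (or keyword) address.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local rule")
            database, user, method = fields[1], fields[2], fields[3]
            address = None
        elif conn_type in ("host", "hostssl", "hostnossl"):
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: malformed {conn_type} rule")
            database, user, address, method = fields[1:5]
        else:
            raise ValueError(f"line {lineno}: unknown connection type {conn_type!r}")
        rules.append({"line": lineno, "type": conn_type, "database": database,
                      "user": user, "address": address, "method": method})
    return rules


def audit_rule(rule):
    """Return a list of findings (strings) for one rule; empty means OK."""
    findings = []
    if rule["method"] == "trust":
        findings.append("method 'trust' grants access without authentication")
    if rule["type"] == "local":
        return findings  # Unix-socket rules are not reachable over the network
    if rule["type"] != "hostssl":
        findings.append(f"type '{rule['type']}' accepts unencrypted connections; use hostssl")
    try:
        net = ipaddress.ip_network(rule["address"], strict=False)
    except ValueError:
        # 'all', 'samenet', a hostname, etc.: not a pinned single-host address
        findings.append(f"address {rule['address']!r} is not a single-host CIDR")
        return findings
    if net.num_addresses > 1:
        findings.append(f"address {net} covers {net.num_addresses} hosts; pin one /32 (or /128) per server")
    if rule["database"] == "all" and rule["user"] == "all":
        findings.append("database/user 'all' lets every role reach every database")
    return findings


def audit_pg_hba(text):
    """Map line number -> findings for every rule that has at least one finding."""
    report = {}
    for rule in parse_pg_hba(text):
        findings = audit_rule(rule)
        if findings:
            report[rule["line"]] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(audit_pg_hba(SAMPLE_PG_HBA).items()):
        for finding in findings:
            print(f"pg_hba.conf:{lineno}: {finding}")
```

Run against the constructed sample, the two `hostssl ... /32 ... scram-sha-256` rules (replication from one replica address, one application database from one application host) pass, while the `host`, `hostnossl`, `0.0.0.0/0`, `10.0.0.0/8` and `trust` rules are each reported. The firewall rule from the comment is a separate layer and is not checked here; a rule that passes this audit still only takes effect for hosts the firewall lets through.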

greg deleted branch bugfix/152-remove_encryption_keys_tls from kosmos/chef 2020-04-30 15:50:52 +00:00
greg merged pull request kosmos/chef#157 2020-04-30 15:50:30 +00:00
Remove the encryption keys after TLS cert renewal
greg pushed to master at kosmos/chef 2020-04-30 15:50:30 +00:00
53d53f2375 Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master
1c920a8cb2 Remove the encryption keys after TLS cert renewal
5e3c8066f9 Add the missing certbot command to generate the LDAP TLS cert
d01c9a4d0a Fix the name of the deploy certbot hook