Merge pull request 'Add a firewall rule to allow PostgreSQL clients to connect' (#269) from bugfix/postgresql_client_firewall into master

Reviewed-on: #269
2020-12-22 22:15:06 +00:00 · 2020-12-22 22:15:06 +00:00 · c71d243c40
parent bb4b919548 7d0490f3da
commit c71d243c40
3 changed files with 10 additions and 3 deletions
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@ -24,9 +24,9 @@
    "ipaddress": "46.4.18.160",
    "roles": [
      "base",
-      "postgresql_primary",
      "mastodon",
-      "ejabberd"
+      "ejabberd",
+      "postgresql_client"
    ],
    "recipes": [
      "kosmos-base",
@ -130,7 +130,6 @@
    "recipe[kosmos-base::andromeda_firewall]",
    "recipe[kosmos-ipfs]",
    "recipe[kosmos-ipfs::public_gateway]",
-    "role[postgresql_primary]",
    "recipe[kosmos-btcpayserver::proxy]",
    "role[mastodon]",
    "role[ejabberd]",
--- a/roles/mastodon.rb
+++ b/roles/mastodon.rb
@ -3,4 +3,5 @@ name "mastodon"
 run_list %w(
  kosmos-mastodon
  kosmos-mastodon::nginx
+  role[postgresql_client]
 )
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@ -64,6 +64,13 @@ postgresql_clients.each do |client|
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
+
+  firewall_rule "postgresql #{hostname}" do
+    port        5432
+    protocol    :tcp
+    command     :allow
+    source ip
+  end
 end

 postgresql_replicas.each do |replica|