From c700f9897620fb408706504f0e166614622b9d5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Dec 2020 17:53:28 +0100
Subject: [PATCH 1/2] Add a firewall rule to allow clients to connect

Previously it was not an issue because services that connected to the PostgreSQL primary were also on the same server as a standby server.
---
 site-cookbooks/kosmos-postgresql/recipes/default.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
index b3c9f4f..8055b8b 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -64,6 +64,13 @@ postgresql_clients.each do |client|
 access_method "md5"
 notifies :reload, "service[#{postgresql_service}]", :immediately
 end
+
+ firewall_rule "postgresql #{hostname}" do
+ port 5432
+ protocol :tcp
+ command :allow
+ source ip
+ end
 end

 postgresql_replicas.each do |replica|
--
2.25.1

From 87388ac69d35d1a1e270b7847ff21729b450b468 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Dec 2020 17:54:31 +0100
Subject: [PATCH 2/2] Add the postgresql_client role to the mastodon role

This will add the firewall rule and pg_hba access rule on the PostgreSQL servers
---
 nodes/andromeda.kosmos.org.json | 5 ++---
 roles/mastodon.rb | 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index 338bb9c..a4bd9a3 100644
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -24,9 +24,9 @@
 "ipaddress": "46.4.18.160",
 "roles": [
 "base",
- "postgresql_primary",
 "mastodon",
- "ejabberd"
+ "ejabberd",
+ "postgresql_client"
 ],
 "recipes": [
 "kosmos-base",
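Review bot: In the `firewall_rule` added to `recipes/default.rb`, the only thing limiting who can reach port 5432 is `source ip`, and `ip` is assigned outside the hunk. If that value can ever be nil or empty for a client node (for example a node whose address attribute is missing), the rule would presumably carry no source restriction and expose PostgreSQL to any address; failing closed with something like `raise "no IP for #{hostname}" if ip.to_s.empty?` ahead of the rule avoids that. Because this change makes client connections cross the network instead of staying on the host, the `access_method "md5"` in the neighbouring pg_hba entry is also worth revisiting: `scram-sha-256` with a TLS-only (`hostssl`) entry would protect credentials in transit, where the server version and the rest of that resource (not visible here) allow it. The enclosing `postgresql_clients.each` block begins before the hunk.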
@@ -130,7 +130,6 @@
 "recipe[kosmos-base::andromeda_firewall]",
 "recipe[kosmos-ipfs]",
 "recipe[kosmos-ipfs::public_gateway]",
- "role[postgresql_primary]",
 "recipe[kosmos-btcpayserver::proxy]",
 "role[mastodon]",
 "role[ejabberd]",
diff --git a/roles/mastodon.rb b/roles/mastodon.rb
index 44bbcdc..5bb39e4 100644
--- a/roles/mastodon.rb
+++ b/roles/mastodon.rb
@@ -3,4 +3,5 @@ name "mastodon"
 run_list %w(
 kosmos-mastodon
 kosmos-mastodon::nginx
+ role[postgresql_client]
 )
--
2.25.1