1. Enabled TLS encryption for PostgreSQL and PGBouncer.
2. Automatically set the number of max_worker_processes and max_parallel_workers based on the system resources.
klention committed Dec 15, 2024
1 parent 4901a51 commit 57b64fd
Showing 4 changed files with 53 additions and 7 deletions.
18 changes: 17 additions & 1 deletion automation/roles/patroni/tasks/main.yml
@@ -418,7 +418,7 @@
when: postgresql_wal_dir is defined and postgresql_wal_dir | length > 0
tags: patroni, custom_wal_dir

- block: # wheh postgresql NOT exists or PITR
- block: # when postgresql NOT exists or PITR
- name: Prepare PostgreSQL | make sure PostgreSQL data directory "{{ postgresql_data_dir }}" exists
ansible.builtin.file:
path: "{{ postgresql_data_dir }}"
@@ -427,6 +427,22 @@
state: directory
mode: "0700"

# Generating TLS Certificates
- name: Generating TLS Certificates to /var/lib/pgsql/{{ postgresql_version }}
become: true
become_user: postgres
shell:
cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL'
chdir: "/var/lib/pgsql/{{ postgresql_version }}/"

- name: Changing permissions for /var/lib/pgsql/{{ postgresql_version }}/server.key
file:
path: "/var/lib/pgsql/{{ postgresql_version }}/server.key"
state: file
owner: postgres
group: postgres
mode: "0400"

# for Debian based distros only
# patroni bootstrap failure is possible if the PostgreSQL config files are missing
- name: Prepare PostgreSQL | make sure PostgreSQL config directory exists
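Review bot: The `openssl req` task on the `shell:` line issues a self-signed certificate with the fixed subject `/C=AL/L=City/O=Org/CN=PostgreSQL` and no SAN, so every node presents the same identity and no client can use `verify-full` (or `verify-ca` without distributing each node's certificate); that is acceptable for opportunistic encryption but should be stated, e.g. `# self-signed per-node cert: provides encryption only, not server authentication`. The directory `/var/lib/pgsql/{{ postgresql_version }}` is hard-coded while the surrounding block uses `{{ postgresql_data_dir }}`, so on a Debian-based host that reaches this block the `chdir` presumably does not exist and the task fails — consider deriving the path from `postgresql_data_dir`. The task has no `creates:` guard, so `creates: "/var/lib/pgsql/{{ postgresql_version }}/server.key"` would keep a re-run from silently replacing the private key; the same applies to the identical task added in automation/roles/pgbouncer/tasks/main.yml. For consistency with the `ansible.builtin.file` task above, write `ansible.builtin.shell:` and `ansible.builtin.file:`. The enclosing block starts in the previous hunk and its task list continues past this one.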
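--- a/automation/roles/pgbouncer/tasks/main.yml
+++ b/automation/roles/pgbouncer/tasks/main.yml
@@ -124,6 +124,22 @@
 label: "{{ 'pgbouncer' if idx == 0 else 'pgbouncer-%d' % (idx + 1) }}"
 tags: pgbouncer_logrotate, pgbouncer
 
+# Generating TLS Certificates
+- name: Generating TLS Certificates to {{ pgbouncer_conf_dir }}
+become: true
+become_user: postgres
+shell:
+cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL'
+chdir: "{{ pgbouncer_conf_dir }}/"
+
+- name: Changing permissions for {{ pgbouncer_conf_dir }}/server.key
+file:
+path: "{{ pgbouncer_conf_dir }}/server.key"
+state: file
+owner: postgres
+group: postgres
+mode: 0400
+
 - name: Configure pgbouncer.ini
 ansible.builtin.template:
 src: templates/pgbouncer.ini.j2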
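Review bot: `mode: 0400` on the `file:` task is an unquoted octal; Ansible's YAML 1.1 parser reads it as the integer 256, which happens to equal 0o400, but it trips the risky-octal lint and differs from the quoted `mode: "0400"` the patroni change in this commit uses — write `mode: "0400"`. Unlike the patroni task, this `shell:` task is not visibly inside a first-run-only block, so as written it regenerates server.key and server.crt on every role run, rotating PgBouncer's TLS identity and reporting changed each time; a `creates: "{{ pgbouncer_conf_dir }}/server.key"` argument addresses both. The task writes into `{{ pgbouncer_conf_dir }}` as `become_user: postgres`, which presumably requires that directory to be owned or writable by postgres — confirm against the task that creates it, which is outside this hunk.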
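--- a/automation/roles/pgbouncer/templates/pgbouncer.ini.j2
+++ b/automation/roles/pgbouncer/templates/pgbouncer.ini.j2
@@ -42,6 +42,11 @@ client_tls_cert_file = {{ pgbouncer_client_tls_cert_file }}
 client_tls_ca_file = {{ pgbouncer_client_tls_ca_file }}
 client_tls_protocols = {{ pgbouncer_client_tls_protocols }}
 client_tls_ciphers = {{ pgbouncer_client_tls_ciphers }}
+server_tls_sslmode = {{ pgbouncer_server_tls_sslmode }}
+server_tls_protocols = {{ pgbouncer_server_tls_protocols }}
+server_tls_ciphers = {{ pgbouncer_server_tls_ciphers }}
+server_tls_cert_file = {{ pgbouncer_server_tls_cert_file }}
+server_tls_key_file = {{ pgbouncer_server_tls_key_file }}
 {% endif %}
 log_connections = 0
 log_disconnections = 0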
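Review bot: The new `server_tls_*` lines never render `server_tls_ca_file`, so `pgbouncer_server_tls_sslmode` can only meaningfully be `require` — PgBouncer has no CA to check the PostgreSQL certificate against, and `verify-ca`/`verify-full` cannot be selected from vars. Consider adding `server_tls_ca_file = {{ pgbouncer_server_tls_ca_file }}` driven by a new variable defaulting to `""`, following the existing `client_tls_ca_file` line, which is already rendered from an empty default. The added lines also sit inside an `{% if %}` whose condition is outside this hunk; if it is keyed on the client TLS setting, disabling client TLS silently drops the server-side TLS settings as well, so a separate guard would keep the two independent.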
21 changes: 15 additions & 6 deletions automation/vars/main.yml
@@ -235,6 +235,10 @@ postgresql_parameters:
- { option: "max_connections", value: "1000" }
- { option: "superuser_reserved_connections", value: "5" }
- { option: "password_encryption", value: "{{ postgresql_password_encryption_algorithm }}" }
- { option: "ssl", value: "on"}
- { option: "ssl_cert_file", value: "/var/lib/pgsql/{{ postgresql_version }}/server.crt"}
- { option: "ssl_key_file", value: "/var/lib/pgsql/{{ postgresql_version }}/server.key"}
- { option: "ssl_min_protocol_version", value: "TLSv1.2"}
- { option: "max_locks_per_transaction", value: "512" }
- { option: "max_prepared_transactions", value: "0" }
- { option: "huge_pages", value: "try" } # "vm.nr_hugepages" is auto-configured for shared_buffers >= 8GB (if huge_pages_auto_conf is true)
@@ -305,8 +309,8 @@ postgresql_parameters:
- { option: "wal_receiver_status_interval", value: "10s" }
- { option: "idle_in_transaction_session_timeout", value: "10min" } # reduce this timeout if possible
- { option: "jit", value: "off" }
- { option: "max_worker_processes", value: "24" }
- { option: "max_parallel_workers", value: "8" }
- { option: "max_worker_processes", value: "{{ ansible_processor_nproc | int }}" }
- { option: "max_parallel_workers", value: "{{ ansible_processor_nproc | int }}" }
- { option: "max_parallel_workers_per_gather", value: "2" }
- { option: "max_parallel_maintenance_workers", value: "2" }
- { option: "tcp_keepalives_count", value: "10" }
@@ -366,12 +370,17 @@ pgbouncer_auth_user: true # or 'false' if you want to manage the list of users f
pgbouncer_auth_username: pgbouncer # user who can query the database via the user_search function
pgbouncer_auth_password: "" # If not defined, a password will be generated automatically during deployment
pgbouncer_auth_dbname: "postgres"
pgbouncer_client_tls_sslmode: "disable"
pgbouncer_client_tls_key_file: ""
pgbouncer_client_tls_cert_file: ""
pgbouncer_client_tls_sslmode: "require"
pgbouncer_client_tls_key_file: "{{ pgbouncer_conf_dir }}/server.key"
pgbouncer_client_tls_cert_file: "{{ pgbouncer_conf_dir }}/server.crt"
pgbouncer_client_tls_ca_file: ""
pgbouncer_client_tls_protocols: "secure" # allowed values: tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all, secure (tlsv1.2,tlsv1.3)
pgbouncer_client_tls_ciphers: "default" # allowed values: default, secure, fast, normal, all (not recommended)
pgbouncer_client_tls_ciphers: "secure" # allowed values: default, secure, fast, normal, all (not recommended)
pgbouncer_server_tls_sslmode: "require"
pgbouncer_server_tls_protocols: "secure"
pgbouncer_server_tls_ciphers: "secure"
pgbouncer_server_tls_cert_file: "{{ pgbouncer_conf_dir }}/server.crt"
pgbouncer_server_tls_key_file: "{{ pgbouncer_conf_dir }}/server.key"

pgbouncer_pools:
- { name: "postgres", dbname: "postgres", pool_parameters: "" }
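Review bot: Setting `max_worker_processes` to `{{ ansible_processor_nproc | int }}` makes the value per host, but PostgreSQL requires a standby's `max_worker_processes` to be at least the primary's value, so a cluster whose nodes differ in CPU count can leave a smaller replica unable to apply WAL (the exact failure mode depends on the PostgreSQL version) until it is raised and restarted — a cluster-wide value or a documented minimum would avoid that. Giving `max_parallel_workers` the same number reserves no background-worker slots for anything else (logical replication workers, extensions), so keep it below `max_worker_processes`; the second hunk is the one this applies to. In the first hunk, `ssl_cert_file`/`ssl_key_file` hard-code `/var/lib/pgsql/{{ postgresql_version }}`, which presumably only exists on RHEL-family hosts, and with `ssl` set to `"on"` a missing certificate file prevents the server from starting — derive the path from `postgresql_data_dir` or make it a variable; the four new entries also omit the space before `}` that the surrounding entries use. In the third hunk, switching the default `pgbouncer_client_tls_sslmode` from `"disable"` to `"require"` refuses existing non-TLS clients after an upgrade, which deserves a comment on that line and a changelog entry.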
