1. Enabled TLS encryption for PostgreSQL and PGBouncer.

2. Automatically set the number of max_worker_processes and max_parallel_workers based on the system resources.
vitabaks · Dec 15, 2024 · 6ed248f · 6ed248f
1 parent 4901a51
commit 6ed248f
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 7 deletions.
diff --git a/automation/roles/patroni/tasks/main.yml b/automation/roles/patroni/tasks/main.yml
@@ -418,7 +418,7 @@
   when: postgresql_wal_dir is defined and postgresql_wal_dir | length > 0
   tags: patroni, custom_wal_dir
 
-- block:  # wheh postgresql NOT exists or PITR
+- block:  # when postgresql NOT exists or PITR
     - name: Prepare PostgreSQL | make sure PostgreSQL data directory "{{ postgresql_data_dir }}" exists
       ansible.builtin.file:
         path: "{{ postgresql_data_dir }}"
@@ -427,6 +427,22 @@
         state: directory
         mode: "0700"
 
+    # Generating TLS Certificates
+    - name: Generating TLS Certificates to {{ postgresql_home_dir }}/{{ postgresql_version }}
+      become: true
+      become_user: postgres
+      shell:
+        cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL'
+        chdir: "{{ postgresql_home_dir }}/{{ postgresql_version }}/"
+
+    - name: Changing permissions for {{ postgresql_home_dir }}/{{ postgresql_version }}/server.key
+      file:
+        path: "{{ postgresql_home_dir }}/{{ postgresql_version }}/server.key"
+        state: file
+        owner: postgres
+        group: postgres
+        mode: "0400"
+
     # for Debian based distros only
     # patroni bootstrap failure is possible if the PostgreSQL config files are missing
     - name: Prepare PostgreSQL | make sure PostgreSQL config directory exists

diff --git a/automation/roles/pgbouncer/tasks/main.yml b/automation/roles/pgbouncer/tasks/main.yml
@@ -124,6 +124,22 @@
     label: "{{ 'pgbouncer' if idx == 0 else 'pgbouncer-%d' % (idx + 1) }}"
   tags: pgbouncer_logrotate, pgbouncer
 
+# Generating TLS Certificates
+- name: Generating TLS Certificates to {{ pgbouncer_conf_dir }}
+  become: true
+  become_user: postgres
+  shell:
+    cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL'
+    chdir: "{{ pgbouncer_conf_dir }}/"
+
+- name: Changing permissions for {{ pgbouncer_conf_dir }}/server.key
+  file:
+    path: "{{ pgbouncer_conf_dir }}/server.key"
+    state: file
+    owner: postgres
+    group: postgres
+    mode: 0400
+
 - name: Configure pgbouncer.ini
   ansible.builtin.template:
     src: templates/pgbouncer.ini.j2

diff --git a/automation/roles/pgbouncer/templates/pgbouncer.ini.j2 b/automation/roles/pgbouncer/templates/pgbouncer.ini.j2
@@ -42,6 +42,11 @@ client_tls_cert_file = {{ pgbouncer_client_tls_cert_file }}
 client_tls_ca_file = {{ pgbouncer_client_tls_ca_file }}
 client_tls_protocols = {{ pgbouncer_client_tls_protocols }}
 client_tls_ciphers = {{ pgbouncer_client_tls_ciphers }}
+server_tls_sslmode = {{ pgbouncer_server_tls_sslmode }}
+server_tls_protocols = {{ pgbouncer_server_tls_protocols }}
+server_tls_ciphers = {{ pgbouncer_server_tls_ciphers }}
+server_tls_cert_file = {{ pgbouncer_server_tls_cert_file }}
+server_tls_key_file = {{ pgbouncer_server_tls_key_file }}
 {% endif %}
 log_connections = 0
 log_disconnections = 0

diff --git a/automation/vars/main.yml b/automation/vars/main.yml
@@ -235,6 +235,10 @@ postgresql_parameters:
   - { option: "max_connections", value: "1000" }
   - { option: "superuser_reserved_connections", value: "5" }
   - { option: "password_encryption", value: "{{ postgresql_password_encryption_algorithm }}" }
+  - { option: "ssl", value: "on"}
+  - { option: "ssl_cert_file", value: "{{ postgresql_home_dir }}/{{ postgresql_version }}/server.crt"}
+  - { option: "ssl_key_file", value: "{{ postgresql_home_dir }}/{{ postgresql_version }}/server.key"}
+  - { option: "ssl_min_protocol_version", value: "TLSv1.2"}
   - { option: "max_locks_per_transaction", value: "512" }
   - { option: "max_prepared_transactions", value: "0" }
   - { option: "huge_pages", value: "try" }  # "vm.nr_hugepages" is auto-configured for shared_buffers >= 8GB (if huge_pages_auto_conf is true)
@@ -305,8 +309,8 @@ postgresql_parameters:
   - { option: "wal_receiver_status_interval", value: "10s" }
   - { option: "idle_in_transaction_session_timeout", value: "10min" }  # reduce this timeout if possible
   - { option: "jit", value: "off" }
-  - { option: "max_worker_processes", value: "24" }
-  - { option: "max_parallel_workers", value: "8" }
+  - { option: "max_worker_processes", value: "{{ ansible_processor_nproc | int }}" }
+  - { option: "max_parallel_workers", value: "{{ ansible_processor_nproc | int }}" }
   - { option: "max_parallel_workers_per_gather", value: "2" }
   - { option: "max_parallel_maintenance_workers", value: "2" }
   - { option: "tcp_keepalives_count", value: "10" }
@@ -366,12 +370,17 @@ pgbouncer_auth_user: true # or 'false' if you want to manage the list of users f
 pgbouncer_auth_username: pgbouncer # user who can query the database via the user_search function
 pgbouncer_auth_password: "" # If not defined, a password will be generated automatically during deployment
 pgbouncer_auth_dbname: "postgres"
-pgbouncer_client_tls_sslmode: "disable"
-pgbouncer_client_tls_key_file: ""
-pgbouncer_client_tls_cert_file: ""
+pgbouncer_client_tls_sslmode: "require"
+pgbouncer_client_tls_key_file: "{{ pgbouncer_conf_dir }}/server.key"
+pgbouncer_client_tls_cert_file: "{{ pgbouncer_conf_dir }}/server.crt"
 pgbouncer_client_tls_ca_file: ""
 pgbouncer_client_tls_protocols: "secure" # allowed values: tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all, secure (tlsv1.2,tlsv1.3)
-pgbouncer_client_tls_ciphers: "default" # allowed values: default, secure, fast, normal, all (not recommended)
+pgbouncer_client_tls_ciphers: "secure" # allowed values: default, secure, fast, normal, all (not recommended)
+pgbouncer_server_tls_sslmode: "require"
+pgbouncer_server_tls_protocols: "secure"
+pgbouncer_server_tls_ciphers: "secure"
+pgbouncer_server_tls_cert_file: "{{ pgbouncer_conf_dir }}/server.crt"
+pgbouncer_server_tls_key_file: "{{ pgbouncer_conf_dir }}/server.key"
 
 pgbouncer_pools:
   - { name: "postgres", dbname: "postgres", pool_parameters: "" }