diff --git a/ansible/deploy-postgres-11.yml b/ansible/deploy-postgres-11.yml new file mode 100644 index 00000000..b15ef74a --- /dev/null +++ b/ansible/deploy-postgres-11.yml @@ -0,0 +1,38 @@ +--- + +# Deploy PostgreSQL 11.7 + +- import_playbook: ansible-version.yml + +- hosts: ams-pg.ooni.nu + gather_facts: true # to gather `ansible_service_mgr` + tags: postgresql11 + roles: + - role: postgresql11 + +#- name: install prometheus-postgres-exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-postgres-exporter +# +# +#- name: install prom process exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-process-exporter +# +#- name: install prom Nginx exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-nginx-exporter +# +# +#- name: install prox Haproxy exporter +# apt: +# cache_valid_time: 86400 +# install_recommends: no +# name: prometheus-haproxy-exporter +# diff --git a/ansible/inventory b/ansible/inventory index 01e1c637..56f33ac3 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -126,9 +126,11 @@ ams-orchestra.ooni.nu mia-run.ooni.nu ams-api.ooni.nu ams-jupyter.ooni.nu -ams-pg.ooni.nu mia-explorer-test.ooni.nu +[have_nftables] +ams-pg.ooni.nu + [have_nginx] prometheus.infra.ooni.io amsmatomo.ooni.nu diff --git a/ansible/roles/adm/tasks/main.yml b/ansible/roles/adm/tasks/main.yml index cd03a6f5..68551cd4 100644 --- a/ansible/roles/adm/tasks/main.yml +++ b/ansible/roles/adm/tasks/main.yml 
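Review bot: The commented-out exporter blocks (`#- name: install prometheus-postgres-exporter` onward) sit at the top level of the playbook, where a `- name:` entry is parsed as a play rather than a task, so uncommenting them as-is would fail; they belong under a `tasks:` key of the ams-pg play or inside the role. The first block is already redundant, since the postgresql11 role in this same diff installs `prometheus-postgres-exporter`, and the remaining ones reference services (nginx, haproxy) that the role set does not install, so the whole commented section could be dropped rather than kept as dead config.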
@@ -37,9 +37,11 @@ - name: root .ssh/authorized_keys2 template: src=authorized_keys_root dest=/root/.ssh/authorized_keys2 owner=root group=root mode=0400 + # TODO remove direct ssh as root - name: legacy root .ssh/authorized_keys template: src=authorized_keys_root_legacy dest=/root/.ssh/authorized_keys backup=yes owner=root group=root mode=0400 + # TODO remove direct ssh as root - name: require gid=0 for su # to prevent any process doing `su` while knowing The Password lineinfile: diff --git a/ansible/roles/adm/templates/authorized_keys b/ansible/roles/adm/templates/authorized_keys index 6597c31b..9be257ad 100644 --- a/ansible/roles/adm/templates/authorized_keys +++ b/ansible/roles/adm/templates/authorized_keys @@ -1,4 +1,5 @@ -# ansible-managed in ooni-sysadmin.git +# managed by ansible +# see roles/adm/templates/authorized_keys {% for k in passwd[item]['keys'] %} {{ k }} {% endfor %} diff --git a/ansible/roles/adm/templates/sudoers b/ansible/roles/adm/templates/sudoers index f18a8224..43608de3 100644 --- a/ansible/roles/adm/templates/sudoers +++ b/ansible/roles/adm/templates/sudoers @@ -1,4 +1,4 @@ -# ansible-managed in ooni-sysadmin.git +# ansible-managed in roles/adm/templates/sudoers {% for login in adm_logins %} {{ passwd[login].login }} ALL=(ALL:ALL) NOPASSWD: ALL {% endfor %} diff --git a/ansible/roles/base-buster/README.adoc b/ansible/roles/base-buster/README.adoc new file mode 100644 index 00000000..51496452 --- /dev/null +++ b/ansible/roles/base-buster/README.adoc @@ -0,0 +1,2 @@ + +Configure base host based on Buster diff --git a/ansible/roles/base-buster/meta/main.yml b/ansible/roles/base-buster/meta/main.yml new file mode 100644 index 00000000..4f2c687f --- /dev/null +++ b/ansible/roles/base-buster/meta/main.yml 
@@ -0,0 +1,12 @@ +--- +dependencies: + - role: track_etc_directory + - role: adm + become: false + remote_user: root + gather_facts: false + + #- role: ooca-cert + # ooca_ssl_dir: '{{ ngxprom_ssl_dir }}' + # ooca_ssl_subj: '/O=OONI/OU=Prometheus Exporter/CN={{ inventory_hostname }}' + # ooca_ca: exporter_ca diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml new file mode 100644 index 00000000..1330b9d9 --- /dev/null +++ b/ansible/roles/base-buster/tasks/main.yml 
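Review bot: The `adm` dependency is pinned to `remote_user: root` with `become: false`, so every host that uses base-buster keeps depending on direct root SSH — the same access that `roles/adm/tasks/main.yml` in this diff marks `# TODO remove direct ssh as root`. Consider running it with `become: true` under an admin login now (the sudoers template already grants `NOPASSWD: ALL` to `adm_logins`) so that TODO can actually be closed rather than entrenched by a new role. Also, `gather_facts` is a play keyword, not a role keyword; on a role dependency it is presumably passed through as a role variable rather than honoured — confirm, or drop it.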
@@ -0,0 +1,126 @@ +--- +- name: Remove apt repo + file: + path: /etc/apt/sources.list.d/ftp_nl_debian_org_debian.list + state: absent + +- name: Remove apt repo + file: + path: /etc/apt/sources.list.d/security_debian_org.list + state: absent + +- name: Set apt repos + template: + src: templates/sources.list + dest: /etc/apt/sources.list + mode: 0644 + owner: root + +- name: Update apt cache and upgrade packages + apt: + update_cache: yes + upgrade: dist + +- name: Installs base packages + tags: base-packages + apt: + install_recommends: no + cache_valid_time: 86400 + name: + # - prometheus-node-exporter-collectors + - bash-completion + - byobu + - chrony + - fail2ban + - iotop + - manpages + - ncdu + - netdata-core + - netdata-plugins-bash + - netdata-plugins-python + - netdata-web + - nullmailer + - prometheus-node-exporter + - rsync + - strace + - tcpdump + - tmux + +- name: Remove smartmontools + apt: + name: smartmontools + state: absent + +- name: Reset failed smartd + command: systemctl reset-failed + +- name: Autoremove + apt: + autoremove: yes + +- name: Clean cache + apt: + autoclean: yes + +- name: allow netdata.service + blockinfile: + path: /etc/ooni/nftables/tcp/19999.nft + create: yes + block: | + add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.infra.ooni.io/A') }} tcp dport 19999 counter accept comment "netdata.service" + +- name: reload nftables service + systemd: + name: nftables.service + state: reloaded + +- name: configure netdata.service + blockinfile: + path: /etc/netdata/netdata.conf + block: | + # Managed by ansible, see roles/base-buster/tasks/main.yml + [global] + run as user = netdata + web files owner = root + web files group = root + bind socket to IP = 0.0.0.0 + + [plugins] + python.d = yes + +- name: configure netdata chrony + blockinfile: + path: /etc/netdata/python.d/chrony.conf + create: yes + block: | + # Managed by ansible, see roles/base-buster/tasks/main.yml + update_every: 5 + local: + command: 'chronyc -n 
tracking' + +#- name: configure netdata nginx +# blockinfile: +# path: /etc/netdata/python.d/nginx.conf +# create: yes +# block: | +# # Managed by ansible, see roles/base-buster/tasks/main.yml +# update_every: 5 +# nginx_log: +# name : 'nginx_log' +# path : '/var/log/nginx/access.log' + +#- name: configure netdata haproxy +# blockinfile: +# path: /etc/netdata/python.d/haproxy.conf +# block: | +# # Managed by ansible, see roles/base-buster/tasks/main.yml +# update_every: 5 +# via_url: +# url: 'http://127.0.0.1:7000/haproxy_stats;csv;norefresh' + +- name: restart netdata service + systemd: + name: netdata.service + state: restarted + + diff --git a/ansible/roles/base-buster/templates/sources.list b/ansible/roles/base-buster/templates/sources.list new file mode 100644 index 00000000..57415bf8 --- /dev/null +++ b/ansible/roles/base-buster/templates/sources.list @@ -0,0 +1,7 @@ +# Managed by ansible +# roles/base-buster/templates/sources.list + +deb http://deb.debian.org/debian buster main contrib non-free +deb http://security.debian.org/debian-security buster/updates main contrib non-free +deb http://deb.debian.org/debian buster-backports main +deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc new file mode 100644 index 00000000..e3bef58f --- /dev/null +++ b/ansible/roles/nftables/README.adoc 
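Review bot: `bind socket to IP = 0.0.0.0` in the `configure netdata.service` task exposes the netdata dashboard (which has no authentication of its own by default) on every interface, with the only control being the `19999.nft` rule — which is built from a deploy-time `lookup('dig', 'prometheus.infra.ooni.io/A')`, so a wrong or spoofed DNS answer on the controller goes straight into the firewall and the rule is never refreshed when the record changes. Prefer binding netdata to localhost or the host's private address and pinning the allowed source in an inventory variable, e.g. `add rule inet filter input ip saddr {{ prometheus_ip }} tcp dport 19999 counter accept comment "netdata.service"`. The `reload nftables service` task also assumes `nftables.service` already exists; in the postgresql11 role this base role is listed before `nftables`, so on a host where the package was not installed beforehand the reload fails. Finally, `upgrade: dist` with no guard runs a full upgrade of the database host on every play, which turns a config deploy into an unreviewed package upgrade.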
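Review bot: `deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main` disables apt's Release-signature verification for that repository, so anything served from it — or injected by whoever controls the bucket or can intercept the connection — is installed as root without any integrity check; HTTPS only protects the transport, not the provenance of the packages. Ship the repository's signing key under `/usr/share/keyrings/` and reference it with `deb [signed-by=/usr/share/keyrings/ooni.gpg] https://... unstable main` instead. It is also worth asking whether a repository named `internal-pull-requests` / `unstable` should be enabled unconditionally by the base role on the production database host.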
@@ -0,0 +1,25 @@ +Install nftables based firewall + +Set up /etc/ooni/nftables/ + +Rules for specific services are *not* configured by this role + +When creating rules to accept TCP traffic from any IPv4/6 address, +files are named with the port number to detect collisions. + +Example (also see roles/nftables/tasks/main.yml): + +/etc/ooni/nftables/tcp/8080.nft + +``` +add rule inet filter input tcp dport 8080 counter accept comment "MyService" +``` + + +Otherwise: + +/etc/ooni/nftables/tcp/5432_postgres_internal.nft + +``` +add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL" +``` diff --git a/ansible/roles/nftables/tasks/main.yml b/ansible/roles/nftables/tasks/main.yml new file mode 100644 index 00000000..955a760b --- /dev/null +++ b/ansible/roles/nftables/tasks/main.yml @@ -0,0 +1,34 @@ +--- +- name: Install nftables + apt: + cache_valid_time: 86400 + name: nftables + +- name: create config dir + file: + path: /etc/ooni/nftables/tcp + state: directory + owner: root + group: root + mode: 0755 + +- name: allow SSH + blockinfile: + path: /etc/ooni/nftables/tcp/22.nft + create: yes + block: | + add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH" + +- name: Overwrite nftables.conf + template: + src: templates/nftables.conf + dest: /etc/nftables.conf + mode: 0755 + owner: root + +- name: Enable and start nftables service + systemd: + name: nftables.service + state: reloaded + enabled: yes + diff --git a/ansible/roles/nftables/templates/nftables.conf b/ansible/roles/nftables/templates/nftables.conf new file mode 100755 index 00000000..abfca0cd --- /dev/null +++ b/ansible/roles/nftables/templates/nftables.conf 
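Review bot: The `Overwrite nftables.conf` task installs a `policy drop` ruleset and the next task reloads it without any syntax check, so a typo in the template or in any included `/etc/ooni/nftables/**/*.nft` file makes the reload fail; the old ruleset stays in the kernel, but after the next reboot `nftables.service` fails to start and the host comes up with no firewall — which matters here because the pg_hba.conf in this diff relies on nftables as its only authentication. Add `validate: 'nft -c -f %s'` to the template task (`nft -c` parses the included files too) and run the same check in the roles that drop files into `/etc/ooni/nftables/` before their `reloaded` step.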
@@ -0,0 +1,37 @@ +#!/usr/sbin/nft -f +# +# Nftables configuration script +# +# Managed by ansible +# roles/nftables/templates/nftables.conf +# +# The ruleset is applied atomically + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; + policy drop; + iif lo accept comment "Accept incoming traffic from localhost" + ct state invalid drop + ct state established,related accept comment "Accept traffic related to outgoing connections" + } + + chain forward { + type filter hook forward priority 0; + policy accept; + } + + chain output { + type filter hook output priority 0; + policy accept; + } +} + +# Configure TCP traffic rules +include "/etc/ooni/nftables/tcp/*.nft" + +# Configure any other rule +include "/etc/ooni/nftables/*.nft" + diff --git a/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem b/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/ansible/roles/nginx-buster/files/ssl_intermediate.conf b/ansible/roles/nginx-buster/files/ssl_intermediate.conf new file mode 100644 index 00000000..96d2e6e2 --- /dev/null +++ b/ansible/roles/nginx-buster/files/ssl_intermediate.conf 
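Review bot: The input chain drops everything not matched and nothing accepts ICMP or ICMPv6, so IPv6 neighbour discovery and ICMP control messages not covered by `ct state related` are dropped; this commonly leaves IPv6 unreachable and breaks path-MTU discovery. Add a rule such as `meta l4proto { icmp, ipv6-icmp } accept comment "ICMP and NDP"` (or at least the NDP and echo types) after the `ct state established,related accept` line. Dropped packets are also discarded silently; a rate-limited `limit rate 5/minute log prefix "nft-drop: "` as the last rule would make lockouts and probes visible.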
@@ -0,0 +1,3 @@ +# Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7 +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; diff --git a/ansible/roles/nginx-buster/files/ssl_modern.conf b/ansible/roles/nginx-buster/files/ssl_modern.conf new file mode 100644 index 00000000..9ad7c11d --- /dev/null +++ b/ansible/roles/nginx-buster/files/ssl_modern.conf @@ -0,0 +1,4 @@ +# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +# NB: technically, it does not require ssl_dhparam as it has no DHE, only ECDHE. diff --git a/ansible/roles/nginx-buster/tasks/main.yml b/ansible/roles/nginx-buster/tasks/main.yml new file mode 100644 index 00000000..f48c9ef3 --- /dev/null +++ b/ansible/roles/nginx-buster/tasks/main.yml 
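Review bot: `ssl_intermediate.conf` re-enables `TLSv1 TLSv1.1` and the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), which contradicts the `nginx.conf` template in the same diff that states the intermediate profile as `ssl_protocols TLSv1.2 TLSv1.3;` per Mozilla guideline v5.4. Any vhost that includes this snippet silently downgrades to TLS 1.0/1.1 and 3DES (SWEET32); regenerate it from the same generator as nginx.conf or drop it so there is a single source of truth for the TLS profile.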
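Review bot: `ssl_modern.conf` labels a TLS 1.2-only list that still includes CBC suites (`ECDHE-ECDSA-AES256-SHA384` etc.) as "modern", which does not match the Mozilla v5.4 "modern" profile the rest of this diff references (TLS 1.3 only, no cipher list needed), so the "Oldest compatible clients" header will mislead whoever picks the snippet. Either rename it to say what it is or regenerate it with `ssl_protocols TLSv1.3;` from the same generator version used for nginx.conf.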
@@ -0,0 +1,32 @@ +--- +- name: install stable nginx + apt: + name: nginx + cache_valid_time: 86400 + +# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 +# +# Guide https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups +# suggests ffdhe2048 instead of `openssl dhparam` to avoid https://weakdh.org/ +- name: copy nginx configuration snippets + copy: src={{item}} dest=/etc/nginx/{{ item }} mode=0444 owner=root group=root + with_items: + - ffdhe2048_dhparam.pem # ffdhe2048 Diffie-Hellman parameters + - ssl_intermediate.conf + - ssl_modern.conf + +- name: remove `default` vhost + file: path={{item}} state=absent + notify: reload nginx + with_items: + - /etc/nginx/conf.d/default.conf + - /etc/nginx/sites-available/default + - /etc/nginx/sites-enabled/default + +- name: set nginx.conf + template: + src=nginx.conf + dest=/etc/nginx/nginx.conf + mode=0444 + notify: reload nginx +... diff --git a/ansible/roles/nginx-buster/templates/nginx.conf b/ansible/roles/nginx-buster/templates/nginx.conf new file mode 100644 index 00000000..a4d1dac1 --- /dev/null +++ b/ansible/roles/nginx-buster/templates/nginx.conf 
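Review bot: Both `remove default vhost` and `set nginx.conf` use `notify: reload nginx`, but this diff adds no `handlers/main.yml` to the nginx-buster role; unless another role or the playbook defines that handler, Ansible aborts when the task tries to notify it. The nginx.conf template is also written with no syntax check — add `validate: 'nginx -t -c %s'` to the `set nginx.conf` task so a broken config is rejected before the reload takes the site down, which matters given the placeholder certificate paths in the template. Style: the file mixes `key=value` task syntax with block YAML; the other new roles in this diff use block YAML throughout.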
@@ -0,0 +1,101 @@ + +# Managed by ansible +# roles/nginx-buster/templates/nginx.conf +# +# Generated with: +# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 +# + +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +# anonymize ipaddr +map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+\.\d+)\. $ip.0; + ~(?P[^:]+:[^:]+): $ip::; + default 0.0.0.0; +} + +# log anonymized ipaddr and caching status +#log_format apilogfmt '$remote_addr_anon $upstream_cache_status [$time_local] ' +# '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'; + + +http { + + # Basic Settings + + sendfile on; + tcp_nopush on; # TCP_CORK HTTP headers with sendfile() body into single packet + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Logging Settings + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + # Gzip Settings + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + # Virtual Host Configs + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; + + + ## SSL configuration + + # generated 2020-06-25, Mozilla Guideline v5.4, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration + # https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /path/to/signed_cert_plus_intermediates; + ssl_certificate_key /path/to/private_key; + ssl_session_timeout 1d; + 
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + ssl_dhparam /etc/nginx/ffdhe2048_dhparam.pem; # https://tools.ietf.org/html/rfc7919 + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; + +} + diff --git a/ansible/roles/postgresql11/meta/main.yml b/ansible/roles/postgresql11/meta/main.yml new file mode 100644 index 00000000..9be116a0 --- /dev/null +++ b/ansible/roles/postgresql11/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: base-buster + - role: nftables diff --git a/ansible/roles/postgresql11/tasks/main.yml b/ansible/roles/postgresql11/tasks/main.yml new file mode 100644 index 00000000..1e84bdb3 --- /dev/null +++ b/ansible/roles/postgresql11/tasks/main.yml 
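Review bot: The `## SSL configuration` section pasted from the generator sits directly inside `http { }`, but `listen`, `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` are server-context directives and `/path/to/signed_cert_plus_intermediates` etc. are placeholders, so `nginx -t` rejects this file; the `map $remote_addr $remote_addr_anon` block above `http { }` is likewise only valid inside `http`. Keep only the context-free defaults (`ssl_session_*`, `ssl_dhparam`, `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_stapling*`) at http level, move the `listen`/certificate directives into each vhost's `server` block, and move the `map` into `http { }`. Two smaller points: `add_header Strict-Transport-Security` at http level is inherited by plain-HTTP servers too, and `# server_tokens off;` is still commented out — enabling it stops the nginx version being advertised in headers and error pages.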
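Review bot: The dependency order `base-buster` then `nftables` means base-buster's tasks, which write `/etc/ooni/nftables/tcp/19999.nft` and reload `nftables.service`, run before the nftables role has installed the package; on a host where nftables was not already present the base role fails at the reload. Either list `- role: nftables` first here, or make base-buster itself depend on nftables so the ordering holds regardless of which role pulls it in.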
@@ -0,0 +1,79 @@ +--- +- name: Create vg.metadb Volume Group + lvg: + vg: vg.metadb + pvs: + - /dev/xvdb1 + - /dev/xvdc1 + - /dev/xvdd1 + - /dev/xvde1 + - /dev/xvdf1 + - /dev/xvdg1 + - /dev/xvdh1 + +- name: Create metadb logical volume + lvol: + vg: vg.metadb + lv: metadb + size: 100%VG + +- name: Create filesystem for metadb + filesystem: + fstype: ext4 + dev: /dev/vg.metadb/metadb + opts: -L metadb + +- name: Mount metadb FS + mount: + fstype: ext4 + opts: noatime + path: /var/lib/postgresql + src: LABEL=metadb + state: mounted + +- name: install PG11 and its prom exporter + apt: + cache_valid_time: 86400 + name: + - postgresql-11 + - prometheus-postgres-exporter + +- name: Overwrite pg_hba.conf + template: + src: templates/pg_hba.conf + dest: /etc/postgresql/11/main/pg_hba.conf + mode: 0644 + owner: root + +- name: Overwrite postgresql.conf + template: + src: templates/postgresql.conf + dest: /etc/postgresql/11/main/postgresql.conf + mode: 0644 + owner: root + +- name: Reload pg after conf change + service: name=postgresql state=reloaded + +- name: allow prometheus-postgres-exporter.service + blockinfile: + path: /etc/ooni/nftables/tcp/9187.nft + create: yes + block: | + add rule inet filter input tcp dport 9187 counter accept comment "prometheus-postgres-exporter.service" + +- name: allow incoming TCP connections to database + blockinfile: + path: /etc/ooni/nftables/tcp/5432.nft + create: yes + block: | + add rule inet filter input ip saddr {{ lookup('dig', 'ams-api.ooni.nu/A') }} tcp dport 5432 counter accept comment "incoming psql" + add rule inet filter input ip saddr {{ lookup('dig', 'ams-jupyter.ooni.nu/A') }} tcp dport 5432 counter accept comment "incoming psql" + add rule inet filter input ip saddr {{ lookup('dig', 'datacollector.infra.ooni.io/A') }} tcp dport 5432 counter accept comment "incoming psql" + add rule inet filter input ip saddr {{ lookup('dig', 'fastpath.ooni.nu/A') }} tcp dport 5432 counter accept comment "incoming psql" + +- name: reload 
nftables service + systemd: + name: nftables.service + state: reloaded + diff --git a/ansible/roles/postgresql11/templates/pg_hba.conf b/ansible/roles/postgresql11/templates/pg_hba.conf new file mode 100644 index 00000000..883d0b6c --- /dev/null +++ b/ansible/roles/postgresql11/templates/pg_hba.conf 
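Review bot: The `allow prometheus-postgres-exporter.service` rule accepts `tcp dport 9187` from any source, so the exporter's metrics (database names, table and row counts, activity) become world-readable, whereas the netdata rule in base-buster is scoped to the Prometheus host; use the same scoping here, `add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.infra.ooni.io/A') }} tcp dport 9187 counter accept comment "prometheus-postgres-exporter.service"`. The `5432.nft` allowlist is resolved once at deploy time via `lookup('dig', ...)`, so the firewall goes stale when any of those A records move and is only as trustworthy as the controller's DNS path; fixed IPs in inventory variables would be both auditable and refresh-safe. Separately, `Reload pg after conf change` runs unconditionally, and a reload does not apply `listen_addresses = '*'` (restart-only), so on first deploy the server keeps listening on localhost until something else restarts it — register the two template results and restart when either changed.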
@@ -0,0 +1,109 @@ +# Managed by ansible +# roles/postgresql11/templates/pg_hba.conf + + +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. 
+# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + + + + +# DO NOT DISABLE! +# If you change this first entry you will need to make sure that the +# database superuser can access the database using some other method. 
+# Noninteractive access to all databases is required during automatic +# maintenance (custom daily cronjobs, replication, and similar tasks). +# +# Database administrative login by Unix domain socket +local all postgres peer + +# TYPE DATABASE USER ADDRESS METHOD + +# Unix domain socket: allow all local connections without password +local all all trust + +# IPv4 local connections: +host all all 127.0.0.1/32 md5 +host all all 127.0.0.1/32 md5 +# IPv6 local connections: +host all all ::1/128 md5 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all peer +host replication all 127.0.0.1/32 md5 +host replication all ::1/128 md5 + +# Allow incoming SSL connections without password +# protected by filtering on source ipaddr using nftables +hostssl all all 0.0.0.0/0 trust diff --git a/ansible/roles/postgresql11/templates/postgresql.conf b/ansible/roles/postgresql11/templates/postgresql.conf new file mode 100644 index 00000000..506e4c0b --- /dev/null +++ b/ansible/roles/postgresql11/templates/postgresql.conf 
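Review bot: `local all all trust` together with `hostssl all all 0.0.0.0/0 trust` means any local Unix account (netdata, www-data, the exporter's service user, ...) and any IPv4 host that gets past nftables can log in as any role, including the `postgres` superuser, with no credential at all; the comment above the last line acknowledges that the firewall is the only authentication. An IP allowlist derived from DNS lookups, or a single compromised allowlisted host such as the Jupyter box, is a thin barrier for superuser access. At minimum keep `local` at `peer`, exclude superusers before the trust line with `hostssl all postgres 0.0.0.0/0 reject`, and preferably require a credential for remote users — `hostssl all all 0.0.0.0/0 scram-sha-256` (with `password_encryption = scram-sha-256` in postgresql.conf) or `cert clientcert=1` backed by a real CA rather than the snakeoil certificate. The duplicated `host all all 127.0.0.1/32 md5` line is harmless but should go.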
@@ -0,0 +1,699 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. 
+ +data_directory = '/var/lib/postgresql/11/main' # use data in another directory + # (change requires restart) +hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file + # (change requires restart) +ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +#listen_addresses = 'localhost' # what IP address(es) to listen on; +listen_addresses = '*' + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = md5 # md5 or scram-sha-256 +#db_user_namespace 
= off + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +ssl = on +#ssl_ca_file = '' +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' +#ssl_crl_file = '' +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 4011MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. 
+# TODO restore after import +work_mem = 32MB # min 64kB +# TODO restore after import +maintenance_work_mem = 1024MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # use none to disable dynamic shared memory + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG 
+#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # (change requires restart) +# TODO +fsync = off # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +# TODO +synchronous_commit = off # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +# TODO restore after import +full_page_writes = off # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +# TODO disabled after restore +wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 1GB +min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. 
+ +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +seq_page_cost = 1.0 # measured on an arbitrary scale +random_page_cost = 1.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as 
above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +effective_cache_size = 12035MB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = off # allow JIT compilation + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. 
+ # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints 
= off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Etc/UTC' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '11/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + 
+#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +# TODO restore after import +autovacuum = off # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = 
'' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples + # before index cleanup, 0 always performs + # index cleanup +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'Etc/UTC' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 0 # min -15, max 3 +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. 
+lc_messages = 'C.UTF-8' # locale for system error message + # strings +lc_monetary = 'C.UTF-8' # locale for monetary formatting +lc_numeric = 'C.UTF-8' # locale for number formatting +lc_time = 'C.UTF-8' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Shared Library Preloading - + +#shared_preload_libraries = '' # (change requires restart) +#local_preload_libraries = '' +#session_preload_libraries = '' +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? 
+#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +include_dir = 'conf.d' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2 index ce8c021d..421aab6d 100755 --- a/ansible/roles/prometheus/templates/prometheus.yml.j2 +++ b/ansible/roles/prometheus/templates/prometheus.yml.j2 @@ -51,7 +51,7 @@ scrape_configs: module: [{{ bbjob.module }}] static_configs: - targets: -{% for target in bbjob.targets %} +{% for target in (bbjob.targets|sort) %} - {{ target }} {% endfor %} relabel_configs: @@ -135,7 +135,7 @@ scrape_configs: key_file: "{{ prometheus_ssl_dir }}/{{ inventory_hostname }}.key" static_configs: - targets: -{% for host in (groups.all) %} +{% for host in (groups.all|sort) %} - {{ host }}:9100 {% endfor %} 
@@ -151,10 +151,30 @@ scrape_configs: key_file: "{{ prometheus_ssl_dir }}/{{ inventory_hostname }}.key" static_configs: - targets: -{% for host in (groups.have_netdata) %} +{% for host in (groups.have_netdata|sort) %} - {{ host }}:9100 {% endfor %} + - job_name: 'raw-netdata' + scrape_interval: 5s + scheme: http + metrics_path: "/api/v1/allmetrics?format=prometheus&help=yes" + params: + format: [prometheus] + static_configs: + - targets: + - ams-pg.ooni.nu:19999 + +# - job_name: 'raw postgres-exporter' +# scrape_interval: 5s +# scheme: https +# metrics_path: /api/v1/allmetrics +# params: +# format: [prometheus] +# static_configs: +# - targets: +# - ams-pg.ooni.nu:9187 + - job_name: 'gorush' scrape_interval: 5s scheme: https
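Review bot: The new `raw-netdata` job scrapes `ams-pg.ooni.nu:19999` over plain `scheme: http` with no `tls_config`, whereas the neighbouring `netdata` and node jobs in this file go over https with a per-host `key_file`; as far as the hunk shows, netdata's `/api/v1/allmetrics` endpoint carries no authentication either, so anything that can reach port 19999 gets the full host metric stream in cleartext. Either scrape it the same way as the `netdata` job above (https plus the client key) or confirm, before merging, that the host firewall only admits the Prometheus scraper on 19999, and record that assumption in a comment above the job. Separately, `format=prometheus` is given both in the `metrics_path` query string and in `params:`, so Prometheus will send `format` twice; keep it in one place, e.g. `metrics_path: /api/v1/allmetrics` with `params: {format: [prometheus], help: ['yes']}` — note `yes` must be quoted, because a YAML 1.1 loader turns a bare `yes` into a boolean and Prometheus expects a string list.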