diff --git a/packer/files/haproxy-http.xml b/packer/files/haproxy-http.xml
new file mode 100644
index 0000000..fee9a01
--- /dev/null
+++ b/packer/files/haproxy-http.xml
@@ -0,0 +1,6 @@
+
+
+HAProxy-HTTP
+HAProxy load-balancer
+
+
diff --git a/packer/files/haproxy-https.xml b/packer/files/haproxy-https.xml
new file mode 100644
index 0000000..026073d
--- /dev/null
+++ b/packer/files/haproxy-https.xml
@@ -0,0 +1,6 @@
+
+
+HAProxy-HTTPS
+HAProxy load-balancer
+
+
diff --git a/packer/files/postgres.service b/packer/files/postgres.service
new file mode 100644
index 0000000..48914b5
--- /dev/null
+++ b/packer/files/postgres.service
@@ -0,0 +1,21 @@
+Documentation=man:postgres(1)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=postgres
+
+# Disable OOM kill
+OOMScoreAdjust=-1000
+Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
+Environment=PG_OOM_ADJUST_VALUE=0
+
+ExecStart=/usr/local/pgsql/bin/postgres -D /var/lib/pgsql/data
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+KillSignal=SIGINT
+TimeoutSec=infinity
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
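Review bot: The first three assignments of the new unit (`Documentation=`, `After=`, `Wants=`) appear before any section header, and systemd ignores assignments that are outside a section, so the `network-online.target` ordering will not actually apply and the unit will warn at load time. Add `[Unit]` and a `Description=PostgreSQL database server` line ahead of `Documentation=man:postgres(1)`. The `OOMScoreAdjust=-1000` plus `PG_OOM_ADJUST_VALUE=0` pairing exempts only the postmaster while leaving backends killable, which is the pattern PostgreSQL documents, but a comment saying so next to `# Disable OOM kill` would stop a later reader from "fixing" it to cover every process.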
diff --git a/packer/files/relabel_ndb.sh b/packer/files/relabel_ndb.sh
new file mode 100644
index 0000000..98037ad
--- /dev/null
+++ b/packer/files/relabel_ndb.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Relabel system
+sudo restorecon -Rv /
+# Reconfigure selinux to enforce mode for reboots
+sudo sed -i 's/^SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
+# Immediately reenable selinux enforce mode
+sudo setenforce 1
\ No newline at end of file
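Review bot: The script never confirms that enforcement actually came back on: there is no `set -e`, so a non-zero exit from `restorecon` or from `sudo setenforce 1` is silently dropped and a failed run leaves the guest in the permissive state the install script deliberately put it in. Add `set -euo pipefail` after the shebang and end with a check such as `[ "$(getenforce)" = "Enforcing" ] || { echo 'SELinux is not enforcing' >&2; exit 1; }`. The `sed` only turns `permissive` back into `enforcing`; if the config were ever `disabled` it would stay that way, so a one-line comment stating that assumption is worth adding.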
diff --git a/packer/postgres/postgres.pkr.hcl b/packer/postgres/postgres.pkr.hcl
index 269d611..6008d98 100644
--- a/packer/postgres/postgres.pkr.hcl
+++ b/packer/postgres/postgres.pkr.hcl
@@ -69,14 +69,18 @@ build {
timeout = "20m"
}
+ provisioner "file" {
+ source = "../files"
+ destination = "/tmp"
+ }
+
provisioner "shell" {
+ execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
environment_vars = [
"POSTGRES_VERSION=${var.postgres_version}",
"POSTGIS_VERSION=${var.postgis_version}"
]
- execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
script = "../scripts/postgres-install.sh"
- timeout = "15m"
}
provisioner "shell" {
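Review bot: The shell provisioner in this hunk loses its `timeout = "15m"` with no replacement, while the script it runs now compiles PostgreSQL, GEOS and PostGIS from source; as far as I recall Packer applies no timeout unless one is set, so a hung download or build would stall the run indefinitely instead of failing. Put back an explicit bound sized to a measured build, e.g. `timeout = "60m"`, next to `script`. The new `file` provisioner stages `../files` under `/tmp`, which is world-readable on the guest; that is fine for the unit and firewalld definitions added here, but a comment noting that nothing sensitive belongs in that directory would prevent it from becoming a drop point for secrets later. The second `provisioner "shell"` on the last line continues outside the hunk.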
diff --git a/packer/postgres/variables.pkr.hcl b/packer/postgres/variables.pkr.hcl
index abadf78..3644a76 100644
--- a/packer/postgres/variables.pkr.hcl
+++ b/packer/postgres/variables.pkr.hcl
@@ -17,13 +17,13 @@ variable "base_image_name" {
variable "postgres_version" {
type = string
description = "Postgres major version to install on the Image"
- default = "14"
+ default = "15.8"
}
variable "postgis_version" {
type = string
description = "Postgis version to install"
- default = "postgis33_14"
+ default = "3.5.0"
}
variable "image_delete" {
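Review bot: The description of `postgres_version` still says "major version", but the new default `15.8` is a full release version and the install script uses it to fetch `postgresql-${POSTGRES_VERSION}.tar.bz2`, which a major-only value such as `15` would not resolve. Change it to `description = "Full PostgreSQL release version (e.g. 15.8) to build from source"`. `postgis_version` likewise switched from a package name to a release number, so `description = "PostGIS release version to build from source"` would make the new expectation explicit.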
diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh
index 1e216ed..f8c4e25 100644
--- a/packer/scripts/install-deps.sh
+++ b/packer/scripts/install-deps.sh
@@ -2,7 +2,7 @@
set -e
# Install dependencies and cli tools needed by other packer scripts and NDB service
-dnf update -y && yum upgrade -y
+dnf update -y
dnf install -y ansible unzip iptables nftables wget lvm2* zip lsof rsync network-scripts
# Ensure that ansible collections needed are installed
diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh
index b2e6d73..3698882 100644
--- a/packer/scripts/os-stig.sh
+++ b/packer/scripts/os-stig.sh
@@ -10,3 +10,10 @@ unzip *-ansible.zip
TASKS_FILE=$( find roles/*/tasks -name main.yml -type f )
sed -i '/notify: do_reboot/d' $TASKS_FILE
chmod +x enforce.sh && ./enforce.sh
+
+# FIPS hosts can't use ed25519 keys, so comment out the hostkey from the sshd_config
+sed -i 's|^HostKey /etc/ssh/ssh_host_ed25519_key|#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config
+
+# User password setting changes. Accounts are used to access VMs with SSH using ssh keys, but expired passwords prevent SSH from working even with ssh-keys so passwords shouldn't expire
+sed -i 's/^PASS_MAX_DAYS [0-9]\+/PASS_MAX_DAYS -1/' /etc/login.defs
+sed -i 's/^PASS_MIN_DAYS [0-9]\+/PASS_MIN_DAYS 0/' /etc/login.defs
\ No newline at end of file
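Review bot: The two `sed` edits to `/etc/login.defs` only change the defaults applied to accounts created afterwards; an account that already exists when this runs keeps the aging values it was created with, so if the STIG role earlier in the script set a short `PASS_MAX_DAYS`, those users can still expire and lose key-based SSH exactly as the comment describes. Apply the change to existing login accounts too, e.g. `chage -M -1 -m 0 <account>` per account, and confirm with `chage -l`. Since this relaxes a STIG control, extend the comment above the two `sed` lines to name the finding being deviated from so the deviation can be tracked; the rationale is already there. The enclosing script starts above the hunk.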
diff --git a/packer/scripts/postgres-install.sh b/packer/scripts/postgres-install.sh
index ddd653c..19288cc 100644
--- a/packer/scripts/postgres-install.sh
+++ b/packer/scripts/postgres-install.sh
@@ -1,12 +1,90 @@
#!/bin/bash
set -e
-wget https://apt.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL
-sudo rpm --import PGDG-RPM-GPG-KEY-RHEL
-sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
-sudo dnf -qy module disable postgresql
-sudo dnf install -y postgresql${POSTGRES_VERSION}-server
-sudo rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
-sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
-sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
-sudo dnf install -y ${POSTGIS_VERSION}
+export PATH=$PATH:/usr/local/bin
+subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
+dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+dnf groupinstall -y "Development Tools"
+dnf install -y zlib-devel readline-devel libicu-devel systemd-devel cmake libxml2-devel proj-devel gdal-devel protobuf-devel protobuf-c-devel json-c-devel
+
+dnf -qy module disable postgresql
+
+wget https://ftp.postgresql.org/pub/source/v${POSTGRES_VERSION}/postgresql-${POSTGRES_VERSION}.tar.bz2
+
+tar -xvf postgresql-${POSTGRES_VERSION}.tar.bz2
+cd postgresql-${POSTGRES_VERSION}/
+ls -l
+
+./configure --with-systemd
+make
+make install
+useradd postgres
+useradd etcd
+echo 'export PATH=$PATH:/usr/local/bin:/usr/local/pgsql/bin' >> /home/postgres/.bashrc
+cd
+
+# Install postgis
+## Install GEOS from source
+wget https://download.osgeo.org/geos/geos-3.13.0.tar.bz2
+# Unpack and setup build directory
+tar xvfj geos-3.13.0.tar.bz2
+cd geos-3.13.0
+mkdir _build
+cd _build
+# Set up the build
+cmake \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_INSTALL_PREFIX=/usr/local \
+ ..
+# Run the build, test, install
+make
+make install
+cd
+
+## Install postgis from source
+wget https://postgis.net/stuff/postgis-${POSTGIS_VERSION}.tar.gz
+tar -xvzf postgis-${POSTGIS_VERSION}.tar.gz
+cd postgis-${POSTGIS_VERSION}
+./configure --with-pgconfig=/usr/local/pgsql/bin/pg_config
+make
+make install
+cd
+
+# Install HA postgres deps
+
+dnf install -y python3-devel python3-psycopg2 haproxy keepalived
+wget https://github.com/etcd-io/etcd/releases/download/v3.5.16/etcd-v3.5.16-linux-amd64.tar.gz
+tar xzvf etcd-v3.5.16-linux-amd64.tar.gz
+cp etcd-v3.5.16-linux-amd64/etcd* /usr/bin/.
+
+sudo pip3 install --force-reinstall cdiff
+sudo pip3 install --force-reinstall -v "patroni[etcd]==3.2.2"
+
+mkdir /var/lib/etcd
+chown etcd:etcd /var/lib/etcd/
+
+# Move files
+
+# Copy the postgres systemd service into the correct location for NDB
+cp /tmp/files/postgres.service /etc/systemd/system/era_postgres.service
+cp /tmp/files/haproxy* /etc/firewalld/services/.
+cd /etc/firewalld/services
+restorecon haproxy-http.xml
+restorecon haproxy-https.xml
+chmod 640 haproxy*
+
+# Copy relabel script into permanent location to resolve issues with NDB not setting SELinux labels properly after copying files onto a new DB from a profile
+cp /tmp/files/relabel_ndb.sh /usr/local/bin/.
+chmod +x /usr/local/bin/relabel_ndb.sh
+
+# Set up watchdog
+modprobe softdog
+chown postgres /dev/watchdog
+
+# Turn off pwquality enforcement. NDB can have issues creating new DBs from a profile caused by not being able to update the NDB user password
+echo "enforcing = 0" >> /etc/security/pwquality.conf
+
+# Set SELinux to permissive mode which is required in some cases to get NDB to properly create a new DB from a profile. The relabel_ndb.sh should be called in the NDB post_create_script to relabel the machine and turn SELinux enforcement back on
+sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
+sudo setenforce 0
\ No newline at end of file
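Review bot: Every artifact this script now builds or installs — the PostgreSQL, GEOS and PostGIS tarballs fetched with `wget`, the etcd release archive, and the `pip3 install` of patroni and cdiff — is used with no integrity check, whereas the `dnf`-based version it replaces was covered by repository GPG signatures; a tampered or truncated download would be compiled straight into the image. Pin a SHA-256 for each tarball in the repository and fail the build on mismatch, as sketched below, and for the pip installs use a hash-pinned requirements file with `--require-hashes`. Separately, `modprobe softdog` and `chown postgres /dev/watchdog` near the end only affect the build VM, since neither survives a reboot of the produced image; persist them with `echo softdog > /etc/modules-load.d/softdog.conf` and a udev rule such as `KERNEL=="watchdog", OWNER="postgres", GROUP="postgres", MODE="0600"` under `/etc/udev/rules.d/`. The `sudo` prefixes on `pip3`, `sed` and `setenforce` are redundant because the provisioner already runs this script under `sudo`.
```shell
# Download a release tarball and abort the build unless it matches the pinned SHA-256.
fetch_verified() {
    local url="$1" sha="$2" file
    file="$(basename "$url")"
    wget "$url"
    echo "${sha}  ${file}" | sha256sum -c - || { echo "checksum mismatch for ${file}" >&2; exit 1; }
}

# Pinned checksums: <PLACEHOLDER> values must be filled in from the upstream release announcements.
fetch_verified "https://ftp.postgresql.org/pub/source/v${POSTGRES_VERSION}/postgresql-${POSTGRES_VERSION}.tar.bz2" "<PG_SHA256_PLACEHOLDER>"
# … unchanged: tar/configure/make/install of postgresql, user creation …
fetch_verified "https://download.osgeo.org/geos/geos-3.13.0.tar.bz2" "<GEOS_SHA256_PLACEHOLDER>"
# … unchanged: geos cmake build …
fetch_verified "https://postgis.net/stuff/postgis-${POSTGIS_VERSION}.tar.gz" "<POSTGIS_SHA256_PLACEHOLDER>"
# … unchanged: postgis build …
fetch_verified "https://github.com/etcd-io/etcd/releases/download/v3.5.16/etcd-v3.5.16-linux-amd64.tar.gz" "<ETCD_SHA256_PLACEHOLDER>"
# … unchanged: etcd install, pip installs, file moves, watchdog, SELinux …
```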