defenseunicorns · jacobbmay · Oct 18, 2024 · Oct 18, 2024 · Oct 18, 2024 · Oct 21, 2024
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>HAProxy-HTTP</short>
+<description>HAProxy load-balancer</description>
+<port protocol="tcp" port="80"/>
+</service>
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>HAProxy-HTTPS</short>
+<description>HAProxy load-balancer</description>
+<port protocol="tcp" port="443"/>
+</service>
@@ -0,0 +1,21 @@
+Documentation=man:postgres(1)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=postgres
+
+# Disable OOM kill
+OOMScoreAdjust=-1000
+Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
+Environment=PG_OOM_ADJUST_VALUE=0
+
+ExecStart=/usr/local/pgsql/bin/postgres -D /var/lib/pgsql/data
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+KillSignal=SIGINT
+TimeoutSec=infinity
+
+[Install]
+WantedBy=multi-user.target
@@ -69,14 +69,18 @@ build {
     timeout           = "20m"
   }
 
+  provisioner "file" {
+    source      = "../files"
+    destination = "/tmp"
+  }
+
   provisioner "shell" {
+    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
     environment_vars = [
       "POSTGRES_VERSION=${var.postgres_version}",
       "POSTGIS_VERSION=${var.postgis_version}"
     ]
-    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
     script          = "../scripts/postgres-install.sh"
-    timeout         = "15m"
   }
 
   provisioner "shell" {

@@ -17,13 +17,13 @@ variable "base_image_name" {
 variable "postgres_version" {
   type        = string
   description = "Postgres major version to install on the Image"
-  default     = "14"
+  default     = "15.8"
 }
 
 variable "postgis_version" {
   type        = string
   description = "Postgis version to install"
-  default     = "postgis33_14"
+  default     = "3.5.0"
 }
 
 variable "image_delete" {

@@ -2,7 +2,7 @@
 set -e
 
 # Install dependencies and cli tools needed by other packer scripts and NDB service
-dnf update -y && yum upgrade -y
+dnf update -y
 dnf install -y ansible unzip iptables nftables wget lvm2* zip lsof rsync network-scripts
 
 # Ensure that ansible collections needed are installed 

@@ -10,3 +10,10 @@ unzip *-ansible.zip
 TASKS_FILE=$( find roles/*/tasks -name main.yml -type f )
 sed -i '/notify: do_reboot/d' $TASKS_FILE
 chmod +x enforce.sh && ./enforce.sh
+
+# FIPS hosts can't use ed25519 keys, so comment out the hostkey from the sshd_config
+sed -i 's|^HostKey /etc/ssh/ssh_host_ed25519_key|#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config
+
+# User password setting changes. Accounts are used to access VMs with SSH using ssh keys, but expired passwords prevent SSH from working even with ssh-keys so passwords shouldn't expire
+sed -i 's/^PASS_MAX_DAYS [0-9]\+/PASS_MAX_DAYS -1/' /etc/login.defs
+sed -i 's/^PASS_MIN_DAYS [0-9]\+/PASS_MIN_DAYS 0/' /etc/login.defs
@@ -1,12 +1,77 @@
 #!/bin/bash
 set -e
 
-wget https://apt.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL
-sudo rpm --import PGDG-RPM-GPG-KEY-RHEL
-sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
-sudo dnf -qy module disable postgresql
-sudo dnf install -y postgresql${POSTGRES_VERSION}-server
-sudo rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
-sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
-sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
-sudo dnf install -y ${POSTGIS_VERSION}
+export PATH=$PATH:/usr/local/bin
+subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
+dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+dnf groupinstall -y "Development Tools"
+dnf install -y zlib-devel readline-devel libicu-devel systemd-devel cmake libxml2-devel proj-devel gdal-devel protobuf-devel protobuf-c-devel json-c-devel
+
+dnf -qy module disable postgresql
+
+wget https://ftp.postgresql.org/pub/source/v${POSTGRES_VERSION}/postgresql-${POSTGRES_VERSION}.tar.bz2
+
+tar -xvf postgresql-${POSTGRES_VERSION}.tar.bz2
+cd postgresql-${POSTGRES_VERSION}/
+ls -l
+
+./configure --with-systemd
+make
+make install
+useradd postgres
+useradd etcd
+cd
+
+# Install postgis
+## Install GEOS from source
+wget https://download.osgeo.org/geos/geos-3.13.0.tar.bz2
+# Unpack and setup build directory
+tar xvfj geos-3.13.0.tar.bz2
+cd geos-3.13.0
+mkdir _build
+cd _build
+# Set up the build
+cmake \
+    -DCMAKE_BUILD_TYPE=Release \
+    -DCMAKE_INSTALL_PREFIX=/usr/local \
+    ..
+# Run the build, test, install
+make
+make install
+cd
+
+## Install postgis from source
+wget https://postgis.net/stuff/postgis-${POSTGIS_VERSION}.tar.gz
+tar -xvzf postgis-${POSTGIS_VERSION}.tar.gz
+cd postgis-${POSTGIS_VERSION}
+./configure --with-pgconfig=/usr/local/pgsql/bin/pg_config
+make
+make install
+cd
+
+# Install HA postgres deps
+
+dnf install -y  python3-devel python3-psycopg2 haproxy keepalived
+wget https://github.com/etcd-io/etcd/releases/download/v3.5.16/etcd-v3.5.16-linux-amd64.tar.gz
+tar xzvf etcd-v3.5.16-linux-amd64.tar.gz
+cp etcd-v3.5.16-linux-amd64/etcd* /usr/bin/.
+
+sudo pip3 install --force-reinstall -v "patroni[etcd]==3.2.2"
+
+# Move files
+
+# Copy the postgres systemd service into the correct location for NDB
+cp /tmp/files/postgres.service /etc/systemd/system/era_postgres.service
+cp /tmp/files/haproxy* /etc/firewalld/services/.
+cd /etc/firewalld/services
+restorecon haproxy-http.xml
+restorecon haproxy-https.xml
+chmod 640 haproxy*
+
+# Set up watchdog
+modprobe softdog
+chown postgres /dev/watchdog
+
+# Turn off pwquality enforcement. NDB can have issues creating new DBs from a profile caused by not being able to update the NDB user password
+echo "enforcing = 0" >> /etc/security/pwquality.conf