From 596c0e98c3745f3ea63df9e9081b9f5cafdc6596 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Fri, 30 Jun 2023 15:55:16 +0200
Subject: [PATCH] remove wireguard endpoint allow postgresql from everywhere with password terraform state without wireguard
---
ansible/hypervisors.yml | 11 ++++-
.../inventory/host_vars/atlas/postgresql.yml | 8 ++++
ansible/requirements.yml | 5 ++-
ansible/roles/postgresql/handlers/main.yml | 4 --
ansible/roles/postgresql/tasks/main.yml | 44 -------------------
terraform/main.tf | 1 -
6 files changed, 20 insertions(+), 53 deletions(-)
create mode 100644 ansible/inventory/host_vars/atlas/postgresql.yml
delete mode 100644 ansible/roles/postgresql/handlers/main.yml
delete mode 100644 ansible/roles/postgresql/tasks/main.yml
diff --git a/ansible/hypervisors.yml b/ansible/hypervisors.yml
index 3b885a1..69d4e38 100644
--- a/ansible/hypervisors.yml
+++ b/ansible/hypervisors.yml
@@ -43,10 +43,17 @@
 - name: Setup special services
 hosts: atlas
+ pre_tasks:
+ - name: Create terraform database
+ include_role:
+ name: postgresql_database
+ vars:
+ database_name: terraform_state
+ database_user: terraform
+ database_password: "{{ terraform_db_password }}"
+
 roles:
- - {role: postgresql, tags: postgresql}
 - {role: ssh_ca, tags: ssh_ca}
- - {role: wireguard, tags: wireguard}
 - hosts: hypervisors
diff --git a/ansible/inventory/host_vars/atlas/postgresql.yml b/ansible/inventory/host_vars/atlas/postgresql.yml
new file mode 100644
index 0000000..e6f7abf
--- /dev/null
+++ b/ansible/inventory/host_vars/atlas/postgresql.yml
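Review bot: The new `pre_tasks` entry hands only `database_name`, `database_user` and `database_password` to the external `postgresql_database` role, while the in-repo role it replaces (removed in the tasks/main.yml hunk) was where the server's network exposure was pinned — a `pg_hba` entry scoped to `10.42.0.0/24` and `listen_addresses` — so after this hunk the play no longer shows which addresses and authentication method the instance accepts, and the role's contents are not on this page. A one-line comment above `- name: Create terraform database` stating what that role is expected to enforce, e.g. `# postgresql_database role owns pg_hba/listen_addresses: password auth only, no trust entries — verify in the role`, would make that reviewable here. Secondary: the pre-task carries no `tags`, unlike the tagged `ssh_ca` role beside it, so a run restricted with `--tags` skips database creation silently; note that tags on `include_role` apply to the include statement only, so `import_role` with `tags: postgresql` is the simpler way to keep the old selection behaviour. The play's enclosing document continues outside the hunk.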
@@ -0,0 +1,8 @@
+terraform_db_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63343662633564343266666137313830333333666663393639633664356463343063666334616665
+ 6664333262343337333136656161383963396262616662620a623831383438613230396463353933
+ 38633265333239613232616532373635623433613136343264366635666462373062393566313233
+ 3338373062333635370a646563663639353033363737623064313464363332323831646262326138
+ 62303530626239643963623530613631636631363234383161363736613139643939653438316166
+ 6465346362373161353733343431336235323161313831303934
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index 5062082..afb5f47 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -10,5 +10,6 @@
 - name: ssh_ca_known_hosts
 src: https://git.pim.kunis.nl/home/ansible-role-ssh-ca-known-hosts
 scm: git
-- name: wireguard
- src: githubixx.ansible_role_wireguard
+- name: postgresql_database
+ src: https://git.pim.kunis.nl/home/ansible-role-postgresql-database
+ scm: git
diff --git a/ansible/roles/postgresql/handlers/main.yml b/ansible/roles/postgresql/handlers/main.yml
deleted file mode 100644
index a09812e..0000000
--- a/ansible/roles/postgresql/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart postgres
- systemd:
- name: postgresql
- state: restarted
diff --git a/ansible/roles/postgresql/tasks/main.yml b/ansible/roles/postgresql/tasks/main.yml
deleted file mode 100644
index ac436c5..0000000
--- a/ansible/roles/postgresql/tasks/main.yml
+++ /dev/null
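Review bot: The new `postgresql_database` entry in requirements.yml is fetched from a git URL with `scm: git` and no `version:`, so every `ansible-galaxy install` takes whatever the default branch holds at that moment, and a role that creates database users with a vaulted password is neither reproducible nor reviewable across runs; pin it with `version: <tag-or-commit>` (placeholder) under the `src:` line. The `ssh_ca_known_hosts` context entry above has the same gap. The removed Galaxy `wireguard` entry was equally unpinned, so this is not a regression, but the commit is the natural point to fix it.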
@@ -1,44 +0,0 @@
-- name: Create terraform database
- postgresql_db:
- name: terraform_state
- owner: terraform
- become: true
- become_user: postgres
-
-- name: Create database user
- postgresql_user:
- name: terraform
- become: true
- become_user: postgres
-
-- name: Grant database user access to database
- postgresql_privs:
- type: database
- database: terraform_state
- roles: terraform
- grant_option: no
- privs: all
- become: true
- become_user: postgres
- notify: restart postgres
-
-- name: Allow remote access to database for user
- postgresql_pg_hba:
- dest: /etc/postgresql/15/main/pg_hba.conf
- contype: host
- databases: all
- method: trust
- users: terraform
- address: "10.42.0.0/24"
- create: true
- become: true
- become_user: postgres
- notify: restart postgres
-
-- name: Open postgres port
- ini_file:
- path: /etc/postgresql/15/main/postgresql.conf
- section: null
- option: listen_addresses
- value: "'*'"
- notify: restart postgres
diff --git a/terraform/main.tf b/terraform/main.tf
index 23afd67..5c6e286 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,7 +1,6 @@
 terraform {
 backend "pg" {
 schema_name = "bootstrap"
- conn_str = "postgres://terraform@10.42.0.1/terraform_state"
 }
 required_providers {
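Review bot: With `conn_str` removed, the `pg` backend block in terraform/main.tf keeps only `schema_name`, so the connection string — which after the switch to password auth will carry a credential — has to come from outside the file, and nothing here records where; add a comment above `schema_name = "bootstrap"` such as `# conn_str is supplied at init time (PG_CONN_STR or -backend-config), never committed`. The deleted value pointed at `10.42.0.1`, presumably the tunnel-side address; if the new endpoint is reached without that tunnel, the supplied connection string should include `sslmode=require` (or stricter) so the password and the state payload are not sent in clear. Changing backend settings also requires `terraform init -reconfigure` or `-migrate-state` on existing checkouts, which the commit message does not mention. The `terraform` block continues past the hunk.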