#15 Ansible: adding security updates & pgAudit

dragarcia · dragarcia · commit b7c2e0a9df58 · 2020-05-15T17:08:30.000+08:00
diff --git a/ansible/files/apt_periodic b/ansible/files/apt_periodic
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -29,14 +29,12 @@
       file:
         path: /tmp/00-schema.sql
         state: absent
-
-    - name: Set up password for superadmin postgres
-      become: yes
-      become_user: postgres
-      postgresql_user:
-        name: postgres
-        password: "{{ postgres_superadmin_password }}"
     
+    - name: Adjust APT update intervals
+      copy: 
+        src: files/apt_periodic
+        dest: /etc/apt/apt.conf.d/10periodic
+
     - name: UFW - Allow SSH connections
       ufw:
         rule: allow
diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml
@@ -43,6 +43,37 @@
     update_cache: yes
     cache_valid_time: 3600
 
+- name: pgAudit - download & install dependencies
+  apt:
+    pkg:
+      - postgresql-server-dev-12
+      - libssl-dev
+      - libkrb5-dev
+    update_cache: yes
+    install_recommends: no
+
+- name: pgAudit - download latest release
+  git:
+    repo: https://github.com/pgaudit/pgaudit.git
+    dest: /tmp/pgaudit
+  become: yes
+
+- name: pgAudit - build
+  make: 
+    chdir: /tmp/pgaudit
+    target: check
+    params:
+      USE_PGXS: 1
+  become: yes
+
+- name: pgAudit - install
+  make:
+    chdir: /tmp/pgaudit
+    target: install
+    params:
+      USE_PGXS: 1
+  become: yes
+
 - name: plv8 - download & install dependencies
   apt:
     pkg:
diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml
@@ -13,11 +13,18 @@
   apt:
     pkg:
       - ufw
+      - fail2ban
+      - unattended-upgrades
       - python3
       - python3-pip
     update_cache: yes
     cache_valid_time: 3600
 
+- name: Adjust APT update intervals
+  copy: 
+    src: files/apt_periodic
+    dest: /etc/apt/apt.conf.d/10periodic
+
 - name: Install psycopg2 to enable ansible postgreSQL features
   pip: 
     name: psycopg2-binary
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -11,12 +11,16 @@ postgresql_ext_install_dev_headers: yes
 # Warning: Make sure the postgresql & postgis versions are compatible with one another
 postgresql_ext_postgis_version: 3
 
-postgresql_shared_preload_libraries: [pg_stat_statements]
+postgresql_shared_preload_libraries: [pg_stat_statements, pgaudit]
 
 postgresql_pg_hba_custom:
   - {type: "host", database: "all", user: "all", address: "0.0.0.0/0", method: "md5" }
 
-postgres_superadmin_password: "a1b2c3d4e5f6g7"
-
 pgtap_release: v1.1.0
-pgtap_release_checksum: sha1:cca57708e723de18735a723b774577dc52f6f31e
+pgtap_release_checksum: sha1:cca57708e723de18735a723b774577dc52f6f31e
+
+postgresql_log_destination: "csvlog"
+postgresql_logging_collector: on
+postgresql_log_filename: "postgresql.log"
+postgresql_log_rotation_age: 0
+postgresql_log_rotation_size: 0
