
bpt22 pushed to branch main at Root / DBRoot / PostgreSQL Commits: 01114cf1 by Bernardo Pavloski Tomasi at 2025-08-01T16:23:45-03:00 hostname verification added [skip ci] - - - - - 3 changed files: - .gitlab-ci.yml - + ansible/verify-hostnames.sh - pg_hba.conf Changes:
=====================================
.gitlab-ci.yml
=====================================
@@ -41,13 +41,21 @@ sync:
 exit 1
 fi
- - cd ansible
- - ansible-playbook main.yml -i inv.ini --private-key ../key
+ - |
+ cd ansible
+ if ./verify-hostnames.sh ../pg_hba.conf; then
+ ansible-playbook main.yml -i inv.ini --private-key ../key
+ else
+ exit 1
+ fi
 rules:
- - changes:
- - "pg_hba.conf"
- - "postgresql.conf"
+ - if: '$CI_COMMIT_BRANCH == "main"'
+ changes:
+ - "pg_hba.conf"
+ - "postgresql.conf"
+ when: always
+ - when: never
 variables:
=====================================
ansible/verify-hostnames.sh
=====================================
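Review bot: The new rule ends with `when: always`, and in GitLab `rules:when: always` runs the job regardless of the status of jobs in earlier stages; if this pipeline has any stage before `sync`, a failed check there no longer blocks the config push. Leaving `when:` at its default (`on_success`) keeps the branch/changes filter and restores the earlier-stage gate: drop the `when: always` line. The `if ./verify-hostnames.sh … else exit 1 fi` wrapper is also redundant, since the script already exits non-zero and the runner shell fails the job on a non-zero command; `./verify-hostnames.sh ../pg_hba.conf && ansible-playbook main.yml -i inv.ini --private-key ../key` expresses the same gate in one line. Note the `changes:` list does not include `ansible/verify-hostnames.sh` itself, so edits to the gate script will not be exercised by this job until the next pg_hba.conf or postgresql.conf change.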
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+pg_hba="$1"
+
+# Extrair hostnames não-IP e não-localhost
+hostnames=$(
+awk '
+ $1 == "hostssl" &&
+ $4 != "" &&
+ $4 != "localhost" &&
+ $4 !~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]+)?$/ &&
+ $4 !~ /:/ { print $4 }
+' "$pg_hba"
+)
+
+
+#
+# verify_reverse_lookup
+#
+verify_reverse_lookup() {
+
+ local host="$1"
+ local ip_addr="$2"
+
+ reverse=$(nslookup "$ip_addr" 2>/dev/null | awk '$2 == "name" { print $4 }')
+ if [ -z "$reverse" ]; then
+ echo " ! No reverse DNS found for $ip_addr"
+ return 1
+ fi
+
+ echo " Reverse: $reverse"
+ if expr "$reverse" : ".*$host" > /dev/null; then
+ echo " ✔ Reverse DNS matches hostname"
+ return 0
+ else
+ echo " ✘ Reverse DNS does NOT match hostname"
+ return 1
+ fi
+}
+
+
+#
+# verify_hostname
+#
+verify_hostname() {
+
+ echo "Checking $host"
+
+ local host=$1
+ local ip_addrs=$(nslookup "$host" 2> /dev/null | awk '/^Address: / { print $2 }')
+
+ if [ -n "$ip_addrs" ]; then
+ for ip_addr in $ip_addrs; do
+ echo " > Resolved IP: $ip_addr"
+ if ! verify_reverse_lookup "$host" "$ip_addr"; then
+ return 1
+ fi
+ done
+ else
+ echo " > Could not resolve any IP addresses"
+ return 1
+ fi
+}
+
+
+for host in $hostnames; do
+ if ! verify_hostname "$host"; then
+ echo "Verification failed"
+ exit 1
+ fi
+done
+
=====================================
pg_hba.conf
=====================================
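Review bot: The reverse-DNS comparison in `verify_reverse_lookup` is looser than the surrounding messages suggest: `expr "$reverse" : ".*$host"` uses `$host` as a regular expression, so every `.` in the hostname matches any character, and the leading `.*` with no trailing anchor means the PTR only has to contain something resembling the name somewhere (a constructed PTR such as `x-ademir.c3sl.ufpr.br.example` would pass for `ademir.c3sl.ufpr.br`). Since this is the gate in front of the playbook run, compare exactly after stripping the trailing dot that nslookup prints: `if [ "${reverse%.}" = "$host" ]; then`. The script also exits 0 when `$1` is missing or unreadable, because awk then yields no hostnames and the loop never runs, so the CI wrapper would proceed to deploy; `pg_hba=${1:?usage: verify-hostnames.sh pg_hba.conf}` plus `[ -r "$pg_hba" ] || exit 1` closes that path. In `verify_hostname`, `echo "Checking $host"` runs before `local host=$1` and only prints the right value because the caller's global loop variable happens to share the name — move the echo below the assignment. `reverse=` is not declared `local` and `local` itself is not POSIX under `#!/bin/sh`, so either switch the shebang to bash or accept that the script relies on dash extensions.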
@@ -71,9 +71,9 @@ hostssl pnld_administrativo painelpnld pnldprod.c3sl.ufpr.br s
 # Ademir
 hostssl ademir ademir 10.254.221.0/24 scram-sha-256
 hostssl ademir_dev ademir 10.254.221.0/24 scram-sha-256
-hostssl ademir ademir ademir.c3sl.ufpr.br scram-sha-256
-hostssl ademir_dev ademir ademir.c3sl.ufpr.br scram-sha-256
-hostssl ademir_dev ademir gitlabrunner.c3sl.ufpr.br scram-sha-256
+#hostssl ademir ademir ademir.c3sl.ufpr.br scram-sha-256
+#hostssl ademir_dev ademir ademir.c3sl.ufpr.br scram-sha-256
+#hostssl ademir_dev ademir gitlabrunner.c3sl.ufpr.br scram-sha-256
 hostssl ademir_dev ademir wrk1-k8stest.c3sl.ufpr.br scram-sha-256
 hostssl ademir_dev ademir wrk2-k8stest.c3sl.ufpr.br scram-sha-256
 hostssl ademir_dev ademir wrk3-k8stest.c3sl.ufpr.br scram-sha-256
View it on GitLab: https://gitlab.c3sl.ufpr.br/root/dbroot/postgresql-sync-config/-/commit/0111... -- View it on GitLab: https://gitlab.c3sl.ufpr.br/root/dbroot/postgresql-sync-config/-/commit/0111... You're receiving this email because of your account on gitlab.c3sl.ufpr.br.