bpt22 pushed to branch main at Root / DBRoot / PostgreSQL
Commits:
-
01114cf1
by Bernardo Pavloski Tomasi at 2025-08-01T16:23:45-03:00
3 changed files:
Changes:
... | ... | @@ -41,13 +41,21 @@ sync: |
41 | 41 | exit 1
|
42 | 42 | fi
|
43 | 43 | |
44 | - - cd ansible
|
|
45 | - - ansible-playbook main.yml -i inv.ini --private-key ../key
|
|
44 | + - |
|
|
45 | + cd ansible
|
|
46 | + if ./verify-hostnames.sh ../pg_hba.conf; then
|
|
47 | + ansible-playbook main.yml -i inv.ini --private-key ../key
|
|
48 | + else
|
|
49 | + exit 1
|
|
50 | + fi
|
|
46 | 51 | |
47 | 52 | rules:
|
48 | - - changes:
|
|
49 | - - "pg_hba.conf"
|
|
50 | - - "postgresql.conf"
|
|
53 | + - if: '$CI_COMMIT_BRANCH == "main"'
|
|
54 | + changes:
|
|
55 | + - "pg_hba.conf"
|
|
56 | + - "postgresql.conf"
|
|
57 | + when: always
|
|
58 | + - when: never
|
|
51 | 59 | |
52 | 60 | |
53 | 61 | variables:
|
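Review bot: The new `else` branch at new line 49 exits without saying why, so a failed hostname check in CI shows only whatever the script printed and a bare job failure; add `echo "verify-hostnames.sh rejected ../pg_hba.conf" >&2` before `exit 1`, or collapse the whole block to `./verify-hostnames.sh ../pg_hba.conf || exit 1` so the status propagates in one line. The `sync` job's script block starts before this hunk, so I cannot see whether a shell or `set -e` is declared for it; the explicit `if`/`exit 1` form is the safe one either way. The rewritten `rules` gate the job on `$CI_COMMIT_BRANCH == "main"` together with `changes:`, and the trailing `- when: never` means no other branch ever runs it — worth a comment above `rules:` such as `# run only on main, and only when the server config files changed`.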
1 | +#!/bin/sh
|
|
2 | + |
|
3 | +pg_hba="$1"
|
|
4 | + |
|
5 | +# Extrair hostnames não-IP e não-localhost
|
|
6 | +hostnames=$(
|
|
7 | +awk '
|
|
8 | + $1 == "hostssl" &&
|
|
9 | + $4 != "" &&
|
|
10 | + $4 != "localhost" &&
|
|
11 | + $4 !~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]+)?$/ &&
|
|
12 | + $4 !~ /:/ { print $4 }
|
|
13 | +' "$pg_hba"
|
|
14 | +)
|
|
15 | + |
|
16 | + |
|
17 | +#
|
|
18 | +# verify_reverse_lookup
|
|
19 | +#
|
|
20 | +verify_reverse_lookup() {
|
|
21 | + |
|
22 | + local host="$1"
|
|
23 | + local ip_addr="$2"
|
|
24 | + |
|
25 | + reverse=$(nslookup "$ip_addr" 2>/dev/null | awk '$2 == "name" { print $4 }')
|
|
26 | + if [ -z "$reverse" ]; then
|
|
27 | + echo " ! No reverse DNS found for $ip_addr"
|
|
28 | + return 1
|
|
29 | + fi
|
|
30 | + |
|
31 | + echo " Reverse: $reverse"
|
|
32 | + if expr "$reverse" : ".*$host" > /dev/null; then
|
|
33 | + echo " ✔ Reverse DNS matches hostname"
|
|
34 | + return 0
|
|
35 | + else
|
|
36 | + echo " ✘ Reverse DNS does NOT match hostname"
|
|
37 | + return 1
|
|
38 | + fi
|
|
39 | +}
|
|
40 | + |
|
41 | + |
|
42 | +#
|
|
43 | +# verify_hostname
|
|
44 | +#
|
|
45 | +verify_hostname() {
|
|
46 | + |
|
47 | + echo "Checking $host"
|
|
48 | + |
|
49 | + local host=$1
|
|
50 | + local ip_addrs=$(nslookup "$host" 2> /dev/null | awk '/^Address: / { print $2 }')
|
|
51 | + |
|
52 | + if [ -n "$ip_addrs" ]; then
|
|
53 | + for ip_addr in $ip_addrs; do
|
|
54 | + echo " > Resolved IP: $ip_addr"
|
|
55 | + if ! verify_reverse_lookup "$host" "$ip_addr"; then
|
|
56 | + return 1
|
|
57 | + fi
|
|
58 | + done
|
|
59 | + else
|
|
60 | + echo " > Could not resolve any IP addresses"
|
|
61 | + return 1
|
|
62 | + fi
|
|
63 | +}
|
|
64 | + |
|
65 | + |
|
66 | +for host in $hostnames; do
|
|
67 | + if ! verify_hostname "$host"; then
|
|
68 | + echo "Verification failed"
|
|
69 | + exit 1
|
|
70 | + fi
|
|
71 | +done
|
|
72 | + |
... | ... | @@ -71,9 +71,9 @@ hostssl pnld_administrativo painelpnld pnldprod.c3sl.ufpr.br s |
71 | 71 | # Ademir
|
72 | 72 | hostssl ademir ademir 10.254.221.0/24 scram-sha-256
|
73 | 73 | hostssl ademir_dev ademir 10.254.221.0/24 scram-sha-256
|
74 | -hostssl ademir ademir ademir.c3sl.ufpr.br scram-sha-256
|
|
75 | -hostssl ademir_dev ademir ademir.c3sl.ufpr.br scram-sha-256
|
|
76 | -hostssl ademir_dev ademir gitlabrunner.c3sl.ufpr.br scram-sha-256
|
|
74 | +#hostssl ademir ademir ademir.c3sl.ufpr.br scram-sha-256
|
|
75 | +#hostssl ademir_dev ademir ademir.c3sl.ufpr.br scram-sha-256
|
|
76 | +#hostssl ademir_dev ademir gitlabrunner.c3sl.ufpr.br scram-sha-256
|
|
77 | 77 | hostssl ademir_dev ademir wrk1-k8stest.c3sl.ufpr.br scram-sha-256
|
78 | 78 | hostssl ademir_dev ademir wrk2-k8stest.c3sl.ufpr.br scram-sha-256
|
79 | 79 | hostssl ademir_dev ademir wrk3-k8stest.c3sl.ufpr.br scram-sha-256
|
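Review bot: The three disabled entries (new lines 74–76) are kept as comments with no reason given, so a reader cannot tell whether those hostnames stopped resolving, are now covered by the 10.254.221.0/24 rules above them, or were dropped on purpose; add a one-line comment above them such as `# disabled <date>: <reason> — see verify-hostnames.sh`, or delete the lines and let git history carry them. The remaining hostname-based entries (lines 77–79) are presumably the ones the new reverse-lookup check in the same commit now covers; if that is the intent, say so next to them.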