feat: enable ipv6 support

darora · darora · commit bd25e5236035 · 2023-10-23T09:34:07.000+08:00
Enables IPv6 support for the base OS, and several services running on
it (kong, pg, pgbouncer)
diff --git a/amazon-arm64.pkr.hcl b/amazon-arm64.pkr.hcl
@@ -243,7 +243,8 @@ build {
       "DOCKER_USER=${var.docker_user}",
       "DOCKER_PASSWD=${var.docker_passwd}",
       "DOCKER_IMAGE=${var.docker_image}",
-      "DOCKER_IMAGE_TAG=${var.docker_image_tag}"
+      "DOCKER_IMAGE_TAG=${var.docker_image_tag}",
+      "POSTGRES_SUPABASE_VERSION=${var.postgres-version}"
     ]
     use_env_var_file = true
     script = "ebssurrogate/scripts/surrogate-bootstrap.sh"
diff --git a/ansible/files/kong_config/kong.conf.j2 b/ansible/files/kong_config/kong.conf.j2
@@ -4,4 +4,4 @@ declarative_config = /etc/kong/kong.yml
 # plugins defined in the dockerfile
 plugins = request-transformer,cors,key-auth,http-log
 
-proxy_listen = 0.0.0.0:80 reuseport backlog=16384, 0.0.0.0:443 http2 ssl reuseport backlog=16834
+proxy_listen = 0.0.0.0:80 reuseport backlog=16384, 0.0.0.0:443 http2 ssl reuseport backlog=16834, [::]:80 reuseport backlog=16384, [::]:443 http2 ssl reuseport backlog=16384
diff --git a/ansible/files/pgbouncer_config/pgbouncer.ini.j2 b/ansible/files/pgbouncer_config/pgbouncer.ini.j2
@@ -51,7 +51,7 @@ pidfile = /var/run/pgbouncer/pgbouncer.pid
 ;;;
 
 ;; IP address or * which means all IPs
-listen_addr = 0.0.0.0
+listen_addr = *
 listen_port = 6543
 
 ;; Unix socket is also used for -R.
diff --git a/ansible/files/postgresql_config/pg_hba.conf.j2 b/ansible/files/postgresql_config/pg_hba.conf.j2
@@ -89,3 +89,6 @@ host  all  all  10.0.0.0/8  scram-sha-256
 host  all  all  172.16.0.0/12  scram-sha-256
 host  all  all  192.168.0.0/16  scram-sha-256
 host  all  all  0.0.0.0/0     scram-sha-256
+
+# IPv6 external connections
+host  all  all  ::0/0     scram-sha-256
diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml
@@ -128,6 +128,7 @@
   copy:
     content: |
       127.0.0.1   localhost
+      ::1         localhost
     dest: /etc/hosts
     mode: 0644
     owner: root
diff --git a/docker/all-in-one/etc/kong/kong.conf b/docker/all-in-one/etc/kong/kong.conf
@@ -5,7 +5,7 @@ declarative_config = /etc/kong/kong.yml
 plugins = request-transformer,cors,key-auth,basic-auth,http-log,ip-restriction,rate-limiting
 
 admin_listen = off
-proxy_listen = 0.0.0.0:80 reuseport backlog=16384, 0.0.0.0:443 http2 ssl reuseport backlog=16834
+proxy_listen = 0.0.0.0:80 reuseport backlog=16384, 0.0.0.0:443 http2 ssl reuseport backlog=16834, [::]:80 reuseport backlog=16384, [::]:443 http2 ssl reuseport backlog=16348
 
 nginx_http_log_format = custom_log '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time $request_length'
 nginx_http_client_body_buffer_size = 512k
diff --git a/docker/all-in-one/etc/pgbouncer/pgbouncer.ini b/docker/all-in-one/etc/pgbouncer/pgbouncer.ini
@@ -50,7 +50,7 @@ pidfile = /var/run/pgbouncer/pgbouncer.pid
 ;;;
 
 ;; IP address or * which means all IPs
-listen_addr = 0.0.0.0
+listen_addr = *
 listen_port = 6543
 
 ;; Unix socket is also used for -R.
diff --git a/docker/all-in-one/etc/postgresql/pg_hba.conf b/docker/all-in-one/etc/postgresql/pg_hba.conf
@@ -89,3 +89,6 @@ host  all  all  10.0.0.0/8  scram-sha-256
 host  all  all  172.16.0.0/12  scram-sha-256
 host  all  all  192.168.0.0/16  scram-sha-256
 host  all  all  0.0.0.0/0     scram-sha-256
+
+# IPv6 external connections
+host  all  all  ::0/0     scram-sha-256
diff --git a/ebssurrogate/scripts/chroot-bootstrap.sh b/ebssurrogate/scripts/chroot-bootstrap.sh
@@ -100,11 +100,6 @@ EOF
 	localedef -i en_US -f UTF-8 en_US.UTF-8
 }
 
-# Disable IPV6 for ufw
-function disable_ufw_ipv6 {
-	sed -i 's/IPV6=yes/IPV6=no/g' /etc/default/ufw
-}
-
 function install_packages_for_build {
 	apt-get install -y --no-install-recommends linux-libc-dev \
 	 acl \
@@ -141,19 +136,7 @@ GRUB_DEFAULT=0
 GRUB_TIMEOUT=0
 GRUB_TIMEOUT_STYLE="hidden"
 GRUB_DISTRIBUTOR="Supabase postgresql"
-GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty1 console=ttyS0 ipv6.disable=1"
-EOF
-}
-
-function setup_grub_conf_amd64 {
-	mkdir -p /etc/default/grub.d
-
-cat << EOF > /etc/default/grub.d/50-aws-settings.cfg
-GRUB_RECORDFAIL_TIMEOUT=0
-GRUB_TIMEOUT=0
-GRUB_CMDLINE_LINUX_DEFAULT=" root=/dev/nvme0n1p2 rootfstype=ext4 rw noatime,nodiratime,discard console=tty1 console=ttyS0 ip=dhcp tsc=reliable net.ifnames=0 quiet module_blacklist=psmouse,input_leds,autofs4 ipv6.disable=1 nvme_core.io_timeout=4294967295 systemd.hostname=ubuntu ipv6.disable=1"
-GRUB_TERMINAL=console
-GRUB_DISABLE_LINUX_UUID=true
+GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty1 console=ttyS0 ipv6.disable=0"
 EOF
 }
 
@@ -230,7 +213,6 @@ setup_hostname
 create_admin_account
 set_default_target
 setup_eth0_interface
-disable_ufw_ipv6
 disable_sshd_passwd_auth
 disable_fsck
 #setup_ccache
