From 4f234f16caa0cfbfba2315d835e13258c68d2a49 Mon Sep 17 00:00:00 2001
From: Rob Young
Date: Mon, 3 Oct 2016 10:32:54 +0100
Subject: [PATCH] Add support for host based authentication

This addresses #3
---
 README.md | 12 ++++++++++++
 defaults/main.yml | 7 +++++++
 tasks/configure.yml | 9 +++++++++
 templates/pg_hba.conf.j2 | 9 +++++++++
 4 files changed, 37 insertions(+)
 create mode 100644 templates/pg_hba.conf.j2
diff --git a/README.md b/README.md
index e23baeb..a028a79 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,18 @@ The directories (usually one, but can be multiple) where PostgreSQL's socket wil
 Global configuration options that will be set in `postgresql.conf`. Note that for RHEL/CentOS 6 (or very old versions of PostgreSQL), you need to at least override this variable and set the `option` to `unix_socket_directory`.
+ postgresql_hba_entries:
+ - type: host # required; local, host, hostssl or hostnossl
+ database: exampledb # required
+ user: jdoe # required
+ address: 192.0.2.0/24 # either this or ip_address / ip_mask are required unless type is 'local'
+ ip_address: # alternative to 'address'
+ ip_mask: # alternative to 'address'
+ auth_method: # required
+ auth_options: # optional
+
+Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`.
+
 postgresql_locales:
 - 'en_US.UTF-8'
diff --git a/defaults/main.yml b/defaults/main.yml
index 10cb662..3f59904 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,13 @@ postgresql_global_config_options:
 - option: unix_socket_directories
 value: '{{ postgresql_unix_socket_directories | join(",") }}'
+# Host based authentication (hba) entries to be added to the pg_hba.conf.
+postgresql_hba_entries:
+ - type: local
+ database: all
+ user: all
+ auth_method: trust
+
 # Debian only. Used to generate the locales used by PostgreSQL databases.
 postgresql_locales:
 - 'en_US.UTF-8'
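Review bot: The new default in defaults/main.yml, `local all all trust`, lets any OS account on the host connect over the Unix socket as any database role, including the superuser, without a password. Because the task added in tasks/configure.yml writes the whole pg_hba.conf from this list, every existing user of the role gets this policy on the next run unless they override `postgresql_hba_entries`, replacing whatever the package or an administrator had put there. I would ship a default that still authenticates, for example `auth_method: peer` (or `ident` on the very old PostgreSQL releases the README mentions for RHEL/CentOS 6). A comment above the variable such as `# Rendered in order; PostgreSQL uses the first matching entry.` would also help people who extend the list.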
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 9b03d9e..a78bed3 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -8,6 +8,15 @@
 with_items: "{{ postgresql_global_config_options }}"
 notify: restart postgresql
+- name: Configure host based authentication.
+ template:
+ src: "templates/pg_hba.conf.j2"
+ dest: "{{ postgresql_config_path }}/pg_hba.conf"
+ owner: "{{ postgresql_user }}"
+ group: "{{ postgresql_group }}"
+ mode: 0600
+ notify: restart postgresql
+
 - name: Ensure PostgreSQL unix socket dirs exist.
 file:
 path: "{{ item }}"
diff --git a/templates/pg_hba.conf.j2 b/templates/pg_hba.conf.j2
new file mode 100644
index 0000000..05cc8a0
--- /dev/null
+++ b/templates/pg_hba.conf.j2
@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+
+{% for client in postgresql_hba_entries %}
+{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
+{% endfor %}
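Review bot: In the "Configure host based authentication." task in tasks/configure.yml, `mode: 0600` is an unquoted scalar that relies on the YAML loader reading a leading-zero number as octal; write `mode: "0600"` so the permission reaches the template module as the string intended. Since this file decides who may log in to the database, a short comment saying why it is owner-only would help, e.g. `# pg_hba.conf is the server's access policy; keep it readable by the postgres user only`. The hunk begins and ends inside the neighbouring tasks, but the added task itself is complete.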
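Review bot: In the `for` loop of templates/pg_hba.conf.j2, `default('')` only applies to keys that are absent, while the README example in this patch lists `ip_address:`, `ip_mask:` and `auth_options:` with empty values, which YAML loads as null rather than undefined. Depending on how the templating layer renders null, an entry copied from the README could put a stray token into a pg_hba.conf line, and because the task notifies a restart, a malformed line may keep PostgreSQL from starting. Using the filter's boolean form for the four optional fields, e.g. `{{ client.address|default('', true) }}`, treats null and empty values as absent. Nothing visible here checks that a `host*` entry carries an address or that a `local` entry carries none; a validation step before the template task would catch that earlier, though that part lies outside this hunk.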