Remove default HBA

2020-07-05 11:45:51 +05:00 · 2020-07-05 11:45:51 +05:00 · d416e8d408
commit d416e8d408
parent 310c273019
3 changed files with 79 additions and 28 deletions
--- a/host_vars/postgres.crypto-libertarian.com.yml
+++ b/host_vars/postgres.crypto-libertarian.com.yml
@ -18,6 +18,45 @@ common__certbot__post_hook: null
 common__certbot__pre_hook: null

 postgres__hba:
+  - type: local
+    database: all
+    user: postgres
+    method: peer
+
+  - type: local
+    database: all
+    user: all
+    method: peer
+
+  - type: host
+    database: all
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: all
+    user: all
+    address: '::1/128'
+    method: md5
+
+  - type: local
+    database: replication
+    user: all
+    method: peer
+
+  - type: host
+    database: replication
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: replication
+    user: all
+    address: '::1/128'
+    method: md5
+
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@ -1,5 +1,43 @@
 ---
-postgres__hba: []
+postgres__hba:
+  - type: local
+    database: all
+    user: postgres
+    method: peer
+
+  - type: local
+    database: all
+    user: all
+    method: peer
+
+  - type: host
+    database: all
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: all
+    user: all
+    address: '::1/128'
+    method: md5
+
+  - type: local
+    database: replication
+    user: all
+    method: peer
+
+  - type: host
+    database: replication
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: replication
+    user: all
+    address: '::1/128'
+    method: md5

 postgres__config:
  - key: listen_addresses
--- a/roles/postgres/templates/pg_hba.conf
+++ b/roles/postgres/templates/pg_hba.conf
@ -72,32 +72,6 @@
 # listen on a non-local interface via the listen_addresses
 # configuration parameter, or via the -i or -h command line switches.

-
-
-
-# DO NOT DISABLE!
-# If you change this first entry you will need to make sure that the
-# database superuser can access the database using some other method.
-# Noninteractive access to all databases is required during automatic
-# maintenance (custom daily cronjobs, replication, and similar tasks).
-#
-# Database administrative login by Unix domain socket
-local   all             postgres                                     peer
-
-# TYPE  DATABASE        USER            ADDRESS                      METHOD
-
-# "local" is for Unix domain socket connections only
-local   all             all                                          peer
-# IPv4 local connections:
-host    all             all             127.0.0.1/32                 md5
-# IPv6 local connections:
-host    all             all             ::1/128                      md5
-# Allow replication connections from localhost, by a user with the
-# replication privilege.
-local   replication     all                                          peer
-host    replication     all             127.0.0.1/32                 md5
-host    replication     all             ::1/128                      md5
-# Additional rules:
 {% for item in postgres__hba %}
-{{ item.type }} {{ item.database }} {{ item.user }} {{ item.address }} {{ item.method }}
+{{ item.type }} {{ item.database }} {{ item.user }} {{ item.address | default('') }} {{ item.method }}
 {% endfor %}