Remove default HBA

host_vars/postgres.crypto-libertarian.com.yml

@@ -18,6 +18,45 @@ common__certbot__post_hook: null
 common__certbot__pre_hook: null
 
 postgres__hba:
+  - type: local
+    database: all
+    user: postgres
+    method: peer
+
+  - type: local
+    database: all
+    user: all
+    method: peer
+
+  - type: host
+    database: all
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: all
+    user: all
+    address: '::1/128'
+    method: md5
+
+  - type: local
+    database: replication
+    user: all
+    method: peer
+
+  - type: host
+    database: replication
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: replication
+    user: all
+    address: '::1/128'
+    method: md5
+
   - type: hostssl
     database: matrix_synapse
     user: matrix_synapse

roles/postgres/defaults/main.yml

@@ -1,5 +1,43 @@
 ---
-postgres__hba: []
+postgres__hba:
+  - type: local
+    database: all
+    user: postgres
+    method: peer
+
+  - type: local
+    database: all
+    user: all
+    method: peer
+
+  - type: host
+    database: all
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: all
+    user: all
+    address: '::1/128'
+    method: md5
+
+  - type: local
+    database: replication
+    user: all
+    method: peer
+
+  - type: host
+    database: replication
+    user: all
+    address: '127.0.0.1/32'
+    method: md5
+
+  - type: host
+    database: replication
+    user: all
+    address: '::1/128'
+    method: md5
 
 postgres__config:
   - key: listen_addresses

roles/postgres/templates/pg_hba.conf

@@ -72,32 +72,6 @@
 # listen on a non-local interface via the listen_addresses
 # configuration parameter, or via the -i or -h command line switches.
 
-
-
-
-# DO NOT DISABLE!
-# If you change this first entry you will need to make sure that the
-# database superuser can access the database using some other method.
-# Noninteractive access to all databases is required during automatic
-# maintenance (custom daily cronjobs, replication, and similar tasks).
-#
-# Database administrative login by Unix domain socket
-local   all             postgres                                     peer
-
-# TYPE  DATABASE        USER            ADDRESS                      METHOD
-
-# "local" is for Unix domain socket connections only
-local   all             all                                          peer
-# IPv4 local connections:
-host    all             all             127.0.0.1/32                 md5
-# IPv6 local connections:
-host    all             all             ::1/128                      md5
-# Allow replication connections from localhost, by a user with the
-# replication privilege.
-local   replication     all                                          peer
-host    replication     all             127.0.0.1/32                 md5
-host    replication     all             ::1/128                      md5
-# Additional rules:
 {% for item in postgres__hba %}
-{{ item.type }} {{ item.database }} {{ item.user }} {{ item.address }} {{ item.method }}
+{{ item.type }} {{ item.database }} {{ item.user }} {{ item.address | default('') }} {{ item.method }}
 {% endfor %}