Add simplified PostgreSQL infrastructure role for database services

- Provides PostgreSQL server as shared database infrastructure - Follows KISS principle with only essential configuration (11 variables vs 45 originally) - Implements maximum security with Unix socket-only superuser access - Uses scram-sha-256 authentication for application users - Includes SystemD security hardening - Applications manage their own databases/users via this infrastructure - Production-ready with data checksums and localhost-only access
2025-11-18 21:33:50 +01:00
parent 7c3b02e5ad
commit 762d00eebf
9 changed files with 532 additions and 0 deletions
--- a/roles/postgresql/templates/pg_hba.conf.j2
+++ b/roles/postgresql/templates/pg_hba.conf.j2
@@ -0,0 +1,45 @@
+# PostgreSQL Client Authentication Configuration File
+# Generated by Ansible - PostgreSQL Role
+# Documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# =============================================================================
+# LOCAL CONNECTIONS
+# =============================================================================
+
+# "local" is for Unix domain socket connections only
+local   all             postgres                                peer
+local   all             all                                     {{ postgresql_auth_method }}
+
+# =============================================================================
+# IPv4 LOCAL CONNECTIONS
+# =============================================================================
+
+# IPv4 local connections (applications only - no superuser TCP access):
+host    all             all             127.0.0.1/32            {{ postgresql_auth_method }}
+
+# =============================================================================
+# IPv6 LOCAL CONNECTIONS  
+# =============================================================================
+
+# IPv6 local connections (applications only - no superuser TCP access):
+host    all             all             ::1/128                 {{ postgresql_auth_method }}
+
+# =============================================================================
+# SECURITY NOTES
+# =============================================================================
+# This configuration provides maximum security defaults:
+# - postgres superuser ONLY accessible via Unix socket with peer authentication
+# - NO TCP access for postgres superuser (even from localhost)
+# - All application users use {{ postgresql_auth_method }} over TCP
+# - Only local connections allowed by default
+#
+# Superuser access: sudo -u postgres psql (Unix socket only)
+# Application access: psql -h localhost -U appuser -d appdb (TCP with password)
+#
+# For remote access, add additional 'host' entries above
+# Always use the most restrictive authentication method possible
+#
+# Rick-Infra PostgreSQL Infrastructure
+# Applications should create their own database users
--- a/roles/postgresql/templates/postgresql.conf.j2
+++ b/roles/postgresql/templates/postgresql.conf.j2
@@ -0,0 +1,16 @@
+# PostgreSQL Configuration - Rick-Infra Simplified
+# Generated by Ansible PostgreSQL role
+# PostgreSQL's excellent defaults are used except for essentials
+
+# Network and Security
+listen_addresses = '{{ postgresql_listen_addresses }}'
+port = {{ postgresql_port }}
+
+# Basic Performance (only override if needed)
+max_connections = {{ postgresql_max_connections }}
+shared_buffers = {{ postgresql_shared_buffers }}
+
+# Authentication
+password_encryption = {{ postgresql_auth_method }}
+
+# Rick-Infra: PostgreSQL infrastructure role - keeping it simple
--- a/roles/postgresql/templates/systemd-override.conf.j2
+++ b/roles/postgresql/templates/systemd-override.conf.j2
@@ -0,0 +1,26 @@
+# PostgreSQL SystemD Security Override - Rick-Infra Simplified
+# Generated by Ansible PostgreSQL role
+
+[Service]
+# Essential Security Restrictions
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+RestrictRealtime=true
+LockPersonality=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# File System Access (PostgreSQL standard paths)
+ReadWritePaths=/var/lib/postgres
+
+# Network Security (localhost only)
+{% if postgresql_listen_addresses == "localhost" %}
+IPAddressDeny=any
+IPAddressAllow=localhost
+{% endif %}
+
+# Rick-Infra: Essential security hardening only