Add simplified PostgreSQL infrastructure role for database services

- Provides PostgreSQL server as shared database infrastructure - Follows KISS principle with only essential configuration (11 variables vs 45 originally) - Implements maximum security with Unix socket-only superuser access - Uses scram-sha-256 authentication for application users - Includes SystemD security hardening - Applications manage their own databases/users via this infrastructure - Production-ready with data checksums and localhost-only access
2025-11-18 21:33:50 +01:00
parent 7c3b02e5ad
commit 762d00eebf
9 changed files with 532 additions and 0 deletions
--- a/roles/postgresql/templates/pg_hba.conf.j2
+++ b/roles/postgresql/templates/pg_hba.conf.j2
@@ -0,0 +1,45 @@
+# PostgreSQL Client Authentication Configuration File
+# Generated by Ansible - PostgreSQL Role
+# Documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# =============================================================================
+# LOCAL CONNECTIONS
+# =============================================================================
+
+# "local" is for Unix domain socket connections only
+local   all             postgres                                peer
+local   all             all                                     {{ postgresql_auth_method }}
+
+# =============================================================================
+# IPv4 LOCAL CONNECTIONS
+# =============================================================================
+
+# IPv4 local connections (applications only - no superuser TCP access):
+host    all             all             127.0.0.1/32            {{ postgresql_auth_method }}
+
+# =============================================================================
+# IPv6 LOCAL CONNECTIONS  
+# =============================================================================
+
+# IPv6 local connections (applications only - no superuser TCP access):
+host    all             all             ::1/128                 {{ postgresql_auth_method }}
+
+# =============================================================================
+# SECURITY NOTES
+# =============================================================================
+# This configuration provides maximum security defaults:
+# - postgres superuser ONLY accessible via Unix socket with peer authentication
+# - NO TCP access for postgres superuser (even from localhost)
+# - All application users use {{ postgresql_auth_method }} over TCP
+# - Only local connections allowed by default
+#
+# Superuser access: sudo -u postgres psql (Unix socket only)
+# Application access: psql -h localhost -U appuser -d appdb (TCP with password)
+#
+# For remote access, add additional 'host' entries above
+# Always use the most restrictive authentication method possible
+#
+# Rick-Infra PostgreSQL Infrastructure
+# Applications should create their own database users