# PostgreSQL SystemD Security Override - Rick-Infra Simplified
# Generated by Ansible PostgreSQL role

[Service]
# Essential Security Restrictions
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
RestrictRealtime=true
LockPersonality=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# File System Access (PostgreSQL standard paths)
ReadWritePaths=/var/lib/postgres

# Network Security (localhost only)
{% if postgresql_listen_addresses == "localhost" %}
IPAddressDeny=any
IPAddressAllow=localhost
{% endif %}

# Rick-Infra: Essential security hardening only