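# PostgreSQL Client Authentication Configuration File
# Generated by Ansible - PostgreSQL Role
# Documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
#
# Records are evaluated top to bottom and the FIRST record matching the
# connection type, database, user and client address is used. There is no
# fall-through, so the order of the lines below is significant.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# =============================================================================
# LOCAL CONNECTIONS
# =============================================================================
# "local" is for Unix domain socket connections only
local   all             postgres                                peer
local   all             all                                     {{ postgresql_auth_method }}

# =============================================================================
# IPv4 LOCAL CONNECTIONS
# =============================================================================
# Deny the postgres role over TCP first: the "all" user field in the next
# record also matches postgres, so without this reject the superuser would be
# reachable on 127.0.0.1 with {{ postgresql_auth_method }}.
host    all             postgres        127.0.0.1/32            reject
# IPv4 local connections (applications only - no superuser TCP access):
host    all             all             127.0.0.1/32            {{ postgresql_auth_method }}

# =============================================================================
# IPv6 LOCAL CONNECTIONS
# =============================================================================
# Same ordering as IPv4: reject postgres before the catch-all record.
host    all             postgres        ::1/128                 reject
# IPv6 local connections (applications only - no superuser TCP access):
host    all             all             ::1/128                 {{ postgresql_auth_method }}

# =============================================================================
# SECURITY NOTES
# =============================================================================
# This configuration provides restrictive defaults:
# - postgres superuser ONLY accessible via Unix socket with peer authentication
# - NO TCP access for the postgres role (even from localhost), enforced by the
#   explicit "reject" records placed before each catch-all host record
# - All application users use {{ postgresql_auth_method }} over TCP
# - Only local connections allowed by default
#
# Caveats:
# - The reject records match the role NAME "postgres" only. Any other role
#   created with the SUPERUSER attribute is still matched by the "all" records
#   and can connect over TCP; avoid creating additional superuser roles.
# - The protection for application logins is only as strong as
#   postgresql_auth_method. Use a password method such as scram-sha-256;
#   a value of "trust" would admit every local user and role without a
#   credential.
#
# Superuser access:   sudo -u postgres psql (Unix socket only)
# Application access: psql -h localhost -U appuser -d appdb
#                     (TCP, authenticated with {{ postgresql_auth_method }})
#
# For remote access, add additional 'host' entries ABOVE the catch-all records
# they are meant to override, scoped to a specific database, user and the
# narrowest possible CIDR; prefer 'hostssl' so credentials are not sent in
# cleartext over the network.
# Always use the most restrictive authentication method possible
#
# Rick-Infra PostgreSQL Infrastructure
# Applications should create their own database users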