joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f8b46fa14ca4a35f2637cd6b759b396dd8922a5
rick-infra/roles/postgresql/templates/pg_hba.conf.j2
Joakim 762d00eebf Add simplified PostgreSQL infrastructure role for database services 
- Provides PostgreSQL server as shared database infrastructure
- Follows KISS principle with only essential configuration (11 variables vs 45 originally)
- Implements maximum security with Unix socket-only superuser access
- Uses scram-sha-256 authentication for application users
- Includes SystemD security hardening
- Applications manage their own databases/users via this infrastructure
- Production-ready with data checksums and localhost-only access
2025-11-18 22:33:56 +01:00

45 lines
2.2 KiB
Django/Jinja
Raw Blame History

# PostgreSQL Client Authentication Configuration File
# Generated by Ansible - PostgreSQL Role
# Documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
# TYPE DATABASE USER ADDRESS METHOD
# =============================================================================
# LOCAL CONNECTIONS
# =============================================================================
# "local" is for Unix domain socket connections only
local all postgres peer
local all all {{ postgresql_auth_method }}
# =============================================================================
# IPv4 LOCAL CONNECTIONS
# =============================================================================
# IPv4 local connections (applications only - no superuser TCP access):
host all all 127.0.0.1/32 {{ postgresql_auth_method }}
# =============================================================================
# IPv6 LOCAL CONNECTIONS
# =============================================================================
# IPv6 local connections (applications only - no superuser TCP access):
host all all ::1/128 {{ postgresql_auth_method }}
# =============================================================================
# SECURITY NOTES
# =============================================================================
# This configuration provides maximum security defaults:
# - postgres superuser ONLY accessible via Unix socket with peer authentication
# - NO TCP access for postgres superuser (even from localhost)
# - All application users use {{ postgresql_auth_method }} over TCP
# - Only local connections allowed by default
#
# Superuser access: sudo -u postgres psql (Unix socket only)
# Application access: psql -h localhost -U appuser -d appdb (TCP with password)
#
# For remote access, add additional 'host' entries above
# Always use the most restrictive authentication method possible
#
# Rick-Infra PostgreSQL Infrastructure
# Applications should create their own database users
Reference in New Issue View Git Blame Copy Permalink