- Provides PostgreSQL server as shared database infrastructure
- Follows KISS principle with only essential configuration (11 variables vs 45 originally)
- Implements maximum security with Unix socket-only superuser access
- Uses scram-sha-256 authentication for application users
- Includes SystemD security hardening
- Applications manage their own databases/users via this infrastructure
- Production-ready with data checksums and localhost-only access
26 lines, 662 B, Django/Jinja
# PostgreSQL SystemD Security Override - Rick-Infra Simplified
# Generated by Ansible PostgreSQL role

[Service]
# Essential Security Restrictions
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
RestrictRealtime=true
LockPersonality=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# File System Access (PostgreSQL standard paths)
ReadWritePaths=/var/lib/postgres

# Network Security (localhost only)
{% if postgresql_listen_addresses == "localhost" %}
IPAddressDeny=any
IPAddressAllow=localhost
{% endif %}

# Rick-Infra: Essential security hardening only
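As an added example (not part of the role or this repository), the following Python lints a rendered copy of the drop-in above against the hardening it promises: every boolean restriction is on, ProtectSystem=strict is paired with a writable data directory, only the three listed address families are allowed, and the IP allow-list appears exactly when postgresql_listen_addresses is "localhost". The rendered sample text is constructed here from the template.

```python
# Added example (not part of the role): lint a rendered copy of the drop-in
# above against the hardening it promises. Sample input is constructed here.
from collections import defaultdict

REQUIRED_TRUE = ("NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectHome",
                 "ProtectKernelTunables", "ProtectKernelModules", "RestrictRealtime",
                 "LockPersonality")
ALLOWED_FAMILIES = {"AF_UNIX", "AF_INET", "AF_INET6"}

def parse_dropin(text):
    """Parse a systemd unit/drop-in into {section: {key: [values]}}.
    Keys such as ReadWritePaths may repeat, so every key maps to a list."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new section header
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections

def lint_override(text, listen_addresses="localhost"):
    """Return a list of findings; an empty list means the drop-in is as expected."""
    svc = parse_dropin(text).get("Service", {})
    last = lambda key: svc.get(key, [""])[-1]   # for scalar settings the last assignment wins
    findings = [f"{k} must be true" for k in REQUIRED_TRUE if last(k) != "true"]
    if last("ProtectSystem") != "strict":
        findings.append("ProtectSystem must be strict")
    elif "/var/lib/postgres" not in svc.get("ReadWritePaths", []):
        findings.append("ProtectSystem=strict needs ReadWritePaths for the data dir")
    families = set(" ".join(svc.get("RestrictAddressFamilies", [])).split())
    if not families or families - ALLOWED_FAMILIES:
        findings.append("RestrictAddressFamilies must allow only AF_UNIX/AF_INET/AF_INET6")
    filtered = last("IPAddressDeny") == "any" and "localhost" in svc.get("IPAddressAllow", [])
    if listen_addresses == "localhost" and not filtered:
        findings.append("localhost listener needs IPAddressDeny=any + IPAddressAllow=localhost")
    if listen_addresses != "localhost" and filtered:
        findings.append("IP allow-list would cut off a non-localhost listener")
    return findings

# Constructed: what the template renders to when postgresql_listen_addresses == "localhost".
RENDERED_LOCALHOST = "\n".join([
    "[Service]", "NoNewPrivileges=true", "PrivateTmp=true", "PrivateDevices=true",
    "ProtectHome=true", "ProtectSystem=strict", "ProtectKernelTunables=true",
    "ProtectKernelModules=true", "RestrictRealtime=true", "LockPersonality=true",
    "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6", "ReadWritePaths=/var/lib/postgres",
    "IPAddressDeny=any", "IPAddressAllow=localhost"])
```

One caveat the linter does not cover: ProtectSystem=strict also leaves /run read-only, so the base unit must provide the socket directory via RuntimeDirectory= (or an extra ReadWritePaths= entry) for the Unix socket to be created.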