force password auth for all users as default

2018-10-17 22:19:04 +02:00 · 2018-10-17 22:19:04 +02:00 · 719585da34
parent dc21d09988
commit 719585da34
3 changed files with 20 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -28,3 +28,8 @@ postgres_tls_source_use_content: False
 postgres_tls_source_use_files: True
 postgres_tls_cert_source: mycert.pem
 postgres_tls_key_source: mykey.pem
+
+postgresql_hba_entries:
+  - {type: local, database: all, user: all, auth_method: md5}
+  - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
+  - {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -6,5 +6,10 @@
      dest: "{{ __postgres_config_path }}/postgresql.conf"
      mode: 0600
    notify: __postgres_restart
+  - name: Setup client authentication
+    template:
+      src: postgresql/data/pq_hba.conf.j2
+      dest: "{{ __postgres_config_path }}/pg_hba.conf"
+      mode: 0600
  become: True
  become_user: root
--- a/templates/postgresql/data/pg_hba.conf.j2
+++ b/templates/postgresql/data/pg_hba.conf.j2
@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+{% for client in postgresql_hba_entries %}
+{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
+{% endfor %}