authorGravatar Jonas Gunz <himself@jonasgunz.de> 2022-01-03 22:38:44 +0100
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2022-01-03 22:38:44 +0100
commit6d9a0c91574fb88cab4fc137d0711eeb4cc38122 (patch)
tree4ce718df8e5ec7e88037635ff58ed2839ef921b2 /roles/postgres/templates
parentb3e94b8303aa3269fa09970c9b9fe4e30decf64b (diff)
parenta0ef8bb61b78f695128f7574228b2b23acc2f1b1 (diff)
downloadansible_collection-6d9a0c91574fb88cab4fc137d0711eeb4cc38122.tar.gz
Merge branch 'dev' of git.jonasgunz.de:repos/ansible_collection into dev
Diffstat (limited to 'roles/postgres/templates')
-rw-r--r--roles/postgres/templates/pg_hba.conf.j228
-rw-r--r--roles/postgres/templates/pgsql.conf.j29
2 files changed, 37 insertions, 0 deletions
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
new file mode 100644
index 0000000..f77641d
--- /dev/null
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -0,0 +1,28 @@
+# vi: ft=conf
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all peer
+# IPv4 local connections:
+host all all 127.0.0.1/32 md5
+# IPv6 local connections:
+host all all ::1/128 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all peer
+host replication all 127.0.0.1/32 md5
+host replication all ::1/128 md5
+
+{% for host in pg_hba[env]["num" + num] %}
+hostssl {{ host.db }} {{ host.user }} {{ host.host }} scram-sha-256
+{% endfor %}
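Review bot: The four loopback `host` rules (database `all` and `replication`, for 127.0.0.1/32 and ::1/128) use `md5`, while the templated remote rules and `password_encryption` in pgsql.conf.j2 use scram-sha-256. `md5` still accepts the weaker MD5 challenge for any role whose stored password is an MD5 hash, so unless a legacy client needs it I would write these as `host all all 127.0.0.1/32 scram-sha-256`, and likewise for the other three. In the loop header, `"num" + num` only works when `num` is a string; `"num" ~ num` is safe for either type. `host.db`, `host.user` and `host.host` are written as bare tokens, so a value containing whitespace or a newline would shift fields or add a rule; a comment above the loop such as `# db, user and host (CIDR) must each be a single token` would document the expectation.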
diff --git a/roles/postgres/templates/pgsql.conf.j2 b/roles/postgres/templates/pgsql.conf.j2
new file mode 100644
index 0000000..beb52d7
--- /dev/null
+++ b/roles/postgres/templates/pgsql.conf.j2
@@ -0,0 +1,9 @@
+# vi: ft=conf
+
+password_encryption = scram-sha-256
+
+listen_addresses = '*'
+
+ssl = on
+ssl_cert_file = '/etc/ssl/certs/{{ ansible_facts.fqdn }}.pem'
+ssl_key_file = '/etc/ssl/private/{{ ansible_facts.fqdn }}.key'
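Review bot: `listen_addresses = '*'` is hard-coded, so every host this role is applied to binds PostgreSQL on all interfaces and relies entirely on pg_hba.conf and any firewall to limit exposure. I would make it a role variable with a conservative default, e.g. `listen_addresses = '{{ pg_listen_addresses | default("localhost") }}'` (the variable name is only a suggestion), and widen it per host where remote `hostssl` clients exist. A comment next to `ssl_key_file` would also help, noting that the key under /etc/ssl/private must be readable by the postgres user with permissions PostgreSQL accepts, because the server refuses to start otherwise. Whether the role arranges that is not visible in this diff.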