aboutsummaryrefslogtreecommitdiff
path: root/roles/postgres/templates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/postgres/templates')
-rw-r--r--roles/postgres/templates/pg_hba.conf.j228
-rw-r--r--roles/postgres/templates/pgsql.conf.j29
2 files changed, 37 insertions, 0 deletions
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
new file mode 100644
index 0000000..f77641d
--- /dev/null
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -0,0 +1,28 @@
+# vi: ft=conf
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all peer
+# IPv4 local connections:
+host all all 127.0.0.1/32 md5
+# IPv6 local connections:
+host all all ::1/128 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all peer
+host replication all 127.0.0.1/32 md5
+host replication all ::1/128 md5
+
+{% for host in pg_hba[env]["num" + num] %}
+hostssl {{ host.db }} {{ host.user }} {{ host.host }} scram-sha-256
+{% endfor %}
diff --git a/roles/postgres/templates/pgsql.conf.j2 b/roles/postgres/templates/pgsql.conf.j2
new file mode 100644
index 0000000..beb52d7
--- /dev/null
+++ b/roles/postgres/templates/pgsql.conf.j2
@@ -0,0 +1,9 @@
+# vi: ft=conf
+
+password_encryption = scram-sha-256
+
+listen_addresses = '*'
+
+ssl = on
+ssl_cert_file = '/etc/ssl/certs/{{ ansible_facts.fqdn }}.pem'
+ssl_key_file = '/etc/ssl/private/{{ ansible_facts.fqdn }}.key'