diff --git a/site-modules/profile/manifests/postgresql/server.pp b/site-modules/profile/manifests/postgresql/server.pp --- a/site-modules/profile/manifests/postgresql/server.pp +++ b/site-modules/profile/manifests/postgresql/server.pp @@ -14,6 +14,7 @@ $postgres_port = lookup('swh::postgresql::port') $postgres_datadir = lookup('swh::postgresql::datadir') + $ip_mask_allow_all_users = '0.0.0.0/0' file { [ "${swh_base_directory}/postgresql", "${swh_base_directory}/postgresql/${postgres_version}" ] : ensure => directory, @@ -22,16 +23,60 @@ mode => '0655', } -> class { 'postgresql::server': - ip_mask_allow_all_users => '0.0.0.0/0', + ip_mask_allow_all_users => $ip_mask_allow_all_users, ipv4acls => $network_accesses, postgres_password => $postgres_pass, port => $postgres_port, listen_addresses => [$listen_addresses], datadir => $postgres_datadir, needs_initdb => true, # Needed because managed_repo is false and data_dir is redefined by us ¯\_(ツ)_/¯ - require => Class['profile::postgresql::apt_config'] + require => Class['profile::postgresql::apt_config'], + pg_hba_conf_defaults => false, # see below for the actual default rules + pg_hba_rules => { + # Supersedes the default rules installed by puppetlab-postgres, thus + # allowing pgbouncer/pgsql connection to the postgres user + 'local access as postgres user' => { + database => 'all', + user => 'postgres', + type => 'local', + auth_method => 'ident', + order => 1, + }, + 'local access to database with same name' => { + database => 'all', + user => 'all', + type => 'local', + auth_method => 'ident', + order => 2, + }, + 'allow localhost TCP access to postgresql user' => { + database => 'all', + user => 'postgres', + type => 'host', + address => '127.0.0.1/32', + auth_method => 'md5', + order => 3, + }, + 'allow access to all users' => { + database => 'all', + user => 'all', + type => 'host', + address => $ip_mask_allow_all_users, + auth_method => 'md5', + order => 100, + }, + 'allow access to ipv6 localhost' => { + database => 'all', + user => 'all', + type => 'host', + address => '::1/128', + auth_method => 'md5', + order => 101, + } + } } + # read-only user $guest = 'guest' postgresql::server::role { $guest: password_hash => postgresql_password($guest, 'guest'),