fix: secure pg + fix old way of sharing podman network

roles/net_persist/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: Process ethernet interface persistence
   when: interface.type is not defined or interface.type == 'ethernet'
   block:
-    - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address }})"
+    - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address | default('N/A') }})"
       ansible.builtin.set_fact:
         interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}"
 

roles/networking/tasks/main.yml

@@ -20,6 +20,29 @@
     interface: "{{ item }}"
   loop: "{{ hostvars[inventory_hostname].network_interfaces | default([]) }}"
 
+- name: Remove stale podman-gw systemd-networkd configuration
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/systemd/network/10-podman-gw.netdev
+    - /etc/systemd/network/20-podman-gw.network
+  register: stale_podman_gw
+
+- name: Mark networkd reload required after podman-gw cleanup
+  ansible.builtin.set_fact:
+    network_reload_required: true
+  when: stale_podman_gw is changed
+
+- name: Tear down podman-gw bridge interface if present
+  ansible.builtin.command: ip link delete podman-gw
+  register: podman_gw_link_del
+  changed_when: podman_gw_link_del.rc == 0
+  failed_when:
+    - podman_gw_link_del.rc != 0
+    - "'Cannot find device' not in podman_gw_link_del.stderr"
+    - "'does not exist' not in podman_gw_link_del.stderr"
+
 - name: Reload networkd and resolved
   ansible.builtin.systemd:
     name: "{{ item }}"

roles/postgres/templates/pg_hba.conf.j2

@@ -4,25 +4,27 @@
 # This file controls: which hosts are allowed to connect, how clients
 # are authenticated, which PostgreSQL user names they can use, which
 # databases they can access.
+#
+# Authentication policy:
+# - Unix socket: trust (admin access via `become_user: postgres`, e.g. Ansible)
+# - All TCP connections: scram-sha-256 (passwords required, including loopback)
+#   This is required because pasta forwards rootless container traffic via
+#   host loopback, so containers appear as source 127.0.0.1.
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 # "local" is for Unix domain socket connections only
 local   all             all                                     trust
 
-# IPv4 local connections:
+# IPv4 connections (all require password, even loopback):
 {% for source in postgres_firewall_allowed_sources %}
-{% if source.startswith('127.0.0.') %}
-host    all             all             {{ source }}            trust
-{% else %}
 host    all             all             {{ source }}            scram-sha-256
-{% endif %}
 {% endfor %}
 
 # IPv6 local connections:
-host    all             all             ::1/128                 trust
+host    all             all             ::1/128                 scram-sha-256
 
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local   replication     all                                     trust
-host    replication     all             127.0.0.1/32            trust
-host    replication     all             ::1/128                 trust
+host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             ::1/128                 scram-sha-256