fix: secure pg + fix old way of sharing podman network

inventory/host_vars/example.yml

@@ -14,10 +14,6 @@ network_interfaces:
   - name: lan1
     type: ethernet
     mac_address: 0a:3f:5b:1c:d2:e4
-  - name: podman-gw
-    type: bridge
-    ipv4:
-      address: "{{ podman_gw_gateway }}/10"
 
 # Unbound DNS resolver configuration
 # ----------------------------------
@@ -151,24 +147,24 @@ nfs_bind_addresses:
 
 # Podman configuration
 # --------------------
-podman_gw_gateway: 100.64.0.1
+# Address inside containers that maps to the host's loopback (via pasta
-podman_gw_subnet: 100.64.0.0/10
+# --map-host-loopback). Containers reach host services bound to 127.0.0.1
+# by connecting to this address. Defined in roles/podman/defaults/main.yml.
+# podman_gw_gateway: 100.64.0.1
 
 # PostgreSQL configuration
 # ------------------------
 postgres_admin_password: "{{ vault_postgres_admin_password }}"
-postgres_bind: "127.0.0.1,{{ podman_gw_gateway }}" # Comma-separated for PostgreSQL
+postgres_bind: "127.0.0.1"
 postgres_firewall_allowed_sources:
   - 127.0.0.0/8
-  - "{{ podman_gw_subnet }}"
 
 # Valkey configuration
 # --------------------
 valkey_admin_password: "{{ vault_valkey_admin_password }}"
-valkey_bind: "127.0.0.1 {{ podman_gw_gateway }}" # Space-separated for Valkey
+valkey_bind: "127.0.0.1"
 valkey_firewall_allowed_sources:
   - 127.0.0.0/8
-  - "{{ podman_gw_subnet }}"
 
 # Valkey ACL users
 valkey_acl_users:

roles/net_persist/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: Process ethernet interface persistence
   when: interface.type is not defined or interface.type == 'ethernet'
   block:
-    - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address }})"
+    - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address | default('N/A') }})"
       ansible.builtin.set_fact:
         interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}"
 

roles/networking/tasks/main.yml

@@ -20,6 +20,29 @@
     interface: "{{ item }}"
   loop: "{{ hostvars[inventory_hostname].network_interfaces | default([]) }}"
 
+- name: Remove stale podman-gw systemd-networkd configuration
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/systemd/network/10-podman-gw.netdev
+    - /etc/systemd/network/20-podman-gw.network
+  register: stale_podman_gw
+
+- name: Mark networkd reload required after podman-gw cleanup
+  ansible.builtin.set_fact:
+    network_reload_required: true
+  when: stale_podman_gw is changed
+
+- name: Tear down podman-gw bridge interface if present
+  ansible.builtin.command: ip link delete podman-gw
+  register: podman_gw_link_del
+  changed_when: podman_gw_link_del.rc == 0
+  failed_when:
+    - podman_gw_link_del.rc != 0
+    - "'Cannot find device' not in podman_gw_link_del.stderr"
+    - "'does not exist' not in podman_gw_link_del.stderr"
+
 - name: Reload networkd and resolved
   ansible.builtin.systemd:
     name: "{{ item }}"

roles/postgres/templates/pg_hba.conf.j2

@@ -4,25 +4,27 @@
 # This file controls: which hosts are allowed to connect, how clients
 # are authenticated, which PostgreSQL user names they can use, which
 # databases they can access.
+#
+# Authentication policy:
+# - Unix socket: trust (admin access via `become_user: postgres`, e.g. Ansible)
+# - All TCP connections: scram-sha-256 (passwords required, including loopback)
+#   This is required because pasta forwards rootless container traffic via
+#   host loopback, so containers appear as source 127.0.0.1.
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 # "local" is for Unix domain socket connections only
 local   all             all                                     trust
 
-# IPv4 local connections:
+# IPv4 connections (all require password, even loopback):
 {% for source in postgres_firewall_allowed_sources %}
-{% if source.startswith('127.0.0.') %}
-host    all             all             {{ source }}            trust
-{% else %}
 host    all             all             {{ source }}            scram-sha-256
-{% endif %}
 {% endfor %}
 
 # IPv6 local connections:
-host    all             all             ::1/128                 trust
+host    all             all             ::1/128                 scram-sha-256
 
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local   replication     all                                     trust
-host    replication     all             127.0.0.1/32            trust
+host    replication     all             127.0.0.1/32            scram-sha-256
-host    replication     all             ::1/128                 trust
+host    replication     all             ::1/128                 scram-sha-256