fix: review postgres on multiple iface

roles/postgres/README.md

@@ -17,33 +17,19 @@ This Ansible role installs and configures PostgreSQL for local use only. It prov
 
 ## Role Variables
 
-Available variables with defaults (see `defaults/main.yml`):
+See `defaults/main.yml` for all available variables and their default values.
 
+### Key Configuration Requirements
+
+#### Required Password
+
+The `postgres_admin_password` variable must be set in your inventory (min 12 characters). The role will fail if not set.
+
+#### Container Access
+
+For containers to access PostgreSQL, set `postgres_bind` to include the Podman gateway:
 ```yaml
-# PostgreSQL admin user
-postgres_admin_user: postgres
-
-# PostgreSQL admin password (REQUIRED - must be set explicitly)
-# postgres_admin_password: ""  # Intentionally undefined
-
-# PostgreSQL data directory
-postgres_data_dir: /var/lib/postgres/data
-
-# Network configuration
-postgres_listen_addresses: 127.0.0.1  # For container access: "127.0.0.1,{{ podman_subnet_gateway }}"
-postgres_port: 5432
-
-# Firewall configuration
-postgres_firewall_allowed_sources:
-  - 127.0.0.0/8  # Localhost
-  - "{{ podman_subnet | default('10.88.0.0/16') }}"  # Podman bridge network
-
-# Performance tuning
-postgres_shared_buffers: 256MB
-postgres_effective_cache_size: 1GB
-postgres_maintenance_work_mem: 64MB
-postgres_work_mem: 4MB
-postgres_max_connections: 100
+postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
 ```
 
 ## Dependencies
@@ -102,7 +88,7 @@ If your service runs in a container (Docker/Podman), you need to configure Postg
 **Step 1: Configure PostgreSQL in inventory**
 ```yaml
 # inventory/host_vars/yourserver.yml
-postgres_listen_addresses: "127.0.0.1,{{ podman_subnet_gateway }}"
+postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
 postgres_firewall_allowed_sources:
   - 127.0.0.0/8
   - "{{ podman_subnet }}"
@@ -168,7 +154,7 @@ The pattern above ensures users have:
 
 PostgreSQL default configuration:
 - Listens on `localhost` only by default
-- To allow container access, set `postgres_listen_addresses` to include Podman gateway
+- To allow container access, set `postgres_bind` to include Podman gateway
 - UFW firewall rules automatically configured for allowed sources
 - `pg_hba.conf` automatically configured for Podman subnet when enabled
 - No remote network access by default

roles/postgres/defaults/main.yml

@@ -13,12 +13,12 @@ postgres_admin_user: postgres
 postgres_data_dir: /var/lib/postgres/data
 
 # Binding address(es)
-postgres_listen_addresses: "127.0.0.1,{{ podman_subnet_gateway | default('10.88.0.1' }}"
+# example: postgres_bind: "127.0.0.1,10.89.0.1"
+postgres_bind: "127.0.0.1"
 
 # Firewall configuration
 postgres_firewall_allowed_sources:
-  - 127.0.0.0/8 # Localhost
-  - "{{ podman_subnet | default('10.88.0.0/16') }}" # Podman bridge network
+  - 127.0.0.0/8
 
 # Performance tuning (adjust based on your hardware)
 postgres_shared_buffers: 256MB

roles/postgres/tasks/main.yml

@@ -48,13 +48,13 @@
     mode: "0640"
   notify: Restart PostgreSQL
 
-- name: Configure pg_hba.conf for Podman subnet access
-  ansible.builtin.lineinfile:
-    path: "{{ postgres_hba_path }}"
-    line: "host    all             all             {{ podman_subnet }}            scram-sha-256"
-    insertafter: "^# IPv4 local connections:"
-    state: present
-  when: podman_subnet is defined
+- name: Deploy pg_hba.conf from template
+  ansible.builtin.template:
+    src: pg_hba.conf.j2
+    dest: "{{ postgres_hba_path }}"
+    owner: postgres
+    group: postgres
+    mode: "0640"
   notify: Restart PostgreSQL
 
 - name: Setup firewall rules for PostgreSQL

roles/postgres/templates/custom.conf.j2

@@ -2,7 +2,7 @@
 # Override settings from main postgresql.conf
 
 # Network configuration
-listen_addresses = '{{ postgres_listen_addresses }}'
+listen_addresses = '{{ postgres_bind }}'
 port = {{ postgres_port }}
 
 # Performance tuning

roles/postgres/templates/pg_hba.conf.j2

@@ -0,0 +1,28 @@
+# PostgreSQL Client Authentication Configuration File
+# { ansible_managed }
+# ============================================================================
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+# "local" is for Unix domain socket connections only
+local   all             all                                     trust
+
+# IPv4 local connections:
+{% for source in postgres_firewall_allowed_sources %}
+{% if source.startswith('127.0.0.') %}
+host    all             all             {{ source }}            trust
+{% else %}
+host    all             all             {{ source }}            scram-sha-256
+{% endif %}
+{% endfor %}
+
+# IPv6 local connections:
+host    all             all             ::1/128                 trust
+
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     trust
+host    replication     all             127.0.0.1/32            trust
+host    replication     all             ::1/128                 trust