From 9f3e920d7dca8fd482b5e49475e94e660d5ad7e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Tue, 11 Nov 2025 11:11:47 +0100
Subject: [PATCH] fix: review postgres on multiple iface

---
 roles/postgres/README.md | 40 ++++++++-----------------
 roles/postgres/defaults/main.yml | 6 ++--
 roles/postgres/tasks/main.yml | 14 ++++-----
 roles/postgres/templates/custom.conf.j2 | 2 +-
 roles/postgres/templates/pg_hba.conf.j2 | 28 +++++++++++++++++
 5 files changed, 52 insertions(+), 38 deletions(-)
 create mode 100644 roles/postgres/templates/pg_hba.conf.j2

diff --git a/roles/postgres/README.md b/roles/postgres/README.md
index 0f627bc..2c85890 100644
--- a/roles/postgres/README.md
+++ b/roles/postgres/README.md
@@ -17,33 +17,19 @@ This Ansible role installs and configures PostgreSQL for local use only. It prov
 
 ## Role Variables
 
-Available variables with defaults (see `defaults/main.yml`):
+See `defaults/main.yml` for all available variables and their default values.
 
+### Key Configuration Requirements
+
+#### Required Password
+
+The `postgres_admin_password` variable must be set in your inventory (min 12 characters). The role will fail if not set.
+
+#### Container Access
+
+For containers to access PostgreSQL, set `postgres_bind` to include the Podman gateway:
 ```yaml
-# PostgreSQL admin user
-postgres_admin_user: postgres
-
-# PostgreSQL admin password (REQUIRED - must be set explicitly)
-# postgres_admin_password: "" # Intentionally undefined
-
-# PostgreSQL data directory
-postgres_data_dir: /var/lib/postgres/data
-
-# Network configuration
-postgres_listen_addresses: 127.0.0.1 # For container access: "127.0.0.1,{{ podman_subnet_gateway }}"
-postgres_port: 5432
-
-# Firewall configuration
-postgres_firewall_allowed_sources:
-  - 127.0.0.0/8 # Localhost
-  - "{{ podman_subnet | default('10.88.0.0/16') }}" # Podman bridge network
-
-# Performance tuning
-postgres_shared_buffers: 256MB
-postgres_effective_cache_size: 1GB
-postgres_maintenance_work_mem: 64MB
-postgres_work_mem: 4MB
-postgres_max_connections: 100
+postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
 ```
 
 ## Dependencies
@@ -102,7 +88,7 @@ If your service runs in a container (Docker/Podman), you need to configure Postg
 **Step 1: Configure PostgreSQL in inventory**
 ```yaml
 # inventory/host_vars/yourserver.yml
-postgres_listen_addresses: "127.0.0.1,{{ podman_subnet_gateway }}"
+postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
 postgres_firewall_allowed_sources:
   - 127.0.0.0/8
   - "{{ podman_subnet }}"
@@ -168,7 +154,7 @@ The pattern above ensures users have:
 
 PostgreSQL default configuration:
 - Listens on `localhost` only by default
-- To allow container access, set `postgres_listen_addresses` to include Podman gateway
+- To allow container access, set `postgres_bind` to include Podman gateway
 - UFW firewall rules automatically configured for allowed sources
 - `pg_hba.conf` automatically configured for Podman subnet when enabled
 - No remote network access by default
diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index 5d8eddb..a4bb377 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -13,12 +13,12 @@ postgres_admin_user: postgres
 postgres_data_dir: /var/lib/postgres/data
 
 # Binding address(es)
-postgres_listen_addresses: "127.0.0.1,{{ podman_subnet_gateway | default('10.88.0.1' }}"
+# example: postgres_bind: "127.0.0.1,10.89.0.1"
+postgres_bind: "127.0.0.1"
 
 # Firewall configuration
 postgres_firewall_allowed_sources:
-  - 127.0.0.0/8 # Localhost
-  - "{{ podman_subnet | default('10.88.0.0/16') }}" # Podman bridge network
+  - 127.0.0.0/8
 
 # Performance tuning (adjust based on your hardware)
 postgres_shared_buffers: 256MB
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index c38573d..dbb90e4 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -48,13 +48,13 @@
     mode: "0640"
   notify: Restart PostgreSQL
 
-- name: Configure pg_hba.conf for Podman subnet access
-  ansible.builtin.lineinfile:
-    path: "{{ postgres_hba_path }}"
-    line: "host all all {{ podman_subnet }} scram-sha-256"
-    insertafter: "^# IPv4 local connections:"
-    state: present
-  when: podman_subnet is defined
+- name: Deploy pg_hba.conf from template
+  ansible.builtin.template:
+    src: pg_hba.conf.j2
+    dest: "{{ postgres_hba_path }}"
+    owner: postgres
+    group: postgres
+    mode: "0640"
   notify: Restart PostgreSQL
 
 - name: Setup firewall rules for PostgreSQL
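Review bot: The new `postgres_firewall_allowed_sources` default now does double duty: besides the UFW rules it is the list the new `pg_hba.conf.j2` template iterates to emit `host` authentication entries, but the comment above it (`# Firewall configuration`) still describes only the firewall, so an operator who adds a subnet here will not realise they are also opening PostgreSQL authentication to it. Document that in the defaults, e.g. `# Sources allowed by UFW *and* rendered as host entries in pg_hba.conf (see templates/pg_hba.conf.j2)`. The `# example: postgres_bind:` comment could likewise say that a non-loopback address listed in `postgres_bind` only becomes reachable when its network is also present in `postgres_firewall_allowed_sources`, which the README's Step 1 shows but the defaults file does not.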
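Review bot: The new `Deploy pg_hba.conf from template` task replaces the whole packaged `pg_hba.conf`, whereas the removed `lineinfile` task only inserted one line into it, so any entries the distribution or an operator had in that file are discarded on the first run without a trace; add `backup: true` to the `ansible.builtin.template` task so the previous file is kept next to it. The task also now runs unconditionally (the `when: podman_subnet is defined` guard is gone), which is consistent with the template depending only on `postgres_firewall_allowed_sources`, but that is worth stating in a comment on the task. The README context line `pg_hba.conf automatically configured for Podman subnet when enabled` in the hunk above no longer describes this behaviour. The surrounding task list begins before and continues after this hunk.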
diff --git a/roles/postgres/templates/custom.conf.j2 b/roles/postgres/templates/custom.conf.j2
index 847c922..32f2cdb 100644
--- a/roles/postgres/templates/custom.conf.j2
+++ b/roles/postgres/templates/custom.conf.j2
@@ -2,7 +2,7 @@
 # Override settings from main postgresql.conf
 
 # Network configuration
-listen_addresses = '{{ postgres_listen_addresses }}'
+listen_addresses = '{{ postgres_bind }}'
 port = {{ postgres_port }}
 
 # Performance tuning
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
new file mode 100644
index 0000000..10c13ea
--- /dev/null
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -0,0 +1,28 @@
+# PostgreSQL Client Authentication Configuration File
+# { ansible_managed }
+# ============================================================================
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.
+
+# TYPE DATABASE USER ADDRESS METHOD
+# "local" is for Unix domain socket connections only
+local all all trust
+
+# IPv4 local connections:
+{% for source in postgres_firewall_allowed_sources %}
+{% if source.startswith('127.0.0.') %}
+host all all {{ source }} trust
+{% else %}
+host all all {{ source }} scram-sha-256
+{% endif %}
+{% endfor %}
+
+# IPv6 local connections:
+host all all ::1/128 trust
+
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all trust
+host replication all 127.0.0.1/32 trust
+host replication all ::1/128 trust
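Review bot: The template renders `trust` for `local`, for `::1/128` and for every source matching `startswith('127.0.0.')` — which includes the `127.0.0.0/8` default — so any OS user or process able to reach the Unix socket or loopback connects as any database role, `postgres` included, without a password; that makes the `postgres_admin_password` the README now declares mandatory irrelevant for local access, and a container running with host networking falls into the same bucket. Unless the role's own provisioning tasks rely on it (they are not in this diff), drop the `{% if %}`/`{% else %}` branch and render `host all all {{ source }} scram-sha-256` for every source (and `::1/128`), and use `local all all peer` so tasks executed as the `postgres` OS user keep working. Separately, `# { ansible_managed }` uses single braces, so the marker is written literally instead of being expanded; it should read `# {{ ansible_managed }}`.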