Clément Désiles
31 lines
1.4 KiB
Django/Jinja
31 lines
1.4 KiB
Django/Jinja
# PostgreSQL Client Authentication Configuration File
|
|
# { ansible_managed }
|
|
# ============================================================================
|
|
# This file controls: which hosts are allowed to connect, how clients
|
|
# are authenticated, which PostgreSQL user names they can use, which
|
|
# databases they can access.
|
|
#
|
|
# Authentication policy:
|
|
# - Unix socket: trust (admin access via `become_user: postgres`, e.g. Ansible)
|
|
# - All TCP connections: scram-sha-256 (passwords required, including loopback)
|
|
# This is required because pasta forwards rootless container traffic via
|
|
# host loopback, so containers appear as source 127.0.0.1.
|
|
|
|
# TYPE DATABASE USER ADDRESS METHOD
|
|
# "local" is for Unix domain socket connections only
|
|
local all all trust
|
|
|
|
# IPv4 connections (all require password, even loopback):
|
|
{% for source in postgres_firewall_allowed_sources %}
|
|
host all all {{ source }} scram-sha-256
|
|
{% endfor %}
|
|
|
|
# IPv6 local connections:
|
|
host all all ::1/128 scram-sha-256
|
|
|
|
# Allow replication connections from localhost, by a user with the
|
|
# replication privilege.
|
|
local replication all trust
|
|
host replication all 127.0.0.1/32 scram-sha-256
|
|
host replication all ::1/128 scram-sha-256
|