modules/profile/manifests/postgresql/base_pg_hba_rules.pp

   1 define profile::postgresql::base_pg_hba_rules (
   2   Optional[String] $pg_path  = undef,
   3   String           $pg_user  = "postgres",
   4   String           $pg_group = "postgres",
   5 ) {
   6   unless empty($pg_path) {
   7     concat { "$pg_path/pg_hba.conf":
   8       owner   => $pg_user,
   9       group   => $pg_group,
  10       mode    => '0640',
  11       warn    => true,
  12       require => File[$pg_path],
  13     }
  14
  15     Postgresql::Server::Pg_hba_rule {
  16       target             => "$pg_path/pg_hba.conf",
  17       postgresql_version => "10",
  18     }
  19   }
  20
  21   postgresql::server::pg_hba_rule { "$title - local access as postgres user":
  22     description => 'Allow local access to postgres user',
  23     type        => 'local',
  24     database    => 'all',
  25     user        => $pg_user,
  26     auth_method => 'ident',
  27     order       => "00-01",
  28   }
  29   postgresql::server::pg_hba_rule { "$title - localhost access as postgres user":
  30     description => 'Allow localhost access to postgres user',
  31     type        => 'host',
  32     database    => 'all',
  33     user        => $pg_user,
  34     address     => "127.0.0.1/32",
  35     auth_method => 'md5',
  36     order       => "00-02",
  37   }
  38   postgresql::server::pg_hba_rule { "$title - localhost ip6 access as postgres user":
  39     description => 'Allow localhost access to postgres user',
  40     type        => 'host',
  41     database    => 'all',
  42     user        => $pg_user,
  43     address     => "::1/128",
  44     auth_method => 'md5',
  45     order       => "00-03",
  46   }
  47   postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
  48     description => 'Deny remote access to postgres user',
  49     type        => 'host',
  50     database    => 'all',
  51     user        => $pg_user,
  52     address     => "0.0.0.0/0",
  53     auth_method => 'reject',
  54     order       => "00-04",
  55   }
  56   postgresql::server::pg_hba_rule { "$title - local access":
  57     description => 'Allow local access with password',
  58     type        => 'local',
  59     database    => 'all',
  60     user        => 'all',
  61     auth_method => 'md5',
  62     order       => "10-01",
  63   }
  64
  65   postgresql::server::pg_hba_rule { "$title - local access with same name":
  66     description => 'Allow local access with same name',
  67     type        => 'local',
  68     database    => 'all',
  69     user        => 'all',
  70     auth_method => 'ident',
  71     order       => "10-02",
  72   }
  73
  74 }