git.immae.eu Git - perso/Immae/Projets/Puppet.git/blob - modules/profile/manifests/postgresql/base_pg_hba_rules.pp
Refactor backup postgresql
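# @summary Declares the baseline pg_hba.conf rules for one PostgreSQL instance.
#
# When $pg_path is set, the instance's pg_hba.conf is managed as a concat
# target inside that directory and every rule declared here is written to it.
# When $pg_path is left undef, no file is declared and the rules fall back to
# whatever target and version postgresql::server::pg_hba_rule uses by default.
#
# Rules are emitted in `order`; PostgreSQL applies the first pg_hba line that
# matches a connection, so the "00-*" superuser rules take precedence over the
# "10-*" general rules.
#
# @param pg_path
#   Directory that holds pg_hba.conf. File[$pg_path] must be declared
#   elsewhere, because the concat target requires it.
# @param pg_user
#   Owner of pg_hba.conf and the database user the "00-*" rules apply to.
# @param pg_group
#   Group of pg_hba.conf.
define profile::postgresql::base_pg_hba_rules (
  Optional[String] $pg_path  = undef,
  String           $pg_user  = 'postgres',
  String           $pg_group = 'postgres',
) {
  unless empty($pg_path) {
    # pg_hba.conf is the instance's access-control list: keep it readable by
    # the database owner and group only.
    concat { "${pg_path}/pg_hba.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      warn    => true,
      require => File[$pg_path],
    }

    # Resource defaults for the rules declared below in this define, so that
    # each one lands in this instance's file without repeating the target.
    Postgresql::Server::Pg_hba_rule {
      target             => "${pg_path}/pg_hba.conf",
      postgresql_version => '10',
    }
  }

  # --- 00-*: rules for the database superuser ------------------------------

  postgresql::server::pg_hba_rule { "${title} - local access as postgres user":
    description => 'Allow local access to postgres user',
    type        => 'local',
    database    => 'all',
    user        => $pg_user,
    auth_method => 'ident',
    order       => '00-01',
  }

  # NOTE(review): 'md5' is kept as-is on the two loopback rules. PostgreSQL 10
  # also supports 'scram-sha-256'; moving to it needs the stored passwords to
  # be re-hashed first, and the module version in use must accept the value.
  postgresql::server::pg_hba_rule { "${title} - localhost access as postgres user":
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '127.0.0.1/32',
    auth_method => 'md5',
    order       => '00-02',
  }

  # This rule used to set target and postgresql_version explicitly. With
  # $pg_path undef that interpolated to "/pg_hba.conf", a target no concat
  # resource declares, while its sibling rules used the module defaults. It
  # now relies on the resource defaults above like every other rule.
  postgresql::server::pg_hba_rule { "${title} - localhost ip6 access as postgres user":
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '::1/128',
    auth_method => 'md5',
    order       => '00-03',
  }

  postgresql::server::pg_hba_rule { "${title} - deny access to postgresql user":
    description => 'Deny remote access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '0.0.0.0/0',
    auth_method => 'reject',
    order       => '00-04',
  }

  # 0.0.0.0/0 only matches IPv4 peers. Without an IPv6 counterpart, a remote
  # IPv6 connection as the superuser is not rejected here and falls through
  # to whatever later "host" rules the instance defines.
  postgresql::server::pg_hba_rule { "${title} - deny ip6 access to postgresql user":
    description => 'Deny remote IPv6 access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '::/0',
    auth_method => 'reject',
    order       => '00-05',
  }

  # --- 10-*: rules for every other local connection ------------------------

  postgresql::server::pg_hba_rule { "${title} - local access":
    description => 'Allow local access with password',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'md5',
    order       => '10-01',
  }

  # NOTE(review): this rule has the same type/database/user as 10-01, and
  # PostgreSQL stops at the first matching line without falling through on a
  # failed authentication, so as ordered this line looks unreachable. Confirm
  # which of the two methods is intended for local connections.
  postgresql::server::pg_hba_rule { "${title} - local access with same name":
    description => 'Allow local access with same name',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'ident',
    order       => '10-02',
  }
}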