diff options
Diffstat (limited to 'templates/pg_hba.conf.j2')
-rw-r--r-- | templates/pg_hba.conf.j2 | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/templates/pg_hba.conf.j2 b/templates/pg_hba.conf.j2 new file mode 100644 index 0000000..930ed2a --- /dev/null +++ b/templates/pg_hba.conf.j2 | |||
@@ -0,0 +1,107 @@ | |||
1 | # {{ ansible_managed }} | ||
2 | # PostgreSQL Client Authentication Configuration File | ||
3 | # =================================================== | ||
4 | # | ||
5 | # Refer to the "Client Authentication" section in the PostgreSQL | ||
6 | # documentation for a complete description of this file. A short | ||
7 | # synopsis follows. | ||
8 | # | ||
9 | # This file controls: which hosts are allowed to connect, how clients | ||
10 | # are authenticated, which PostgreSQL user names they can use, which | ||
11 | # databases they can access. Records take one of these forms: | ||
12 | # | ||
13 | # local DATABASE USER METHOD [OPTIONS] | ||
14 | # host DATABASE USER ADDRESS METHOD [OPTIONS] | ||
15 | # hostssl DATABASE USER ADDRESS METHOD [OPTIONS] | ||
16 | # hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] | ||
17 | # | ||
18 | # (The uppercase items must be replaced by actual values.) | ||
19 | # | ||
20 | # The first field is the connection type: "local" is a Unix-domain | ||
21 | # socket, "host" is either a plain or SSL-encrypted TCP/IP socket, | ||
22 | # "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a | ||
23 | # plain TCP/IP socket. | ||
24 | # | ||
25 | # DATABASE can be "all", "sameuser", "samerole", "replication", a | ||
26 | # database name, or a comma-separated list thereof. The "all" | ||
27 | # keyword does not match "replication". Access to replication | ||
28 | # must be enabled in a separate record (see example below). | ||
29 | # | ||
30 | # USER can be "all", a user name, a group name prefixed with "+", or a | ||
31 | # comma-separated list thereof. In both the DATABASE and USER fields | ||
32 | # you can also write a file name prefixed with "@" to include names | ||
33 | # from a separate file. | ||
34 | # | ||
35 | # ADDRESS specifies the set of hosts the record matches. It can be a | ||
36 | # host name, or it is made up of an IP address and a CIDR mask that is | ||
37 | # an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that | ||
38 | # specifies the number of significant bits in the mask. A host name | ||
39 | # that starts with a dot (.) matches a suffix of the actual host name. | ||
40 | # Alternatively, you can write an IP address and netmask in separate | ||
41 | # columns to specify the set of hosts. Instead of a CIDR-address, you | ||
42 | # can write "samehost" to match any of the server's own IP addresses, | ||
43 | # or "samenet" to match any address in any subnet that the server is | ||
44 | # directly connected to. | ||
45 | # | ||
46 | # METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", | ||
47 | # "ident", "peer", "pam", "ldap", "radius" or "cert". Note that | ||
48 | # "password" sends passwords in clear text; "md5" is preferred since | ||
49 | # it sends encrypted passwords. | ||
50 | # | ||
51 | # OPTIONS are a set of options for the authentication in the format | ||
52 | # NAME=VALUE. The available options depend on the different | ||
53 | # authentication methods -- refer to the "Client Authentication" | ||
54 | # section in the documentation for a list of which options are | ||
55 | # available for which authentication methods. | ||
56 | # | ||
57 | # Database and user names containing spaces, commas, quotes and other | ||
58 | # special characters must be quoted. Quoting one of the keywords | ||
59 | # "all", "sameuser", "samerole" or "replication" makes the name lose | ||
60 | # its special character, and just match a database or username with | ||
61 | # that name. | ||
62 | # | ||
63 | # This file is read on server startup and when the postmaster receives | ||
64 | # a SIGHUP signal. If you edit the file on a running system, you have | ||
65 | # to SIGHUP the postmaster for the changes to take effect. You can | ||
66 | # use "pg_ctl reload" to do that. | ||
67 | |||
68 | # Put your actual configuration here | ||
69 | # ---------------------------------- | ||
70 | # | ||
71 | # If you want to allow non-local connections, you need to add more | ||
72 | # "host" records. In that case you will also need to make PostgreSQL | ||
73 | # listen on a non-local interface via the listen_addresses | ||
74 | # configuration parameter, or via the -i or -h command line switches. | ||
75 | |||
76 | |||
77 | |||
78 | |||
79 | # DO NOT DISABLE! | ||
80 | # If you change this first entry you will need to make sure that the | ||
81 | # database superuser can access the database using some other method. | ||
82 | # Noninteractive access to all databases is required during automatic | ||
83 | # maintenance (custom daily cronjobs, replication, and similar tasks). | ||
84 | # | ||
85 | # Database administrative login by Unix domain socket | ||
86 | local all postgres peer | ||
87 | |||
88 | # TYPE DATABASE USER ADDRESS METHOD | ||
89 | |||
90 | # "local" is for Unix domain socket connections only | ||
91 | local all all peer | ||
92 | # IPv4 local connections: | ||
93 | host all all 127.0.0.1/32 md5 | ||
94 | {% for host in postgres_allowed_hosts %} | ||
95 | host all {{ host.user }} {{ host.range }} md5 | ||
96 | {% endfor %} | ||
97 | |||
98 | # IPv6 local connections: | ||
99 | host all all ::1/128 md5 | ||
100 | # Allow replication connections from localhost, by a user with the | ||
101 | # replication privilege. | ||
102 | #local replication postgres peer | ||
103 | #host replication postgres 127.0.0.1/32 md5 | ||
104 | #host replication postgres ::1/128 md5 | ||
105 | {% for host in postgres_replication_hosts %} | ||
106 | hostssl replication {{ host.user }} {{ host.range }} md5 | ||
107 | {% endfor %} | ||