path: root/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
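# @summary Baseline pg_hba.conf rules for a PostgreSQL instance.
#
# Declares the rules that confine the $pg_user role to Unix-socket and
# loopback connections, followed by catch-all rules for Unix-socket clients.
# PostgreSQL applies the first pg_hba.conf record that matches a connection
# and never falls through to a later one, so the `order` values are
# significant.
#
# @param pg_path
#   Directory holding pg_hba.conf. When set, the file is assembled there with
#   concat and every rule declared in this define targets it. When unset, the
#   rules keep the default target of postgresql::server::pg_hba_rule
#   (presumably the module-managed pg_hba.conf -- confirm).
# @param pg_user
#   Owner of the generated pg_hba.conf and the database role that the 00-xx
#   rules apply to.
# @param pg_group
#   Group of the generated pg_hba.conf.
define profile::postgresql::base_pg_hba_rules (
  Optional[String] $pg_path  = undef,
  String           $pg_user  = 'postgres',
  String           $pg_group = 'postgres',
) {
  unless empty($pg_path) {
    # 0640: readable by the owner and group only. `warn => true` makes concat
    # prepend its "managed by Puppet" header to the file.
    # File[$pg_path] is not declared here; it must exist elsewhere in the
    # catalog.
    concat { "${pg_path}/pg_hba.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      warn    => true,
      require => File[$pg_path],
    }

    # Resource defaults: send the rules below to the file assembled above.
    # NOTE(review): postgresql_version is hard-coded to 10 -- confirm it
    # matches the server version actually installed.
    Postgresql::Server::Pg_hba_rule {
      target             => "${pg_path}/pg_hba.conf",
      postgresql_version => '10',
    }
  }

  # --- 00-xx: superuser role -------------------------------------------------
  # On `local` (Unix-socket) records PostgreSQL treats `ident` as `peer`: the
  # OS user name must match the requested role.
  postgresql::server::pg_hba_rule { "${title} - local access as postgres user":
    description => 'Allow local access to postgres user',
    type        => 'local',
    database    => 'all',
    user        => $pg_user,
    auth_method => 'ident',
    order       => '00-01',
  }
  # NOTE(review): md5 is the legacy password exchange. PostgreSQL 10 also
  # supports scram-sha-256; consider moving to it once stored passwords have
  # been re-hashed.
  postgresql::server::pg_hba_rule { "${title} - localhost access as postgres user":
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '127.0.0.1/32',
    auth_method => 'md5',
    order       => '00-02',
  }
  postgresql::server::pg_hba_rule { "${title} - localhost ip6 access as postgres user":
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '::1/128',
    auth_method => 'md5',
    order       => '00-03',
  }
  # Everything that is not loopback is rejected for the superuser role. This
  # must sort after the loopback rules above and before any broader `host`
  # rule added elsewhere.
  postgresql::server::pg_hba_rule { "${title} - deny access to postgresql user":
    description => 'Deny remote access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '0.0.0.0/0',
    auth_method => 'reject',
    order       => '00-04',
  }
  # 0.0.0.0/0 matches IPv4 peers only. Without an IPv6 counterpart, a remote
  # IPv6 connection as $pg_user would fall through to whatever later `host`
  # rule matches it, so reject ::/0 as well. ::1 is still admitted by 00-03.
  postgresql::server::pg_hba_rule { "${title} - deny ip6 access to postgresql user":
    description => 'Deny remote IPv6 access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '::/0',
    auth_method => 'reject',
    order       => '00-05',
  }

  # --- 10-xx: every other role, Unix socket only -----------------------------
  postgresql::server::pg_hba_rule { "${title} - local access":
    description => 'Allow local access with password',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'md5',
    order       => '10-01',
  }

  # NOTE(review): this record has the same type/database/user as 10-01 and
  # sorts after it, so PostgreSQL never reaches it -- every Unix-socket login
  # is decided by the md5 rule above. Left as-is because the intended policy
  # (password vs. peer) cannot be determined from this file; either drop this
  # rule or swap the order once that is decided.
  postgresql::server::pg_hba_rule { "${title} - local access with same name":
    description => 'Allow local access with same name',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'ident',
    order       => '10-02',
  }

}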