feat(podman_link): secure postgres access and disable local trust

2025-12-04 18:17:38 +00:00 · 2025-12-04 18:17:38 +00:00 · c72e513154
commit c72e513154
parent e79576cd73
4 changed files with 18 additions and 0 deletions
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@ -123,6 +123,21 @@
    - redis-data
    - postgresql-data

+# Postgres/Redis runs with UID/GID 999 inside the container
+- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
+  ansible.builtin.template:
+    src: home/pg_hba.conf
+    dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
+    mode: "0400"
+    owner: "{{ _podman_link_user_subuid_start + 999 }}"
+    group: "{{ _podman_link_user_subgid_start + 999 }}"
+  become: true
+  with_items:
+    - zammad
+    - bridge
+  notify:
+    - Restart Link
+
 # Bridge/Link runs with UID/GID 1000 inside the container (because it's based on the node container)
 - name: Podman CDR Link | PATCH | Create data directory for bridge-whatsapp
  ansible.builtin.file:
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
@ -2,6 +2,7 @@
 ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network

--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
@ -9,6 +9,7 @@ Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
 Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z
--- a/roles/podman_link/templates/home/pg_hba.conf
+++ b/roles/podman_link/templates/home/pg_hba.conf
@ -0,0 +1 @@
+host all all all scram-sha-256