From c72e5131548c595085e5f2c21766cf712cfb5aec Mon Sep 17 00:00:00 2001
From: irl
Date: Thu, 4 Dec 2025 18:17:38 +0000
Subject: [PATCH] feat(podman_link): secure postgres access and disable local trust
---
 roles/podman_link/tasks/main.yml | 15 +++++++++++++++
 .../systemd/bridge-postgresql.container | 1 +
 .../systemd/zammad-postgresql.container | 1 +
 roles/podman_link/templates/home/pg_hba.conf | 1 +
 4 files changed, 18 insertions(+)
 create mode 100644 roles/podman_link/templates/home/pg_hba.conf
diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index d097863..4b42cdd 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -123,6 +123,21 @@ - redis-data - postgresql-data +# Postgres/Redis runs with UID/GID 999 inside the container +- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration + ansible.builtin.template: + src: home/pg_hba.conf + dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf" + mode: "0400" + owner: "{{ _podman_link_user_subuid_start + 999 }}" + group: "{{ _podman_link_user_subgid_start + 999 }}" + become: true + with_items: + - zammad + - bridge + notify: + - Restart Link + # Bridge/Link runs with UID/GID 1000 inside the container (because it's based on the node container) - name: Podman CDR Link | PATCH | Create data directory for bridge-whatsapp ansible.builtin.file:
diff --git a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
index 8417cec..4677ee9 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
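Review bot: `with_items` in the new template task is the legacy loop form; `loop:` over the same list is the current Ansible idiom and leaves the rest of the task unchanged, i.e. `loop:` followed by `- zammad` and `- bridge`. The rendered file is identical for both items because the template does not reference `item`, so the per-item copy exists only to give each database unit its own mount source — the leading comment could say so, e.g. `# One copy per database container; each unit bind-mounts its own pg_hba.conf`, and the existing `# Postgres/Redis runs with UID/GID 999` comment mentions Redis although this task only concerns PostgreSQL. `mode: "0400"` with the subuid-mapped owner is the right host-side permission for an authentication policy file; note that the container units in this commit mount the file `rw`, so the effective restriction depends on those Volume lines as much as on this task.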
@@ -2,6 +2,7 @@ ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
index db2513e..0fa9f11 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
@@ -9,6 +9,7 @@ Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
 Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
+Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z
diff --git a/roles/podman_link/templates/home/pg_hba.conf b/roles/podman_link/templates/home/pg_hba.conf
new file mode 100644
index 0000000..3a48315
--- /dev/null
+++ b/roles/podman_link/templates/home/pg_hba.conf
@@ -0,0 +1 @@
+host all all all scram-sha-256
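Review bot: The bind mount of the authentication policy on the new Volume line is `rw`, so a process inside the database container can rewrite its own pg_hba.conf through the mount even though the host copy is installed `0400`; the file should be mounted read-only, `Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:ro,Z`, and the same applies to the corresponding line in the zammad-postgresql.container hunk. Mounting a file inside the PGDATA mount also means a fresh deployment's data directory is never empty, which, if this image uses the standard postgres entrypoint, would make initdb refuse to initialise — that first-run path should be checked before merging. One way to avoid both issues is to mount the file outside PGDATA and point the server at it with `-c hba_file=…` through `Exec=`; if the in-place mount is kept, a comment in the unit noting that it relies on the nested file mount being applied after the PGDATA directory mount would help the next reader.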
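Review bot: The new pg_hba.conf has no `local` line, so every Unix-socket connection is rejected rather than merely moved off `trust`; that covers any `psql` or `pg_isready` run inside the container and, if the image uses the standard postgres entrypoint, the temporary server it talks to over the socket during first initialisation. If socket access is still needed, the commit's intent is preserved by adding `local all all scram-sha-256` rather than restoring `trust`. The address column `all` accepts any source IP; since both database units sit on `link.network`, restricting it to that network's subnet would narrow exposure further, though the subnet is not visible in this patch. As this is a template with no Jinja in it, a header comment stating the policy — TCP only, SCRAM password authentication, no trust entries, managed by the podman_link role — would document why the image defaults were replaced.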