diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index 82a4747..f225cf2 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -141,17 +141,32 @@
 - postgresql-data
 # Postgres/Redis runs with UID/GID 999 inside the container
-- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
- ansible.builtin.template:
- src: home/pg_hba.conf
- dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
- mode: "0400"
- owner: "{{ _podman_link_user_subuid_start + 999 }}"
- group: "{{ _podman_link_user_subgid_start + 999 }}"
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL connections require password
+ ansible.builtin.lineinfile:
+ path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
+ regexp: "^local\\s+all"
+ line: "local\tall\tall\tscram-sha-256"
+ state: present
+ create: false
 become: true
 with_items:
- - zammad
- - bridge
+ - postgresql
+ - bridge-postgresql
+ notify:
+ - Restart Link
+
+# Postgres/Redis runs with UID/GID 999 inside the container
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL replication requires password
+ ansible.builtin.lineinfile:
+ path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
+ regexp: "^local\\s+replication"
+ line: "local\treplication\tall\tscram-sha-256"
+ state: present
+ create: false
+ become: true
+ with_items:
+ - postgresql
+ - bridge-postgresql
 notify:
 - Restart Link
diff --git a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
index 4677ee9..8417cec 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
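Review bot: Only the `local all` and `local replication` rules are rewritten, so any other `trust` rule initdb left in an already-initialised data directory — typically `host all all 127.0.0.1/32 trust`, its `::1/128` twin and the matching replication rules when the directory was created without `--auth-host`/`--auth` — keeps granting password-less access from inside the container, and the removed bind-mounted template (a single `host all all all scram-sha-256` line) used to override exactly those; a third task that rewrites every remaining `trust` method (below) closes this regardless of how each directory was initialised. With `create: false` both tasks also fail on a host where `{{ item }}-data/pg_hba.conf` does not exist yet (initdb writes it on the container's first start), an ordering dependency the template approach did not have — if the role starts the containers later, that needs a guard or a first-run path. I would also add above the first task: `# pg_hba.conf is generated by initdb on first start only; POSTGRES_INITDB_ARGS never touches an existing data dir, so harden the file in place`.

```yaml
# … unchanged: the two "Ensure local PostgreSQL …" lineinfile tasks …

# Whatever initdb arguments a data dir was created with, leave no rule
# that grants password-less (trust) access.
- name: Podman CDR Link | PATCH | Ensure no pg_hba.conf rule uses trust authentication
  ansible.builtin.replace:
    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
    regexp: '^((?:local|host\S*)[ \t]+.*[ \t]+)trust[ \t]*$'
    replace: '\1scram-sha-256'
  become: true
  with_items:
    - postgresql
    - bridge-postgresql
  notify:
    - Restart Link
```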
@@ -2,7 +2,6 @@
 ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
-Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
index 0fa9f11..330919b 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
@@ -7,9 +7,8 @@ Environment=POSTGRES_PASSWORD={{ podman_link_postgres_zammad_password }}
 Environment=POSTGRES_USER={{ podman_link_postgres_zammad_user }}
 Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
-Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
+Environment=POSTGRES_INITDB_ARGS=--auth=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
-Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z
diff --git a/roles/podman_link/templates/home/pg_hba.conf b/roles/podman_link/templates/home/pg_hba.conf
deleted file mode 100644
index 3a48315..0000000
--- a/roles/podman_link/templates/home/pg_hba.conf
+++ /dev/null
@@ -1 +0,0 @@
-host all all all scram-sha-256
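Review bot: `POSTGRES_INITDB_ARGS=--auth=scram-sha-256` is consumed by initdb only when `postgresql-data` is empty, so on every already-initialised deployment this line changes nothing and the directory keeps the rules written under the previous `--auth-host=scram-sha-256` (which hardened the `host` rules but left initdb's `trust` default on the `local` ones — presumably why the lineinfile tasks exist). No equivalent argument is visible for bridge-postgresql, whose only environment source in this diff is `common-bridge.env`; unless that file sets the same `POSTGRES_INITDB_ARGS`, a fresh `bridge-postgresql-data` is initialised with `trust` for the loopback `host` rules too, which the lineinfile tasks do not rewrite — worth confirming. I would record the intent next to the line: `# --auth applies to initdb only; existing data dirs are hardened in place by the pg_hba lineinfile tasks in tasks/main.yml`.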