fix(podman_link): always use scram-sha-256 auth for postgres

2025-12-20 14:55:47 +00:00 · 2025-12-20 14:55:47 +00:00 · d51df92450
commit d51df92450
parent a4cc851036
4 changed files with 25 additions and 13 deletions
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@ -141,17 +141,32 @@
    - postgresql-data

 # Postgres/Redis runs with UID/GID 999 inside the container
- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
-  ansible.builtin.template:
-    src: home/pg_hba.conf
-    dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
-    mode: "0400"
-    owner: "{{ _podman_link_user_subuid_start + 999 }}"
-    group: "{{ _podman_link_user_subgid_start + 999 }}"
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL connections require password
+  ansible.builtin.lineinfile:
+    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
+    regexp: "^local\\s+all"
+    line: "local\tall\tall\tscram-sha-256"
+    state: present
+    create: false
  become: true
  with_items:
-    - zammad
-    - bridge
+    - postgresql
+    - bridge-postgresql
+  notify:
+    - Restart Link
+
+# Postgres/Redis runs with UID/GID 999 inside the container
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL replication requires password
+  ansible.builtin.lineinfile:
+    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
+    regexp: "^local\\s+replication"
+    line: "local\treplication\tall\tscram-sha-256"
+    state: present
+    create: false
+  become: true
+  with_items:
+    - postgresql
+    - bridge-postgresql
  notify:
    - Restart Link