fix(podman_link): always use scram-sha-256 auth for postgres

2025-12-20 14:55:47 +00:00 · 2025-12-20 14:55:47 +00:00 · d51df92450
commit d51df92450
parent a4cc851036
4 changed files with 25 additions and 13 deletions
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@ -141,17 +141,32 @@
    - postgresql-data
 # Postgres/Redis runs with UID/GID 999 inside the container
- name: Podman CDR Link | PATCH | Install PostgreSQL host-based authentication configuration
+- name: Podman CDR Link | PATCH | Ensure local PostgreSQL connections require password
-  ansible.builtin.template:
+  ansible.builtin.lineinfile:
-    src: home/pg_hba.conf
+    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
-    dest: "/home/{{ podman_link_podman_rootless_user }}/pg_hba_{{ item }}.conf"
+    regexp: "^local\\s+all"
-    mode: "0400"
+    line: "local\tall\tall\tscram-sha-256"
-    owner: "{{ _podman_link_user_subuid_start + 999 }}"
+    state: present
-    group: "{{ _podman_link_user_subgid_start + 999 }}"
+    create: false
  become: true
  with_items:
-    - zammad
+    - postgresql
-    - bridge
+    - bridge-postgresql
  notify:
    - Restart Link
 # Postgres/Redis runs with UID/GID 999 inside the container
 - name: Podman CDR Link | PATCH | Ensure local PostgreSQL replication requires password
  ansible.builtin.lineinfile:
    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}-data/pg_hba.conf"
    regexp: "^local\\s+replication"
    line: "local\treplication\tall\tscram-sha-256"
    state: present
    create: false
  become: true
  with_items:
    - postgresql
    - bridge-postgresql
  notify:
    - Restart Link
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-postgresql.container
@ -2,7 +2,6 @@
 ContainerName=bridge-postgresql
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_bridge.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-postgresql-data:/var/lib/postgresql/data:rw,Z
 Network=link.network
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
@ -7,9 +7,8 @@ Environment=POSTGRES_PASSWORD={{ podman_link_postgres_zammad_password }}
 Environment=POSTGRES_USER={{ podman_link_postgres_zammad_user }}
 Environment=POSTGRES_DB={{ podman_link_postgres_zammad_database }}
 Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
-Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
+Environment=POSTGRES_INITDB_ARGS=--auth=scram-sha-256
 Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/pg_hba_zammad.conf:/var/lib/postgresql/data/pg_hba.conf:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z
--- a/roles/podman_link/templates/home/pg_hba.conf
+++ b/roles/podman_link/templates/home/pg_hba.conf
@ -1 +0,0 @@
 host all all all scram-sha-256