| author | 2024-06-02 19:57:13 +0100 | |
|---|---|---|
| committer | 2024-06-04 19:59:20 +0100 | |
| commit | 6d25b4a6398b2e92ffd68abc7e3f282e2b6eb649 (patch) | |
| tree | c7f083c3e937826fb1c67d162a03f19dda9c1107 /ansible/roles | |
| parent | Add devops user account (diff) | |
Add automatic HBA rules for all users to connect via mTLS
Diffstat (limited to 'ansible/roles')
| -rw-r--r-- | ansible/roles/postgres/tasks/main.yml | 12 | 
1 files changed, 9 insertions, 3 deletions
diff --git a/ansible/roles/postgres/tasks/main.yml b/ansible/roles/postgres/tasks/main.yml
index 1fb54e3..6ba787d 100644
--- a/ansible/roles/postgres/tasks/main.yml
+++ b/ansible/roles/postgres/tasks/main.yml
@@ -24,7 +24,7 @@
   community.postgresql.postgresql_user:
     name: "{{ item.name }}"
     password: "{{ item.password }}"
-    role_attr_flags: "{{ item['role_attr_flags'] | default('') }}"
+    role_attr_flags: "{{ item.role_attr_flags | default('') }}"
     state: present
   loop_control:
     label: "{{ item.name }}"
@@ -51,8 +51,14 @@
     insertafter: "# Put your actual configuration here"
     marker: "# {mark} ANSIBLE MANAGED HBA CONF BLOCK"
     block: |
+      # Manually configured HBA rules
       {% for rule in postgres_hba_rules %}
-      {{ rule.conn_type }}    {{ rule.database }}    {{ rule.user }}    {{ rule.address }}    {{ rule.method }}   {{ rule['options'] | default('') }}
+      {{ rule.conn_type }}    {{ rule.database }}    {{ rule.user }}    {{ rule.address }}    {{ rule.method }}   {{ rule.options | default('') }}
+      {% endfor %}
+
+      # Automatically configured mTLS HBA rules
+      {% for user in postgres_users if user.name != 'devops' %}
+      hostssl {{ user.name }} {{ user.name }} all cert map=mtls_cn_map
       {% endfor %}
   loop: "{{ postgres_hba_rules }}"
   notify:
@@ -114,4 +120,4 @@
   tags:
     - role::postgres
   notify:
-    - Restart the postgres service
+    - Reload the postgres service
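Review bot: The automatically generated mTLS rules in the second hunk are only written when `postgres_hba_rules` is non-empty, because the enclosing blockinfile task still carries `loop: "{{ postgres_hba_rules }}"` while the `block:` template now iterates both lists itself; with no manual rules Ansible skips the task and no `hostssl` line is ever emitted, and with N manual rules the same full block is evaluated N times. Removing the `loop:` (and any matching `loop_control`) so the task runs once would fix both; the task's opening lines are outside the hunk. Independently, `{{ user.name }}` is interpolated unquoted into a whitespace-separated pg_hba.conf line, so a name that is a pg_hba keyword (`all`, `sameuser`, `replication`) or contains whitespace or a leading `+`/`@` changes what the rule matches; double-quoting both fields, `hostssl "{{ user.name }}" "{{ user.name }}" all cert map=mtls_cn_map`, makes them literal names. The `map=mtls_cn_map` clause presumes a pg_ident.conf map of that name is deployed by this role, which the hunk does not show, so a comment naming where it is defined would help the next reader. The hard-coded `!= 'devops'` exclusion would be easier to audit as a per-user key, e.g. `{% for user in postgres_users if user.mtls | default(true) %}`, reusing the `| default(...)` idiom the file already applies to `role_attr_flags` (the `mtls` key is a proposed new attribute).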
