Add automatic HBA rules for all users to connect via mTLS

python-discord · Jun 4, 2024 · 6d25b4a · 6d25b4a
1 parent b4decf8
commit 6d25b4a
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/ansible/roles/postgres/tasks/main.yml b/ansible/roles/postgres/tasks/main.yml
@@ -24,7 +24,7 @@
   community.postgresql.postgresql_user:
     name: "{{ item.name }}"
     password: "{{ item.password }}"
-    role_attr_flags: "{{ item['role_attr_flags'] | default('') }}"
+    role_attr_flags: "{{ item.role_attr_flags | default('') }}"
     state: present
   loop_control:
     label: "{{ item.name }}"
@@ -51,8 +51,14 @@
     insertafter: "# Put your actual configuration here"
     marker: "# {mark} ANSIBLE MANAGED HBA CONF BLOCK"
     block: |
+      # Manually configured HBA rules
       {% for rule in postgres_hba_rules %}
-      {{ rule.conn_type }}    {{ rule.database }}    {{ rule.user }}    {{ rule.address }}    {{ rule.method }}   {{ rule['options'] | default('') }}
+      {{ rule.conn_type }}    {{ rule.database }}    {{ rule.user }}    {{ rule.address }}    {{ rule.method }}   {{ rule.options | default('') }}
+      {% endfor %}
+
+      # Automatically configured mTLS HBA rules
+      {% for user in postgres_users if user.name != 'devops' %}
+      hostssl {{ user.name }} {{ user.name }} all cert map=mtls_cn_map
       {% endfor %}
   loop: "{{ postgres_hba_rules }}"
   notify:
@@ -114,4 +120,4 @@
   tags:
     - role::postgres
   notify:
-    - Restart the postgres service
+    - Reload the postgres service