make possible to keep nonssl endpoint and remove hardcoded alg for auth

2024-11-25 00:06:42 +00:00 · 2023-02-15 16:16:09 +03:00 · 2023-02-15 16:16:09 +03:00 · 4f40c189f7
commit 4f40c189f7
parent 916e75951e
4 changed files with 35 additions and 25 deletions
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@ -1,13 +1,14 @@
 postgresql_version: "15.2"
 # Options
 postgresql_group: "postgresql"
 postgresql_superuser_db: "postgres"
 postgresql_superuser_name: "postgres"
 postgresql_superuser_password: "postgres"
 # SSL options
 postgresql_ssl: true
-postgresql_group: "postgresql"
+postgresql_ssl_keep_nonssl_endpoint: false
 postgresql_self_signed_cert: true
 postgresql_self_signed_cert_name: "cert"
--- a/templates/13-pg_hba.conf.j2
+++ b/templates/13-pg_hba.conf.j2
@ -47,10 +47,10 @@
 # or "samenet" to match any address in any subnet that the server is
 # directly connected to.
 #
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 # Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
+# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 #
 # OPTIONS are a set of options for the authentication in the format
 # NAME=VALUE.  The available options depend on the different
@ -85,14 +85,17 @@ local   all             all                                     trust
 # "local" is for Unix domain socket connections only
 local   all             all                                     peer
 # IPv4 local connections:
-host    all             all             127.0.0.1/32            scram-sha-256
+host    all             all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 # IPv6 local connections:
-host    all             all             ::1/128                 scram-sha-256
+host    all             all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local   replication     all                                     peer
-host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
-host    replication     all             ::1/128                 scram-sha-256
+host    replication     all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
-{% if postgresql_ssl|bool %}
+{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
-hostssl all             all             0.0.0.0/0               scram-sha-256
+host    all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 {% endif %}
 {% if postgresql_ssl|bool %}
 hostssl all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 {% endif %}
--- a/templates/14-pg_hba.conf.j2
+++ b/templates/14-pg_hba.conf.j2
@ -47,10 +47,10 @@
 # or "samenet" to match any address in any subnet that the server is
 # directly connected to.
 #
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 # Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
+# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 #
 # OPTIONS are a set of options for the authentication in the format
 # NAME=VALUE.  The available options depend on the different
@ -85,14 +85,17 @@ local   all             all                                     trust
 # "local" is for Unix domain socket connections only
 local   all             all                                     peer
 # IPv4 local connections:
-host    all             all             127.0.0.1/32            scram-sha-256
+host    all             all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 # IPv6 local connections:
-host    all             all             ::1/128                 scram-sha-256
+host    all             all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local   replication     all                                     peer
-host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
-host    replication     all             ::1/128                 scram-sha-256
+host    replication     all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
-{% if postgresql_ssl|bool %}
+{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
-hostssl all             all             0.0.0.0/0               scram-sha-256
+host    all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 {% endif %}
 {% if postgresql_ssl|bool %}
 hostssl all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 {% endif %}
--- a/templates/15-pg_hba.conf.j2
+++ b/templates/15-pg_hba.conf.j2
@ -47,10 +47,10 @@
 # or "samenet" to match any address in any subnet that the server is
 # directly connected to.
 #
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 # Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
+# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 #
 # OPTIONS are a set of options for the authentication in the format
 # NAME=VALUE.  The available options depend on the different
@ -85,14 +85,17 @@ local   all             all                                     trust
 # "local" is for Unix domain socket connections only
 local   all             all                                     peer
 # IPv4 local connections:
-host    all             all             127.0.0.1/32            scram-sha-256
+host    all             all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 # IPv6 local connections:
-host    all             all             ::1/128                 scram-sha-256
+host    all             all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local   replication     all                                     peer
-host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
-host    replication     all             ::1/128                 scram-sha-256
+host    replication     all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
-{% if postgresql_ssl|bool %}
+{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
-hostssl all             all             0.0.0.0/0               scram-sha-256
+host    all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 {% endif %}
 {% if postgresql_ssl|bool %}
 hostssl all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 {% endif %}