From 95f5a6627ce5597d2cd552845323c1afa592b517 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Fri, 18 Apr 2025 23:49:20 +0200
Subject: [PATCH] add file control for pg_hba
---
 manifests/main/files.pp | 16 +++++++++++++++-
 templates/pg_hba.conf.erb.erb | 18 ++++++++++++++++++
 templates/pg_hba_rule.conf.erb | 3 +++
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 templates/pg_hba.conf.erb.erb
 create mode 100644 templates/pg_hba_rule.conf.erb
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 4b4b150..5e0e850 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -6,5 +6,19 @@ class postgresql_cd::main::files (
 ) inherits postgresql_cd::params {
- require postgresql_cd::main::dirs
+ if $fqdn == $pl_server_fqdn {
+ require postgresql_cd::main::dirs
+
+ file { '/var/lib/pgsql/data/pg_hba.conf':
+ ensure => file,
+ owner => 'postgres',
+ group => 'postgres',
+ mode => '0600',
+ selrange => s0,
+ selrole => object_r,
+ seltype => postgresql_db_t,
+ seluser => unconfined_u,
+ content => template('postgresql_cd/pg_hba.conf.erb'),
+ }
+ }
 }
diff --git a/templates/pg_hba.conf.erb.erb b/templates/pg_hba.conf.erb.erb
new file mode 100644
index 0000000..767bf86
--- /dev/null
+++ b/templates/pg_hba.conf.erb.erb
@@ -0,0 +1,18 @@
+################################################################################
+########## pg_hba.conf header generated by puppet ##########
+################################################################################
+# general syntax
+
+# Type database user address method options
+
+# "local" is for Unix domain socket connections only
+local all all md5
+# IPv4 local connections:
+host all all 127.0.0.1/32 md5
+# IPv6 local connections:
+host all all ::1/128 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all md5
+host replication all 127.0.0.1/32 md5
+host replication all ::1/128 md5
\ No newline at end of file
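Review bot: The `content => template('postgresql_cd/pg_hba.conf.erb')` line in the new `file` resource names a template this patch does not add; the file created here is `templates/pg_hba.conf.erb.erb`. Unless a `pg_hba.conf.erb` already exists in the module (not visible in this patch), catalog compilation will fail on the node that passes the `$fqdn == $pl_server_fqdn` guard, so either rename the new file to `templates/pg_hba.conf.erb` or reference the name that was actually committed. The resource also has no `notify` to a service or reload resource, so a changed pg_hba.conf stays inactive until PostgreSQL is reloaded some other way. Finally, `require postgresql_cd::main::dirs` is now inside the `if`, so non-matching nodes no longer pull in that class; a one-line comment such as `# dirs and pg_hba.conf are only managed on the PostgreSQL server node` would make that intent explicit.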
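Review bot: Every rule in this header uses `md5`, which still lets the server accept MD5 challenge-response for any role whose stored password is an MD5 hash. If the managed servers run PostgreSQL 10 or later, prefer `scram-sha-256` here (for example `host all all 127.0.0.1/32 scram-sha-256`) together with `password_encryption = scram-sha-256`, so that legacy hashes are rejected rather than silently honoured. Separately, the file ends without a trailing newline; if the `pg_hba_rule.conf.erb` fragments are ever appended to this header, the first fragment's comment line would be glued onto `host replication all ::1/128 md5` and break that entry, so end the header with a newline. The file also contains no ERB tags and has a doubled `.erb.erb` extension, which looks unintended.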
diff --git a/templates/pg_hba_rule.conf.erb b/templates/pg_hba_rule.conf.erb
new file mode 100644
index 0000000..2e84157
--- /dev/null
+++ b/templates/pg_hba_rule.conf.erb
@@ -0,0 +1,3 @@
+# description: <%=@name%>
+# order number: <%=@psql_auth_order%>
+<%= @pl_auth_type %> <%= @pl_auth_database %> <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@psql_auth_option%>
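Review bot: The rule line interpolates six variables straight into pg_hba.conf with nothing in this patch constraining them, so a typo or an embedded newline in Hiera data would produce a malformed entry or an extra, unintended access rule. The defined type that renders this template is not part of the patch; it should declare typed parameters, for example `Enum['local','host','hostssl','hostnossl'] $pl_auth_type` and an `Enum` of the allowed methods for `$pl_auth_method`, so that a value like `trust` has to be opted into deliberately. A single-line `Pattern` on the database, user and address parameters would guard against multi-line values. As a style point, the variables mix the `pl_auth_` and `psql_auth_` prefixes and the spacing inside `<%= %>` is inconsistent; pick one of each.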