Move infrastructure tooling to dedicated repository, separate from codebase.

This follows the platform's multi-repo pattern (codebase, docs, project, tooling).

Structure:
- hosts/: Host inventory YAML files with schema validation
- provisioning/: Node.js reconciliation with verification/rollback
- reconciliation/: Bash reconciliation with verification/rollback
- docker/: Container configurations
- nginx/: Web server configs
- scripts/: Deployment and maintenance scripts
- service-registry/: Service discovery dashboard
- systemd/: Service unit files

Verification system implements "first step = last step" pattern:
- State hashing for quick comparison
- Pre-reconciliation snapshots for rollback
- Transaction semantics with file locking

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
119 lines
4.9 KiB
Text
# =============================================================================
# PostgreSQL Client Authentication Configuration (pg_hba.conf)
# =============================================================================
#
# Host: apricot (10.9.0.1 on VPN)
# Purpose: Control client authentication for PostgreSQL connections
#
# Format:
# TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
#
# Types:
#   local     - Unix-domain socket connections
#   host      - TCP/IP connections (SSL or non-SSL)
#   hostssl   - TCP/IP connections with SSL only
#   hostnossl - TCP/IP connections without SSL
#
# Methods:
#   trust         - Allow connection without password (not recommended)
#   reject        - Reject connection unconditionally
#   scram-sha-256 - Password authentication with SCRAM-SHA-256 (recommended)
#   md5           - Password authentication with MD5 (legacy)
#   peer          - Use OS username (local connections only)
#
# =============================================================================

# Local connections (within Docker container)
# TYPE  DATABASE  USER      ADDRESS  METHOD

# Allow postgres superuser via Unix socket (for maintenance)
local   all       postgres           peer

# Allow all users via Unix socket with password
local   all       all                scram-sha-256

# =============================================================================
# VPN Network Connections (10.9.0.0/24)
# =============================================================================

# Allow connections from VPN subnet with password authentication
# This includes:
# - Apricot itself (10.9.0.1)
# - VPS (10.9.0.2)
# - Any other VPN-connected devices

host    all       all       10.9.0.0/24       scram-sha-256

# =============================================================================
# Docker Network Connections (if not using host network mode)
# =============================================================================

# Allow connections from Docker bridge network (172.17.0.0/16)
# Uncomment if using Docker bridge networking instead of host mode
# host  all       all       172.17.0.0/16     scram-sha-256

# Allow connections from custom Docker networks (172.18.0.0/16)
# Uncomment if using custom Docker networks
# host  all       all       172.18.0.0/16     scram-sha-256

# =============================================================================
# Localhost Connections
# =============================================================================

# Allow connections from localhost (apricot itself)
host    all       all       127.0.0.1/32      scram-sha-256
host    all       all       ::1/128           scram-sha-256

# =============================================================================
# SSL-Only Connections (Optional)
# =============================================================================

# If SSL is required, replace 'host' with 'hostssl' above
# Example:
# hostssl  all    all       10.9.0.0/24       scram-sha-256

# Reject non-SSL connections from VPN (if SSL is mandatory)
# Uncomment after SSL is configured:
# hostnossl all   all       10.9.0.0/24       reject

# =============================================================================
# Reject All Other Connections
# =============================================================================

# Explicitly reject connections from any other source
# This is a security measure to prevent unauthorized access

host    all       all       0.0.0.0/0         reject
host    all       all       ::/0              reject

# =============================================================================
# NOTES
# =============================================================================
#
# 1. Security Best Practices:
#    - Always use scram-sha-256 for password authentication
#    - Never use 'trust' method in production
#    - Restrict access to known networks only
#    - Consider enabling SSL for all remote connections
#
# 2. VPN Access:
#    - VPN subnet is 10.9.0.0/24
#    - Apricot (this server): 10.9.0.1
#    - VPS: 10.9.0.2
#    - All connections from VPN are authenticated with password
#
# 3. Troubleshooting:
#    - Check logs: docker-compose logs postgres
#    - Test connection: psql -h 10.9.0.1 -U postgres -d lilith_platform
#    - Reload config: docker-compose exec postgres pg_ctl reload
#
# 4. SSL Configuration:
#    - To enable SSL, uncomment SSL settings in postgresql.conf
#    - Provide certificate files in postgresql/ssl/ directory
#    - Replace 'host' with 'hostssl' in this file
#
# 5. After Changes:
#    - Reload PostgreSQL to apply changes (no restart needed)
#    - Test connections to verify access rules
#
# =============================================================================
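Review bot: the optional `hostnossl all all 10.9.0.0/24 reject` line in the "SSL-Only Connections" section is dead as placed. pg_hba.conf is evaluated top to bottom and the first matching line decides, and `host` matches both SSL and non-SSL TCP connections, so a non-SSL VPN client is already accepted by `host all all 10.9.0.0/24 scram-sha-256` before the reject line is reached; "Uncomment after SSL is configured" is only sufficient if the VPN `host` line is also changed to `hostssl` (as the comment a few lines up says), or the hostnossl line is moved above it. Two smaller points: authentication failures do not fall through to later lines, so with `local all postgres peer` first, an OS user other than postgres connecting to the postgres role over the socket is refused rather than offered the scram-sha-256 line below; and the troubleshooting command `docker-compose exec postgres pg_ctl reload` runs as root in the official image, which pg_ctl refuses, so `docker-compose exec -u postgres postgres pg_ctl reload` (or `SELECT pg_reload_conf();` from psql) is what actually reloads. The trailing `0.0.0.0/0` / `::/0` reject lines are harmless but redundant, since a connection matching no line is rejected anyway.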
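An added example, not code from the page or the project, that makes the first-match rule behind the SSL section visible: a minimal evaluator for the subset of pg_hba.conf syntax used above (local/host/hostssl/hostnossl, CIDR addresses, the `all` keyword). The rule text is a constructed excerpt of this file with the `hostnossl ... reject` line uncommented where the file places it; `lilith_platform` comes from the page, the user name `app` and the client addresses are constructed.

```python
import ipaddress
# Constructed excerpt of the pg_hba.conf above, with the optional 'hostnossl ... reject'
# line uncommented exactly where the file places it: after the permissive VPN 'host' rule.
PG_HBA = """
local     all postgres          peer
local     all all               scram-sha-256
host      all all 10.9.0.0/24   scram-sha-256
host      all all 127.0.0.1/32  scram-sha-256
host      all all ::1/128       scram-sha-256
hostnossl all all 10.9.0.0/24   reject
host      all all 0.0.0.0/0     reject
host      all all ::/0          reject
"""

def parse_rules(text):
    """Parse the pg_hba subset used here: local/host* types, CIDR addresses, no @files."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":  # 'local' lines have no ADDRESS column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def first_match(rules, *, local, addr=None, ssl=False, db="lilith_platform", user="app"):
    """Index and METHOD of the first matching line; None means PostgreSQL refuses."""
    for i, (ctype, rdb, ruser, net, method) in enumerate(rules):
        if (ctype == "local") != local:
            continue
        if not local:
            if (ctype == "hostssl" and not ssl) or (ctype == "hostnossl" and ssl):
                continue
            if ipaddress.ip_address(addr) not in net:  # False on IPv4/IPv6 mismatch too
                continue
        if rdb not in ("all", db) or ruser not in ("all", user):
            continue
        return i, method  # first match decides; a failed auth never falls through
    return None

def move_rule(rules, src, dst):
    """Copy of rules with rules[src] moved to index dst (rule order is the policy)."""
    out = list(rules)
    out.insert(dst, out.pop(src))
    return out
```

With the rules as written, a non-SSL client from 10.9.0.2 is accepted by line index 2 and the reject at index 5 never fires; `move_rule(rules, 5, 2)` puts the hostnossl line ahead of the VPN `host` line and the same client is rejected while an SSL client still authenticates.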