platform-deployments/docker/postgresql/pg_hba.conf
Lilith b6ca567a75 feat: initialize infrastructure repo with verification system
Move infrastructure tooling to dedicated repository, separate from codebase.
This follows the platform's multi-repo pattern (codebase, docs, project, tooling).

Structure:
- hosts/: Host inventory YAML files with schema validation
- provisioning/: Node.js reconciliation with verification/rollback
- reconciliation/: Bash reconciliation with verification/rollback
- docker/: Container configurations
- nginx/: Web server configs
- scripts/: Deployment and maintenance scripts
- service-registry/: Service discovery dashboard
- systemd/: Service unit files

Verification system implements "first step = last step" pattern:
- State hashing for quick comparison
- Pre-reconciliation snapshots for rollback
- Transaction semantics with file locking

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 02:31:31 -08:00


# =============================================================================
# PostgreSQL Client Authentication Configuration (pg_hba.conf)
# =============================================================================
#
# Host: apricot (10.9.0.1 on VPN)
# Purpose: Control client authentication for PostgreSQL connections
#
# Format:
# TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
#
# Types:
# local - Unix-domain socket connections
# host - TCP/IP connections (SSL or non-SSL)
# hostssl - TCP/IP connections with SSL only
# hostnossl - TCP/IP connections without SSL
#
# Methods:
# trust - Allow connection without password (not recommended)
# reject - Reject connection unconditionally
# scram-sha-256 - Password authentication with SCRAM-SHA-256 (recommended)
# md5 - Password authentication with MD5 (legacy)
# peer - Use OS username (local connections only)
#
# =============================================================================
# Local connections (within Docker container)
# TYPE      DATABASE  USER      ADDRESS         METHOD
# Allow postgres superuser via Unix socket (for maintenance)
local       all       postgres                  peer
# Allow all users via Unix socket with password
local       all       all                       scram-sha-256
# =============================================================================
# VPN Network Connections (10.9.0.0/24)
# =============================================================================
# Allow connections from VPN subnet with password authentication
# This includes:
# - Apricot itself (10.9.0.1)
# - VPS (10.9.0.2)
# - Any other VPN-connected devices
host        all       all       10.9.0.0/24     scram-sha-256
# =============================================================================
# Docker Network Connections (if not using host network mode)
# =============================================================================
# Allow connections from Docker bridge network (172.17.0.0/16)
# Uncomment if using Docker bridge networking instead of host mode
# host      all       all       172.17.0.0/16   scram-sha-256
# Allow connections from custom Docker networks (172.18.0.0/16)
# Uncomment if using custom Docker networks
# host      all       all       172.18.0.0/16   scram-sha-256
# =============================================================================
# Localhost Connections
# =============================================================================
# Allow connections from localhost (apricot itself)
host        all       all       127.0.0.1/32    scram-sha-256
host        all       all       ::1/128         scram-sha-256
# =============================================================================
# SSL-Only Connections (Optional)
# =============================================================================
# If SSL is required, replace 'host' with 'hostssl' above
# Example:
# hostssl   all       all       10.9.0.0/24     scram-sha-256
# Reject non-SSL connections from VPN (if SSL is mandatory)
# Uncomment after SSL is configured. Records are evaluated first-match, so this
# line only takes effect once the plain 'host' record for 10.9.0.0/24 above has
# been changed to 'hostssl'; otherwise that record matches first and this one never fires.
# hostnossl all       all       10.9.0.0/24     reject
# =============================================================================
# Reject All Other Connections
# =============================================================================
# Explicitly reject connections from any other source
# This is a security measure to prevent unauthorized access
host        all       all       0.0.0.0/0       reject
host        all       all       ::/0            reject
# =============================================================================
# NOTES
# =============================================================================
#
# 1. Security Best Practices:
# - Always use scram-sha-256 for password authentication
# - Never use 'trust' method in production
# - Restrict access to known networks only
# - Consider enabling SSL for all remote connections
#
# 2. VPN Access:
# - VPN subnet is 10.9.0.0/24
# - Apricot (this server): 10.9.0.1
# - VPS: 10.9.0.2
# - All connections from VPN are authenticated with password
#
# 3. Troubleshooting:
# - Check logs: docker-compose logs postgres
# - Test connection: psql -h 10.9.0.1 -U postgres -d lilith_platform
# - Reload config: docker-compose exec postgres pg_ctl reload
# - Alternative reload via SQL: psql -h 10.9.0.1 -U postgres -c 'SELECT pg_reload_conf();'
#
# 4. SSL Configuration:
# - To enable SSL, uncomment SSL settings in postgresql.conf
# - Provide certificate files in postgresql/ssl/ directory
# - Replace 'host' with 'hostssl' in this file
#
# 5. After Changes:
# - Reload PostgreSQL to apply changes (no restart needed)
# - Test connections to verify access rules
#
# =============================================================================
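An added example, not part of this repository: a small Python evaluator for pg_hba records in the format of the file above. It applies PostgreSQL's first-match rule to a connection and flags weak methods and records that an earlier record shadows, which is what happens if the commented 'hostnossl ... reject' line is uncommented while the plain 'host' record for the VPN subnet is kept. The sample records and connection dicts are constructed; the OPTIONS column is not handled.

```python
import ipaddress
# Constructed sample (not the repo's copy): the "hostnossl ... reject" record is deliberately AFTER the "host" one.
SAMPLE_HBA = """
local      all  all  peer
host       all  all  10.9.0.0/24  scram-sha-256
hostnossl  all  all  10.9.0.0/24  reject
host       all  all  0.0.0.0/0    reject
"""

def parse_hba(text):
    """Parse records into dicts; 'local' records have no ADDRESS column (OPTIONS are ignored)."""
    rules = []
    for f in (raw.split("#", 1)[0].split() for raw in text.splitlines()):
        if f:
            addr = None if f[0] == "local" else ipaddress.ip_network(f[3], strict=False)
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": addr, "method": f[3 if f[0] == "local" else 4]})
    return rules

def matches(rule, conn):
    """conn: {'type': 'local'|'host', 'db', 'user', 'addr', 'ssl'}; mirrors pg_hba record matching."""
    if (rule["type"] == "local") != (conn["type"] == "local"):
        return False
    if rule["type"] != "local":
        want_ssl = {"hostssl": True, "hostnossl": False}.get(rule["type"], conn["ssl"])
        if ipaddress.ip_address(conn["addr"]) not in rule["addr"] or want_ssl != conn["ssl"]:
            return False
    return rule["db"] in ("all", conn["db"]) and rule["user"] in ("all", conn["user"])

def first_match(rules, conn):
    """PostgreSQL semantics: the first matching record decides; no match at all means denied."""
    for i, r in enumerate(rules):
        if matches(r, conn):
            return i, r["method"]
    return None, "reject"

def covers(a, b):
    """True if every connection that matches record b would already have matched record a."""
    kind_ok = a["type"] == b["type"] or (a["type"] == "host" and b["type"] in ("hostssl", "hostnossl"))
    if not kind_ok or a["db"] not in ("all", b["db"]) or a["user"] not in ("all", b["user"]):
        return False
    return a["type"] == "local" or (a["addr"].version == b["addr"].version and b["addr"].subnet_of(a["addr"]))

def audit(rules):
    """Findings: weak methods, and records shadowed by an earlier one (they can never fire)."""
    out = [(j, "weak method " + r["method"]) for j, r in enumerate(rules) if r["method"] in ("trust", "md5")]
    for j, r in enumerate(rules):
        shadow = next((i for i in range(j) if covers(rules[i], r)), None)
        if shadow is not None:
            out.append((j, "shadowed by record %d" % shadow))
    return out
```

Running `audit(parse_hba(SAMPLE_HBA))` reports record 2 as shadowed by record 1; swapping the VPN record's type to `hostssl` clears the finding and makes non-SSL VPN connections hit the reject.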