X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fpostgres%2Fmanifests%2Fcluster%2Fhba_entry.pp;h=6a7f7dc4bc735a8421c16c5e49384b71ef3527da;hb=1dee729d00307f93d600b5bb6902494bd30a4484;hp=40e24f590ca79bed6abec2bec2d811763e35e770;hpb=483ee60efd32db8ba0777e569fd72592cfee7bf6;p=mirror%2Fdsa-puppet.git
diff --git a/modules/postgres/manifests/cluster/hba_entry.pp b/modules/postgres/manifests/cluster/hba_entry.pp
index 40e24f590..6a7f7dc4b 100644
--- a/modules/postgres/manifests/cluster/hba_entry.pp
+++ b/modules/postgres/manifests/cluster/hba_entry.pp
@@ -6,6 +6,9 @@
 # See the upstream documentation at https://www.postgresql.org/docs/11/auth-pg-hba-conf.html
 # for details.
 #
+# Default order is 50, postgres::cluster puts the md5 localhost rules at 30,
+# so guest/trust access should probably go at 25.
+#
 # @param pg_port port of the postgres cluster
 # @param pg_cluster cluster name
 # @param pg_version pg version of the cluster
@@ -15,18 +18,20 @@
 # @param address hosts that match
 # @param method auth method
 # @param order ordering of this entry in pg_hba.conf
+# @param firewall also add a firewall rule
 define postgres::cluster::hba_entry (
 Optional[Integer] $pg_port = undef,
 Optional[String] $pg_cluster = undef,
 Optional[String] $pg_version = undef,
- Enum['local', 'hostssl'] $connection_type = 'hostssl',
+ Enum['local', 'host', 'hostssl'] $connection_type = 'hostssl',
 Variant[String,Array[String]] $database = 'sameuser',
 Variant[String,Array[String]] $user = 'all',
 Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $address = undef,
 Enum['md5', 'trust'] $method = 'md5',
 String $order = '50',
+ Boolean $firewall = true,
 ) {
- $address_methods = ['md5']
+ $address_methods = ['md5', 'trust']
 if $method in $address_methods {
 if !$address {
 fail("Authentication method ${method} needs an address")
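Review bot: In the `@@ -15,18 +18,20 @@` hunk, `trust` becomes usable with an address and `host` is added to `$connection_type`, but nothing visible checks that combination against the defaults `$user = 'all'` and `$database = 'sameuser'`; an entry declared that way would let any client at `$address` connect as any role, `postgres` included, without a password and (with `host`) without TLS. Because `$firewall` defaults to `true`, the same declaration presumably also opens the port to that address through the ferm rule. A guard beside the existing address check would force guest entries to be explicit, for example `if $method == 'trust' and $user == 'all' { fail('trust entries must name an explicit user') }`, and the `@param connection_type` and `@param method` lines could state that `host` also matches non-TLS connections and that `trust` performs no authentication. The body of the define continues outside the hunk, so a later check may already cover part of this.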
@@ -66,7 +71,7 @@ define postgres::cluster::hba_entry ( } ### - if ($address) { + if ($address and $firewall) { ferm::rule::simple { "postgres::cluster::hba_entry::${name}": description => "allow access to pg${real_version}/${real_cluster}: ${name}", saddr => $address,