From: Peter Palfrader
Date: Sun, 29 Sep 2019 17:00:45 +0000 (+0200)
Subject: move localhost guest access in front of catch-all localhost access
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=6f0519ea008323e67f933fd1168c6c906f2c289d

move localhost guest access in front of catch-all localhost access
---
diff --git a/modules/postgres/manifests/cluster.pp b/modules/postgres/manifests/cluster.pp
index 92f87d160..1f639cda8 100644
--- a/modules/postgres/manifests/cluster.pp
+++ b/modules/postgres/manifests/cluster.pp
@@ -86,6 +86,14 @@ define postgres::cluster(
 order => '00',
 content => template('postgres/cluster/pg_hba.conf-head.erb'),
 }
+ postgres::cluster::hba_entry { 'local-connections':
+ pg_port => $real_port,
+ database => 'all',
+ user => 'all',
+ address => ['127.0.0.1', '::1'],
+ order => '30',
+ firewall => false,
+ }
 Concat::Fragment <| tag == "postgres::cluster::${real_version}::${real_cluster}::hba" |>
 }
 }
diff --git a/modules/postgres/manifests/cluster/hba_entry.pp b/modules/postgres/manifests/cluster/hba_entry.pp
index 68313746a..843a4a780 100644
--- a/modules/postgres/manifests/cluster/hba_entry.pp
+++ b/modules/postgres/manifests/cluster/hba_entry.pp
@@ -15,6 +15,7 @@
 # @param address hosts that match
 # @param method auth method
 # @param order ordering of this entry in pg_hba.conf
+# @param firewall also add a firewall rule
 define postgres::cluster::hba_entry (
 Optional[Integer] $pg_port = undef,
 Optional[String] $pg_cluster = undef,
@@ -25,6 +26,7 @@ define postgres::cluster::hba_entry (
 Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $address = undef,
 Enum['md5', 'trust'] $method = 'md5',
 String $order = '50',
+ Boolean $firewall = true,
 ) {
 $address_methods = ['md5', 'trust']
 if $method in $address_methods {
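Review bot: The new 'local-connections' entry in cluster.pp leaves the auth method implicit (it inherits the define's `Enum['md5', 'trust'] $method = 'md5'` default shown in the hba_entry.pp hunk) and gives a bare `order => '30'`, so the entry that now replaces the template's explicit `host all all 127.0.0.1/32 md5` lines no longer states its method or the ordering contract it imposes. pg_hba.conf is matched top-down, so any narrower localhost entry (such as the guest/trust entry that this commit puts at order '20' in roles/ftp_master.pp) silently stops being reached if it ever sorts after '30', and a later change to the define's default would widen localhost access without any diff at this site. Make the method explicit and record the dependency: `method => 'md5',` plus a comment `# order 30: cluster-wide localhost fallback; narrower localhost entries (e.g. per-role trust) must use a lower order to match first`. The same ordering note belongs at the ftp_master.pp hunk. The body of postgres::cluster continues outside the hunk.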
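Review bot: The added `# @param firewall also add a firewall rule` line in hba_entry.pp does not say what `false` leaves in place; judging from the later `if ($address and $firewall)` hunk, only the ferm::rule::simple resource is gated, so the pg_hba.conf entry is presumably still emitted for that address. A reader setting `firewall => false` on a non-loopback address would otherwise have to read the body to learn that the database still grants access for that address while no firewall opening is created. Suggest `# @param firewall also add a ferm rule for address; false skips only the firewall rule (use for addresses that need no opening, e.g. loopback) - the pg_hba.conf entry is emitted either way`. The define's parameter list and body continue past the hunk.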
@@ -66,7 +68,7 @@ define postgres::cluster::hba_entry ( } ### - if ($address) { + if ($address and $firewall) { ferm::rule::simple { "postgres::cluster::hba_entry::${name}": description => "allow access to pg${real_version}/${real_cluster}: ${name}", saddr => $address, diff --git a/modules/postgres/templates/cluster/pg_hba.conf-head.erb b/modules/postgres/templates/cluster/pg_hba.conf-head.erb index d84d7d135..65b903194 100644 --- a/modules/postgres/templates/cluster/pg_hba.conf-head.erb +++ b/modules/postgres/templates/cluster/pg_hba.conf-head.erb @@ -9,14 +9,5 @@ local all postgres peer # "local" is for Unix domain socket connections only local all all peer -# IPv4 local connections: -host all all 127.0.0.1/32 md5 -# IPv6 local connections: -host all all ::1/128 md5 -# Allow replication connections from localhost, by a user with the -# replication privilege. -#local replication all peer -#host replication all 127.0.0.1/32 md5 -#host replication all ::1/128 md5 ###################################### diff --git a/modules/roles/manifests/ftp_master.pp b/modules/roles/manifests/ftp_master.pp index b95330c42..40f804096 100644 --- a/modules/roles/manifests/ftp_master.pp +++ b/modules/roles/manifests/ftp_master.pp @@ -36,6 +36,7 @@ class roles::ftp_master ( user => 'guest', address => '127.0.0.1', method => 'trust', + order => '20', + firewall => false, } - }
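Review bot: In the ftp_master.pp hunk the guest `method => 'trust'` entry covers only `address => '127.0.0.1'`, while the cluster-wide localhost entry added in cluster.pp matches `['127.0.0.1', '::1']`, so a guest connection arriving over ::1 falls through to the md5 entry instead of trust. If restricting the password-less path to IPv4 loopback is intended, state it so the asymmetry is not "fixed" later without thought, e.g. `# trust is deliberately limited to IPv4 loopback; ::1 falls through to the cluster-wide md5 entry`; if it is not intended, the address list should be widened as a deliberate change rather than left to differ from the catch-all. The roles::ftp_master class continues outside the hunk.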