From 270074b685996c561c4bac15b023d6541ce3a11f Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini <grazzolini@archlinux.org>
Date: Tue, 27 Dec 2016 22:51:22 -0200
Subject: [PATCH] roles/postgres: Create a new postgres_ssl_hosts variable that
 will be used to determine which hosts can login using ssl

---
 roles/postgres/defaults/main.yml        | 2 ++
 roles/postgres/templates/pg_hba.conf.j2 | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index c84db1f64..b55554eed 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -9,3 +9,5 @@ postgres_ssl_key_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.p
 postgres_ssl_ca_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem'
 
 postgres_shared_buffers: '128MB'
+
+postgres_ssl_hosts: []
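Review bot: The new `postgres_ssl_hosts` default has no comment describing what an entry must look like, and the template in this patch writes each entry verbatim into the address column of a `hostssl` line. pg_hba.conf expects a CIDR range, a host name or a keyword such as `samenet` in that column, so a bare IP address without a mask would presumably yield a line the server rejects. I would add a comment above the variable such as `# CIDR ranges (for example 192.0.2.10/32) allowed to connect over TLS; each entry becomes a hostssl rule in pg_hba.conf`.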
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
index 79831581f..221d97f63 100644
--- a/roles/postgres/templates/pg_hba.conf.j2
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -1,3 +1,4 @@
+
 # PostgreSQL Client Authentication Configuration File
 # ===================================================
 #
@@ -94,3 +95,8 @@ host    sameuser        all             ::1/128                 md5
 #local   replication     postgres                                trust
 #host    replication     postgres        127.0.0.1/32            trust
 #host    replication     postgres        ::1/128                 trust
+{% if postgres_ssl_hosts %}
+{% for host in postgres_ssl_hosts %}
+hostssl all             all             {{ host }}              md5
+{% endfor %}
+{% endif %}
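Review bot: The generated rule `hostssl all all {{ host }} md5` lets every listed host reach every database as every role, which is wider than the loopback rule `host sameuser all ::1/128 md5` shown in the hunk header. If remote clients only need their own database, `hostssl sameuser all {{ host }} md5` keeps the same restriction; otherwise each list entry could carry its own database and user. The `md5` method matches the rest of the file, but `scram-sha-256` is the stronger choice where the server version supports it. The `{% if postgres_ssl_hosts %}` wrapper is redundant, since a `for` over the empty default list already emits nothing.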
-- 
GitLab