| author | Mitch Riedstra <mitch@riedstra.us> | 2019-10-03 18:52:48 -0400 |
|---|---|---|
| committer | Mitch Riedstra <mitch@riedstra.us> | 2019-10-03 18:52:48 -0400 |
| commit | 5725d926f9ef7bc750f6b09bf67b33aa3e033a6f (patch) | |
| tree | f174800b75b3e12ce1ce4e4e3b48077aa21bdb6a | |
| parent | 6a0aa89e3dfd7bd0755b67931532eaa173f73919 (diff) | |
| download | alpine-postgres-5725d926f9ef7bc750f6b09bf67b33aa3e033a6f.tar.gz alpine-postgres-5725d926f9ef7bc750f6b09bf67b33aa3e033a6f.tar.xz | |
Write out pgpass, also document how to secure the database for production use
| -rw-r--r-- | defaults/main.yml | 3 | ||||
| -rw-r--r-- | readme.md | 21 | ||||
| -rw-r--r-- | tasks/main.yml | 6 |
3 files changed, 30 insertions, 0 deletions
diff --git a/defaults/main.yml b/defaults/main.yml index 8b13789..159b40b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1 +1,4 @@ +# postgres_pgpass: | +# # hostname:port:database:username:password +# *:*:*:postgres:my super secret password @@ -3,3 +3,24 @@ Ideally used in conjunction with my Alpine Linux playbook, though it shouldn't be hard to adapt it to other systems. + + +Securing your postgres installation should go as follows: + +``` +root@alpine-dev /root # psql -U postgres +psql (11.5) +Type "help" for help. + +postgres=# \password +Enter new password: +Enter it again: +postgres=# \q +root@alpine-dev /root # sv down postgres +root@alpine-dev /root # sed -i.bak -e's/trust$/md5/g' /var/postgres/pg_hba.conf +``` + +Ideally add the password to your `~/.pgpass` if you're going to do +backups from cron or similar. This can be done by defining `postgres_pgpass` +as found commented out in `defaults/main.yml` + diff --git a/tasks/main.yml b/tasks/main.yml index 7b67816..dd3dd98 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -26,3 +26,9 @@ src: /etc/sv/postgres dest: /var/service/postgres follow: false +- name: Write pgpass for 'root' + copy: + content: '{{postgres_pgpass}}' + dest: '/root/.pgpass' + mode: '0600' + when: postgres_pgpass is defined |
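Review bot: In defaults/main.yml the commented `postgres_pgpass` example shows the password as a plain inline value, which invites users to commit the real one alongside the playbook. The comment should say that the variable is meant to be supplied from an Ansible Vault-encrypted vars file or a similar secret store. It is also worth stating there that a `:` or `\` inside a field has to be backslash-escaped in pgpass format, since the sample password is free text.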
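Review bot: In the readme.md hunk the documented session stops at the `sed` on `/var/postgres/pg_hba.conf` with postgres still down. Add the `sv up postgres` step, otherwise a reader following it verbatim ends with a stopped database. `s/trust$/md5/g` also rewrites every line that ends in `trust`, so tell the reader to compare the result with the `.bak` copy before starting the service. Since the session shows psql 11.5, `scram-sha-256` is available as a stronger method than `md5` if the server is the same major version, provided `password_encryption` is set accordingly before `\password` is run.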
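Review bot: The "Write pgpass for 'root'" task in tasks/main.yml lacks `no_log: true`, so the password carried in `content` can show up in `--diff` or high-verbosity output; add it to the task. Setting `owner: root` and `group: root` next to `mode: '0600'` would make the intended ownership explicit instead of depending on the connecting user. The task also replaces any existing `/root/.pgpass` wholesale, which the readme should mention.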
