From 05b6738c85ac9c7e3aca110a1df207916f0a50b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Thu, 10 Jun 2021 23:39:42 +0100
Subject: [PATCH] postgres: Set auth method to "reject"

This will reject connections from anywhere except 127.0.0.1, i.e., the pod's network namespace. This makes password authentication properly obsolete, instead of just hiding the password (but still never authenticating with it), but required a change upstream: https://github.com/docker-library/postgres/pull/859
---
 configuration/services/gitea.nix | 1 +
 configuration/services/nextcloud.nix | 1 +
 2 files changed, 2 insertions(+)
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 2258566..4c34146 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -42,6 +42,7 @@
 environment = {
 POSTGRES_DB = "gitea";
 POSTGRES_USER = "gitea";
+ POSTGRES_HOST_AUTH_METHOD = "reject";
 };
 volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
 };
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 4b74ac7..e8731f8 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -43,6 +43,7 @@
 environment = {
 POSTGRES_DB = "nextcloud";
 POSTGRES_USER = "nextcloud";
+ POSTGRES_HOST_AUTH_METHOD = "reject";
 };
 volumes = [ "nextcloud-db-data:/var/lib/postgresql/data" ];
 };
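Review bot: `POSTGRES_HOST_AUTH_METHOD` is, as far as I know, only read by the image's entrypoint when it initialises an empty data directory, so on a host where the `gitea-db-data` volume already exists the old `pg_hba.conf` stays in place and the added line changes nothing; the same applies to the nextcloud.nix hunk and `nextcloud-db-data`. Existing deployments should have the last `host` rule in their `pg_hba.conf` checked, and edited by hand if it is not `reject`. It is also worth recording above the new line in both files that loopback connections appear to stay on initdb's `trust` default, e.g. `# Non-loopback connections are rejected; loopback stays "trust", so every container in the pod can connect as any role without a password.` The container definitions start and end outside both hunks, so I cannot tell whether the image is pinned to a release that contains the upstream change the description links.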