postgres: Set auth method to "reject"

This will reject connections from anywhere except 127.0.0.1, i.e., the pod's network namespace. This makes password authentication properly obsolete, instead of just hiding the password (but still never authenticating with it), but required a change upstream: https://github.com/docker-library/postgres/pull/859
2021-06-10 23:39:42 +01:00 · 2021-06-10 23:39:42 +01:00 · 05b6738c85
parent 7c24369cb9
commit 05b6738c85
2 changed files with 2 additions and 0 deletions
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -42,6 +42,7 @@
        environment = {
          POSTGRES_DB = "gitea";
          POSTGRES_USER = "gitea";
+          POSTGRES_HOST_AUTH_METHOD = "reject";
        };
        volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
      };
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -43,6 +43,7 @@
        environment = {
          POSTGRES_DB = "nextcloud";
          POSTGRES_USER = "nextcloud";
+          POSTGRES_HOST_AUTH_METHOD = "reject";
        };
        volumes = [ "nextcloud-db-data:/var/lib/postgresql/data" ];
      };