From d63edbecc7f42d94f75629e67fba0b592c9166d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Thu, 10 Jun 2021 23:39:42 +0100
Subject: [PATCH] postgres: Set auth method to "reject"

This will reject connections from anywhere except 127.0.0.1, i.e., the pod's network namespace. This makes password authentication properly obsolete, instead of just hiding the password (but still never authenticating with it), but required a change upstream: https://github.com/docker-library/postgres/pull/859
---
 configuration/services/gitea.nix | 1 +
 configuration/services/nextcloud.nix | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 2258566..4c34146 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -42,6 +42,7 @@
 environment = {
 POSTGRES_DB = "gitea";
 POSTGRES_USER = "gitea";
+ POSTGRES_HOST_AUTH_METHOD = "reject";
 };
 volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
 };
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 4b74ac7..e8731f8 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -43,6 +43,7 @@
 environment = {
 POSTGRES_DB = "nextcloud";
 POSTGRES_USER = "nextcloud";
+ POSTGRES_HOST_AUTH_METHOD = "reject";
 };
 volumes = [ "nextcloud-db-data:/var/lib/postgresql/data" ];
 };
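Review bot: `POSTGRES_HOST_AUTH_METHOD` only takes effect when the image's entrypoint initialises an empty data directory, and the `gitea-db-data` volume two lines below the added line is persistent, so a deployment whose database already exists would keep the `pg_hba.conf` written at its first start and this setting would silently do nothing there; the nextcloud.nix hunk has the same gap with `nextcloud-db-data`. For existing volumes the `host all all all` line in `pg_hba.conf` has to be changed by hand and the server reloaded, and it is worth reading the file back after deploy rather than trusting the variable. Where the setting does apply, loopback connections presumably stay on the `trust` entries that initdb writes, so any process in the pod can connect as any role; a comment above the new line would record both points, e.g. `# Applied only on first initdb. Non-loopback is rejected; loopback stays "trust", so everything in this pod is a DB client.`. The container definition starts outside the hunk, so I cannot see whether the image is pinned to a release that contains the upstream change the commit message depends on.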