postgres: Set auth method to "reject"

This will reject connections from anywhere except 127.0.0.1, i.e., the pod's network namespace. This makes password authentication properly obsolete, instead of just hiding the password (but still never authenticating with it), but required a change upstream: https://github.com/docker-library/postgres/pull/859
2021-06-11 01:48:54 +01:00
2 changed files with 2 additions and 0 deletions
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -42,6 +42,7 @@
        environment = {
          POSTGRES_DB = "gitea";
          POSTGRES_USER = "gitea";
+          POSTGRES_HOST_AUTH_METHOD = "reject";
        };
        volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
      };
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -43,6 +43,7 @@
        environment = {
          POSTGRES_DB = "nextcloud";
          POSTGRES_USER = "nextcloud";
+          POSTGRES_HOST_AUTH_METHOD = "reject";
        };
        volumes = [ "nextcloud-db-data:/var/lib/postgresql/data" ];
      };