Lock down the repmgr user (#222)

* Lock down the repmgr user

* Add PGPASSFILE to timescale dockerfile

Dockerfile

@@ -19,6 +19,7 @@ COPY ./bin/* /fly/bin/
 FROM wrouesnel/postgres_exporter:latest AS postgres_exporter
 FROM postgres:${PG_VERSION}
 ENV PGDATA=/data/postgresql
+ENV PGPASSFILE=/data/.pgpass
 ARG VERSION
 ARG PG_MAJOR_VERSION
 ARG POSTGIS_MAJOR=3

Dockerfile-timescaledb

@@ -20,6 +20,7 @@ FROM wrouesnel/postgres_exporter:latest AS postgres_exporter
 
 FROM postgres:${PG_VERSION}
 ENV PGDATA=/data/postgresql
+ENV PGPASSFILE=/data/.pgpass
 ARG VERSION
 ARG PG_MAJOR_VERSION
 ARG POSTGIS_MAJOR=3

internal/flypg/pg.go

@@ -471,14 +471,14 @@ func (c *PGConfig) setDefaultHBA() error {
 			Database: "replication",
 			User:     c.repmgrUsername,
 			Address:  "fdaa::/16",
-			Method:   "trust",
+			Method:   "md5",
 		},
 		{
 			Type:     "host",
 			Database: fmt.Sprintf("replication,%s", c.repmgrDatabase),
 			User:     c.repmgrUsername,
 			Address:  "fdaa::/16",
-			Method:   "trust",
+			Method:   "md5",
 		},
 		{
 			Type:     "host",

internal/flypg/repmgr.go

@@ -124,6 +124,7 @@ func (r *RepMgr) initialize() error {
 	if err := os.WriteFile(r.PasswordConfigPath, []byte(passStr), 0600); err != nil {
 		return fmt.Errorf("failed to write file %s: %s", r.PasswordConfigPath, err)
 	}
+
 	if err := utils.SetFileOwnership(r.PasswordConfigPath, "postgres"); err != nil {
 		return fmt.Errorf("failed to set file ownership: %s", err)
 	}
@@ -178,6 +179,7 @@ func (r *RepMgr) setDefaults() error {
 		"priority":                     100,
 		"node_rejoin_timeout":          30,
 		"standby_reconnect_timeout":    30,
+		"passfile":                     fmt.Sprintf("'%s'", r.PasswordConfigPath),
 	}
 
 	if !r.eligiblePrimary() {