From 41b6abafe8af85d8906d04e74ab11916f3d441b9 Mon Sep 17 00:00:00 2001
From: Shaun Davis
Date: Fri, 15 Mar 2024 14:45:19 -0500
Subject: [PATCH] Lock down the repmgr user (#222)

* Lock down the repmgr user
* Add PGPASSFILE to timescale dockerfile
---
 Dockerfile | 1 +
 Dockerfile-timescaledb | 1 +
 internal/flypg/pg.go | 4 ++--
 internal/flypg/repmgr.go | 2 ++
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 72f906fb..85b327c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,6 +19,7 @@ COPY ./bin/* /fly/bin/
 FROM wrouesnel/postgres_exporter:latest AS postgres_exporter
 FROM postgres:${PG_VERSION}
 ENV PGDATA=/data/postgresql
+ENV PGPASSFILE=/data/.pgpass
 ARG VERSION
 ARG PG_MAJOR_VERSION
 ARG POSTGIS_MAJOR=3
diff --git a/Dockerfile-timescaledb b/Dockerfile-timescaledb
index 2e4920db..16e79b48 100644
--- a/Dockerfile-timescaledb
+++ b/Dockerfile-timescaledb
@@ -20,6 +20,7 @@
 FROM wrouesnel/postgres_exporter:latest AS postgres_exporter
 FROM postgres:${PG_VERSION}
 ENV PGDATA=/data/postgresql
+ENV PGPASSFILE=/data/.pgpass
 ARG VERSION
 ARG PG_MAJOR_VERSION
 ARG POSTGIS_MAJOR=3
diff --git a/internal/flypg/pg.go b/internal/flypg/pg.go
index 31116c41..f67f9f33 100644
--- a/internal/flypg/pg.go
+++ b/internal/flypg/pg.go
@@ -471,14 +471,14 @@ func (c *PGConfig) setDefaultHBA() error {
 Database: "replication",
 User: c.repmgrUsername,
 Address: "fdaa::/16",
- Method: "trust",
+ Method: "md5",
 },
 {
 Type: "host",
 Database: fmt.Sprintf("replication,%s", c.repmgrDatabase),
 User: c.repmgrUsername,
 Address: "fdaa::/16",
- Method: "trust",
+ Method: "md5",
 },
 {
 Type: "host",
diff --git a/internal/flypg/repmgr.go b/internal/flypg/repmgr.go
index ed360f9d..0db72eeb 100644
--- a/internal/flypg/repmgr.go
+++ b/internal/flypg/repmgr.go
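Review bot: The hard-coded path in `ENV PGPASSFILE=/data/.pgpass` has to agree with `r.PasswordConfigPath`, which repmgr.go writes and now also hands to repmgr as `passfile`, but nothing on this line records that coupling; the same line is added to Dockerfile-timescaledb. A comment above it such as `# Must match RepMgr.PasswordConfigPath (internal/flypg/repmgr.go); libpq ignores the file if it is group- or world-accessible` would let a future change to either side be caught in review. Because ENV applies to every process in the image, any libpq-based tool run as the postgres user will pick this credential up implicitly, which is presumably the intent for psql and pg_basebackup but is worth stating next to the line.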
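Review bot: Both changed entries select `Method: "md5"`, a method PostgreSQL documents as deprecated; `Method: "scram-sha-256",` is the current recommendation and, unlike `md5`, refuses a password that is still stored as an MD5 hash instead of silently accepting the weaker scheme. If the repmgr password is stored under the server's default `password_encryption` on recent releases, PostgreSQL negotiates SCRAM even with `md5` in pg_hba.conf, so the stricter method should be a drop-in change here. setDefaultHBA() begins before the hunk and its remaining entries are outside it, so I cannot see whether any other `trust` rule for `c.repmgrUsername` or for `fdaa::/16` remains; that is worth confirming before calling the user locked down.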
@@ -124,6 +124,7 @@ func (r *RepMgr) initialize() error {
 if err := os.WriteFile(r.PasswordConfigPath, []byte(passStr), 0600); err != nil {
 return fmt.Errorf("failed to write file %s: %s", r.PasswordConfigPath, err)
 }
+
 if err := utils.SetFileOwnership(r.PasswordConfigPath, "postgres"); err != nil {
 return fmt.Errorf("failed to set file ownership: %s", err)
 }
@@ -178,6 +179,7 @@ func (r *RepMgr) setDefaults() error {
 "priority": 100,
 "node_rejoin_timeout": 30,
 "standby_reconnect_timeout": 30,
+ "passfile": fmt.Sprintf("'%s'", r.PasswordConfigPath),
 }
 
 if !r.eligiblePrimary() {
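Review bot: The new `"passfile"` entry makes repmgr's libpq connections depend on the mode of `r.PasswordConfigPath`, but the `os.WriteFile(..., 0600)` shown in the first hunk applies that mode only when it creates the file; a file that already exists with looser permissions keeps them, libpq then ignores the passfile with a warning, and after the pg_hba.conf move from trust to md5 that becomes a replication authentication failure rather than a no-op. Adding `if err := os.Chmod(r.PasswordConfigPath, 0600); err != nil { return fmt.Errorf("failed to set file mode: %s", err) }` after the write and before SetFileOwnership closes that gap; initialize() starts before the hunk. The path is also interpolated inside single quotes without escaping, which is presumably fine for an internally chosen path but deserves a one-line comment if it ever becomes configurable.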