[ADD] HBA_EXTRA_RULES support to allow custom pg_hba.conf rules

josep-tecnativa · josep-tecnativa · commit 41e55585d32c · 2024-11-28T16:41:51.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -15,7 +15,8 @@ ENV CERTS="{}" \
     WAN_DATABASES='["all"]' \
     WAN_HBA_TPL="{connection} {db} {user} {cidr} {meth}" \
     WAN_TLS=1 \
-    WAN_USERS='["all"]'
+    WAN_USERS='["all"]' \
+    HBA_EXTRA_RULES=""
 RUN apk add --no-cache python3 \
     && mkdir -p /etc/postgres \
     && chmod a=rwx /etc/postgres
diff --git a/README.md b/README.md
@@ -105,4 +105,17 @@ Wether to enable or not TLS in WAN connections.
 
 Users allowed to connect from WAN.
 
+#### `HBA_EXTRA_RULES`
+
+JSON array of additional pg_hba.conf rules to append. Each array element should be a string representing a valid pg_hba.conf line.
+
+Example HBA_EXTRA_RULES format in an .env file:
+
+HBA_EXTRA_RULES=["host all all 192.168.1.0/24 md5", "hostssl mydb myuser 10.0.0.0/8 scram-sha-256"]
+
+This adds the following lines to pg_hba.conf:
+
+host all all 192.168.1.0/24 md5
+hostssl mydb myuser 10.0.0.0/8 scram-sha-256
+
 [`Dockerfile`]: https://github.com/Tecnativa/docker-postgres-autoconf/blob/master/Dockerfile
diff --git a/autoconf-entrypoint b/autoconf-entrypoint
@@ -33,6 +33,7 @@ WAN_USERS = json.loads(os.environ["WAN_USERS"])
 PGSSLCERT = os.environ.get("PGSSLCERT")
 PGSSLKEY = os.environ.get("PGSSLKEY")
 PGSSLROOTCERT = os.environ.get("PGSSLROOTCERT")
+HBA_EXTRA_RULES = os.environ.get("HBA_EXTRA_RULES", "")
 
 # Configuration file templates
 CONF_FOLDER = "/etc/postgres"
@@ -86,6 +87,17 @@ for filen in (PGSSLCERT, PGSSLKEY, PGSSLROOTCERT):
 if ssl_conf:
     ssl_conf.append("ssl = on")
 
+# Parse extra rules for pg_hba.conf
+extra_hba_rules = []
+if HBA_EXTRA_RULES:
+    try:
+        extra_hba_rules = json.loads(HBA_EXTRA_RULES)
+        if not isinstance(extra_hba_rules, list):
+            raise ValueError("HBA_EXTRA_RULES must be a JSON array")
+    except json.JSONDecodeError:
+        print("Invalid JSON in HBA_EXTRA_RULES", file=sys.stderr)
+        sys.exit(1)
+
 # Generate LAN auth configuration
 for interface in netifaces.interfaces():
     for type_, addresses in netifaces.ifaddresses(interface).items():
@@ -123,6 +135,13 @@ if WAN_CONNECTION != "hostssl" or ssl_conf:
             )
         )
 
+# Append extra rules to hba_conf
+for rule in extra_hba_rules:
+    if not isinstance(rule, str):
+        print("Each rule in HBA_EXTRA_RULES must be a string", file=sys.stderr)
+        sys.exit(1)
+    hba_conf.append(rule)
+
 # Write postgres configuration files
 with open(CONF_FILE, "w") as conf_file:
     conf_file.write(
