From 544682e92eab0646884cf8b7e8fde696a524a036 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 16 Jan 2026 09:51:30 -0800
Subject: [PATCH] Restrict .pgpass to read-only borgmatic user only

Remove superuser from .pgpass since it's not needed for automated operations. Only borgmatic (with pg_read_all_data role) needs passwordless access for pg_dump backups.

Co-Authored-By: Claude Opus 4.5
---
 ansible/roles/postgresql/tasks/main.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/postgresql/tasks/main.yml b/ansible/roles/postgresql/tasks/main.yml
index c4e8658..6a6ff30 100644
--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@@ -166,10 +166,12 @@
 # === Write credential files for local access ===
-- name: Write .pgpass file for local authentication
+# .pgpass is used by borgmatic for pg_dump backups
+# Only includes read-only roles (borgmatic has pg_read_all_data)
+- name: Write .pgpass file for borgmatic backups
   ansible.builtin.copy:
     content: |
-      localhost:{{ postgresql_port }}:*:{{ ansible_user_id }}:{{ pg_superuser_password }}
+      # Managed by ansible - only read-only roles
       localhost:{{ postgresql_port }}:*:borgmatic:{{ pg_user_passwords['borgmatic'] }}
     dest: ~/.pgpass
     mode: '0600'