Restrict .pgpass to read-only borgmatic user only

Remove superuser from .pgpass since it's not needed for automated operations. Only borgmatic (with pg_read_all_data role) needs passwordless access for pg_dump backups. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-16 12:30:21 -08:00 · 2026-01-16 09:51:30 -08:00 · 2026-01-16 09:51:30 -08:00
commit 544682e92e
1 changed files with 4 additions and 2 deletions
--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@ -166,10 +166,12 @@

 # === Write credential files for local access ===

- name: Write .pgpass file for local authentication
+# .pgpass is used by borgmatic for pg_dump backups
+# Only includes read-only roles (borgmatic has pg_read_all_data)
+- name: Write .pgpass file for borgmatic backups
  ansible.builtin.copy:
    content: |
-      localhost:{{ postgresql_port }}:*:{{ ansible_user_id }}:{{ pg_superuser_password }}
+      # Managed by ansible - only read-only roles
      localhost:{{ postgresql_port }}:*:borgmatic:{{ pg_user_passwords['borgmatic'] }}
    dest: ~/.pgpass
    mode: '0600'