Define access rules in the PostgreSQL primary recipe

Access is done for the IP of a server for all users and all databases
for ejabberd and gitea

site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb

@@ -27,12 +27,6 @@
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
-postgresql_service = "service[#{postgresql_service_name}]"
-
-service postgresql_service do
-  supports restart: true, status: true, reload: true
-end
-
 postgresql_user 'ejabberd' do
   action :create
   password postgresql_data_bag_item['ejabberd_user_password']
@@ -40,8 +34,6 @@ end
 
 databases = ["ejabberd", "ejabberd_5apps"]
 
-ejabberd_servers = search(:node, "role:ejabberd AND chef_environment:#{node.chef_environment}")
-
 databases.each do |database|
   postgresql_database database do
     owner 'ejabberd'
@@ -60,17 +52,4 @@ databases.each do |database|
     action :nothing
   end
 
-  ejabberd_servers.each do |ejabberd_server|
-    ip = ip_for(ejabberd_server)
-    hostname = ejabberd_server[:hostname]
-
-    postgresql_access "#{database} #{hostname}" do
-      access_type "host"
-      access_db database
-      access_user "ejabberd"
-      access_addr "#{ip}/32"
-      access_method "md5"
-      notifies :reload, postgresql_service, :delayed
-    end
-  end
 end

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -27,6 +27,10 @@
 postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
 
+service postgresql_service do
+  supports restart: true, status: true, reload: true
+end
+
 postgresql_custom_server postgresql_version do
   role "primary"
 end
@@ -54,6 +58,25 @@ postgresql_replicas.each do |replica|
     notifies :reload, "service[#{postgresql_service}]", :immediately
   end
 
+  gitea_servers = search(:node, "role:gitea AND chef_environment:#{node.chef_environment}") || []
+  ejabberd_servers = search(:node, "role:ejabberd AND chef_environment:#{node.chef_environment}") || []
+
+  servers = (gitea_servers + ejabberd_servers).uniq
+
+  servers.each do |server|
+    ip = ip_for(server)
+    hostname = server[:hostname]
+
+    postgresql_access "#{hostname} all" do
+      access_type "host"
+      access_db "all"
+      access_user "all"
+      access_addr "#{ip}/32"
+      access_method "md5"
+      notifies :reload, "service[#{postgresql_service}]", :immediately
+    end
+  end
+
   unless node.chef_environment == "development"
     include_recipe "firewall"
 

site-cookbooks/kosmos_gitea/recipes/pg_db.rb

@@ -6,12 +6,6 @@
 
 gitea_data_bag_item = data_bag_item("credentials", "gitea")
 
-postgresql_service = "service[#{postgresql_service_name}]"
-
-service postgresql_service do
-  supports restart: true, status: true, reload: true
-end
-
 postgresql_user "gitea" do
   action :create
   password gitea_data_bag_item["postgresql_password"]
@@ -21,17 +15,3 @@ postgresql_database "gitea" do
   owner "gitea"
   action :create
 end
-
-search(:node, "role:gitea AND chef_environment:#{node.chef_environment}").each do |gitea_server|
-  ip = ip_for(gitea_server)
-  hostname = gitea_server[:hostname]
-
-  postgresql_access "gitea #{hostname}" do
-    access_type "host"
-    access_db "gitea"
-    access_user "gitea"
-    access_addr "#{ip}/32"
-    access_method "md5"
-    notifies :reload, postgresql_service, :delayed
-  end
-end