Following on from my postgres on zfs setup, I needed to configure authentication so that my replica could securely connect to the primary.
The constraint here is that I'm not using a cloud private network, so I need a VPN of some kind! I'm using Tailscale, which is pretty much just wireguard made easy.
First up, following Tailscale's docs, restrict inbound traffic to the tailscale0 interface. Make sure you don't lock yourself out! I'm also using tailscale SSH with 2fa.
```
ufw allow in on tailscale0
ufw default deny incoming
ufw default allow outgoing
ufw reload
systemctl restart sshd
```
Next, we need to tell postgres to listen on all addresses. In your postgres config:
```
listen_addresses = '*'
```
I wish I could just provide tailscale0, the tailnet CIDR, or anything else more specific. Alas, it's not that flexible, but at least we can lock things down with the firewall + hba. Don't skip the other steps!
Next up we just need to set up pg_hba.conf to allow the login!
```
host all all 100.64.0.0/10 scram-sha-256
```
100.64.0.0/10 is the CGNAT range that Tailscale assigns node addresses from, so this rule admits only peers on the tailnet (and only with SCRAM). Read more here.
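As an added example (not from the post), here is a small audit script that parses pg_hba.conf host rules and flags any whose source address reaches outside the Tailscale range or whose auth method is weaker than SCRAM; the sample config embedded in it is constructed for the demo.

```python
import ipaddress

TAILNET = ipaddress.ip_network("100.64.0.0/10")   # Tailscale's CGNAT range
STRONG_METHODS = {"scram-sha-256", "cert"}

# Constructed sample pg_hba.conf (not the post's file). Rule 1 is the post's rule;
# rules 2 and 3 are deliberately bad so the audit has something to report.
SAMPLE_HBA = """
# TYPE  DATABASE     USER        ADDRESS              METHOD
local   all          all                              peer
host    all          all         100.64.0.0/10        scram-sha-256
host    all          all         0.0.0.0/0            md5
host    replication  replicator  100.101.102.103/32   trust
"""

def parse_hba(text):
    """Return a list of rule dicts; unix-socket rules carry addr=None."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": None, "method": f[3]})
        elif f[0] in ("host", "hostssl", "hostnossl"):
            # ADDRESS is either a CIDR, or an IP followed by a separate netmask column
            if "/" not in f[3] and len(f) > 5:
                addr, method = f"{f[3]}/{f[4]}", f[5]
            else:
                addr, method = f[3], f[4]
            try:
                addr = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                pass                               # hostname or keyword like "all": kept as str
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": addr, "method": method})
    return rules

def audit(text):
    """Return (rule_index, message) findings for rules that weaken the tailnet-only posture."""
    findings = []
    for i, r in enumerate(parse_hba(text)):
        if r["addr"] is None:
            continue                               # local socket rules are out of scope here
        a = r["addr"]
        if isinstance(a, str) or a.version != TAILNET.version or not a.subnet_of(TAILNET):
            findings.append((i, f"source {a} reaches outside the tailnet"))
        if r["method"] not in STRONG_METHODS:
            findings.append((i, f"weak auth method {r['method']!r}"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_HBA):
        print(f"rule {idx}: {msg}")
```

Note that the database keyword `all` in pg_hba.conf does not match streaming-replication connections; a replica needs its own rule whose database column is `replication`, which the audit above treats exactly like any other host rule.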