Following on from my postgres on zfs setup, I needed to configure authentication so that my PostgreSQL replica could securely connect to the primary.

The constraints here are that I’m not using a cloud private network, so I need a VPN of some kind! I’m using Tailscale, which is pretty much just WireGuard made easy.


First up, configure the firewall following Tailscale’s docs. Make sure you don’t lock yourself out! I’m also using Tailscale SSH with 2FA.

ufw allow in on tailscale0
ufw default deny incoming
ufw default allow outgoing
ufw reload
systemctl restart sshd


Next, we need to tell postgres to listen on all addresses. In your postgres config:

listen_addresses = '*'

I wish I could just provide tailscale0, the tailnet CIDR or… anything else. Alas. It’s not that flexible, but at least we can lock things down with the firewall and pg_hba.conf. Don’t skip the other steps!


Next up, we just need to set up pg_hba.conf to allow the login:

host    all             all             <tailscale-cidr>    scram-sha-256

Where <tailscale-cidr> is the CIDR range used by Tailscale. Read more here.
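Because listen_addresses = '*' exposes the port on every interface, the firewall and pg_hba.conf are the only things standing between the internet and the database, so it is worth checking the HBA file rather than eyeballing it. The script below is an added example, not code from the original post or from PostgreSQL: it parses pg_hba.conf entries, flags any network entry whose address is not inside the tailnet or whose method is not scram-sha-256, and checks that a replication entry exists, since the database keyword all does not match streaming-replication connections. It assumes Tailscale’s default CGNAT range 100.64.0.0/10 and a replication role named replicator; the sample HBA text is constructed for the demonstration.

```python
"""Lint a pg_hba.conf so every network entry is confined to the tailnet and
uses SCRAM authentication. Added example, not from the original post."""
import ipaddress

# Assumption: Tailscale hands out addresses from the CGNAT range 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
ALLOWED_METHODS = {"scram-sha-256"}

# Constructed sample pg_hba.conf. The replica connects with a dedicated role
# ("replicator" is an assumed name) and needs a "replication" entry: the
# database keyword "all" does NOT match streaming-replication connections.
# The last two lines are deliberately bad so the audit has something to find.
SAMPLE_HBA = """
# TYPE  DATABASE     USER        ADDRESS          METHOD
local   all          postgres                     peer
host    replication  replicator  100.64.0.0/10    scram-sha-256
host    all          all         100.64.0.0/10    scram-sha-256
host    all          all         0.0.0.0/0        md5
host    all          all         127.0.0.1/32     trust
"""


def parse_hba(text):
    """Return (type, database, user, address, method) tuples for active lines.
    host-style entries may give a dotted netmask as its own field; fold it
    into CIDR notation so ipaddress can parse it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"malformed local entry: {raw!r}")
            ctype, db, user, method = fields[:4]
            entries.append((ctype, db, user, None, method))
            continue
        if len(fields) < 5:
            raise ValueError(f"malformed host entry: {raw!r}")
        ctype, db, user, addr = fields[:4]
        rest = fields[4:]
        if "/" not in addr and rest[0].count(".") == 3:  # ADDRESS NETMASK form
            addr = f"{addr}/{rest[0]}"
            rest = rest[1:]
        entries.append((ctype, db, user, addr, rest[0] if rest else ""))
    return entries


def audit_hba(text, tailnet=TAILNET):
    """Return (entry, reason) pairs for entries that admit clients from
    outside the tailnet or use a non-SCRAM method. Loopback entries are
    exempt from the address check but not from the method check."""
    findings = []
    for entry in parse_hba(text):
        ctype, db, user, addr, method = entry
        if ctype == "local":
            continue  # Unix-socket entries are not reachable over the network
        if method not in ALLOWED_METHODS:
            findings.append((entry, f"method {method!r} is not SCRAM"))
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append((entry, f"address {addr!r} is not a CIDR network"))
            continue
        if net.is_loopback:
            continue
        if net.version != tailnet.version or not net.subnet_of(tailnet):
            findings.append((entry, f"{addr} is not inside the tailnet {tailnet}"))
    return findings


def has_replication_entry(entries):
    """True if some network entry covers streaming-replication connections."""
    return any(e[0] != "local" and "replication" in e[1].split(",") for e in entries)


if __name__ == "__main__":
    for entry, reason in audit_hba(SAMPLE_HBA):
        print(" ".join(f for f in entry if f), "->", reason)
    if not has_replication_entry(parse_hba(SAMPLE_HBA)):
        print("no replication entry: the replica will be refused")
```

Run it against the real file with audit_hba(open("/etc/postgresql/.../pg_hba.conf").read()); an empty result means every network entry is confined to the tailnet with SCRAM. Using hostssl instead of host for the tailnet entries additionally requires TLS on the connection, which costs nothing over an already-encrypted WireGuard link but protects you if the firewall rule is ever loosened.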