active_postgres 0.7.0 → 0.9.0

data/lib/active_postgres/configuration.rb

@@ -2,18 +2,21 @@ require 'yaml'
 
 module ActivePostgres
   class Configuration
-    attr_reader :environment, :version, :user, :ssh_key, :primary, :standbys, :components, :secrets_config, :database_config
+    attr_reader :environment, :version, :user, :ssh_key, :ssh_host_key_verification, :primary, :standbys, :components, :secrets_config,
+                :database_config
 
     def initialize(config_hash, environment = 'development')
       @environment = environment
       env_config = config_hash[environment] || {}
 
-      # Check if deployment should be skipped (e.g., for development)
       @skip_deployment = env_config['skip_deployment'] == true
 
       @version = env_config['version'] || 18
       @user = env_config['user'] || 'ubuntu'
       @ssh_key = File.expand_path(env_config['ssh_key'] || '~/.ssh/id_rsa')
+      @ssh_host_key_verification = normalize_ssh_host_key_verification(
+        env_config['ssh_host_key_verification'] || env_config['ssh_verify_host_key']
+      )
 
       @primary = env_config['primary'] || {}
       @standbys = env_config['standby'] || []
@@ -65,6 +68,16 @@ module ActivePostgres
       private_ip_for(node) || host
     end
 
+    # Returns the host to use for direct PostgreSQL connections (private_ip preferred)
+    def connection_host_for(host)
+      node = node_config_for(host)
+      private_ip_for(node) || host
+    end
+
+    def primary_connection_host
+      connection_host_for(primary_host)
+    end
+
     def standby_config_for(host)
       @standbys.find { |s| s['host'] == host }
     end
@@ -82,6 +95,29 @@ module ActivePostgres
 
       # Validate required secrets if components are enabled
       raise Error, 'Missing replication_password secret' if component_enabled?(:repmgr) && !secrets_config['replication_password']
+      raise Error, 'Missing monitoring_password secret' if component_enabled?(:monitoring) && !secrets_config['monitoring_password']
+
+        if component_enabled?(:repmgr)
+          dns_failover = component_config(:repmgr)[:dns_failover]
+          if dns_failover && dns_failover[:enabled]
+            domain = dns_failover[:domain].to_s.strip
+            servers = Array(dns_failover[:dns_servers])
+            provider = (dns_failover[:provider] || 'dnsmasq').to_s.strip
+
+            raise Error, 'dns_failover.domain is required when enabled' if domain.empty?
+            raise Error, 'dns_failover.dns_servers is required when enabled' if servers.empty?
+            raise Error, "Unsupported dns_failover provider '#{provider}'" unless provider == 'dnsmasq'
+
+            servers.each do |server|
+              next unless server.is_a?(Hash)
+
+              ssh_host = server['ssh_host'] || server[:ssh_host] || server['host'] || server[:host]
+              private_ip = server['private_ip'] || server[:private_ip] || server['ip'] || server[:ip]
+              raise Error, 'dns_failover.dns_servers entries must include host/ssh_host or private_ip' if
+                (ssh_host.nil? || ssh_host.to_s.strip.empty?) && (private_ip.nil? || private_ip.to_s.strip.empty?)
+            end
+          end
+        end
 
       true
     end
@@ -99,6 +135,10 @@ module ActivePostgres
       component_config(:repmgr)[:database] || 'repmgr'
     end
 
+    def replication_user
+      component_config(:repmgr)[:replication_user] || 'replication'
+    end
+
     def pgbouncer_user
       component_config(:pgbouncer)[:user] || 'pgbouncer'
     end
@@ -186,5 +226,22 @@ module ActivePostgres
         value
       end
     end
+
+    def normalize_ssh_host_key_verification(value)
+      return :always if value.nil?
+
+      normalized = case value
+                   when Symbol
+                     value
+                   else
+                     value.to_s.strip.downcase.tr('-', '_').to_sym
+                   end
+
+      return :always if normalized == :always
+      return :accept_new if %i[accept_new acceptnew new].include?(normalized)
+
+      raise Error,
+            "Invalid ssh_host_key_verification '#{value}'. Use 'always' or 'accept_new'."
+    end
   end
 end

data/lib/active_postgres/connection_pooler.rb

@@ -321,10 +321,7 @@ module ActivePostgres
           WHERE passwd IS NOT NULL
         SQL
 
-        upload! StringIO.new(sql), '/tmp/get_all_users.sql'
-        execute :chmod, '644', '/tmp/get_all_users.sql'
-        userlist = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_all_users.sql').strip
-        execute :rm, '-f', '/tmp/get_all_users.sql'
+        userlist = @ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
         unless userlist.include?(pgbouncer_user)
           pgbouncer_pass = SecureRandom.hex(16)
@@ -335,10 +332,7 @@ module ActivePostgres
             "GRANT CONNECT ON DATABASE postgres TO #{pgbouncer_user};"
           ].join("\n")
 
-          upload! StringIO.new(sql), '/tmp/create_pgbouncer_user.sql'
-          execute :chmod, '644', '/tmp/create_pgbouncer_user.sql'
-          execute :sudo, '-u', postgres_user, 'psql', '-f', '/tmp/create_pgbouncer_user.sql'
-          execute :rm, '-f', '/tmp/create_pgbouncer_user.sql'
+          @ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user, tuples_only: false, capture: false)
 
           sql = <<~SQL.strip
             SELECT passwd
@@ -346,10 +340,7 @@ module ActivePostgres
             WHERE usename = '#{pgbouncer_user}'
           SQL
 
-          upload! StringIO.new(sql), '/tmp/get_pgbouncer_pass.sql'
-          execute :chmod, '644', '/tmp/get_pgbouncer_pass.sql'
-          encrypted = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_pgbouncer_pass.sql').strip
-          execute :rm, '-f', '/tmp/get_pgbouncer_pass.sql'
+          encrypted = @ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
           userlist += "\n\"#{pgbouncer_user}\" \"#{encrypted}\""
         end

data/lib/active_postgres/credentials.rb

@@ -2,8 +2,8 @@ module ActivePostgres
   class Credentials
     def self.get(key_path)
       # Try to get from Rails credentials if Rails is available
-      if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
-        value = Rails.application.credentials.dig(*key_path.split('.').map(&:to_sym))
+      if defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application
+        value = ::Rails.application.credentials.dig(*key_path.split('.').map(&:to_sym))
         return value if value
       end
 
@@ -11,7 +11,7 @@ module ActivePostgres
     end
 
     def self.available?
-      defined?(Rails) && Rails.respond_to?(:application) && Rails.application&.credentials
+      defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application&.credentials
     end
   end
 end

data/lib/active_postgres/direct_executor.rb

@@ -0,0 +1,91 @@
+require 'pg'
+
+module ActivePostgres
+  class DirectExecutor
+    attr_reader :config
+
+    def initialize(config, quiet: false)
+      @config = config
+      @quiet = quiet
+    end
+
+    def quiet?
+      @quiet
+    end
+
+    def postgres_running?(host)
+      with_connection(host) do |conn|
+        conn.exec('SELECT 1')
+        true
+      end
+    rescue PG::Error
+      false
+    end
+
+    def run_sql(host, sql)
+      with_connection(host) do |conn|
+        result = conn.exec(sql)
+        result.values.flatten.join("\n")
+      end
+    rescue PG::Error => e
+      raise Error, "Failed to execute SQL on #{host}: #{e.message}"
+    end
+
+    def get_postgres_status(host)
+      run_sql(host, 'SELECT version();')
+    end
+
+    private
+
+    def with_connection(host)
+      connection_host = config.connection_host_for(host)
+      superuser_password = resolve_secret(config.secrets_config['superuser_password'])
+
+      conn = PG.connect(
+        host: connection_host,
+        port: 5432,
+        dbname: 'postgres',
+        user: config.postgres_user,
+        password: superuser_password,
+        connect_timeout: 10,
+        sslmode: config.component_enabled?(:ssl) ? 'require' : 'prefer'
+      )
+
+      begin
+        yield conn
+      ensure
+        conn.close
+      end
+    end
+
+    def resolve_secret(value)
+      return nil if value.nil?
+
+      # Handle Rails credentials
+      if value.start_with?('rails_credentials:')
+        return resolve_rails_credentials(value)
+      end
+
+      # Handle environment variables
+      if value.start_with?('$')
+        return ENV[value[1..]]
+      end
+
+      # Handle shell commands
+      if value.start_with?('$(') && value.end_with?(')')
+        return `#{value[2..-2]}`.strip
+      end
+
+      value
+    end
+
+    def resolve_rails_credentials(value)
+      path = value.sub('rails_credentials:', '')
+      keys = path.split('.').map(&:to_sym)
+
+      Rails.application.credentials.dig(*keys)
+    rescue NameError
+      nil
+    end
+  end
+end

data/lib/active_postgres/generators/active_postgres/install_generator.rb

@@ -112,6 +112,7 @@ module ActivePostgres
         puts "  superuser_password: \"#{generate_secure_password}\""
         puts "  replication_password: \"#{generate_secure_password}\""
         puts "  repmgr_password: \"#{generate_secure_password}\""
+        puts "  monitoring_password: \"#{generate_secure_password}\""
         puts
         puts '🔐 Secure passwords have been auto-generated above.'
         puts '📌 Update primary_host and replica_host with your actual IPs after provisioning.'

data/lib/active_postgres/generators/active_postgres/templates/postgres.yml.erb

@@ -11,6 +11,8 @@ shared: &shared
   version: 18
   user: ubuntu
   ssh_key: ~/.ssh/id_rsa
+  # SSH host key verification: always (strict) or accept_new (first connection)
+  ssh_host_key_verification: always
 
   components:
     core:
@@ -31,17 +33,32 @@ shared: &shared
       # Optional: Override default repmgr user/database
       # user: repmgr
       # database: repmgr
+      # replication_user: replication
+      # dns_failover:
+      #   enabled: true
+      #   provider: dnsmasq
+      #   domain: mesh.internal
+      #   dns_servers:
+      #     - host: 18.170.173.14
+      #       private_ip: 10.8.0.10
+      #     - host: 98.85.183.175
+      #       private_ip: 10.8.0.110
+      #   primary_record: db-primary.mesh.internal
+      #   replica_record: db-replica.mesh.internal
 
     pgbouncer:
       enabled: false
       # Optional: Override default pgbouncer user
       # user: pgbouncer
+      # follow_primary: true
+      # follow_primary_interval: 5
     
     pgbackrest:
       enabled: false
     
     monitoring:
       enabled: false
+      # user: postgres_exporter
     
     ssl:
       enabled: false
@@ -80,6 +97,6 @@ production:
     superuser_password: rails_credentials:postgres.superuser_password
     replication_password: rails_credentials:postgres.replication_password
     repmgr_password: rails_credentials:postgres.repmgr_password
+    monitoring_password: rails_credentials:postgres.monitoring_password
     pgbouncer_password: rails_credentials:postgres.password
     app_password: rails_credentials:postgres.password
-

data/lib/active_postgres/health_checker.rb

@@ -1,10 +1,19 @@
 module ActivePostgres
   class HealthChecker
-    attr_reader :config, :ssh_executor
+    attr_reader :config, :executor
 
     def initialize(config)
       @config = config
-      @ssh_executor = SSHExecutor.new(config, quiet: true)
+      @executor = create_executor
+    end
+
+    # Backwards compatibility alias
+    def ssh_executor
+      @executor
+    end
+
+    private def create_executor
+      DirectExecutor.new(config, quiet: true)
     end
 
     def show_status
@@ -287,31 +296,29 @@ module ActivePostgres
     def check_pgbouncer_status(host)
       return '-' unless config.component_enabled?(:pgbouncer)
 
-      ssh_executor.execute_on_host(host) do
-        result = capture(:sudo, 'systemctl', 'is-active', 'pgbouncer').strip
-        result == 'active' ? '✓ running' : '✗ down'
-      end
+      check_pgbouncer_direct(host) ? '✓ running' : '✗ down'
     rescue StandardError
       '✗ down'
     end
 
     def check_pgbouncer_running(host)
-      ssh_executor.execute_on_host(host) do
-        result = capture(:sudo, 'systemctl', 'is-active', 'pgbouncer').strip
-        result == 'active'
-      end
+      check_pgbouncer_direct(host)
     rescue StandardError
       false
     end
 
-    def check_pgbouncer_userlist(host)
-      app_user = config.app_user
-      return true unless app_user # No app user configured, skip check
+    def check_pgbouncer_userlist(_host)
+      true
+    end
+
+    def check_pgbouncer_direct(host)
+      require 'socket'
+      connection_host = config.connection_host_for(host)
+      pgbouncer_port = config.component_config(:pgbouncer)[:listen_port] || 6432
 
-      ssh_executor.execute_on_host(host) do
-        userlist = capture(:sudo, 'cat', '/etc/pgbouncer/userlist.txt').strip
-        userlist.include?(app_user)
-      end
+      socket = TCPSocket.new(connection_host, pgbouncer_port)
+      socket.close
+      true
     rescue StandardError
       false
     end

data/lib/active_postgres/rollback_manager.rb

@@ -113,12 +113,10 @@ module ActivePostgres
 
     def register_database_removal(host, database_name)
       postgres_user = config.postgres_user
+      executor = ssh_executor
       register("Drop database #{database_name} on #{host}", host: host) do
         sql = "DROP DATABASE IF EXISTS #{database_name};"
-        upload! StringIO.new(sql), '/tmp/drop_database.sql'
-        execute :chmod, '644', '/tmp/drop_database.sql'
-        execute :sudo, '-u', postgres_user, 'psql', '-f', '/tmp/drop_database.sql'
-        execute :rm, '-f', '/tmp/drop_database.sql'
+        executor.run_sql_on_backend(self, sql, postgres_user: postgres_user, tuples_only: false, capture: false)
       rescue StandardError
         nil
       end
@@ -126,12 +124,10 @@ module ActivePostgres
 
     def register_postgres_user_removal(host, username)
       postgres_user = config.postgres_user
+      executor = ssh_executor
       register("Drop PostgreSQL user #{username} on #{host}", host: host) do
         sql = "DROP USER IF EXISTS #{username};"
-        upload! StringIO.new(sql), '/tmp/drop_user.sql'
-        execute :chmod, '644', '/tmp/drop_user.sql'
-        execute :sudo, '-u', postgres_user, 'psql', '-f', '/tmp/drop_user.sql'
-        execute :rm, '-f', '/tmp/drop_user.sql'
+        executor.run_sql_on_backend(self, sql, postgres_user: postgres_user, tuples_only: false, capture: false)
       rescue StandardError
         nil
       end

data/lib/active_postgres/secrets.rb

@@ -15,7 +15,7 @@ module ActivePostgres
       return nil unless secret_value
 
       resolved = resolve_secret_value(secret_value)
-      @cache[secret_key] = resolved
+      @cache[secret_key] = resolved unless resolved.nil?
       resolved
     end
 
@@ -25,6 +25,21 @@ module ActivePostgres
       end
     end
 
+    def resolve_value(value)
+      case value
+      when Hash
+        value.each_with_object({}) do |(k, v), result|
+          result[k] = resolve_value(v)
+        end
+      when Array
+        value.map { |v| resolve_value(v) }
+      when String
+        resolve_secret_value(value)
+      else
+        value
+      end
+    end
+
     def cache_to_files(directory = '.secrets')
       require 'fileutils'
 
@@ -45,9 +60,10 @@ module ActivePostgres
 
     def resolve_secret_value(value)
       case value
-      when /^rails_credentials:(.+)$/
+      when /^(rails_credentials|credentials):(.+)$/
         # Rails credentials: rails_credentials:postgres.superuser_password
-        key_path = ::Regexp.last_match(1)
+        # Alias: credentials:postgres.superuser_password
+        key_path = ::Regexp.last_match(2).to_s.strip
         fetch_from_rails_credentials(key_path)
       when /^\$\((.+)\)$/
         # Command execution: $(op read "op://...")
@@ -65,10 +81,12 @@ module ActivePostgres
     end
 
     def fetch_from_rails_credentials(key_path)
-      return nil unless Credentials.available?
+      return nil unless defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application
 
       keys = key_path.split('.').map(&:to_sym)
-      Rails.application.credentials.dig(*keys)
+      ::Rails.application.credentials.dig(*keys)
+    rescue StandardError
+      nil
     end
 
     def execute_command(command)

data/lib/active_postgres/ssh_executor.rb

@@ -22,6 +22,10 @@ module ActivePostgres
       on("#{config.user}@#{host}", &)
     end
 
+    def execute_on_host_as(host, user, &)
+      on("#{user}@#{host}", &)
+    end
+
     def execute_on_primary(&)
       execute_on_host(config.primary_host, &)
     end
@@ -94,7 +98,7 @@ module ActivePostgres
 
         info 'Configuring PostgreSQL apt repository...'
         pgdg_repo = "'echo \"deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] " \
-                    'http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > ' \
+                    'https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > ' \
                     "/etc/apt/sources.list.d/pgdg.list'"
         execute :sudo, 'sh', '-c', pgdg_repo
 
@@ -200,24 +204,42 @@ module ActivePostgres
       result
     end
 
-    def run_sql(host, sql)
+    def run_sql(host, sql, postgres_user: config.postgres_user, port: nil, database: nil, tuples_only: true,
+                capture: true)
       result = nil
-      postgres_user = config.postgres_user
+      executor = self
       execute_on_host(host) do
-        # Use a temporary file to avoid shell escaping issues with special characters
-        temp_file = "/tmp/query_#{SecureRandom.hex(8)}.sql"
-        upload! StringIO.new(sql), temp_file
-        execute :chmod, '644', temp_file
-
-        begin
-          result = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', temp_file)
-        ensure
-          execute :rm, '-f', temp_file
-        end
+        backend = self
+        result = executor.run_sql_on_backend(backend, sql,
+                                    postgres_user: postgres_user,
+                                    port: port,
+                                    database: database,
+                                    tuples_only: tuples_only,
+                                    capture: capture)
       end
       result
     end
 
+    def run_sql_on_backend(backend, sql, postgres_user: config.postgres_user, port: nil, database: nil,
+                           tuples_only: true, capture: true)
+      # Use a temporary file to avoid shell escaping issues with special characters
+      temp_file = "/tmp/active_postgres_#{SecureRandom.hex(8)}.sql"
+      backend.upload! StringIO.new(sql), temp_file
+      backend.execute :chmod, '600', temp_file
+      backend.execute :sudo, 'chown', "#{postgres_user}:#{postgres_user}", temp_file
+
+      cmd = [:sudo, '-u', postgres_user, 'psql']
+      cmd << '-t' if tuples_only
+      cmd += ['-p', port.to_s] if port
+      cmd += ['-d', database.to_s] if database
+      cmd += ['-f', temp_file]
+
+      result = capture ? backend.capture(*cmd) : backend.execute(*cmd)
+      result
+    ensure
+      backend.execute :sudo, 'rm', '-f', temp_file
+    end
+
     def ensure_cluster_exists(host, version)
       execute_on_host(host) do
         data_dir = "/var/lib/postgresql/#{version}/main"
@@ -280,7 +302,7 @@ module ActivePostgres
           keys_only: true,
           forward_agent: false,
           auth_methods: ['publickey'],
-          verify_host_key: :accept_new,
+          verify_host_key: config.ssh_host_key_verification || :always,
           timeout: 10,
           number_of_password_prompts: 0
         }

data/lib/active_postgres/version.rb

@@ -1,3 +1,3 @@
 module ActivePostgres
-  VERSION = '0.7.0'.freeze
+  VERSION = '0.9.0'.freeze
 end

data/lib/active_postgres.rb

@@ -21,6 +21,7 @@ require_relative 'active_postgres/standby_deployment_flow'
 require_relative 'active_postgres/cli'
 require_relative 'active_postgres/installer'
 require_relative 'active_postgres/ssh_executor'
+require_relative 'active_postgres/direct_executor'
 require_relative 'active_postgres/health_checker'
 require_relative 'active_postgres/failover'
 require_relative 'active_postgres/performance_tuner'

data/lib/tasks/postgres.rake

@@ -372,6 +372,15 @@ namespace :postgres do
       installer.setup_component('monitoring')
     end
 
+    desc 'Setup only pgBackRest backups'
+    task pgbackrest: :environment do
+      require 'active_postgres'
+
+      config = ActivePostgres::Configuration.load
+      installer = ActivePostgres::Installer.new(config)
+      installer.setup_component('pgbackrest')
+    end
+
     desc 'Setup only repmgr'
     task repmgr: :environment do
       require 'active_postgres'
@@ -412,10 +421,7 @@ namespace :postgres do
             WHERE rolname = '#{user}'
           SQL
 
-          upload! StringIO.new(sql), '/tmp/get_user_hash.sql'
-          execute :chmod, '644', '/tmp/get_user_hash.sql'
-          user_hash = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_user_hash.sql').strip
-          execute :rm, '-f', '/tmp/get_user_hash.sql'
+          user_hash = ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
           if user_hash && !user_hash.empty?
             userlist_entries << user_hash

data/lib/tasks/rotate_credentials.rake

@@ -26,10 +26,7 @@ namespace :postgres do
         escaped_password = new_password.gsub("'", "''")
 
         sql = "ALTER USER #{app_user} WITH PASSWORD '#{escaped_password}';"
-        upload! StringIO.new(sql), '/tmp/rotate_password.sql'
-        execute :chmod, '644', '/tmp/rotate_password.sql'
-        execute :sudo, '-u', 'postgres', 'psql', '-f', '/tmp/rotate_password.sql'
-        execute :rm, '-f', '/tmp/rotate_password.sql'
+        ssh_executor.run_sql_on_backend(self, sql, postgres_user: 'postgres', tuples_only: false, capture: false)
 
         puts "✓ Updated PostgreSQL password for #{app_user}"
       end
@@ -48,10 +45,7 @@ namespace :postgres do
               WHERE rolname = '#{user}'
             SQL
 
-            upload! StringIO.new(sql), '/tmp/get_user_hash.sql'
-            execute :chmod, '644', '/tmp/get_user_hash.sql'
-            user_hash = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_user_hash.sql').strip
-            execute :rm, '-f', '/tmp/get_user_hash.sql'
+            user_hash = ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
             userlist_entries << user_hash if user_hash && !user_hash.empty?
           end
@@ -128,10 +122,7 @@ namespace :postgres do
           escaped_password = new_password.gsub("'", "''")
 
           sql = "ALTER USER #{username} WITH PASSWORD '#{escaped_password}';"
-          upload! StringIO.new(sql), '/tmp/rotate_password.sql'
-          execute :chmod, '644', '/tmp/rotate_password.sql'
-          execute :sudo, '-u', 'postgres', 'psql', '-f', '/tmp/rotate_password.sql'
-          execute :rm, '-f', '/tmp/rotate_password.sql'
+          ssh_executor.run_sql_on_backend(self, sql, postgres_user: 'postgres', tuples_only: false, capture: false)
         end
 
         puts "✓ Updated #{username}"
@@ -152,10 +143,7 @@ namespace :postgres do
               WHERE rolname = '#{user}'
             SQL
 
-            upload! StringIO.new(sql), '/tmp/get_user_hash.sql'
-            execute :chmod, '644', '/tmp/get_user_hash.sql'
-            user_hash = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_user_hash.sql').strip
-            execute :rm, '-f', '/tmp/get_user_hash.sql'
+            user_hash = ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
             userlist_entries << user_hash if user_hash && !user_hash.empty?
           end

data/templates/pg_hba.conf.erb

@@ -39,9 +39,12 @@
   repmgr_network = pg_hba_rules.find { |r| r[:type] == 'host' && r[:address] && !r[:address].start_with?('127.0.0.1') }&.dig(:address) || '10.8.0.0/24'
   repmgr_user = config.repmgr_user
   repmgr_db = config.repmgr_database
+  replication_user = config.replication_user
 %>
 host    replication     <%= repmgr_user %>          <%= repmgr_network %>          scram-sha-256
+<% if replication_user && replication_user != repmgr_user %>
+host    replication     <%= replication_user %>          <%= repmgr_network %>          scram-sha-256
+<% end %>
 host    <%= repmgr_db %>          <%= repmgr_user %>          <%= repmgr_network %>          scram-sha-256
 <% end %>
 
-