@samrose samrose commented Jan 9, 2026

We want to ban an IP if unsupported connection attempts are repeatedly created (such as unencrypted, etc.).

Summary by CodeRabbit

  • Chores
    • Updated PostgreSQL fail2ban filter configuration to improve authentication monitoring and security event detection.

coderabbitai bot commented Jan 9, 2026

Walkthrough

A new ignore regex pattern was added to the PostgreSQL fail2ban filter configuration template to exclude specific host-based authentication errors from triggering bans.

Changes

| Cohort / File(s) | Summary |
|---|---|
| PostgreSQL Fail2Ban Filter Configuration: `ansible/files/fail2ban_config/filter-postgresql.conf.j2` | Added ignore regex pattern for "no pg_hba.conf entry for host" errors to prevent false-positive ban triggers on host-based authentication failures |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A pattern, so new, for PostgreSQL logs,
Ignore those host errors through digital bogs,
No more false bans on pg\_hba mistakes,
The filter grows smarter with each care it takes! 🔒

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The PR description is minimal and lacks required sections from the template (e.g., problem statement, solution details, testing notes), though it communicates the basic intent. | Use the repository's template to provide more structured information including what problem this solves, implementation details, and how the changes were tested. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title directly relates to the main change: adding a new ignore regex pattern to ban unencrypted direct connections to PostgreSQL, as shown by the filter configuration update. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@samrose samrose marked this pull request as ready for review January 11, 2026 20:07
@samrose samrose requested review from a team as code owners January 11, 2026 20:07
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @ansible/files/fail2ban_config/filter-postgresql.conf.j2:
- Line 3: The failregex currently '^.*no pg_hba\.conf entry for host
"<HOST>",.*$' in filter-postgresql.conf.j2 is too broad and will match any
pg_hba.conf mismatch; narrow it to target only unencrypted/SSL-related failures
by changing the pattern to require SSL-specific text (e.g., include "SSL off",
"connection requires SSL" or "SSL encryption" phrases) or replace the failregex
with an ignoreregex if you intend to skip these messages entirely; update the
pattern in the template so the failregex only triggers on messages containing
SSL-related keywords rather than all "no pg_hba.conf entry" errors.
📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73c1922 and 637bbe4.

📒 Files selected for processing (1)
  • ansible/files/fail2ban_config/filter-postgresql.conf.j2
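The breadth concern raised in the review comment can be checked offline. The following is an added example, not code from the PR, the repository or CodeRabbit: it runs the quoted failregex and a hypothetical narrowed variant over constructed log lines. The `HOST` group is a simplified stand-in for fail2ban's `<HOST>` tag, and the `NARROW` pattern, the helper names and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IP literals only;
# the real tag also accepts hostnames and bracketed IPv6).
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'

# Pattern as quoted in the review comment.
BROAD = r'^.*no pg_hba\.conf entry for host "<HOST>",.*$'
# Hypothetical narrowed variant: only rejected *unencrypted* attempts.
# PostgreSQL ends the message with "SSL off" before version 12 and with
# "no encryption" from 12 on; encrypted attempts end "SSL on"/"SSL encryption".
NARROW = (r'^.*no pg_hba\.conf entry for host "<HOST>",.*, '
          r'(?:SSL off|no encryption)$')

# Constructed log lines; addresses are from the documentation ranges.
SAMPLE_LOG = [
    '2026-01-09 10:00:01 UTC [4101] FATAL:  no pg_hba.conf entry for host "203.0.113.7", user "postgres", database "postgres", no encryption',
    '2026-01-09 10:00:02 UTC [4102] FATAL:  no pg_hba.conf entry for host "203.0.113.7", user "admin", database "postgres", no encryption',
    # Encrypted client hitting a missing pg_hba rule (a misconfiguration).
    '2026-01-09 10:00:05 UTC [4103] FATAL:  no pg_hba.conf entry for host "198.51.100.20", user "app", database "appdb", SSL encryption',
    # Pre-12 wording for an unencrypted attempt.
    '2026-01-09 10:00:09 UTC [4104] FATAL:  no pg_hba.conf entry for host "192.0.2.44", user "postgres", database "postgres", SSL off',
    # Unrelated failure that neither pattern should match.
    '2026-01-09 10:00:12 UTC [4105] FATAL:  password authentication failed for user "app"',
]

def hits_per_host(pattern, lines):
    """Count matching lines per captured host for one failregex."""
    rx = re.compile(pattern.replace('<HOST>', HOST))
    return Counter(m.group('host') for m in map(rx.search, lines) if m)

def counted_only_by_broad(lines):
    """Hosts that accrue failures under BROAD but not under NARROW."""
    broad, narrow = hits_per_host(BROAD, lines), hits_per_host(NARROW, lines)
    return sorted(set(broad) - set(narrow))

if __name__ == '__main__':
    print('broad :', dict(hits_per_host(BROAD, SAMPLE_LOG)))
    print('narrow:', dict(hits_per_host(NARROW, SAMPLE_LOG)))
    print('only broad:', counted_only_by_broad(SAMPLE_LOG))
```

Against the real filter, `fail2ban-regex <logfile> <filter file>` reports the same kind of per-pattern match counts using fail2ban's own `<HOST>` expansion.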
