nexus/vault/templates/pgbouncer.ini.ctmpl

# PgBouncer Configuration - Rendered by Vault Agent
# Proxies Kratos connections to PostgreSQL with dynamic Vault credentials
{{ with secret "database/creds/nexus-kratos-app" -}}
[databases]
; Database aliases that clients may request; each maps to a PostgreSQL backend DSN.
; The user/password fields below are filled from the Vault lease read by the
; enclosing "with secret" action, so the rendered file holds a live plaintext
; database password.
; NOTE(review): the rendered file should be readable only by the PgBouncer service
; account. Destination ownership and mode are set in the Vault Agent template
; stanza, which is not part of this file - confirm they are restrictive.
; NOTE(review): the credential fields are inserted unquoted. PgBouncer needs single
; quotes around connection-string values that contain spaces or quote characters;
; confirm the Vault role's password policy cannot emit such characters, otherwise
; the rendered line may be rejected or split at the wrong place.
; Kratos connects here, PgBouncer uses Vault credentials for PostgreSQL
; connect_query sets search_path since PgBouncer doesn't support it as startup param
; Both 'nexus' and 'kratos' aliases route to the same backend with kratos schema
nexus = host=db.example.local port=5432 dbname=nexus user={{ .Data.username }} password={{ .Data.password }} connect_query='SET search_path TO kratos,public'
kratos = host=db.example.local port=5432 dbname=nexus user={{ .Data.username }} password={{ .Data.password }} connect_query='SET search_path TO kratos,public'
[pgbouncer]
; Process-wide PgBouncer settings: listeners, client auth, pooling, timeouts, logging.
; Clients reach the pooler on loopback TCP 6432 or on the unix socket in the
; directory below; no external interface is bound.
listen_addr = 127.0.0.1
listen_port = 6432
; NOTE(review): unix_socket_mode / unix_socket_group are not set, so the socket gets
; PgBouncer's default mode (0777). Narrow it if only one service account should
; reach the pooler over the socket.
unix_socket_dir = /var/run/pgbouncer
; Trust localhost - only local processes can connect
; PgBouncer handles real auth to PostgreSQL with Vault credentials
; With auth_type = trust no client password is checked; the user name only has to
; exist in auth_file. Every local process that can reach the loopback port or the
; socket therefore gets the privileges of the Vault-issued database role, and can
; also log in as the admin_users account on the admin console.
; NOTE(review): acceptable only if every account and workload on this host is
; trusted. On a shared host, prefer auth_type = scram-sha-256 with passwords in
; auth_file, and/or restrict socket access.
auth_type = trust
auth_file = /etc/pgbouncer/userlist.txt
; NOTE(review): no server_tls_* settings appear in this file, so the backend
; connection uses PgBouncer's default TLS mode, which does not verify the server
; certificate. The [databases] entries point at db.example.local, i.e. a network
; hop that carries the Vault credentials; consider server_tls_sslmode = verify-full
; together with server_tls_ca_file = <path to CA bundle>.
; Connection pooling
; session mode: a server connection stays assigned to a client until that client
; disconnects.
pool_mode = session
max_client_conn = 100
default_pool_size = 20
min_pool_size = 5
reserve_pool_size = 5
; Timeouts
; Values are in seconds; client_idle_timeout = 0 disables the idle-client cutoff.
server_connect_timeout = 15
server_idle_timeout = 600
client_idle_timeout = 0
; Logging
; Connect/disconnect events are logged. Because clients are not authenticated,
; these entries are the main record of who used the pooler.
; NOTE(review): confirm the log file is shipped or retained and is not world-readable.
logfile = /var/log/pgbouncer/pgbouncer.log
log_connections = 1
log_disconnections = 1
log_pooler_errors = 1
; Admin
; admin_users may run every console command; stats_users are limited to read-only
; SHOW commands. Under auth_type = trust any local client can claim this user name.
admin_users = pgbouncer
stats_users = pgbouncer
; Pid file for SIGHUP from Vault Agent
; NOTE(review): presumably Vault Agent re-renders this file on credential rotation
; and signals the pid recorded here. In session mode, server connections opened
; with the previous credentials are only replaced once their client disconnects -
; verify this against the Vault lease TTL and revocation behaviour.
pidfile = /var/run/pgbouncer/pgbouncer.pid
{{- end }}