Which client authentication methods make sense when calling `initdb`?

Postgres offers many client authentication methods : - Trust Authentication - Password Authentication - GSSAPI Authentication - SSPI Authentication - Ident Authentication - Peer Authentication - LDAP Authentication - RADIUS Authentication - Certificate Authentication - PAM Authentication - BSD Authentication The client authentication method flags on initdb : - -A or --auth - --auth-host - --auth-local …specify the default authentication method for users used in pg_hba.conf. I am making a Wizard tool for creating an initdb string, the string to be executed by someone setting up a new Postgres cluster. This led me to contemplate all the possible values for authentication with initdb. ➥ Of the list above, which are practical/sensible for use with initdb? Obviously trust is the simplest way to get started, though usually best to change soon after the cluster is established. Some are not practical. For example, PAM authentication requires that the user must already exist in the database. So PAM cannot be used for setting up a new cluster with initdb. I am not familiar with several of the other authentication methods. And I am no security expect. This leaves me wondering: Which of the client authentication methods could be used practically/sensibly with initdb?