feat: migrating and adjusting build steps to work with sourcing files

from nix

Author: samrose

amazon-arm64.pkr.hcl

@@ -106,7 +106,7 @@ source "amazon-ebssurrogate" "source" {
   profile = "${var.profile}"
   #access_key    = "${var.aws_access_key}"
   #ami_name = "${var.ami_name}-arm64-${formatdate("YYYY-MM-DD-hhmm", timestamp())}"
-  ami_name = "${var.ami_name}-${var.postgres-version}"
+  ami_name = "${var.ami_name}-${var.postgres-version}-stage-1"
   ami_virtualization_type = "hvm"
   ami_architecture = "arm64"
   ami_regions   = "${var.ami_regions}"

ansible/tasks/finalize-ami.yml

@@ -33,7 +33,7 @@
     rule: allow
     port: https
   tags:
-  - install-supabase-internal 
+  - install-supabase-internal           
 
 - name: UFW - Deny all other incoming traffic by default
   ufw:
@@ -71,10 +71,11 @@
         systemctl reenable logrotate.timer
   become: yes
 
-- name: import pgsodium_getkey script
-  template:
-    src: files/pgsodium_getkey_readonly.sh.j2
-    dest: "{{ pg_bindir }}/pgsodium_getkey.sh"
-    owner: postgres
-    group: postgres
-    mode: 0700
+# - name: import pgsodium_getkey script
+#   template:
+#     src: files/pgsodium_getkey_readonly.sh.j2
+#     dest: "{{ pg_bindir }}/pgsodium_getkey.sh"
+#     owner: postgres
+#     group: postgres
+#     mode: 0700
+# TODO bring into 2nd phase

ansible/tasks/setup-gotrue.yml

@@ -39,10 +39,10 @@
 
 # libpq is a C library that enables user programs to communicate with
 # the PostgreSQL database server.
-# - name: gotrue - system dependencies
-#   apt:
-#     pkg:
-#       - libpq-dev
+- name: gotrue - system dependencies
+  apt:
+    pkg:
+      - libpq-dev
 
 - name: gotrue - create service file
   template:

ansible/tasks/setup-postgres.yml

@@ -1,13 +1,3 @@
-# - name: Postgres - copy package
-#   copy:
-#     src: files/postgres/
-#     dest: /tmp/build/
-
-# - name: Postgres - add PPA
-#   apt_repository:
-#     repo: "deb [ trusted=yes ] file:///tmp/build ./"
-#     state: present
-
 # - name: Postgres - install commons
 #   apt:
 #     name: postgresql-common
@@ -16,26 +6,9 @@
 # - name: Do not create main cluster
 #   shell:
 #     cmd: sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf
-
-# - name: Postgres - install server
-#   apt:
-#     name: postgresql-{{ postgresql_major }}={{ postgresql_release }}-1.pgdg20.04+1
-#     install_recommends: no
-
-# - name: Postgres - remove PPA
-#   apt_repository:
-#     repo: "deb [ trusted=yes ] file:///tmp/build ./"
-#     state: absent
-
-# - name: Postgres - cleanup package
-#   file:
-#     path: /tmp/build
-#     state: absent
-
-# - name: Create symlink to /usr/lib/postgresql/bin
-#   shell:
-#     cmd: ln -s /usr/lib/postgresql/{{ postgresql_major }}/bin /usr/lib/postgresql/bin
-#TODO resolve in new build
+#
+# TODO These lines appear to be installing and configuring https://launchpad.net/ubuntu/+source/postgresql-common 
+# as far as I can see, we don't need this now.
 
 - name: create postgres group
   group:
@@ -133,38 +106,3 @@
     mode: 0750
   with_items:
     - "/data/pgdata"
-
-# - name: Link database data_dir to data volume directory
-#   file:
-#     src: "/data/pgdata"
-#     path: "/var/lib/postgresql/data"
-#     state: link
-#     force: yes
-
-# - name: Initialize the database
-#   become: yes
-#   become_user: postgres
-#   shell:
-#     cmd: /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data initdb -o "--allow-group-access"
-#   vars:
-#     ansible_command_timeout: 60
-#     # Circumvents the following error:
-#     # "Timeout (12s) waiting for privilege escalation prompt"
-
-# - name: copy PG systemd unit
-#   template:
-#     src: files/postgresql_config/postgresql.service.j2
-#     dest: /etc/systemd/system/postgresql.service
-
-# - name: copy optimizations systemd unit
-#   template:
-#     src: files/database-optimizations.service.j2
-#     dest: /etc/systemd/system/database-optimizations.service
-
-# # Reload
-# - name: System - systemd reload
-#   systemd:
-#     enabled: yes
-#     name: postgresql
-#     daemon_reload: yes
-# TODO resolve in new build

ansible/tasks/stage2/playbook.yml

@@ -0,0 +1,15 @@
+- hosts: localhost
+  become: yes
+
+
+  tasks:
+    - set_fact:
+        supabase_internal: true
+      tags:
+        - install-supabase-internal
+
+    - set_fact:
+        parallel_jobs: 16
+
+    - name: Install Postgres from nix binary cache
+      import_tasks: stage2-setup-postgres.yml

ansible/tasks/stage2/stage2-setup-postgres.yml

@@ -0,0 +1,154 @@
+- name: Install Postgres from nix binary cache
+  become: yes
+  shell: |
+    sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres#psql_15/bin"
+
+- name: Ensure /usr/lib/postgresql/bin directory exists
+  file:
+    path: /usr/lib/postgresql/bin
+    state: directory
+    owner: postgres
+    group: postgres
+
+
+- name: Ensure /usr/lib/postgresql/share directory exists
+  file:
+    path: /usr/lib/postgresql/share/postgresql
+    state: directory
+    owner: postgres
+    group: postgres
+
+- name: Ensure /usr/lib/postgresql/share/contrib directory exists
+  file:
+    path: /usr/lib/postgresql/share/postgresql/contrib
+    state: directory
+    owner: postgres
+    group: postgres
+
+- name: Ensure /usr/lib/postgresql/share/timezonesets directory exists
+  file:
+    path: /usr/lib/postgresql/share/postgresql/timezonesets
+    state: directory
+    owner: postgres
+    group: postgres
+
+- name: Ensure /usr/lib/postgresql/share/tsearch_data directory exists
+  file:
+    path: /usr/lib/postgresql/share/postgresql/tsearch_data
+    state: directory
+    owner: postgres
+    group: postgres
+
+- name: Ensure /usr/lib/postgresql/share/extension directory exists
+  file:
+    path: /usr/lib/postgresql/share/postgresql/extension
+    state: directory
+    owner: postgres
+    group: postgres
+
+- name: Create symbolic links from /home/postgres/.nix-profile/bin to /usr/lib/postgresql/bin
+  file:
+    src: "{{ item }}"
+    dest: "/usr/lib/postgresql/bin/{{ item | basename }}"
+    state: link
+  with_fileglob:
+    - "/home/postgres/.nix-profile/bin/*"
+  become: yes
+
+
+- name: Create symbolic links from /home/postgres/.nix-profile/share/postgresql to /usr/lib/postgresql/share/postgresql
+  file:
+    src: "{{ item }}"
+    dest: "/usr/lib/postgresql/share/postgresql/{{ item | basename }}"
+    state: link
+  with_fileglob:
+    - "/home/postgres/.nix-profile/share/postgresql/*"
+  become: yes
+
+- name: Create symbolic links from /home/postgres/.nix-profile/share/postgresql/extension to /usr/lib/postgresql/share/postgresql/extension
+  file:
+    src: "{{ item }}"
+    dest: "/usr/lib/postgresql/share/postgresql/extension/{{ item | basename }}"
+    state: link
+  with_fileglob:
+    - "/home/postgres/.nix-profile/share/postgresql/extension/*"
+  become: yes
+
+
+# - name: Create directories recursively
+#   file:
+#     path: "/usr/lib/postgresql/share/postgresql/contrib/{{ item | dirname }}"
+#     state: directory
+#   with_fileglob:
+#     - "/home/postgres/.nix-profile/share/postgresql/contrib/*"
+
+# - name: Create symbolic links for files
+#   file:
+#     src: "{{ item }}"
+#     dest: "/usr/lib/postgresql/share/postgresql/contrib/{{ item | regex_replace('^/home/postgres/.nix-profile/share/postgresql/contrib/', '') }}"
+#     state: link
+#   with_find:
+#     paths: "/home/postgres/.nix-profile/share/postgresql/contrib/"
+#     recurse: yes
+#     patterns: "*"
+#     file_type: any
+
+- name: Create symbolic links from /home/postgres/.nix-profile/share/postgresql/timezonesets to /usr/lib/postgresql/share/postgresql/timeszonesets
+  file:
+    src: "{{ item }}"
+    dest: "/usr/lib/postgresql/share/postgresql/timezonesets/{{ item | basename }}"
+    state: link
+  with_fileglob:
+    - "/home/postgres/.nix-profile/share/postgresql/timezonesets/*"
+  become: yes
+
+- name: Create symbolic links from /home/postgres/.nix-profile/share/postgresql/tsearch_data to /usr/lib/postgresql/share/postgresql/tsearch_data
+  file:
+    src: "{{ item }}"
+    dest: "/usr/lib/postgresql/share/postgresql/tsearch_data/{{ item | basename }}"
+    state: link
+  with_fileglob:
+    - "/home/postgres/.nix-profile/share/postgresql/tsearch_data/*"
+  become: yes
+
+
+# Install extensions before init
+# - name: Install Postgres extensions
+#   import_tasks: tasks/setup-docker.yml
+# TODO resolve in new build
+
+- name: Link database data_dir to data volume directory
+  file:
+    src: "/data/pgdata"
+    path: "/var/lib/postgresql/data"
+    state: link
+    force: yes
+    owner: postgres
+    group: postgres
+
+- name: Initialize the database
+  become: yes
+  become_user: postgres
+  shell:
+    cmd: /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data initdb -o "--allow-group-access"
+  vars:
+    ansible_command_timeout: 60
+#     # Circumvents the following error:
+#     # "Timeout (12s) waiting for privilege escalation prompt"
+
+- name: copy PG systemd unit
+  template:
+    src: files/postgresql_config/postgresql.service.j2
+    dest: /etc/systemd/system/postgresql.service
+
+- name: copy optimizations systemd unit
+  template:
+    src: files/database-optimizations.service.j2
+    dest: /etc/systemd/system/database-optimizations.service
+
+# # # Reload
+- name: System - systemd reload
+  systemd:
+    enabled: yes
+    name: postgresql
+    daemon_reload: yes

flake.nix

@@ -29,6 +29,7 @@
         # it also serves as a base for importing the orioldb/postgres overlay to 
         #build the orioledb postgres patched version of postgresql16
         oriole_pkgs = import nixpkgs {
+          config = { allowUnfree = true; };
           inherit system;
           overlays = [
             # NOTE (aseipp): add any needed overlays here. in theory we could
@@ -44,6 +45,7 @@
         #This variable works the same as 'oriole_pkgs' but builds using the upstream
         #nixpkgs builds of postgresql 15 and 16 + the overlays listed below
         pkgs = import nixpkgs {
+          config = { allowUnfree = true; };
           inherit system;
           overlays = [
             # NOTE (aseipp): add any needed overlays here. in theory we could
@@ -450,7 +452,7 @@
             mkdir -p $out/bin
             substitute ${./nix/tools/run-replica.sh.in} $out/bin/start-postgres-replica \
               --subst-var-by 'PGSQL_SUPERUSER' '${pgsqlSuperuser}' \
-              --subst-var-by 'PSQL15_BINDIR' '${basePackages.psql_15.bin}'\
+              --subst-var-by 'PSQL15_BINDIR' '${basePackages.psql_15.bin}'
             chmod +x $out/bin/start-postgres-replica
           '';
           sync-exts-versions = pkgs.runCommand "sync-exts-versions" { } ''
@@ -545,7 +547,11 @@
             nix-update
             pg_prove
             shellcheck
-
+            ansible
+            ansible-lint
+            (packer.overrideAttrs (oldAttrs: {
+              version = "1.7.8";
+            }))
             basePackages.start-server
             basePackages.start-client
             basePackages.start-replica

scripts/nix-provision.sh

@@ -5,14 +5,39 @@ set -o errexit
 set -o pipefail
 set -o xtrace
 
+function install_packages {
+	# Setup Ansible on host VM
+	sudo apt-get update && sudo apt-get install software-properties-common -y
+	sudo add-apt-repository --yes --update ppa:ansible/ansible && sudo apt-get install ansible -y
+	ansible-galaxy collection install community.general
+
+}
+
+
 
 function install_nix() {
     sudo su -c "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
     --extra-conf \"substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com\" \
     --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root
     . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
-    sudo -u postgres bash -c '. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres#psql_15/bin'
 
 }
 
+
+function execute_stage2_playbook {
+
+sudo tee /etc/ansible/ansible.cfg <<EOF
+[defaults]
+callbacks_enabled = timer, profile_tasks, profile_roles
+EOF
+	# Run Ansible playbook
+	#export ANSIBLE_LOG_PATH=/tmp/ansible.log && export ANSIBLE_DEBUG=True && export ANSIBLE_REMOTE_TEMP=/tmp 
+	export ANSIBLE_LOG_PATH=/tmp/ansible.log && export ANSIBLE_REMOTE_TEMP=/tmp
+	ansible-playbook  /tmp/ansible-playbook/stage2/playbook.yml $ARGS
+}
+
+
+install_packages
 install_nix
+execute_stage2_playbook
+