supabase
diff --git a/‎ansible/files/envoy_config/lds.supabase.yaml‎
Lines changed: 6 additions & 0 deletions b/‎ansible/files/envoy_config/lds.supabase.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎ansible/files/envoy_config/lds.yaml‎
Lines changed: 6 additions & 0 deletions b/‎ansible/files/envoy_config/lds.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎ansible/files/supabase_admin_agent_config/supabase-admin-agent_salt.service.j2‎
Lines changed: 2 additions & 0 deletions b/‎ansible/files/supabase_admin_agent_config/supabase-admin-agent_salt.service.j2‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎ansible/tasks/setup-docker.yml‎
Lines changed: 77 additions & 70 deletions b/‎ansible/tasks/setup-docker.yml‎
Lines changed: 77 additions & 70 deletions
diff --git a/‎ansible/tasks/setup-envoy.yml‎
Lines changed: 32 additions & 31 deletions b/‎ansible/tasks/setup-envoy.yml‎
Lines changed: 32 additions & 31 deletions
@@ -259,6 +259,12 @@ resources:
                           cluster: gotrue
                           prefix_rewrite: /
                           timeout: 35s
+                          retry_policy:
+                            retry_on: "connect-failure,refused-stream,gateway-error"
+                            num_retries: 3
+                            retry_back_off:
+                              base_interval: 1s
+                              max_interval: 3s
                       - match:
                           prefix: /rest/v1/
                           query_parameters:
 
@@ -285,6 +285,12 @@ resources:
                           cluster: gotrue
                           prefix_rewrite: /
                           timeout: 35s
+                          retry_policy:
+                            retry_on: "connect-failure,refused-stream,gateway-error"
+                            num_retries: 3
+                            retry_back_off:
+                              base_interval: 1s
+                              max_interval: 3s
                       - match:
                           prefix: /rest/v1/
                           query_parameters:
 
@@ -19,6 +19,8 @@ StandardOutput=journal
 StandardError=journal
 StateDirectory=supabase-admin-agent
 CacheDirectory=supabase-admin-agent
+# set tempdir on permanent disk
+Environment="TMPDIR=/var/tmp"
 
 [Install]
 WantedBy=multi-user.target
@@ -1,80 +1,87 @@
-- name: Copy extension packages
-  copy:
-    src: files/extensions/
-    dest: /tmp/extensions/
-  when: debpkg_mode
+- name: debpkg_mode actions
+  when:
+    - debpkg_mode
+  block:
+    - name: Copy extension packages
+      ansible.builtin.copy:
+        dest: '/tmp/extensions/'
+        src: 'files/extensions/'
 
-# Builtin apt module does not support wildcard for deb paths
-- name: Install extensions
-  shell: |
-    set -e
-    apt-get update
-    apt-get install -y --no-install-recommends /tmp/extensions/*.deb
-  when: debpkg_mode
+    - name: Install extensions
+      ansible.builtin.apt:
+        deb: "{{ deb_item }}"
+        force_apt_get: true
+        install_recommends: false
+        state: 'present'
+        update_cache: true
+      loop_control:
+        loop_var: 'deb_item'
+      with_fileglob:
+        - '/tmp/extensions/*.deb'
 
-- name: pgsodium - determine postgres bin directory
-  shell: pg_config --bindir
-  register: pg_bindir_output
-  when: debpkg_mode
-  
-- set_fact:
-    pg_bindir: "{{ pg_bindir_output.stdout }}"
-  when: debpkg_mode 
+    - name: pgsodium - determine PostgreSQL bin directory
+      ansible.builtin.command:
+        cmd:  pg_config --bindir
+      changed_when: false
+      register: 'pg_bindir_output'
+      
+    - name: store the PostgreSQL bin dir as a fact
+      ansible.builtin.set_fact:
+        pg_bindir: "{{ pg_bindir_output['stdout'] }}"
 
-- name: pgsodium - set pgsodium.getkey_script
-  become: yes
-  lineinfile:
-    path: /etc/postgresql/postgresql.conf
-    state: present
-    # script is expected to be placed by finalization tasks for different target platforms
-    line: pgsodium.getkey_script= '{{ pg_bindir }}/pgsodium_getkey.sh'
-  when: debpkg_mode
+    - name: pgsodium - set pgsodium.getkey_script
+      ansible.builtin.lineinfile:
+        path: '/etc/postgresql/postgresql.conf'
+        # script is expected to be placed by finalization tasks for different target platforms
+        line: pgsodium.getkey_script= '{{ pg_bindir }}/pgsodium_getkey.sh'
+        state: 'present'
+      become: true
 
-# supautils
-- name: supautils - add supautils to session_preload_libraries
-  become: yes
-  replace:
-    path: /etc/postgresql/postgresql.conf
-    regexp: "#session_preload_libraries = ''"
-    replace: session_preload_libraries = 'supautils'
-  when: debpkg_mode or stage2_nix
+- name: debpkg_mode or stage2_nix actions
+  when:
+    - (debpkg_mode or stage2_nix)
+  block:
+    # supautils
+    - name: supautils - add supautils to session_preload_libraries
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "#session_preload_libraries = ''"
+        replace: "session_preload_libraries = 'supautils'"
+      become: true
 
-- name: supautils - write custom supautils.conf
-  template:
-    src: "files/postgresql_config/supautils.conf.j2"
-    dest: /etc/postgresql-custom/supautils.conf
-    mode: 0664
-    owner: postgres
-    group: postgres
-  when: debpkg_mode or stage2_nix
+    - name: supautils - write custom supautils.conf
+      ansible.builtin.template:
+        dest: '/etc/postgresql-custom/supautils.conf'
+        mode: '0664'
+        group: 'postgres'
+        owner: 'postgres'
+        src: 'files/postgresql_config/supautils.conf.j2'
 
-- name: supautils - copy extension custom scripts
-  copy:
-    src: files/postgresql_extension_custom_scripts/
-    dest: /etc/postgresql-custom/extension-custom-scripts
-  become: yes
-  when: debpkg_mode or stage2_nix
+    - name: supautils - copy extension custom scripts
+      ansible.builtin.copy:
+        dest: '/etc/postgresql-custom/extension-custom-scripts'
+        src: 'files/postgresql_extension_custom_scripts/'
+      become: true
 
-- name: supautils - chown extension custom scripts
-  file:
-    mode: 0775
-    owner: postgres
-    group: postgres
-    path: /etc/postgresql-custom/extension-custom-scripts
-    recurse: yes
-  become: yes
-  when: debpkg_mode or stage2_nix
+    - name: supautils - chown extension custom scripts
+      ansible.builtin.file:
+        group: 'postgres'
+        mode: '0775'
+        owner: 'postgres'
+        path: '/etc/postgresql-custom/extension-custom-scripts'
+        recurse: true
+      become: true
 
-- name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
-  become: yes
-  replace:
-    path: /etc/postgresql/postgresql.conf
-    regexp: "#include = '/etc/postgresql-custom/supautils.conf'"
-    replace: "include = '/etc/postgresql-custom/supautils.conf'"
-  when: debpkg_mode or stage2_nix
+    - name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "#include = '/etc/postgresql-custom/supautils.conf'"
+        replace: "include = '/etc/postgresql-custom/supautils.conf'"
+      become: true
 
 - name: Cleanup - extension packages
-  file:
-    path: /tmp/extensions
-    state: absent
-  when: debpkg_mode
+  ansible.builtin.file:
+    path: '/tmp/extensions'
+    state: 'absent'
+  when:
+    - debpkg_mode
@@ -1,60 +1,61 @@
 - name: Envoy - system user
   ansible.builtin.user:
-    name: envoy
+    name: 'envoy'
+    state: 'present'
 
 - name: Envoy - download binary
   ansible.builtin.get_url:
     checksum: "{{ envoy_release_checksum }}"
-    dest: /opt/envoy
-    group: envoy
-    mode: u+x
-    owner: envoy
+    dest: '/opt/envoy'
+    group: 'envoy'
+    mode: '0700'
+    owner: 'envoy'
     # yamllint disable-line rule:line-length
     url: "https://github.com/envoyproxy/envoy/releases/download/v{{ envoy_release }}/envoy-{{ envoy_release }}-linux-aarch_64"
 
 - name: Envoy - download hot restarter script
   ansible.builtin.get_url:
     checksum: "{{ envoy_hot_restarter_release_checksum }}"
-    dest: /opt/envoy-hot-restarter.py
-    group: envoy
-    mode: u+x
-    owner: envoy
+    dest: '/opt/envoy-hot-restarter.py'
+    group: 'envoy'
+    mode: '0700'
+    owner: 'envoy'
     # yamllint disable-line rule:line-length
-    url: https://raw.githubusercontent.com/envoyproxy/envoy/v{{ envoy_release }}/restarter/hot-restarter.py
+    url: "https://raw.githubusercontent.com/envoyproxy/envoy/v{{ envoy_release }}/restarter/hot-restarter.py"
 
 - name: Envoy - bump up ulimit
   community.general.pam_limits:
-    domain: envoy
-    limit_item: nofile
-    limit_type: soft
-    value: 4096
+    domain: 'envoy'
+    limit_item: 'nofile'
+    limit_type: 'soft'
+    value: '4096'
 
 - name: Envoy - create script to start envoy
   ansible.builtin.copy:
-    dest: /opt/start-envoy.sh
-    group: envoy
-    mode: u+x
-    owner: envoy
-    src: files/start-envoy.sh
+    dest: '/opt/start-envoy.sh'
+    group: 'envoy'
+    mode: '0700'
+    owner: 'envoy'
+    src: 'files/start-envoy.sh'
 
 - name: Envoy - create configuration files
   ansible.builtin.copy:
-    dest: /etc/envoy/
-    directory_mode: u=rwx,g=rwx,o=rx
-    group: envoy
-    mode: u=rw,g=rw,o=r
-    owner: envoy
-    src: files/envoy_config/
+    dest: '/etc/envoy/'
+    directory_mode: '0775'
+    group: 'envoy'
+    mode: '0664'
+    owner: 'envoy'
+    src: 'files/envoy_config/'
 
 - name: Envoy - create service file
   ansible.builtin.copy:
-    dest: /etc/systemd/system/envoy.service
-    mode: u=rw,g=r,o=r
-    src: files/envoy.service
+    dest: '/etc/systemd/system/envoy.service'
+    mode: '0644'
+    src: 'files/envoy.service'
 
 - name: Envoy - disable service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     daemon_reload: true
     enabled: false
-    name: envoy
-    state: stopped
+    name: 'envoy'
+    state: 'stopped'