Merge remote-tracking branch 'origin' into chrisg/add-subscription-schema

Author: encima

Dockerfile-15

@@ -90,10 +90,6 @@ RUN ln -s /nix/var/nix/profiles/default/share/postgresql/* /usr/lib/postgresql/s
 RUN ln -s /nix/var/nix/profiles/default/share/postgresql/* /usr/share/postgresql/
 RUN chown -R postgres:postgres /usr/lib/postgresql/share/postgresql/
 RUN chown -R postgres:postgres /usr/share/postgresql/ 
-# Create symbolic links for contrib directory
-RUN mkdir -p /usr/lib/postgresql/share/postgresql/contrib \
-    && find /nix/var/nix/profiles/default/share/postgresql/contrib/ -mindepth 1 -type d -exec sh -c 'for dir do ln -s "$dir" "/usr/lib/postgresql/share/postgresql/contrib/$(basename "$dir")"; done' sh {} + \
-    && chown -R postgres:postgres /usr/lib/postgresql/share/postgresql/contrib/
 
 RUN chown -R postgres:postgres /usr/lib/postgresql
 

Dockerfile-17

@@ -91,7 +91,7 @@ RUN ln -s /nix/var/nix/profiles/default/share/postgresql/* /usr/lib/postgresql/s
 RUN ln -s /nix/var/nix/profiles/default/share/postgresql/* /usr/share/postgresql/
 RUN chown -R postgres:postgres /usr/lib/postgresql/share/postgresql/
 RUN chown -R postgres:postgres /usr/share/postgresql/ 
-# Create symbolic links for contrib directory
+
 RUN tree /nix > /tmp/tree.txt && cat /tmp/tree.txt && cat /tmp/tree.txt >&2
 
 RUN chown -R postgres:postgres /usr/lib/postgresql

Dockerfile-orioledb-17

@@ -91,7 +91,7 @@ RUN ln -s /nix/var/nix/profiles/default/share/postgresql/* /usr/lib/postgresql/s
 RUN ln -s /nix/var/nix/profiles/default/share/postgresql/* /usr/share/postgresql/
 RUN chown -R postgres:postgres /usr/lib/postgresql/share/postgresql/
 RUN chown -R postgres:postgres /usr/share/postgresql/ 
-# Create symbolic links for contrib directory
+
 RUN tree /nix > /tmp/tree.txt && cat /tmp/tree.txt && cat /tmp/tree.txt >&2
 
 RUN chown -R postgres:postgres /usr/lib/postgresql

ansible/files/envoy_config/lds.supabase.yaml

@@ -259,6 +259,12 @@ resources:
                           cluster: gotrue
                           prefix_rewrite: /
                           timeout: 35s
+                          retry_policy:
+                            retry_on: "connect-failure,refused-stream,gateway-error"
+                            num_retries: 3
+                            retry_back_off:
+                              base_interval: 1s
+                              max_interval: 3s
                       - match:
                           prefix: /rest/v1/
                           query_parameters:

ansible/files/envoy_config/lds.yaml

@@ -285,6 +285,12 @@ resources:
                           cluster: gotrue
                           prefix_rewrite: /
                           timeout: 35s
+                          retry_policy:
+                            retry_on: "connect-failure,refused-stream,gateway-error"
+                            num_retries: 3
+                            retry_back_off:
+                              base_interval: 1s
+                              max_interval: 3s
                       - match:
                           prefix: /rest/v1/
                           query_parameters:

ansible/files/postgresql_config/supautils.conf.j2

@@ -1,6 +1,6 @@
 supautils.extensions_parameter_overrides = '{"pg_cron":{"schema":"pg_catalog"}}'
-supautils.policy_grants = '{"postgres":["auth.audit_log_entries","auth.identities","auth.mfa_factors","auth.refresh_tokens","auth.sessions","auth.users","realtime.messages","storage.buckets","storage.migrations","storage.objects","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
-supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.identities","auth.mfa_factors","auth.refresh_tokens","auth.sessions","auth.users","realtime.messages","storage.buckets","storage.migrations","storage.objects","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
+supautils.policy_grants = '{"postgres":["auth.audit_log_entries","auth.flow_state","auth.identities","auth.instances","auth.mfa_amr_claims","auth.mfa_challenges","auth.mfa_factors","auth.oauth_clients","auth.one_time_tokens","auth.refresh_tokens","auth.saml_providers","auth.saml_relay_states","auth.sessions","auth.sso_domains","auth.sso_providers","auth.users","realtime.messages","realtime.subscription","storage.buckets","storage.buckets_analytics","storage.objects","storage.prefixes","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
+supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.flow_state","auth.identities","auth.instances","auth.mfa_amr_claims","auth.mfa_challenges","auth.mfa_factors","auth.oauth_clients","auth.one_time_tokens","auth.refresh_tokens","auth.saml_providers","auth.saml_relay_states","auth.sessions","auth.sso_domains","auth.sso_providers","auth.users","realtime.messages","realtime.subscription","storage.buckets","storage.buckets_analytics","storage.objects","storage.prefixes","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
 # full list:                                 address_standardizer, address_standardizer_data_us, adminpack, amcheck, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, file_fdw, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intagg, intarray, isn, lo, ltree, moddatetime, old_snapshot, orioledb, pageinspect, pg_buffercache, pg_cron, pg_freespacemap, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_surgery, pg_tle, pg_trgm, pg_visibility, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgmq, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers, xml2
 # omitted because may be unsafe:             adminpack, amcheck, file_fdw, lo, old_snapshot, pageinspect, pg_freespacemap, pg_surgery, pg_visibility
 # omitted because deprecated:                intagg, xml2

ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql

@@ -18,8 +18,8 @@ begin
     physical backups everywhere
 */
 -- Detach and delete the official function
-alter extension pgmq drop function pgmq.drop_queue;
-drop function pgmq.drop_queue;
+alter extension pgmq drop function pgmq.drop_queue(TEXT);
+drop function pgmq.drop_queue(TEXT);
 
 -- Create and reattach the patched function
 CREATE FUNCTION pgmq.drop_queue(queue_name TEXT)
@@ -134,7 +134,7 @@ BEGIN
 END;
 $func$ LANGUAGE plpgsql;
 
-alter extension pgmq add function pgmq.drop_queue;
+alter extension pgmq add function pgmq.drop_queue(TEXT);
 
 
   update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';

ansible/files/supabase_admin_agent_config/supabase-admin-agent_salt.service.j2

@@ -19,6 +19,8 @@ StandardOutput=journal
 StandardError=journal
 StateDirectory=supabase-admin-agent
 CacheDirectory=supabase-admin-agent
+# set tempdir on permanent disk
+Environment="TMPDIR=/var/tmp"
 
 [Install]
 WantedBy=multi-user.target

ansible/tasks/setup-docker.yml

@@ -1,80 +1,87 @@
-- name: Copy extension packages
-  copy:
-    src: files/extensions/
-    dest: /tmp/extensions/
-  when: debpkg_mode
+- name: debpkg_mode actions
+  when:
+    - debpkg_mode
+  block:
+    - name: Copy extension packages
+      ansible.builtin.copy:
+        dest: '/tmp/extensions/'
+        src: 'files/extensions/'
 
-# Builtin apt module does not support wildcard for deb paths
-- name: Install extensions
-  shell: |
-    set -e
-    apt-get update
-    apt-get install -y --no-install-recommends /tmp/extensions/*.deb
-  when: debpkg_mode
+    - name: Install extensions
+      ansible.builtin.apt:
+        deb: "{{ deb_item }}"
+        force_apt_get: true
+        install_recommends: false
+        state: 'present'
+        update_cache: true
+      loop_control:
+        loop_var: 'deb_item'
+      with_fileglob:
+        - '/tmp/extensions/*.deb'
 
-- name: pgsodium - determine postgres bin directory
-  shell: pg_config --bindir
-  register: pg_bindir_output
-  when: debpkg_mode
-  
-- set_fact:
-    pg_bindir: "{{ pg_bindir_output.stdout }}"
-  when: debpkg_mode 
+    - name: pgsodium - determine PostgreSQL bin directory
+      ansible.builtin.command:
+        cmd:  pg_config --bindir
+      changed_when: false
+      register: 'pg_bindir_output'
+      
+    - name: store the PostgreSQL bin dir as a fact
+      ansible.builtin.set_fact:
+        pg_bindir: "{{ pg_bindir_output['stdout'] }}"
 
-- name: pgsodium - set pgsodium.getkey_script
-  become: yes
-  lineinfile:
-    path: /etc/postgresql/postgresql.conf
-    state: present
-    # script is expected to be placed by finalization tasks for different target platforms
-    line: pgsodium.getkey_script= '{{ pg_bindir }}/pgsodium_getkey.sh'
-  when: debpkg_mode
+    - name: pgsodium - set pgsodium.getkey_script
+      ansible.builtin.lineinfile:
+        path: '/etc/postgresql/postgresql.conf'
+        # script is expected to be placed by finalization tasks for different target platforms
+        line: pgsodium.getkey_script= '{{ pg_bindir }}/pgsodium_getkey.sh'
+        state: 'present'
+      become: true
 
-# supautils
-- name: supautils - add supautils to session_preload_libraries
-  become: yes
-  replace:
-    path: /etc/postgresql/postgresql.conf
-    regexp: "#session_preload_libraries = ''"
-    replace: session_preload_libraries = 'supautils'
-  when: debpkg_mode or stage2_nix
+- name: debpkg_mode or stage2_nix actions
+  when:
+    - (debpkg_mode or stage2_nix)
+  block:
+    # supautils
+    - name: supautils - add supautils to session_preload_libraries
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "#session_preload_libraries = ''"
+        replace: "session_preload_libraries = 'supautils'"
+      become: true
 
-- name: supautils - write custom supautils.conf
-  template:
-    src: "files/postgresql_config/supautils.conf.j2"
-    dest: /etc/postgresql-custom/supautils.conf
-    mode: 0664
-    owner: postgres
-    group: postgres
-  when: debpkg_mode or stage2_nix
+    - name: supautils - write custom supautils.conf
+      ansible.builtin.template:
+        dest: '/etc/postgresql-custom/supautils.conf'
+        mode: '0664'
+        group: 'postgres'
+        owner: 'postgres'
+        src: 'files/postgresql_config/supautils.conf.j2'
 
-- name: supautils - copy extension custom scripts
-  copy:
-    src: files/postgresql_extension_custom_scripts/
-    dest: /etc/postgresql-custom/extension-custom-scripts
-  become: yes
-  when: debpkg_mode or stage2_nix
+    - name: supautils - copy extension custom scripts
+      ansible.builtin.copy:
+        dest: '/etc/postgresql-custom/extension-custom-scripts'
+        src: 'files/postgresql_extension_custom_scripts/'
+      become: true
 
-- name: supautils - chown extension custom scripts
-  file:
-    mode: 0775
-    owner: postgres
-    group: postgres
-    path: /etc/postgresql-custom/extension-custom-scripts
-    recurse: yes
-  become: yes
-  when: debpkg_mode or stage2_nix
+    - name: supautils - chown extension custom scripts
+      ansible.builtin.file:
+        group: 'postgres'
+        mode: '0775'
+        owner: 'postgres'
+        path: '/etc/postgresql-custom/extension-custom-scripts'
+        recurse: true
+      become: true
 
-- name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
-  become: yes
-  replace:
-    path: /etc/postgresql/postgresql.conf
-    regexp: "#include = '/etc/postgresql-custom/supautils.conf'"
-    replace: "include = '/etc/postgresql-custom/supautils.conf'"
-  when: debpkg_mode or stage2_nix
+    - name: supautils - include /etc/postgresql-custom/supautils.conf in postgresql.conf
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "#include = '/etc/postgresql-custom/supautils.conf'"
+        replace: "include = '/etc/postgresql-custom/supautils.conf'"
+      become: true
 
 - name: Cleanup - extension packages
-  file:
-    path: /tmp/extensions
-    state: absent
-  when: debpkg_mode
+  ansible.builtin.file:
+    path: '/tmp/extensions'
+    state: 'absent'
+  when:
+    - debpkg_mode

ansible/tasks/setup-envoy.yml

@@ -1,60 +1,61 @@
 - name: Envoy - system user
   ansible.builtin.user:
-    name: envoy
+    name: 'envoy'
+    state: 'present'
 
 - name: Envoy - download binary
   ansible.builtin.get_url:
     checksum: "{{ envoy_release_checksum }}"
-    dest: /opt/envoy
-    group: envoy
-    mode: u+x
-    owner: envoy
+    dest: '/opt/envoy'
+    group: 'envoy'
+    mode: '0700'
+    owner: 'envoy'
     # yamllint disable-line rule:line-length
     url: "https://github.com/envoyproxy/envoy/releases/download/v{{ envoy_release }}/envoy-{{ envoy_release }}-linux-aarch_64"
 
 - name: Envoy - download hot restarter script
   ansible.builtin.get_url:
     checksum: "{{ envoy_hot_restarter_release_checksum }}"
-    dest: /opt/envoy-hot-restarter.py
-    group: envoy
-    mode: u+x
-    owner: envoy
+    dest: '/opt/envoy-hot-restarter.py'
+    group: 'envoy'
+    mode: '0700'
+    owner: 'envoy'
     # yamllint disable-line rule:line-length
-    url: https://raw.githubusercontent.com/envoyproxy/envoy/v{{ envoy_release }}/restarter/hot-restarter.py
+    url: "https://raw.githubusercontent.com/envoyproxy/envoy/v{{ envoy_release }}/restarter/hot-restarter.py"
 
 - name: Envoy - bump up ulimit
   community.general.pam_limits:
-    domain: envoy
-    limit_item: nofile
-    limit_type: soft
-    value: 4096
+    domain: 'envoy'
+    limit_item: 'nofile'
+    limit_type: 'soft'
+    value: '4096'
 
 - name: Envoy - create script to start envoy
   ansible.builtin.copy:
-    dest: /opt/start-envoy.sh
-    group: envoy
-    mode: u+x
-    owner: envoy
-    src: files/start-envoy.sh
+    dest: '/opt/start-envoy.sh'
+    group: 'envoy'
+    mode: '0700'
+    owner: 'envoy'
+    src: 'files/start-envoy.sh'
 
 - name: Envoy - create configuration files
   ansible.builtin.copy:
-    dest: /etc/envoy/
-    directory_mode: u=rwx,g=rwx,o=rx
-    group: envoy
-    mode: u=rw,g=rw,o=r
-    owner: envoy
-    src: files/envoy_config/
+    dest: '/etc/envoy/'
+    directory_mode: '0775'
+    group: 'envoy'
+    mode: '0664'
+    owner: 'envoy'
+    src: 'files/envoy_config/'
 
 - name: Envoy - create service file
   ansible.builtin.copy:
-    dest: /etc/systemd/system/envoy.service
-    mode: u=rw,g=r,o=r
-    src: files/envoy.service
+    dest: '/etc/systemd/system/envoy.service'
+    mode: '0644'
+    src: 'files/envoy.service'
 
 - name: Envoy - disable service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     daemon_reload: true
     enabled: false
-    name: envoy
-    state: stopped
+    name: 'envoy'
+    state: 'stopped'