fix: maintains security hardening while allowing the infrastructure to manage pause/resume operations properly.

samrose · samrose · commit a916d804d02f · 2025-10-16T11:44:48.000-04:00
diff --git a/ansible/files/postgresql_config/postgresql.service.j2 b/ansible/files/postgresql_config/postgresql.service.j2
@@ -23,8 +23,9 @@ EnvironmentFile=-/etc/environment.d/postgresql.env
 LimitNOFILE=16384
 {% if supabase_internal is defined %}
 ProtectHome=yes
-ReadOnlyPaths=/etc /opt
-InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud -/var/cache/supabase-admin-agent -/opt/saltstack -/etc/salt
+ReadOnlyPaths=/opt
+ReadWritePaths=/etc/wal-g /etc/postgresql-custom /etc/adminapi /etc/postgrest /etc/pgbouncer /etc/ssl/adminapi /etc/nftables
+InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/cache/supabase-admin-agent -/opt/saltstack -/etc/salt
 {% endif %}
 [Install]
 WantedBy=multi-user.target
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.042-orioledb-plpgsql-3"
-  postgres17: "17.6.1.021-plpgsql-3"
-  postgres15: "15.14.1.021-plpgsql-3"
+  postgresorioledb-17: "17.5.1.042-orioledb-plpgsql-4"
+  postgres17: "17.6.1.021-plpgsql-4"
+  postgres15: "15.14.1.021-plpgsql-4"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
