Merge branch 'develop' into feat/reland-vault-wo-pgsodium

Author: soedirgo

Dockerfile-15

@@ -31,7 +31,7 @@ ARG pg_repack_release=1.4.8
 ARG vault_release=0.2.8
 ARG groonga_release=12.0.8
 ARG pgroonga_release=2.4.0
-ARG wrappers_release=0.3.0
+ARG wrappers_release=0.4.5
 ARG hypopg_release=1.3.1
 ARG pgvector_release=0.4.0
 ARG pg_tle_release=1.3.2
@@ -67,6 +67,7 @@ WORKDIR /nixpg
 
 RUN nix profile install .#psql_15/bin 
 
+RUN nix store gc
 
 
 WORKDIR /

Dockerfile-kubernetes

@@ -2,7 +2,7 @@ FROM alpine:3.21
 
 ADD ./output-cloudimg/packer-cloudimg /disk/focal.qcow2
 
-RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf
+RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf virtiofsd
 # dev stuff
 # RUN apk add --no-cache iproute2
 

Dockerfile-orioledb-17

@@ -31,7 +31,7 @@ ARG pg_repack_release=1.4.8
 ARG vault_release=0.2.8
 ARG groonga_release=12.0.8
 ARG pgroonga_release=2.4.0
-ARG wrappers_release=0.3.0
+ARG wrappers_release=0.4.5
 ARG hypopg_release=1.3.1
 ARG pgvector_release=0.4.0
 ARG pg_tle_release=1.3.2
@@ -68,7 +68,7 @@ WORKDIR /nixpg
 
 RUN nix profile install .#psql_orioledb-17/bin 
 
-
+RUN nix store gc
 
 WORKDIR /
 

ansible/files/postgresql_config/supautils.conf.j2

@@ -9,6 +9,6 @@ supautils.privileged_extensions = 'address_standardizer, address_standardizer_da
 supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
-supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
+supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'

ansible/vars.yml

@@ -8,8 +8,8 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.042-orioledb"
-  postgres15: "15.8.1.048"
+  postgresorioledb-17: "17.0.1.048-orioledb"
+  postgres15: "15.8.1.055"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
@@ -22,8 +22,8 @@ postgrest_release: "12.2.3"
 postgrest_arm_release_checksum: sha1:fbfd6613d711ce1afa25c42d5df8f1b017f396f9
 postgrest_x86_release_checksum: sha1:61c513f91a8931be4062587b9d4a18b42acf5c05
 
-gotrue_release: 2.169.0
-gotrue_release_checksum: sha1:1419b94683aac7ddc30355408b8e8b79e61146c4
+gotrue_release: 2.170.0
+gotrue_release_checksum: sha1:a5741163de7d8da490c013cc8566c7210ed9f6fe
 
 aws_cli_release: "2.23.11"
 
@@ -52,7 +52,7 @@ postgres_exporter_release_checksum:
   arm64: sha256:29ba62d538b92d39952afe12ee2e1f4401250d678ff4b354ff2752f4321c87a0
   amd64: sha256:cb89fc5bf4485fb554e0d640d9684fae143a4b2d5fa443009bd29c59f9129e84
 
-adminapi_release: 0.74.0
+adminapi_release: 0.75.0
 adminmgr_release: 0.24.1
 
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"

ebssurrogate/scripts/qemu-bootstrap-nix.sh

@@ -145,4 +145,5 @@ install_nix
 execute_stage2_playbook
 # we do not want to ship an initialized DB as this is performed as needed
 rm -rf /data/pgdata
+clean_system
 cloud-init clean --logs

flake.nix

@@ -38,6 +38,9 @@
             # pull them from the overlays/ directory automatically, but we don't
             # want to have an arbitrary order, since it might matter. being
             # explicit is better.
+            (final: prev: {
+              xmrig = throw "The xmrig package has been explicitly disabled in this flake.";
+            })
             (import rust-overlay)
             (final: prev: {
               cargo-pgrx = final.callPackage ./nix/cargo-pgrx/default.nix {
@@ -565,6 +568,21 @@
               wrapProgram $out/bin/dbmate-tool \
                 --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.overmind pkgs.dbmate pkgs.nix pkgs.jq pkgs.yq ]}
             '';
+          show-commands = pkgs.runCommand "show-commands" {
+            nativeBuildInputs = [ pkgs.makeWrapper ];
+            buildInputs = [ pkgs.nushell ];
+          } ''
+            mkdir -p $out/bin
+            cat > $out/bin/show-commands << 'EOF'
+            #!${pkgs.nushell}/bin/nu
+            let json_output = (nix flake show --json --quiet --all-systems | from json)
+            let apps = ($json_output | get apps.${system})
+            $apps | transpose name info | select name | each { |it| echo $"Run this app with: nix run .#($it.name)" }
+            EOF
+            chmod +x $out/bin/show-commands
+            wrapProgram $out/bin/show-commands \
+              --prefix PATH : ${pkgs.nushell}/bin
+          '';
           update-readme = pkgs.runCommand "update-readme" {
             nativeBuildInputs = [ pkgs.makeWrapper ];
             buildInputs = [ pkgs.nushell ];
@@ -838,8 +856,8 @@
             start-server = mkApp "start-server" "start-postgres-server";
             start-client = mkApp "start-client" "start-postgres-client";
             start-replica = mkApp "start-replica" "start-postgres-replica";
-            migrate-postgres = mkApp "migrate-tool" "migrate-postgres";
-            sync-exts-versions = mkApp "sync-exts-versions" "sync-exts-versions";
+            # migrate-postgres = mkApp "migrate-tool" "migrate-postgres";
+            # sync-exts-versions = mkApp "sync-exts-versions" "sync-exts-versions";
             pg-restore = mkApp "pg-restore" "pg-restore";
             local-infra-bootstrap = mkApp "local-infra-bootstrap" "local-infra-bootstrap";
             dbmate-tool = mkApp "dbmate-tool" "dbmate-tool";

migrations/db/migrations/20250312095419_pgbouncer_ownership.sql

@@ -0,0 +1,5 @@
+-- migrate:up
+alter function pgbouncer.get_auth owner to supabase_admin;
+grant execute on function pgbouncer.get_auth(p_usename text) to postgres;
+
+-- migrate:down

nix/ext/wrappers/default.nix

@@ -4,29 +4,29 @@
 , openssl
 , pkg-config
 , postgresql
-, buildPgrxExtension_0_12_6
+, buildPgrxExtension_0_12_9
 , cargo
 , darwin
 , jq
 , rust-bin
 , git
 }:
 let
-  rustVersion = "1.80.0";
+  rustVersion = "1.81.0";
   cargo = rust-bin.stable.${rustVersion}.default;
 in
-buildPgrxExtension_0_12_6 rec {
+buildPgrxExtension_0_12_9 rec {
   pname = "supabase-wrappers";
-  version = "0.4.4";
+  version = "0.4.5";
   # update the following array when the wrappers version is updated
   # required to ensure that extensions update scripts from previous versions are generated
-  previousVersions = ["0.4.3" "0.4.2" "0.4.1" "0.4.0" "0.3.1" "0.3.0" "0.2.0" "0.1.19" "0.1.18" "0.1.17" "0.1.16" "0.1.15" "0.1.14" "0.1.12" "0.1.11" "0.1.10" "0.1.9" "0.1.8" "0.1.7" "0.1.6" "0.1.5" "0.1.4" "0.1.1" "0.1.0"];
+  previousVersions = ["0.4.4" "0.4.3" "0.4.2" "0.4.1" "0.4.0" "0.3.1" "0.3.0" "0.2.0" "0.1.19" "0.1.18" "0.1.17" "0.1.16" "0.1.15" "0.1.14" "0.1.12" "0.1.11" "0.1.10" "0.1.9" "0.1.8" "0.1.7" "0.1.6" "0.1.5" "0.1.4" "0.1.1" "0.1.0"];
   inherit postgresql;
   src = fetchFromGitHub {
     owner = "supabase";
     repo = "wrappers";
     rev = "v${version}";
-    hash = "sha256-QoGFJpq8PuvMM8SS+VZd7MlNl56uFivRjs1tCtwX+oE=";
+    hash = "sha256-IgDfVFROMCHYLZ/Iqj12MsQjPPCdRoH+3oi3Ki/iaRI=";
   };
 
   nativeBuildInputs = [ pkg-config cargo git ];

nix/tests/expected/security.out

@@ -7,26 +7,27 @@ from pg_catalog.pg_proc p
 where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
         and p.prosecdef = true
 order by 1,2;
- nspname  |            proname             
-----------+--------------------------------
- graphql  | get_schema_version
- graphql  | increment_schema_version
- pgsodium | disable_security_label_trigger
- pgsodium | enable_security_label_trigger
- pgsodium | get_key_by_id
- pgsodium | get_key_by_name
- pgsodium | get_named_keys
- pgsodium | mask_role
- pgsodium | update_mask
- public   | dblink_connect_u
- public   | dblink_connect_u
- public   | pgaudit_ddl_command_end
- public   | pgaudit_sql_drop
- public   | st_estimatedextent
- public   | st_estimatedextent
- public   | st_estimatedextent
- repack   | repack_trigger
- vault    | create_secret
- vault    | update_secret
-(19 rows)
+  nspname  |            proname             
+-----------+--------------------------------
+ graphql   | get_schema_version
+ graphql   | increment_schema_version
+ pgbouncer | get_auth
+ pgsodium  | disable_security_label_trigger
+ pgsodium  | enable_security_label_trigger
+ pgsodium  | get_key_by_id
+ pgsodium  | get_key_by_name
+ pgsodium  | get_named_keys
+ pgsodium  | mask_role
+ pgsodium  | update_mask
+ public    | dblink_connect_u
+ public    | dblink_connect_u
+ public    | pgaudit_ddl_command_end
+ public    | pgaudit_sql_drop
+ public    | st_estimatedextent
+ public    | st_estimatedextent
+ public    | st_estimatedextent
+ repack    | repack_trigger
+ vault     | create_secret
+ vault     | update_secret
+(20 rows)