(WIP) feat: deploy pgbouncer using system manager

Author: yvan-sraka

ansible/playbook.yml

@@ -13,7 +13,7 @@
           dest: "00-schema.sql",
         }
       - { source: "stat_extension.sql", dest: "01-extension.sql" }
-    
+
   environment:
     PATH: /usr/lib/postgresql/bin:{{ ansible_env.PATH }}
 
@@ -29,13 +29,6 @@
     - name: Install Postgres from source
       import_tasks: tasks/setup-postgres.yml
 
-    - name: Install PgBouncer
-      import_tasks: tasks/setup-pgbouncer.yml
-      tags:
-        - install-pgbouncer
-        - install-supabase-internal
-      when: debpkg_mode or nixpkg_mode
-
     - name: Install WAL-G
       import_tasks: tasks/setup-wal-g.yml
       when: debpkg_mode or nixpkg_mode or stage2_nix
@@ -46,7 +39,7 @@
         - install-gotrue
         - install-supabase-internal
       when: debpkg_mode or nixpkg_mode
-  
+
     - name: Install PostgREST
       import_tasks: tasks/setup-postgrest.yml
       tags:
@@ -96,7 +89,7 @@
         src: files/apt_periodic
         dest: /etc/apt/apt.conf.d/10periodic
       when: debpkg_mode or nixpkg_mode
-      
+
     - name: Transfer init SQL files
       copy:
         src: files/{{ item.source }}
@@ -131,13 +124,13 @@
       tags:
         - install-supabase-internal
       when: debpkg_mode or stage2_nix
-      
+
     - name: Finalize AMI
       import_tasks: tasks/finalize-ami.yml
       tags:
         - install-supabase-internal
       when: debpkg_mode or nixpkg_mode
-      
+
     - name: Enhance fail2ban
       import_tasks: tasks/setup-fail2ban.yml
       when: debpkg_mode or nixpkg_mode
@@ -218,7 +211,7 @@
         systemctl stop postgresql.service
       when: stage2_nix
 
-    - name: Remove osquery    
+    - name: Remove osquery
       become: yes
       shell: |
         sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery"

ansible/tasks/setup-pgbouncer.yml

@@ -13,10 +13,6 @@ postgres_release:
   postgres17: "17.6.1.003-nixpkgs-4"
   postgres15: "15.14.1.003-nixpkgs-4"
 
-# Non Postgres Extensions
-pgbouncer_release: "1.19.0"
-pgbouncer_release_checksum: sha256:af0b05e97d0e1fd9ad45fe00ea6d2a934c63075f67f7e2ccef2ca59e3d8ce682
-
 # The checksum can be found under "Assets", in the GitHub release page for each version.
 # The binaries used are: ubuntu-aarch64 and linux-static.
 # https://github.com/PostgREST/postgrest/releases

ansible/vars.yml

@@ -1,9 +1,11 @@
 { self, inputs, ... }:
 let
   mkModules = system: [
+    self.systemModules.pgbouncer
     ({
       services.nginx.enable = true;
       nixpkgs.hostPlatform = system;
+      supabase.services.pgbouncer.enable = true;
     })
   ];
 

nix/systemConfigs.nix

@@ -4,6 +4,8 @@
 {
   imports = [ ./tests ];
   flake = {
-    systemModules = { };
+    systemModules = {
+      pgbouncer = ./pgbouncer.nix;
+    };
   };
 }

nix/systemModules/default.nix

@@ -0,0 +1,6 @@
+{ lib, ... }:
+{
+  options.networking.firewall = lib.mkOption {
+    type = lib.types.attrs;
+  };
+}

nix/systemModules/dummy-firewall.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  nixosModulesPath,
+  system,
+  config,
+  ...
+}:
+let
+  cfg = config.supabase.services.pgbouncer;
+in
+{
+  imports = [
+    # TODO: actually open the ports it needs with ufw
+    ./dummy-firewall.nix
+  ]
+  ++ map (path: nixosModulesPath + path) [
+    "/services/databases/pgbouncer.nix"
+  ];
+
+  options = {
+    supabase.services.pgbouncer = {
+      enable = lib.mkEnableOption "Whether to enable PostgreSQL connection pooler.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.pgbouncer = {
+      enable = true;
+      package =
+        (import (fetchTarball {
+          # pgbouncer v1.19.0
+          url = "https://github.com/NixOS/nixpkgs/archive/db7534df5fb9b7dfd3404ec26d977997ff2cc1a0.tar.gz";
+          sha256 = "sha256:0lrsnz80a3jfjdyjs4njipvmq34w6wjr5ql645z1l1s9f9cyvk0g";
+        }) { system = system; }).pgbouncer;
+    };
+    systemd.services.pgbouncer = {
+      wantedBy = lib.mkForce [
+        "system-manager.target"
+      ];
+    };
+  };
+}

nix/systemModules/pgbouncer.nix

@@ -0,0 +1,25 @@
+# from time import sleep
+
+
+def test_pgbouncer_service(host):
+    # sleep(5000)  # Handy for interactive debugging (with docker exec -it $CONTAINER_ID /bin/bash)
+    assert host.service("pgbouncer.service").is_valid
+    assert host.service("pgbouncer.service").is_running, (
+        "Auth service should be running but failed: {}".format(
+            host.run("systemctl status pgbouncer.service").stdout
+        )
+    )
+
+
+# FIXME: AssertionError: Auth service should be running but failed: × pgbouncer.service - PgBouncer - PostgreSQL connection pooler
+#        Loaded: loaded (/etc/systemd/system/pgbouncer.service; enabled; preset: enabled)
+#        Active: failed (Result: exit-code) since Fri 2025-09-19 12:36:00 UTC; 12s ago
+#       Process: 372 ExecStart=/nix/store/bcj53gxm9i2y4hd21jr7zpi2r1hw8wlq-pgbouncer-1.24.1/bin/pgbouncer /etc/pgbouncer/pgbouncer.ini (code=exited, status=217/USER)
+#      Main PID: 372 (code=exited, status=217/USER)
+#           CPU: 4ms
+#
+#   Sep 19 12:36:00 f803c2922bff systemd[1]: Starting pgbouncer.service - PgBouncer - PostgreSQL connection pooler...
+#   Sep 19 12:36:00 f803c2922bff (gbouncer)[372]: pgbouncer.service: Failed to determine user credentials: No such process
+#   Sep 19 12:36:00 f803c2922bff systemd[1]: pgbouncer.service: Main process exited, code=exited, status=217/USER
+#   Sep 19 12:36:00 f803c2922bff systemd[1]: pgbouncer.service: Failed with result 'exit-code'.
+#   Sep 19 12:36:00 f803c2922bff systemd[1]: Failed to start pgbouncer.service - PgBouncer - PostgreSQL connection pooler.