fixing nix flake check and test.yml for vault/pgsodium work

.github/workflows/test.yml

@@ -76,7 +76,7 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
       - name: verify schema.sql is committed
         run: |
-          nix run github:supabase/postgres/${{ github.sha }}#dbmate-tool -- --version ${{ env.PGMAJOR }}
+          nix run github:supabase/postgres/${{ github.sha }}#dbmate-tool -- --version ${{ env.PGMAJOR }} --flake-url github:supabase/postgres/${{ github.sha }}
           if ! git diff --exit-code --quiet migrations/schema-${{ env.PGMAJOR }}.sql; then
             echo "Detected changes in schema.sql:"
             git diff migrations/schema-${{ env.PGMAJOR }}.sql

.gitignore

@@ -23,4 +23,4 @@ result*
 .idea/
 .vscode/
 
-migrations/db/schema*.sql
+db/schema.sql

ansible/files/postgresql_config/postgresql.conf.j2

@@ -688,7 +688,7 @@ default_text_search_config = 'pg_catalog.english'
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 
-shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter'	# (change requires restart)
+shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter, supabase_vault'	# (change requires restart)
 jit_provider = 'llvmjit'		# JIT library to use
 
 # - Other Defaults -

flake.nix

@@ -571,42 +571,49 @@
             sqlTests = ./nix/tests/smoke;
             pg_prove = pkgs.perlPackages.TAPParserSourceHandlerpgTAP;
             pg_regress = basePackages.pg_regress;
-            getkey-script = pkgs.writeScriptBin "pgsodium-getkey" ''
-              #!${pkgs.bash}/bin/bash
-              set -euo pipefail
-
-              TMPDIR_BASE=$(mktemp -d)
-
-              if [[ "$(uname)" == "Darwin" ]]; then
-                KEY_DIR="/private/tmp/pgsodium"
-              else
-                KEY_DIR="''${PGSODIUM_KEY_DIR:-$TMPDIR_BASE/pgsodium}"
-              fi
-              KEY_FILE="$KEY_DIR/pgsodium.key"
-
-              if ! mkdir -p "$KEY_DIR" 2>/dev/null; then
-                echo "Error: Could not create key directory $KEY_DIR" >&2
-                exit 1
-              fi
-              chmod 1777 "$KEY_DIR"
-
-              if [[ ! -f "$KEY_FILE" ]]; then
-                if ! (dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$KEY_FILE"); then
-                  if ! (openssl rand -hex 32 > "$KEY_FILE"); then
-                    echo "00000000000000000000000000000000" > "$KEY_FILE"
-                    echo "Warning: Using fallback key" >&2
+            getkey-script = pkgs.stdenv.mkDerivation {
+              name = "pgsodium-getkey";
+              buildCommand = ''
+                mkdir -p $out/bin
+                cat > $out/bin/pgsodium-getkey << 'EOF'
+                #!${pkgs.bash}/bin/bash
+                set -euo pipefail
+
+                TMPDIR_BASE=$(mktemp -d)
+
+                if [[ "$(uname)" == "Darwin" ]]; then
+                  KEY_DIR="/private/tmp/pgsodium"
+                else
+                  KEY_DIR="''${PGSODIUM_KEY_DIR:-$TMPDIR_BASE/pgsodium}"
+                fi
+                KEY_FILE="$KEY_DIR/pgsodium.key"
+
+                if ! mkdir -p "$KEY_DIR" 2>/dev/null; then
+                  echo "Error: Could not create key directory $KEY_DIR" >&2
+                  exit 1
+                fi
+                chmod 1777 "$KEY_DIR"
+
+                if [[ ! -f "$KEY_FILE" ]]; then
+                  if ! (dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$KEY_FILE"); then
+                    if ! (openssl rand -hex 32 > "$KEY_FILE"); then
+                      echo "00000000000000000000000000000000" > "$KEY_FILE"
+                      echo "Warning: Using fallback key" >&2
+                    fi
                   fi
+                  chmod 644 "$KEY_FILE"
                 fi
-                chmod 644 "$KEY_FILE"
-              fi
-
-              if [[ -f "$KEY_FILE" && -r "$KEY_FILE" ]]; then
-                cat "$KEY_FILE"
-              else
-                echo "Error: Cannot read key file $KEY_FILE" >&2
-                exit 1
-              fi
-            '';
+
+                if [[ -f "$KEY_FILE" && -r "$KEY_FILE" ]]; then
+                  cat "$KEY_FILE"
+                else
+                  echo "Error: Cannot read key file $KEY_FILE" >&2
+                  exit 1
+                fi
+                EOF
+                chmod +x $out/bin/pgsodium-getkey
+              '';
+            };
 
             # Use the shared setup but with a test-specific name
             start-postgres-server-bin = makePostgresDevSetup {
@@ -675,6 +682,8 @@
               echo "listen_addresses = '*'" >> "$PGTAP_CLUSTER"/postgresql.conf
               echo "port = 5435" >> "$PGTAP_CLUSTER"/postgresql.conf
               echo "host all all 127.0.0.1/32 trust" >> $PGTAP_CLUSTER/pg_hba.conf
+              echo "Checking shared_preload_libraries setting:"
+              grep -rn "shared_preload_libraries" "$PGTAP_CLUSTER"/postgresql.conf
               # Remove timescaledb if running orioledb-17 check
               echo "I AM ${pgpkg.version}===================================================="
               if [[ "${pgpkg.version}" == *"17"* ]]; then

migrations/schema-15.sql

@@ -44,27 +44,6 @@ CREATE SCHEMA graphql_public;
 CREATE SCHEMA pgbouncer;
 
 
---
--- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: -
---
-
-CREATE SCHEMA pgsodium;
-
-
---
--- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: -
---
-
-CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;
-
-
---
--- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: -
---
-
-COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.';
-
-
 --
 -- Name: realtime; Type: SCHEMA; Schema: -; Owner: -
 --
@@ -574,28 +553,6 @@ END
 $$;
 
 
---
--- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
---
-
-CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
-    LANGUAGE plpgsql
-    AS $$
-		BEGIN
-		        new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
-			CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
-			  pgsodium.crypto_aead_det_encrypt(
-				pg_catalog.convert_to(new.secret, 'utf8'),
-				pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
-				new.key_id::uuid,
-				new.nonce
-			  ),
-				'base64') END END;
-		RETURN new;
-		END;
-		$$;
-
-
 SET default_tablespace = '';
 
 SET default_table_access_method = heap;
@@ -782,30 +739,6 @@ CREATE TABLE storage.objects (
 );
 
 
---
--- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
---
-
-CREATE VIEW vault.decrypted_secrets AS
- SELECT secrets.id,
-    secrets.name,
-    secrets.description,
-    secrets.secret,
-        CASE
-            WHEN (secrets.secret IS NULL) THEN NULL::text
-            ELSE
-            CASE
-                WHEN (secrets.key_id IS NULL) THEN NULL::text
-                ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secrets.secret, 'base64'::text), convert_to(((((secrets.id)::text || secrets.description) || (secrets.created_at)::text) || (secrets.updated_at)::text), 'utf8'::name), secrets.key_id, secrets.nonce), 'utf8'::name)
-            END
-        END AS decrypted_secret,
-    secrets.key_id,
-    secrets.nonce,
-    secrets.created_at,
-    secrets.updated_at
-   FROM vault.secrets;
-
-
 --
 -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
 --

migrations/schema-orioledb-17.sql

@@ -45,27 +45,6 @@ CREATE SCHEMA graphql_public;
 CREATE SCHEMA pgbouncer;
 
 
---
--- Name: pgsodium; Type: SCHEMA; Schema: -; Owner: -
---
-
-CREATE SCHEMA pgsodium;
-
-
---
--- Name: pgsodium; Type: EXTENSION; Schema: -; Owner: -
---
-
-CREATE EXTENSION IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;
-
-
---
--- Name: EXTENSION pgsodium; Type: COMMENT; Schema: -; Owner: -
---
-
-COMMENT ON EXTENSION pgsodium IS 'Pgsodium is a modern cryptography library for Postgres.';
-
-
 --
 -- Name: realtime; Type: SCHEMA; Schema: -; Owner: -
 --
@@ -589,28 +568,6 @@ END
 $$;
 
 
---
--- Name: secrets_encrypt_secret_secret(); Type: FUNCTION; Schema: vault; Owner: -
---
-
-CREATE FUNCTION vault.secrets_encrypt_secret_secret() RETURNS trigger
-    LANGUAGE plpgsql
-    AS $$
-		BEGIN
-		        new.secret = CASE WHEN new.secret IS NULL THEN NULL ELSE
-			CASE WHEN new.key_id IS NULL THEN NULL ELSE pg_catalog.encode(
-			  pgsodium.crypto_aead_det_encrypt(
-				pg_catalog.convert_to(new.secret, 'utf8'),
-				pg_catalog.convert_to((new.id::text || new.description::text || new.created_at::text || new.updated_at::text)::text, 'utf8'),
-				new.key_id::uuid,
-				new.nonce
-			  ),
-				'base64') END END;
-		RETURN new;
-		END;
-		$$;
-
-
 SET default_tablespace = '';
 
 SET default_table_access_method = orioledb;
@@ -797,30 +754,6 @@ CREATE TABLE storage.objects (
 );
 
 
---
--- Name: decrypted_secrets; Type: VIEW; Schema: vault; Owner: -
---
-
-CREATE VIEW vault.decrypted_secrets AS
- SELECT id,
-    name,
-    description,
-    secret,
-        CASE
-            WHEN (secret IS NULL) THEN NULL::text
-            ELSE
-            CASE
-                WHEN (key_id IS NULL) THEN NULL::text
-                ELSE convert_from(pgsodium.crypto_aead_det_decrypt(decode(secret, 'base64'::text), convert_to(((((id)::text || description) || (created_at)::text) || (updated_at)::text), 'utf8'::name), key_id, nonce), 'utf8'::name)
-            END
-        END AS decrypted_secret,
-    key_id,
-    nonce,
-    created_at,
-    updated_at
-   FROM vault.secrets;
-
-
 --
 -- Name: refresh_tokens id; Type: DEFAULT; Schema: auth; Owner: -
 --