diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 0991a813a..f31e9d525 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -34,7 +34,7 @@ tags: - install-pgbouncer - install-supabase-internal - when: debpkg_mode or nixpkg_mode + when: debpkg_mode or nixpkg_mode or stage2_nix - name: Install WAL-G import_tasks: tasks/setup-wal-g.yml diff --git a/ansible/tasks/setup-nginx.yml b/ansible/tasks/setup-nginx.yml index 77fb7707a..476663141 100644 --- a/ansible/tasks/setup-nginx.yml +++ b/ansible/tasks/setup-nginx.yml @@ -5,6 +5,7 @@ - name: nginx - system dependencies apt: pkg: + - build-essential - openssl - libpcre3-dev - libssl-dev diff --git a/ansible/tasks/setup-pgbouncer.yml b/ansible/tasks/setup-pgbouncer.yml index 4381ba24d..87b54c6b3 100644 --- a/ansible/tasks/setup-pgbouncer.yml +++ b/ansible/tasks/setup-pgbouncer.yml 
@@ -1,52 +1,10 @@ -# PgBouncer -- name: PgBouncer - download & install dependencies - apt: - pkg: - - build-essential - - libssl-dev - - pkg-config - - libevent-dev - - libsystemd-dev - update_cache: yes - cache_valid_time: 3600 - -- name: PgBouncer - download latest release - get_url: - url: "https://www.pgbouncer.org/downloads/files/{{ pgbouncer_release }}/pgbouncer-{{ pgbouncer_release }}.tar.gz" - dest: /tmp/pgbouncer-{{ pgbouncer_release }}.tar.gz - checksum: "{{ pgbouncer_release_checksum }}" - timeout: 60 - -- name: PgBouncer - unpack archive - unarchive: - remote_src: yes - src: /tmp/pgbouncer-{{ pgbouncer_release }}.tar.gz - dest: /tmp - become: yes - -- name: PgBouncer - configure - shell: - cmd: "./configure --prefix=/usr/local --with-systemd" - chdir: /tmp/pgbouncer-{{ pgbouncer_release }} - become: yes - -- name: PgBouncer - build - make: - chdir: /tmp/pgbouncer-{{ pgbouncer_release }} - become: yes - -- name: PgBouncer - install - make: - chdir: /tmp/pgbouncer-{{ pgbouncer_release }} - target: install - become: yes - - name: Create pgbouncer user user: name: pgbouncer shell: /bin/false comment: PgBouncer user groups: postgres,ssl-cert + when: nixpkg_mode - name: PgBouncer - create a directory if it does not exist file: @@ -55,6 +13,7 @@ owner: pgbouncer group: pgbouncer mode: '0700' + when: nixpkg_mode - name: PgBouncer - create a directory if it does not exist file: @@ -65,6 +24,7 @@ mode: '0775' with_items: - '/etc/pgbouncer-custom' + when: nixpkg_mode - name: create placeholder config files file: @@ -77,6 +37,7 @@ - 'generated-optimizations.ini' - 'custom-overrides.ini' - 'ssl-config.ini' + when: nixpkg_mode - name: PgBouncer - adjust pgbouncer.ini copy: @@ -84,6 +45,7 @@ dest: /etc/pgbouncer/pgbouncer.ini owner: pgbouncer mode: '0700' + when: nixpkg_mode - name: PgBouncer - create a directory if it does not exist file: 
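Review bot: Gating `Create pgbouncer user` on `nixpkg_mode` while the new `install pgbouncer from supabase nix binary cache` task (the `@@ -129,7` hunk) runs `sudo -u pgbouncer` under `stage2_nix` means a run with `stage2_nix` set but `nixpkg_mode` unset — which the playbook.yml change now admits — reaches the install without the account, the `/etc/pgbouncer*` directories, the placeholder config files or the unit file; the same `when: nixpkg_mode` gate recurs on the `@@ -55`, `@@ -65`, `@@ -77`, `@@ -84`, `@@ -91`, `@@ -104` and `@@ -116` hunks. Unless `stage2_nix` is guaranteed to imply `nixpkg_mode` on every image that reaches this role, those tasks should use `when: nixpkg_mode or stage2_nix` (mirroring the playbook condition) or the install task should first assert the user exists. Since this hunk also deletes the only consumer of `pgbouncer_release` / `pgbouncer_release_checksum`, a comment on the user task such as `# The pgbouncer binary is installed from the supabase nix profile below; do not re-add the tarball build` would stop someone restoring the apt/source path.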
@@ -91,12 +53,14 @@ state: touch owner: pgbouncer mode: '0700' - + when: nixpkg_mode + - name: import /etc/tmpfiles.d/pgbouncer.conf template: src: files/pgbouncer_config/tmpfiles.d-pgbouncer.conf.j2 dest: /etc/tmpfiles.d/pgbouncer.conf become: yes + when: nixpkg_mode - name: PgBouncer - By default allow ssl connections. become: yes @@ -104,11 +68,13 @@ dest: /etc/pgbouncer-custom/ssl-config.ini content: | client_tls_sslmode = allow + when: nixpkg_mode - name: Grant pg_hba and pgbouncer grp perm for adminapi updates shell: | chmod g+w /etc/postgresql/pg_hba.conf chmod g+w /etc/pgbouncer-custom/ssl-config.ini + when: nixpkg_mode # Add fail2ban filter - name: import jail.d/pgbouncer.conf @@ -116,12 +82,14 @@ src: files/fail2ban_config/jail-pgbouncer.conf.j2 dest: /etc/fail2ban/jail.d/pgbouncer.conf become: yes + when: nixpkg_mode - name: import filter.d/pgbouncer.conf template: src: files/fail2ban_config/filter-pgbouncer.conf.j2 dest: /etc/fail2ban/filter.d/pgbouncer.conf become: yes + when: nixpkg_mode # Add systemd file for PgBouncer - name: PgBouncer - import postgresql.service @@ -129,7 +97,15 @@ src: files/pgbouncer_config/pgbouncer.service.j2 dest: /etc/systemd/system/pgbouncer.service become: yes + when: nixpkg_mode + +- name: install pgbouncer from supabase nix binary cache + become: yes + shell: | + sudo -u pgbouncer bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile add github:supabase/postgres/{{ git_commit_sha }}#pgbouncer" + when: stage2_nix - name: PgBouncer - reload systemd systemd: daemon_reload: yes + when: stage2_nix diff --git a/ansible/vars.yml b/ansible/vars.yml index 2fc0ff36f..db63f5ded 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml 
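Review bot: The `install pgbouncer from supabase nix binary cache` task in the `@@ -129,7` hunk is a `shell:` that interpolates `{{ git_commit_sha }}` unquoted into a `bash -c "…"` string executed as root via `sudo -u pgbouncer`, and it carries no `creates:`/`changed_when`, so every replay re-runs `nix profile add` and reports changed (and fails if the CLI refuses to add an already-present package). Use `become_user` instead of hand-rolled sudo, pass the flake ref through the `quote` filter, and add `args: creates:` pointing at the profile binary path that testinfra already checks; if the image's Nix predates the `nix profile install` → `nix profile add` rename this task will also fail, so the required Nix version deserves a comment. The `reload systemd` task is now gated on `stage2_nix` while the `pgbouncer.service` template two hunks earlier stays on `nixpkg_mode`, so whichever flag runs alone either installs a unit without a daemon-reload or reloads without a unit; and if that unit template still references the `/usr/local` prefix the removed `./configure --prefix=/usr/local` step produced, it needs updating to the nix profile path.
```yaml
- name: install pgbouncer from supabase nix binary cache
  # Requires a Nix CLI that provides `nix profile add` — TODO pin the version
  become: yes
  become_user: pgbouncer
  shell: >
    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh &&
    nix profile add {{ ("github:supabase/postgres/" ~ git_commit_sha ~ "#pgbouncer") | quote }}
  args:
    creates: /nix/var/nix/profiles/per-user/pgbouncer/profile/bin/pgbouncer
  when: stage2_nix
# … unchanged: reload systemd task …
```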
@@ -15,7 +15,7 @@ postgres_release: postgres15: 15.14.1.013 # Non Postgres Extensions -pgbouncer_release: 1.19.0 +pgbouncer_release: 1.24.1 pgbouncer_release_checksum: sha256:af0b05e97d0e1fd9ad45fe00ea6d2a934c63075f67f7e2ccef2ca59e3d8ce682 # The checksum can be found under "Assets", in the GitHub release page for each version. diff --git a/nix/checks.nix b/nix/checks.nix index 74b50a84f..538e6158b 100644 --- a/nix/checks.nix +++ b/nix/checks.nix @@ -149,7 +149,7 @@ ) filteredSqlTests; sortedTestList = builtins.sort (a: b: a < b) testList; in - pkgs.runCommand "postgres-${pgpkg.version}-check-harness" + pkgs.runCommand "postgres-${pgpkg.version}-ch" { nativeBuildInputs = with pkgs; [ coreutils diff --git a/nix/ext/versions.json b/nix/ext/versions.json index fe34cb814..b9b73126b 100644 --- a/nix/ext/versions.json +++ b/nix/ext/versions.json @@ -6,7 +6,7 @@ ], "hash": "sha256-+N/CXm4arRgvhglanfvO0FNOBUWV5RL8mn/9FpNvcjY=" }, - "1.6.1": { + "1.6": { "postgresql": [ "15", "17" diff --git a/nix/packages/default.nix b/nix/packages/default.nix index f297c8359..8d105f179 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -34,6 +34,7 @@ cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { }; dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; }; docs = pkgs.callPackage ./docs.nix { }; + pgbouncer = pkgs.callPackage ../pgbouncer.nix { }; supabase-groonga = pkgs.callPackage ./groonga { }; http-mock-server = pkgs.callPackage ./http-mock-server.nix { }; local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { }; diff --git a/nix/pgbouncer.nix b/nix/pgbouncer.nix new file mode 100644 index 000000000..af6b31cd4 --- /dev/null +++ b/nix/pgbouncer.nix 
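Review bot: `pgbouncer_release` moves to 1.24.1 but `pgbouncer_release_checksum` on the following context line keeps the `sha256:af0b05e9…` value that belonged to the 1.19.0 tarball, so the variable now advertises an integrity pin for an archive that is neither downloaded nor matches the declared version. Because this commit deletes the `get_url` task that consumed the checksum, either update it to the 1.24.1 release checksum or remove it together with the "The checksum can be found under Assets" comment; the effective integrity pin for the shipped binary is now the `hash` in nix/pgbouncer.nix. testinfra reads `pgbouncer_release` from this file as the expected version, so add above it `# Must match `version` in nix/pgbouncer.nix; testinfra/test_ami_nix.py reads this value`.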
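Review bot: Renaming the versions.json key from `"1.6.1"` to `"1.6"` is the one change here unrelated to PgBouncer, and the `hash` visible above it in the hunk belongs to the preceding entry, so the hunk does not show whether this entry's own source still fetches a 1.6.1 artifact; if the consuming nix expression builds its fetch URL or tag from the key, the key and the fetched version now diverge. A sentence in the commit description, or a comment in the nix file that reads versions.json, explaining why the key is truncated would make the intent checkable.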
@@ -0,0 +1,46 @@ +{ + lib, + stdenv, + fetchurl, + openssl, + libevent, + c-ares, + pkg-config, + systemd, + nixosTests, +}: + +stdenv.mkDerivation rec { + pname = "pgbouncer"; + version = "1.24.1"; + + src = fetchurl { + url = "https://www.pgbouncer.org/downloads/files/${version}/${pname}-${version}.tar.gz"; + hash = "sha256-2nKjq6EwcodtBVo+WN1Kukpd5O1hSOcwMxhSRVmP0+A="; + }; + + nativeBuildInputs = [ pkg-config ]; + buildInputs = [ + libevent + openssl + c-ares + ] ++ lib.optional stdenv.hostPlatform.isLinux systemd; + enableParallelBuilding = true; + configureFlags = lib.optional stdenv.hostPlatform.isLinux "--with-systemd"; + + passthru.tests = { + pgbouncer = nixosTests.pgbouncer; + }; + + meta = with lib; { + homepage = "https://www.pgbouncer.org/"; + mainProgram = "pgbouncer"; + description = "Lightweight connection pooler for PostgreSQL"; + changelog = "https://github.com/pgbouncer/pgbouncer/releases/tag/pgbouncer_${ + replaceStrings [ "." ] [ "_" ] version + }"; + license = licenses.isc; + maintainers = with maintainers; [ _1000101 ]; + platforms = platforms.all; + }; +} diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py index 42442de18..0b864acc1 100644 --- a/testinfra/test_ami_nix.py +++ b/testinfra/test_ami_nix.py @@ -10,6 +10,7 @@ from ec2instanceconnectcli.EC2InstanceConnectKey import EC2InstanceConnectKey from time import sleep import paramiko +from pathlib import Path # if EXECUTION_ID is not set, use a default value that includes the user and hostname RUN_ID = os.environ.get( 
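Review bot: `version = "1.24.1"` duplicates `pgbouncer_release` in ansible/vars.yml with nothing tying the two together, and testinfra consults vars.yml before this file, so the values can drift without any test noticing. Add above `version`: `# Keep in sync with pgbouncer_release in ansible/vars.yml; testinfra/test_ami_nix.py checks the installed binary against that value.` The expression otherwise mirrors the nixpkgs one; `passthru.tests.pgbouncer = nixosTests.pgbouncer` pulls the NixOS VM test into the callPackage surface, which only pays off if `nix flake check` evaluates `passthru.tests` here — if it does not, the `nixosTests` argument can be dropped.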
@@ -144,6 +145,34 @@ anon_key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFhYWFhYWFhYWFhYWFhYWFhYWFhIiwicm9sZSI6ImFub24iLCJpYXQiOjE2OTYyMjQ5NjYsImV4cCI6MjAxMTgwMDk2Nn0.QW95aRPA-4QuLzuvaIeeoFKlJP9J2hvAIpJ3WJ6G5zo" service_role_key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFhYWFhYWFhYWFhYWFhYWFhYWFhIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTY5NjIyNDk2NiwiZXhwIjoyMDExODAwOTY2fQ.Om7yqv15gC3mLGitBmvFRB3M4IsLsX9fXzTQnFM7lu0" supabase_admin_key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFhYWFhYWFhYWFhYWFhYWFhYWFhIiwicm9sZSI6InN1cGFiYXNlX2FkbWluIiwiaWF0IjoxNjk2MjI0OTY2LCJleHAiOjIwMTE4MDA5NjZ9.jrD3j2rBWiIx0vhVZzd1CXFv7qkAP392nBMadvXxk1c" + + +def load_expected_pgbouncer_version() -> str: + repo_root = Path(__file__).resolve().parent.parent + ansible_vars = repo_root / "ansible" / "vars.yml" + if ansible_vars.exists(): + with ansible_vars.open() as f: + for raw_line in f: + line = raw_line.strip() + if line.startswith("pgbouncer_release:"): + return line.split(":", 1)[1].strip().strip('"') + + nix_file = repo_root / "nix" / "pgbouncer.nix" + if nix_file.exists(): + with nix_file.open() as f: + for raw_line in f: + line = raw_line.strip() + if line.startswith("version ="): + value = line.split("=", 1)[1].strip() + return value.strip(";").strip('"') + + raise RuntimeError( + "Could not determine expected PgBouncer version from configuration files" + ) + + +EXPECTED_PGBOUNCER_VERSION = load_expected_pgbouncer_version() +PGBOUNCER_BINARY = "/nix/var/nix/profiles/per-user/pgbouncer/profile/bin/pgbouncer" init_json_content = f""" {{ "jwt_secret": "my_jwt_secret_which_is_not_so_secret", @@ -199,7 +228,7 @@ def get_ssh_connection(instance_ip, ssh_identity_file, max_retries=10): else: raise Exception("SSH test command failed") - except Exception as e: + except Exception: if attempt == max_retries - 1: raise logger.warning(
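Review bot: `load_expected_pgbouncer_version` treats ansible/vars.yml as the primary source and nix/pgbouncer.nix only as a fallback, yet the AMI now installs the binary from the nix derivation (`nix profile add …#pgbouncer`), so if `pgbouncer_release` and the nix `version` ever disagree the test asserts the stale vars.yml number and passes for the wrong reason. Read both files, treat the nix version as authoritative, and fail loudly on a mismatch; the two scanning loops are also duplicates of each other and open the files without an explicit encoding. The sketch below keeps the public name and the `RuntimeError` message so `EXPECTED_PGBOUNCER_VERSION` at import time is unaffected.
```python
def load_expected_pgbouncer_version() -> str:
    """Return the PgBouncer version the AMI is expected to ship.

    nix/pgbouncer.nix is authoritative because that derivation is what gets
    installed; ansible/vars.yml is cross-checked so the two cannot drift.
    Raises RuntimeError if neither file yields a value or they disagree.
    """
    repo_root = Path(__file__).resolve().parent.parent
    nix_version = _first_value(repo_root / "nix" / "pgbouncer.nix", "version =", "=")
    ansible_version = _first_value(repo_root / "ansible" / "vars.yml", "pgbouncer_release:", ":")
    if nix_version and ansible_version and nix_version != ansible_version:
        raise RuntimeError(
            f"PgBouncer version mismatch: nix/pgbouncer.nix={nix_version!r}, "
            f"ansible/vars.yml={ansible_version!r}"
        )
    version = nix_version or ansible_version
    if version is None:
        raise RuntimeError(
            "Could not determine expected PgBouncer version from configuration files"
        )
    return version


def _first_value(path: Path, prefix: str, sep: str) -> str | None:
    """Return the unquoted value of the first line in *path* starting with *prefix*, or None."""
    if not path.exists():
        return None
    with path.open(encoding="utf-8") as f:
        for raw_line in f:
            line = raw_line.strip()
            if line.startswith(prefix):
                value = line.split(sep, 1)[1].strip()
                return value.strip(";").strip('"')
    return None
# … unchanged: EXPECTED_PGBOUNCER_VERSION / PGBOUNCER_BINARY assignments …
```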