Sam/pg bouncer upgrade

ansible/playbook.yml

@@ -34,7 +34,7 @@
       tags:
         - install-pgbouncer
         - install-supabase-internal
-      when: debpkg_mode or nixpkg_mode
+      when: debpkg_mode or nixpkg_mode or stage2_nix
 
     - name: Install WAL-G
       import_tasks: tasks/setup-wal-g.yml

ansible/tasks/setup-nginx.yml

@@ -5,6 +5,7 @@
 - name: nginx - system dependencies
   apt:
     pkg:
+      - build-essential
       - openssl
       - libpcre3-dev
       - libssl-dev

ansible/tasks/setup-pgbouncer.yml

@@ -1,52 +1,10 @@
-# PgBouncer
-- name: PgBouncer - download & install dependencies
-  apt:
-    pkg:
-      - build-essential
-      - libssl-dev
-      - pkg-config
-      - libevent-dev
-      - libsystemd-dev
-    update_cache: yes
-    cache_valid_time: 3600
-
-- name: PgBouncer - download latest release
-  get_url:
-    url: "https://www.pgbouncer.org/downloads/files/{{ pgbouncer_release }}/pgbouncer-{{ pgbouncer_release }}.tar.gz"
-    dest: /tmp/pgbouncer-{{ pgbouncer_release }}.tar.gz
-    checksum: "{{ pgbouncer_release_checksum }}"
-    timeout: 60
-
-- name: PgBouncer - unpack archive
-  unarchive:
-    remote_src: yes
-    src: /tmp/pgbouncer-{{ pgbouncer_release }}.tar.gz
-    dest: /tmp
-  become: yes
-
-- name: PgBouncer - configure
-  shell:
-    cmd: "./configure --prefix=/usr/local --with-systemd"
-    chdir: /tmp/pgbouncer-{{ pgbouncer_release }}
-  become: yes
-
-- name: PgBouncer - build
-  make:
-    chdir: /tmp/pgbouncer-{{ pgbouncer_release }}
-  become: yes
-
-- name: PgBouncer - install
-  make:
-    chdir: /tmp/pgbouncer-{{ pgbouncer_release }}
-    target: install
-  become: yes
-
 - name: Create pgbouncer user
   user:
     name: pgbouncer
     shell: /bin/false
     comment: PgBouncer user
     groups: postgres,ssl-cert
+  when: nixpkg_mode
 
 - name: PgBouncer - create a directory if it does not exist
   file:
@@ -55,6 +13,7 @@
     owner: pgbouncer
     group: pgbouncer
     mode: '0700'
+  when: nixpkg_mode
 
 - name: PgBouncer - create a directory if it does not exist
   file:
@@ -65,6 +24,7 @@
     mode: '0775'
   with_items:
     - '/etc/pgbouncer-custom'
+  when: nixpkg_mode
 
 - name: create placeholder config files
   file:
@@ -77,59 +37,75 @@
     - 'generated-optimizations.ini'
     - 'custom-overrides.ini'
     - 'ssl-config.ini'
+  when: nixpkg_mode
 
 - name: PgBouncer - adjust pgbouncer.ini
   copy:
     src: files/pgbouncer_config/pgbouncer.ini.j2
     dest: /etc/pgbouncer/pgbouncer.ini
     owner: pgbouncer
     mode: '0700'
+  when: nixpkg_mode
 
 - name: PgBouncer - create a directory if it does not exist
   file:
     path: /etc/pgbouncer/userlist.txt
     state: touch
     owner: pgbouncer
     mode: '0700'
-
+  when: nixpkg_mode
+
 - name: import /etc/tmpfiles.d/pgbouncer.conf
   template:
     src: files/pgbouncer_config/tmpfiles.d-pgbouncer.conf.j2
     dest: /etc/tmpfiles.d/pgbouncer.conf
   become: yes
+  when: nixpkg_mode
 
 - name: PgBouncer - By default allow ssl connections.
   become: yes
   copy:
     dest: /etc/pgbouncer-custom/ssl-config.ini
     content: |
       client_tls_sslmode = allow
+  when: nixpkg_mode
 
 - name: Grant pg_hba and pgbouncer grp perm for adminapi updates
   shell: |
      chmod g+w /etc/postgresql/pg_hba.conf
      chmod g+w /etc/pgbouncer-custom/ssl-config.ini
+  when: nixpkg_mode
 
 # Add fail2ban filter
 - name: import jail.d/pgbouncer.conf
   template:
     src: files/fail2ban_config/jail-pgbouncer.conf.j2
     dest: /etc/fail2ban/jail.d/pgbouncer.conf
   become: yes
+  when: nixpkg_mode
 
 - name: import filter.d/pgbouncer.conf
   template:
     src: files/fail2ban_config/filter-pgbouncer.conf.j2
     dest: /etc/fail2ban/filter.d/pgbouncer.conf
   become: yes
+  when: nixpkg_mode
 
 # Add systemd file for PgBouncer
 - name: PgBouncer - import postgresql.service
   template:
     src: files/pgbouncer_config/pgbouncer.service.j2
     dest: /etc/systemd/system/pgbouncer.service
   become: yes
+  when: nixpkg_mode
+
+- name: install pgbouncer from supabase nix binary cache
+  become: yes
+  shell: |
+    sudo -u pgbouncer bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile add github:supabase/postgres/{{ git_commit_sha }}#pgbouncer"
+  when: stage2_nix
 
 - name: PgBouncer - reload systemd
   systemd:
     daemon_reload: yes
+  when: stage2_nix

ansible/vars.yml

@@ -15,7 +15,7 @@ postgres_release:
   postgres15: 15.14.1.013
 
 # Non Postgres Extensions
-pgbouncer_release: 1.19.0
+pgbouncer_release: 1.24.1
 pgbouncer_release_checksum: sha256:af0b05e97d0e1fd9ad45fe00ea6d2a934c63075f67f7e2ccef2ca59e3d8ce682
 
 # The checksum can be found under "Assets", in the GitHub release page for each version.

nix/checks.nix

@@ -149,7 +149,7 @@
               ) filteredSqlTests;
               sortedTestList = builtins.sort (a: b: a < b) testList;
             in
-            pkgs.runCommand "postgres-${pgpkg.version}-check-harness"
+            pkgs.runCommand "postgres-${pgpkg.version}-ch"
               {
                 nativeBuildInputs = with pkgs; [
                   coreutils

nix/ext/versions.json

@@ -6,7 +6,7 @@
       ],
       "hash": "sha256-+N/CXm4arRgvhglanfvO0FNOBUWV5RL8mn/9FpNvcjY="
     },
-    "1.6.1": {
+    "1.6": {
       "postgresql": [
         "15",
         "17"

nix/packages/default.nix

@@ -34,6 +34,7 @@
           cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { };
           dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; };
           docs = pkgs.callPackage ./docs.nix { };
+          pgbouncer = pkgs.callPackage ../pgbouncer.nix { };
           supabase-groonga = pkgs.callPackage ./groonga { };
           http-mock-server = pkgs.callPackage ./http-mock-server.nix { };
           local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { };

nix/pgbouncer.nix

@@ -0,0 +1,46 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+  openssl,
+  libevent,
+  c-ares,
+  pkg-config,
+  systemd,
+  nixosTests,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pgbouncer";
+  version = "1.24.1";
+
+  src = fetchurl {
+    url = "https://www.pgbouncer.org/downloads/files/${version}/${pname}-${version}.tar.gz";
+    hash = "sha256-2nKjq6EwcodtBVo+WN1Kukpd5O1hSOcwMxhSRVmP0+A=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    libevent
+    openssl
+    c-ares
+  ] ++ lib.optional stdenv.hostPlatform.isLinux systemd;
+  enableParallelBuilding = true;
+  configureFlags = lib.optional stdenv.hostPlatform.isLinux "--with-systemd";
+
+  passthru.tests = {
+    pgbouncer = nixosTests.pgbouncer;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.pgbouncer.org/";
+    mainProgram = "pgbouncer";
+    description = "Lightweight connection pooler for PostgreSQL";
+    changelog = "https://github.com/pgbouncer/pgbouncer/releases/tag/pgbouncer_${
+      replaceStrings [ "." ] [ "_" ] version
+    }";
+    license = licenses.isc;
+    maintainers = with maintainers; [ _1000101 ];
+    platforms = platforms.all;
+  };
+}

testinfra/test_ami_nix.py

@@ -10,6 +10,7 @@
 from ec2instanceconnectcli.EC2InstanceConnectKey import EC2InstanceConnectKey
 from time import sleep
 import paramiko
+from pathlib import Path
 
 # if EXECUTION_ID is not set, use a default value that includes the user and hostname
 RUN_ID = os.environ.get(
@@ -144,6 +145,34 @@
 anon_key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFhYWFhYWFhYWFhYWFhYWFhYWFhIiwicm9sZSI6ImFub24iLCJpYXQiOjE2OTYyMjQ5NjYsImV4cCI6MjAxMTgwMDk2Nn0.QW95aRPA-4QuLzuvaIeeoFKlJP9J2hvAIpJ3WJ6G5zo"
 service_role_key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFhYWFhYWFhYWFhYWFhYWFhYWFhIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTY5NjIyNDk2NiwiZXhwIjoyMDExODAwOTY2fQ.Om7yqv15gC3mLGitBmvFRB3M4IsLsX9fXzTQnFM7lu0"
 supabase_admin_key = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFhYWFhYWFhYWFhYWFhYWFhYWFhIiwicm9sZSI6InN1cGFiYXNlX2FkbWluIiwiaWF0IjoxNjk2MjI0OTY2LCJleHAiOjIwMTE4MDA5NjZ9.jrD3j2rBWiIx0vhVZzd1CXFv7qkAP392nBMadvXxk1c"
+
+
+def load_expected_pgbouncer_version() -> str:
+    repo_root = Path(__file__).resolve().parent.parent
+    ansible_vars = repo_root / "ansible" / "vars.yml"
+    if ansible_vars.exists():
+        with ansible_vars.open() as f:
+            for raw_line in f:
+                line = raw_line.strip()
+                if line.startswith("pgbouncer_release:"):
+                    return line.split(":", 1)[1].strip().strip('"')
+
+    nix_file = repo_root / "nix" / "pgbouncer.nix"
+    if nix_file.exists():
+        with nix_file.open() as f:
+            for raw_line in f:
+                line = raw_line.strip()
+                if line.startswith("version ="):
+                    value = line.split("=", 1)[1].strip()
+                    return value.strip(";").strip('"')
+
+    raise RuntimeError(
+        "Could not determine expected PgBouncer version from configuration files"
+    )
+
+
+EXPECTED_PGBOUNCER_VERSION = load_expected_pgbouncer_version()
+PGBOUNCER_BINARY = "/nix/var/nix/profiles/per-user/pgbouncer/profile/bin/pgbouncer"
 init_json_content = f"""
 {{
   "jwt_secret": "my_jwt_secret_which_is_not_so_secret",
@@ -199,7 +228,7 @@ def get_ssh_connection(instance_ip, ssh_identity_file, max_retries=10):
             else:
                 raise Exception("SSH test command failed")
 
-        except Exception as e:
+        except Exception:
             if attempt == max_retries - 1:
                 raise
             logger.warning(