diff --git a/Dockerfile-15 b/Dockerfile-15 index f1b0f4558..53297b837 100644 --- a/Dockerfile-15 +++ b/Dockerfile-15 @@ -160,7 +160,7 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf -COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf_15.j2 /etc/postgresql/pg_hba.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf diff --git a/Dockerfile-17 b/Dockerfile-17 index 7db870ad8..6628de29c 100644 --- a/Dockerfile-17 +++ b/Dockerfile-17 @@ -161,6 +161,8 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf 
diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17 index 0df0b9df0..e693a23fa 100644 --- a/Dockerfile-orioledb-17 +++ b/Dockerfile-orioledb-17 @@ -161,6 +161,8 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf diff --git a/ansible/files/postgresql_config/pg_hba.conf.j2 b/ansible/files/postgresql_config/pg_hba.conf.j2 index 9cafd4146..3831612ed 100755 --- a/ansible/files/postgresql_config/pg_hba.conf.j2 +++ b/ansible/files/postgresql_config/pg_hba.conf.j2 
@@ -1,94 +1,42 @@ # PostgreSQL Client Authentication Configuration File # =================================================== # -# Refer to the "Client Authentication" section in the PostgreSQL -# documentation for a complete description of this file. A short -# synopsis follows. -# -# This file controls: which hosts are allowed to connect, how clients -# are authenticated, which PostgreSQL user names they can use, which -# databases they can access. Records take one of these forms: -# -# local DATABASE USER METHOD [OPTIONS] -# host DATABASE USER ADDRESS METHOD [OPTIONS] -# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] -# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] -# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS] -# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS] -# -# (The uppercase items must be replaced by actual values.) -# -# The first field is the connection type: "local" is a Unix-domain -# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, -# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a -# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a -# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a -# non-GSSAPI socket. -# -# DATABASE can be "all", "sameuser", "samerole", "replication", a -# database name, or a comma-separated list thereof. The "all" -# keyword does not match "replication". Access to replication -# must be enabled in a separate record (see example below). -# -# USER can be "all", a user name, a group name prefixed with "+", or a -# comma-separated list thereof. In both the DATABASE and USER fields -# you can also write a file name prefixed with "@" to include names -# from a separate file. -# -# ADDRESS specifies the set of hosts the record matches. It can be a -# host name, or it is made up of an IP address and a CIDR mask that is -# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that -# specifies the number of significant bits in the mask. 
A host name -# that starts with a dot (.) matches a suffix of the actual host name. -# Alternatively, you can write an IP address and netmask in separate -# columns to specify the set of hosts. Instead of a CIDR-address, you -# can write "samehost" to match any of the server's own IP addresses, -# or "samenet" to match any address in any subnet that the server is -# directly connected to. -# -# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", -# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". -# Note that "password" sends passwords in clear text; "md5" or -# "scram-sha-256" are preferred since they send encrypted passwords. -# -# OPTIONS are a set of options for the authentication in the format -# NAME=VALUE. The available options depend on the different -# authentication methods -- refer to the "Client Authentication" -# section in the documentation for a list of which options are -# available for which authentication methods. -# -# Database and user names containing spaces, commas, quotes and other -# special characters must be quoted. Quoting one of the keywords -# "all", "sameuser", "samerole" or "replication" makes the name lose -# its special character, and just match a database or username with -# that name. -# -# This file is read on server startup and when the server receives a -# SIGHUP signal. If you edit the file on a running system, you have to -# SIGHUP the server for the changes to take effect, run "pg_ctl reload", -# or execute "SELECT pg_reload_conf()". -# -# Put your actual configuration here -# ---------------------------------- -# -# If you want to allow non-local connections, you need to add more -# "host" records. In that case you will also need to make PostgreSQL -# listen on a non-local interface via the listen_addresses -# configuration parameter, or via the -i or -h command line switches. +# This file uses the include directive to selectively +# enable features. 
When present, the included files will +# take effect and order of precedence determines which auth +# rules are applied. # TYPE DATABASE USER ADDRESS METHOD # trust local connections local all supabase_admin scram-sha-256 local all all peer map=supabase_map + +# route for just-in-time access +include_if_exists pg_hba_pam_local.conf + +# trust localhost connections host all all 127.0.0.1/32 trust host all all ::1/128 trust -# IPv4 external connections +# local network does not use just-in-time host all all 10.0.0.0/8 scram-sha-256 -host all all 172.16.0.0/12 scram-sha-256 +host all all 172.16.0.0/12 scram-sha-256 host all all 192.168.0.0/16 scram-sha-256 -host all all 0.0.0.0/0 scram-sha-256 -# IPv6 external connections -host all all ::0/0 scram-sha-256 +# if ssl is enforced, these files will exist and take precedence +include_if_exists pg_hba_users_public_ssl.conf +include_if_exists pg_hba_pam_public_ssl.conf +include_if_exists pg_hba_public_ssl.conf + +# otherwise, non ssl enforced rules will apply +include_if_exists pg_hba_users_public.conf +include_if_exists pg_hba_pam_public.conf +include_if_exists pg_hba_public.conf + +# replication specific routes +host replication supabase_replication_admin 0.0.0.0/0 scram-sha-256 +host replication supabase_replication_admin ::0/0 scram-sha-256 + +# ultimately fallback to the original if none of the above exist +include_if_exists pg_hba.conf.orig diff --git a/ansible/files/postgresql_config/pg_hba.conf_15.j2 b/ansible/files/postgresql_config/pg_hba.conf_15.j2 new file mode 100644 index 000000000..9fb1a688d --- /dev/null +++ b/ansible/files/postgresql_config/pg_hba.conf_15.j2 
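Review bot: The comment `# if ssl is enforced, these files will exist and take precedence` promises more than first-match ordering delivers: a `hostssl` record only matches TLS connections, so a client that connects without TLS skips the `*_ssl.conf` rules and falls through to the later `include_if_exists pg_hba_public.conf`, whose `host all all 0.0.0.0/0 scram-sha-256` accepts it — enforcement therefore depends on the non-SSL include files being absent whenever the SSL ones are present, which this file cannot guarantee on its own. The `*_ssl.conf` files are not in this commit, so this assumes they carry `hostssl` rules; if so, the comment should state the exclusivity requirement explicitly, or the SSL files should close the gap themselves with `hostnossl all all 0.0.0.0/0 reject` and `hostnossl all all ::0/0 reject`. The closing `include_if_exists pg_hba.conf.orig` is likewise not a fallback "if none of the above exist": PostgreSQL appends it whenever that file is present, and the content it would restore (the removed lines of this hunk) ends with `host all all 0.0.0.0/0 scram-sha-256`, so a leftover backup re-opens the non-TLS public path regardless of which include files were installed. I would reword that comment to `# appended whenever a pg_hba.conf.orig exists next to this file, independent of the includes above` or drop the fallback entirely.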
@@ -0,0 +1,95 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a +# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a +# non-GSSAPI socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. 
A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. 
+ +# TYPE DATABASE USER ADDRESS METHOD + +# trust local connections +local all supabase_admin scram-sha-256 +local all all peer map=supabase_map +host all all 127.0.0.1/32 trust +host all all ::1/128 trust + +# IPv4 external connections +host all all 10.0.0.0/8 scram-sha-256 +host all all 172.16.0.0/12 scram-sha-256 +host all all 192.168.0.0/16 scram-sha-256 +host all all 0.0.0.0/0 scram-sha-256 + +# IPv6 external connections +host all all ::0/0 scram-sha-256 + diff --git a/ansible/files/postgresql_config/pg_hba_public.conf.j2 b/ansible/files/postgresql_config/pg_hba_public.conf.j2 new file mode 100644 index 000000000..80c54d2be --- /dev/null +++ b/ansible/files/postgresql_config/pg_hba_public.conf.j2 @@ -0,0 +1,2 @@ +host all all 0.0.0.0/0 scram-sha-256 +host all all ::0/0 scram-sha-256 diff --git a/ansible/files/postgresql_config/pg_hba_users_public.conf.j2 b/ansible/files/postgresql_config/pg_hba_users_public.conf.j2 new file mode 100644 index 000000000..ccc167984 --- /dev/null +++ b/ansible/files/postgresql_config/pg_hba_users_public.conf.j2 @@ -0,0 +1,11 @@ +host all pgbouncer 0.0.0.0/0 scram-sha-256 +host all supabase_admin 0.0.0.0/0 scram-sha-256 +host all supabase_auth_admin 0.0.0.0/0 scram-sha-256 +host all supabase_storage_admin 0.0.0.0/0 scram-sha-256 +host all supabase_replication_admin 0.0.0.0/0 scram-sha-256 + +host all pgbouncer ::0/0 scram-sha-256 +host all supabase_admin ::0/0 scram-sha-256 +host all supabase_auth_admin ::0/0 scram-sha-256 +host all supabase_storage_admin ::0/0 scram-sha-256 +host all supabase_replication_admin ::0/0 scram-sha-256 diff --git a/ansible/tasks/setup-pgbouncer.yml b/ansible/tasks/setup-pgbouncer.yml index 4381ba24d..4b3f9f1b6 100644 --- a/ansible/tasks/setup-pgbouncer.yml +++ b/ansible/tasks/setup-pgbouncer.yml 
@@ -108,6 +108,8 @@ - name: Grant pg_hba and pgbouncer grp perm for adminapi updates shell: | chmod g+w /etc/postgresql/pg_hba.conf + chmod g+w /etc/postgresql/pg_hba_users_public.conf + chmod g+w /etc/postgresql/pg_hba_public.conf chmod g+w /etc/pgbouncer-custom/ssl-config.ini # Add fail2ban filter diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml index 2fe302488..09245daf8 100644 --- a/ansible/tasks/setup-postgres.yml +++ b/ansible/tasks/setup-postgres.yml @@ -140,12 +140,35 @@ when: debpkg_mode or nixpkg_mode # Add pg_hba.conf -- name: import pg_hba.conf +- name: import pg_hba.conf psql_15 template: - src: files/postgresql_config/pg_hba.conf.j2 + src: files/postgresql_config/pg_hba.conf_15.j2 dest: /etc/postgresql/pg_hba.conf group: postgres - when: debpkg_mode or nixpkg_mode + when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int == 15) + +- name: create pg_hba.conf with includes + when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15) + block: + - name: import pg_hba.conf + template: + src: files/postgresql_config/pg_hba.conf.j2 + dest: /etc/postgresql/pg_hba.conf + group: postgres + + # Add pg_hba_public.conf + - name: import pg_hba_public.conf + template: + src: files/postgresql_config/pg_hba_public.conf.j2 + dest: /etc/postgresql/pg_hba_public.conf + group: postgres + + # Add pg_hba_users_public.conf + - name: import pg_hba_users_public.conf + template: + src: files/postgresql_config/pg_hba_users_public.conf.j2 + dest: /etc/postgresql/pg_hba_users_public.conf + group: postgres # Add pg_ident.conf - name: import pg_ident.conf diff --git a/ansible/vars.yml b/ansible/vars.yml index 011045f8a..23d447c15 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml 
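Review bot: The two added `chmod g+w` lines will fail on PostgreSQL 15 hosts, where the files do not exist: the setup-postgres.yml hunk in this same commit only templates `pg_hba_users_public.conf` and `pg_hba_public.conf` when `postgresql_major | int != 15`, and a non-zero exit from `chmod` makes this `shell` task error out unless the task carries a `when:` guard outside the hunk. Either add the same `when:` condition to this task, or make each line tolerant of the file being absent, e.g. `[ ! -e /etc/postgresql/pg_hba_public.conf ] || chmod g+w /etc/postgresql/pg_hba_public.conf` and the same for `pg_hba_users_public.conf`. Since PostgreSQL reads these files through `include_if_exists`, a group-writable include file carries exactly the trust of pg_hba.conf itself — any member of the group can add authentication rules — so their group ownership (set in the template tasks, not here) deserves the same review as the main file's.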
@@ -9,9 +9,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.5.1.024-orioledb" - postgres17: "17.6.1.003" - postgres15: "15.14.1.003" + postgresorioledb-17: "17.5.1.025-orioledb" + postgres17: "17.6.1.004" + postgres15: "15.14.1.004" # Non Postgres Extensions pgbouncer_release: "1.19.0" diff --git a/nix/checks.nix b/nix/checks.nix index 7e791b253..105cbbc21 100644 --- a/nix/checks.nix +++ b/nix/checks.nix @@ -76,6 +76,7 @@ PGSODIUM_GETKEY = "${getkey-script}/bin/pgsodium-getkey"; PGSQL_DEFAULT_PORT = pgPort; }; + version = majorVersion; }; getVersionArg = diff --git a/nix/packages/default.nix b/nix/packages/default.nix index fca05a10a..1bbaeb508 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -57,6 +57,7 @@ start-server = pkgs-lib.makePostgresDevSetup { inherit pkgs; name = "start-postgres-server"; + version = activeVersion; }; switch-ext-version = pkgs.callPackage ./switch-ext-version.nix { inherit (self'.packages) overlayfs-on-package; diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix index 971909162..03d42dfcd 100644 --- a/nix/packages/lib.nix +++ b/nix/packages/lib.nix @@ -6,6 +6,7 @@ supabase-groonga, system, pgroonga, + lib, }: { makePostgresDevSetup = 
@@ -13,58 +14,80 @@ pkgs, name, extraSubstitutions ? { }, + version, }: let - paths = { - migrationsDir = builtins.path { - name = "migrations"; - path = ../../migrations/db; - }; - postgresqlSchemaSql = builtins.path { - name = "postgresql-schema"; - path = ../tools/postgresql_schema.sql; - }; - pgbouncerAuthSchemaSql = builtins.path { - name = "pgbouncer-auth-schema"; - path = ../../ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql; - }; - statExtensionSql = builtins.path { - name = "stat-extension"; - path = ../../ansible/files/stat_extension.sql; - }; - pgconfigFile = builtins.path { - name = "postgresql.conf"; - path = ../../ansible/files/postgresql_config/postgresql.conf.j2; - }; - supautilsConfigFile = builtins.path { - name = "supautils.conf"; - path = ../../ansible/files/postgresql_config/supautils.conf.j2; - }; - loggingConfigFile = builtins.path { - name = "logging.conf"; - path = ../../ansible/files/postgresql_config/postgresql-csvlog.conf; - }; - readReplicaConfigFile = builtins.path { - name = "readreplica.conf"; - path = ../../ansible/files/postgresql_config/custom_read_replica.conf.j2; - }; - pgHbaConfigFile = builtins.path { - name = "pg_hba.conf"; - path = ../../ansible/files/postgresql_config/pg_hba.conf.j2; - }; - pgIdentConfigFile = builtins.path { - name = "pg_ident.conf"; - path = ../../ansible/files/postgresql_config/pg_ident.conf.j2; - }; - postgresqlExtensionCustomScriptsPath = builtins.path { - name = "extension-custom-scripts"; - path = ../../ansible/files/postgresql_extension_custom_scripts; - }; - getkeyScript = builtins.path { - name = "pgsodium_getkey.sh"; - path = ../tests/util/pgsodium_getkey.sh; - }; - }; + paths = + { + migrationsDir = builtins.path { + name = "migrations"; + path = ../../migrations/db; + }; + postgresqlSchemaSql = builtins.path { + name = "postgresql-schema"; + path = ../tools/postgresql_schema.sql; + }; + pgbouncerAuthSchemaSql = builtins.path { + name = "pgbouncer-auth-schema"; + path = 
../../ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql; + }; + statExtensionSql = builtins.path { + name = "stat-extension"; + path = ../../ansible/files/stat_extension.sql; + }; + pgconfigFile = builtins.path { + name = "postgresql.conf"; + path = ../../ansible/files/postgresql_config/postgresql.conf.j2; + }; + supautilsConfigFile = builtins.path { + name = "supautils.conf"; + path = ../../ansible/files/postgresql_config/supautils.conf.j2; + }; + loggingConfigFile = builtins.path { + name = "logging.conf"; + path = ../../ansible/files/postgresql_config/postgresql-csvlog.conf; + }; + readReplicaConfigFile = builtins.path { + name = "readreplica.conf"; + path = ../../ansible/files/postgresql_config/custom_read_replica.conf.j2; + }; + pgIdentConfigFile = builtins.path { + name = "pg_ident.conf"; + path = ../../ansible/files/postgresql_config/pg_ident.conf.j2; + }; + postgresqlExtensionCustomScriptsPath = builtins.path { + name = "extension-custom-scripts"; + path = ../../ansible/files/postgresql_extension_custom_scripts; + }; + getkeyScript = builtins.path { + name = "pgsodium_getkey.sh"; + path = ../tests/util/pgsodium_getkey.sh; + }; + } + // ( + if version == "15" then + { + pgHbaConfigFile = builtins.path { + name = "pg_hba.conf"; + path = ../../ansible/files/postgresql_config/pg_hba.conf_15.j2; + }; + } + else + { + pgHbaConfigFile = builtins.path { + name = "pg_hba.conf"; + path = ../../ansible/files/postgresql_config/pg_hba.conf.j2; + }; + pgHbaUsersPublicConfigFile = builtins.path { + name = "pg_hba_users_public.conf"; + path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2; + }; + pgHbaPublicConfigFile = builtins.path { + name = "pg_hba_public.conf"; + path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2; + }; + } + ); localeArchive = if pkgs.stdenv.isDarwin then 
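Review bot: `version == "15"` is a string comparison, and the callers pass `majorVersion` (nix/checks.nix) and `activeVersion` (nix/packages/default.nix) whose types are not visible in this diff; if either is a number or a full version string such as "15.14", the test is silently false and a PostgreSQL 15 build receives the `include_if_exists`-based pg_hba.conf.j2, a directive PG 15 does not parse (it arrived in PG 16), so that server would refuse to load its pg_hba.conf rather than degrade quietly. Making `version` a required parameter is good; I would also make the dispatch fail closed with `assert builtins.isString version;` ahead of the `let`, and restrict it to the supported majors, e.g. `assert lib.elem version [ "15" <other supported majors> ];` with the project's real list substituted. The `makePostgresDevSetup` body continues past the end of this hunk.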
@@ -107,31 +130,52 @@ ; } '' - mkdir -p $out/bin $out/etc/postgresql-custom $out/etc/postgresql $out/extension-custom-scripts + mkdir -p $out/bin $out/etc/postgresql-custom $out/etc/postgresql $out/extension-custom-scripts - # Copy config files with error handling - cp ${paths.supautilsConfigFile} $out/etc/postgresql-custom/supautils.conf || { echo "Failed to copy supautils.conf"; exit 1; } - cp ${paths.pgconfigFile} $out/etc/postgresql/postgresql.conf || { echo "Failed to copy postgresql.conf"; exit 1; } - cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; } - cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; } - cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; } - cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; } - cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; } + # Copy config files with error handling + cp ${paths.supautilsConfigFile} $out/etc/postgresql-custom/supautils.conf || { echo "Failed to copy supautils.conf"; exit 1; } + cp ${paths.pgconfigFile} $out/etc/postgresql/postgresql.conf || { echo "Failed to copy postgresql.conf"; exit 1; } + cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; } + cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; } + cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; } - echo "Copy operation completed" - chmod 644 $out/etc/postgresql-custom/supautils.conf - chmod 644 $out/etc/postgresql/postgresql.conf - chmod 644 $out/etc/postgresql-custom/logging.conf - chmod 
644 $out/etc/postgresql/pg_hba.conf + # these shouldn't exist on psql_15 + ${lib.optionalString (paths ? pgHbaUsersPublicConfigFile) '' + cp ${paths.pgHbaUsersPublicConfigFile} $out/etc/postgresql/pg_hba_users_public.conf || { echo "Failed to copy pg_hba_users_public.conf"; exit 1; } + ''} + ${ + lib.optionalString (paths ? pgHbaPublicConfigFile) '' + cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; } + '' + } + cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; } + cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; } - substitute ${../tools/run-server.sh.in} $out/bin/start-postgres-server \ - ${ - builtins.concatStringsSep " " ( - builtins.attrValues ( - builtins.mapAttrs (name: value: "--subst-var-by '${name}' '${value}'") substitutions - ) - ) - } - chmod +x $out/bin/start-postgres-server + echo "Copy operation completed" + chmod 644 $out/etc/postgresql-custom/supautils.conf + chmod 644 $out/etc/postgresql/postgresql.conf + chmod 644 $out/etc/postgresql-custom/logging.conf + chmod 644 $out/etc/postgresql/pg_hba.conf + + ${ + lib.optionalString (paths ? pgHbaUsersPublicConfigFile) '' + chmod 644 $out/etc/postgresql/pg_hba_users_public.conf + '' + } + ${ + lib.optionalString (paths ? pgHbaPublicConfigFile) '' + chmod 644 $out/etc/postgresql/pg_hba_public.conf + '' + } + + substitute ${../tools/run-server.sh.in} $out/bin/start-postgres-server \ + ${ + builtins.concatStringsSep " " ( + builtins.attrValues ( + builtins.mapAttrs (name: value: "--subst-var-by '${name}' '${value}'") substitutions + ) + ) + } + chmod +x $out/bin/start-postgres-server ''; } diff --git a/nix/tools/run-server.sh.in b/nix/tools/run-server.sh.in index 182cbe554..5b719cf1a 100644 --- a/nix/tools/run-server.sh.in +++ b/nix/tools/run-server.sh.in 
@@ -213,7 +213,17 @@ fi
 # Copy configuration files
 echo "NOTE: patching postgresql.conf files"
-cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf"
+if [ "$VERSION" = "15" ]; then
+ cp $(dirname "$PG_HBA_FILE")/pg_hba.conf_15* "$DATDIR/pg_hba.conf"
+else
+ cp "${PG_HBA_FILE}" "$DATDIR/pg_hba.conf"
+ # copy extra hba_*.conf files over
+ extra_hba_files=( ${PG_HBA_FILE%pg_hba.conf}pg_hba*.conf* )
+ for f in "${extra_hba_files[@]}"; do
+ base=$(basename "$f")
+ cp "$f" "$DATDIR/${base%%.conf*}.conf"
+ done
+fi
 cp "$PG_IDENT_FILE" "$DATDIR/pg_ident.conf"
 cp "$READREPL_CONFIG_FILE" "$DATDIR/read-replica.conf"
 mkdir -p "$DATDIR/extension-custom-scripts"
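Review bot: The copy loop in the `else` branch renames every match of `pg_hba*.conf*` to `${base%%.conf*}.conf`, which maps `pg_hba.conf.orig` (the very fallback the new pg_hba.conf.j2 includes) or any `pg_hba.conf.bak` in that directory onto `pg_hba.conf`, and because those names sort after `pg_hba.conf` in the glob, the backup overwrites the file copied by the line just above it. The glob is also unquoted with nullglob off, so when no extra files exist the literal pattern reaches `cp` and the copy fails; and in the PG 15 branch `cp $(dirname "$PG_HBA_FILE")/pg_hba.conf_15*` is unquoted and looks for a `pg_hba.conf_15*` name that nix/packages/lib.nix in this same commit never produces — it copies the 15 template to `$out/etc/postgresql/pg_hba.conf` — so unless `PG_HBA_FILE` (substituted outside this hunk) points somewhere else, that branch has no source to copy. I would strip only a trailing `.j2`, skip the main file itself, check existence before copying, and let the 15 branch copy `"$PG_HBA_FILE"` like the other one, since lib.nix already stages the right per-version file under that name. The enclosing script continues on both sides of the hunk.
```shell
if [ "$VERSION" = "15" ]; then
  cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf"
else
  cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf"
  # copy the pg_hba include files that sit next to pg_hba.conf; only a
  # trailing .j2 is stripped, so pg_hba.conf.orig and friends keep their
  # names instead of overwriting pg_hba.conf in $DATDIR
  hba_dir=$(dirname "$PG_HBA_FILE")
  for f in "$hba_dir"/pg_hba*.conf*; do
    [ -e "$f" ] || continue                 # pattern matched nothing
    [ "$f" != "$PG_HBA_FILE" ] || continue  # main file already copied
    base=$(basename "$f")
    cp "$f" "$DATDIR/${base%.j2}"
  done
fi
# … unchanged: pg_ident / read-replica copies …
```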