From 1d8859132a5ea678f17b8a342152236abdae4d39 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 15 Aug 2025 15:00:07 +0200 Subject: [PATCH 01/10] feat: switch to include directives in pg_hba Using include directives makes changing the pg_hba.conf on the fly more flexible. Enabling / disabling ssl enforcement for example only requires creating or removing a file, leaving the pg_hba.conf untouched. Allowing for more repeatable and stable processes and no need for regex based replace or custom parsers. This will also support the just-in-time access work by allowing jit to be dynamically enabled/disabled --- Dockerfile-15 | 2 + Dockerfile-17 | 2 + Dockerfile-orioledb-17 | 2 + .../files/postgresql_config/pg_hba.conf.j2 | 106 +++++------------- .../postgresql_config/pg_hba_public.conf.j2 | 2 + .../pg_hba_users_public.conf.j2 | 11 ++ ansible/tasks/setup-pgbouncer.yml | 2 + ansible/tasks/setup-postgres.yml | 16 +++ nix/packages/lib.nix | 12 ++ 9 files changed, 76 insertions(+), 79 deletions(-) create mode 100644 ansible/files/postgresql_config/pg_hba_public.conf.j2 create mode 100644 ansible/files/postgresql_config/pg_hba_users_public.conf.j2 diff --git a/Dockerfile-15 b/Dockerfile-15 index f1b0f4558..8097fd771 100644 --- a/Dockerfile-15 +++ b/Dockerfile-15 
@@ -161,6 +161,8 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf diff --git a/Dockerfile-17 b/Dockerfile-17 index 7db870ad8..6628de29c 100644 --- a/Dockerfile-17 +++ b/Dockerfile-17 @@ -161,6 +161,8 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf 
diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17 index 0df0b9df0..e693a23fa 100644 --- a/Dockerfile-orioledb-17 +++ b/Dockerfile-orioledb-17 @@ -161,6 +161,8 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf diff --git a/ansible/files/postgresql_config/pg_hba.conf.j2 b/ansible/files/postgresql_config/pg_hba.conf.j2 index 9cafd4146..3831612ed 100755 --- a/ansible/files/postgresql_config/pg_hba.conf.j2 +++ b/ansible/files/postgresql_config/pg_hba.conf.j2 
@@ -1,94 +1,42 @@
 # PostgreSQL Client Authentication Configuration File
 # ===================================================
 #
-# Refer to the "Client Authentication" section in the PostgreSQL
-# documentation for a complete description of this file. A short
-# synopsis follows.
-#
-# This file controls: which hosts are allowed to connect, how clients
-# are authenticated, which PostgreSQL user names they can use, which
-# databases they can access. Records take one of these forms:
-#
-# local DATABASE USER METHOD [OPTIONS]
-# host DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
-#
-# (The uppercase items must be replaced by actual values.)
-#
-# The first field is the connection type: "local" is a Unix-domain
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
-# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
-# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
-# non-GSSAPI socket.
-#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
-#
-# USER can be "all", a user name, a group name prefixed with "+", or a
-# comma-separated list thereof. In both the DATABASE and USER fields
-# you can also write a file name prefixed with "@" to include names
-# from a separate file.
-#
-# ADDRESS specifies the set of hosts the record matches. It can be a
-# host name, or it is made up of an IP address and a CIDR mask that is
-# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask. A host name
-# that starts with a dot (.) matches a suffix of the actual host name.
-# Alternatively, you can write an IP address and netmask in separate
-# columns to specify the set of hosts. Instead of a CIDR-address, you
-# can write "samehost" to match any of the server's own IP addresses,
-# or "samenet" to match any address in any subnet that the server is
-# directly connected to.
-#
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
-# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
-# Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
-#
-# OPTIONS are a set of options for the authentication in the format
-# NAME=VALUE. The available options depend on the different
-# authentication methods -- refer to the "Client Authentication"
-# section in the documentation for a list of which options are
-# available for which authentication methods.
-#
-# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
-#
-# This file is read on server startup and when the server receives a
-# SIGHUP signal. If you edit the file on a running system, you have to
-# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
-# or execute "SELECT pg_reload_conf()".
-#
-# Put your actual configuration here
-# ----------------------------------
-#
-# If you want to allow non-local connections, you need to add more
-# "host" records. In that case you will also need to make PostgreSQL
-# listen on a non-local interface via the listen_addresses
-# configuration parameter, or via the -i or -h command line switches.
+# This file uses the include directive to selectively
+# enable features. When present, the included files will
+# take effect and order of precedence determines which auth
+# rules are applied.
 # TYPE DATABASE USER ADDRESS METHOD
 # trust local connections
 local all supabase_admin scram-sha-256
 local all all peer map=supabase_map
+
+# route for just-in-time access
+include_if_exists pg_hba_pam_local.conf
+
+# trust localhost connections
 host all all 127.0.0.1/32 trust
 host all all ::1/128 trust
-# IPv4 external connections
+# local network does not use just-in-time
 host all all 10.0.0.0/8 scram-sha-256
-host all all 172.16.0.0/12 scram-sha-256
+host all all 172.16.0.0/12 scram-sha-256
 host all all 192.168.0.0/16 scram-sha-256
-host all all 0.0.0.0/0 scram-sha-256
-# IPv6 external connections
-host all all ::0/0 scram-sha-256
+# if ssl is enforced, these files will exist and take precedence
+include_if_exists pg_hba_users_public_ssl.conf
+include_if_exists pg_hba_pam_public_ssl.conf
+include_if_exists pg_hba_public_ssl.conf
+
+# otherwise, non ssl enforced rules will apply
+include_if_exists pg_hba_users_public.conf
+include_if_exists pg_hba_pam_public.conf
+include_if_exists pg_hba_public.conf
+
+# replication specific routes
+host replication supabase_replication_admin 0.0.0.0/0 scram-sha-256
+host replication supabase_replication_admin ::0/0 scram-sha-256
+
+# ultimately fallback to the original if none of the above exist
+include_if_exists pg_hba.conf.orig
diff --git a/ansible/files/postgresql_config/pg_hba_public.conf.j2 b/ansible/files/postgresql_config/pg_hba_public.conf.j2
new file mode 100644
index 000000000..80c54d2be
--- /dev/null
+++ b/ansible/files/postgresql_config/pg_hba_public.conf.j2
@@ -0,0 +1,2 @@
+host all all 0.0.0.0/0 scram-sha-256
+host all all ::0/0 scram-sha-256
diff --git a/ansible/files/postgresql_config/pg_hba_users_public.conf.j2 b/ansible/files/postgresql_config/pg_hba_users_public.conf.j2
new file mode 100644
index 000000000..ccc167984
--- /dev/null
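Review bot: The comment `# if ssl is enforced, these files will exist and take precedence` describes an ordering, not an enforcement: pg_hba evaluation is first-match per connection, so a `hostssl` record in pg_hba_users_public_ssl.conf or pg_hba_public_ssl.conf is simply skipped for a plain-TCP client, which then falls through to the `host all all 0.0.0.0/0 scram-sha-256` records of pg_hba_public.conf and pg_hba_users_public.conf that stay included below it. Enforcement therefore depends on the `_ssl` files (not part of this patch) ending in a `hostnossl all all 0.0.0.0/0 reject` record, or on the toggle removing the non-SSL files at the same time, and the comment should state that contract, e.g. `# ssl enforcement: the *_ssl files must reject hostnossl clients; a hostssl record alone does not stop a plain client reaching the files below`. The same applies to `include_if_exists pg_hba.conf.orig`: whatever that backup holds becomes live policy, so if it is the previous file with its `host all all 0.0.0.0/0` records, deleting pg_hba_public.conf no longer closes public access while the backup is present — say which component creates and removes it. After a reload, `SELECT * FROM pg_hba_file_rules` shows the merged order and is the cheapest check of each toggle state.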
+++ b/ansible/files/postgresql_config/pg_hba_users_public.conf.j2
@@ -0,0 +1,11 @@
+host all pgbouncer 0.0.0.0/0 scram-sha-256
+host all supabase_admin 0.0.0.0/0 scram-sha-256
+host all supabase_auth_admin 0.0.0.0/0 scram-sha-256
+host all supabase_storage_admin 0.0.0.0/0 scram-sha-256
+host all supabase_replication_admin 0.0.0.0/0 scram-sha-256
+
+host all pgbouncer ::0/0 scram-sha-256
+host all supabase_admin ::0/0 scram-sha-256
+host all supabase_auth_admin ::0/0 scram-sha-256
+host all supabase_storage_admin ::0/0 scram-sha-256
+host all supabase_replication_admin ::0/0 scram-sha-256
diff --git a/ansible/tasks/setup-pgbouncer.yml b/ansible/tasks/setup-pgbouncer.yml
index 4381ba24d..4b3f9f1b6 100644
--- a/ansible/tasks/setup-pgbouncer.yml
+++ b/ansible/tasks/setup-pgbouncer.yml
@@ -108,6 +108,8 @@
 - name: Grant pg_hba and pgbouncer grp perm for adminapi updates
 shell: |
 chmod g+w /etc/postgresql/pg_hba.conf
+ chmod g+w /etc/postgresql/pg_hba_users_public.conf
+ chmod g+w /etc/postgresql/pg_hba_public.conf
 chmod g+w /etc/pgbouncer-custom/ssl-config.ini # Add fail2ban filter
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 2fe302488..83551c368 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -147,6 +147,22 @@
 group: postgres
 when: debpkg_mode or nixpkg_mode
+# Add pg_hba_public.conf
+- name: import pg_hba_public.conf
+ template:
+ src: files/postgresql_config/pg_hba_public.conf.j2
+ dest: /etc/postgresql/pg_hba_public.conf
+ group: postgres
+ when: debpkg_mode or nixpkg_mode
+
+# Add pg_hba_users_public.conf
+- name: import pg_hba_users_public.conf
+ template:
+ src: files/postgresql_config/pg_hba_users_public.conf.j2
+ dest: /etc/postgresql/pg_hba_users_public.conf
+ group: postgres
+ when: debpkg_mode or nixpkg_mode
+
 # Add pg_ident.conf
 - name: import pg_ident.conf
 template:
diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix
index 971909162..cb6914cfa 100644
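Review bot: `chmod g+w` on the two new include files only lets the adminapi group rewrite their contents; the toggles this layout is built on (creating or removing pg_hba_pam_local.conf, the `*_ssl.conf` files and pg_hba.conf.orig next to pg_hba.conf) need write access to /etc/postgresql itself, which this task does not grant, so either the toggling component runs as postgres or root, or the directory mode is widened somewhere outside this patch. Whichever it is should be stated here, because any file in that directory whose name matches an include_if_exists line becomes authentication policy at the next reload, which makes group or world write on the directory a far larger grant than g+w on two files. A comment in the task such as `# toggle files (*_ssl.conf, pg_hba_pam_*.conf, pg_hba.conf.orig) are created by <TOGGLING-COMPONENT-PLACEHOLDER> as postgres; adminapi only edits the two public files` would pin that down.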
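Review bot: Both new `template:` tasks set `group: postgres` but neither `owner:` nor `mode:`, so the owner defaults to the Ansible connection user and the mode to the template module's umask-derived default, which can differ between control hosts; the existing pg_hba.conf task visible in the context lines has the same shape, so this is at least consistent. For authentication policy files an explicit `owner: postgres` and `mode: "0644"` (the value the Nix build fixes with chmod 644) keeps the result deterministic and visible in the playbook, and the later setup-pgbouncer `chmod g+w` then widens it deliberately rather than from an unknown base.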
--- a/nix/packages/lib.nix
+++ b/nix/packages/lib.nix
@@ -52,6 +52,14 @@
 name = "pg_hba.conf";
 path = ../../ansible/files/postgresql_config/pg_hba.conf.j2;
 };
+ pgHbaUsersPublicConfigFile = builtins.path {
+ name = "pg_hba_users_public.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2;
+ };
+ pgHbaPublicConfigFile = builtins.path {
+ name = "pg_hba_public.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2;
+ };
 pgIdentConfigFile = builtins.path {
 name = "pg_ident.conf";
 path = ../../ansible/files/postgresql_config/pg_ident.conf.j2;
@@ -115,6 +123,8 @@
 cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; }
 cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; }
 cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; }
+ cp ${paths.pgHbaUsersPublicConfigFile} $out/etc/postgresql/pg_hba_users_public.conf || { echo "Failed to copy pg_hba_users_public.conf"; exit 1; }
+ cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; }
 cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; }
 cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; }
@@ -123,6 +133,8 @@
 chmod 644 $out/etc/postgresql/postgresql.conf
 chmod 644 $out/etc/postgresql-custom/logging.conf
 chmod 644 $out/etc/postgresql/pg_hba.conf
+ chmod 644 $out/etc/postgresql/pg_hba_users_public.conf
+ chmod 644 $out/etc/postgresql/pg_hba_public.conf
 substitute ${../tools/run-server.sh.in} $out/bin/start-postgres-server \
 ${
From ed4afad1b2f3a7e2f61e3193332699191d5abe99 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans Date: Mon, 18 Aug 2025 11:05:08 +0200 Subject: [PATCH 02/10] chore: postgres 15 doesnt support include directive --- Dockerfile-15 | 4 +- .../files/postgresql_config/pg_hba.conf_15.j2 | 94 +++++++++++++++++++ nix/packages/lib.nix | 58 ++++++++---- 3 files changed, 137 insertions(+), 19 deletions(-) create mode 100644 ansible/files/postgresql_config/pg_hba.conf_15.j2 diff --git a/Dockerfile-15 b/Dockerfile-15 index 8097fd771..53297b837 100644 --- a/Dockerfile-15 +++ b/Dockerfile-15 @@ -160,9 +160,7 @@ COPY --from=walg /tmp/wal-g /usr/local/bin/ # # Initialise configs COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf -COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf -COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf -COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf +COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf_15.j2 /etc/postgresql/pg_hba.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf COPY --chown=postgres:postgres ansible/files/postgresql_config/supautils.conf.j2 /etc/postgresql-custom/supautils.conf diff --git a/ansible/files/postgresql_config/pg_hba.conf_15.j2 b/ansible/files/postgresql_config/pg_hba.conf_15.j2 new file mode 100644 index 000000000..9cc98a54b --- /dev/null +++ b/ansible/files/postgresql_config/pg_hba.conf_15.j2 
@@ -0,0 +1,94 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
+# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
+# non-GSSAPI socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches. It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts. Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted. Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal. If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# trust local connections
+local all supabase_admin scram-sha-256
+local all all peer map=supabase_map
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust
+
+# IPv4 external connections
+host all all 10.0.0.0/8 scram-sha-256
+host all all 172.16.0.0/12 scram-sha-256
+host all all 192.168.0.0/16 scram-sha-256
+host all all 0.0.0.0/0 scram-sha-256
+
+# IPv6 external connections
+host all all ::0/0 scram-sha-256
\ No newline at end of file
diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix
index cb6914cfa..e08191c62 100644
--- a/nix/packages/lib.nix
+++ b/nix/packages/lib.nix
@@ -48,18 +48,33 @@
 name = "readreplica.conf";
 path = ../../ansible/files/postgresql_config/custom_read_replica.conf.j2;
 };
- pgHbaConfigFile = builtins.path {
- name = "pg_hba.conf";
- path = ../../ansible/files/postgresql_config/pg_hba.conf.j2;
- };
- pgHbaUsersPublicConfigFile = builtins.path {
- name = "pg_hba_users_public.conf";
- path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2;
- };
- pgHbaPublicConfigFile = builtins.path {
- name = "pg_hba_public.conf";
- path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2;
- };
+ pgHbaConfigFile =
+ if pkgs == psql_15 then
+ builtins.path {
+ name = "pg_hba.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba.conf_15.j2;
+ }
+ else
+ builtins.path {
+ name = "pg_hba.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba.conf.j2;
+ };
+ pgHbaUsersPublicConfigFile =
+ if pkgs != psql_15 then
+ builtins.path {
+ name = "pg_hba_users_public.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2;
+ }
+ else
+ null;
+ pgHbaPublicConfigFile =
+ if pkgs != psql_15 then
+ builtins.path {
+ name = "pg_hba_public.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2;
+ }
+ else
+ null;
 pgIdentConfigFile = builtins.path {
 name = "pg_ident.conf";
 path = ../../ansible/files/postgresql_config/pg_ident.conf.j2;
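Review bot: This file carries no include_if_exists lines, so the toggles introduced in PATCH 01 (dropping pg_hba_pam_local.conf or the `*_ssl.conf` files into /etc/postgresql, or deleting pg_hba_public.conf) silently do nothing on a 15 image, and nothing in the series tells the component that performs those toggles to fall back to editing this file directly there. A header comment such as `# PostgreSQL 15 has no include directive: toggle files dropped next to this file have no effect; edit this file directly` would make that visible where an operator will look. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.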
@@ -123,8 +138,14 @@
 cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; }
 cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; }
 cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; }
- cp ${paths.pgHbaUsersPublicConfigFile} $out/etc/postgresql/pg_hba_users_public.conf || { echo "Failed to copy pg_hba_users_public.conf"; exit 1; }
- cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; }
+
+ # these shouldn't exist on psql_15
+ if [ -n "${toString paths.pgHbaUsersPublicConfigFile}" ]; then
+ cp ${paths.pgHbaUsersPublicConfigFile} $out/etc/postgresql/pg_hba_users_public.conf || { echo "Failed to copy pg_hba_users_public.conf"; exit 1; }
+ fi
+ if [ -n "${toString paths.pgHbaPublicConfigFile}" ]; then
+ cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; }
+ fi
 cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; }
 cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; }
@@ -133,8 +154,13 @@
 chmod 644 $out/etc/postgresql/postgresql.conf
 chmod 644 $out/etc/postgresql-custom/logging.conf
 chmod 644 $out/etc/postgresql/pg_hba.conf
- chmod 644 $out/etc/postgresql/pg_hba_users_public.conf
- chmod 644 $out/etc/postgresql/pg_hba_public.conf
+
+ if [ -n "${toString paths.pgHbaUsersPublicConfigFile}" ]; then
+ chmod 644 $out/etc/postgresql/pg_hba_users_public.conf
+ fi
+ if [ -n "${toString paths.pgHbaPublicConfigFile}" ]; then
+ chmod 644 $out/etc/postgresql/pg_hba_public.conf
+ fi
 substitute ${../tools/run-server.sh.in} $out/bin/start-postgres-server \
 ${
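Review bot: The `if [ -n "${toString paths.pgHbaUsersPublicConfigFile}" ]` guard runs in the shell at build time, but `${paths.pgHbaUsersPublicConfigFile}` on the `cp` line inside it is a Nix interpolation evaluated when the derivation is instantiated, and interpolating `null` is a Nix evaluation error rather than an empty string — so for the psql_15 case this revision should fail to evaluate before the guard is ever reached; the second `if` in the same hunk has the same shape. The chmod hunk below is not affected because it only reaches the attribute through `toString`. PATCH 03 in this series replaces both guards with `lib.optionalString (paths ? …)`, which is the right construct; consider squashing so every commit in the series builds for 15.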
From 444e001dcdac717f861bfef0c7f28b621d0c6fb7 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 18 Aug 2025 12:28:46 +0200 Subject: [PATCH 03/10] chore: version checks --- nix/packages/lib.nix | 217 ++++++++++++++++++++++--------------------- 1 file changed, 112 insertions(+), 105 deletions(-) diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix index e08191c62..20ed05387 100644 --- a/nix/packages/lib.nix +++ b/nix/packages/lib.nix 
@@ -15,79 +15,80 @@ extraSubstitutions ? { }, }: let - paths = { - migrationsDir = builtins.path { - name = "migrations"; - path = ../../migrations/db; - }; - postgresqlSchemaSql = builtins.path { - name = "postgresql-schema"; - path = ../tools/postgresql_schema.sql; - }; - pgbouncerAuthSchemaSql = builtins.path { - name = "pgbouncer-auth-schema"; - path = ../../ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql; - }; - statExtensionSql = builtins.path { - name = "stat-extension"; - path = ../../ansible/files/stat_extension.sql; - }; - pgconfigFile = builtins.path { - name = "postgresql.conf"; - path = ../../ansible/files/postgresql_config/postgresql.conf.j2; - }; - supautilsConfigFile = builtins.path { - name = "supautils.conf"; - path = ../../ansible/files/postgresql_config/supautils.conf.j2; - }; - loggingConfigFile = builtins.path { - name = "logging.conf"; - path = ../../ansible/files/postgresql_config/postgresql-csvlog.conf; - }; - readReplicaConfigFile = builtins.path { - name = "readreplica.conf"; - path = ../../ansible/files/postgresql_config/custom_read_replica.conf.j2; - }; - pgHbaConfigFile = - if pkgs == psql_15 then - builtins.path { - name = "pg_hba.conf"; - path = ../../ansible/files/postgresql_config/pg_hba.conf_15.j2; - } - else - builtins.path { - name = "pg_hba.conf"; - path = ../../ansible/files/postgresql_config/pg_hba.conf.j2; - }; - pgHbaUsersPublicConfigFile = - if pkgs != psql_15 then - builtins.path { - name = "pg_hba_users_public.conf"; - path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2; + inherit (lib) versions getVersion; + pgVersion = versions.major (getVersion postgresPkg); + + paths = + { + migrationsDir = builtins.path { + name = "migrations"; + path = ../../migrations/db; + }; + postgresqlSchemaSql = builtins.path { + name = "postgresql-schema"; + path = ../tools/postgresql_schema.sql; + }; + pgbouncerAuthSchemaSql = builtins.path { + name = "pgbouncer-auth-schema"; + path = 
../../ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql; + }; + statExtensionSql = builtins.path { + name = "stat-extension"; + path = ../../ansible/files/stat_extension.sql; + }; + pgconfigFile = builtins.path { + name = "postgresql.conf"; + path = ../../ansible/files/postgresql_config/postgresql.conf.j2; + }; + supautilsConfigFile = builtins.path { + name = "supautils.conf"; + path = ../../ansible/files/postgresql_config/supautils.conf.j2; + }; + loggingConfigFile = builtins.path { + name = "logging.conf"; + path = ../../ansible/files/postgresql_config/postgresql-csvlog.conf; + }; + readReplicaConfigFile = builtins.path { + name = "readreplica.conf"; + path = ../../ansible/files/postgresql_config/custom_read_replica.conf.j2; + }; + pgIdentConfigFile = builtins.path { + name = "pg_ident.conf"; + path = ../../ansible/files/postgresql_config/pg_ident.conf.j2; + }; + postgresqlExtensionCustomScriptsPath = builtins.path { + name = "extension-custom-scripts"; + path = ../../ansible/files/postgresql_extension_custom_scripts; + }; + getkeyScript = builtins.path { + name = "pgsodium_getkey.sh"; + path = ../tests/util/pgsodium_getkey.sh; + }; + } + // ( + if pgVersion == "15" then + { + pgHbaConfigFile = builtins.path { + name = "pg_hba.conf"; + path = ../../ansible/files/postgresql_config/pg_hba.conf_15.j2; + }; } else - null; - pgHbaPublicConfigFile = - if pkgs != psql_15 then - builtins.path { - name = "pg_hba_public.conf"; - path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2; + { + pgHbaConfigFile = builtins.path { + name = "pg_hba.conf"; + path = ../../ansible/files/postgresql_config/pg_hba.conf.j2; + }; + pgHbaUsersPublicConfigFile = builtins.path { + name = "pg_hba_users_public.conf"; + path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2; + }; + pgHbaPublicConfigFile = builtins.path { + name = "pg_hba_public.conf"; + path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2; + }; } - else - null; - 
pgIdentConfigFile = builtins.path { - name = "pg_ident.conf"; - path = ../../ansible/files/postgresql_config/pg_ident.conf.j2; - }; - postgresqlExtensionCustomScriptsPath = builtins.path { - name = "extension-custom-scripts"; - path = ../../ansible/files/postgresql_extension_custom_scripts; - }; - getkeyScript = builtins.path { - name = "pgsodium_getkey.sh"; - path = ../tests/util/pgsodium_getkey.sh; - }; - }; + ); localeArchive = if pkgs.stdenv.isDarwin then 
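Review bot: `pgVersion == "15"` gates the include-free configuration on one exact major, while the property that matters is "older than 16" (the include directives arrived in 16); `if lib.versionOlder pgVersion "16" then` states that directly and keeps any other pre-16 major from being handed a pg_hba.conf its server cannot parse. `postgresPkg`, from which pgVersion is derived, is not visible in this hunk — presumably a function argument, and the enclosing `let` continues outside the hunk — so the selection is only as reliable as that argument matching the server actually packaged. A one-line comment above the `//` merge, `# PostgreSQL 16 added include_if_exists; older majors get a flat pg_hba.conf and no toggle files`, records why the attribute set differs per version.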
@@ -130,46 +131,52 @@ ; } '' - mkdir -p $out/bin $out/etc/postgresql-custom $out/etc/postgresql $out/extension-custom-scripts + mkdir -p $out/bin $out/etc/postgresql-custom $out/etc/postgresql $out/extension-custom-scripts - # Copy config files with error handling - cp ${paths.supautilsConfigFile} $out/etc/postgresql-custom/supautils.conf || { echo "Failed to copy supautils.conf"; exit 1; } - cp ${paths.pgconfigFile} $out/etc/postgresql/postgresql.conf || { echo "Failed to copy postgresql.conf"; exit 1; } - cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; } - cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; } - cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; } + # Copy config files with error handling + cp ${paths.supautilsConfigFile} $out/etc/postgresql-custom/supautils.conf || { echo "Failed to copy supautils.conf"; exit 1; } + cp ${paths.pgconfigFile} $out/etc/postgresql/postgresql.conf || { echo "Failed to copy postgresql.conf"; exit 1; } + cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; } + cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; } + cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; } - # these shouldn't exist on psql_15 - if [ -n "${toString paths.pgHbaUsersPublicConfigFile}" ]; then + # these shouldn't exist on psql_15 + ${lib.optionalString (paths ? 
pgHbaUsersPublicConfigFile) '' cp ${paths.pgHbaUsersPublicConfigFile} $out/etc/postgresql/pg_hba_users_public.conf || { echo "Failed to copy pg_hba_users_public.conf"; exit 1; } - fi - if [ -n "${toString paths.pgHbaPublicConfigFile}" ]; then - cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; } - fi - cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; } - cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; } + ''} + ${ + lib.optionalString (paths ? pgHbaPublicConfigFile) '' + cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; } + '' + } + cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; } + cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; } - echo "Copy operation completed" - chmod 644 $out/etc/postgresql-custom/supautils.conf - chmod 644 $out/etc/postgresql/postgresql.conf - chmod 644 $out/etc/postgresql-custom/logging.conf - chmod 644 $out/etc/postgresql/pg_hba.conf + echo "Copy operation completed" + chmod 644 $out/etc/postgresql-custom/supautils.conf + chmod 644 $out/etc/postgresql/postgresql.conf + chmod 644 $out/etc/postgresql-custom/logging.conf + chmod 644 $out/etc/postgresql/pg_hba.conf - if [ -n "${toString paths.pgHbaUsersPublicConfigFile}" ]; then - chmod 644 $out/etc/postgresql/pg_hba_users_public.conf - fi - if [ -n "${toString paths.pgHbaPublicConfigFile}" ]; then - chmod 644 $out/etc/postgresql/pg_hba_public.conf - fi + ${ + lib.optionalString (paths ? pgHbaUsersPublicConfigFile) '' + chmod 644 $out/etc/postgresql/pg_hba_users_public.conf + '' + } + ${ + lib.optionalString (paths ? 
pgHbaPublicConfigFile) '' + chmod 644 $out/etc/postgresql/pg_hba_public.conf + '' + } - substitute ${../tools/run-server.sh.in} $out/bin/start-postgres-server \ - ${ - builtins.concatStringsSep " " ( - builtins.attrValues ( - builtins.mapAttrs (name: value: "--subst-var-by '${name}' '${value}'") substitutions - ) - ) - } - chmod +x $out/bin/start-postgres-server + substitute ${../tools/run-server.sh.in} $out/bin/start-postgres-server \ + ${ + builtins.concatStringsSep " " ( + builtins.attrValues ( + builtins.mapAttrs (name: value: "--subst-var-by '${name}' '${value}'") substitutions + ) + ) + } + chmod +x $out/bin/start-postgres-server ''; } From 9d71b5f4f394807bf21b5a0cd55d169563362719 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 18 Aug 2025 13:24:20 +0200 Subject: [PATCH 04/10] chore: check version by name --- nix/packages/lib.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix index 20ed05387..b511c5302 100644 --- a/nix/packages/lib.nix +++ b/nix/packages/lib.nix @@ -6,6 +6,7 @@ supabase-groonga, system, pgroonga, + lib, }: { makePostgresDevSetup = @@ -15,8 +16,14 @@ extraSubstitutions ? { }, }: let - inherit (lib) versions getVersion; - pgVersion = versions.major (getVersion postgresPkg); + pgVersion = + if name == psql_15 then + "15" + else if name == psql_17 then + "17" + else + "unknown"; + version = builtins.trace "pgpkg.version is: ${pgVersion} from ${name} " pgVersion; paths = { @@ -66,7 +73,7 @@ }; } // ( - if pgVersion == "15" then + if pgVersion == "15" || version == "15" then { pgHbaConfigFile = builtins.path { name = "pg_hba.conf"; From 91080c21e6ff770a6c38d327d5d86d80b4cc3325 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 18 Aug 2025 15:49:53 +0200 Subject: [PATCH 05/10] chore: include lib --- nix/checks.nix | 1 + nix/packages/lib.nix | 12 ++---------- 2 files changed, 3 insertions(+), 10 deletions(-) 
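Review bot: The comment `# these shouldn't exist on psql_15` says what is skipped but not why, which is the piece the next maintainer needs when deciding whether the special case can go: pg_hba.conf only gained `include` directives in PostgreSQL 16, so the split files are meaningless on 15. I would reword it to `# pg_hba include directives need PostgreSQL 16+, so the split hba files are only installed for non-15 builds`. The `paths ? pgHbaUsersPublicConfigFile` guards are a cleaner fit for the attribute set built in the previous hunk than the `-n "${toString …}"` tests they replace, since a missing attribute no longer has to evaluate to a string at all. The `|| { echo …; exit 1; }` fallbacks are unchanged and harmless even if the builder already runs under `set -e`, which I cannot see from here.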
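Review bot: `if name == psql_15 then "15"` can never be true when `name` is the derivation name string (default.nix later in this series passes `name = "start-postgres-server"`), so `pgVersion` always falls through to `"unknown"` and every build gets the include-based pg_hba layout regardless of the server version. The `builtins.trace "pgpkg.version is: ${pgVersion} from ${name} "` line would also print that misleading value (with a trailing space) on every evaluation, and `pgVersion == "15" || version == "15"` in the `@@ -66,7 +73,7 @@` hunk is redundant because `version` is just `pgVersion` passed through the trace. PATCH 05 in this series replaces all of this with an explicit `version` argument, so the fix is already on the way; if this commit is ever kept standalone, the comparison should be against a version string, not a package.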
diff --git a/nix/checks.nix b/nix/checks.nix index 7e791b253..105cbbc21 100644 --- a/nix/checks.nix +++ b/nix/checks.nix @@ -76,6 +76,7 @@ PGSODIUM_GETKEY = "${getkey-script}/bin/pgsodium-getkey"; PGSQL_DEFAULT_PORT = pgPort; }; + version = majorVersion; }; getVersionArg = diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix index b511c5302..03d42dfcd 100644 --- a/nix/packages/lib.nix +++ b/nix/packages/lib.nix @@ -14,17 +14,9 @@ pkgs, name, extraSubstitutions ? { }, + version, }: let - pgVersion = - if name == psql_15 then - "15" - else if name == psql_17 then - "17" - else - "unknown"; - version = builtins.trace "pgpkg.version is: ${pgVersion} from ${name} " pgVersion; - paths = { migrationsDir = builtins.path { @@ -73,7 +65,7 @@ }; } // ( - if pgVersion == "15" || version == "15" then + if version == "15" then { pgHbaConfigFile = builtins.path { name = "pg_hba.conf"; From fe04fca37cde55331698f816ad465792692b32f2 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 18 Aug 2025 17:56:23 +0200 Subject: [PATCH 06/10] chore: set active version --- nix/packages/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/packages/default.nix b/nix/packages/default.nix index fca05a10a..1bbaeb508 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -57,6 +57,7 @@ start-server = pkgs-lib.makePostgresDevSetup { inherit pkgs; name = "start-postgres-server"; + version = activeVersion; }; switch-ext-version = pkgs.callPackage ./switch-ext-version.nix { inherit (self'.packages) overlayfs-on-package; From ce6839961db67983838025edbfa0e275894c87d8 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 19 Aug 2025 09:54:29 +0200 Subject: [PATCH 07/10] chore: fix run-server to be pg_hba version aware --- nix/tools/run-server.sh.in | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/nix/tools/run-server.sh.in b/nix/tools/run-server.sh.in index 182cbe554..5b719cf1a 100644 --- a/nix/tools/run-server.sh.in 
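Review bot: `if version == "15"` now lets the caller-supplied string alone decide whether pg_hba.conf is generated with `include` lines, and nothing ties it to the package actually in `pkgs`; passing `"17"` together with a PostgreSQL 15 package would emit directives that server does not parse, which fails closed (the postmaster refuses to start on an unparsable pg_hba.conf) but only at first boot. The removed code derived the major from the package (`versions.major (getVersion postgresPkg)`), so where the package is reachable I would keep `version` as the selector but assert agreement, e.g. `assert version == lib.versions.major (lib.getVersion <postgres package>);` — which attribute of `pkgs` holds it is not visible in this hunk. A one-line comment on the new required parameter, `# major version string ("15"/"17"); selects the pg_hba layout`, would also help, as `version` is otherwise undocumented.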
+++ b/nix/tools/run-server.sh.in
@@ -213,7 +213,17 @@ fi
 
 # Copy configuration files
 echo "NOTE: patching postgresql.conf files"
-cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf"
+if [ "$VERSION" = "15" ]; then
+ cp $(dirname "$PG_HBA_FILE")/pg_hba.conf_15* "$DATDIR/pg_hba.conf"
+else
+ cp "${PG_HBA_FILE}" "$DATDIR/pg_hba.conf"
+ # copy extra hba_*.conf files over
+ extra_hba_files=( ${PG_HBA_FILE%pg_hba.conf}pg_hba*.conf* )
+ for f in "${extra_hba_files[@]}"; do
+ base=$(basename "$f")
+ cp "$f" "$DATDIR/${base%%.conf*}.conf"
+ done
+fi
 cp "$PG_IDENT_FILE" "$DATDIR/pg_ident.conf"
 cp "$READREPL_CONFIG_FILE" "$DATDIR/read-replica.conf"
 mkdir -p "$DATDIR/extension-custom-scripts"

From 845208fd97d856fd199cc7e56465957f4a83b958 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Thu, 21 Aug 2025 13:02:06 +0200
Subject: [PATCH 08/10] chore: patch ansible playbook for psql_15

---
 ansible/tasks/setup-postgres.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 83551c368..78bc847eb 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -140,12 +140,19 @@
 when: debpkg_mode or nixpkg_mode
 
 # Add pg_hba.conf
+- name: import pg_hba.conf psql_15
+ template:
+ src: files/postgresql_config/pg_hba.conf_15.j2
+ dest: /etc/postgresql/pg_hba.conf
+ group: postgres
+ when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int == 15)
+
 - name: import pg_hba.conf
 template:
 src: files/postgresql_config/pg_hba.conf.j2
 dest: /etc/postgresql/pg_hba.conf
 group: postgres
- when: debpkg_mode or nixpkg_mode
+ when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15)
 
 # Add pg_hba_public.conf
 - name: import pg_hba_public.conf
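Review bot: Both new `cp` paths rely on unquoted globs with neither `nullglob` nor `failglob`, so when nothing matches the literal pattern is handed to `cp`, and unless the script runs under `set -e` (not visible in this hunk) startup carries on with whatever `pg_hba*.conf` files already sit in `$DATDIR`. That is the security-relevant part: if `pg_hba.conf.j2` pulls the split files in with `include_if_exists` — the commit message's create-or-remove-a-file toggle suggests it — a missed copy silently drops those rules instead of failing. The 15 branch also looks inconsistent with the builder hunk earlier in this series, which installs the 15 template as `$out/etc/postgresql/pg_hba.conf`, so `$(dirname "$PG_HBA_FILE")/pg_hba.conf_15*` may match nothing unless `PG_HBA_FILE` is substituted with some other path I cannot see here. Finally, `pg_hba*.conf*` matches `pg_hba.conf` itself and any `pg_hba.conf_15.*` next to it, and `${base%%.conf*}.conf` would rename the latter to `pg_hba.conf`, overwriting the file copied one line earlier; the rewrite below narrows the pattern to `pg_hba_*.conf*`, quotes the expansions, and makes a missing file fatal.
```shell
if [ "$VERSION" = "15" ]; then
  # prefer a pg_hba.conf_15* next to PG_HBA_FILE; fall back to PG_HBA_FILE itself,
  # which the nix builder already fills with the PG15 template
  hba15=( "$(dirname "$PG_HBA_FILE")"/pg_hba.conf_15* )
  [ -e "${hba15[0]}" ] || hba15=( "$PG_HBA_FILE" )
  cp "${hba15[0]}" "$DATDIR/pg_hba.conf" || { echo "ERROR: could not install pg_hba.conf"; exit 1; }
else
  cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf" || { echo "ERROR: could not install pg_hba.conf"; exit 1; }
  # pg_hba_*.conf* matches only the include files, never pg_hba.conf or pg_hba.conf_15.*
  shopt -s nullglob
  extra_hba_files=( "${PG_HBA_FILE%pg_hba.conf}"pg_hba_*.conf* )
  shopt -u nullglob
  if [ "${#extra_hba_files[@]}" -eq 0 ]; then
    echo "ERROR: no pg_hba_*.conf include files found next to $PG_HBA_FILE"; exit 1
  fi
  for f in "${extra_hba_files[@]}"; do
    base=$(basename "$f")
    cp "$f" "$DATDIR/${base%%.conf*}.conf" || { echo "ERROR: could not install $f"; exit 1; }
  done
fi
# … unchanged: pg_ident.conf / read-replica.conf copies …
```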
@@ -153,7 +160,7 @@ src: files/postgresql_config/pg_hba_public.conf.j2 dest: /etc/postgresql/pg_hba_public.conf group: postgres - when: debpkg_mode or nixpkg_mode + when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15) # Add pg_hba_users_public.conf - name: import pg_hba_users_public.conf @@ -161,7 +168,7 @@ src: files/postgresql_config/pg_hba_users_public.conf.j2 dest: /etc/postgresql/pg_hba_users_public.conf group: postgres - when: debpkg_mode or nixpkg_mode + when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15) # Add pg_ident.conf - name: import pg_ident.conf From 9490f9543eebdd529ba83c4d84b725fb2351ee5b Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Thu, 21 Aug 2025 15:41:36 +0200 Subject: [PATCH 09/10] chore: pg_hba must have newline --- ansible/files/postgresql_config/pg_hba.conf_15.j2 | 3 ++- ansible/vars.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ansible/files/postgresql_config/pg_hba.conf_15.j2 b/ansible/files/postgresql_config/pg_hba.conf_15.j2 index 9cc98a54b..9fb1a688d 100644 --- a/ansible/files/postgresql_config/pg_hba.conf_15.j2 +++ b/ansible/files/postgresql_config/pg_hba.conf_15.j2 @@ -91,4 +91,5 @@ host all all 192.168.0.0/16 scram-sha-256 host all all 0.0.0.0/0 scram-sha-256 # IPv6 external connections -host all all ::0/0 scram-sha-256 \ No newline at end of file +host all all ::0/0 scram-sha-256 + diff --git a/ansible/vars.yml b/ansible/vars.yml index 011045f8a..23d447c15 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -9,9 +9,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.5.1.024-orioledb" - postgres17: "17.6.1.003" - postgres15: "15.14.1.003" + postgresorioledb-17: "17.5.1.025-orioledb" + postgres17: "17.6.1.004" + postgres15: "15.14.1.004" # Non Postgres Extensions pgbouncer_release: "1.19.0" From 9a840bfa8a371181024d22f4832fb58d2b830dc1 Mon Sep 17 00:00:00 2001 
From: Etienne Stalmans
Date: Wed, 27 Aug 2025 16:08:41 +0200
Subject: [PATCH 10/10] chore: rebase and use block for condition

---
 ansible/tasks/setup-postgres.yml | 42 ++++++++++++++++----------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 78bc847eb..09245daf8 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -147,28 +147,28 @@
 group: postgres
 when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int == 15)
 
-- name: import pg_hba.conf
- template:
- src: files/postgresql_config/pg_hba.conf.j2
- dest: /etc/postgresql/pg_hba.conf
- group: postgres
- when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15)
-
-# Add pg_hba_public.conf
-- name: import pg_hba_public.conf
- template:
- src: files/postgresql_config/pg_hba_public.conf.j2
- dest: /etc/postgresql/pg_hba_public.conf
- group: postgres
- when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15)
-
-# Add pg_hba_users_public.conf
-- name: import pg_hba_users_public.conf
- template:
- src: files/postgresql_config/pg_hba_users_public.conf.j2
- dest: /etc/postgresql/pg_hba_users_public.conf
- group: postgres
+- name: create pg_hba.conf with includes
 when: (debpkg_mode or nixpkg_mode) and (postgresql_major | int != 15)
+ block:
+ - name: import pg_hba.conf
+ template:
+ src: files/postgresql_config/pg_hba.conf.j2
+ dest: /etc/postgresql/pg_hba.conf
+ group: postgres
+
+ # Add pg_hba_public.conf
+ - name: import pg_hba_public.conf
+ template:
+ src: files/postgresql_config/pg_hba_public.conf.j2
+ dest: /etc/postgresql/pg_hba_public.conf
+ group: postgres
+
+ # Add pg_hba_users_public.conf
+ - name: import pg_hba_users_public.conf
+ template:
+ src: files/postgresql_config/pg_hba_users_public.conf.j2
+ dest: /etc/postgresql/pg_hba_users_public.conf
+ group: postgres
 
 # Add pg_ident.conf
 - name: import pg_ident.conf
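Review bot: None of the three `template` tasks in the new block set `owner` or `mode`, so `/etc/postgresql/pg_hba.conf`, `pg_hba_public.conf` and `pg_hba_users_public.conf` end up owned by whichever user runs the play with a umask-dependent mode; these files are the server's authentication policy, and the commit message says they will be created and removed on the fly to toggle rules, so their permissions should be pinned rather than inherited. Adding `owner: postgres` and `mode: "0640"` to each task (and to the `psql_15` task visible as context just above the block) makes that explicit; whether the directory itself needs to be writable by postgres for the toggling tooling is not visible here. The `# Add pg_hba_public.conf` comments inside the block still read as if they headed top-level tasks, while the reason for the `postgresql_major | int != 15` gate goes unsaid; a block-level comment such as `# PostgreSQL 16+ only: pg_hba.conf includes the two files below` would cover both.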