From 2683ed12348d22d0425c6e2823d9ebc5dbcbf0b4 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Mon, 13 Oct 2025 10:59:05 +0200
Subject: [PATCH 1/3] chore: systemd hardening ProtectHome and InaccessiblePaths to senstive internal locations

---
 ansible/files/postgresql_config/postgresql.service.j2 | 2 ++
 ansible/vars.yml | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ansible/files/postgresql_config/postgresql.service.j2 b/ansible/files/postgresql_config/postgresql.service.j2
index 4cc138ec7..33e7a8414 100644
--- a/ansible/files/postgresql_config/postgresql.service.j2
+++ b/ansible/files/postgresql_config/postgresql.service.j2
@@ -22,7 +22,9 @@ OOMScoreAdjust=-1000
 EnvironmentFile=-/etc/environment.d/postgresql.env
 LimitNOFILE=16384
 {% if supabase_internal is defined %}
+ProtectHome=yes
 ReadOnlyPaths=/etc
+InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud
 {% endif %}
 [Install]
 WantedBy=multi-user.target
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 0a9e3bd8f..0f77b1820 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.042-orioledb"
-  postgres17: "17.6.1.021"
-  postgres15: "15.14.1.021"
+  postgresorioledb-17: "17.5.1.043-orioledb"
+  postgres17: "17.6.1.022"
+  postgres15: "15.14.1.022"
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0

From acb8214813c1a96788b408ef9392cde9ee43b661 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Mon, 13 Oct 2025 11:11:28 +0200
Subject: [PATCH 2/3] Apply suggestion from @pcnc

Co-authored-by: Paul Cioanca
---
 ansible/files/postgresql_config/postgresql.service.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/files/postgresql_config/postgresql.service.j2 b/ansible/files/postgresql_config/postgresql.service.j2
index 33e7a8414..900a3d15f 100644
--- a/ansible/files/postgresql_config/postgresql.service.j2
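Review bot: The added `InaccessiblePaths=` line in postgresql.service.j2 carries no comment explaining why these directories are hidden from the postgres process, and because every entry uses the `-` prefix an absent or mistyped path is ignored silently instead of failing the unit, so a later typo would weaken the hardening without any signal. Consider a comment above it such as `# Hide internal agent and cloud-init state from postgres; '-' ignores missing paths, so confirm the effective list after deploy with: systemctl show postgresql -p InaccessiblePaths`. `ProtectHome=yes` presumably assumes the postgres user's home and data directory are not under /home, /root or /run/user; that is not visible in this hunk and is worth stating in the same comment. Both settings sit inside the `{% if supabase_internal is defined %}` block, so images built without that variable get none of this hardening.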
+++ b/ansible/files/postgresql_config/postgresql.service.j2
@@ -24,7 +24,7 @@ LimitNOFILE=16384
 {% if supabase_internal is defined %}
 ProtectHome=yes
 ReadOnlyPaths=/etc
-InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud
+InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud -/var/cache/supabase-admin-agent
 {% endif %}
 [Install]
 WantedBy=multi-user.target

From 24ed674899559a302b26e693e8a99b3404d65a2d Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Mon, 13 Oct 2025 11:51:44 +0200
Subject: [PATCH 3/3] chore: more paths

---
 ansible/files/postgresql_config/postgresql.service.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/files/postgresql_config/postgresql.service.j2 b/ansible/files/postgresql_config/postgresql.service.j2
index 900a3d15f..30bbd5f6d 100644
--- a/ansible/files/postgresql_config/postgresql.service.j2
+++ b/ansible/files/postgresql_config/postgresql.service.j2
@@ -23,8 +23,8 @@ EnvironmentFile=-/etc/environment.d/postgresql.env
 LimitNOFILE=16384
 {% if supabase_internal is defined %}
 ProtectHome=yes
-ReadOnlyPaths=/etc
-InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud -/var/cache/supabase-admin-agent
+ReadOnlyPaths=/etc /opt
+InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud -/var/cache/supabase-admin-agent -/opt/saltstack -/etc/salt
 {% endif %}
 [Install]
 WantedBy=multi-user.target
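Review bot: The rewritten `InaccessiblePaths=` line in patch 2 is a single space-separated run that keeps growing (patch 3 extends it again), which makes each diff a one-line rewrite that is hard to review and makes it easy to lose a `-` prefix while editing. systemd merges repeated assignments of this setting (an empty assignment resets the list), so one line per concern reads better and diffs cleanly, e.g. keep `InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud` and add `InaccessiblePaths=-/var/cache/supabase-admin-agent` beneath it. The same layout would suit the paths added in patch 3.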
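Review bot: `ReadOnlyPaths=/etc /opt` in patch 3 now nests `-/etc/salt` and `-/opt/saltstack` from `InaccessiblePaths=` inside read-only trees; systemd documents that these path settings may be nested with the more specific entry taking effect, but nothing in the unit records that this overlap is deliberate, and a reader may take the read-only entry as the stronger one. Whether the postgres service needs to write anywhere under /opt (extension build artefacts, tooling caches) cannot be told from this hunk, so the change deserves a sentence in the unit, e.g. `# /etc and /opt are read-only for postgres; the Salt directories below are hidden entirely (more specific path wins)`. Since the commit message only says "more paths", that comment is also the only place the reason for protecting the Salt state would be captured; a check of the effective values with `systemctl show postgresql -p ReadOnlyPaths -p InaccessiblePaths` in the Ansible tests would confirm the overlay behaves as intended on a built image.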