diff --git a/Dockerfile-15 b/Dockerfile-15
index aec6e8364..d3efaed69 100644
--- a/Dockerfile-15
+++ b/Dockerfile-15
@@ -126,7 +126,7 @@ RUN chown -R postgres:postgres /usr/lib/postgresql && \
 # Setup configs
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf
-COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf
+COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf_15.j2 /etc/postgresql/pg_hba.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/conf.d /etc/postgresql-custom/conf.d
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf
diff --git a/Dockerfile-17 b/Dockerfile-17
index 121d0557a..d072aa90a 100644
--- a/Dockerfile-17
+++ b/Dockerfile-17
@@ -128,6 +128,8 @@ RUN chown -R postgres:postgres /usr/lib/postgresql && \
 # Setup configs
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf
+COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf
+COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/conf.d /etc/postgresql-custom/conf.d
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf
diff --git a/Dockerfile-multigres b/Dockerfile-multigres
index 2549d727a..aacc94366 100644
--- a/Dockerfile-multigres
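Review bot: The two added COPY lines in Dockerfile-17 bake `pg_hba_users_public.conf` and `pg_hba_public.conf` into the image, and because `pg_hba.conf.j2` only gates them with `include_if_exists`, the shipped default is still `host all all 0.0.0.0/0 scram-sha-256` over plain TCP — the very rule the template change removed from the base file — while the `_ssl` variants the template references are not copied at all. The fail-closed behaviour therefore only exists if an operator deletes these files and reloads; that is a defensible default, but it should be stated on the COPY lines, e.g. `# Shipped by default: external access for all roles. Remove pg_hba_public.conf (and reload) to restrict external access to the roles in pg_hba_users_public.conf`. Also note the `.j2` templates are copied unrendered as `.conf`; that works only while they contain no Jinja expressions, which is true of the two new files in this diff but is worth a comment so nobody adds one later.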
+++ b/Dockerfile-multigres
@@ -127,7 +127,7 @@ RUN mkdir -p \
 /etc/postgresql-custom
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf
-COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf
+COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf_15.j2 /etc/postgresql/pg_hba.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/conf.d /etc/postgresql-custom/conf.d
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf
diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17
index 3cf7a533b..0df8b4009 100644
--- a/Dockerfile-orioledb-17
+++ b/Dockerfile-orioledb-17
@@ -128,6 +128,8 @@ RUN chown -R postgres:postgres /usr/lib/postgresql && \
 # Setup configs
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql.conf.j2 /etc/postgresql/postgresql.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba.conf.j2 /etc/postgresql/pg_hba.conf
+COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_users_public.conf.j2 /etc/postgresql/pg_hba_users_public.conf
+COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_hba_public.conf.j2 /etc/postgresql/pg_hba_public.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/pg_ident.conf.j2 /etc/postgresql/pg_ident.conf
 COPY --chown=postgres:postgres ansible/files/postgresql_config/conf.d /etc/postgresql-custom/conf.d
 COPY --chown=postgres:postgres ansible/files/postgresql_config/postgresql-stdout-log.conf /etc/postgresql/logging.conf
diff --git a/ansible/files/postgresql_config/pg_hba.conf.j2 b/ansible/files/postgresql_config/pg_hba.conf.j2
index 9cafd4146..0b7489e61 100755
--- a/ansible/files/postgresql_config/pg_hba.conf.j2
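Review bot: Dockerfile-multigres is switched to `pg_hba.conf_15.j2`, which keeps the hard-coded `host all all 0.0.0.0/0 scram-sha-256` rule and gets none of the include-based layout, so this image has no file-presence toggle for external access. The PostgreSQL major the multigres image builds on is not visible in the hunk; `include_if_exists` is a PostgreSQL 16+ directive, so if multigres is on 16 or later this looks like an oversight rather than a compatibility need. Either way the choice should be recorded on the COPY line, e.g. `# multigres uses the PG15-style inline pg_hba (no include_if_exists)`, so the two layouts do not silently drift apart.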
+++ b/ansible/files/postgresql_config/pg_hba.conf.j2 
@@ -1,94 +1,35 @@
 # PostgreSQL Client Authentication Configuration File
 # ===================================================
 #
-# Refer to the "Client Authentication" section in the PostgreSQL
-# documentation for a complete description of this file. A short
-# synopsis follows.
-#
-# This file controls: which hosts are allowed to connect, how clients
-# are authenticated, which PostgreSQL user names they can use, which
-# databases they can access. Records take one of these forms:
-#
-# local DATABASE USER METHOD [OPTIONS]
-# host DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
-#
-# (The uppercase items must be replaced by actual values.)
-#
-# The first field is the connection type: "local" is a Unix-domain
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
-# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
-# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
-# non-GSSAPI socket.
-#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
-#
-# USER can be "all", a user name, a group name prefixed with "+", or a
-# comma-separated list thereof. In both the DATABASE and USER fields
-# you can also write a file name prefixed with "@" to include names
-# from a separate file.
-#
-# ADDRESS specifies the set of hosts the record matches. It can be a
-# host name, or it is made up of an IP address and a CIDR mask that is
-# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask. A host name
-# that starts with a dot (.) matches a suffix of the actual host name.
-# Alternatively, you can write an IP address and netmask in separate
-# columns to specify the set of hosts. Instead of a CIDR-address, you
-# can write "samehost" to match any of the server's own IP addresses,
-# or "samenet" to match any address in any subnet that the server is
-# directly connected to.
-#
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
-# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
-# Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
-#
-# OPTIONS are a set of options for the authentication in the format
-# NAME=VALUE. The available options depend on the different
-# authentication methods -- refer to the "Client Authentication"
-# section in the documentation for a list of which options are
-# available for which authentication methods.
-#
-# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
-#
-# This file is read on server startup and when the server receives a
-# SIGHUP signal. If you edit the file on a running system, you have to
-# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
-# or execute "SELECT pg_reload_conf()".
-#
-# Put your actual configuration here
-# ----------------------------------
-#
-# If you want to allow non-local connections, you need to add more
-# "host" records. In that case you will also need to make PostgreSQL
-# listen on a non-local interface via the listen_addresses
-# configuration parameter, or via the -i or -h command line switches.
+# This file uses the include directive to selectively
+# enable features. When present, the included files will
+# take effect and order of precedence determines which auth
+# rules are applied.
 # TYPE DATABASE USER ADDRESS METHOD
 # trust local connections
 local all supabase_admin scram-sha-256
 local all all peer map=supabase_map
+
+include_if_exists pg_hba_pam_local.conf
+
 host all all 127.0.0.1/32 trust
 host all all ::1/128 trust
-# IPv4 external connections
 host all all 10.0.0.0/8 scram-sha-256
-host all all 172.16.0.0/12 scram-sha-256
+host all all 172.16.0.0/12 scram-sha-256
 host all all 192.168.0.0/16 scram-sha-256
-host all all 0.0.0.0/0 scram-sha-256
-# IPv6 external connections
-host all all ::0/0 scram-sha-256
+# if ssl is enforced, these files will exist and take precedence
+include_if_exists pg_hba_users_public_ssl.conf
+include_if_exists pg_hba_pam_public_ssl.conf
+include_if_exists pg_hba_public_ssl.conf
+
+# otherwise, non ssl enforced rules will apply
+include_if_exists pg_hba_users_public.conf
+include_if_exists pg_hba_pam_public.conf
+include_if_exists pg_hba_public.conf
+
+host replication supabase_replication_admin 0.0.0.0/0 scram-sha-256
+host replication supabase_replication_admin ::0/0 scram-sha-256
diff --git a/ansible/files/postgresql_config/pg_hba.conf_15.j2 b/ansible/files/postgresql_config/pg_hba.conf_15.j2
new file mode 100644
index 000000000..9fb1a688d
--- /dev/null
+++ b/ansible/files/postgresql_config/pg_hba.conf_15.j2
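Review bot: The comment `# if ssl is enforced, these files will exist and take precedence` only holds if the `_ssl` includes contain a rule that matches a non-TLS client; a `hostssl` line does not, so a plaintext connection falls straight through to `pg_hba_public.conf`'s `host all all 0.0.0.0/0 scram-sha-256` whenever that file is still present — and the Dockerfiles in this change ship it unconditionally. The `_ssl` files are not in the diff, so treat this as a check rather than a confirmed hole: either the enforcement path must remove the non-SSL includes, or each `_ssl` include needs an explicit `hostnossl all all 0.0.0.0/0 reject` and `hostnossl all all ::0/0 reject` ahead of the fall-through. The new `host replication supabase_replication_admin 0.0.0.0/0` / `::0/0` lines sit after every include and are unconditional, so replication is reachable from any address regardless of which public files exist; a comment such as `# replication is always reachable; restrict with a reject rule in an include if needed` would keep the next editor from assuming the include toggle covers it. Unrelated to the rule change, the index line shows the template is still mode 100755; a pg_hba.conf has no reason to carry the execute bit.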
@@ -0,0 +1,95 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
+# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
+# non-GSSAPI socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches. It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts. Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted. Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal. If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# trust local connections
+local all supabase_admin scram-sha-256
+local all all peer map=supabase_map
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust
+
+# IPv4 external connections
+host all all 10.0.0.0/8 scram-sha-256
+host all all 172.16.0.0/12 scram-sha-256
+host all all 192.168.0.0/16 scram-sha-256
+host all all 0.0.0.0/0 scram-sha-256
+
+# IPv6 external connections
+host all all ::0/0 scram-sha-256
+
diff --git a/ansible/files/postgresql_config/pg_hba_public.conf.j2 b/ansible/files/postgresql_config/pg_hba_public.conf.j2
new file mode 100644
index 000000000..80c54d2be
--- /dev/null
+++ b/ansible/files/postgresql_config/pg_hba_public.conf.j2
@@ -0,0 +1,2 @@
+host all all 0.0.0.0/0 scram-sha-256
+host all all ::0/0 scram-sha-256
diff --git a/ansible/files/postgresql_config/pg_hba_users_public.conf.j2 b/ansible/files/postgresql_config/pg_hba_users_public.conf.j2
new file mode 100644
index 000000000..ccc167984
--- /dev/null
+++ b/ansible/files/postgresql_config/pg_hba_users_public.conf.j2
@@ -0,0 +1,11 @@
+host all pgbouncer 0.0.0.0/0 scram-sha-256
+host all supabase_admin 0.0.0.0/0 scram-sha-256
+host all supabase_auth_admin 0.0.0.0/0 scram-sha-256
+host all supabase_storage_admin 0.0.0.0/0 scram-sha-256
+host all supabase_replication_admin 0.0.0.0/0 scram-sha-256
+
+host all pgbouncer ::0/0 scram-sha-256
+host all supabase_admin ::0/0 scram-sha-256
+host all supabase_auth_admin ::0/0 scram-sha-256
+host all supabase_storage_admin ::0/0 scram-sha-256
+host all supabase_replication_admin ::0/0 scram-sha-256
diff --git a/ansible/tasks/setup-pgbouncer.yml b/ansible/tasks/setup-pgbouncer.yml
index 06925c6ad..270b9e7c5 100644
--- a/ansible/tasks/setup-pgbouncer.yml
+++ b/ansible/tasks/setup-pgbouncer.yml
@@ -92,7 +92,7 @@
 owner: 'pgbouncer'
 path: '/etc/pgbouncer/userlist.txt'
 state: 'touch'
-
+
 - name: import /etc/tmpfiles.d/pgbouncer.conf
 ansible.builtin.template:
 dest: '/etc/tmpfiles.d/pgbouncer.conf'
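Review bot: This PG15 copy keeps the unconditional `host all all 0.0.0.0/0 scram-sha-256` and `host all all ::0/0 scram-sha-256` rules, so PG15 hosts get no file-presence toggle and no `hostnossl ... reject`; any "enforce SSL" or "restrict external access" flow has to rewrite this file in place rather than drop an include. A header comment saying so would stop the next maintainer from assuming parity with the 16+ layout, e.g. `# PG15 has no include_if_exists: external-access rules are inline below and must be edited directly to restrict or enforce TLS`. The `# trust local connections` heading is also carried over above a `scram-sha-256` line for supabase_admin and a `peer` line, which reads as wrong; `# local socket connections` would be accurate.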
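Review bot: `host all supabase_replication_admin 0.0.0.0/0 scram-sha-256` (and its `::0/0` twin) grants that role ordinary-database sessions from any address, whereas the base template already carries dedicated `host replication supabase_replication_admin` rules; if the role exists only for streaming replication, drop the two `all` lines for it here so a leaked replication credential cannot open a regular session. Every entry in this file uses `host`, not `hostssl`, so SCRAM runs over cleartext TCP unless the `_ssl` variant replaces it at runtime; a one-line header such as `# non-TLS allow-list for service roles; superseded by pg_hba_users_public_ssl.conf when TLS is enforced` would make that intent explicit to whoever next edits the role list.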
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index be6fa0840..ae34b9dd7 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -155,14 +155,13 @@
 loop_control:
 loop_var: 'pg_config_item'
- - name: import postgresql.conf, pg_hba.conf, and pg_ident.conf
+ - name: import postgresql.conf and pg_ident.conf
 ansible.builtin.template:
 dest: '/etc/postgresql/{{ pg_config_item }}'
 group: 'postgres'
 src: 'files/postgresql_config/{{ pg_config_item }}.j2'
 loop:
 - 'postgresql.conf'
- - 'pg_hba.conf'
 - 'pg_ident.conf'
 loop_control:
 loop_var: 'pg_config_item'
@@ -179,7 +178,7 @@
 block:
 - name: Check if psql_version is psql_15
 ansible.builtin.set_fact:
- is_psql_15: "{{ psql_version in ['psql_15'] }}"
+ is_psql_15: "{{ psql_version == 'psql_15' or postgresql_major | int == 15 }}"
 - name: create placeholder pam config
 file:
@@ -190,6 +189,36 @@
 mode: 0664
 when: not is_psql_15
+ - name: import pg_hba.conf psql_15
+ ansible.builtin.template:
+ dest: /etc/postgresql/pg_hba.conf
+ src: files/postgresql_config/pg_hba.conf_15.j2
+ group: postgres
+ when: is_psql_15
+
+ - name: create pg_hba.conf with includes
+ when: not is_psql_15
+ block:
+ - name: import pg_hba.conf
+ ansible.builtin.template:
+ dest: /etc/postgresql/pg_hba.conf
+ src: files/postgresql_config/pg_hba.conf.j2
+ group: postgres
+
+ # Add pg_hba_public.conf
+ - name: import pg_hba_public.conf
+ ansible.builtin.template:
+ dest: /etc/postgresql/pg_hba_public.conf
+ src: files/postgresql_config/pg_hba_public.conf.j2
+ group: postgres
+
+ # Add pg_hba_users_public.conf
+ - name: import pg_hba_users_public.conf
+ ansible.builtin.template:
+ dest: /etc/postgresql/pg_hba_users_public.conf
+ src: files/postgresql_config/pg_hba_users_public.conf.j2
+ group: postgres
+
 # Install extensions before init
 - name: Install Postgres extensions
 ansible.builtin.import_tasks:
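Review bot: `is_psql_15: "{{ psql_version == 'psql_15' or postgresql_major | int == 15 }}"` applies `| int` to `postgresql_major` unconditionally; nothing in this file sets that variable, and if any inventory leaves it undefined the expression is likely to raise an undefined-variable error rather than evaluate false — and because the same change removes `pg_hba.conf` from the unconditional template loop, a failed fact leaves the host with no pg_hba.conf at all. Safer: `is_psql_15: "{{ psql_version == 'psql_15' or (postgresql_major | default(0) | int) == 15 }}"`. The three new template tasks set `group: postgres` but no `owner` or `mode`, unlike the sibling placeholder pam task in the same hunk which pins `mode: 0664`; adding `mode: '0644'` to each pg_hba task avoids depending on the controller's umask for the file the server authenticates against.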
@@ -376,7 +405,7 @@
 dest: '/var/lib/postgresql/.bashrc'
 line: "{{ lang_item }}"
 become: true
- loop:
+ loop:
 - 'export LOCALE_ARCHIVE=/usr/lib/locale/locale-archive'
 - 'export LANG="en_US.UTF-8"'
 - 'export LANGUAGE="en_US.UTF-8"'
diff --git a/ansible/tasks/test-image.yml b/ansible/tasks/test-image.yml
index ea6e157b6..ea9cddb1b 100644
--- a/ansible/tasks/test-image.yml
+++ b/ansible/tasks/test-image.yml
@@ -16,9 +16,8 @@
 become: true
 become_user: 'postgres'
 loop:
- - { in: "^(shared_preload_libraries = '.*)pgsodium(.*')", out: '\1\2' }
- - { in: "^(shared_preload_libraries = '.*)supabase_vault(.*')", out: '\1\2' }
- - { in: "^(shared_preload_libraries = '.*)*supabase_vault(.*')", out: '\1\2' }
+ - { in: "^(shared_preload_libraries = '[^']*),\\s*pgsodium", out: '\1' }
+ - { in: "^(shared_preload_libraries = '[^']*),\\s*supabase_vault", out: '\1' }
 - { in: '^(pgsodium\.getkey_script=)', out: '#\1' }
 loop_control:
 loop_var: 'regx'
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 8d612b970..863a9dcfa 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.6.0.061-orioledb"
- postgres17: "17.6.1.104"
- postgres15: "15.14.1.104"
+ postgresorioledb-17: "17.6.0.061-orioledb-hba"
+ postgres17: "17.6.1.104-hba"
+ postgres15: "15.14.1.104-hba"
 # Non Postgres Extensions
 pgbouncer_release: 1.25.1
diff --git a/nix/checks.nix b/nix/checks.nix
index 0cf9ed999..f738119ba 100644
--- a/nix/checks.nix
+++ b/nix/checks.nix
@@ -163,6 +163,7 @@
 PGSODIUM_GETKEY = "${getkey-script}/bin/pgsodium-getkey";
 PGSQL_DEFAULT_PORT = pgPort;
 };
+ version = majorVersion;
 };
 getVersionArg =
diff --git a/nix/ext/tests/lib.nix b/nix/ext/tests/lib.nix
index 9c268f35f..3e9e5c5e3 100644
--- a/nix/ext/tests/lib.nix
+++ b/nix/ext/tests/lib.nix
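Review bot: The new patterns `^(shared_preload_libraries = '[^']*),\\s*pgsodium` and the `supabase_vault` twin only strip the library when it is preceded by a comma, so if either name is the first entry in the list the line is left untouched and the test image still preloads it; the previous patterns had the same gap, but this rewrite is the moment to close it. A third pattern for the leading position, e.g. `- { in: "^(shared_preload_libraries = ')(pgsodium|supabase_vault),\\s*", out: '\1' }`, or a follow-up assertion that the resulting line no longer contains either name, would make the test fail loudly instead of silently leaving the extension loaded. The bare `pgsodium` suffix also matches any longer library name with that prefix; none is visible here, so a trailing `(?=[,'])` is optional hardening rather than a fix.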
@@ -48,7 +48,18 @@ let
 mkdir -p $out/conf.d $out/extension-custom-scripts
 # Copy ansible config files (make writable so we can append/modify later)
- cp ${ansibleConfigDir}/pg_hba.conf.j2 $out/pg_hba.conf
+ ${
+ if majorVersion == "15" then
+ ''
+ cp ${ansibleConfigDir}/pg_hba.conf_15.j2 $out/pg_hba.conf
+ ''
+ else
+ ''
+ cp ${ansibleConfigDir}/pg_hba.conf.j2 $out/pg_hba.conf
+ cp ${ansibleConfigDir}/pg_hba_public.conf.j2 $out/pg_hba_public.conf
+ cp ${ansibleConfigDir}/pg_hba_users_public.conf.j2 $out/pg_hba_users_public.conf
+ ''
+ }
 cp ${ansibleConfigDir}/pg_ident.conf.j2 $out/pg_ident.conf
 chmod u+w $out/pg_hba.conf $out/pg_ident.conf
diff --git a/nix/packages/default.nix b/nix/packages/default.nix
index 7b1a6ea54..c364c2303 100644
--- a/nix/packages/default.nix
+++ b/nix/packages/default.nix
@@ -86,6 +86,7 @@
 inherit pkgs;
 name = "start-postgres-server";
 pgroonga = self'.legacyPackages."psql_${activeVersion}".exts.pgroonga;
+ version = activeVersion;
 };
 switch-ext-version = pkgs.callPackage ./switch-ext-version.nix {
 inherit (self'.packages) overlayfs-on-package;
diff --git a/nix/packages/lib.nix b/nix/packages/lib.nix
index 23e600796..ab78a7a9b 100644
--- a/nix/packages/lib.nix
+++ b/nix/packages/lib.nix
@@ -5,6 +5,7 @@
 defaults,
 supabase-groonga,
 stdenv,
+ lib,
 }: {
 makePostgresDevSetup =
@@ -13,9 +14,10 @@
 name,
 pgroonga,
 extraSubstitutions ? { },
+ version,
 }:
 let
- paths = {
+ basePaths = {
 migrationsDir = builtins.path {
 name = "migrations";
 path = ../../migrations/db;
@@ -52,10 +54,6 @@
 name = "readreplica.conf";
 path = ../../ansible/files/postgresql_config/custom_read_replica.conf;
 };
- pgHbaConfigFile = builtins.path {
- name = "pg_hba.conf";
- path = ../../ansible/files/postgresql_config/pg_hba.conf.j2;
- };
 pgIdentConfigFile = builtins.path {
 name = "pg_ident.conf";
 path = ../../ansible/files/postgresql_config/pg_ident.conf.j2;
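Review bot: The non-15 branch copies `pg_hba_public.conf` and `pg_hba_users_public.conf` out of the store, but the existing `chmod u+w $out/pg_hba.conf $out/pg_ident.conf` line was not extended, so the two new files keep the store's read-only mode while the comment above promises the copies are "writable so we can append/modify later". If a later test step edits them — the natural way to exercise the include toggle — it will fail on permissions; deleting them would still work since that only needs directory write. Suggest `chmod u+w $out/pg_hba.conf $out/pg_ident.conf $out/pg_hba_*.conf` (the glob matches nothing on 15, which is harmless with `nullglob` or an `|| true`), or moving the chmod into each branch. Whether anything downstream actually modifies them is not visible in this hunk.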
@@ -69,6 +67,30 @@
 path = ../tests/util/pgsodium_getkey.sh;
 };
 };
+ extraPaths =
+ if version == "15" then
+ {
+ pgHbaConfigFile = builtins.path {
+ name = "pg_hba.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba.conf_15.j2;
+ };
+ }
+ else
+ {
+ pgHbaConfigFile = builtins.path {
+ name = "pg_hba.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba.conf.j2;
+ };
+ pgHbaUsersPublicConfigFile = builtins.path {
+ name = "pg_hba_users_public.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba_users_public.conf.j2;
+ };
+ pgHbaPublicConfigFile = builtins.path {
+ name = "pg_hba_public.conf";
+ path = ../../ansible/files/postgresql_config/pg_hba_public.conf.j2;
+ };
+ };
+ paths = basePaths // extraPaths;
 localeArchive = if pkgs.stdenv.isDarwin then
@@ -126,6 +148,17 @@
 cp ${paths.loggingConfigFile} $out/etc/postgresql-custom/logging.conf || { echo "Failed to copy logging.conf"; exit 1; }
 cp ${paths.readReplicaConfigFile} $out/etc/postgresql-custom/read-replica.conf || { echo "Failed to copy read-replica.conf"; exit 1; }
 cp ${paths.pgHbaConfigFile} $out/etc/postgresql/pg_hba.conf || { echo "Failed to copy pg_hba.conf"; exit 1; }
+
+ # these shouldn't exist on psql_15
+ ${lib.optionalString (paths ? pgHbaUsersPublicConfigFile) ''
+ cp ${paths.pgHbaUsersPublicConfigFile} $out/etc/postgresql/pg_hba_users_public.conf || { echo "Failed to copy pg_hba_users_public.conf"; exit 1; }
+ chmod 644 $out/etc/postgresql/pg_hba_users_public.conf
+ ''}
+ ${lib.optionalString (paths ? pgHbaPublicConfigFile) ''
+ cp ${paths.pgHbaPublicConfigFile} $out/etc/postgresql/pg_hba_public.conf || { echo "Failed to copy pg_hba_public.conf"; exit 1; }
+ chmod 644 $out/etc/postgresql/pg_hba_public.conf
+ ''}
+
 cp ${paths.pgIdentConfigFile} $out/etc/postgresql/pg_ident.conf || { echo "Failed to copy pg_ident.conf"; exit 1; }
 cp -r ${paths.postgresqlExtensionCustomScriptsPath}/* $out/extension-custom-scripts/ || { echo "Failed to copy custom scripts"; exit 1; }
diff --git a/nix/tools/run-server.sh.in b/nix/tools/run-server.sh.in
index 333f062bc..938990380 100644
--- a/nix/tools/run-server.sh.in
+++ b/nix/tools/run-server.sh.in
@@ -34,10 +34,10 @@ start_postgres() {
 # Start the server
 pg_ctl start -D "$DATDIR" -l "$LOG_FILE" \
 -o "--config-file=$DATDIR/postgresql.conf -p $PORTNO -k $DATDIR/tmp"
-
+
 # Give it a moment to write logs
 sleep 1
-
+
 # Check server status and logs
 if ! pg_ctl status -D "$DATDIR"; then
 echo "PostgreSQL failed to start. Full logs:"
@@ -192,7 +192,7 @@ export LC_CTYPE=en_US.UTF-8
 export KEY_FILE="$DATDIR/pgsodium.key"
 echo "KEY_FILE: $KEY_FILE"
 echo "KEY_FILE contents:"
-cat "$KEY_FILE"
+cat "$KEY_FILE"
 echo "PGSODIUM_GETKEY_SCRIPT: $PGSODIUM_GETKEY_SCRIPT"
 echo "NOTE: using port $PORTNO for server"
@@ -213,7 +213,17 @@ fi
 # Copy configuration files
 echo "NOTE: patching postgresql.conf files"
-cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf"
+if [ "$VERSION" = "15" ]; then
+ cp $(dirname "$PG_HBA_FILE")/pg_hba.conf_15* "$DATDIR/pg_hba.conf"
+else
+ cp "${PG_HBA_FILE}" "$DATDIR/pg_hba.conf"
+ # copy extra hba_*.conf files over
+ extra_hba_files=( ${PG_HBA_FILE%pg_hba.conf}pg_hba_*.conf* )
+ for f in "${extra_hba_files[@]}"; do
+ base=$(basename "$f")
+ cp "$f" "$DATDIR/${base%%.conf*}.conf"
+ done
+fi
 cp "$PG_IDENT_FILE" "$DATDIR/pg_ident.conf"
 # Copy entire conf.d directory from postgresql_config
 POSTGRESQL_CONFIG_DIR="@POSTGRESQL_CONFIG_DIR@"
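Review bot: In the new `"$VERSION" = "15"` branch, `cp $(dirname "$PG_HBA_FILE")/pg_hba.conf_15* "$DATDIR/pg_hba.conf"` leaves both the command substitution and the glob unquoted, and `extra_hba_files=( ${PG_HBA_FILE%pg_hba.conf}pg_hba_*.conf* )` expands unquoted without `nullglob`, so a directory with no extra include files hands the literal pattern to `cp`, a path containing spaces splits, and two `pg_hba.conf_15*` matches make `cp` fail with a misleading "not a directory" error. `${PG_HBA_FILE%pg_hba.conf}` also only works when the path ends in exactly `pg_hba.conf`, which the nix packaging in this diff appears to guarantee but the script does not check. Since the result is the file PostgreSQL authenticates against, a silent miscopy here matters more than usual; the shape below derives the directory once, skips an empty glob explicitly and fails loudly if the PG15 pattern does not resolve to exactly one file. The rest of the script continues outside the hunk.
```shell
hba_dir=$(dirname "$PG_HBA_FILE")
if [ "$VERSION" = "15" ]; then
  hba15=( "$hba_dir"/pg_hba.conf_15* )
  if [ "${#hba15[@]}" -ne 1 ] || [ ! -f "${hba15[0]}" ]; then
    echo "ERROR: expected exactly one pg_hba.conf_15* in $hba_dir" >&2
    exit 1
  fi
  cp "${hba15[0]}" "$DATDIR/pg_hba.conf"
else
  cp "$PG_HBA_FILE" "$DATDIR/pg_hba.conf"
  # copy extra pg_hba_*.conf include files over; an empty match is a valid state
  for f in "$hba_dir"/pg_hba_*.conf*; do
    [ -f "$f" ] || continue
    base=$(basename "$f")
    cp "$f" "$DATDIR/${base%%.conf*}.conf"
  done
fi
# … unchanged: pg_ident.conf and conf.d copies …
```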
@@ -260,16 +270,16 @@ orioledb_config_items() {
 # macOS specific configuration
 echo "macOS detected, applying macOS specific configuration"
 ls -la "$DATDIR"
-
+
 # Use perl instead of sed for macOS
 perl -pi -e 's/ timescaledb,//g' "$DATDIR/postgresql.conf"
 perl -pi -e 's/db_user_namespace = off/#db_user_namespace = off/g' "$DATDIR/postgresql.conf"
-
+
 perl -pi -e 's/ timescaledb,//g' "$DATDIR/supautils.conf"
 perl -pi -e 's/ plv8,//g' "$DATDIR/supautils.conf"
 perl -pi -e 's/ pgjwt,//g' "$DATDIR/supautils.conf"
 perl -pi -e 's/(shared_preload_libraries\s*=\s*'\''.*?)'\''/\1, orioledb'\''/' "$DATDIR/postgresql.conf"
-
+
 echo "default_table_access_method = 'orioledb'" >> "$DATDIR/postgresql.conf"
 elif [[ "$VERSION" == "17" && "$CURRENT_SYSTEM" != "aarch64-darwin" ]]; then
 echo "non-macos pg 17 conf"
@@ -297,7 +307,7 @@ export GRN_PLUGINS_DIR=$GROONGA/lib/groonga/plugins
 # Start postgres
 mkdir -p "$DATDIR/tmp"
-chmod 1777 "$DATDIR/tmp"
+chmod 1777 "$DATDIR/tmp"
 start_postgres "daemon"
 # Wait for PostgreSQL to start
@@ -377,6 +387,6 @@ stop_postgres
 # Step 4: Restart PostgreSQL in the foreground (with log output visible) or as a daemon
 if [ "$DAEMONIZE" = true ]; then
 start_postgres "daemon"
-else
+else
 start_postgres "foreground"
 fi