feat: deploy postgresql using system-manager

jfroche · jfroche · commit b06a79789cc7 · 2025-09-12T18:49:36.000+02:00
diff --git a/ansible/tests/conftest.py b/ansible/tests/conftest.py
@@ -59,18 +59,21 @@ def _run_playbook(playbook_name, verbose=False):
         ]
         if verbose:
             cmd.append("-vvv")
-        cmd.extend([
-            "-i",
-            "localhost,",
-            "--extra-vars",
-            "@/flake/ansible/vars.yml",
-            f"/flake/ansible/tests/{playbook_name}",
-        ])
+        cmd.extend(
+            [
+                "-i",
+                "localhost,",
+                "--extra-vars",
+                "@/flake/ansible/vars.yml",
+                f"/flake/ansible/tests/{playbook_name}",
+            ]
+        )
         result = host.run(" ".join(cmd))
         if result.failed:
             console.log(result.stdout)
             console.log(result.stderr)
             raise pytest.fail(
                 f"Ansible playbook {playbook_name} failed with return code {result.rc}"
             )
+
     return _run_playbook
diff --git a/ansible/tests/test_nix.py b/ansible/tests/test_nix.py
@@ -9,5 +9,6 @@ def run_ansible(run_ansible_playbook):
 def test_nix_service(host):
     assert host.service("nix-daemon.service").is_running
 
+
 def test_envoy_service(host):
     assert host.service("envoy.service").is_running
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -33,7 +33,8 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     system-manager = {
-      url = "github:numtide/system-manager";
+      url = "github:numtide/system-manager/users";
+      #url = "git+file:///home/jfroche/projects/numtide/system-manager/fix/return-tmpfile-error";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
diff --git a/nix/config.nix b/nix/config.nix
@@ -14,6 +14,74 @@ let
         type = lib.types.str;
         default = "supabase_admin";
       };
+      settings = lib.mkOption {
+        type = lib.types.attrs;
+        default = {
+          authentication_timeout = "1min";
+          "auto_explain.log_min_duration" = "10s";
+          checkpoint_completion_target = "0.5";
+          checkpoint_flush_after = "256kB";
+          cluster_name = "main";
+          "cron.database_name" = "postgres";
+          default_text_search_config = "pg_catalog.english";
+          effective_cache_size = "128MB";
+          extra_float_digits = "0";
+          include = "/etc/postgresql-custom/read-replica.conf";
+          jit = "off";
+          jit_provider = "llvmjit";
+          lc_messages = "en_US.UTF-8";
+          lc_monetary = "en_US.UTF-8";
+          lc_numeric = "en_US.UTF-8";
+          lc_time = "en_US.UTF-8";
+          listen_addresses = "*";
+          log_destination = "stderr";
+          log_line_prefix = "%h %m [%p] %q%u@%d ";
+          log_statement = "ddl";
+          log_timezone = "UTC";
+          max_replication_slots = "5";
+          max_slot_wal_keep_size = "4096";
+          max_wal_senders = "10";
+          password_encryption = "scram-sha-256";
+          port = 5432;
+          row_security = "on";
+          shared_buffers = "128MB";
+          ssl = "off";
+          ssl_ca_file = "";
+          ssl_cert_file = "";
+          ssl_ciphers = "HIGH:MEDIUM:+3DES:!aNULL";
+          ssl_crl_dir = "";
+          ssl_crl_file = "";
+          ssl_dh_params_file = "";
+          ssl_ecdh_curve = "prime256v1";
+          ssl_key_file = "";
+          ssl_max_protocol_version = "";
+          ssl_min_protocol_version = "TLSv1.2";
+          ssl_passphrase_command = "";
+          ssl_passphrase_command_supports_reload = "off";
+          ssl_prefer_server_ciphers = "on";
+          timezone = "UTC";
+          wal_level = "logical";
+        };
+      };
+      authentication = lib.mkOption {
+        type = lib.types.lines;
+        default = ''
+          # trust local connections
+          local all  supabase_admin     scram-sha-256
+          local all  all                peer map=supabase_map
+          host  all  all  127.0.0.1/32  trust
+          host  all  all  ::1/128       trust
+
+          # IPv4 external connections
+          host  all  all  10.0.0.0/8  scram-sha-256
+          host  all  all  172.16.0.0/12  scram-sha-256
+          host  all  all  192.168.0.0/16  scram-sha-256
+          host  all  all  0.0.0.0/0     scram-sha-256
+
+          # IPv6 external connections
+          host  all  all  ::0/0     scram-sha-256
+        '';
+      };
     };
   };
   postgresqlVersion = lib.types.submodule {
@@ -24,7 +92,7 @@ let
   };
   supabaseSubmodule = lib.types.submodule {
     options = {
-      defaults = lib.mkOption { type = postgresqlDefaults; };
+      postgres.defaults = lib.mkOption { type = postgresqlDefaults; };
       supportedPostgresVersions = lib.mkOption {
         type = lib.types.attrsOf (lib.types.attrsOf postgresqlVersion);
         default = { };
@@ -38,7 +106,7 @@ in
       supabase = lib.mkOption { type = supabaseSubmodule; };
     };
     config.supabase = {
-      defaults = { };
+      postgres.defaults = { };
       supportedPostgresVersions = {
         postgres = {
           "15" = {
diff --git a/nix/packages/default.nix b/nix/packages/default.nix
@@ -46,6 +46,7 @@
           pg-restore = pkgs.callPackage ./pg-restore.nix { psql_15 = self'.packages."psql_15/bin"; };
           pg_prove = pkgs.perlPackages.TAPParserSourceHandlerpgTAP;
           pg_regress = makePgRegress activeVersion;
+          pgsodium_getkey_readonly = pkgs.callPackage ./pgsodium_getkey_readonly.nix { };
           run-testinfra = pkgs.callPackage ./run-testinfra.nix { };
           show-commands = pkgs.callPackage ./show-commands.nix { };
           start-client = pkgs.callPackage ./start-client.nix {
diff --git a/nix/packages/pgsodium_getkey_readonly.nix b/nix/packages/pgsodium_getkey_readonly.nix
@@ -0,0 +1,20 @@
+{
+  coreutils,
+  writeShellApplication,
+}:
+writeShellApplication {
+  name = "pgsodium-getkey-readonly";
+  runtimeInputs = [ coreutils ];
+  text = ''
+    KEY_FILE=/etc/postgresql-custom/pgsodium_root.key
+
+    # On the hosted platform, the root key is generated and managed for each project
+    # If for some reason the key is missing, we want to fail loudly,
+    # rather than generating a new one.
+    if [[ ! -f "''${KEY_FILE}" ]]; then
+        echo "Key file ''${KEY_FILE} does not exist." >&2
+        exit 1
+    fi
+    cat "$KEY_FILE"
+  '';
+}
diff --git a/nix/systemConfigs.nix b/nix/systemConfigs.nix
@@ -1,9 +1,14 @@
 { self, inputs, ... }:
 let
   mkModules = system: [
+    self.systemModules.postgres
     ({
       services.nginx.enable = true;
       nixpkgs.hostPlatform = system;
+      supabase.services.postgres = {
+        enable = true;
+        package = self.packages.${system}."psql_17/bin";
+      };
     })
   ];
 
diff --git a/nix/systemModules/default.nix b/nix/systemModules/default.nix
@@ -4,6 +4,8 @@
 {
   imports = [ ./tests ];
   flake = {
-    systemModules = { };
+    systemModules = {
+      postgres = ./postgres;
+    };
   };
 }
diff --git a/nix/systemModules/postgres/default.nix b/nix/systemModules/postgres/default.nix
diff --git a/nix/systemModules/tests/test_postgres.py b/nix/systemModules/tests/test_postgres.py

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@`
`4`	`4`	`{`
`5`	`5`	`imports = [ ./tests ];`
`6`	`6`	`flake = {`
`7`		`- systemModules = { };`
	`7`	`+ systemModules = {`
	`8`	`+ postgres = ./postgres;`
	`9`	`+ };`
`8`	`10`	`};`
`9`	`11`	`}`