From c954e9a60b7ddaff23f6fdc4f4e900f9c96a30ff Mon Sep 17 00:00:00 2001 From: Copple <10214025+kiwicopple@users.noreply.github.com> Date: Wed, 29 Apr 2020 21:17:22 +0800 Subject: [PATCH 01/22] Final spelling --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ed45b2ab2..684cb8093 100644 --- a/README.md +++ b/README.md 
@@ -24,11 +24,11 @@ See all installation instructions in the [repo wiki](https://github.com/supabase ## Motivation -After talking to a lot of techies, we've found that most believe Postgres is the best (operational) database but they *still* choose other databases. This is overwhelmingly because "the other one was quicker/easier". Our goal is to make it quick and simple to get started with Postgres, so that we never hear that excuse again. +After talking to a lot of techies, we've found that most believe Postgres is the best (operational) database but they *still* choose other databases. This is overwhelmingly because "the other one was quicker/easier". Our goal is to make it fast and simple to get started with Postgres, so that we never hear that excuse again. -Our secondary goal is to show off some of the features that are particularly exciting about Postgres to convince new developers to choose it over other database (a decision which we hope they will appreciate when they start scaling). +Our secondary goal is to show off a few of Postgres' most exciting features. This is to convince new developers to choose it over other database (a decision we hope they'll appreciate once they start scaling). -This is also the same build we offer at [Supabase](https://supabase.io), and everything we do is opensource. This repo makes it easy to *install* Postgres, Supabase makes it easy to *use* Postgres. +Finally, this is the same build we offer at [Supabase](https://supabase.io), and everything we do is opensource. This repo makes it easy to *install* Postgres, Supabase makes it easy to *use* Postgres. ## Roadmap From ca0ff49278cefe78bc7de87c1588c25145ea9c60 Mon Sep 17 00:00:00 2001 From: Copple <10214025+kiwicopple@users.noreply.github.com> Date: Wed, 29 Apr 2020 21:40:22 +0800 Subject: [PATCH 02/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 684cb8093..d97b94004 100644 --- a/README.md 
+++ b/README.md @@ -1,4 +1,4 @@ -# Supabase Postgres +# Postgres + goodies Unmodified Postgres with some useful plugins. Our goal with this repo is not to modify Postgres, but to provide some of the most common extensions with a one-click install. From 338380ff24a7e2347d887e46baaa749601800b5c Mon Sep 17 00:00:00 2001 From: Angelico Date: Thu, 30 Apr 2020 17:42:27 +0800 Subject: [PATCH 03/22] supabase/postgres Docker version --- docker/Dockerfile | 23 +++++++++++++++++++++++ docker/docker-compose.yml | 9 +++++++++ docker/mnt/init-permissions.sh | 8 ++++++++ 3 files changed, 40 insertions(+) create mode 100644 docker/Dockerfile create mode 100644 docker/docker-compose.yml create mode 100644 docker/mnt/init-permissions.sh diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 000000000..f7ca3d246 --- /dev/null +++ b/docker/Dockerfile @@ -0,0 +1,23 @@ +FROM postgres:12 + +# install postgis +ENV POSTGIS_MAJOR 3 +ENV POSTGIS_VERSION 3.0.0+dfsg-2~exp1.pgdg100+1 +RUN apt-get update \ + && apt-cache showpkg postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR \ + && apt-get install -y --no-install-recommends \ + postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR \ + postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR-scripts \ + && apt-get install software-properties-common -y \ + && apt-get install git -y \ + && apt-get install build-essential -y \ + && rm -rf /var/lib/apt/lists/* + +# install pgtap +ENV PGTAP_VERSION v1.1.0 +RUN git clone git://github.com/theory/pgtap.git \ + && cd pgtap && git checkout tags/$PGTAP_VERSION \ + && make install + +RUN mkdir -p /docker-entrypoint-initdb.d +ADD ./mnt /docker-entrypoint-initdb.d/ \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml new file mode 100644 index 000000000..ce82819b7 --- /dev/null +++ b/docker/docker-compose.yml 
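Review bot: The pgTAP step clones over `git://github.com/theory/pgtap.git`, a transport with no encryption or server authentication, so the source that `make install` compiles into the image can be altered in transit. Use `git clone https://github.com/theory/pgtap.git` and check out a pinned commit rather than the movable tag `tags/$PGTAP_VERSION`. `POSTGIS_VERSION` is declared but neither `apt-get install` line references it, so the PostGIS packages are effectively unpinned. `git`, `build-essential` and `software-properties-common` are installed here and never removed, which leaves a compiler toolchain in the runtime image; a separate build stage, or removal in the same `RUN`, keeps them out. `ADD ./mnt` copies plain local files, so `COPY ./mnt /docker-entrypoint-initdb.d/` is the more explicit form.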
@@ -0,0 +1,9 @@
+version: '3'
+
+services:
+ db:
+ image: supabase/postgres
+ ports:
+ - "6543:5432"
+ environment:
+ POSTGRES_PASSWORD: postgres
\ No newline at end of file
diff --git a/docker/mnt/init-permissions.sh b/docker/mnt/init-permissions.sh
new file mode 100644
index 000000000..c2a1c64e1
--- /dev/null
+++ b/docker/mnt/init-permissions.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+echo "host replication $POSTGRES_USER 0.0.0.0/0 trust" >> $PGDATA/pg_hba.conf
+echo "shared_preload_libraries = 'pg_stat_statements'" >> $PGDATA/postgresql.conf
+echo "pg_stat_statements.max = 10000" >> $PGDATA/postgresql.conf
+echo "pg_stat_statements.track = all" >> $PGDATA/postgresql.conf
+echo "wal_level=logical" >> $PGDATA/postgresql.conf
\ No newline at end of file
From 8b5dfed331276433e1fa92fa7a04a6ffe9aa0cd1 Mon Sep 17 00:00:00 2001
From: awalias
Date: Fri, 1 May 2020 16:24:30 +0800
Subject: [PATCH 04/22] adding replication slots and wal senders
---
 docker/mnt/init-permissions.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docker/mnt/init-permissions.sh b/docker/mnt/init-permissions.sh
index c2a1c64e1..7ccda73e0 100644
--- a/docker/mnt/init-permissions.sh
+++ b/docker/mnt/init-permissions.sh
@@ -5,4 +5,6 @@ echo "host replication $POSTGRES_USER 0.0.0.0/0 trust" >> $PGDATA/pg_hba.conf
 echo "shared_preload_libraries = 'pg_stat_statements'" >> $PGDATA/postgresql.conf
 echo "pg_stat_statements.max = 10000" >> $PGDATA/postgresql.conf
 echo "pg_stat_statements.track = all" >> $PGDATA/postgresql.conf
-echo "wal_level=logical" >> $PGDATA/postgresql.conf
\ No newline at end of file
+echo "wal_level=logical" >> $PGDATA/postgresql.conf
+echo "max_replication_slots=5" >> $PGDATA/postgresql.conf
+echo "max_wal_senders=5" >> $PGDATA/postgresql.conf
From 042d542f8d5257a6c474e53f89ef4044f3e43398 Mon Sep 17 00:00:00 2001
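Review bot: `POSTGRES_PASSWORD: postgres` hard-codes a guessable superuser password, and `"6543:5432"` publishes the port on every host interface, so anyone who can reach the host gets superuser access with a known credential. Take the password from the environment with no default, e.g. `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set a password}`, and bind to loopback for local use with `- "127.0.0.1:6543:5432"`. `image: supabase/postgres` carries no tag, so it resolves to `latest`; a version tag or digest makes the deployment reproducible.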
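Review bot: The first `echo` appends `host replication $POSTGRES_USER 0.0.0.0/0 trust` to `pg_hba.conf`, which lets any IPv4 client open a replication connection as the superuser without a password; a replication connection can stream the WAL and take a base backup, which amounts to the whole cluster. Use a password method and a narrow source range, e.g. `host replication $POSTGRES_USER <replica-cidr> scram-sha-256` (or `md5`, matching the server's `password_encryption`), preferably for a dedicated role that holds only `REPLICATION`. Every redirect uses an unquoted `$PGDATA`; write `"$PGDATA/pg_hba.conf"` and `"$PGDATA/postgresql.conf"` so a data directory containing spaces does not break the script. The PATCH 04/22 hunk on the same file leaves the `trust` line unchanged.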
From: Copple <10214025+kiwicopple@users.noreply.github.com> Date: Mon, 4 May 2020 09:17:41 +0800 Subject: [PATCH 05/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d97b94004..cb7056176 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Unmodified Postgres with some useful plugins. Our goal with this repo is not to - ✅ Ubuntu 18.04 (Bionic) - ✅ [pg-contrib-12](https://www.postgresql.org/docs/12/contrib.html). Because everyone should enable `pg_stat_statements`. - ⏳ **readonly** role. A readonly role set up by default for the public schema. -- ✅ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical. Ready for replication. +- ⏳ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical and [max_replication_slots](https://www.postgresql.org/docs/current/runtime-config-replication.html) = 5. Ready for replication. - ✅ [PostGIS](https://postgis.net/). Postgres' most popular extension - support for geographic objects. - ✅ [pgTAP](https://pgtap.org/). Unit Testing for Postgres - ⏳ [plv8](https://github.com/plv8/plv8) - [coming soon](https://github.com/supabase/postgres/issues/5#issuecomment-621129147). Write in Javascript functions in Postgres. From 5091af27edde0bc793d107a6d7e7fbae8981737f Mon Sep 17 00:00:00 2001 From: awalias Date: Mon, 4 May 2020 15:24:24 +0800 Subject: [PATCH 06/22] added pg replication slots to ansible playbook --- ansible/vars.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/vars.yml b/ansible/vars.yml index 2970d0d1f..014a822f3 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -1,5 +1,7 @@ postgresql_version: 12 postgresql_wal_level: "logical" +postgresql_max_wal_senders: 10 +postgresql_max_replication_slots: 5 postgresql_listen_addresses: - "*" From 1f4c8693ea8379555fd7a700696a9abac22fcaec Mon Sep 17 00:00:00 2001 
From: Angelico Date: Tue, 5 May 2020 10:52:22 +0800 Subject: [PATCH 07/22] Standardising max_wal_senders value --- docker/mnt/init-permissions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/mnt/init-permissions.sh b/docker/mnt/init-permissions.sh index 7ccda73e0..88102ce79 100644 --- a/docker/mnt/init-permissions.sh +++ b/docker/mnt/init-permissions.sh @@ -7,4 +7,4 @@ echo "pg_stat_statements.max = 10000" >> $PGDATA/postgresql.conf echo "pg_stat_statements.track = all" >> $PGDATA/postgresql.conf echo "wal_level=logical" >> $PGDATA/postgresql.conf echo "max_replication_slots=5" >> $PGDATA/postgresql.conf -echo "max_wal_senders=5" >> $PGDATA/postgresql.conf +echo "max_wal_senders=10" >> $PGDATA/postgresql.conf From fd2c7f20e8b1b938670a71184f51bd1905afbbde Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 5 May 2020 10:53:14 +0800 Subject: [PATCH 08/22] Putting a tick on setting up of max_replications_slots on README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cb7056176..d1ae295f3 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,7 @@ Unmodified Postgres with some useful plugins. Our goal with this repo is not to - ✅ Ubuntu 18.04 (Bionic) - ✅ [pg-contrib-12](https://www.postgresql.org/docs/12/contrib.html). Because everyone should enable `pg_stat_statements`. - ⏳ **readonly** role. A readonly role set up by default for the public schema. -- ⏳ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical and [max_replication_slots](https://www.postgresql.org/docs/current/runtime-config-replication.html) = 5. Ready for replication. +- ✅ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical and [max_replication_slots](https://www.postgresql.org/docs/current/runtime-config-replication.html) = 5. Ready for replication. - ✅ [PostGIS](https://postgis.net/). Postgres' most popular extension - support for geographic objects. - ✅ [pgTAP](https://pgtap.org/). Unit Testing for Postgres - ⏳ [plv8](https://github.com/plv8/plv8) - [coming soon](https://github.com/supabase/postgres/issues/5#issuecomment-621129147). Write in Javascript functions in Postgres. From 9416c3df1d7ed815d27fa8331573660b5f904074 Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 5 May 2020 16:01:57 +0800 Subject: [PATCH 09/22] Docker solution to readonly user # 11 --- docker/mnt/00-schema.sql | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 docker/mnt/00-schema.sql diff --git a/docker/mnt/00-schema.sql b/docker/mnt/00-schema.sql new file mode 100644 index 000000000..1ce28ded0 --- /dev/null +++ b/docker/mnt/00-schema.sql 
@@ -0,0 +1,14 @@ +-- Strip everyone on rights to the public schema except for the user postgres +REVOKE ALL ON schema public FROM public; +GRANT ALL ON schema public TO postgres; + + +-- Provide read only access to the schema and its current content +CREATE ROLE public_readonly; +GRANT CONNECT ON DATABASE postgres TO public_readonly; +GRANT USAGE ON SCHEMA public TO public_readonly; +GRANT SELECT ON ALL TABLES IN SCHEMA public TO public_readonly; + +-- Provide read only access to future tables in the schema +ALTER DEFAULT PRIVILEGES IN SCHEMA public +GRANT SELECT ON TABLES TO public_readonly; \ No newline at end of file From a5cdffbacb4e4c15641a591f8f3902142b20fd93 Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 5 May 2020 16:02:58 +0800 Subject: [PATCH 10/22] Docker solution to plpython #9 --- docker/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docker/Dockerfile b/docker/Dockerfile index f7ca3d246..ee39f0b7f 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -19,5 +19,9 @@ RUN git clone git://github.com/theory/pgtap.git \ && cd pgtap && git checkout tags/$PGTAP_VERSION \ && make install +# install plpython3 +RUN apt-get update \ + && apt-get install postgresql-plpython3-12 -y + RUN mkdir -p /docker-entrypoint-initdb.d ADD ./mnt /docker-entrypoint-initdb.d/ \ No newline at end of file From d676a6818b459be017422b6bde7290fd53d8caa1 Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 5 May 2020 18:51:36 +0800 Subject: [PATCH 11/22] Docker solution to plv8 #8 --- docker/Dockerfile | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docker/Dockerfile b/docker/Dockerfile index ee39f0b7f..6fbff7a98 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
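Review bot: `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO public_readonly;` has no `FOR ROLE` clause, so it covers only tables later created by the role that runs this script; tables created by any other role will not be readable by `public_readonly`. A comment above it would make that explicit: `-- Applies only to tables created by the role running this script; repeat with FOR ROLE <owner> for other table owners`. `REVOKE ALL ON schema public FROM public` removes schema access only, and the `CONNECT` and `TEMPORARY` privileges that `PUBLIC` holds on the database by default remain, so the header comment overstates what is stripped. `CREATE ROLE public_readonly` is not idempotent, which matters if the script is ever run against an existing database.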
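Review bot: The new `RUN` hard-codes `postgresql-plpython3-12` where the rest of the file uses `$PG_MAJOR`, omits `--no-install-recommends`, and leaves `/var/lib/apt/lists` in the layer. `RUN apt-get update && apt-get install -y --no-install-recommends postgresql-plpython3-$PG_MAJOR && rm -rf /var/lib/apt/lists/*` keeps it consistent with the PostGIS step. Because `plpython3u` is an untrusted language, a comment such as `# plpython3u is untrusted: functions run with the server's OS privileges; creating them is superuser-only by default` tells operators what shipping it implies.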
@@ -23,5 +23,42 @@ RUN git clone git://github.com/theory/pgtap.git \ RUN apt-get update \ && apt-get install postgresql-plpython3-12 -y +# install plv8 +ENV PLV8_VERSION=2.3.13 \ + PLV8_SHASUM="1a96c559d98ad757e7494bf7301f0e6b0dd2eec6066ad76ed36cc13fec4f2390" + +RUN buildDependencies="build-essential \ + ca-certificates \ + curl \ + git-core \ + python \ + gpp \ + cpp \ + pkg-config \ + apt-transport-https \ + cmake \ + libc++-dev \ + libc++abi-dev \ + postgresql-server-dev-$PG_MAJOR" \ + && runtimeDependencies="libc++1 \ + libtinfo5 \ + libc++abi1" \ + && apt-get update \ + && apt-get install -y --no-install-recommends ${buildDependencies} ${runtimeDependencies} \ + && mkdir -p /tmp/build \ + && curl -o /tmp/build/v$PLV8_VERSION.tar.gz -SL "https://github.com/plv8/plv8/archive/v${PLV8_VERSION}.tar.gz" \ + && cd /tmp/build \ + && echo $PLV8_SHASUM v$PLV8_VERSION.tar.gz | sha256sum -c \ + && tar -xzf /tmp/build/v$PLV8_VERSION.tar.gz -C /tmp/build/ \ + && cd /tmp/build/plv8-$PLV8_VERSION \ + && make static \ + && make install \ + && strip /usr/lib/postgresql/${PG_MAJOR}/lib/plv8-${PLV8_VERSION}.so \ + && rm -rf /root/.vpython_cipd_cache /root/.vpython-root \ + && apt-get clean \ + && apt-get remove -y ${buildDependencies} \ + && apt-get autoremove -y \ + && rm -rf /tmp/build /var/lib/apt/lists/* + RUN mkdir -p /docker-entrypoint-initdb.d ADD ./mnt /docker-entrypoint-initdb.d/ \ No newline at end of file From 7e6f8093d0311f9c9c74ee40f63b5e8631ae3965 Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 5 May 2020 20:56:25 +0800 Subject: [PATCH 12/22] Packer solution to plpython #9 --- ansible/tasks/setup-extensions.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml index 547af74a2..20c7de2bb 100644 --- a/ansible/tasks/setup-extensions.yml +++ b/ansible/tasks/setup-extensions.yml 
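Review bot: The `sha256sum -c` check covers only the plv8 source tarball; `make static` then builds V8, which the plv8 build appears to fetch while it runs (the `/root/.vpython_cipd_cache` cleanup points to depot_tools), and nothing in this `RUN` pins or verifies that download. A comment above the step would record the gap: `# NOTE: checksum covers plv8 only; V8 sources are fetched by the plv8 build at build time`. `apt-get remove -y ${buildDependencies}` also removes `ca-certificates`, leaving the final image without a system CA bundle; move it to `runtimeDependencies` if anything in the container needs outbound TLS. The checksum line is safer quoted and in the standard two-space format, `echo "$PLV8_SHASUM  v$PLV8_VERSION.tar.gz" | sha256sum -c -`.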
@@ -35,4 +35,10 @@ make: chdir: /tmp/pgtap-1.1.0 target: install - become: yes \ No newline at end of file + become: yes + +- name: Install plpython + apt: + pkg: postgresql-plpython3-12 + update_cache: yes + cache_valid_time: 3600 \ No newline at end of file From da5a47745870d0851424abc0b7e79a0af6ef797d Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 5 May 2020 20:56:44 +0800 Subject: [PATCH 13/22] Packer solution for readonly user #11 --- ansible/playbook.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 46a243686..0923face1 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -13,6 +13,23 @@ tasks: - include_tasks: tasks/setup-extensions.yml + - name: Dump SQL script + copy: + dest: /tmp/00-schema.sql + src: ../docker/mnt/00-schema.sql + + - name: Set up readonly user for the public schema + become: yes + become_user: postgres + postgresql_query: + db: postgres + path_to_script: /tmp/00-schema.sql + + - name: Delete SQL script + file: + path: /tmp/00-schema.sql + state: absent + - name: Set up password for superadmin postgres become: yes become_user: postgres From f94eb156e7f4ab150e911467509a4c43d4e1606b Mon Sep 17 00:00:00 2001 From: Angelico Date: Thu, 7 May 2020 10:09:41 +0800 Subject: [PATCH 14/22] Packer solution to plv8 #8 --- ansible/tasks/setup-extensions.yml | 60 +++++++++++++++++++++++++++++- ansible/tasks/setup-system.yml | 6 --- digitalOcean.json | 4 +- 3 files changed, 60 insertions(+), 10 deletions(-) diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml index 20c7de2bb..09314b1c1 100644 --- a/ansible/tasks/setup-extensions.yml +++ b/ansible/tasks/setup-extensions.yml @@ -18,7 +18,7 @@ cache_valid_time: 3600 when: postgresql_version >= 10 -- name: pgTAP - download latest releas +- name: pgTAP - download latest release get_url: url: "https://github.com/theory/pgtap/archive/{{ pgtap_release }}.tar.gz" dest: /tmp 
@@ -41,4 +41,60 @@ apt: pkg: postgresql-plpython3-12 update_cache: yes - cache_valid_time: 3600 \ No newline at end of file + cache_valid_time: 3600 + +- name: plv8 - download & install dependencies + apt: + pkg: + - build-essential + - ca-certificates + - curl + - git-core + - python + - gpp + - cpp + - pkg-config + - apt-transport-https + - cmake + - libc++-dev + - libc++abi-dev + - postgresql-server-dev-12 + - libc++1 + - libtinfo5 + - libc++abi1 + update_cache: yes + install_recommends: no + +- name: plv8 - download latest release + git: + repo: https://github.com/plv8/plv8.git + dest: /tmp/plv8 + version: r3.0alpha + become: yes + +- name: plv8 - build + make: + chdir: /tmp/plv8 + become: yes + +- name: plv8 - install + make: + chdir: /tmp/plv8 + target: install + become: yes + +- name: plv8 - remove build dependencies + apt: + pkg: + - ca-certificates + - curl + - git-core + - python + - gpp + - cpp + - pkg-config + - apt-transport-https + - cmake + - libc++-dev + - libc++abi-dev + - postgresql-server-dev-12 diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml index f976ba225..018f92297 100644 --- a/ansible/tasks/setup-system.yml +++ b/ansible/tasks/setup-system.yml @@ -4,15 +4,9 @@ apt: update_cache=yes upgrade=yes # SEE http://archive.vn/DKJjs#parameter-upgrade -- name: add universe repository for bionic - apt_repository: - repo: deb http://archive.ubuntu.com/ubuntu bionic universe - state: present - - name: Install essentials apt: pkg: - - build-essential - ufw update_cache: yes cache_valid_time: 3600 diff --git a/digitalOcean.json b/digitalOcean.json index 0dcb65637..387526d9f 100644 --- a/digitalOcean.json +++ b/digitalOcean.json @@ -8,9 +8,9 @@ "api_token": "{{user `do_token`}}", "image": "ubuntu-18-04-x64", "region": "{{user `region`}}", - "size": "512mb", + "size": "s-1vcpu-1gb", "ssh_username": "root", - "snapshot_name": "supabase-postgresql-0.0.8" + "snapshot_name": "supabase-postgresql-0.0.11" }], "provisioners": [ { 
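Review bot: The task `plv8 - remove build dependencies` sets no `state`, and the `apt` module defaults to `state: present`, so it installs the listed packages again instead of removing them and the build toolchain stays in the image. Add `state: absent` (with `autoremove: yes`) to that task, and drop `ca-certificates` from the list, since removing it would strip the system CA bundle that TLS clients on the host rely on. `plv8 - download latest release` checks out `version: r3.0alpha`, a ref upstream can move, and the build runs with `become: yes`; pinning `version` to a full commit SHA fixes what gets compiled. `/tmp/plv8` is never deleted after the install.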
From a97b00cc9201f8b0104b10392608f0d50ab62c4a Mon Sep 17 00:00:00 2001 From: Angelico Date: Thu, 7 May 2020 14:56:36 +0800 Subject: [PATCH 15/22] Docker solution now runs r3.0alpha version of v8 as well #8 --- docker/Dockerfile | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 6fbff7a98..47bf48b4b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -24,8 +24,7 @@ RUN apt-get update \ && apt-get install postgresql-plpython3-12 -y # install plv8 -ENV PLV8_VERSION=2.3.13 \ - PLV8_SHASUM="1a96c559d98ad757e7494bf7301f0e6b0dd2eec6066ad76ed36cc13fec4f2390" +ENV PLV8_VERSION=r3.0alpha RUN buildDependencies="build-essential \ ca-certificates \ @@ -46,14 +45,12 @@ RUN buildDependencies="build-essential \ && apt-get update \ && apt-get install -y --no-install-recommends ${buildDependencies} ${runtimeDependencies} \ && mkdir -p /tmp/build \ - && curl -o /tmp/build/v$PLV8_VERSION.tar.gz -SL "https://github.com/plv8/plv8/archive/v${PLV8_VERSION}.tar.gz" \ && cd /tmp/build \ - && echo $PLV8_SHASUM v$PLV8_VERSION.tar.gz | sha256sum -c \ - && tar -xzf /tmp/build/v$PLV8_VERSION.tar.gz -C /tmp/build/ \ - && cd /tmp/build/plv8-$PLV8_VERSION \ + && git clone https://github.com/plv8/plv8.git \ + && cd plv8 \ + && git checkout ${PLV8_VERSION} \ && make static \ && make install \ - && strip /usr/lib/postgresql/${PG_MAJOR}/lib/plv8-${PLV8_VERSION}.so \ && rm -rf /root/.vpython_cipd_cache /root/.vpython-root \ && apt-get clean \ && apt-get remove -y ${buildDependencies} \ From 4a05f08e88d33287e87ea97ea5b9193128ff5ceb Mon Sep 17 00:00:00 2001 From: Angelico Date: Thu, 7 May 2020 15:29:24 +0800 Subject: [PATCH 16/22] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d1ae295f3..7ab96acd4 100644 --- a/README.md +++ b/README.md 
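Review bot: Replacing the tarball download with `git clone https://github.com/plv8/plv8.git` and `git checkout ${PLV8_VERSION}` drops the `sha256sum -c` verification the step had before, and `r3.0alpha` is a ref upstream can move, so the image now compiles whatever that ref points to on the day of the build. Pin the checkout to a full commit SHA, `ENV PLV8_VERSION=<full-commit-sha>`, so it is content-addressed, or keep an archive download with a checksum. This applies to both Dockerfile hunks of this commit: the `ENV` change in the first and the clone in the second. The enclosing `RUN` starts and ends outside the second hunk.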
@@ -7,12 +7,12 @@ Unmodified Postgres with some useful plugins. Our goal with this repo is not to - ✅ Postgres [12](https://www.postgresql.org/about/news/1976/). Includes [generated columns](https://www.postgresql.org/docs/12/ddl-generated-columns.html) and [JSON path](https://www.postgresql.org/docs/12/functions-json.html#FUNCTIONS-SQLJSON-PATH) support - ✅ Ubuntu 18.04 (Bionic) - ✅ [pg-contrib-12](https://www.postgresql.org/docs/12/contrib.html). Because everyone should enable `pg_stat_statements`. -- ⏳ **readonly** role. A readonly role set up by default for the public schema. +- ✅ **readonly** role. A readonly role set up by default for the public schema. - ✅ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical and [max_replication_slots](https://www.postgresql.org/docs/current/runtime-config-replication.html) = 5. Ready for replication. - ✅ [PostGIS](https://postgis.net/). Postgres' most popular extension - support for geographic objects. - ✅ [pgTAP](https://pgtap.org/). Unit Testing for Postgres -- ⏳ [plv8](https://github.com/plv8/plv8) - [coming soon](https://github.com/supabase/postgres/issues/5#issuecomment-621129147). Write in Javascript functions in Postgres. -- ⏳ [plpython3u](https://www.postgresql.org/docs/current/plpython-python23.html) - [coming soon](https://github.com/supabase/postgres/issues/5#issuecomment-621129797). Python3 enabled by default. Write in Python functions in Postgres. +- ✅ [plv8](https://github.com/plv8/plv8) - Write in Javascript functions in Postgres. +- ✅ [plpython3u](https://www.postgresql.org/docs/current/plpython-python23.html) - Python3 enabled by default. Write in Python functions in Postgres. ## Install From 424eeb88093b0025fbf714949c7fcd9a2d65285a Mon Sep 17 00:00:00 2001 
From: Angelico Date: Tue, 12 May 2020 19:43:10 +0800 Subject: [PATCH 17/22] Making sure ansible works for DO & AWS --- ansible/tasks/setup-extensions.yml | 1 - ansible/tasks/setup-system.yml | 10 +++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml index 09314b1c1..66c8542d7 100644 --- a/ansible/tasks/setup-extensions.yml +++ b/ansible/tasks/setup-extensions.yml @@ -50,7 +50,6 @@ - ca-certificates - curl - git-core - - python - gpp - cpp - pkg-config diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml index 018f92297..bb235ea82 100644 --- a/ansible/tasks/setup-system.yml +++ b/ansible/tasks/setup-system.yml @@ -4,15 +4,23 @@ apt: update_cache=yes upgrade=yes # SEE http://archive.vn/DKJjs#parameter-upgrade +- name: add universe repository for bionic + apt_repository: + repo: deb http://archive.ubuntu.com/ubuntu bionic universe + state: present + - name: Install essentials apt: pkg: - ufw + - python3 + - python3-pip update_cache: yes cache_valid_time: 3600 - name: Install psycopg2 to enable ansible postgreSQL features - pip: name=psycopg2-binary + pip: + name: psycopg2-binary - name: System - Create services.slice template: From c0d9388501dab3046aeaee2471862ddd4ae1c5ca Mon Sep 17 00:00:00 2001 From: Angelico Date: Tue, 12 May 2020 19:49:27 +0800 Subject: [PATCH 18/22] AWS marketplace approved configuration --- amazon.json | 8 ++++---- scripts/02-credentials_cleanup.sh | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 scripts/02-credentials_cleanup.sh diff --git a/amazon.json b/amazon.json index e164bdf57..9fe177a50 100644 --- a/amazon.json +++ b/amazon.json @@ -3,6 +3,7 @@ "aws_access_key": "", "aws_secret_key": "", "region": "", + "ami": "", "name": "" }, "builders": [{ 
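Review bot: `pip: name: psycopg2-binary` in `setup-system.yml` installs whatever version PyPI serves at build time into the system Python of an image that is then published. Add `version: <pinned-version>` to the task so builds are reproducible and an unexpected upstream release is not picked up silently. With only `python3-pip` installed, it is also worth stating the interpreter explicitly, e.g. `executable: pip3`, so the module does not depend on which `pip` it finds first. The task list continues outside the hunk.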
@@ -10,14 +11,12 @@ "access_key": "{{user `aws_access_key`}}", "secret_key": "{{user `aws_secret_key`}}", "region": "{{user `region`}}", - "source_ami": "ami-0f7719e8b7ba25c61", - "instance_type": "t2.micro", + "source_ami": "{{user `ami`}}", + "instance_type": "t2.large", "ssh_username": "ubuntu", "ami_name": "{{user `name`}}", "launch_block_device_mappings": [{ "device_name": "/dev/sda1", - "encrypted": true, - "kms_key_id": "44e7e739-21f1-4678-829e-d1ac63d121b4", "iops": 400, "volume_type": "io1", "volume_size": 8, @@ -35,6 +34,7 @@ "type": "shell", "scripts": [ "scripts/01-test", + "scripts/02-credentials_cleanup.sh", "scripts/90-cleanup.sh", "scripts/91-log_cleanup.sh", "scripts/99-img_check.sh" diff --git a/scripts/02-credentials_cleanup.sh b/scripts/02-credentials_cleanup.sh new file mode 100644 index 000000000..d1b359a66 --- /dev/null +++ b/scripts/02-credentials_cleanup.sh @@ -0,0 +1 @@ +sudo rm /home/ubuntu/.ssh/authorized_keys \ No newline at end of file From 06837933cee0b3a35a05cf86792355d1fe8f74da Mon Sep 17 00:00:00 2001 From: Angelico Date: Fri, 15 May 2020 16:59:47 +0800 Subject: [PATCH 19/22] Cleanup: delete unnecessary files --- ansible/files/ACCC4CF8.asc | 77 ----------------------------- ansible/files/kong.conf.j2 | 7 --- ansible/files/kong.service.j2 | 20 -------- ansible/files/postgresql.service.j2 | 5 -- ansible/files/postgrest.service.j2 | 17 ------- ansible/files/supabase.service.j2 | 24 --------- 6 files changed, 150 deletions(-) delete mode 100644 ansible/files/ACCC4CF8.asc delete mode 100644 ansible/files/kong.conf.j2 delete mode 100644 ansible/files/kong.service.j2 delete mode 100644 ansible/files/postgresql.service.j2 delete mode 100644 ansible/files/postgrest.service.j2 delete mode 100644 ansible/files/supabase.service.j2 diff --git a/ansible/files/ACCC4CF8.asc b/ansible/files/ACCC4CF8.asc deleted file mode 100644 index 8480576ec..000000000 --- a/ansible/files/ACCC4CF8.asc +++ /dev/null 
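Review bot: With `"encrypted": true` and `kms_key_id` gone from `launch_block_device_mappings`, the snapshot behind the AMI is stored unencrypted, and nothing on the page records why. The commit title suggests this is a Marketplace requirement; since JSON has no comments, state that in the README and tell users to enable EBS encryption (account default or at launch) for instances created from the image. Moving `source_ami` to `{{user `ami`}}` and dropping the hard-coded key id is a sound change, but the `ami` variable defaults to an empty string, so a short README line on which base image is expected would prevent builds from an unintended AMI.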
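Review bot: `sudo rm /home/ubuntu/.ssh/authorized_keys` is the whole of `scripts/02-credentials_cleanup.sh`: there is no shebang or `set -e`, `rm` without `-f` fails the build when the file is absent, and only the `ubuntu` user's keys are removed. Start the file with `#!/bin/bash` and `set -euo pipefail`, and use `sudo rm -f /home/ubuntu/.ssh/authorized_keys /root/.ssh/authorized_keys` so root's keys are cleared as well. It runs before `scripts/90-cleanup.sh`, `scripts/91-log_cleanup.sh` and `scripts/99-img_check.sh`; those scripts are not shown here, so confirm they clear shell history and regenerate SSH host keys before the image is published.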
@@ -1,77 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja -UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V -G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4 -bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi -c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC -IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh -hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U -A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3 -RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj -Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2 -AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB -tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD -BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A -CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO -xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY -kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3 -z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ -Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf -Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy -2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0 -B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T -7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi -vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b -ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI -RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP -+ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS -p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i -+eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp -1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+ 
-dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94 -xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q -fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+ -+985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl -hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT -ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg -mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh -Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC -GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM -TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd -nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct -AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/ -LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG -kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k -/9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD -kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP -YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR -GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4 -6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e -B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC -GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM -TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9 -NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb -OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/ -BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe -LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB -Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m -+3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL -tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L -jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m 
-Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw -gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC -GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM -TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h -m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz -voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei -4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn -JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN -orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe -mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z -gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3 -paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a -OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby -Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y= -=DA1T ------END PGP PUBLIC KEY BLOCK----- diff --git a/ansible/files/kong.conf.j2 b/ansible/files/kong.conf.j2 deleted file mode 100644 index 1c97388f2..000000000 --- a/ansible/files/kong.conf.j2 +++ /dev/null @@ -1,7 +0,0 @@ -database = off -declarative_config = /etc/kong/kong.yml - -# plugins defined in the dockerfile -plugins = request-transformer,cors,key-auth - -proxy_listen = 0.0.0.0:80 reuseport backlog=16384, 0.0.0.0:443 http2 ssl reuseport backlog=16834 diff --git a/ansible/files/kong.service.j2 b/ansible/files/kong.service.j2 deleted file mode 100644 index a4b08c55e..000000000 --- a/ansible/files/kong.service.j2 +++ /dev/null 
@@ -1,20 +0,0 @@ -[Unit] -Description=Kong server -After=supabase.service postgrest.service -Requires=supabase.service postgrest.service - -[Service] -Type=forking -ExecStart=/usr/local/bin/kong start -c /etc/kong/kong.conf -ExecStop=/usr/local/bin/kong stop -Restart=always -User=kong -Slice=services.slice - -# The kong user is unpriviledged and thus not permited to bind on ports < 1024 -# Via systemd we grant the process a set of priviledges to bind to 80/443 -# See http://archive.vn/36zJU -AmbientCapabilities=CAP_NET_BIND_SERVICE - -[Install] -WantedBy=multi-user.target diff --git a/ansible/files/postgresql.service.j2 b/ansible/files/postgresql.service.j2 deleted file mode 100644 index d1b8e5f0a..000000000 --- a/ansible/files/postgresql.service.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# This is an additive override for the service files generated by the postgresql -# installation. Systemd will pick this directive up and append it to the default -# service definitions /lib/systemd/system/postgresql* -[Service] -Slice=slices.service diff --git a/ansible/files/postgrest.service.j2 b/ansible/files/postgrest.service.j2 deleted file mode 100644 index edbed4e16..000000000 --- a/ansible/files/postgrest.service.j2 +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=PostgREST -{% if install_postgresql|bool %} -Requires=postgresql.service -After=postgresql.service -{% endif %} - -[Service] -Type=simple -ExecStart=/opt/postgrest /etc/postgrest.conf -Restart=always -User=postgrest - -Slice=services.slice - -[Install] -WantedBy=multi-user.target diff --git a/ansible/files/supabase.service.j2 b/ansible/files/supabase.service.j2 deleted file mode 100644 index c17d6163b..000000000 --- a/ansible/files/supabase.service.j2 +++ /dev/null 
@@ -1,24 +0,0 @@ -[Unit] -Description=Supabase Realtime server -{% if install_postgresql|bool %} -Requires=postgresql.service -After=postgresql.service -{% endif %} - -[Service] -Type=simple -ExecStart=/opt/supabase/server/_build/prod/rel/realtime/bin/realtime start -Restart=always - -# User for the build, and service -User=supabase -EnvironmentFile=/etc/supabase.env - -# Not specified in the supabase server docs but startup will fail if the HOME environmental -# variable is not set. -Environment="HOME=/home/supabase" - -Slice=services.slice - -[Install] -WantedBy=multi-user.target From 63d368c5db0c98474fbb81a28839a26199dbb5c7 Mon Sep 17 00:00:00 2001 From: Angelico Date: Fri, 15 May 2020 17:06:34 +0800 Subject: [PATCH 20/22] Docker: Add pgAudit --- docker/Dockerfile | 14 ++++++++++++++ docker/mnt/init-permissions.sh | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 47bf48b4b..50d945112 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -23,6 +23,20 @@ RUN git clone git://github.com/theory/pgtap.git \ RUN apt-get update \ && apt-get install postgresql-plpython3-12 -y +# install pgAudit +RUN pgAuditDependencies="postgresql-server-dev-$PG_MAJOR \ + libssl-dev \ + libkrb5-dev \ + git-core" \ + && apt-get update \ + && apt-get install -y --no-install-recommends ${pgAuditDependencies} \ + && cd /tmp \ + && git clone https://github.com/pgaudit/pgaudit.git \ + && cd pgaudit \ + && git checkout master \ + && make check USE_PGXS=1 \ + && make install USE_PGXS=1 + # install plv8 ENV PLV8_VERSION=r3.0alpha diff --git a/docker/mnt/init-permissions.sh b/docker/mnt/init-permissions.sh index 88102ce79..3f1f106d9 100644 --- a/docker/mnt/init-permissions.sh +++ b/docker/mnt/init-permissions.sh 
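Review bot: The added RUN block in docker/Dockerfile builds pgAudit from whatever `master` points to at build time (`git checkout master`), so the extension loaded into the server is not reproducible, cannot be reviewed at a fixed revision, and may not match the PostgreSQL major that `postgresql-server-dev-$PG_MAJOR` provides headers for. Pin the checkout to a release tag or commit that targets this major version, e.g. `&& git checkout <pgaudit-release-tag-or-commit> \`. The `git` task added to ansible/tasks/setup-extensions.yml in the next commit has the same gap and should carry `version: <pgaudit-release-tag-or-commit>`. The build dependencies, the apt lists and `/tmp/pgaudit` also stay in this layer; removing them in the same RUN keeps the compiler toolchain and git out of the runtime image.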
@@ -2,9 +2,14 @@ set -e echo "host replication $POSTGRES_USER 0.0.0.0/0 trust" >> $PGDATA/pg_hba.conf -echo "shared_preload_libraries = 'pg_stat_statements'" >> $PGDATA/postgresql.conf +echo "shared_preload_libraries = 'pg_stat_statements, pgaudit'" >> $PGDATA/postgresql.conf echo "pg_stat_statements.max = 10000" >> $PGDATA/postgresql.conf echo "pg_stat_statements.track = all" >> $PGDATA/postgresql.conf echo "wal_level=logical" >> $PGDATA/postgresql.conf echo "max_replication_slots=5" >> $PGDATA/postgresql.conf echo "max_wal_senders=10" >> $PGDATA/postgresql.conf +echo "log_destination='csvlog'" >> $PGDATA/postgresql.conf +echo "logging_collector=on" >> $PGDATA/postgresql.conf +echo "log_filename='postgresql.log'" >> $PGDATA/postgresql.conf +echo "log_rotation_age=0" >> $PGDATA/postgresql.conf +echo "log_rotation_size=0" >> $PGDATA/postgresql.conf From b7c2e0a9df584bb1c46df565272c6a15a0651b5a Mon Sep 17 00:00:00 2001 From: Angelico Date: Fri, 15 May 2020 17:08:30 +0800 Subject: [PATCH 21/22] #15 Ansible: adding security updates & pgAudit --- ansible/files/apt_periodic | 4 ++++ ansible/playbook.yml | 12 +++++------- ansible/tasks/setup-extensions.yml | 31 ++++++++++++++++++++++++++++++ ansible/tasks/setup-system.yml | 7 +++++++ ansible/vars.yml | 12 ++++++++---- 5 files changed, 55 insertions(+), 11 deletions(-) create mode 100644 ansible/files/apt_periodic diff --git a/ansible/files/apt_periodic b/ansible/files/apt_periodic new file mode 100644 index 000000000..75870203d --- /dev/null +++ b/ansible/files/apt_periodic @@ -0,0 +1,4 @@ +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::AutocleanInterval "7"; +APT::Periodic::Unattended-Upgrade "1"; \ No newline at end of file diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 0923face1..209426605 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml 
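Review bot: `pgaudit` is added to `shared_preload_libraries` in init-permissions.sh, but no `pgaudit.log` setting is written, and as far as I know its default is `none`, so the library is loaded without producing any audit records. Add an explicit class list next to the preload line, for example `echo "pgaudit.log = 'ddl, role'" >> $PGDATA/postgresql.conf`, chosen to match what actually needs auditing. With `log_rotation_age=0` and `log_rotation_size=0` everything is written to a single `postgresql.log` that is never rotated, so the file (by default under the data directory) grows without bound unless something external rotates or ships it. The ansible/vars.yml hunk in the next commit mirrors these settings and has the same two gaps.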
@@ -29,14 +29,12 @@ file: path: /tmp/00-schema.sql state: absent - - - name: Set up password for superadmin postgres - become: yes - become_user: postgres - postgresql_user: - name: postgres - password: "{{ postgres_superadmin_password }}" + - name: Adjust APT update intervals + copy: + src: files/apt_periodic + dest: /etc/apt/apt.conf.d/10periodic + - name: UFW - Allow SSH connections ufw: rule: allow diff --git a/ansible/tasks/setup-extensions.yml b/ansible/tasks/setup-extensions.yml index 66c8542d7..5b1ac56f2 100644 --- a/ansible/tasks/setup-extensions.yml +++ b/ansible/tasks/setup-extensions.yml @@ -43,6 +43,37 @@ update_cache: yes cache_valid_time: 3600 +- name: pgAudit - download & install dependencies + apt: + pkg: + - postgresql-server-dev-12 + - libssl-dev + - libkrb5-dev + update_cache: yes + install_recommends: no + +- name: pgAudit - download latest release + git: + repo: https://github.com/pgaudit/pgaudit.git + dest: /tmp/pgaudit + become: yes + +- name: pgAudit - build + make: + chdir: /tmp/pgaudit + target: check + params: + USE_PGXS: 1 + become: yes + +- name: pgAudit - install + make: + chdir: /tmp/pgaudit + target: install + params: + USE_PGXS: 1 + become: yes + - name: plv8 - download & install dependencies apt: pkg: diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml index bb235ea82..3661710a1 100644 --- a/ansible/tasks/setup-system.yml +++ b/ansible/tasks/setup-system.yml @@ -13,11 +13,18 @@ apt: pkg: - ufw + - fail2ban + - unattended-upgrades - python3 - python3-pip update_cache: yes cache_valid_time: 3600 +- name: Adjust APT update intervals + copy: + src: files/apt_periodic + dest: /etc/apt/apt.conf.d/10periodic + - name: Install psycopg2 to enable ansible postgreSQL features pip: name: psycopg2-binary diff --git a/ansible/vars.yml b/ansible/vars.yml index 014a822f3..f62d78a7e 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml 
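Review bot: The `Adjust APT update intervals` task added to playbook.yml is added again, word for word, to ansible/tasks/setup-system.yml in this same commit, so if that task file is included by this playbook the file is copied twice and the two definitions can drift apart later. Keep it only in setup-system.yml, next to the task that installs `unattended-upgrades`. Wherever it stays, the `copy` should state ownership and permissions instead of inheriting them, e.g. `owner: root`, `group: root`, `mode: "0644"`. The surrounding task list starts and ends outside this hunk.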
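Review bot: The `pgAudit - build` task in setup-extensions.yml runs the `check` target, which under PGXS is, as far as I know, only a stub that tells the caller to run `installcheck` after installing, so this step probably neither compiles nor tests the extension and the real build only happens in the `install` task. Either drop the `target: check` line so the default target compiles the extension, or remove the task and leave the build to `install`; `make check USE_PGXS=1` in docker/Dockerfile from the previous commit behaves the same way. The clone and build also run with `become: yes` in a fixed path under `/tmp` and are left behind afterwards; a dedicated build directory that is removed once `install` succeeds would be tidier on a host image.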
@@ -11,12 +11,16 @@ postgresql_ext_install_dev_headers: yes # Warning: Make sure the postgresql & postgis versions are compatible with one another postgresql_ext_postgis_version: 3 -postgresql_shared_preload_libraries: [pg_stat_statements] +postgresql_shared_preload_libraries: [pg_stat_statements, pgaudit] postgresql_pg_hba_custom: - {type: "host", database: "all", user: "all", address: "0.0.0.0/0", method: "md5" } -postgres_superadmin_password: "a1b2c3d4e5f6g7" - pgtap_release: v1.1.0 -pgtap_release_checksum: sha1:cca57708e723de18735a723b774577dc52f6f31e \ No newline at end of file +pgtap_release_checksum: sha1:cca57708e723de18735a723b774577dc52f6f31e + +postgresql_log_destination: "csvlog" +postgresql_logging_collector: on +postgresql_log_filename: "postgresql.log" +postgresql_log_rotation_age: 0 +postgresql_log_rotation_size: 0 \ No newline at end of file From a4d5ddb57ba5f43afc613fa473356dcefba1b616 Mon Sep 17 00:00:00 2001 From: Angelico Date: Fri, 15 May 2020 17:09:12 +0800 Subject: [PATCH 22/22] 0.12.0 --- digitalOcean.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/digitalOcean.json b/digitalOcean.json index 387526d9f..beadd80d5 100644 --- a/digitalOcean.json +++ b/digitalOcean.json @@ -10,7 +10,7 @@ "region": "{{user `region`}}", "size": "s-1vcpu-1gb", "ssh_username": "root", - "snapshot_name": "supabase-postgresql-0.0.11" + "snapshot_name": "supabase-postgresql-0.12.0" }], "provisioners": [ {
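Review bot: `postgres_superadmin_password` is deleted from vars.yml and the task that applied it is dropped from playbook.yml, but the commit message does not mention it and nothing replaces it, while the `postgresql_pg_hba_custom` context line still admits every user from `0.0.0.0/0` with `md5`. The literal value remains in the repository history, so any snapshot built from an earlier revision should be treated as carrying a known superuser credential and have it rotated. A short comment where the variable used to be would record the intent, e.g. `# postgres superuser password is not set by this playbook; supply it per deployment (ansible-vault or --extra-vars)`.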