Merge remote-tracking branch 'origin/develop' into INDATA-152

hunleyd · hunleyd · commit c198de41e416 · 2025-12-04T09:33:31.000-05:00
* origin/develop: chore: prevent loopback ssh connections (#1959) chore: rename infra repo (#1958) chore: [ansible/vars] bumping admin-api version (#1960) fix: reserve the port for postgres_exporter with sysctl (#1953) chore: Update PostgREST setup and versions (#1955) Bump PostgREST to 14.1 (#1909)
diff --git a/README.md b/README.md
@@ -294,7 +294,7 @@ This is the same PostgreSQL build that powers [Supabase](https://supabase.io), b
 | Goodie | Version | Description |
 | ------------- | :-------------: | ------------- |
 | [PgBouncer](https://www.pgbouncer.org/) | [1.19.0](http://www.pgbouncer.org/changelog.html#pgbouncer-119x) | Set up Connection Pooling. |
-| [PostgREST](https://postgrest.org/en/stable/) | [v13.0.4](https://github.com/PostgREST/postgrest/releases/tag/v13.0.4) | Instantly transform your database into an RESTful API. |
+| [PostgREST](https://postgrest.org/en/stable/) | [v14.1](https://github.com/PostgREST/postgrest/releases/tag/v14.1) | Instantly transform your database into an RESTful API. |
 | [WAL-G](https://github.com/wal-g/wal-g#wal-g) | [v2.0.1](https://github.com/wal-g/wal-g/releases/tag/v2.0.1) | Tool for physical database backup and recovery. | -->
 
 
diff --git a/ansible/tasks/setup-postgrest.yml b/ansible/tasks/setup-postgrest.yml
@@ -4,9 +4,11 @@
     state: 'present'
 
 - name: PostgREST - add Postgres PPA gpg key
-  ansible.builtin.apt_key:
+  ansible.builtin.get_url:
+    dest: /etc/apt/trusted.gpg.d/ppdg.asc
+    force: true
+    mode: '0644'
     url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'
-    state: 'present'
 
 - name: PostgREST - add Postgres PPA main
   ansible.builtin.apt_repository:
@@ -30,9 +32,9 @@
     msg: "Installed libpq5 version: {{ ansible_facts['packages']['libpq5'][0]['version'] }}"
 
 - name: PostgREST - remove Postgres PPA gpg key
-  ansible.builtin.apt_key:
+  ansible.builtin.file:
+    path: /etc/apt/trusted.gpg.d/ppdg.asc
     state: 'absent'
-    url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'
 
 - name: PostgREST - remove Postgres PPA
   ansible.builtin.apt_repository:
@@ -58,7 +60,7 @@
       {%- if platform == "arm64" -%}
         ubuntu-aarch64
       {%- elif platform == "amd64" -%}
-        inux-static-x86-64
+        linux-static-x86-64
       {%- endif -%}
 
 - name: PostgREST - unpack archive in /opt
diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml
@@ -64,6 +64,18 @@
         dest: '/etc/apt/apt.conf.d/10periodic'
         src: 'files/apt_periodic'
 
+    - name: Set local ssh policy
+      ansible.builtin.copy:
+        content: |
+          Match Address 127.0.0.1,::1
+            ForceCommand /bin/false
+            DisableForwarding yes
+            PermitTunnel no
+        dest: /etc/ssh/sshd_config.d/local.conf
+        mode: '0644'
+        owner: 'root'
+        group: 'root'
+
 - name: Install other useful tools
   ansible.builtin.apt:
     pkg:
@@ -154,6 +166,13 @@
         value: 60
         state: 'present'
 
+    # postgres_exporter runs on port 9187 and postgresT occasionlly chooses it as random srcport
+    - name: Set net.ipv4.ip_local_reserved_ports=9187
+      ansible.builtin.sysctl:
+        name: 'net.ipv4.ip_local_reserved_ports'
+        value: 9187
+        state: 'present'
+
 - name: Execute tasks when (debpkg_mode or nixpkg_mode)
   when:
     - (debpkg_mode or nixpkg_mode)
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.6.0.014-orioledb"
-  postgres17: "17.6.1.057"
-  postgres15: "15.14.1.057"
+  postgresorioledb-17: "17.6.0.017-orioledb"
+  postgres17: "17.6.1.060"
+  postgres15: "15.14.1.060"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
@@ -21,9 +21,9 @@ pgbouncer_release_checksum: sha256:af0b05e97d0e1fd9ad45fe00ea6d2a934c63075f67f7e
 # The checksum can be found under "Assets", in the GitHub release page for each version.
 # The binaries used are: ubuntu-aarch64 and linux-static.
 # https://github.com/PostgREST/postgrest/releases
-postgrest_release: 13.0.5
-postgrest_arm_release_checksum: sha256:7b4eafdaf76bc43b57f603109d460a838f89f949adccd02f452ca339f9a0a0d4
-postgrest_x86_release_checksum: sha256:05be2bd48abee6c1691fc7c5d005023466c6989e41a4fc7d1302b8212adb88b5
+postgrest_release: 14.1
+postgrest_arm_release_checksum: sha256:68885d936873059b946afadaae697467daedacd7d8e697a80b7f0f6881c9c92f
+postgrest_x86_release_checksum: sha256:bdab6ab3389ca0d6c1f3b8363491674dbca71875c3f30261d92d8fecdde35277
 
 gotrue_release: 2.182.1
 gotrue_release_checksum: sha1:38a12109ad62df32460d88e4c7b2a475b88e7865
@@ -53,7 +53,7 @@ postgres_exporter_release_checksum:
   arm64: sha256:29ba62d538b92d39952afe12ee2e1f4401250d678ff4b354ff2752f4321c87a0
   amd64: sha256:cb89fc5bf4485fb554e0d640d9684fae143a4b2d5fa443009bd29c59f9129e84
 
-adminapi_release: "0.93.0"
+adminapi_release: "0.93.1"
 adminmgr_release: "0.32.3"
 supabase_admin_agent_release: 1.6.0
 supabase_admin_agent_splay: 30s
diff --git a/migrations/README.md b/migrations/README.md
@@ -38,7 +38,7 @@ nix run github:supabase/postgres/mybranch#dbmate-tool -- --version 15
 - supabase/postgres
 - supabase/supabase
 - supabase/cli
-- supabase/infrastructure (internal)
+- supabase/platform (internal)
 
 aiming to provide a single source of truth for migrations on the platform that can be depended upon by those components. For more information on goals see [the RFC](https://www.notion.so/supabase/Centralize-SQL-Migrations-cd3847ae027d4f2bba9defb2cc82f69a)
 
@@ -48,8 +48,8 @@ aiming to provide a single source of truth for migrations on the platform that c
 
 Migrations were pulled (in order) from:
 
-1. [init-scripts/postgres](https://github.com/supabase/infrastructure/tree/develop/init-scripts/postgres) => [db/init-scripts](db/init-scripts)
-2. [init-scripts/migrations](https://github.com/supabase/infrastructure/tree/develop/init-scripts/migrations) => [db/migrations](db/migrations)
+1. [init-scripts/postgres](https://github.com/supabase/platform/tree/develop/init-scripts/postgres) => [db/init-scripts](db/init-scripts)
+2. [init-scripts/migrations](https://github.com/supabase/platform/tree/develop/init-scripts/migrations) => [db/migrations](db/migrations)
 
 For compatibility with hosted projects, we include [migrate.sh](migrate.sh) that executes migrations in the same order as ami build:
 
diff --git a/migrations/db/migrations/20220317095840_pg_graphql.sql b/migrations/db/migrations/20220317095840_pg_graphql.sql
@@ -1,7 +1,7 @@
 -- migrate:up
 create schema if not exists graphql_public;
 
--- obsolete signature: https://github.com/supabase/infrastructure/pull/5524/files
+-- obsolete signature: https://github.com/supabase/platform/pull/5524/files
 drop function if exists graphql_public.graphql(text, text, jsonb);
 -- GraphQL Placeholder Entrypoint
 create or replace function graphql_public.graphql(
