From 5be45c37e642a02c0b8ef9c00e1e9cbebfdfd65e Mon Sep 17 00:00:00 2001
From: Jim Chanco Jr
Date: Wed, 29 Oct 2025 14:00:07 -0400
Subject: [PATCH 01/19] feat(ansible): add pgBackRest tasks and configurations
---
.../pgbackrest_config/computed_globals.conf | 8 ++
.../files/pgbackrest_config/pgbackrest.conf | 17 +++++
ansible/files/pgbackrest_config/repo1.conf | 14 ++++
.../files/pgbackrest_config/repo1_async.conf | 2 +
.../pgbackrest_config/repo1_encrypted.conf | 3 +
ansible/playbook.yml | 4 +
ansible/tasks/setup-pgbackrest.yml | 74 +++++++++++++++++++
7 files changed, 122 insertions(+)
create mode 100644 ansible/files/pgbackrest_config/computed_globals.conf
create mode 100644 ansible/files/pgbackrest_config/pgbackrest.conf
create mode 100644 ansible/files/pgbackrest_config/repo1.conf
create mode 100644 ansible/files/pgbackrest_config/repo1_async.conf
create mode 100644 ansible/files/pgbackrest_config/repo1_encrypted.conf
create mode 100644 ansible/tasks/setup-pgbackrest.yml
diff --git a/ansible/files/pgbackrest_config/computed_globals.conf b/ansible/files/pgbackrest_config/computed_globals.conf
new file mode 100644
index 000000000..a1b92e934
--- /dev/null
+++ b/ansible/files/pgbackrest_config/computed_globals.conf
@@ -0,0 +1,8 @@
+[global]
+# process-max = 1
+
+[archive-get]
+# process-max = 1
+
+[archive-push]
+# process-max = 1
diff --git a/ansible/files/pgbackrest_config/pgbackrest.conf b/ansible/files/pgbackrest_config/pgbackrest.conf
new file mode 100644
index 000000000..92cefc13f
--- /dev/null
+++ b/ansible/files/pgbackrest_config/pgbackrest.conf
@@ -0,0 +1,17 @@
+[global]
+archive-async = n
+archive-copy = y
+backup-standby = prefer
+compress-type = zst
+delta = y
+expire-auto = n
+link-all = y
+log-level-console = info
+log-level-file = detail
+log-subprocess = y
+resume = n
+start-fast = y
+[supabase]
+pg1-path = /var/lib/postgresql/data
+pg1-socket-path = /run/postgresql
+pg1-user = supabase_admin
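Review bot: `expire-auto = n` in pgbackrest.conf switches off the expire pass that pgBackRest otherwise runs after each backup, so the `repo1-retention-*` values in repo1.conf have no effect until an explicit `pgbackrest expire` is scheduled somewhere. As far as this series shows nothing schedules one, so the S3 repository would grow without bound. Either drop the line or document where expire runs, e.g. `# expire-auto = n: retention is applied by a separate expire run (<scheduler — fill in>)`.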
diff --git a/ansible/files/pgbackrest_config/repo1.conf b/ansible/files/pgbackrest_config/repo1.conf new file mode 100644 index 000000000..d34274932 --- /dev/null +++ b/ansible/files/pgbackrest_config/repo1.conf @@ -0,0 +1,14 @@ +[supabase] +repo1-block = y +repo1-bundle = y +# repo1-path = +repo1-retention-diff = 1 +repo1-retention-full = 28 +repo1-retention-full-type = time +repo1-retention-history = 0 +# repo1-s3-bucket= +# repo1-s3-endpoint= +repo1-s3-key-type = auto +# repo1-s3-region = +repo1-storage-upload-chunk-size = 10MiB +repo1-type = s3 diff --git a/ansible/files/pgbackrest_config/repo1_async.conf b/ansible/files/pgbackrest_config/repo1_async.conf new file mode 100644 index 000000000..e5f8846e2 --- /dev/null +++ b/ansible/files/pgbackrest_config/repo1_async.conf @@ -0,0 +1,2 @@ +[supabase] +# archive-async = y diff --git a/ansible/files/pgbackrest_config/repo1_encrypted.conf b/ansible/files/pgbackrest_config/repo1_encrypted.conf new file mode 100644 index 000000000..8b7b7bbd5 --- /dev/null +++ b/ansible/files/pgbackrest_config/repo1_encrypted.conf @@ -0,0 +1,3 @@ +[supabase] +# repo-cipher-pass = {{ generated pass }} +# repo-cipher-type = aes-256-cbc diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 0991a813a..f0115d61a 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -40,6 +40,10 @@ import_tasks: tasks/setup-wal-g.yml when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install pgBackRest + import_tasks: tasks/setup-pgbackrest.yml + when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install Gotrue import_tasks: tasks/setup-gotrue.yml tags: diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml new file mode 100644 index 000000000..52725e48d --- /dev/null +++ b/ansible/tasks/setup-pgbackrest.yml 
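Review bot: The `# repo-cipher-pass = {{ generated pass }}` placeholder in repo1_encrypted.conf can never be rendered, because setup-pgbackrest.yml deploys these files with `copy` rather than `template`, so uncommenting it later would hand the literal Jinja text to pgBackRest as the passphrase. As committed, repository encryption is off and backups with `repo1-type = s3` rely entirely on bucket-side encryption, which the file should say explicitly. If encryption is enabled later, this file needs to go through `template` with the passphrase supplied from a secret store at deploy time, e.g. `# repo-cipher-pass is injected at deploy time from the secret store; never commit a value here`.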
@@ -0,0 +1,74 @@ +- name: Create pgBackRest group + group: + name: pgbackrest + state: present + when: nixpkg_mode + +- name: Create pgBackRest user + user: + name: pgbackrest + comment: pgBackRest user + group: pgbackrest + groups: pgbackrest, postgres + shell: /sbin/nologin + system: true + home: /var/lib/pgbackrest + when: nixpkg_mode + +- name: Install pgBackRest + become: yes + shell: | + sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest" + when: stage2_nix + +- name: Create needed directories for pgBackRest + file: + path: "{{ backrest_dir }}" + state: directory + owner: pgbackrest + group: postgres + mode: '0770' + loop: + - /etc/pgbackrest/conf.d + - /var/lib/pgbackrest + - /var/spool/pgbackrest + - /var/log/pgbackrest + loop_control: + loop_var: backrest_dir + when: nixpkg_mode + +- name: Symlink pgbackrest.conf + file: + path: /etc/pgbackrest/pgbackrest.conf + src: /etc/pgbackrest.conf + type: link + force: true + +- name: Move pgBackRest files to /etc/pgbackrest + copy: + dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" + group: postgres + mode: '0644' + owner: pgbackrest + src: "files/pgbackrest_config/{{ conf_item['name'] }}" + loop: + - {name: computed_globals.conf, path: conf.d} + - {name: pgbackrest.conf, path: ''} + - {name: repo1_async.conf, path: conf.d} + - {name: repo1_encrypted.conf, path: conf.d} + - {name: repo1.conf, path: conf.d} + loop_control: + loop_var: conf_item + when: stage2_nix + +- name: Symlink pgBackRest binary + file: + path: /usr/bin/pgbackrest + src: /var/lib/postgresql/.nix.profile/bin/pgbackrest + type: link + +- name: Sticky bit the pgBackRest binary + file: + path: /var/lib/postgresql/nix.profile/bin/pgbackrest + mode: '4755' + become: true From 32ffedef3fd6132d9e56118fe41fe8252adb7790 Mon Sep 17 00:00:00 2001 
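Review bot: `mode: '4755'` in the last task is the setuid bit, not the sticky bit (`'1755'`), so if it applied it would run pgbackrest with the binary owner's privileges for every caller, and Nix store paths are typically root-owned. The path is a symlink into the store, which is mounted read-only, so the chmod will most likely fail at runtime and presumably mask the first problem rather than fix it. A narrowly scoped sudoers entry letting the postgres user run the one command as pgbackrest is the safer way to get cross-user execution; if the sticky bit really was intended, the task name and mode should agree. In the user task, `groups: pgbackrest, postgres` should be a YAML list (`groups: [pgbackrest, postgres]`) so the result does not depend on the module's comma/whitespace splitting.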
From: Jim Chanco Jr Date: Wed, 29 Oct 2025 14:57:51 -0400 Subject: [PATCH 02/19] fix(setup-pgbackrest.yml): update nix install path --- ansible/tasks/setup-pgbackrest.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 52725e48d..ffa8ef4b0 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -16,7 +16,8 @@ when: nixpkg_mode - name: Install pgBackRest - become: yes + become: true + become_user: pgbackrest shell: | sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest" when: stage2_nix @@ -28,12 +29,12 @@ owner: pgbackrest group: postgres mode: '0770' - loop: + loop: - /etc/pgbackrest/conf.d - /var/lib/pgbackrest - /var/spool/pgbackrest - /var/log/pgbackrest - loop_control: + loop_control: loop_var: backrest_dir when: nixpkg_mode @@ -45,7 +46,7 @@ force: true - name: Move pgBackRest files to /etc/pgbackrest - copy: + copy: dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" group: postgres mode: '0644' @@ -62,13 +63,13 @@ when: stage2_nix - name: Symlink pgBackRest binary - file: + file: path: /usr/bin/pgbackrest - src: /var/lib/postgresql/.nix.profile/bin/pgbackrest + src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest type: link - name: Sticky bit the pgBackRest binary - file: - path: /var/lib/postgresql/nix.profile/bin/pgbackrest + file: + path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest mode: '4755' become: true From 16c6474b22c5d17053175d1bf076fa5b004e1c21 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Wed, 29 Oct 2025 15:01:10 -0400 Subject: [PATCH 03/19] fix(setup-pgbackrest.yml): fix file module --- ansible/tasks/setup-pgbackrest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
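Review bot: Adding `become_user: pgbackrest` while keeping `sudo -u pgbackrest bash -c` inside the shell makes the task run as pgbackrest and then call sudo to become itself, which only works if the pgbackrest account has a passwordless sudoers rule for bash; nothing in this file grants one, so the task fails on a clean host. Either keep plain `become: true` and let the inner sudo drop privileges, or keep `become_user: pgbackrest` and remove the inner sudo: `shell: . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest`. The second form needs no sudoers entry for the pgbackrest account at all.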
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index ffa8ef4b0..d89212d4b 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -42,7 +42,7 @@ file: path: /etc/pgbackrest/pgbackrest.conf src: /etc/pgbackrest.conf - type: link + state: link force: true - name: Move pgBackRest files to /etc/pgbackrest @@ -66,7 +66,7 @@ file: path: /usr/bin/pgbackrest src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest - type: link + state: link - name: Sticky bit the pgBackRest binary file: From 9bb0eb88ce2e1645d264fe7671106e074fe1de0e Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Wed, 29 Oct 2025 15:25:48 -0400 Subject: [PATCH 04/19] fix(setup-pgbackrest.yml): errant indentation fix --- ansible/tasks/setup-pgbackrest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index d89212d4b..a0395107f 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -70,6 +70,6 @@ - name: Sticky bit the pgBackRest binary file: - path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest + path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest mode: '4755' become: true From 56e3d228265c2c84f7390073c7af99af24f6aea0 Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Thu, 30 Oct 2025 10:17:15 -0400 Subject: [PATCH 05/19] fix(setup-pgbackrest): adjust as per Sam --- ansible/tasks/setup-pgbackrest.yml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index a0395107f..73935705b 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml 
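Review bot: `state: link` fixes the module argument, but the link still appears to run the wrong way: in the file module `path` is the link and `src` its target, so this creates /etc/pgbackrest/pgbackrest.conf pointing at /etc/pgbackrest.conf, which no task creates, and the later copy task then writes the real pgbackrest.conf to that same link path (with a `//` in the destination, since that loop entry has `path: ''`). If the intent is for the fallback location /etc/pgbackrest.conf to resolve to the deployed file, the task should be `path: /etc/pgbackrest.conf` with `src: /etc/pgbackrest/pgbackrest.conf` and run after the copy. `force: true` hides the dangling-target case, so this is worth verifying on a host.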
@@ -62,14 +62,20 @@ loop_var: conf_item when: stage2_nix -- name: Symlink pgBackRest binary - file: - path: /usr/bin/pgbackrest - src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest - state: link +- name: Configure sudoers for pgBackRest + ansible.builtin.lineinfile: + create: yes + line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' + mode: '0440' + path: '/etc/sudoers.d/pgbackrest' + validate: 'visudo -cf %s' -- name: Sticky bit the pgBackRest binary - file: - path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest - mode: '4755' - become: true +- name: Create pgBackRest wrapper script + ansible.builtin.copy: + content: | + #!/bin/bash + exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$@" + dest: '/usr/bin/pgbackrest' + group: 'root' + mode: '0755' + owner: 'root' From 6b71d69def7c84d60cf3367adc2f0ffeb61b4255 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Thu, 30 Oct 2025 10:57:13 -0400 Subject: [PATCH 06/19] style(setup-pgbackrest.yml): ansible-lint --- ansible/tasks/setup-pgbackrest.yml | 33 +++++++++++++++--------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index a0395107f..0d29b29cd 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml 
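Review bot: The sudoers line lets postgres run pgbackrest as pgbackrest with any arguments, and pgBackRest options can redirect it to alternate configuration files and to other executables, so the rule effectively grants the postgres account everything the pgbackrest account can do rather than just backup operations. Since the wrapper at /usr/bin/pgbackrest is meant to be the sole entry point, either constrain the sudoers rule to the argument shapes the wrapper produces or have the wrapper refuse configuration- and command-redirecting options before it calls sudo. `create: yes` should be `create: true` to match the boolean style used elsewhere in this file. The target path resolves through `.nix-profile` under the pgbackrest home directory, which is acceptable for a same-user rule but deserves a comment so it is not later widened to `(ALL)`.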
@@ -1,34 +1,35 @@ - name: Create pgBackRest group - group: + ansible.builtin.group: name: pgbackrest state: present when: nixpkg_mode - name: Create pgBackRest user - user: - name: pgbackrest + ansible.builtin.user: comment: pgBackRest user group: pgbackrest groups: pgbackrest, postgres + home: /var/lib/pgbackrest + name: pgbackrest shell: /sbin/nologin system: true - home: /var/lib/pgbackrest when: nixpkg_mode - name: Install pgBackRest become: true become_user: pgbackrest - shell: | + ansible.builtin.shell: | sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest" + changed_when: true when: stage2_nix - name: Create needed directories for pgBackRest - file: - path: "{{ backrest_dir }}" - state: directory - owner: pgbackrest + ansible.legacy.file: group: postgres mode: '0770' + owner: pgbackrest + path: "{{ backrest_dir }}" + state: directory loop: - /etc/pgbackrest/conf.d - /var/lib/pgbackrest @@ -39,16 +40,16 @@ when: nixpkg_mode - name: Symlink pgbackrest.conf - file: + ansible.legacy.file: + force: true path: /etc/pgbackrest/pgbackrest.conf src: /etc/pgbackrest.conf state: link - force: true - name: Move pgBackRest files to /etc/pgbackrest - copy: - dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" + ansible.legacy.copy: group: postgres + dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" mode: '0644' owner: pgbackrest src: "files/pgbackrest_config/{{ conf_item['name'] }}" @@ -63,13 +64,13 @@ when: stage2_nix - name: Symlink pgBackRest binary - file: + ansible.legacy.file: path: /usr/bin/pgbackrest src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest state: link - name: Sticky bit the pgBackRest binary - file: - path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest + ansible.legacy.file: mode: '4755' + path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest become: true 
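Review bot: The FQCN conversion is inconsistent: `group`, `user` and `shell` become `ansible.builtin.*` while `file` and `copy` become `ansible.legacy.*`, which routes those two through the legacy lookup path instead of the builtin collection; use `ansible.builtin.file` and `ansible.builtin.copy` throughout. `changed_when: true` on the nix install satisfies the linter but reports a change on every run; a `creates:` guard on the installed profile path, or a registered check, would be more informative if idempotent runs matter.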
From b19122852dfb1e24f79d0f2f00eb35fbe315e758 Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Wed, 12 Nov 2025 15:31:27 -0500 Subject: [PATCH 07/19] fix(setup-pgbackrest): Sanitize pgbackrest wrapper script arguments The pgbackrest wrapper script now sanitizes arguments passed to it. This change removes potentially sensitive or command-injection-vulnerable arguments such as `--cmd`, `--repo-host-cmd`, and `--config` before executing the pgbackrest command. This enhances security by preventing accidental exposure of sensitive information. --- ansible/tasks/setup-pgbackrest.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 84d7c6ea8..817b61e34 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -75,7 +75,9 @@ ansible.builtin.copy: content: | #!/bin/bash - exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$@" + _raw_args="$@" + _sanitized_args=$(echo $_raw_args | sed -e 's/--cmd=[^ ]*//g; s/--repo-host-cmd=[^ ]*//g; s/--config=[^ ]*//g' ) + exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$_sanitized_args" dest: '/usr/bin/pgbackrest' group: 'root' mode: '0755' From b2235186d1a4c730420bd617bac852445d20c174 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Fri, 14 Nov 2025 09:45:18 -0500 Subject: [PATCH 08/19] feat(setup-pgbackrest.yml): add pgbackrest to sudoers --- ansible/tasks/setup-pgbackrest.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 817b61e34..9ef1cf1d6 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml 
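Review bot: The sanitized arguments are handed back as a single quoted word, `"$_sanitized_args"`, so pgbackrest receives one argument containing the whole command line (e.g. `backup --stanza=supabase` as one token) and every multi-argument invocation will fail to parse, which breaks the wrapper for its ordinary purpose. The filter itself is a blocklist over `echo $_raw_args`: the unquoted expansion is subject to word splitting and globbing, only the `--opt=value` spelling is matched and not `--opt value`, and options with the same effect such as `--config-path` and `--config-include-path` pass through. Keeping argv intact and rejecting the disallowed options outright is both correct for normal use and easier to audit than silently dropping them; the commit message should also not call this command-injection prevention, since the rule only narrows which options the pgbackrest account will honour. The rewritten `content:` block follows.
```yaml
    content: |
      #!/bin/bash
      # Refuse options that redirect pgBackRest to other config files or executables;
      # argv is otherwise passed through untouched so quoting and word boundaries survive.
      for arg in "$@"; do
        case "$arg" in
          --cmd|--cmd=*|--repo-host-cmd|--repo-host-cmd=*|--config|--config=*|--config-path|--config-path=*|--config-include-path|--config-include-path=*)
            echo "pgbackrest wrapper: option '${arg%%=*}' is not permitted" >&2
            exit 1
            ;;
        esac
      done
      exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$@"
    # … unchanged: dest/group/mode/owner …
```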
@@ -15,6 +15,15 @@ system: true when: nixpkg_mode +- name: Allow pgBackRest to run commands + copy: + dest: /etc/sudoers.d/pgbackrest + owner: root + group: root + mode: '0440' + content: | + pgbackrest ALL=(ALL) NOPASSWD: /usr/bin/pgbackrest + - name: Install pgBackRest become: true become_user: pgbackrest From fb412bacc912225e9f488dd223f2cd228e6ec3d3 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr <69092730+jchancojr@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:13:33 -0500 Subject: [PATCH 09/19] Update ansible/files/pgbackrest_config/pgbackrest.conf Co-authored-by: Douglas J Hunley --- ansible/files/pgbackrest_config/pgbackrest.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/files/pgbackrest_config/pgbackrest.conf b/ansible/files/pgbackrest_config/pgbackrest.conf index 92cefc13f..f11db6ed9 100644 --- a/ansible/files/pgbackrest_config/pgbackrest.conf +++ b/ansible/files/pgbackrest_config/pgbackrest.conf @@ -11,6 +11,7 @@ log-level-file = detail log-subprocess = y resume = n start-fast = y + [supabase] pg1-path = /var/lib/postgresql/data pg1-socket-path = /run/postgresql From 7a50d3b236d6c6ef1bdf0c5f534b8eda5f2b5565 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr <69092730+jchancojr@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:13:47 -0500 Subject: [PATCH 10/19] Update ansible/playbook.yml Co-authored-by: Douglas J Hunley --- ansible/playbook.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 691bf8bcd..dad007f38 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -41,8 +41,10 @@ when: debpkg_mode or nixpkg_mode or stage2_nix - name: Install pgBackRest - import_tasks: tasks/setup-pgbackrest.yml - when: debpkg_mode or nixpkg_mode or stage2_nix + import_tasks: + file: tasks/setup-pgbackrest.yml + when: + - debpkg_mode or nixpkg_mode or stage2_nix - name: Install Gotrue import_tasks: tasks/setup-gotrue.yml 
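Review bot: `pgbackrest ALL=(ALL) NOPASSWD: /usr/bin/pgbackrest` lets the pgbackrest account run the wrapper as any user including root, which is broader than any task here needs, and it still does not cover what the install task actually executes under `become_user: pgbackrest` (`sudo -u pgbackrest bash -c …`), so that task keeps failing. Writing a sudoers drop-in with `copy` and no `validate: 'visudo -cf %s'` also risks breaking sudo host-wide on a typo; the lineinfile task already in this file validates, so this one should too, or the two should be merged. If the only goal is the install step, removing the inner `sudo -u pgbackrest` from that task needs no sudoers entry at all.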
From 865da58f634164aa5246da07a26dc0ef0c7f04ae Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr <69092730+jchancojr@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:14:19 -0500 Subject: [PATCH 11/19] Apply suggestions from code review Co-authored-by: Douglas J Hunley --- ansible/tasks/setup-pgbackrest.yml | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 9ef1cf1d6..5afe92b86 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -2,7 +2,8 @@ ansible.builtin.group: name: pgbackrest state: present - when: nixpkg_mode + when: + - nixpkg_mode - name: Create pgBackRest user ansible.builtin.user: @@ -13,10 +14,11 @@ name: pgbackrest shell: /sbin/nologin system: true - when: nixpkg_mode + when: + - nixpkg_mode - name: Allow pgBackRest to run commands - copy: + ansible.builtin.copy: dest: /etc/sudoers.d/pgbackrest owner: root group: root @@ -25,12 +27,13 @@ pgbackrest ALL=(ALL) NOPASSWD: /usr/bin/pgbackrest - name: Install pgBackRest - become: true - become_user: pgbackrest ansible.builtin.shell: | sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest" + become: true + become_user: pgbackrest changed_when: true - when: stage2_nix + when: + - stage2_nix - name: Create needed directories for pgBackRest ansible.legacy.file: @@ -46,7 +49,8 @@ - /var/log/pgbackrest loop_control: loop_var: backrest_dir - when: nixpkg_mode + when: + - nixpkg_mode - name: Symlink pgbackrest.conf ansible.legacy.file: @@ -70,7 +74,8 @@ - {name: repo1.conf, path: conf.d} loop_control: loop_var: conf_item - when: stage2_nix + when: + - stage2_nix - name: Configure sudoers for pgBackRest ansible.builtin.lineinfile: From 6d74ce5bcb17109e7e3876de630400f289173a7c Mon Sep 17 00:00:00 2001 
From: Jim Chanco Jr Date: Fri, 14 Nov 2025 11:24:02 -0500 Subject: [PATCH 12/19] fix(setup-pgbackrest.yml): allow postgres user to run pgbackrest cmds --- ansible/tasks/setup-pgbackrest.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 5afe92b86..2fe6d9fac 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -17,14 +17,22 @@ when: - nixpkg_mode -- name: Allow pgBackRest to run commands - ansible.builtin.copy: +- name: Allow postgres to run pgBackRest commands as pgbackrest + ansible.builtin.lineinfile: + create: yes + line: 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest' dest: /etc/sudoers.d/pgbackrest - owner: root - group: root mode: '0440' - content: | - pgbackrest ALL=(ALL) NOPASSWD: /usr/bin/pgbackrest + path: '/etc/sudoers.d/pgbackrest' + validate: 'visudo -cf %s' + +- name: Configure sudoers for pgBackRest + ansible.builtin.lineinfile: + create: yes + line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' + mode: '0440' + path: '/etc/sudoers.d/pgbackrest' + validate: 'visudo -cf %s' - name: Install pgBackRest ansible.builtin.shell: | @@ -77,14 +85,6 @@ when: - stage2_nix -- name: Configure sudoers for pgBackRest - ansible.builtin.lineinfile: - create: yes - line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' - mode: '0440' - path: '/etc/sudoers.d/pgbackrest' - validate: 'visudo -cf %s' - - name: Create pgBackRest wrapper script ansible.builtin.copy: content: | From dc709b7022857ae66911a2681baa3f950abb51e9 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Fri, 14 Nov 2025 12:08:58 -0500 Subject: [PATCH 13/19] fix(setup-pgbackrest.yml): add /usr/bin/bash to sudoers task --- ansible/tasks/setup-pgbackrest.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) 
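Review bot: The first lineinfile task sets both `dest:` and `path:`, which are one parameter under two names; Ansible rejects, or at best warns about, a parameter supplied by both its name and its alias, so `dest: /etc/sudoers.d/pgbackrest` should be removed. Two separate lineinfile tasks now manage the same drop-in with `create: yes`, which works but drifts easily; one task with a `loop` over the lines keeps the file's full contents reviewable in one place, and `create: true` matches the boolean style used elsewhere. Both rules are scoped `(pgbackrest)` rather than `(ALL)`, which is the right scope for this wrapper.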
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 2fe6d9fac..32c63ef26 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -17,22 +17,18 @@ when: - nixpkg_mode -- name: Allow postgres to run pgBackRest commands as pgbackrest - ansible.builtin.lineinfile: - create: yes - line: 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest' - dest: /etc/sudoers.d/pgbackrest - mode: '0440' - path: '/etc/sudoers.d/pgbackrest' - validate: 'visudo -cf %s' - - name: Configure sudoers for pgBackRest ansible.builtin.lineinfile: create: yes - line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' + line: "{{ item }}" mode: '0440' path: '/etc/sudoers.d/pgbackrest' validate: 'visudo -cf %s' + loop: + - 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' + - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest' + - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' + - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/nix' - name: Install pgBackRest ansible.builtin.shell: | From f7b9c6069d791c89b9c753cf450df1a22987d2ff Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Fri, 14 Nov 2025 13:12:09 -0500 Subject: [PATCH 14/19] Update ansible/tasks/setup-pgbackrest.yml --- ansible/tasks/setup-pgbackrest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 32c63ef26..f0b9852cb 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -29,6 +29,8 @@ - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest' - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/nix' + - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' + - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/nix'``` - name: Install pgBackRest ansible.builtin.shell: | 
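Review bot: `postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/bash` lets the postgres account run an arbitrary shell as pgbackrest, which makes the per-binary rules above it and the wrapper's option filtering moot, since anything the wrapper refuses can be run through bash instead; the `/usr/bin/nix` rule likewise allows the pgbackrest profile, and so the pgbackrest binary the other rules name, to be changed. These lines, and the `pgbackrest ALL=(pgbackrest)` self-rules added in the following commit, appear to exist only so the install task's inner `sudo -u pgbackrest bash -c` succeeds under `become_user: pgbackrest`; dropping that inner sudo from the install task removes the need for all four and leaves only the two pgbackrest-binary rules for postgres. If a shell rule is genuinely unavoidable during image build, it should be added and removed within the same play rather than baked into the AMI.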
From 1d62a99c173a96487c6e1f428bba0435e79809ce Mon Sep 17 00:00:00 2001 From: Douglas J Hunley Date: Fri, 14 Nov 2025 13:34:41 -0500 Subject: [PATCH 15/19] Update ansible/tasks/setup-pgbackrest.yml --- ansible/tasks/setup-pgbackrest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index f0b9852cb..ce4a859e9 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -30,7 +30,7 @@ - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/nix' - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' - - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/nix'``` + - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/nix' - name: Install pgBackRest ansible.builtin.shell: | From 4d2c41ae668d043f4fb3434e7a4c9d93df1c39a0 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Mon, 17 Nov 2025 11:51:21 -0500 Subject: [PATCH 16/19] test(osquery): remove osquery bits to unblock AMI builds --- ansible/files/permission_check.py | 14 ++++++------ ansible/playbook.yml | 36 +++++++++++++++---------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/ansible/files/permission_check.py b/ansible/files/permission_check.py index 22e881f11..8cb11b58b 100644 --- a/ansible/files/permission_check.py +++ b/ansible/files/permission_check.py @@ -161,13 +161,13 @@ # This program depends on osquery being installed on the system # Function to run osquery -def run_osquery(query): - process = subprocess.Popen( - ["osqueryi", "--json", query], stdout=subprocess.PIPE, stderr=subprocess.PIPE - ) - output, error = process.communicate() - return output.decode("utf-8") - +#def run_osquery(query): +# process = subprocess.Popen( +# ["osqueryi", "--json", query], stdout=subprocess.PIPE, stderr=subprocess.PIPE +# ) +# output, error = process.communicate() +# return output.decode("utf-8") +# def parse_json(json_str): try: 
diff --git a/ansible/playbook.yml b/ansible/playbook.yml index dad007f38..5ab43b56e 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -210,19 +210,19 @@ apt autoremove -y --purge snapd when: stage2_nix - - name: Install osquery from nixpkgs binary cache - become: yes - shell: | - sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:nixos/nixpkgs/f98ec4f73c762223d62bee706726138cb6ea27cc#osquery" - when: stage2_nix - - - name: Run osquery permission checks - become: yes - shell: | - systemctl start postgresql.service - sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}" - systemctl stop postgresql.service - when: stage2_nix + # - name: Install osquery from nixpkgs binary cache + # become: yes + # shell: | + # sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:nixos/nixpkgs/f98ec4f73c762223d62bee706726138cb6ea27cc#osquery" + # when: stage2_nix + + # - name: Run osquery permission checks + # become: yes + # shell: | + # systemctl start postgresql.service + # sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}" + # systemctl stop postgresql.service + # when: stage2_nix - name: Run fail2ban configuration checks become: yes 
@@ -232,11 +232,11 @@ systemctl stop fail2ban.service when: stage2_nix - - name: Remove osquery - become: yes - shell: | - sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery" - when: stage2_nix + # - name: Remove osquery + # become: yes + # shell: | + # sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery" + # when: stage2_nix - name: nix collect garbage become: yes From 9dac53abdd938d162ac02b9bbee190d38cfadd67 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Mon, 17 Nov 2025 12:26:16 -0500 Subject: [PATCH 17/19] test(osquery): undo previous exclusion of osquery --- ansible/files/permission_check.py | 14 ++++++------ ansible/playbook.yml | 36 +++++++++++++++---------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/ansible/files/permission_check.py b/ansible/files/permission_check.py index 8cb11b58b..22e881f11 100644 --- a/ansible/files/permission_check.py +++ b/ansible/files/permission_check.py @@ -161,13 +161,13 @@ # This program depends on osquery being installed on the system # Function to run osquery -#def run_osquery(query): -# process = subprocess.Popen( -# ["osqueryi", "--json", query], stdout=subprocess.PIPE, stderr=subprocess.PIPE -# ) -# output, error = process.communicate() -# return output.decode("utf-8") -# +def run_osquery(query): + process = subprocess.Popen( + ["osqueryi", "--json", query], stdout=subprocess.PIPE, stderr=subprocess.PIPE + ) + output, error = process.communicate() + return output.decode("utf-8") + def parse_json(json_str): try: diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 5ab43b56e..f179a0adc 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml 
@@ -210,19 +210,19 @@ apt autoremove -y --purge snapd when: stage2_nix - # - name: Install osquery from nixpkgs binary cache - # become: yes - # shell: | - # sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:nixos/nixpkgs/f98ec4f73c762223d62bee706726138cb6ea27cc#osquery" - # when: stage2_nix - - # - name: Run osquery permission checks - # become: yes - # shell: | - # systemctl start postgresql.service - # sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}" - # systemctl stop postgresql.service - # when: stage2_nix + - name: Install osquery from nixpkgs binary cache + become: yes + shell: | + sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:nixos/nixpkgs/f98ec4f73c762223d62bee706726138cb6ea27cc#osquery" + when: stage2_nix + + - name: Run osquery permission checks + become: yes + shell: | + systemctl start postgresql.service + sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}" + systemctl stop postgresql.service + when: stage2_nix - name: Run fail2ban configuration checks become: yes @@ -232,11 +232,11 @@ systemctl stop fail2ban.service when: stage2_nix - # - name: Remove osquery - # become: yes - # shell: | - # sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery" - # when: stage2_nix + - name: Remove osquery + become: yes + shell: | + sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery" + when: stage2_nix - name: nix collect garbage become: yes 
From 19c238df4689840cebbefe2e156851e2e239289c Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Mon, 17 Nov 2025 13:09:03 -0500 Subject: [PATCH 18/19] fix(ansible): remove errant syntax --- ansible/playbook.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/ansible/playbook.yml b/ansible/playbook.yml index f179a0adc..dad007f38 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -210,19 +210,19 @@ apt autoremove -y --purge snapd when: stage2_nix - - name: Install osquery from nixpkgs binary cache - become: yes - shell: | - sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:nixos/nixpkgs/f98ec4f73c762223d62bee706726138cb6ea27cc#osquery" - when: stage2_nix - - - name: Run osquery permission checks - become: yes - shell: | - systemctl start postgresql.service - sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}" - systemctl stop postgresql.service - when: stage2_nix + - name: Install osquery from nixpkgs binary cache + become: yes + shell: | + sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:nixos/nixpkgs/f98ec4f73c762223d62bee706726138cb6ea27cc#osquery" + when: stage2_nix + + - name: Run osquery permission checks + become: yes + shell: | + systemctl start postgresql.service + sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}" + systemctl stop postgresql.service + when: stage2_nix - name: Run fail2ban configuration checks become: yes 
@@ -232,11 +232,11 @@ systemctl stop fail2ban.service when: stage2_nix - - name: Remove osquery - become: yes - shell: | - sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery" - when: stage2_nix + - name: Remove osquery + become: yes + shell: | + sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery" + when: stage2_nix - name: nix collect garbage become: yes From 852f716b16b9124bbc278f2abf6f120a22105ca2 Mon Sep 17 00:00:00 2001 From: Jim Chanco Jr Date: Fri, 21 Nov 2025 11:39:59 -0500 Subject: [PATCH 19/19] build(vars.yml): update ami suffix for testing --- ansible/vars.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index a7e55c0a9..b72a349f4 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -10,9 +10,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.6.0.011-orioledb" - postgres17: "17.6.1.054" - postgres15: "15.14.1.054" + postgresorioledb-17: "17.6.0.011-orioledb-PSQL773" + postgres17: "17.6.1.054-PSQL773" + postgres15: "15.14.1.054-PSQL773" # Non Postgres Extensions pgbouncer_release: 1.19.0