From d1b6678cd3d4500bcbdc6314dec7fe73551c7541 Mon Sep 17 00:00:00 2001 From: Crispy1975 <12525875+Crispy1975@users.noreply.github.com> Date: Thu, 2 Apr 2026 14:19:00 +0100 Subject: [PATCH 1/3] feat: additional config for pgbackrest - pgdata-signal: add remove-pid action to remove stale postmaster.pid via the constrained wrapper rather than a broad sudo rm entry, keeping the sudoers scope limited to this script --- ansible/files/adminapi.sudoers.conf | 4 ++ .../files/pgbackrest_config/pgbackrest.conf | 7 +-- .../pgbackrest_config/pgbackrest.logrotate | 9 ++++ .../files/postgresql_config/pg_hba.conf.j2 | 2 +- .../supabase_admin_agent_config/pgdata-chown | 37 +++++++++++++++ .../supabase_admin_agent_config/pgdata-signal | 45 +++++++++++++++++++ .../tasks/internal/supabase-admin-agent.yml | 24 ++++++++++ ansible/tasks/setup-pgbackrest.yml | 19 +++++++- 8 files changed, 139 insertions(+), 8 deletions(-) create mode 100644 ansible/files/pgbackrest_config/pgbackrest.logrotate create mode 100644 ansible/files/supabase_admin_agent_config/pgdata-chown create mode 100644 ansible/files/supabase_admin_agent_config/pgdata-signal diff --git a/ansible/files/adminapi.sudoers.conf b/ansible/files/adminapi.sudoers.conf index 904377c293..ec6a2b3192 100644 --- a/ansible/files/adminapi.sudoers.conf +++ b/ansible/files/adminapi.sudoers.conf @@ -15,6 +15,10 @@ Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl st %adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/common.sh %adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/pgsodium_getkey.sh %adminapi ALL= NOPASSWD: /usr/bin/systemctl daemon-reload +%adminapi ALL= NOPASSWD: /usr/local/lib/supabase-admin-agent/pgdata-chown +%adminapi ALL=(postgres) NOPASSWD: /usr/local/lib/supabase-admin-agent/pgdata-signal +%adminapi ALL= NOPASSWD: /usr/bin/systemctl start postgresql.service +%adminapi ALL= NOPASSWD: /usr/bin/systemctl stop postgresql.service %adminapi ALL= NOPASSWD: /usr/bin/systemctl reload postgresql.service %adminapi ALL= NOPASSWD: /usr/bin/systemctl restart postgresql.service %adminapi ALL= NOPASSWD: /usr/bin/systemctl show -p NRestarts postgresql.service diff --git a/ansible/files/pgbackrest_config/pgbackrest.conf b/ansible/files/pgbackrest_config/pgbackrest.conf index f11db6ed95..f94dde0e9e 100644 --- a/ansible/files/pgbackrest_config/pgbackrest.conf +++ b/ansible/files/pgbackrest_config/pgbackrest.conf @@ -4,15 +4,10 @@ archive-copy = y backup-standby = prefer compress-type = zst delta = y -expire-auto = n +expire-auto = y link-all = y log-level-console = info log-level-file = detail log-subprocess = y resume = n start-fast = y - -[supabase] -pg1-path = /var/lib/postgresql/data -pg1-socket-path = /run/postgresql -pg1-user = supabase_admin diff --git a/ansible/files/pgbackrest_config/pgbackrest.logrotate b/ansible/files/pgbackrest_config/pgbackrest.logrotate new file mode 100644 index 0000000000..333f7c90a1 --- /dev/null +++ b/ansible/files/pgbackrest_config/pgbackrest.logrotate @@ -0,0 +1,9 @@ +/var/log/pgbackrest/*.log { + daily + rotate 7 + compress + delaycompress + missingok + notifempty + create 0660 pgbackrest postgres +} diff --git a/ansible/files/postgresql_config/pg_hba.conf.j2 b/ansible/files/postgresql_config/pg_hba.conf.j2 index 9cafd4146e..5bcd2aaccb 100755 --- a/ansible/files/postgresql_config/pg_hba.conf.j2 +++ b/ansible/files/postgresql_config/pg_hba.conf.j2 @@ -79,7 +79,7 @@ # TYPE DATABASE USER ADDRESS METHOD # trust local connections -local all supabase_admin scram-sha-256 +local all supabase_admin trust local all all peer map=supabase_map host all all 127.0.0.1/32 trust host all all ::1/128 trust diff --git a/ansible/files/supabase_admin_agent_config/pgdata-chown b/ansible/files/supabase_admin_agent_config/pgdata-chown new file mode 100644 index 0000000000..74d979435d --- /dev/null +++ b/ansible/files/supabase_admin_agent_config/pgdata-chown @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# pgdata-chown — transfers PGDATA ownership for pgBackRest restore operations. +# +# Called via sudo by supabase-admin-agent (running as adminapi). Only two +# actions are accepted, and the target path must resolve to /data/pgdata or a +# path beneath it. realpath(1) is used to expand symlinks before the check, +# which prevents directory-traversal attacks (e.g. /data/pgdata/../../etc/sudoers). +# +# Usage: pgdata-chown +set -euo pipefail + +if [[ $# -ne 2 ]]; then + echo "usage: pgdata-chown " >&2 + exit 1 +fi + +ACTION="$1" +TARGET="$2" + +REAL=$(realpath "$TARGET") +if [[ "$REAL" != "/data/pgdata" && "$REAL" != /data/pgdata/* ]]; then + echo "error: '${TARGET}' resolves to '${REAL}', which is not under /data/pgdata" >&2 + exit 1 +fi + +case "$ACTION" in + to-pgbackrest) + exec /usr/bin/chown -R pgbackrest:pgbackrest "$REAL" + ;; + to-postgres) + exec /usr/bin/chown -R postgres:postgres "$REAL" + ;; + *) + echo "error: unknown action '${ACTION}'; expected to-pgbackrest or to-postgres" >&2 + exit 1 + ;; +esac diff --git a/ansible/files/supabase_admin_agent_config/pgdata-signal b/ansible/files/supabase_admin_agent_config/pgdata-signal new file mode 100644 index 0000000000..94a80a7024 --- /dev/null +++ b/ansible/files/supabase_admin_agent_config/pgdata-signal @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +# pgdata-signal — creates or removes PostgreSQL signal files and stale pid files. +# Called via sudo (as postgres) by supabase-admin-agent (running as adminapi). +# +# All file paths are hardcoded to prevent path injection. No external +# path argument is accepted. +# +# Usage: pgdata-signal +# pgdata-signal remove-pid +set -euo pipefail + +# Special-case: remove-pid removes the stale postmaster.pid file that would +# prevent PostgreSQL from starting after a restore. Handled as a single-arg +# command to keep the sudoers entry scoped to this script rather than allowing +# a broad "rm" entry. +if [[ $# -eq 1 && "$1" == "remove-pid" ]]; then + exec /usr/bin/rm -f "/data/pgdata/postmaster.pid" +fi + +if [[ $# -ne 2 ]]; then + echo "usage: pgdata-signal " >&2 + echo " pgdata-signal remove-pid" >&2 + exit 1 +fi + +ACTION="$1" +SIGNAL_TYPE="$2" + +case "$SIGNAL_TYPE" in + recovery) FILE="/data/pgdata/recovery.signal" ;; + standby) FILE="/data/pgdata/standby.signal" ;; + *) + echo "error: unknown signal type '${SIGNAL_TYPE}'; expected recovery or standby" >&2 + exit 1 + ;; +esac + +case "$ACTION" in + create) exec /usr/bin/touch "$FILE" ;; + remove) exec /usr/bin/rm -f "$FILE" ;; + *) + echo "error: unknown action '${ACTION}'; expected create or remove" >&2 + exit 1 + ;; +esac diff --git a/ansible/tasks/internal/supabase-admin-agent.yml b/ansible/tasks/internal/supabase-admin-agent.yml index 0dfc4427ae..266b915aaf 100644 --- a/ansible/tasks/internal/supabase-admin-agent.yml +++ b/ansible/tasks/internal/supabase-admin-agent.yml @@ -31,6 +31,30 @@ dest: /etc/sudoers.d/supabase-admin-agent mode: "0440" +- name: supabase-admin-agent - pgbackrest helper scripts dir + file: + path: /usr/local/lib/supabase-admin-agent + state: directory + owner: root + group: root + mode: "0755" + +- name: supabase-admin-agent - pgdata-chown script + copy: + src: files/supabase_admin_agent_config/pgdata-chown + dest: /usr/local/lib/supabase-admin-agent/pgdata-chown + owner: root + group: root + mode: "0700" + +- name: supabase-admin-agent - pgdata-signal script + copy: + src: files/supabase_admin_agent_config/pgdata-signal + dest: /usr/local/lib/supabase-admin-agent/pgdata-signal + owner: root + group: root + mode: "0700" + - name: Setting arch (x86) set_fact: arch: "x86" diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 53b4602813..6c44cfd51b 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -48,7 +48,6 @@ path: "{{ backrest_dir }}" state: directory loop: - - /etc/pgbackrest/conf.d - /var/lib/pgbackrest - /var/spool/pgbackrest - /var/log/pgbackrest @@ -57,6 +56,16 @@ when: - nixpkg_mode +- name: Create pgBackRest conf.d directory with setgid + ansible.legacy.file: + group: postgres + mode: '02770' + owner: pgbackrest + path: /etc/pgbackrest/conf.d + state: directory + when: + - nixpkg_mode + - name: Symlink pgbackrest.conf ansible.legacy.file: force: true @@ -82,6 +91,14 @@ when: - stage2_nix +- name: pgBackRest - logrotate config + ansible.legacy.copy: + src: files/pgbackrest_config/pgbackrest.logrotate + dest: /etc/logrotate.d/pgbackrest + owner: root + group: root + mode: '0644' + - name: Create pgBackRest wrapper script ansible.builtin.copy: content: | From 892ca921ba59e30034ed46e6c52c2f09641c462b Mon Sep 17 00:00:00 2001 From: Crispy1975 <12525875+Crispy1975@users.noreply.github.com> Date: Fri, 3 Apr 2026 16:12:47 +0100 Subject: [PATCH 2/3] fix: address pgbackrest PR review feedback - pgdata-chown: simplify case; use group=postgres consistently for both ownership targets (pgbackrest:postgres and postgres:postgres) - pgdata-signal: consolidate recovery/standby case into single pattern - pgdata-signal: deploy at mode 0755 so postgres can execute via sudo -u - setup-pgbackrest.yml: combine dir creation into single task with dict loop; conf.d gets 02770 setgid, others get default 0770 - setup-pgbackrest.yml: sort logrotate task keys alphabetically --- .../supabase_admin_agent_config/pgdata-chown | 7 ++---- .../supabase_admin_agent_config/pgdata-signal | 3 +-- .../tasks/internal/supabase-admin-agent.yml | 2 +- ansible/tasks/setup-pgbackrest.yml | 25 ++++++------------- 4 files changed, 12 insertions(+), 25 deletions(-) diff --git a/ansible/files/supabase_admin_agent_config/pgdata-chown b/ansible/files/supabase_admin_agent_config/pgdata-chown index 74d979435d..05af5bd7d9 100644 --- a/ansible/files/supabase_admin_agent_config/pgdata-chown +++ b/ansible/files/supabase_admin_agent_config/pgdata-chown @@ -24,11 +24,8 @@ if [[ "$REAL" != "/data/pgdata" && "$REAL" != /data/pgdata/* ]]; then fi case "$ACTION" in - to-pgbackrest) - exec /usr/bin/chown -R pgbackrest:pgbackrest "$REAL" - ;; - to-postgres) - exec /usr/bin/chown -R postgres:postgres "$REAL" + to-pgbackrest|to-postgres) + exec /usr/bin/chown -R "${ACTION:3}:postgres" "$REAL" ;; *) echo "error: unknown action '${ACTION}'; expected to-pgbackrest or to-postgres" >&2 diff --git a/ansible/files/supabase_admin_agent_config/pgdata-signal b/ansible/files/supabase_admin_agent_config/pgdata-signal index 94a80a7024..15552b36f2 100644 --- a/ansible/files/supabase_admin_agent_config/pgdata-signal +++ b/ansible/files/supabase_admin_agent_config/pgdata-signal @@ -27,8 +27,7 @@ ACTION="$1" SIGNAL_TYPE="$2" case "$SIGNAL_TYPE" in - recovery) FILE="/data/pgdata/recovery.signal" ;; - standby) FILE="/data/pgdata/standby.signal" ;; + recovery|standby) FILE="/data/pgdata/${SIGNAL_TYPE}.signal" ;; *) echo "error: unknown signal type '${SIGNAL_TYPE}'; expected recovery or standby" >&2 exit 1 diff --git a/ansible/tasks/internal/supabase-admin-agent.yml b/ansible/tasks/internal/supabase-admin-agent.yml index 266b915aaf..365ef2ab0a 100644 --- a/ansible/tasks/internal/supabase-admin-agent.yml +++ b/ansible/tasks/internal/supabase-admin-agent.yml @@ -53,7 +53,7 @@ dest: /usr/local/lib/supabase-admin-agent/pgdata-signal owner: root group: root - mode: "0700" + mode: "0755" - name: Setting arch (x86) set_fact: diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 6c44cfd51b..3f89b4e8c9 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -43,29 +43,20 @@ - name: Create needed directories for pgBackRest ansible.legacy.file: group: postgres - mode: '0770' + mode: "{{ backrest_dir['mode'] | default('0770', true) }}" owner: pgbackrest - path: "{{ backrest_dir }}" + path: "{{ backrest_dir['dir'] }}" state: directory loop: - - /var/lib/pgbackrest - - /var/spool/pgbackrest - - /var/log/pgbackrest + - {dir: /etc/pgbackrest/conf.d, mode: '02770'} + - {dir: /var/lib/pgbackrest} + - {dir: /var/spool/pgbackrest} + - {dir: /var/log/pgbackrest} loop_control: loop_var: backrest_dir when: - nixpkg_mode -- name: Create pgBackRest conf.d directory with setgid - ansible.legacy.file: - group: postgres - mode: '02770' - owner: pgbackrest - path: /etc/pgbackrest/conf.d - state: directory - when: - - nixpkg_mode - - name: Symlink pgbackrest.conf ansible.legacy.file: force: true @@ -93,11 +84,11 @@ - name: pgBackRest - logrotate config ansible.legacy.copy: - src: files/pgbackrest_config/pgbackrest.logrotate dest: /etc/logrotate.d/pgbackrest - owner: root group: root mode: '0644' + owner: root + src: files/pgbackrest_config/pgbackrest.logrotate - name: Create pgBackRest wrapper script ansible.builtin.copy: From abe09f7242c736bad5a0e5bcf5d29566813c8935 Mon Sep 17 00:00:00 2001 From: Crispy1975 <12525875+Crispy1975@users.noreply.github.com> Date: Fri, 3 Apr 2026 16:54:26 +0100 Subject: [PATCH 3/3] fix: add missing pgbackrest sudoers entries and pre-create log files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three gaps found by cross-referencing SAA commands against Ansible: 1. adminapi.sudoers.conf: add two entries so adminapi can call the pgbackrest binary via the wrapper. - NewRunner() path: wrapper calls sudo -u pgbackrest , requires adminapi -> pgbackrest NOPASSWD for the real binary path. - NewRunnerAs("pgbackrest") path: SAA does sudo -n -u pgbackrest /usr/bin/pgbackrest, requires adminapi -> pgbackrest NOPASSWD for the wrapper path. 2. setup-pgbackrest.yml: add pgbackrest -> pgbackrest sudoers entry for the real binary. When NewRunnerAs runs the wrapper as the pgbackrest user, the wrapper still calls sudo -u pgbackrest internally; without this entry that inner sudo fails. 3. setup-pgbackrest.yml: pre-create the three SAA log files (saa-pgb.log, wal-push.log, wal-fetch.log) as pgbackrest:postgres 0660. SAA opens them with O_APPEND|O_WRONLY (no O_CREATE) — a missing file causes enable to fail immediately before any pgBackRest work. modification_time/access_time: preserve means the task is idempotent. --- ansible/files/adminapi.sudoers.conf | 2 ++ ansible/tasks/setup-pgbackrest.yml | 17 +++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/ansible/files/adminapi.sudoers.conf b/ansible/files/adminapi.sudoers.conf index ec6a2b3192..dbc353e711 100644 --- a/ansible/files/adminapi.sudoers.conf +++ b/ansible/files/adminapi.sudoers.conf @@ -17,6 +17,8 @@ Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl st %adminapi ALL= NOPASSWD: /usr/bin/systemctl daemon-reload %adminapi ALL= NOPASSWD: /usr/local/lib/supabase-admin-agent/pgdata-chown %adminapi ALL=(postgres) NOPASSWD: /usr/local/lib/supabase-admin-agent/pgdata-signal +%adminapi ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest +%adminapi ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest %adminapi ALL= NOPASSWD: /usr/bin/systemctl start postgresql.service %adminapi ALL= NOPASSWD: /usr/bin/systemctl stop postgresql.service %adminapi ALL= NOPASSWD: /usr/bin/systemctl reload postgresql.service diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml index 3f89b4e8c9..1ef4bf8f83 100644 --- a/ansible/tasks/setup-pgbackrest.yml +++ b/ansible/tasks/setup-pgbackrest.yml @@ -30,6 +30,7 @@ - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/nix' - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/bash' + - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' - name: Install pgBackRest ansible.builtin.shell: | @@ -57,6 +58,22 @@ when: - nixpkg_mode +- name: Pre-create pgBackRest SAA log files + ansible.builtin.file: + access_time: preserve + group: postgres + mode: '0660' + modification_time: preserve + owner: pgbackrest + path: "{{ item }}" + state: touch + loop: + - /var/log/pgbackrest/saa-pgb.log + - /var/log/pgbackrest/wal-push.log + - /var/log/pgbackrest/wal-fetch.log + when: + - nixpkg_mode + - name: Symlink pgbackrest.conf ansible.legacy.file: force: true