- Move db/schema.sql to supabase/migrations/ as the first supabase CLI
migration (manual `db push` only, no automated runner); re-add the
gebos_ingest role + grants there since init.sql never re-runs
- Add gebos-postgres-passwords oneshot on db-host: syncs role passwords
from sops (LoadCredential, journal-safe), makes supabase_admin
SUPERUSER and hands the auth schema to supabase_auth_admin to match
the upstream supabase/postgres image; add pg_hba rule for 10.0.0.0/8
- Vendor the official docker-compose (studio/kong/auth/rest/meta only,
external Postgres, loopback Studio with no Kong dashboard route) plus
kong.yml (trimmed) and kong-entrypoint.sh (verbatim); tested: compose
config, Kong config parse, migration applied on TimescaleDB pg17
- Document decisions as ADRs 0001-0004 (migrations, passwords, vendored
stack, JWT API keys incl. verify/mint procedure)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Lays out the agreed shape from the design discussion: one flake at the
root with three nixosConfigurations (mqtt-ingest, db-host, app-host),
vendored Supabase docker-compose pointed at the external db-host,
Caddy → Kong → PostgREST/GoTrue, a Go MQTT→Postgres ingester stub,
deploy-rs node map, and a Gitea Actions workflow that deploys in
db → app → ingest order on push to main.
No real implementation yet — every host module has TODOs marking the
gaps (real hardware config, actual hostnames, HiveMQ packaging,
vendor the full upstream Supabase compose, etc.).