Files
Gebos/nix/hosts/db-host.nix
T
Lars Nolden 2ce68cb098
deploy / deploy (push) Successful in 5m57s
check / flake-check (push) Failing after 35m52s
Wire schema v1 into a manual Supabase migration and vendor the real stack
- Move db/schema.sql to supabase/migrations/ as the first supabase CLI
  migration (manual `db push` only, no automated runner); re-add the
  gebos_ingest role + grants there since init.sql never re-runs
- Add gebos-postgres-passwords oneshot on db-host: syncs role passwords
  from sops (LoadCredential, journal-safe), makes supabase_admin
  SUPERUSER and hands the auth schema to supabase_auth_admin to match
  the upstream supabase/postgres image; add pg_hba rule for 10.0.0.0/8
- Vendor the official docker-compose (studio/kong/auth/rest/meta only,
  external Postgres, loopback Studio with no Kong dashboard route) plus
  kong.yml (trimmed) and kong-entrypoint.sh (verbatim); tested: compose
  config, Kong config parse, migration applied on TimescaleDB pg17
- Document decisions as ADRs 0001-0004 (migrations, passwords, vendored
  stack, JWT API keys incl. verify/mint procedure)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-08 22:33:50 +02:00

29 lines
1.0 KiB
Nix

{ config, lib, pkgs, ... }:
{
# Postgres data lives on the dedicated second disk (/dev/sdb), not the OS disk.
# The shared hardware-configuration.nix + sda disk layout come from ./default.nix.
imports = [ ./hardware-configurations/db-data-disk.nix ];
networking.hostName = "db-host";
services.gebos.secrets.postgresAdmin = true;
# The gebos-postgres-passwords oneshot (gebos-postgres.nix) also syncs the
# shared Supabase service-role password and the ingester's password, so
# db-host needs those keys rendered into its env file too.
services.gebos.secrets.supabase = true;
services.gebos.secrets.ingester = true;
services.gebos.postgres = {
enable = true;
listenAddresses = [ "0.0.0.0" ];
# Telemetry, auth, _supavisor, _analytics live in the same cluster.
# See nix/supabase/init.sql for schema/role bootstrap.
};
# Postgres exposed only to the app-host and mqtt-ingest private addresses.
networking.firewall.extraInputRules = ''
ip saddr { 10.0.0.0/8 } tcp dport 5432 accept
'';
}