ubicloud/rhizome/postgres/bin/configure

#!/bin/env ruby
# frozen_string_literal: true

require "json"
require_relative "../../common/lib/util"
require_relative "../lib/pgbouncer_setup"

if ARGV.count != 1
  fail "Wrong number of arguments. Expected 1, Given #{ARGV.count}"
end

v = ARGV[0]
configure_hash = JSON.parse($stdin.read)

# Update /etc/hosts
hosts = <<-HOSTS
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
#{configure_hash["hosts"]}
HOSTS
safe_write_to_file("/etc/hosts", hosts)

# Update postgresql.conf
configs = configure_hash["configs"].map { |k, v| "#{k} = #{v}" }.join("\n")
safe_write_to_file("/etc/postgresql/#{v}/main/conf.d/001-service.conf", configs)

# Update postgresql.conf with custom settings
user_configs = configure_hash["user_config"].map { |k, v| "#{k} = #{v}" }.join("\n")
safe_write_to_file("/etc/postgresql/#{v}/main/conf.d/099-user.conf", user_configs)

# Update pg_hba.conf
private_subnets = configure_hash["private_subnets"].flat_map {
  [
    "host    all             all             #{_1["net4"]}                     scram-sha-256",
    "host    all             all             #{_1["net6"]}                     scram-sha-256"
  ]
}.join("\n")

pg_hba_entries = <<-PG_HBA
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file.

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# Database administrative login by Unix domain socket
local   all             postgres                                peer map=system2postgres
local   all             pgbouncer                               peer map=system2pgbouncer

# Allow connections from localhost with ubi_monitoring OS user as
# ubi_monitoring database user. This will be used by postgres_exporter
# to scrape metrics and expose them to prometheus.
local   all             ubi_monitoring                          peer

# "local" is for Unix domain socket connections only
# Use SCRAM authentication for all local connections to allow pgbouncer
# passthrough to work for all non-unix users
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256

# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256

# Allow connections from private subnet with SCRAM authentication
#{private_subnets}

# Allow replication connection using special replication user for
# HA standbys
hostssl replication     ubi_replication all                     cert map=standby2replication

# Allow connections from public internet with md5 authentication
# Note that if the password is encrypted as scram-sha-256, PostgreSQL
# still uses scram-sha-256 for authentication.
host    all             all             all                     md5
PG_HBA
safe_write_to_file("/etc/postgresql/#{v}/main/pg_hba.conf", pg_hba_entries)

identity = configure_hash["identity"]
pg_ident_entries = <<-PG_IDENT
# PostgreSQL User Name Maps
# =========================
#
# Refer to the PostgreSQL documentation, chapter "Client
# Authentication" for a complete description.
# MAPNAME             SYSTEM-USERNAME         PG-USERNAME
system2postgres       postgres                postgres
system2pgbouncer      postgres                pgbouncer
system2postgres       ubi                     postgres
standby2replication   #{identity}             ubi_replication
PG_IDENT
safe_write_to_file("/etc/postgresql/#{v}/main/pg_ident.conf", pg_ident_entries)

# Create drop-in directory for postgresql@.service to override
# the default systemd service file with a custom ExecStartPre to configure hugepages.
r "mkdir -p /etc/systemd/system/postgresql@.service.d"
execstartpre_hugepages_conf = <<-HUGEPAGES_CONF
[Service]
ExecStartPre=/home/ubi/postgres/bin/configure-hugepages %i
HUGEPAGES_CONF
safe_write_to_file("/etc/systemd/system/postgresql@.service.d/hugepages.conf", execstartpre_hugepages_conf)

# Reload the postmaster to apply changes
r "pg_ctlcluster #{v} main reload || pg_ctlcluster #{v} main restart"

pgbouncer_setup = PgBouncerSetup.new(v, configure_hash["configs"]["max_connections"], configure_hash["pgbouncer_instances"], configure_hash["pgbouncer_user_config"])
pgbouncer_setup.setup