Compose-Stack-Stabilisierungen + Gitea-Registry-Image
- App-Image wird jetzt aus Gitea-Container-Registry gepullt (git.kgva.ch/karim/rapport-app:main) — kein lokaler Build mehr noetig. build:-Section bleibt fuer Dev-Workflow. - DB-Port nur noch auf 127.0.0.1 gebunden — kein direkter LAN-Zugriff zur Postgres mehr (Kong-Proxy ist der einzige Weg). - DB-Healthcheck: start_period 30s + 20 retries — Migrations + Schema-Init brauchen beim Erst-Start laenger als 50s. - Realtime: DB_AFTER_CONNECT_QUERY zeigt jetzt auf 'realtime' (ohne Underscore). - App-Image-HEALTHCHECK: wget http://127.0.0.1/ statt localhost (IPv6-Fall). - Init-Setup: zz-rapport-post-init.sh statt 00-init.sh, plus rapport-migrations als separater Mount unter /rapport-migrations.
This commit is contained in:
@@ -1,64 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Postgres-Init-Script — läuft beim ersten Start des db-Containers.
|
||||
#
|
||||
# 1. Legt die Supabase-Standard-Rollen an (anon, authenticated, service_role,
|
||||
# supabase_auth_admin, supabase_storage_admin, authenticator).
|
||||
# Diese referenzieren die in den Rapport-Migrations definierten Policies.
|
||||
# 2. Wendet alle Rapport-Migrations aus ./migrations/ in alphabetischer
|
||||
# Reihenfolge an.
|
||||
#
|
||||
# Nach diesem Script ist die DB einsatzbereit.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
echo "→ Supabase-Standard-Rollen anlegen…"
|
||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres <<-EOSQL
|
||||
-- Standard-Rollen (idempotent)
|
||||
do \$\$ begin
|
||||
if not exists (select 1 from pg_roles where rolname = 'anon') then
|
||||
create role anon nologin noinherit;
|
||||
end if;
|
||||
if not exists (select 1 from pg_roles where rolname = 'authenticated') then
|
||||
create role authenticated nologin noinherit;
|
||||
end if;
|
||||
if not exists (select 1 from pg_roles where rolname = 'service_role') then
|
||||
create role service_role nologin noinherit bypassrls;
|
||||
end if;
|
||||
if not exists (select 1 from pg_roles where rolname = 'authenticator') then
|
||||
execute format('create role authenticator noinherit login password %L', current_setting('rapport.postgres_password', true));
|
||||
end if;
|
||||
if not exists (select 1 from pg_roles where rolname = 'supabase_auth_admin') then
|
||||
execute format('create role supabase_auth_admin login password %L', current_setting('rapport.postgres_password', true));
|
||||
end if;
|
||||
if not exists (select 1 from pg_roles where rolname = 'supabase_storage_admin') then
|
||||
execute format('create role supabase_storage_admin login password %L', current_setting('rapport.postgres_password', true));
|
||||
end if;
|
||||
if not exists (select 1 from pg_roles where rolname = 'supabase_admin') then
|
||||
execute format('create role supabase_admin superuser login password %L', current_setting('rapport.postgres_password', true));
|
||||
end if;
|
||||
end \$\$;
|
||||
|
||||
grant anon to authenticator;
|
||||
grant authenticated to authenticator;
|
||||
grant service_role to authenticator;
|
||||
|
||||
-- auth-Schema (für GoTrue)
|
||||
create schema if not exists auth authorization supabase_auth_admin;
|
||||
|
||||
-- storage-Schema (für Storage-Service)
|
||||
create schema if not exists storage authorization supabase_storage_admin;
|
||||
|
||||
-- pgcrypto + andere Extensions
|
||||
create extension if not exists pgcrypto;
|
||||
create extension if not exists "uuid-ossp";
|
||||
EOSQL
|
||||
|
||||
echo "→ Rapport-Migrations applizieren…"
|
||||
for f in /docker-entrypoint-initdb.d/migrations/*.sql; do
|
||||
if [ -f "$f" ]; then
|
||||
echo " → $(basename "$f")"
|
||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres -f "$f"
|
||||
fi
|
||||
done
|
||||
|
||||
echo "✓ DB-Initialisierung abgeschlossen."
|
||||
Executable
+39
@@ -0,0 +1,39 @@
|
||||
#!/usr/bin/env bash
|
||||
# Wird als LETZTES File in /docker-entrypoint-initdb.d/ ausgeführt — nach den
|
||||
# supabase-internen Init-Scripts (auth-schema, storage-schema, postgrest-roles,
|
||||
# realtime-schema, supabase_admin-Setup, etc.). Erst hier kann auf auth.users
|
||||
# als FK-Target referenziert werden.
|
||||
#
|
||||
# Applies die Rapport-Schema-Migrations aus /rapport-migrations/ als
|
||||
# supabase_admin (Default-Superuser des supabase/postgres-Image).
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Die supabase-internen Rollen werden vom Image mit Default-Passwörtern angelegt.
|
||||
# GoTrue, PostgREST, Realtime und Storage verbinden sich aber mit POSTGRES_PASSWORD —
|
||||
# daher müssen wir die Passwörter angleichen, sonst SASL/MD5-Auth-Fehler.
|
||||
echo "→ Setze Passwörter für Supabase-Service-Rollen auf POSTGRES_PASSWORD…"
|
||||
psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d "${POSTGRES_DB:-postgres}" <<EOF
|
||||
alter user authenticator with password '${POSTGRES_PASSWORD}';
|
||||
alter user supabase_auth_admin with password '${POSTGRES_PASSWORD}';
|
||||
alter user supabase_storage_admin with password '${POSTGRES_PASSWORD}';
|
||||
alter user supabase_replication_admin with password '${POSTGRES_PASSWORD}';
|
||||
alter user supabase_read_only_user with password '${POSTGRES_PASSWORD}';
|
||||
EOF
|
||||
echo "✓ Service-Rollen-Passwörter aktualisiert."
|
||||
|
||||
MIG_DIR=/rapport-migrations
|
||||
|
||||
if [ ! -d "$MIG_DIR" ]; then
|
||||
echo "→ $MIG_DIR fehlt — Rapport-Migrations werden NICHT angewendet."
|
||||
echo " Run scripts/sync-migrations.sh vor docker compose up."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "→ Apply Rapport-Migrations als supabase_admin…"
|
||||
for sql in "$MIG_DIR"/*.sql; do
|
||||
[ -f "$sql" ] || continue
|
||||
echo " ▸ $(basename "$sql")"
|
||||
psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d "${POSTGRES_DB:-postgres}" -f "$sql"
|
||||
done
|
||||
echo "✓ Rapport-Schema bereit."
|
||||
Reference in New Issue
Block a user