supabase · jfroche · Aug 4, 2025 · Nov 11, 2025 · Aug 4, 2025 · Aug 12, 2025
@@ -0,0 +1,44 @@
+---
+profile: production
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
+exclude_paths:
+  - .cache/  # implicit unless exclude_paths is defined in config
+  - .github/
+  - ansible/files/
+  - ansible/manifest-playbook.yml
+  - ansible/playbook.yml
+  - ansible/tasks/
+  - audit-specs/
+  - nix/mkdocs.yml
+
+use_default_rules: true
+enable_list:
+  - args
+  - empty-string-compare
+  - no-log-password
+  - no-same-owner
+warn_list:
+  - experimental
+skip_list:
+  - name[casing]
+  - name[prefix]
+  - yaml[line-length]
+  - var-naming[no-role-prefix]
+
+# Offline mode disables installation of requirements.yml
+offline: false
+
+# Make the output more readable
+parseable: true
+
+# Define required Ansible's variables to satisfy syntax check
+# extra_vars:
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+kinds:
+  - tasks: "ansible/tasks/*.yml"
+  - vars: "ansible/vars.yml"
@@ -0,0 +1,27 @@
+name: Ansible Test
+
+on:
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+
+jobs:
+  ansible-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'true'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Run Ansible Test
+        run: nix run .#ansible-test
@@ -0,0 +1,98 @@
+name: Ansible Test Image CI
+
+on:
+  push:
+    branches:
+      - develop
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build-and-push:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+    runs-on: ${{ matrix.arch == 'amd64' && 'blacksmith-16vcpu-ubuntu-2404' || 'blacksmith-16vcpu-ubuntu-2404-arm' }}
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install Nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: true
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build Docker image with Nix
+        run: |
+          echo "Building ansible-test Docker image for ${{ matrix.arch }}..."
+          IMAGE_PATH=$(nix build .#docker-ansible-test --print-out-paths)
+          echo "IMAGE_PATH=$IMAGE_PATH" >> "$GITHUB_ENV"
+
+      - name: Load and push Docker image
+        run: |
+          echo "Loading Docker image..."
+          docker load < "$IMAGE_PATH"
+          docker tag supabase/ansible-test:latest supabase/ansible-test:latest-${{ matrix.arch }}
+          docker push supabase/ansible-test:latest-${{ matrix.arch }}
+
+  create-manifest:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
+    needs: build-and-push
+    runs-on: 'blacksmith-4vcpu-ubuntu-2404'
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Create and push multi-arch manifest
+        run: |
+          docker manifest create supabase/ansible-test:latest \
+            supabase/ansible-test:latest-amd64 \
+            supabase/ansible-test:latest-arm64
+          docker manifest push supabase/ansible-test:latest
+
+  run-ansible-tests:
+    if: github.event_name == 'pull_request' || success()
+    needs: create-manifest
+    runs-on: 'blacksmith-16vcpu-ubuntu-2404'
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install Nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: true
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Ansible tests
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+        run: |
+          docker pull supabase/ansible-test:latest &
+          nix run .#ansible-test
@@ -0,0 +1,27 @@
+name: Check System Manager
+
+on:
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+
+jobs:
+  check-system-manager:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'true'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Run check-system-manager
+        run: nix run .#check-system-manager
@@ -0,0 +1 @@
+../files
@@ -1,78 +1,82 @@
-- name: nginx - system user
+---
+- name: Nginx - system user
   ansible.builtin.user:
-    name: 'nginx'
-    state: 'present'
+    name: nginx
+    state: present
 
 # Kong installation steps from http://archive.vn/3HRQx
-- name: nginx - system dependencies
+- name: Nginx - system dependencies
   ansible.builtin.apt:
     pkg:
       - libpcre3-dev
       - libssl-dev
       - openssl
       - zlib1g-dev
 
-- name: nginx - download source
+- name: Nginx - download source
   ansible.builtin.get_url:
     checksum: "{{ nginx_release_checksum }}"
-    dest: '/tmp/nginx-{{ nginx_release }}.tar.gz'
-    url: "https://nginx.org/download/nginx-{{ nginx_release }}.tar.gz"
+    dest: /tmp/nginx-{{ nginx_release }}.tar.gz
+    url: https://nginx.org/download/nginx-{{ nginx_release }}.tar.gz
+    mode: '0640'
 
-- name: nginx - unpack archive
+- name: Nginx - unpack archive
   ansible.builtin.unarchive:
-    dest: '/tmp'
+    dest: /tmp
     remote_src: true
-    src: "/tmp/nginx-{{ nginx_release }}.tar.gz"
+    src: /tmp/nginx-{{ nginx_release }}.tar.gz
 
-- name: nginx - configure
+- name: Nginx - configure
   ansible.builtin.command:
     argv:
-      - ./configure 
-      - --prefix=/usr/local/nginx 
-      - --conf-path=/etc/nginx/nginx.conf 
-      - --with-http_ssl_module 
-      - --with-http_realip_module 
+      - ./configure
+      - --prefix=/usr/local/nginx
+      - --conf-path=/etc/nginx/nginx.conf
+      - --with-http_ssl_module
+      - --with-http_realip_module
       - --with-threads
+    creates: /tmp/nginx-{{ nginx_release }}/Makefile
   args:
-    chdir: "/tmp/nginx-{{ nginx_release }}"
+    chdir: /tmp/nginx-{{ nginx_release }}
   become: true
 
-- name: nginx - build and install
+- name: Nginx - build and install
   community.general.make:
-    chdir: "/tmp/nginx-{{ nginx_release }}"
+    chdir: /tmp/nginx-{{ nginx_release }}
     jobs: "{{ parallel_jobs | default(omit) }}"
     target: "{{ make_target }}"
   become: true
   loop:
-    - 'build'
-    - 'install'
+    - build
+    - install
   loop_control:
-    loop_var: 'make_target'
+    loop_var: make_target
 
-- name: nginx - hand over ownership of /etc/nginx and /usr/local/nginx to user nginx
+- name: Nginx - hand over ownership of /etc/nginx and /usr/local/nginx to user nginx
   ansible.builtin.file:
-    owner: 'nginx'
+    owner: nginx
     path: "{{ nginx_dir_item }}"
     recurse: true
   loop:
     - /etc/nginx
     - /usr/local/nginx
   loop_control:
-    loop_var: 'nginx_dir_item'
+    loop_var: nginx_dir_item
 
 # [warn] ulimit is currently set to "1024". For better performance set it to at least
 # "4096" using "ulimit -n"
-- name: nginx - bump up ulimit
+- name: Nginx - bump up ulimit
   community.general.pam_limits:
-    domain: 'nginx'
-    limit_item: 'nofile'
-    limit_type: 'soft'
-    value: '4096'
+    domain: nginx
+    limit_item: nofile
+    limit_type: soft
+    value: "4096"
 
-- name: nginx - create service file
+- name: Nginx - create service file
   ansible.builtin.template:
-    dest: '/etc/systemd/system/nginx.service'
-    src: 'files/nginx.service.j2'
+    dest: /etc/systemd/system/nginx.service
+    src: files/nginx.service.j2
+    mode: '0644'
 
 # Keep it dormant for the timebeing
 

@@ -0,0 +1,11 @@
+---
+- name: Check if nix is installed
+  ansible.builtin.command: which nix
+  register: nix_installed
+  failed_when: nix_installed.rc != 0
+  ignore_errors: true
+
+- name: Install nix
+  ansible.builtin.shell: curl --proto '=https' --tlsv1.2 -sSf -L https://artifacts.nixos.org/experimental-installer | sh -s -- install --no-confirm --extra-conf 'substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com' --extra-conf 'trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY='
+  when: nix_installed.rc != 0
+  become: true
@@ -0,0 +1,7 @@
+---
+- name: Deploy system manager
+  ansible.builtin.shell: |
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+    cd /tmp
+    nix run --accept-flake-config /flake#system-manager -- switch --flake /flake
+  become: true