active_postgres 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dbeebfa934a6587194e20aa39a3d459b7db2568c996f4faec1b781d70a4254ee
-  data.tar.gz: 47867c12a1fbb44652da9a79bb775ce38aaf8ff7b527a0a14ce0e042ca091877
+  metadata.gz: cccb8eff8b3ff2ae0f3413bef89b81a1b5b487e474222a9ff3e85fc74e57c5e9
+  data.tar.gz: 05a21ba9f1a29b6b5d451b3c059fd6a15135b8d6ecd7bad7d6232e6c30a5d63a
 SHA512:
-  metadata.gz: cd6849746528e378cc7e5d3c7707b20d974dc44cc10e61f4600b7eaccbfd7c9793e20b8741ae7339ab866618aa7357ee6781bf4d7ba7ee0eff959ad9c0af1b24
-  data.tar.gz: fc7635c0908c5920e4f21f702badd030c305819b05e63e6a0a6b54793b563e7338738445d38f11e1269566afba9fb0e6efcbea436287ace088518f6bce42a777
+  metadata.gz: '05819a2a73506fb087831e9ad69b6901b8bd6f14f0559a8e08d8c7fbbbff5c20eabc616bf0c862dd95757dab18a52666d8c0c1c00a63dc23b2094849160ce80b'
+  data.tar.gz: 2733384099851358c38788c41f77768e7a781cd99b7492aa4c10c85758a520167ad954657e0842d7b55681b2f932515933e887706ba3e2d39a50c44fdbd1e7e5

data/lib/active_postgres/cluster_deployment_flow.rb

@@ -54,6 +54,9 @@ module ActivePostgres
 
       # Create application users AFTER repmgr to avoid being wiped by cluster recreation
       create_application_users_if_configured
+
+      # Update pgbouncer userlist AFTER app users are created so they can authenticate
+      update_pgbouncer_userlist if config.component_enabled?(:pgbouncer)
     end
 
     def list_next_steps
@@ -81,5 +84,12 @@ module ActivePostgres
       core_component = Components::Core.new(config, ssh_executor, secrets)
       core_component.create_application_users
     end
+
+    def update_pgbouncer_userlist
+      logger.task('Updating PgBouncer userlist with app users') do
+        component = Components::PgBouncer.new(config, ssh_executor, secrets)
+        component.update_userlist
+      end
+    end
   end
 end

data/lib/active_postgres/components/core.rb

@@ -11,11 +11,16 @@ module ActivePostgres
         # See: create_application_user_and_database method called from deployment flow
 
         # Install on standbys
-        # If repmgr is enabled, only install packages (cluster will be cloned by repmgr)
-        # If repmgr is disabled, install everything including cluster creation
         config.standby_hosts.each do |host|
           if config.component_enabled?(:repmgr)
-            install_packages_only(host)
+            # Check if cluster already exists (config update vs fresh install)
+            if cluster_exists?(host)
+              # Existing cluster - just update configs
+              update_configs_on_host(host)
+            else
+              # Fresh install - only install packages, repmgr will clone the cluster
+              install_packages_only(host)
+            end
           else
             install_on_host(host, is_primary: false)
           end
@@ -62,6 +67,10 @@ module ActivePostgres
                     else
                       component_config[:postgresql] || {}
                     end
+
+        # Substitute ${private_ip} with the host's actual private IP
+        private_ip = config.replication_host_for(host)
+        pg_config = substitute_private_ip(pg_config, private_ip)
         _ = pg_config # Used in ERB template
 
         upload_template(host, 'postgresql.conf.erb', "/etc/postgresql/#{config.version}/main/postgresql.conf", binding,
@@ -87,11 +96,99 @@ module ActivePostgres
         optimal_settings.merge(user_postgresql)
       end
 
+      def substitute_private_ip(pg_config, private_ip)
+        pg_config.transform_values do |value|
+          if value.is_a?(String)
+            value.gsub('${private_ip}', private_ip)
+          else
+            value
+          end
+        end
+      end
+
       def install_packages_only(host)
         puts "  Installing packages on #{host} (cluster will be created by repmgr)..."
         ssh_executor.install_postgres(host, config.version)
       end
 
+      def cluster_exists?(host)
+        exists = false
+        version = config.version
+        ssh_executor.execute_on_host(host) do
+          exists = test(:sudo, 'test', '-d', "/var/lib/postgresql/#{version}/main/base")
+        end
+        exists
+      end
+
+      def update_configs_on_host(host)
+        puts "  Updating configs on #{host}..."
+
+        component_config = config.component_config(:core)
+
+        pg_config = if config.component_enabled?(:performance_tuning)
+                      tuned = calculate_tuned_settings(host, component_config)
+                      # Standbys must have replication-critical settings >= primary
+                      ensure_standby_compatible(tuned)
+                    else
+                      component_config[:postgresql] || {}
+                    end
+
+        private_ip = config.replication_host_for(host)
+        pg_config = substitute_private_ip(pg_config, private_ip)
+        _ = pg_config
+
+        upload_template(host, 'postgresql.conf.erb', "/etc/postgresql/#{config.version}/main/postgresql.conf", binding,
+                        owner: 'postgres:postgres')
+        upload_template(host, 'pg_hba.conf.erb', "/etc/postgresql/#{config.version}/main/pg_hba.conf", binding,
+                        owner: 'postgres:postgres')
+
+        ssh_executor.restart_postgres(host, config.version)
+      end
+
+      def ensure_standby_compatible(pg_config)
+        primary_settings = get_primary_replication_settings
+        return pg_config if primary_settings.empty?
+
+        adjustments = []
+
+        %i[max_connections max_worker_processes max_wal_senders
+           max_prepared_transactions max_locks_per_transaction].each do |setting|
+          primary_val = primary_settings[setting]
+          next unless primary_val
+
+          current_val = pg_config[setting]
+          if current_val.nil? || current_val.to_i < primary_val.to_i
+            adjustments << "#{setting}: #{current_val || 'unset'} → #{primary_val}"
+            pg_config[setting] = primary_val
+          end
+        end
+
+        if adjustments.any?
+          puts "  ⚠️  Adjusting standby settings to match primary minimum:"
+          adjustments.each { |adj| puts "      #{adj}" }
+        end
+
+        pg_config
+      end
+
+      def get_primary_replication_settings
+        @primary_replication_settings ||= begin
+          settings = {}
+          sql = "SELECT name || '=' || setting FROM pg_settings WHERE name IN ('max_connections', 'max_worker_processes', 'max_wal_senders', 'max_prepared_transactions', 'max_locks_per_transaction')"
+          result = ssh_executor.run_sql(config.primary_host, sql)
+          result.strip.split("\n").each do |line|
+            name, val = line.split('=')
+            next unless name && val
+
+            settings[name.strip.to_sym] = val.strip.to_i
+          end
+          settings
+        rescue StandardError => e
+          puts "  Warning: Could not get primary settings: #{e.message}"
+          {}
+        end
+      end
+
       def create_app_user_and_database(host)
         app_user = config.app_user
         app_database = config.app_database

data/lib/active_postgres/components/pgbackrest.rb

@@ -4,14 +4,22 @@ module ActivePostgres
       def install
         puts 'Installing pgBackRest for backups...'
 
-        install_on_host(config.primary_host)
+        # Install on primary with full setup (stanza-create)
+        install_on_host(config.primary_host, create_stanza: true)
+
+        # Install on standbys (package + config only, no stanza-create)
+        config.standby_hosts.each do |host|
+          install_on_host(host, create_stanza: false)
+        end
       end
 
       def uninstall
         puts 'Uninstalling pgBackRest...'
 
-        ssh_executor.execute_on_host(config.primary_host) do
-          execute :sudo, 'apt-get', 'remove', '-y', 'pgbackrest'
+        config.all_hosts.each do |host|
+          ssh_executor.execute_on_host(host) do
+            execute :sudo, 'apt-get', 'remove', '-y', 'pgbackrest'
+          end
         end
       end
 
@@ -55,7 +63,7 @@ module ActivePostgres
 
       private
 
-      def install_on_host(host)
+      def install_on_host(host, create_stanza: true)
         puts "  Installing pgBackRest on #{host}..."
 
         pgbackrest_config = config.component_config(:pgbackrest)
@@ -86,7 +94,10 @@ module ActivePostgres
           execute :sudo, 'mkdir', '-p', '/var/spool/pgbackrest'
           execute :sudo, 'chown', "#{postgres_user}:#{postgres_user}", '/var/spool/pgbackrest'
 
-          execute :sudo, '-u', postgres_user, 'pgbackrest', '--stanza=main', 'stanza-create'
+          # Only create stanza on primary - standbys share the same backup repo
+          if create_stanza
+            execute :sudo, '-u', postgres_user, 'pgbackrest', '--stanza=main', 'stanza-create'
+          end
         end
       end
     end

data/lib/active_postgres/components/pgbouncer.rb

@@ -4,27 +4,49 @@ module ActivePostgres
       def install
         puts 'Installing PgBouncer for connection pooling...'
 
-        # Install on primary (can also install on standbys if needed)
-        install_on_host(config.primary_host)
+        config.all_hosts.each do |host|
+          install_on_host(host)
+        end
       end
 
       def uninstall
         puts 'Uninstalling PgBouncer...'
 
-        ssh_executor.execute_on_host(config.primary_host) do
-          execute :sudo, 'systemctl', 'stop', 'pgbouncer'
-          execute :sudo, 'apt-get', 'remove', '-y', 'pgbouncer'
+        config.all_hosts.each do |host|
+          ssh_executor.execute_on_host(host) do
+            execute :sudo, 'systemctl', 'stop', 'pgbouncer'
+            execute :sudo, 'apt-get', 'remove', '-y', 'pgbouncer'
+          end
         end
       end
 
       def restart
         puts 'Restarting PgBouncer...'
 
-        ssh_executor.execute_on_host(config.primary_host) do
-          execute :sudo, 'systemctl', 'restart', 'pgbouncer'
+        config.all_hosts.each do |host|
+          ssh_executor.execute_on_host(host) do
+            execute :sudo, 'systemctl', 'restart', 'pgbouncer'
+          end
         end
       end
 
+      def update_userlist
+        puts 'Updating PgBouncer userlist on all hosts...'
+
+        config.all_hosts.each do |host|
+          create_userlist(host)
+
+          ssh_executor.execute_on_host(host) do
+            execute :sudo, 'systemctl', 'reload', 'pgbouncer'
+          end
+        end
+      end
+
+      def install_on_standby(standby_host)
+        puts "Installing PgBouncer on standby #{standby_host}..."
+        install_on_host(standby_host)
+      end
+
       private
 
       def install_on_host(host)

data/lib/active_postgres/components/ssl.rb

@@ -14,7 +14,6 @@ module ActivePostgres
       end
 
       def restart
-        # SSL doesn't have its own service, restart PostgreSQL
         ssh_executor.restart_postgres(config.primary_host)
 
         config.standby_hosts.each do |host|
@@ -37,7 +36,6 @@ module ActivePostgres
 
         ssh_executor.ensure_postgres_user(host)
 
-        # Ensure the PostgreSQL config directory exists
         ssh_executor.execute_on_host(host) do
           execute :sudo, 'mkdir', '-p', "/etc/postgresql/#{version}/main"
           execute :sudo, 'chown', 'postgres:postgres', "/etc/postgresql/#{version}/main"
@@ -47,17 +45,31 @@ module ActivePostgres
         ssl_key = secrets.resolve('ssl_key')
 
         if ssl_cert && ssl_key
-          puts '  Using SSL certificates from secrets...'
-          ssh_executor.upload_file(host, ssl_cert, "/etc/postgresql/#{version}/main/server.crt", mode: '644',
-                                                                                                 owner: 'postgres:postgres')
-          ssh_executor.upload_file(host, ssl_key, "/etc/postgresql/#{version}/main/server.key", mode: '600',
-                                                                                                owner: 'postgres:postgres')
+          install_custom_cert(host, ssl_cert, ssl_key, ssl_config)
         else
           puts '  Generating self-signed SSL certificates...'
           generate_self_signed_cert(host, ssl_config)
         end
       end
 
+      def install_custom_cert(host, ssl_cert, ssl_key, _ssl_config)
+        version = config.version
+        ssl_chain = secrets.resolve('ssl_chain')
+
+        puts '  Using SSL certificates from secrets...'
+
+        full_cert = if ssl_chain
+                      "#{ssl_cert.strip}\n#{ssl_chain.strip}\n"
+                    else
+                      ssl_cert
+                    end
+
+        ssh_executor.upload_file(host, full_cert, "/etc/postgresql/#{version}/main/server.crt",
+                                 mode: '644', owner: 'postgres:postgres')
+        ssh_executor.upload_file(host, ssl_key, "/etc/postgresql/#{version}/main/server.key",
+                                 mode: '600', owner: 'postgres:postgres')
+      end
+
       def generate_self_signed_cert(host, ssl_config)
         version = config.version
         cert_path = "/etc/postgresql/#{version}/main/server.crt"

data/lib/active_postgres/generators/active_postgres/templates/database.active_postgres.yml.erb

@@ -0,0 +1 @@
+<%= ActivePostgres::Rails::DatabaseConfig.render_partial('production', app_name: boring_app_name).strip %>

data/lib/active_postgres/generators/active_postgres/templates/postgres.yml.erb

@@ -0,0 +1,85 @@
+# PostgreSQL High Availability Configuration
+# Generated by active_postgres
+#
+# 💡 Either:
+#   1. Edit this file manually with your database servers
+#   2. Use Terraform to auto-generate this file
+#
+# See: config/postgres.example.yml in gem for full examples
+
+shared: &shared
+  version: 18
+  user: ubuntu
+  ssh_key: ~/.ssh/id_rsa
+
+  components:
+    core:
+      locale: en_US.UTF-8
+      encoding: UTF8
+      # Optional: Override default PostgreSQL user and app database config
+      # postgres_user: postgres
+      # app_user: app
+      # app_database: app_production
+      postgresql:
+        listen_addresses: '*'
+        port: 5432
+        max_connections: 100
+        shared_buffers: 256MB
+
+    repmgr:
+      enabled: false
+      # Optional: Override default repmgr user/database
+      # user: repmgr
+      # database: repmgr
+
+    pgbouncer:
+      enabled: false
+      # Optional: Override default pgbouncer user
+      # user: pgbouncer
+    
+    pgbackrest:
+      enabled: false
+    
+    monitoring:
+      enabled: false
+    
+    ssl:
+      enabled: false
+
+development:
+  <<: *shared
+  primary:
+    host: localhost
+    port: 5432
+
+production:
+  <<: *shared
+
+  # TODO: Configure your primary database server
+  # host: Public IP for SSH deployment (like Kamal)
+  # private_ip: Private/VPC IP for database connections (optional, falls back to host)
+  primary:
+    host: YOUR_PRIMARY_PUBLIC_IP
+    private_ip: YOUR_PRIMARY_PRIVATE_IP
+    label: us-east-1
+
+  # TODO: Add standby servers for HA (optional)
+  # standby:
+  #   - host: YOUR_STANDBY_PUBLIC_IP
+  #     private_ip: YOUR_STANDBY_PRIVATE_IP
+  #     label: us-west-2
+  
+  # Enable components as needed
+  components:
+    repmgr:
+      enabled: false  # Enable for HA with standbys
+  
+  # Secrets: Using Rails credentials (update via: rails credentials:edit)
+  # The rails_credentials: prefix fetches values from Rails.application.credentials
+  secrets:
+    superuser_password: rails_credentials:postgres.superuser_password
+    replication_password: rails_credentials:postgres.replication_password
+    repmgr_password: rails_credentials:postgres.repmgr_password
+    pgbouncer_password: rails_credentials:postgres.password
+    app_password: rails_credentials:postgres.password
+

data/lib/active_postgres/health_checker.rb

@@ -51,6 +51,27 @@ module ActivePostgres
         end
       end
 
+      # Check pgbouncer on all hosts
+      if config.component_enabled?(:pgbouncer)
+        puts
+        puts '==> Checking PgBouncer...'
+        config.all_hosts.each do |host|
+          print "PgBouncer (#{host})... "
+          pgbouncer_ok = check_pgbouncer_running(host)
+          userlist_ok = check_pgbouncer_userlist(host)
+
+          if pgbouncer_ok && userlist_ok
+            puts '✓'
+          elsif pgbouncer_ok && !userlist_ok
+            puts '✗ (missing app user in userlist)'
+            all_ok = false
+          else
+            puts '✗'
+            all_ok = false
+          end
+        end
+      end
+
       puts
       if all_ok
         puts '✓ All checks passed'
@@ -99,7 +120,8 @@ module ActivePostgres
         label: primary_config&.dig('label') || '-',
         status: check_postgres_running(config.primary_host) ? '✓ running' : '✗ down',
         connections: get_connection_count(config.primary_host),
-        lag: '-'
+        lag: '-',
+        pgbouncer: check_pgbouncer_status(config.primary_host)
       }
 
       # Standbys
@@ -114,7 +136,8 @@ module ActivePostgres
           label: standby_config&.dig('label') || '-',
           status: running ? '✓ streaming' : '✗ down',
           connections: running ? get_connection_count(host) : 0,
-          lag: running ? get_replication_lag(host) : '-'
+          lag: running ? get_replication_lag(host) : '-',
+          pgbouncer: check_pgbouncer_status(host)
         }
       end
 
@@ -128,7 +151,7 @@ module ActivePostgres
     end
 
     def calculate_column_widths(nodes)
-      {
+      cols = {
         role: [4, nodes.map { |n| n[:role].length }.max].max,
         host: [4, nodes.map { |n| n[:host].length }.max].max,
         private_ip: [10, nodes.map { |n| n[:private_ip].to_s.length }.max].max,
@@ -137,12 +160,25 @@ module ActivePostgres
         conn: 5,
         lag: [3, nodes.map { |n| n[:lag].to_s.length }.max].max
       }
+
+      if config.component_enabled?(:pgbouncer)
+        cols[:pgbouncer] = [9, nodes.map { |n| n[:pgbouncer].to_s.length }.max].max
+      end
+
+      cols
     end
 
     def print_table_header(cols)
       fmt = "%-#{cols[:role]}s  %-#{cols[:host]}s  %-#{cols[:private_ip]}s  " \
             "%-#{cols[:label]}s  %-#{cols[:status]}s  %#{cols[:conn]}s  %#{cols[:lag]}s"
-      header = format(fmt, 'Role', 'Host', 'Private IP', 'Label', 'Status', 'Conn', 'Lag')
+      headers = %w[Role Host Private\ IP Label Status Conn Lag]
+
+      if cols[:pgbouncer]
+        fmt += "  %-#{cols[:pgbouncer]}s"
+        headers << 'PgBouncer'
+      end
+
+      header = format(fmt, *headers)
       puts header
       puts '-' * header.length
     end
@@ -150,8 +186,15 @@ module ActivePostgres
     def print_table_row(node, cols)
       fmt = "%-#{cols[:role]}s  %-#{cols[:host]}s  %-#{cols[:private_ip]}s  " \
             "%-#{cols[:label]}s  %-#{cols[:status]}s  %#{cols[:conn]}d  %#{cols[:lag]}s"
-      puts format(fmt, node[:role], node[:host], node[:private_ip], node[:label],
-                  node[:status], node[:connections], node[:lag])
+      values = [node[:role], node[:host], node[:private_ip], node[:label],
+                node[:status], node[:connections], node[:lag]]
+
+      if cols[:pgbouncer]
+        fmt += "  %-#{cols[:pgbouncer]}s"
+        values << node[:pgbouncer]
+      end
+
+      puts format(fmt, *values)
     end
 
     def print_components
@@ -240,5 +283,37 @@ module ActivePostgres
       mb = kb / 1024.0
       "#{mb.round(1)} MB"
     end
+
+    def check_pgbouncer_status(host)
+      return '-' unless config.component_enabled?(:pgbouncer)
+
+      ssh_executor.execute_on_host(host) do
+        result = capture(:sudo, 'systemctl', 'is-active', 'pgbouncer').strip
+        result == 'active' ? '✓ running' : '✗ down'
+      end
+    rescue StandardError
+      '✗ down'
+    end
+
+    def check_pgbouncer_running(host)
+      ssh_executor.execute_on_host(host) do
+        result = capture(:sudo, 'systemctl', 'is-active', 'pgbouncer').strip
+        result == 'active'
+      end
+    rescue StandardError
+      false
+    end
+
+    def check_pgbouncer_userlist(host)
+      app_user = config.app_user
+      return true unless app_user # No app user configured, skip check
+
+      ssh_executor.execute_on_host(host) do
+        userlist = capture(:sudo, 'cat', '/etc/pgbouncer/userlist.txt').strip
+        userlist.include?(app_user)
+      end
+    rescue StandardError
+      false
+    end
   end
 end

data/lib/active_postgres/ssh_executor.rb

@@ -280,7 +280,9 @@ module ActivePostgres
           keys_only: true,
           forward_agent: false,
           auth_methods: ['publickey'],
-          verify_host_key: :never
+          verify_host_key: :accept_new,
+          timeout: 10,
+          number_of_password_prompts: 0
         }
       end
     end

data/lib/active_postgres/standby_deployment_flow.rb

@@ -95,7 +95,7 @@ module ActivePostgres
     def deploy_pgbouncer
       logger.task('Setting up pgbouncer on standby') do
         component = Components::PgBouncer.new(config, ssh_executor, secrets)
-        component.install_on_standby(standby_host) if component.respond_to?(:install_on_standby)
+        component.install_on_standby(standby_host)
       end
     end
 

data/lib/active_postgres/version.rb

@@ -1,3 +1,3 @@
 module ActivePostgres
-  VERSION = '0.4.0'.freeze
+  VERSION = '0.6.0'.freeze
 end

data/lib/tasks/postgres.rake

@@ -336,6 +336,24 @@ namespace :postgres do
   end
 
   namespace :setup do
+    desc 'Setup only core PostgreSQL (updates postgresql.conf and pg_hba.conf)'
+    task core: :environment do
+      require 'active_postgres'
+
+      config = ActivePostgres::Configuration.load
+      installer = ActivePostgres::Installer.new(config)
+      installer.setup_component('core')
+    end
+
+    desc 'Setup only SSL certificates'
+    task ssl: :environment do
+      require 'active_postgres'
+
+      config = ActivePostgres::Configuration.load
+      installer = ActivePostgres::Installer.new(config)
+      installer.setup_component('ssl')
+    end
+
     desc 'Setup only PgBouncer'
     task pgbouncer: :environment do
       require 'active_postgres'
@@ -508,6 +526,18 @@ namespace :postgres do
           key_valid = test('[ -f /etc/postgresql/*/main/server.key ]')
           if cert_valid && key_valid
             info '   Certificates: Present ✅'
+            cert_issuer = begin
+              capture(:sudo, 'openssl', 'x509', '-in', "/etc/postgresql/#{config.version}/main/server.crt",
+                      '-noout', '-issuer', '2>/dev/null').strip
+            rescue StandardError
+              nil
+            end
+            if cert_issuer
+              issuer_o = cert_issuer.match(/O\s*=\s*"?([^",\/]+)"?/)&.captures&.first
+              issuer_cn = cert_issuer.match(/CN\s*=\s*([^,\/]+)/)&.captures&.first
+              issuer_name = issuer_o || issuer_cn || cert_issuer.sub('issuer=', '')
+              info "   Issuer: #{issuer_name.strip}"
+            end
             results[:passed] << "#{label}: SSL enabled with certificates"
           else
             warn '   Certificates: Missing ⚠️'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: active_postgres
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - BoringCache
@@ -172,6 +172,8 @@ files:
 - lib/active_postgres/error_handler.rb
 - lib/active_postgres/failover.rb
 - lib/active_postgres/generators/active_postgres/install_generator.rb
+- lib/active_postgres/generators/active_postgres/templates/database.active_postgres.yml.erb
+- lib/active_postgres/generators/active_postgres/templates/postgres.yml.erb
 - lib/active_postgres/health_checker.rb
 - lib/active_postgres/installer.rb
 - lib/active_postgres/log_sanitizer.rb
@@ -218,7 +220,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.7.2
 specification_version: 4
 summary: PostgreSQL High Availability for Rails, made simple
 test_files: []