active_postgres 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c54d617bfe700f38f1be17b6ff66e630bde27185b0dfdbeae52ef9472a25fd2
-  data.tar.gz: 92b80059f95ce83b62de7b047c0827906314d43a737360b32c88de67b4b2b11f
+  metadata.gz: 503ec5557f2365458cfe544af059bb5636e82be153a58926978c62ff43384b6f
+  data.tar.gz: 20d9bad0c0cbde26d214d304f379854d8d8dd548f06f86462840dad56f0f4580
 SHA512:
-  metadata.gz: 2a55cf101289b0c3a7f88494b79abd6bd61d2f47d9946308da3612dc5be5334013d455c08ef923202679a14f0aba1a1749c33e8164c85f744e5ff32d2fe99776
-  data.tar.gz: 1c07e9b4fa3d29a6d11cf960d2836c930d64adca20104b8e2911b2d828e0c19b9e2e20d9b46d4491f22ea9b59b7cc56838c648b1dc1fc40351faece92043bfdd
+  metadata.gz: 26ad8c310458b4e4ecdce1586b98cce9b062260b060e8779481e965c3d2c3d092a93691956372dbf62bd3e138d2b68e97b9dc135748da8a5f4481b683d739c1b
+  data.tar.gz: c9ee9f54f725cf43398815a79c621579ac1dad70b36ab997a413905a8cd5222eea42ca0e3397928f26ccf48fc1f1c10da18d9aef31cabfd62eff4ab3aadd0f84

data/lib/active_postgres/components/base.rb

@@ -23,6 +23,16 @@ module ActivePostgres
 
       protected
 
+      def substitute_private_ip(pg_config, private_ip)
+        pg_config.transform_values do |value|
+          if value.is_a?(String)
+            value.gsub('${private_ip}', private_ip)
+          else
+            value
+          end
+        end
+      end
+
       def render_template(template_name, binding_context)
         template_path = File.join(ActivePostgres.root, 'templates', template_name)
         template = ERB.new(File.read(template_path), trim_mode: '-')

data/lib/active_postgres/components/core.rb

@@ -11,11 +11,16 @@ module ActivePostgres
         # See: create_application_user_and_database method called from deployment flow
 
         # Install on standbys
-        # If repmgr is enabled, only install packages (cluster will be cloned by repmgr)
-        # If repmgr is disabled, install everything including cluster creation
         config.standby_hosts.each do |host|
           if config.component_enabled?(:repmgr)
-            install_packages_only(host)
+            # Check if cluster already exists (config update vs fresh install)
+            if cluster_exists?(host)
+              # Existing cluster - just update configs
+              update_configs_on_host(host)
+            else
+              # Fresh install - only install packages, repmgr will clone the cluster
+              install_packages_only(host)
+            end
           else
             install_on_host(host, is_primary: false)
           end
@@ -62,6 +67,10 @@ module ActivePostgres
                     else
                       component_config[:postgresql] || {}
                     end
+
+        # Substitute ${private_ip} with the host's actual private IP
+        private_ip = config.replication_host_for(host)
+        pg_config = substitute_private_ip(pg_config, private_ip)
         _ = pg_config # Used in ERB template
 
         upload_template(host, 'postgresql.conf.erb', "/etc/postgresql/#{config.version}/main/postgresql.conf", binding,
@@ -92,6 +101,84 @@ module ActivePostgres
         ssh_executor.install_postgres(host, config.version)
       end
 
+      def cluster_exists?(host)
+        exists = false
+        version = config.version
+        ssh_executor.execute_on_host(host) do
+          exists = test(:sudo, 'test', '-d', "/var/lib/postgresql/#{version}/main/base")
+        end
+        exists
+      end
+
+      def update_configs_on_host(host)
+        puts "  Updating configs on #{host}..."
+
+        component_config = config.component_config(:core)
+
+        pg_config = if config.component_enabled?(:performance_tuning)
+                      tuned = calculate_tuned_settings(host, component_config)
+                      # Standbys must have replication-critical settings >= primary
+                      ensure_standby_compatible(tuned)
+                    else
+                      component_config[:postgresql] || {}
+                    end
+
+        private_ip = config.replication_host_for(host)
+        pg_config = substitute_private_ip(pg_config, private_ip)
+        _ = pg_config
+
+        upload_template(host, 'postgresql.conf.erb', "/etc/postgresql/#{config.version}/main/postgresql.conf", binding,
+                        owner: 'postgres:postgres')
+        upload_template(host, 'pg_hba.conf.erb', "/etc/postgresql/#{config.version}/main/pg_hba.conf", binding,
+                        owner: 'postgres:postgres')
+
+        ssh_executor.restart_postgres(host, config.version)
+      end
+
+      def ensure_standby_compatible(pg_config)
+        primary_settings = get_primary_replication_settings
+        return pg_config if primary_settings.empty?
+
+        adjustments = []
+
+        %i[max_connections max_worker_processes max_wal_senders
+           max_prepared_transactions max_locks_per_transaction].each do |setting|
+          primary_val = primary_settings[setting]
+          next unless primary_val
+
+          current_val = pg_config[setting]
+          if current_val.nil? || current_val.to_i < primary_val.to_i
+            adjustments << "#{setting}: #{current_val || 'unset'} → #{primary_val}"
+            pg_config[setting] = primary_val
+          end
+        end
+
+        if adjustments.any?
+          puts "  ⚠️  Adjusting standby settings to match primary minimum:"
+          adjustments.each { |adj| puts "      #{adj}" }
+        end
+
+        pg_config
+      end
+
+      def get_primary_replication_settings
+        @primary_replication_settings ||= begin
+          settings = {}
+          sql = "SELECT name || '=' || setting FROM pg_settings WHERE name IN ('max_connections', 'max_worker_processes', 'max_wal_senders', 'max_prepared_transactions', 'max_locks_per_transaction')"
+          result = ssh_executor.run_sql(config.primary_host, sql)
+          result.strip.split("\n").each do |line|
+            name, val = line.split('=')
+            next unless name && val
+
+            settings[name.strip.to_sym] = val.strip.to_i
+          end
+          settings
+        rescue StandardError => e
+          puts "  Warning: Could not get primary settings: #{e.message}"
+          {}
+        end
+      end
+
       def create_app_user_and_database(host)
         app_user = config.app_user
         app_database = config.app_database

data/lib/active_postgres/components/pgbouncer.rb

@@ -52,37 +52,50 @@ module ActivePostgres
       def install_on_host(host)
         puts "  Installing PgBouncer on #{host}..."
 
-        # Get user config
         user_config = config.component_config(:pgbouncer)
 
-        # Calculate optimal pool settings based on PostgreSQL max_connections
         max_connections = get_postgres_max_connections(host)
         optimal_pool = ConnectionPooler.calculate_optimal_pool_sizes(max_connections)
 
-        # Merge: user config overrides calculated settings
         pgbouncer_config = optimal_pool.merge(user_config)
-        _ = pgbouncer_config # Used in ERB template
+        ssl_enabled = config.component_enabled?(:ssl)
 
         puts "  Calculated pool settings for max_connections=#{max_connections}"
 
-        # Install package
         ssh_executor.execute_on_host(host) do
           execute :sudo, 'apt-get', 'install', '-y', '-qq', 'pgbouncer'
         end
 
-        # Upload configuration
         upload_template(host, 'pgbouncer.ini.erb', '/etc/pgbouncer/pgbouncer.ini', binding, mode: '644')
 
-        # Create userlist with postgres superuser and app user
+        setup_ssl_certs(host) if ssl_enabled
+
         create_userlist(host)
 
-        # Enable and start
         ssh_executor.execute_on_host(host) do
           execute :sudo, 'systemctl', 'enable', 'pgbouncer'
           execute :sudo, 'systemctl', 'restart', 'pgbouncer'
         end
       end
 
+      def setup_ssl_certs(host)
+        puts '  Setting up SSL certificates for PgBouncer...'
+        version = config.version
+
+        ssh_executor.execute_on_host(host) do
+          execute :sudo, 'cp', "/etc/postgresql/#{version}/main/server.crt", '/etc/pgbouncer/server.crt'
+          execute :sudo, 'cp', "/etc/postgresql/#{version}/main/server.key", '/etc/pgbouncer/server.key'
+          execute :sudo, 'chmod', '640', '/etc/pgbouncer/server.key'
+          execute :sudo, 'chown', 'postgres:postgres', '/etc/pgbouncer/server.key'
+          execute :sudo, 'chown', 'postgres:postgres', '/etc/pgbouncer/server.crt'
+        end
+
+        ssl_chain = secrets.resolve('ssl_chain')
+        if ssl_chain
+          ssh_executor.upload_file(host, ssl_chain, '/etc/pgbouncer/ca.crt', mode: '644', owner: 'postgres:postgres')
+        end
+      end
+
       def get_postgres_max_connections(host)
         # Try to get max_connections from running PostgreSQL
         postgres_user = config.postgres_user

data/lib/active_postgres/components/repmgr.rb

@@ -107,6 +107,9 @@ module ActivePostgres
 
         # Performance tuning is handled by the Core component
         pg_config = component_config[:postgresql] || {}
+        # Substitute ${private_ip} with the host's actual private IP
+        private_ip = config.replication_host_for(host)
+        pg_config = substitute_private_ip(pg_config, private_ip)
         _ = pg_config # Used in ERB template
 
         upload_template(host, 'postgresql.conf.erb', "/etc/postgresql/#{version}/main/postgresql.conf", binding,
@@ -307,6 +310,9 @@ module ActivePostgres
 
         # Performance tuning is handled by the Core component
         pg_config = component_config[:postgresql] || {}
+        # Substitute ${private_ip} with the standby's actual private IP
+        private_ip = config.replication_host_for(standby_host)
+        pg_config = substitute_private_ip(pg_config, private_ip)
         _ = pg_config # Used in ERB template
 
         ssh_executor.execute_on_host(standby_host) do

data/lib/active_postgres/components/ssl.rb

@@ -14,7 +14,6 @@ module ActivePostgres
       end
 
       def restart
-        # SSL doesn't have its own service, restart PostgreSQL
         ssh_executor.restart_postgres(config.primary_host)
 
         config.standby_hosts.each do |host|
@@ -37,7 +36,6 @@ module ActivePostgres
 
         ssh_executor.ensure_postgres_user(host)
 
-        # Ensure the PostgreSQL config directory exists
         ssh_executor.execute_on_host(host) do
           execute :sudo, 'mkdir', '-p', "/etc/postgresql/#{version}/main"
           execute :sudo, 'chown', 'postgres:postgres', "/etc/postgresql/#{version}/main"
@@ -47,17 +45,31 @@ module ActivePostgres
         ssl_key = secrets.resolve('ssl_key')
 
         if ssl_cert && ssl_key
-          puts '  Using SSL certificates from secrets...'
-          ssh_executor.upload_file(host, ssl_cert, "/etc/postgresql/#{version}/main/server.crt", mode: '644',
-                                                                                                 owner: 'postgres:postgres')
-          ssh_executor.upload_file(host, ssl_key, "/etc/postgresql/#{version}/main/server.key", mode: '600',
-                                                                                                owner: 'postgres:postgres')
+          install_custom_cert(host, ssl_cert, ssl_key, ssl_config)
         else
           puts '  Generating self-signed SSL certificates...'
           generate_self_signed_cert(host, ssl_config)
         end
       end
 
+      def install_custom_cert(host, ssl_cert, ssl_key, _ssl_config)
+        version = config.version
+        ssl_chain = secrets.resolve('ssl_chain')
+
+        puts '  Using SSL certificates from secrets...'
+
+        full_cert = if ssl_chain
+                      "#{ssl_cert.strip}\n#{ssl_chain.strip}\n"
+                    else
+                      ssl_cert
+                    end
+
+        ssh_executor.upload_file(host, full_cert, "/etc/postgresql/#{version}/main/server.crt",
+                                 mode: '644', owner: 'postgres:postgres')
+        ssh_executor.upload_file(host, ssl_key, "/etc/postgresql/#{version}/main/server.key",
+                                 mode: '600', owner: 'postgres:postgres')
+      end
+
       def generate_self_signed_cert(host, ssl_config)
         version = config.version
         cert_path = "/etc/postgresql/#{version}/main/server.crt"

data/lib/active_postgres/generators/active_postgres/templates/postgres.yml.erb

@@ -75,11 +75,11 @@ production:
       enabled: false  # Enable for HA with standbys
   
   # Secrets: Using Rails credentials (update via: rails credentials:edit)
-  # The $(command) syntax allows executing commands to fetch secrets
+  # The rails_credentials: prefix fetches values from Rails.application.credentials
   secrets:
-    superuser_password: $(rails runner "puts Rails.application.credentials.dig(:postgres, :superuser_password)")
-    replication_password: $(rails runner "puts Rails.application.credentials.dig(:postgres, :replication_password)")
-    repmgr_password: $(rails runner "puts Rails.application.credentials.dig(:postgres, :repmgr_password)")
-    pgbouncer_password: $(rails runner "puts Rails.application.credentials.dig(:postgres, :password)")
-    app_password: $(rails runner "puts Rails.application.credentials.dig(:postgres, :password)")
+    superuser_password: rails_credentials:postgres.superuser_password
+    replication_password: rails_credentials:postgres.replication_password
+    repmgr_password: rails_credentials:postgres.repmgr_password
+    pgbouncer_password: rails_credentials:postgres.password
+    app_password: rails_credentials:postgres.password
 

data/lib/active_postgres/ssh_executor.rb

@@ -280,7 +280,7 @@ module ActivePostgres
           keys_only: true,
           forward_agent: false,
           auth_methods: ['publickey'],
-          verify_host_key: :never,
+          verify_host_key: :accept_new,
           timeout: 10,
           number_of_password_prompts: 0
         }

data/lib/active_postgres/version.rb

@@ -1,3 +1,3 @@
 module ActivePostgres
-  VERSION = '0.5.0'.freeze
+  VERSION = '0.7.0'.freeze
 end

data/lib/tasks/postgres.rake

@@ -336,6 +336,24 @@ namespace :postgres do
   end
 
   namespace :setup do
+    desc 'Setup only core PostgreSQL (updates postgresql.conf and pg_hba.conf)'
+    task core: :environment do
+      require 'active_postgres'
+
+      config = ActivePostgres::Configuration.load
+      installer = ActivePostgres::Installer.new(config)
+      installer.setup_component('core')
+    end
+
+    desc 'Setup only SSL certificates'
+    task ssl: :environment do
+      require 'active_postgres'
+
+      config = ActivePostgres::Configuration.load
+      installer = ActivePostgres::Installer.new(config)
+      installer.setup_component('ssl')
+    end
+
     desc 'Setup only PgBouncer'
     task pgbouncer: :environment do
       require 'active_postgres'
@@ -508,6 +526,18 @@ namespace :postgres do
           key_valid = test('[ -f /etc/postgresql/*/main/server.key ]')
           if cert_valid && key_valid
             info '   Certificates: Present ✅'
+            cert_issuer = begin
+              capture(:sudo, 'openssl', 'x509', '-in', "/etc/postgresql/#{config.version}/main/server.crt",
+                      '-noout', '-issuer', '2>/dev/null').strip
+            rescue StandardError
+              nil
+            end
+            if cert_issuer
+              issuer_o = cert_issuer.match(/O\s*=\s*"?([^",\/]+)"?/)&.captures&.first
+              issuer_cn = cert_issuer.match(/CN\s*=\s*([^,\/]+)/)&.captures&.first
+              issuer_name = issuer_o || issuer_cn || cert_issuer.sub('issuer=', '')
+              info "   Issuer: #{issuer_name.strip}"
+            end
             results[:passed] << "#{label}: SSL enabled with certificates"
           else
             warn '   Certificates: Missing ⚠️'

data/templates/pgbouncer.ini.erb

@@ -44,6 +44,14 @@ log_connections = <%= pgbouncer_config[:log_connections] || 1 %>
 log_disconnections = <%= pgbouncer_config[:log_disconnections] || 1 %>
 log_pooler_errors = <%= pgbouncer_config[:log_pooler_errors] || 1 %>
 
+<% if ssl_enabled %>
+# Client TLS (incoming connections from Rails)
+client_tls_sslmode = require
+client_tls_key_file = /etc/pgbouncer/server.key
+client_tls_cert_file = /etc/pgbouncer/server.crt
+client_tls_ca_file = /etc/pgbouncer/ca.crt
+<% end %>
+
 # Process management
 <% if pgbouncer_config[:pidfile] %>
 pidfile = <%= pgbouncer_config[:pidfile] %>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: active_postgres
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - BoringCache