active_postgres 0.8.0 → 0.9.0

data/lib/active_postgres/configuration.rb

@@ -2,7 +2,8 @@ require 'yaml'
 
 module ActivePostgres
   class Configuration
-    attr_reader :environment, :version, :user, :ssh_key, :primary, :standbys, :components, :secrets_config, :database_config
+    attr_reader :environment, :version, :user, :ssh_key, :ssh_host_key_verification, :primary, :standbys, :components, :secrets_config,
+                :database_config
 
     def initialize(config_hash, environment = 'development')
       @environment = environment
@@ -13,6 +14,9 @@ module ActivePostgres
       @version = env_config['version'] || 18
       @user = env_config['user'] || 'ubuntu'
       @ssh_key = File.expand_path(env_config['ssh_key'] || '~/.ssh/id_rsa')
+      @ssh_host_key_verification = normalize_ssh_host_key_verification(
+        env_config['ssh_host_key_verification'] || env_config['ssh_verify_host_key']
+      )
 
       @primary = env_config['primary'] || {}
       @standbys = env_config['standby'] || []
@@ -91,6 +95,29 @@ module ActivePostgres
 
       # Validate required secrets if components are enabled
       raise Error, 'Missing replication_password secret' if component_enabled?(:repmgr) && !secrets_config['replication_password']
+      raise Error, 'Missing monitoring_password secret' if component_enabled?(:monitoring) && !secrets_config['monitoring_password']
+
+        if component_enabled?(:repmgr)
+          dns_failover = component_config(:repmgr)[:dns_failover]
+          if dns_failover && dns_failover[:enabled]
+            domain = dns_failover[:domain].to_s.strip
+            servers = Array(dns_failover[:dns_servers])
+            provider = (dns_failover[:provider] || 'dnsmasq').to_s.strip
+
+            raise Error, 'dns_failover.domain is required when enabled' if domain.empty?
+            raise Error, 'dns_failover.dns_servers is required when enabled' if servers.empty?
+            raise Error, "Unsupported dns_failover provider '#{provider}'" unless provider == 'dnsmasq'
+
+            servers.each do |server|
+              next unless server.is_a?(Hash)
+
+              ssh_host = server['ssh_host'] || server[:ssh_host] || server['host'] || server[:host]
+              private_ip = server['private_ip'] || server[:private_ip] || server['ip'] || server[:ip]
+              raise Error, 'dns_failover.dns_servers entries must include host/ssh_host or private_ip' if
+                (ssh_host.nil? || ssh_host.to_s.strip.empty?) && (private_ip.nil? || private_ip.to_s.strip.empty?)
+            end
+          end
+        end
 
       true
     end
@@ -108,6 +135,10 @@ module ActivePostgres
       component_config(:repmgr)[:database] || 'repmgr'
     end
 
+    def replication_user
+      component_config(:repmgr)[:replication_user] || 'replication'
+    end
+
     def pgbouncer_user
       component_config(:pgbouncer)[:user] || 'pgbouncer'
     end
@@ -195,5 +226,22 @@ module ActivePostgres
         value
       end
     end
+
+    def normalize_ssh_host_key_verification(value)
+      return :always if value.nil?
+
+      normalized = case value
+                   when Symbol
+                     value
+                   else
+                     value.to_s.strip.downcase.tr('-', '_').to_sym
+                   end
+
+      return :always if normalized == :always
+      return :accept_new if %i[accept_new acceptnew new].include?(normalized)
+
+      raise Error,
+            "Invalid ssh_host_key_verification '#{value}'. Use 'always' or 'accept_new'."
+    end
   end
 end

data/lib/active_postgres/connection_pooler.rb

@@ -321,10 +321,7 @@ module ActivePostgres
           WHERE passwd IS NOT NULL
         SQL
 
-        upload! StringIO.new(sql), '/tmp/get_all_users.sql'
-        execute :chmod, '644', '/tmp/get_all_users.sql'
-        userlist = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_all_users.sql').strip
-        execute :rm, '-f', '/tmp/get_all_users.sql'
+        userlist = @ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
         unless userlist.include?(pgbouncer_user)
           pgbouncer_pass = SecureRandom.hex(16)
@@ -335,10 +332,7 @@ module ActivePostgres
             "GRANT CONNECT ON DATABASE postgres TO #{pgbouncer_user};"
           ].join("\n")
 
-          upload! StringIO.new(sql), '/tmp/create_pgbouncer_user.sql'
-          execute :chmod, '644', '/tmp/create_pgbouncer_user.sql'
-          execute :sudo, '-u', postgres_user, 'psql', '-f', '/tmp/create_pgbouncer_user.sql'
-          execute :rm, '-f', '/tmp/create_pgbouncer_user.sql'
+          @ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user, tuples_only: false, capture: false)
 
           sql = <<~SQL.strip
             SELECT passwd
@@ -346,10 +340,7 @@ module ActivePostgres
             WHERE usename = '#{pgbouncer_user}'
           SQL
 
-          upload! StringIO.new(sql), '/tmp/get_pgbouncer_pass.sql'
-          execute :chmod, '644', '/tmp/get_pgbouncer_pass.sql'
-          encrypted = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_pgbouncer_pass.sql').strip
-          execute :rm, '-f', '/tmp/get_pgbouncer_pass.sql'
+          encrypted = @ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
           userlist += "\n\"#{pgbouncer_user}\" \"#{encrypted}\""
         end

data/lib/active_postgres/credentials.rb

@@ -2,8 +2,8 @@ module ActivePostgres
   class Credentials
     def self.get(key_path)
       # Try to get from Rails credentials if Rails is available
-      if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
-        value = Rails.application.credentials.dig(*key_path.split('.').map(&:to_sym))
+      if defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application
+        value = ::Rails.application.credentials.dig(*key_path.split('.').map(&:to_sym))
         return value if value
       end
 
@@ -11,7 +11,7 @@ module ActivePostgres
     end
 
     def self.available?
-      defined?(Rails) && Rails.respond_to?(:application) && Rails.application&.credentials
+      defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application&.credentials
     end
   end
 end

data/lib/active_postgres/direct_executor.rb

@@ -83,8 +83,7 @@ module ActivePostgres
       path = value.sub('rails_credentials:', '')
       keys = path.split('.').map(&:to_sym)
 
-      credentials = Rails.application.credentials
-      keys.reduce(credentials) { |obj, key| obj&.dig(key) }
+      Rails.application.credentials.dig(*keys)
     rescue NameError
       nil
     end

data/lib/active_postgres/generators/active_postgres/install_generator.rb

@@ -112,6 +112,7 @@ module ActivePostgres
         puts "  superuser_password: \"#{generate_secure_password}\""
         puts "  replication_password: \"#{generate_secure_password}\""
         puts "  repmgr_password: \"#{generate_secure_password}\""
+        puts "  monitoring_password: \"#{generate_secure_password}\""
         puts
         puts '🔐 Secure passwords have been auto-generated above.'
         puts '📌 Update primary_host and replica_host with your actual IPs after provisioning.'

data/lib/active_postgres/generators/active_postgres/templates/postgres.yml.erb

@@ -11,6 +11,8 @@ shared: &shared
   version: 18
   user: ubuntu
   ssh_key: ~/.ssh/id_rsa
+  # SSH host key verification: always (strict) or accept_new (first connection)
+  ssh_host_key_verification: always
 
   components:
     core:
@@ -31,17 +33,32 @@ shared: &shared
       # Optional: Override default repmgr user/database
       # user: repmgr
       # database: repmgr
+      # replication_user: replication
+      # dns_failover:
+      #   enabled: true
+      #   provider: dnsmasq
+      #   domain: mesh.internal
+      #   dns_servers:
+      #     - host: 18.170.173.14
+      #       private_ip: 10.8.0.10
+      #     - host: 98.85.183.175
+      #       private_ip: 10.8.0.110
+      #   primary_record: db-primary.mesh.internal
+      #   replica_record: db-replica.mesh.internal
 
     pgbouncer:
       enabled: false
       # Optional: Override default pgbouncer user
       # user: pgbouncer
+      # follow_primary: true
+      # follow_primary_interval: 5
     
     pgbackrest:
       enabled: false
     
     monitoring:
       enabled: false
+      # user: postgres_exporter
     
     ssl:
       enabled: false
@@ -80,6 +97,6 @@ production:
     superuser_password: rails_credentials:postgres.superuser_password
     replication_password: rails_credentials:postgres.replication_password
     repmgr_password: rails_credentials:postgres.repmgr_password
+    monitoring_password: rails_credentials:postgres.monitoring_password
     pgbouncer_password: rails_credentials:postgres.password
     app_password: rails_credentials:postgres.password
-

data/lib/active_postgres/rollback_manager.rb

@@ -113,12 +113,10 @@ module ActivePostgres
 
     def register_database_removal(host, database_name)
       postgres_user = config.postgres_user
+      executor = ssh_executor
       register("Drop database #{database_name} on #{host}", host: host) do
         sql = "DROP DATABASE IF EXISTS #{database_name};"
-        upload! StringIO.new(sql), '/tmp/drop_database.sql'
-        execute :chmod, '644', '/tmp/drop_database.sql'
-        execute :sudo, '-u', postgres_user, 'psql', '-f', '/tmp/drop_database.sql'
-        execute :rm, '-f', '/tmp/drop_database.sql'
+        executor.run_sql_on_backend(self, sql, postgres_user: postgres_user, tuples_only: false, capture: false)
       rescue StandardError
         nil
       end
@@ -126,12 +124,10 @@ module ActivePostgres
 
     def register_postgres_user_removal(host, username)
       postgres_user = config.postgres_user
+      executor = ssh_executor
       register("Drop PostgreSQL user #{username} on #{host}", host: host) do
         sql = "DROP USER IF EXISTS #{username};"
-        upload! StringIO.new(sql), '/tmp/drop_user.sql'
-        execute :chmod, '644', '/tmp/drop_user.sql'
-        execute :sudo, '-u', postgres_user, 'psql', '-f', '/tmp/drop_user.sql'
-        execute :rm, '-f', '/tmp/drop_user.sql'
+        executor.run_sql_on_backend(self, sql, postgres_user: postgres_user, tuples_only: false, capture: false)
       rescue StandardError
         nil
       end

data/lib/active_postgres/secrets.rb

@@ -15,7 +15,7 @@ module ActivePostgres
       return nil unless secret_value
 
       resolved = resolve_secret_value(secret_value)
-      @cache[secret_key] = resolved
+      @cache[secret_key] = resolved unless resolved.nil?
       resolved
     end
 
@@ -25,6 +25,21 @@ module ActivePostgres
       end
     end
 
+    def resolve_value(value)
+      case value
+      when Hash
+        value.each_with_object({}) do |(k, v), result|
+          result[k] = resolve_value(v)
+        end
+      when Array
+        value.map { |v| resolve_value(v) }
+      when String
+        resolve_secret_value(value)
+      else
+        value
+      end
+    end
+
     def cache_to_files(directory = '.secrets')
       require 'fileutils'
 
@@ -45,9 +60,10 @@ module ActivePostgres
 
     def resolve_secret_value(value)
       case value
-      when /^rails_credentials:(.+)$/
+      when /^(rails_credentials|credentials):(.+)$/
         # Rails credentials: rails_credentials:postgres.superuser_password
-        key_path = ::Regexp.last_match(1)
+        # Alias: credentials:postgres.superuser_password
+        key_path = ::Regexp.last_match(2).to_s.strip
         fetch_from_rails_credentials(key_path)
       when /^\$\((.+)\)$/
         # Command execution: $(op read "op://...")
@@ -65,10 +81,12 @@ module ActivePostgres
     end
 
     def fetch_from_rails_credentials(key_path)
-      return nil unless Credentials.available?
+      return nil unless defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application
 
       keys = key_path.split('.').map(&:to_sym)
-      Rails.application.credentials.dig(*keys)
+      ::Rails.application.credentials.dig(*keys)
+    rescue StandardError
+      nil
     end
 
     def execute_command(command)

data/lib/active_postgres/ssh_executor.rb

@@ -22,6 +22,10 @@ module ActivePostgres
       on("#{config.user}@#{host}", &)
     end
 
+    def execute_on_host_as(host, user, &)
+      on("#{user}@#{host}", &)
+    end
+
     def execute_on_primary(&)
       execute_on_host(config.primary_host, &)
     end
@@ -94,7 +98,7 @@ module ActivePostgres
 
         info 'Configuring PostgreSQL apt repository...'
         pgdg_repo = "'echo \"deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] " \
-                    'http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > ' \
+                    'https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > ' \
                     "/etc/apt/sources.list.d/pgdg.list'"
         execute :sudo, 'sh', '-c', pgdg_repo
 
@@ -200,24 +204,42 @@ module ActivePostgres
       result
     end
 
-    def run_sql(host, sql)
+    def run_sql(host, sql, postgres_user: config.postgres_user, port: nil, database: nil, tuples_only: true,
+                capture: true)
       result = nil
-      postgres_user = config.postgres_user
+      executor = self
       execute_on_host(host) do
-        # Use a temporary file to avoid shell escaping issues with special characters
-        temp_file = "/tmp/query_#{SecureRandom.hex(8)}.sql"
-        upload! StringIO.new(sql), temp_file
-        execute :chmod, '644', temp_file
-
-        begin
-          result = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', temp_file)
-        ensure
-          execute :rm, '-f', temp_file
-        end
+        backend = self
+        result = executor.run_sql_on_backend(backend, sql,
+                                    postgres_user: postgres_user,
+                                    port: port,
+                                    database: database,
+                                    tuples_only: tuples_only,
+                                    capture: capture)
       end
       result
     end
 
+    def run_sql_on_backend(backend, sql, postgres_user: config.postgres_user, port: nil, database: nil,
+                           tuples_only: true, capture: true)
+      # Use a temporary file to avoid shell escaping issues with special characters
+      temp_file = "/tmp/active_postgres_#{SecureRandom.hex(8)}.sql"
+      backend.upload! StringIO.new(sql), temp_file
+      backend.execute :chmod, '600', temp_file
+      backend.execute :sudo, 'chown', "#{postgres_user}:#{postgres_user}", temp_file
+
+      cmd = [:sudo, '-u', postgres_user, 'psql']
+      cmd << '-t' if tuples_only
+      cmd += ['-p', port.to_s] if port
+      cmd += ['-d', database.to_s] if database
+      cmd += ['-f', temp_file]
+
+      result = capture ? backend.capture(*cmd) : backend.execute(*cmd)
+      result
+    ensure
+      backend.execute :sudo, 'rm', '-f', temp_file
+    end
+
     def ensure_cluster_exists(host, version)
       execute_on_host(host) do
         data_dir = "/var/lib/postgresql/#{version}/main"
@@ -280,7 +302,7 @@ module ActivePostgres
           keys_only: true,
           forward_agent: false,
           auth_methods: ['publickey'],
-          verify_host_key: :accept_new,
+          verify_host_key: config.ssh_host_key_verification || :always,
           timeout: 10,
           number_of_password_prompts: 0
         }

data/lib/active_postgres/version.rb

@@ -1,3 +1,3 @@
 module ActivePostgres
-  VERSION = '0.8.0'.freeze
+  VERSION = '0.9.0'.freeze
 end

data/lib/tasks/postgres.rake

@@ -372,6 +372,15 @@ namespace :postgres do
       installer.setup_component('monitoring')
     end
 
+    desc 'Setup only pgBackRest backups'
+    task pgbackrest: :environment do
+      require 'active_postgres'
+
+      config = ActivePostgres::Configuration.load
+      installer = ActivePostgres::Installer.new(config)
+      installer.setup_component('pgbackrest')
+    end
+
     desc 'Setup only repmgr'
     task repmgr: :environment do
       require 'active_postgres'
@@ -412,10 +421,7 @@ namespace :postgres do
             WHERE rolname = '#{user}'
           SQL
 
-          upload! StringIO.new(sql), '/tmp/get_user_hash.sql'
-          execute :chmod, '644', '/tmp/get_user_hash.sql'
-          user_hash = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_user_hash.sql').strip
-          execute :rm, '-f', '/tmp/get_user_hash.sql'
+          user_hash = ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
           if user_hash && !user_hash.empty?
             userlist_entries << user_hash

data/lib/tasks/rotate_credentials.rake

@@ -26,10 +26,7 @@ namespace :postgres do
         escaped_password = new_password.gsub("'", "''")
 
         sql = "ALTER USER #{app_user} WITH PASSWORD '#{escaped_password}';"
-        upload! StringIO.new(sql), '/tmp/rotate_password.sql'
-        execute :chmod, '644', '/tmp/rotate_password.sql'
-        execute :sudo, '-u', 'postgres', 'psql', '-f', '/tmp/rotate_password.sql'
-        execute :rm, '-f', '/tmp/rotate_password.sql'
+        ssh_executor.run_sql_on_backend(self, sql, postgres_user: 'postgres', tuples_only: false, capture: false)
 
         puts "✓ Updated PostgreSQL password for #{app_user}"
       end
@@ -48,10 +45,7 @@ namespace :postgres do
               WHERE rolname = '#{user}'
             SQL
 
-            upload! StringIO.new(sql), '/tmp/get_user_hash.sql'
-            execute :chmod, '644', '/tmp/get_user_hash.sql'
-            user_hash = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_user_hash.sql').strip
-            execute :rm, '-f', '/tmp/get_user_hash.sql'
+            user_hash = ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
             userlist_entries << user_hash if user_hash && !user_hash.empty?
           end
@@ -128,10 +122,7 @@ namespace :postgres do
           escaped_password = new_password.gsub("'", "''")
 
           sql = "ALTER USER #{username} WITH PASSWORD '#{escaped_password}';"
-          upload! StringIO.new(sql), '/tmp/rotate_password.sql'
-          execute :chmod, '644', '/tmp/rotate_password.sql'
-          execute :sudo, '-u', 'postgres', 'psql', '-f', '/tmp/rotate_password.sql'
-          execute :rm, '-f', '/tmp/rotate_password.sql'
+          ssh_executor.run_sql_on_backend(self, sql, postgres_user: 'postgres', tuples_only: false, capture: false)
         end
 
         puts "✓ Updated #{username}"
@@ -152,10 +143,7 @@ namespace :postgres do
               WHERE rolname = '#{user}'
             SQL
 
-            upload! StringIO.new(sql), '/tmp/get_user_hash.sql'
-            execute :chmod, '644', '/tmp/get_user_hash.sql'
-            user_hash = capture(:sudo, '-u', postgres_user, 'psql', '-t', '-f', '/tmp/get_user_hash.sql').strip
-            execute :rm, '-f', '/tmp/get_user_hash.sql'
+            user_hash = ssh_executor.run_sql_on_backend(self, sql, postgres_user: postgres_user).to_s.strip
 
             userlist_entries << user_hash if user_hash && !user_hash.empty?
           end

data/templates/pg_hba.conf.erb

@@ -39,9 +39,12 @@
   repmgr_network = pg_hba_rules.find { |r| r[:type] == 'host' && r[:address] && !r[:address].start_with?('127.0.0.1') }&.dig(:address) || '10.8.0.0/24'
   repmgr_user = config.repmgr_user
   repmgr_db = config.repmgr_database
+  replication_user = config.replication_user
 %>
 host    replication     <%= repmgr_user %>          <%= repmgr_network %>          scram-sha-256
+<% if replication_user && replication_user != repmgr_user %>
+host    replication     <%= replication_user %>          <%= repmgr_network %>          scram-sha-256
+<% end %>
 host    <%= repmgr_db %>          <%= repmgr_user %>          <%= repmgr_network %>          scram-sha-256
 <% end %>
 
-

data/templates/pgbackrest.conf.erb

@@ -16,6 +16,21 @@ repo1-s3-endpoint=s3.<%= pgbackrest_config[:s3_region] || 'us-east-1' %>.amazona
 repo1-s3-key=<%= secrets_obj.resolve('s3_access_key') %>
 repo1-s3-key-secret=<%= secrets_obj.resolve('s3_secret_key') %>
 <% end %>
+<% elsif pgbackrest_config[:repo_type] == 'gcs' %>
+repo1-type=gcs
+repo1-path=<%= pgbackrest_config[:repo_path] || '/backups' %>
+repo1-gcs-bucket=<%= pgbackrest_config[:gcs_bucket] %>
+<% if secrets_obj.resolve('gcs_key_file') %>
+repo1-gcs-key=<%= secrets_obj.resolve('gcs_key_file') %>
+<% end %>
+<% elsif pgbackrest_config[:repo_type] == 'azure' %>
+repo1-type=azure
+repo1-path=<%= pgbackrest_config[:repo_path] || '/backups' %>
+repo1-azure-container=<%= pgbackrest_config[:azure_container] %>
+<% if secrets_obj.resolve('azure_account') %>
+repo1-azure-account=<%= secrets_obj.resolve('azure_account') %>
+repo1-azure-key=<%= secrets_obj.resolve('azure_key') %>
+<% end %>
 <% else %>
 # Local storage
 repo1-path=<%= pgbackrest_config[:repo_path] || '/var/lib/pgbackrest' %>
@@ -35,9 +50,22 @@ repo1-cipher-type=aes-256-cbc
 repo1-cipher-pass=<%= secrets_obj.resolve('backup_encryption_key') %>
 <% end %>
 
+# Logging
+log-level-console=info
+log-level-file=detail
+log-path=/var/log/pgbackrest
+
+# Process settings
+process-max=<%= pgbackrest_config[:process_max] || 2 %>
+
+# Start/Stop (for consistent backups)
+start-fast=y
+stop-auto=y
+
 [main]
 pg1-path=/var/lib/postgresql/<%= config.version %>/main
 pg1-port=5432
 pg1-socket-path=/var/run/postgresql
+pg1-user=<%= config.postgres_user %>
 
 

data/templates/pgbouncer-follow-primary.service.erb

@@ -0,0 +1,8 @@
+[Unit]
+Description=Update PgBouncer target to current PostgreSQL primary
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/pgbouncer-follow-primary

data/templates/pgbouncer-follow-primary.timer.erb

@@ -0,0 +1,11 @@
+[Unit]
+Description=Run pgbouncer-follow-primary periodically
+
+[Timer]
+OnBootSec=10s
+OnUnitActiveSec=<%= interval %>s
+AccuracySec=1s
+Unit=pgbouncer-follow-primary.service
+
+[Install]
+WantedBy=timers.target

data/templates/pgbouncer.ini.erb

@@ -49,8 +49,10 @@ log_pooler_errors = <%= pgbouncer_config[:log_pooler_errors] || 1 %>
 client_tls_sslmode = require
 client_tls_key_file = /etc/pgbouncer/server.key
 client_tls_cert_file = /etc/pgbouncer/server.crt
+<% if has_ca_cert %>
 client_tls_ca_file = /etc/pgbouncer/ca.crt
 <% end %>
+<% end %>
 
 # Process management
 <% if pgbouncer_config[:pidfile] %>

data/templates/pgbouncer_follow_primary.sh.erb

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPMGR_CONF="<%= repmgr_conf %>"
+PGBOUNCER_INI="/etc/pgbouncer/pgbouncer.ini"
+PGBOUNCER_SERVICE="pgbouncer"
+LOG_TAG="pgbouncer-follow-primary"
+
+cluster_csv=$(/usr/bin/sudo -u <%= postgres_user %> env HOME=/var/lib/postgresql \
+  repmgr -f "$REPMGR_CONF" cluster show --csv 2>/dev/null || true)
+if [[ -z "$cluster_csv" ]]; then
+  exit 0
+fi
+
+primary_conninfo=$(printf "%s\n" "$cluster_csv" | awk -F',' 'NR>1 && tolower($3) ~ /primary/ {print $NF; exit}')
+if [[ -z "$primary_conninfo" ]]; then
+  exit 0
+fi
+
+primary_host=$(printf "%s" "$primary_conninfo" | sed -n 's/.*host=\\([^ ]*\\).*/\\1/p')
+if [[ -z "$primary_host" ]]; then
+  exit 0
+fi
+
+current_host=$(awk -F'host=' '/^\\* = host=/{print $2}' "$PGBOUNCER_INI" | awk '{print $1}')
+if [[ -z "$current_host" ]]; then
+  exit 0
+fi
+
+if [[ "$current_host" != "$primary_host" ]]; then
+  /usr/bin/sed -i -E "s/^(\\* = host=)[^ ]+/\\1${primary_host}/" "$PGBOUNCER_INI"
+  /usr/bin/systemctl reload "$PGBOUNCER_SERVICE"
+  /usr/bin/logger -t "$LOG_TAG" "Updated PgBouncer primary target to ${primary_host}"
+fi

data/templates/postgresql.conf.erb

@@ -44,9 +44,13 @@ wal_compression = <%= pg_config[:wal_compression] %>
 <% end %>
 <% if pg_config[:archive_mode] %>
 archive_mode = <%= pg_config[:archive_mode] %>
+<% elsif config.component_enabled?(:pgbackrest) %>
+archive_mode = on
 <% end %>
 <% if pg_config[:archive_command] %>
 archive_command = '<%= pg_config[:archive_command] %>'
+<% elsif config.component_enabled?(:pgbackrest) %>
+archive_command = 'pgbackrest --stanza=main archive-push %p'
 <% end %>
 <% if pg_config[:shared_memory_type] %>
 shared_memory_type = <%= pg_config[:shared_memory_type] %>

data/templates/repmgr.conf.erb

@@ -15,14 +15,14 @@ node_name='<%= node_label %>'
   # conninfo describes how OTHER nodes connect to THIS node
   repmgr_host = config.replication_host_for(host)
 %>
-conninfo='host=<%= repmgr_host %> user=<%= config.repmgr_user %> dbname=<%= config.repmgr_database %> password=<%= secrets_obj.resolve('repmgr_password') %> connect_timeout=2'
+conninfo='host=<%= repmgr_host %> user=<%= config.repmgr_user %> dbname=<%= config.repmgr_database %> connect_timeout=2'
 data_directory='/var/lib/postgresql/<%= config.version %>/main'
 
 <% if host == config.primary_host %>
-failover=automatic
+failover=<%= repmgr_config[:auto_failover] == false ? 'manual' : 'automatic' %>
 priority=<%= repmgr_config[:priority] || 100 %>
 <% else %>
-failover=automatic
+failover=<%= repmgr_config[:auto_failover] == false ? 'manual' : 'automatic' %>
 priority=<%= repmgr_config[:priority] || 100 %>
 promote_command='repmgr standby promote -f /etc/repmgr.conf'
 follow_command='repmgr standby follow -f /etc/repmgr.conf --upstream-node-id=%n'
@@ -38,3 +38,7 @@ log_file='/var/log/postgresql/repmgr.log'
 monitoring_history=yes
 monitor_interval_secs=5
 
+<% if repmgr_config[:dns_failover] && repmgr_config[:dns_failover][:enabled] %>
+event_notification_command='/usr/local/bin/active-postgres-dns-failover'
+event_notifications='<%= repmgr_config[:dns_failover][:events] || 'repmgrd_failover_promote,standby_promote,standby_switchover,standby_follow' %>'
+<% end %>