active_postgres 0.9.0 → 0.9.2

data/lib/active_postgres/components/repmgr.rb

@@ -85,6 +85,22 @@ module ActivePostgres
             execute :sudo, 'DEBIAN_FRONTEND=noninteractive', 'apt-get', 'install', '-y', '-qq',
                     "postgresql-#{version}-repmgr"
           end
+          install_postgres_sudoers(host)
+        end
+      end
+
+      def install_postgres_sudoers(host)
+        version = config.version
+        sudoers_line = "postgres ALL=(ALL) NOPASSWD: /usr/bin/systemctl start postgresql@#{version}-main, " \
+                       "/usr/bin/systemctl stop postgresql@#{version}-main, " \
+                       "/usr/bin/systemctl restart postgresql@#{version}-main, " \
+                       "/usr/bin/systemctl reload postgresql@#{version}-main, " \
+                       "/usr/bin/systemctl status postgresql@#{version}-main"
+        ssh_executor.execute_on_host(host) do
+          upload! StringIO.new("#{sudoers_line}\n"), '/tmp/postgres-repmgr-sudoers'
+          execute :sudo, 'cp', '/tmp/postgres-repmgr-sudoers', '/etc/sudoers.d/postgres-repmgr'
+          execute :sudo, 'chmod', '440', '/etc/sudoers.d/postgres-repmgr'
+          execute :rm, '-f', '/tmp/postgres-repmgr-sudoers'
         end
       end
 
@@ -247,6 +263,7 @@ module ActivePostgres
         effective_replication_password = replication_user == repmgr_user ? repmgr_password : replication_password
 
         ensure_primary_registered
+        ensure_primary_replication_ready(repmgr_password, effective_replication_password)
 
         setup_pgpass_file(standby_host, repmgr_password, replication_password: effective_replication_password,
                                                       primary_ip: primary_replication_host)
@@ -399,9 +416,42 @@ module ActivePostgres
         end
 
         register_standby_with_primary(standby_host)
+        setup_inter_node_ssh
         enable_repmgrd_if_configured(standby_host, repmgr_config)
       end
 
+      def setup_inter_node_ssh
+        dns_config = dns_failover_config
+        key_path = dns_config && dns_config[:ssh_key_path] || '/var/lib/postgresql/.ssh/active_postgres_dns'
+        postgres_user = config.postgres_user
+        all_hosts = config.all_hosts
+        pub_keys = {}
+
+        all_hosts.each do |host|
+          ssh_executor.execute_on_host(host) do
+            pub_keys[host] = capture(:sudo, '-u', postgres_user, 'cat', "#{key_path}.pub").strip
+          end
+        end
+
+        all_hosts.each do |host|
+          ssh_executor.execute_on_host(host) do
+            other_keys = pub_keys.reject { |h, _| h == host }.values
+            other_keys.each do |key|
+              next if key.to_s.empty?
+
+              upload! StringIO.new("#{key}\n"), '/tmp/pg_peer_key.pub'
+              execute :sudo, '-u', postgres_user, 'bash', '-c',
+                      "grep -qxF -f /tmp/pg_peer_key.pub /var/lib/postgresql/.ssh/authorized_keys 2>/dev/null || cat /tmp/pg_peer_key.pub >> /var/lib/postgresql/.ssh/authorized_keys"
+              execute :rm, '-f', '/tmp/pg_peer_key.pub'
+            end
+
+            peer_ips = all_hosts.reject { |h| h == host }.map { |h| config.replication_host_for(h) }
+            scan_cmd = "ssh-keyscan #{peer_ips.join(' ')} >> /var/lib/postgresql/.ssh/known_hosts 2>/dev/null || true"
+            execute :sudo, '-u', postgres_user, 'bash', '-c', scan_cmd
+          end
+        end
+      end
+
       def setup_dns_failover
         dns_config = dns_failover_config
         return unless dns_config
@@ -424,6 +474,8 @@ module ActivePostgres
           authorize_dns_keys(dns_server, dns_user, pub_keys.values.compact)
         end
 
+        setup_inter_node_ssh
+
         config.all_hosts.each do |host|
           install_dns_failover_script(host, dns_config, dns_private_ips, dns_user, dns_ssh_key_path, ssh_strict_host_key)
         end
@@ -512,12 +564,16 @@ module ActivePostgres
       def install_dns_failover_script(host, dns_config, dns_servers, dns_user, dns_ssh_key_path, ssh_strict_host_key)
         return if dns_servers.empty?
 
-        domain = dns_config[:domain] || 'mesh'
-        primary_record = dns_config[:primary_record] || "db-primary.#{domain}"
-        replica_record = dns_config[:replica_record] || "db-replica.#{domain}"
+        domains = normalize_dns_domains(dns_config)
+        primary_records = normalize_dns_records(dns_config[:primary_records] || dns_config[:primary_record],
+                                               default_prefix: 'db-primary',
+                                               domains: domains)
+        replica_records = normalize_dns_records(dns_config[:replica_records] || dns_config[:replica_record],
+                                               default_prefix: 'db-replica',
+                                               domains: domains)
 
-        _ = primary_record
-        _ = replica_record
+        _ = primary_records
+        _ = replica_records
         _ = dns_servers
         _ = dns_user
         _ = dns_ssh_key_path
@@ -527,6 +583,19 @@ module ActivePostgres
                         mode: '755', owner: 'root:root')
       end
 
+      def normalize_dns_domains(dns_config)
+        domains = Array(dns_config[:domains] || dns_config[:domain]).map(&:to_s).map(&:strip).reject(&:empty?)
+        domains = ['mesh'] if domains.empty?
+        domains
+      end
+
+      def normalize_dns_records(value, default_prefix:, domains:)
+        records = Array(value).map(&:to_s).map(&:strip).reject(&:empty?)
+        return records unless records.empty?
+
+        domains.map { |domain| "#{default_prefix}.#{domain}" }
+      end
+
       def normalize_dns_host_key_verification(value)
         normalized = case value
                      when Symbol
@@ -859,6 +928,33 @@ module ActivePostgres
         is_registered
       end
 
+      def ensure_primary_replication_ready(repmgr_password, effective_replication_password)
+        host = config.primary_host
+        repmgr_user = config.repmgr_user
+        repmgr_db = config.repmgr_database
+        replication_user = config.replication_user
+        repmgr_component = self
+        executor = ssh_executor
+
+        puts '  Ensuring repmgr user has correct password and privileges on primary...'
+
+        ssh_executor.execute_on_host(host) do
+          repmgr_sql = repmgr_component.send(:build_repmgr_setup_sql, repmgr_user, repmgr_db, repmgr_password)
+          executor.run_sql_on_backend(self, repmgr_sql, postgres_user: 'postgres', port: 5432, tuples_only: false,
+                                           capture: false)
+
+          if replication_user != repmgr_user
+            repl_sql = repmgr_component.send(:build_replication_user_sql, replication_user, effective_replication_password)
+            executor.run_sql_on_backend(self, repl_sql, postgres_user: 'postgres', port: 5432, tuples_only: false,
+                                             capture: false)
+          end
+
+          info '✓ Primary replication user is ready'
+        end
+
+        setup_pgpass_file(host, repmgr_password, replication_password: effective_replication_password)
+      end
+
       def regenerate_ssl_certs(host, version)
         ssl_config = config.component_config(:ssl)
         ssl_cert = secrets.resolve('ssl_cert')
@@ -994,9 +1090,9 @@ module ActivePostgres
           'DO $$',
           'BEGIN',
           "  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '#{repmgr_user}') THEN",
-          "    CREATE USER #{repmgr_user} WITH SUPERUSER PASSWORD '#{escaped_password}';",
+          "    CREATE USER #{repmgr_user} WITH SUPERUSER REPLICATION PASSWORD '#{escaped_password}';",
           '  ELSE',
-          "    ALTER USER #{repmgr_user} WITH SUPERUSER PASSWORD '#{escaped_password}';",
+          "    ALTER USER #{repmgr_user} WITH SUPERUSER REPLICATION PASSWORD '#{escaped_password}';",
           '  END IF;',
           'END $$;',
           '',

data/lib/active_postgres/configuration.rb

@@ -96,15 +96,32 @@ module ActivePostgres
       # Validate required secrets if components are enabled
       raise Error, 'Missing replication_password secret' if component_enabled?(:repmgr) && !secrets_config['replication_password']
       raise Error, 'Missing monitoring_password secret' if component_enabled?(:monitoring) && !secrets_config['monitoring_password']
+      if component_enabled?(:monitoring)
+        grafana_config = component_config(:monitoring)[:grafana] || {}
+        if grafana_config[:enabled] && !secrets_config['grafana_admin_password']
+          raise Error, 'Missing grafana_admin_password secret'
+        end
+        if grafana_config[:enabled] && grafana_config[:host].to_s.strip.empty?
+          raise Error, 'monitoring.grafana.host is required when grafana is enabled'
+        end
+      end
+      if component_enabled?(:pgbackrest)
+        pg_config = component_config(:pgbackrest)
+        retention_full = pg_config[:retention_full]
+        retention_archive = pg_config[:retention_archive]
+        if retention_full && retention_archive && retention_archive.to_i < retention_full.to_i
+          raise Error, 'pgbackrest.retention_archive must be >= retention_full for PITR safety'
+        end
+      end
 
         if component_enabled?(:repmgr)
           dns_failover = component_config(:repmgr)[:dns_failover]
           if dns_failover && dns_failover[:enabled]
-            domain = dns_failover[:domain].to_s.strip
+            domains = Array(dns_failover[:domains] || dns_failover[:domain]).map(&:to_s).map(&:strip).reject(&:empty?)
             servers = Array(dns_failover[:dns_servers])
             provider = (dns_failover[:provider] || 'dnsmasq').to_s.strip
 
-            raise Error, 'dns_failover.domain is required when enabled' if domain.empty?
+            raise Error, 'dns_failover.domain or dns_failover.domains is required when enabled' if domains.empty?
             raise Error, 'dns_failover.dns_servers is required when enabled' if servers.empty?
             raise Error, "Unsupported dns_failover provider '#{provider}'" unless provider == 'dnsmasq'
 

data/lib/active_postgres/generators/active_postgres/install_generator.rb

@@ -113,6 +113,7 @@ module ActivePostgres
         puts "  replication_password: \"#{generate_secure_password}\""
         puts "  repmgr_password: \"#{generate_secure_password}\""
         puts "  monitoring_password: \"#{generate_secure_password}\""
+        puts "  grafana_admin_password: \"#{generate_secure_password}\""
         puts
         puts '🔐 Secure passwords have been auto-generated above.'
         puts '📌 Update primary_host and replica_host with your actual IPs after provisioning.'

data/lib/active_postgres/generators/active_postgres/templates/postgres.yml.erb

@@ -59,6 +59,15 @@ shared: &shared
     monitoring:
       enabled: false
       # user: postgres_exporter
+      # node_exporter: true
+      # node_exporter_port: 9100
+      # node_exporter_listen_address: 10.8.0.10
+      # grafana:
+      #   enabled: true
+      #   host: grafana.example.com
+      #   listen_address: 10.8.0.10
+      #   port: 3000
+      #   prometheus_url: http://prometheus.example.com:9090
     
     ssl:
       enabled: false
@@ -98,5 +107,6 @@ production:
     replication_password: rails_credentials:postgres.replication_password
     repmgr_password: rails_credentials:postgres.repmgr_password
     monitoring_password: rails_credentials:postgres.monitoring_password
+    # grafana_admin_password: rails_credentials:postgres.grafana_admin_password
     pgbouncer_password: rails_credentials:postgres.password
     app_password: rails_credentials:postgres.password

data/lib/active_postgres/health_checker.rb

@@ -13,7 +13,21 @@ module ActivePostgres
     end
 
     private def create_executor
-      DirectExecutor.new(config, quiet: true)
+      if use_ssh_executor?
+        SSHExecutor.new(config, quiet: true)
+      else
+        DirectExecutor.new(config, quiet: true)
+      end
+    end
+
+    def use_ssh_executor?
+      mode = ENV['ACTIVE_POSTGRES_STATUS_MODE'].to_s.strip.downcase
+      return true if mode == 'ssh'
+      return false if mode == 'direct'
+
+      return false if %w[localhost 127.0.0.1 ::1].include?(config.primary_host.to_s)
+
+      true
     end
 
     def show_status
@@ -312,13 +326,21 @@ module ActivePostgres
     end
 
     def check_pgbouncer_direct(host)
-      require 'socket'
-      connection_host = config.connection_host_for(host)
-      pgbouncer_port = config.component_config(:pgbouncer)[:listen_port] || 6432
+      if ssh_executor.respond_to?(:execute_on_host)
+        status = nil
+        ssh_executor.execute_on_host(host) do
+          status = capture(:systemctl, 'is-active', 'pgbouncer', raise_on_non_zero_exit: false).to_s.strip
+        end
+        status == 'active'
+      else
+        require 'socket'
+        connection_host = config.connection_host_for(host)
+        pgbouncer_port = config.component_config(:pgbouncer)[:listen_port] || 6432
 
-      socket = TCPSocket.new(connection_host, pgbouncer_port)
-      socket.close
-      true
+        socket = TCPSocket.new(connection_host, pgbouncer_port)
+        socket.close
+        true
+      end
     rescue StandardError
       false
     end

data/lib/active_postgres/installer.rb

@@ -91,6 +91,15 @@ module ActivePostgres
       puts '✓ Restore complete'
     end
 
+    def run_restore_at(target_time, target_action: 'promote')
+      puts "==> Restoring to #{target_time} (PITR)..."
+
+      component = Components::PgBackRest.new(config, ssh_executor, secrets)
+      component.run_restore_at(target_time, target_action: target_action)
+
+      puts '✓ Restore complete'
+    end
+
     def list_backups
       component = Components::PgBackRest.new(config, ssh_executor, secrets)
       component.list_backups

data/lib/active_postgres/overview.rb

@@ -0,0 +1,351 @@
+require 'shellwords'
+require 'timeout'
+
+module ActivePostgres
+  class Overview
+    DEFAULT_TIMEOUT = 10
+
+    def initialize(config)
+      @config = config
+      @executor = SSHExecutor.new(config, quiet: true)
+      @health_checker = HealthChecker.new(config)
+    end
+
+    def show
+      puts
+      puts "ActivePostgres Control Tower (#{config.environment})"
+      puts '=' * 70
+      puts
+
+      health_checker.show_status
+
+      show_system_stats
+      show_repmgr_cluster if config.component_enabled?(:repmgr)
+      show_pgbouncer_targets if config.component_enabled?(:pgbouncer)
+      show_dns_status if dns_failover_enabled?
+      show_backups if config.component_enabled?(:pgbackrest)
+
+      puts
+    end
+
+    private
+
+    attr_reader :config, :executor, :health_checker
+
+    def show_repmgr_cluster
+      output = nil
+      postgres_user = config.postgres_user
+      with_timeout('repmgr cluster') do
+        executor.execute_on_host(config.primary_host) do
+          output = capture(:sudo, '-u', postgres_user, 'repmgr', '-f', '/etc/repmgr.conf',
+                           'cluster', 'show', raise_on_non_zero_exit: false).to_s
+        end
+      end
+
+      puts '==> repmgr cluster'
+      puts LogSanitizer.sanitize(output) if output && !output.strip.empty?
+      puts
+    rescue StandardError => e
+      puts "==> repmgr cluster (error: #{e.message})"
+      puts
+    end
+
+    def show_system_stats
+      hosts = config.all_hosts
+      return if hosts.empty?
+
+      paths = system_stat_paths
+
+      puts '==> System stats (DB nodes)'
+      hosts.each do |host|
+        label = config.node_label_for(host)
+        stats = fetch_system_stats(host, paths)
+        if stats.nil?
+          puts "  #{host}#{label ? " (#{label})" : ''}: unavailable"
+          next
+        end
+
+        mem_used_kb = stats[:mem_total_kb] - stats[:mem_avail_kb]
+        mem_pct = stats[:mem_total_kb].positive? ? (mem_used_kb.to_f / stats[:mem_total_kb] * 100).round : 0
+
+        puts "  #{host}#{label ? " (#{label})" : ''}: load #{stats[:loadavg]} | cpu #{stats[:cpu]}% | " \
+             "mem #{format_kb(mem_used_kb)}/#{format_kb(stats[:mem_total_kb])} (#{mem_pct}%)"
+
+        stats[:disks].each do |disk|
+          puts "    disk #{disk[:mount]}: #{format_kb(disk[:used_kb])}/#{format_kb(disk[:total_kb])} (#{disk[:use_pct]})"
+        end
+      end
+      puts
+    rescue StandardError => e
+      puts "==> System stats (error: #{e.message})"
+      puts
+    end
+
+    def show_pgbouncer_targets
+      puts '==> PgBouncer targets'
+      config.all_hosts.each do |host|
+        status = pgbouncer_status(host)
+        target = pgbouncer_target(host)
+        puts "  #{host}: #{status} -> #{target || 'unknown'}"
+      end
+      puts
+    end
+
+    def pgbouncer_status(host)
+      status = nil
+      executor.execute_on_host(host) do
+        status = capture(:systemctl, 'is-active', 'pgbouncer', raise_on_non_zero_exit: false).to_s.strip
+      end
+      status == 'active' ? '✓ running' : '✗ down'
+    rescue StandardError
+      '✗ down'
+    end
+
+    def pgbouncer_target(host)
+      ini = nil
+      executor.execute_on_host(host) do
+        ini = capture(:sudo, 'cat', '/etc/pgbouncer/pgbouncer.ini', raise_on_non_zero_exit: false).to_s
+      end
+      ini[/^\* = host=([^\s]+)/, 1]
+    rescue StandardError
+      nil
+    end
+
+    def show_dns_status
+      dns_config = dns_failover_config
+      dns_servers = normalize_dns_servers(dns_config[:dns_servers])
+      dns_user = (dns_config[:dns_user] || config.user).to_s
+
+      primary_records = normalize_dns_records(dns_config[:primary_records] || dns_config[:primary_record],
+                                              default_prefix: 'db-primary',
+                                              domains: normalize_dns_domains(dns_config))
+      replica_records = normalize_dns_records(dns_config[:replica_records] || dns_config[:replica_record],
+                                              default_prefix: 'db-replica',
+                                              domains: normalize_dns_domains(dns_config))
+      records = primary_records + replica_records
+
+      puts '==> DNS (dnsmasq)'
+      puts "  Servers: #{dns_servers.map { |s| s[:ssh_host] }.join(', ')}"
+
+      record_map = Hash.new { |h, k| h[k] = [] }
+      dns_servers.each do |server|
+        content = dnsmasq_config(server[:ssh_host], dns_user)
+        next if content.to_s.strip.empty?
+
+        content.each_line do |line|
+          next unless line.start_with?('address=/')
+
+          match = line.strip.match(%r{\Aaddress=/([^/]+)/(.+)\z})
+          next unless match
+
+          name = match[1]
+          ip = match[2]
+          next unless records.include?(name)
+
+          record_map[name] << ip
+        end
+      end
+
+      records.uniq.each do |record|
+        ips = record_map[record].uniq
+        display = ips.empty? ? 'missing' : ips.join(', ')
+        warn_suffix = if primary_records.include?(record) && ips.size > 1
+                        ' ⚠️'
+                      else
+                        ''
+                      end
+        puts "  #{record}: #{display}#{warn_suffix}"
+      end
+      puts
+    rescue StandardError => e
+      puts "==> DNS (error: #{e.message})"
+      puts
+    end
+
+    def dnsmasq_config(host, dns_user)
+      content = nil
+      with_timeout("dnsmasq #{host}") do
+        executor.execute_on_host_as(host, dns_user) do
+          content = capture(:sudo, 'sh', '-c',
+                            'cat /etc/dnsmasq.d/active_postgres.conf 2>/dev/null || ' \
+                            'cat /etc/dnsmasq.d/messhy.conf 2>/dev/null || true',
+                            raise_on_non_zero_exit: false).to_s
+        end
+      end
+      content
+    rescue StandardError
+      nil
+    end
+
+    def normalize_dns_servers(raw_servers)
+      Array(raw_servers).map do |server|
+        if server.is_a?(Hash)
+          ssh_host = server[:ssh_host] || server['ssh_host'] || server[:host] || server['host']
+          private_ip = server[:private_ip] || server['private_ip'] || server[:ip] || server['ip']
+          private_ip ||= ssh_host
+          ssh_host ||= private_ip
+          { ssh_host: ssh_host.to_s, private_ip: private_ip.to_s }
+        else
+          value = server.to_s
+          { ssh_host: value, private_ip: value }
+        end
+      end
+    end
+
+    def normalize_dns_domains(dns_config)
+      Array(dns_config[:domains] || dns_config[:domain]).map(&:to_s).map(&:strip).reject(&:empty?)
+    end
+
+    def normalize_dns_records(value, default_prefix:, domains:)
+      records = Array(value).map(&:to_s).map(&:strip).reject(&:empty?)
+      return records unless records.empty?
+
+      domains = ['mesh'] if domains.empty?
+      domains.map { |domain| "#{default_prefix}.#{domain}" }
+    end
+
+    def show_backups
+      output = nil
+      postgres_user = config.postgres_user
+      with_timeout('pgbackrest info') do
+        executor.execute_on_host(config.primary_host) do
+          output = capture(:sudo, '-u', postgres_user, 'pgbackrest', 'info',
+                           raise_on_non_zero_exit: false).to_s
+        end
+      end
+
+      puts '==> Backups (pgBackRest)'
+      puts output if output && !output.strip.empty?
+      puts
+    rescue StandardError => e
+      puts "==> Backups (error: #{e.message})"
+      puts
+    end
+
+    def fetch_system_stats(host, paths)
+      output = nil
+      with_timeout("system stats #{host}") do
+        ssh_executor = executor
+        safe_paths = paths.map { |p| Shellwords.escape(p) }.join(' ')
+        script = <<~'BASH'
+          set -e
+          loadavg=$(cut -d' ' -f1-3 /proc/loadavg)
+
+          read _ user nice system idle iowait irq softirq steal _ _ < /proc/stat
+          sleep 0.2
+          read _ user2 nice2 system2 idle2 iowait2 irq2 softirq2 steal2 _ _ < /proc/stat
+
+          total1=$((user + nice + system + idle + iowait + irq + softirq + steal))
+          total2=$((user2 + nice2 + system2 + idle2 + iowait2 + irq2 + softirq2 + steal2))
+          total=$((total2 - total1))
+          idle_delta=$((idle2 + iowait2 - idle - iowait))
+
+          cpu=0
+          if [ "$total" -gt 0 ]; then
+            cpu=$(( (100 * (total - idle_delta)) / total ))
+          fi
+
+          mem_total=$(awk '/MemTotal/ {print $2}' /proc/meminfo)
+          mem_avail=$(awk '/MemAvailable/ {print $2}' /proc/meminfo)
+
+          echo "loadavg=${loadavg}"
+          echo "cpu=${cpu}"
+          echo "mem_total_kb=${mem_total}"
+          echo "mem_avail_kb=${mem_avail}"
+        BASH
+
+        ssh_executor.execute_on_host(host) do
+          output = capture(:bash, '-lc', "#{script}\n df -kP #{safe_paths} 2>/dev/null | tail -n +2 | " \
+                                        "awk '{print \"disk=\" $6 \"|\" $2 \"|\" $3 \"|\" $4 \"|\" $5}'",
+                           raise_on_non_zero_exit: false).to_s
+        end
+      end
+
+      parse_system_stats(output)
+    rescue StandardError
+      nil
+    end
+
+    def parse_system_stats(output)
+      stats = { disks: [] }
+      output.to_s.each_line do |line|
+        line = line.strip
+        next if line.empty?
+
+        if line.start_with?('loadavg=')
+          stats[:loadavg] = line.split('=', 2)[1]
+        elsif line.start_with?('cpu=')
+          stats[:cpu] = line.split('=', 2)[1].to_i
+        elsif line.start_with?('mem_total_kb=')
+          stats[:mem_total_kb] = line.split('=', 2)[1].to_i
+        elsif line.start_with?('mem_avail_kb=')
+          stats[:mem_avail_kb] = line.split('=', 2)[1].to_i
+        elsif line.start_with?('disk=')
+          _, payload = line.split('=', 2)
+          mount, total, used, _avail, pct = payload.split('|')
+          stats[:disks] << {
+            mount: mount,
+            total_kb: total.to_i,
+            used_kb: used.to_i,
+            use_pct: pct
+          }
+        end
+      end
+
+      stats[:loadavg] ||= 'n/a'
+      stats[:cpu] ||= 0
+      stats[:mem_total_kb] ||= 0
+      stats[:mem_avail_kb] ||= 0
+      stats
+    end
+
+    def format_kb(kb)
+      kb = kb.to_f
+      gb = kb / 1024 / 1024
+      return format('%.1fG', gb) if gb >= 1
+
+      mb = kb / 1024
+      format('%.0fM', mb)
+    end
+
+    def system_stat_paths
+      paths = ['/']
+      paths << '/var/lib/postgresql'
+      repo_path = pgbackrest_repo_path
+      paths << repo_path if repo_path
+      paths.compact.uniq
+    end
+
+    def pgbackrest_repo_path
+      return nil unless config.component_enabled?(:pgbackrest)
+
+      pg_config = config.component_config(:pgbackrest)
+      return pg_config[:repo_path] if pg_config[:repo_path]
+
+      pg_config[:repo_type].to_s == 'local' ? '/var/lib/pgbackrest' : '/backups'
+    end
+
+    def dns_failover_config
+      repmgr_config = config.component_config(:repmgr)
+      dns_config = repmgr_config[:dns_failover]
+      return nil unless dns_config && dns_config[:enabled]
+
+      dns_config
+    end
+
+    def dns_failover_enabled?
+      dns_failover_config != nil
+    end
+
+    def overview_timeout
+      value = ENV.fetch('ACTIVE_POSTGRES_OVERVIEW_TIMEOUT', DEFAULT_TIMEOUT.to_s).to_i
+      value.positive? ? value : DEFAULT_TIMEOUT
+    end
+
+    def with_timeout(label)
+      Timeout.timeout(overview_timeout) { yield }
+    rescue Timeout::Error
+      raise StandardError, "#{label} timed out after #{overview_timeout}s"
+    end
+  end
+end

data/lib/active_postgres/secrets.rb

@@ -81,6 +81,8 @@ module ActivePostgres
     end
 
     def fetch_from_rails_credentials(key_path)
+      ensure_rails_credentials_available
+
       return nil unless defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application
 
       keys = key_path.split('.').map(&:to_sym)
@@ -89,6 +91,22 @@ module ActivePostgres
       nil
     end
 
+    def ensure_rails_credentials_available
+      return if @rails_boot_attempted
+      return if defined?(::Rails) && ::Rails.respond_to?(:application) && ::Rails.application
+
+      @rails_boot_attempted = true
+
+      # Try loading just the Rails application (without full initialization)
+      # This makes Rails.application available for credential access
+      if File.exist?('./config/application.rb')
+        require './config/application'
+      end
+    rescue StandardError
+      # Rails boot failed — CLI running outside a Rails project
+      nil
+    end
+
     def execute_command(command)
       # Preserve RAILS_ENV if set
       env_prefix = ENV['RAILS_ENV'] ? "RAILS_ENV=#{ENV['RAILS_ENV']} " : ''