move folder and add supavisor

2026-03-03 00:41:48 +07:00
parent ecd2d56975
commit c01fea1c51
12 changed files with 4 additions and 1 deletions
--- a/02-supabase/utils/db-passwd.sh
+++ b/02-supabase/utils/db-passwd.sh
@@ -0,0 +1,157 @@
+#!/bin/sh
+#
+# Portions of this code are derived from Inder Singh's update-db-pass.sh
+# Copyright 2025 Inder Singh. Licensed under Apache License 2.0.
+# Original source:
+# https://github.com/singh-inder/supabase-automated-self-host/blob/main/docker/update-db-pass.sh
+#
+# GitHub discussion here:
+# https://github.com/supabase/supabase/issues/22605#issuecomment-3323382144
+#
+# Changed:
+# - POSIX shell compatibility
+# - No hardcoded values for database service and admin user
+# - Use .env for the admin user and database service port
+# - Does _not_ set password for supabase_read_only_user (this role is not
+#   supposed to have a password)
+# - Print all values and confirm before updating
+# - Stop on any errors
+#
+# Heads up:
+# - Updating _analytics.source_backends is not needed after PR logflare#2069
+# - Newer Logflare versions use a different table and update connection string
+#
+
+set -e
+
+if ! docker compose version > /dev/null 2>&1; then
+    echo "Docker Compose not found."
+    exit 1
+fi
+
+if [ ! -f .env ]; then
+    echo "Missing .env file. Exiting."
+    exit 1
+fi
+
+# Generate random hex-only password to avoid issues with SQL/shell
+new_passwd="$(openssl rand -hex 16)"
+# If replacing with a custom password, avoid using @/?#:&
+# https://supabase.com/docs/guides/database/postgres/roles#passwords
+# new_passwd="d0notUseSpecialSymbolsForPq123-"
+
+# Check Postgres service
+db_image_prefix="supabase.postgres:"
+
+compose_output=$(docker compose ps \
+  --format '{{.Image}}\t{{.Service}}\t{{.Status}}' 2>/dev/null | \
+  grep -m1 "^$db_image_prefix" || true)
+
+if [ -z "$compose_output" ]; then
+    echo "Postgres container not found. Exiting."
+    exit 1
+fi
+
+db_image=$(echo "$compose_output" | cut -f1)
+db_srv_name=$(echo "$compose_output" | cut -f2)
+db_srv_status=$(echo "$compose_output" | cut -f3)
+
+case "$db_srv_status" in
+    Up*)
+        ;;
+    *)
+        echo "Postgres container status: $db_srv_status"
+        echo "Exiting."
+        exit 1
+        ;;
+esac
+
+db_srv_port=$(grep "^POSTGRES_PORT=" .env | cut -d '=' -f 2)
+port_source=" (.env):"
+if [ -z "$db_srv_port" ]; then
+    db_srv_port="5432"
+    port_source=" (default):"
+fi
+
+db_admin_user="supabase_admin"
+
+echo ""
+echo "*** Check configuration below before updating database passwords! ***"
+echo ""
+echo "Service name: $db_srv_name"
+echo "Service status: $db_srv_status"
+echo "Service port${port_source} $db_srv_port"
+echo "Image: $db_image"
+echo ""
+echo "Admin user: $db_admin_user"
+
+if ! test -t 0; then
+    echo ""
+    echo "Running non-interactively. Not updating passwords."
+    exit 0
+fi
+
+echo "New database password: $new_passwd"
+echo ""
+
+printf "Update database passwords? (y/N) "
+read -r REPLY
+case "$REPLY" in
+    [Yy])
+        ;;
+    *)
+        echo "Canceled. Not updating passwords."
+        exit 0
+        ;;
+esac
+
+echo "Updating passwords..."
+echo "Connecting to the database service container..."
+
+docker compose exec -T "$db_srv_name" psql -U "$db_admin_user" -d "_supabase" -v ON_ERROR_STOP=1 <<EOF
+alter user anon with password '${new_passwd}';
+alter user authenticated with password '${new_passwd}';
+alter user authenticator with password '${new_passwd}';
+alter user dashboard_user with password '${new_passwd}';
+alter user pgbouncer with password '${new_passwd}';
+alter user postgres with password '${new_passwd}';
+alter user service_role with password '${new_passwd}';
+alter user supabase_admin with password '${new_passwd}';
+alter user supabase_auth_admin with password '${new_passwd}';
+alter user supabase_functions_admin with password '${new_passwd}';
+alter user supabase_replication_admin with password '${new_passwd}';
+alter user supabase_storage_admin with password '${new_passwd}';
+
+DROP SCHEMA _supavisor CASCADE;
+create schema if not exists _supavisor;
+alter schema _supavisor owner to supabase_admin;
+
+DO \$\$
+BEGIN
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.tables
+    WHERE table_schema = '_analytics'
+      AND table_name = 'source_backends'
+  ) THEN
+    UPDATE _analytics.source_backends
+    SET config = jsonb_set(
+      config,
+      '{url}',
+      '"postgresql://${db_admin_user}:${new_passwd}@${db_srv_name}:${db_srv_port}/postgres"',
+      false
+    )
+    WHERE type = 'postgres';
+  END IF;
+END
+\$\$;
+EOF
+
+echo "Updating POSTGRES_PASSWORD in .env..."
+sed -i.old "s|^POSTGRES_PASSWORD=.*$|POSTGRES_PASSWORD=$new_passwd|" .env
+
+echo ""
+echo "Success. To update and restart containers use:"
+echo ""
+echo "docker compose up -d --force-recreate"
+echo ""
--- a/02-supabase/utils/generate-keys.sh
+++ b/02-supabase/utils/generate-keys.sh
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# Portions of this code are derived from Inder Singh's setup.sh shell script.
+# Copyright 2025 Inder Singh. Licensed under Apache License 2.0.
+# Original source: https://github.com/singh-inder/supabase-automated-self-host/blob/main/setup.sh
+#
+
+set -e
+
+gen_hex() {
+    openssl rand -hex "$1"
+}
+
+gen_base64() {
+    openssl rand -base64 "$1"
+}
+
+base64_url_encode() {
+    openssl enc -base64 -A | tr '+/' '-_' | tr -d '='
+}
+
+gen_token() {
+    payload=$1
+    payload_base64=$(printf %s "$payload" | base64_url_encode)
+    header_base64=$(printf %s "$header" | base64_url_encode)
+    signed_content="${header_base64}.${payload_base64}"
+    signature=$(printf %s "$signed_content" | openssl dgst -binary -sha256 -hmac "$jwt_secret" | base64_url_encode)
+    printf '%s' "${signed_content}.${signature}"
+}
+
+if ! command -v openssl >/dev/null 2>&1; then
+    echo "Error: openssl is required but not found."
+    exit 1
+fi
+
+jwt_secret="$(gen_base64 30)"
+
+# Used in get_token()
+header='{"alg":"HS256","typ":"JWT"}'
+iat=$(date +%s)
+exp=$((iat + 5 * 3600 * 24 * 365)) # 5 years
+
+# Normalizes JSON formatting so that the token matches https://www.jwt.io/ results
+anon_payload="{\"role\":\"anon\",\"iss\":\"supabase\",\"iat\":$iat,\"exp\":$exp}"
+service_role_payload="{\"role\":\"service_role\",\"iss\":\"supabase\",\"iat\":$iat,\"exp\":$exp}"
+
+#echo "anon_payload=$anon_payload"
+#echo "service_role_payload=$service_role_payload"
+
+anon_key=$(gen_token "$anon_payload")
+service_role_key=$(gen_token "$service_role_payload")
+
+secret_key_base=$(gen_base64 48)
+vault_enc_key=$(gen_hex 16)
+pg_meta_crypto_key=$(gen_base64 24)
+
+logflare_public_access_token=$(gen_base64 24)
+logflare_private_access_token=$(gen_base64 24)
+
+s3_protocol_access_key_id=$(gen_hex 16)
+s3_protocol_access_key_secret=$(gen_hex 32)
+
+minio_root_password=$(gen_hex 16)
+
+echo ""
+echo "JWT_SECRET=${jwt_secret}"
+echo ""
+#echo "Issued at: $iat"
+#echo "Expire: $exp"
+echo "ANON_KEY=${anon_key}"
+echo "SERVICE_ROLE_KEY=${service_role_key}"
+echo ""
+echo "SECRET_KEY_BASE=${secret_key_base}"
+echo "VAULT_ENC_KEY=${vault_enc_key}"
+echo "PG_META_CRYPTO_KEY=${pg_meta_crypto_key}"
+echo "LOGFLARE_PUBLIC_ACCESS_TOKEN=${logflare_public_access_token}"
+echo "LOGFLARE_PRIVATE_ACCESS_TOKEN=${logflare_private_access_token}"
+echo "S3_PROTOCOL_ACCESS_KEY_ID=${s3_protocol_access_key_id}"
+echo "S3_PROTOCOL_ACCESS_KEY_SECRET=${s3_protocol_access_key_secret}"
+echo "MINIO_ROOT_PASSWORD=${minio_root_password}"
+echo ""
+
+postgres_password=$(gen_hex 16)
+dashboard_password=$(gen_hex 16)
+
+echo "POSTGRES_PASSWORD=${postgres_password}"
+echo "DASHBOARD_PASSWORD=${dashboard_password}"
+echo ""
+
+if ! test -t 0; then
+    echo "Running non-interactively. Skipping .env update."
+    exit 0
+fi
+
+printf "Update .env file? (y/N) "
+read -r REPLY
+case "$REPLY" in
+    [Yy])
+        ;;
+    *)
+        echo "Not updating .env"
+        exit 0
+        ;;
+esac
+
+echo "Updating .env..."
+
+sed \
+    -i.old \
+    -e "s|^JWT_SECRET=.*$|JWT_SECRET=${jwt_secret}|" \
+    -e "s|^ANON_KEY=.*$|ANON_KEY=${anon_key}|" \
+    -e "s|^SERVICE_ROLE_KEY=.*$|SERVICE_ROLE_KEY=${service_role_key}|" \
+    -e "s|^SECRET_KEY_BASE=.*$|SECRET_KEY_BASE=${secret_key_base}|" \
+    -e "s|^VAULT_ENC_KEY=.*$|VAULT_ENC_KEY=${vault_enc_key}|" \
+    -e "s|^PG_META_CRYPTO_KEY=.*$|PG_META_CRYPTO_KEY=${pg_meta_crypto_key}|" \
+    -e "s|^LOGFLARE_PUBLIC_ACCESS_TOKEN=.*$|LOGFLARE_PUBLIC_ACCESS_TOKEN=${logflare_public_access_token}|" \
+    -e "s|^LOGFLARE_PRIVATE_ACCESS_TOKEN=.*$|LOGFLARE_PRIVATE_ACCESS_TOKEN=${logflare_private_access_token}|" \
+    -e "s|^S3_PROTOCOL_ACCESS_KEY_ID=.*$|S3_PROTOCOL_ACCESS_KEY_ID=${s3_protocol_access_key_id}|" \
+    -e "s|^S3_PROTOCOL_ACCESS_KEY_SECRET=.*$|S3_PROTOCOL_ACCESS_KEY_SECRET=${s3_protocol_access_key_secret}|" \
+    -e "s|^MINIO_ROOT_PASSWORD=.*$|MINIO_ROOT_PASSWORD=${minio_root_password}|" \
+    -e "s|^POSTGRES_PASSWORD=.*$|POSTGRES_PASSWORD=${postgres_password}|" \
+    -e "s|^DASHBOARD_PASSWORD=.*$|DASHBOARD_PASSWORD=${dashboard_password}|" \
+    .env