supabase
diff --git a/‎amazon.json
+4-4 b/‎amazon.json
+4-4
diff --git a/‎ansible/files/ACCC4CF8.asc
-77 b/‎ansible/files/ACCC4CF8.asc
-77
diff --git a/‎ansible/files/apt_periodic
+4 b/‎ansible/files/apt_periodic
+4
diff --git a/‎ansible/files/kong.conf.j2
-7 b/‎ansible/files/kong.conf.j2
-7
diff --git a/‎ansible/files/kong.service.j2
-20 b/‎ansible/files/kong.service.j2
-20
diff --git a/‎ansible/files/postgresql.service.j2
-5 b/‎ansible/files/postgresql.service.j2
-5
diff --git a/‎ansible/files/postgrest.service.j2
-17 b/‎ansible/files/postgrest.service.j2
-17
diff --git a/‎ansible/files/supabase.service.j2
-24 b/‎ansible/files/supabase.service.j2
-24
diff --git a/‎ansible/playbook.yml
+5-7 b/‎ansible/playbook.yml
+5-7
diff --git a/‎ansible/tasks/setup-extensions.yml
+31-1 b/‎ansible/tasks/setup-extensions.yml
+31-1
diff --git a/‎ansible/tasks/setup-system.yml
+16-1 b/‎ansible/tasks/setup-system.yml
+16-1
diff --git a/‎ansible/vars.yml
+8-4 b/‎ansible/vars.yml
+8-4
diff --git a/‎digitalOcean.json
+1-1 b/‎digitalOcean.json
+1-1
diff --git a/‎docker/Dockerfile
+14 b/‎docker/Dockerfile
+14
diff --git a/‎docker/mnt/init-permissions.sh
+6-1 b/‎docker/mnt/init-permissions.sh
+6-1
diff --git a/‎scripts/02-credentials_cleanup.sh
+1 b/‎scripts/02-credentials_cleanup.sh
+1
@@ -3,21 +3,20 @@
     "aws_access_key": "",
     "aws_secret_key": "",
     "region": "",
+    "ami": "",
     "name": ""
   },
   "builders": [{
     "type": "amazon-ebs",
     "access_key": "{{user `aws_access_key`}}",
     "secret_key": "{{user `aws_secret_key`}}",
     "region": "{{user `region`}}",
-    "source_ami": "ami-0f7719e8b7ba25c61",
-    "instance_type": "t2.micro",
+    "source_ami": "{{user `ami`}}",
+    "instance_type": "t2.large",
     "ssh_username": "ubuntu",
     "ami_name": "{{user `name`}}",
     "launch_block_device_mappings": [{
       "device_name": "/dev/sda1",
-      "encrypted": true,
-      "kms_key_id": "44e7e739-21f1-4678-829e-d1ac63d121b4",
       "iops": 400,
       "volume_type": "io1",
       "volume_size": 8,
@@ -35,6 +34,7 @@
       "type": "shell",
       "scripts": [
         "scripts/01-test",
+        "scripts/02-credentials_cleanup.sh",
         "scripts/90-cleanup.sh",
         "scripts/91-log_cleanup.sh",
         "scripts/99-img_check.sh"
 
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
@@ -29,14 +29,12 @@
       file:
         path: /tmp/00-schema.sql
         state: absent
-
-    - name: Set up password for superadmin postgres
-      become: yes
-      become_user: postgres
-      postgresql_user:
-        name: postgres
-        password: "{{ postgres_superadmin_password }}"
 
+    - name: Adjust APT update intervals
+      copy: 
+        src: files/apt_periodic
+        dest: /etc/apt/apt.conf.d/10periodic
+
     - name: UFW - Allow SSH connections
       ufw:
         rule: allow
 
@@ -43,14 +43,44 @@
     update_cache: yes
     cache_valid_time: 3600
 
+- name: pgAudit - download & install dependencies
+  apt:
+    pkg:
+      - postgresql-server-dev-12
+      - libssl-dev
+      - libkrb5-dev
+    update_cache: yes
+    install_recommends: no
+
+- name: pgAudit - download latest release
+  git:
+    repo: https://github.com/pgaudit/pgaudit.git
+    dest: /tmp/pgaudit
+  become: yes
+
+- name: pgAudit - build
+  make: 
+    chdir: /tmp/pgaudit
+    target: check
+    params:
+      USE_PGXS: 1
+  become: yes
+
+- name: pgAudit - install
+  make:
+    chdir: /tmp/pgaudit
+    target: install
+    params:
+      USE_PGXS: 1
+  become: yes
+
 - name: plv8 - download & install dependencies
   apt:
     pkg:
       - build-essential
       - ca-certificates
       - curl
       - git-core
-      - python
       - gpp
       - cpp
       - pkg-config
 
@@ -4,15 +4,30 @@
   apt: update_cache=yes upgrade=yes
   # SEE http://archive.vn/DKJjs#parameter-upgrade
 
+- name: add universe repository for bionic
+  apt_repository: 
+    repo: deb http://archive.ubuntu.com/ubuntu bionic universe
+    state: present
+
 - name: Install essentials
   apt:
     pkg:
       - ufw
+      - fail2ban
+      - unattended-upgrades
+      - python3
+      - python3-pip
     update_cache: yes
     cache_valid_time: 3600
 
+- name: Adjust APT update intervals
+  copy: 
+    src: files/apt_periodic
+    dest: /etc/apt/apt.conf.d/10periodic
+
 - name: Install psycopg2 to enable ansible postgreSQL features
-  pip: name=psycopg2-binary
+  pip: 
+    name: psycopg2-binary
 
 - name: System - Create services.slice
   template:
 
@@ -11,12 +11,16 @@ postgresql_ext_install_dev_headers: yes
 # Warning: Make sure the postgresql & postgis versions are compatible with one another
 postgresql_ext_postgis_version: 3
 
-postgresql_shared_preload_libraries: [pg_stat_statements]
+postgresql_shared_preload_libraries: [pg_stat_statements, pgaudit]
 
 postgresql_pg_hba_custom:
   - {type: "host", database: "all", user: "all", address: "0.0.0.0/0", method: "md5" }
 
-postgres_superadmin_password: "a1b2c3d4e5f6g7"
-
 pgtap_release: v1.1.0
-pgtap_release_checksum: sha1:cca57708e723de18735a723b774577dc52f6f31e
+pgtap_release_checksum: sha1:cca57708e723de18735a723b774577dc52f6f31e
+
+postgresql_log_destination: "csvlog"
+postgresql_logging_collector: on
+postgresql_log_filename: "postgresql.log"
+postgresql_log_rotation_age: 0
+postgresql_log_rotation_size: 0
@@ -10,7 +10,7 @@
     "region": "{{user `region`}}",
     "size": "s-1vcpu-1gb",
     "ssh_username": "root",
-    "snapshot_name": "supabase-postgresql-0.0.11"
+    "snapshot_name": "supabase-postgresql-0.12.0"
   }],
   "provisioners": [
     {
 
@@ -23,6 +23,20 @@ RUN git clone git://github.com/theory/pgtap.git \
 RUN apt-get update \ 
       && apt-get install postgresql-plpython3-12 -y
 
+# install pgAudit
+RUN pgAuditDependencies="postgresql-server-dev-$PG_MAJOR \
+    libssl-dev \
+    libkrb5-dev \
+    git-core" \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends ${pgAuditDependencies} \
+    && cd /tmp \
+    && git clone https://github.com/pgaudit/pgaudit.git \
+    && cd pgaudit \
+    && git checkout master \ 
+    && make check USE_PGXS=1 \
+    && make install USE_PGXS=1 
+
 # install plv8
 ENV PLV8_VERSION=r3.0alpha
 
 
@@ -2,9 +2,14 @@
 set -e
 
 echo "host replication $POSTGRES_USER 0.0.0.0/0 trust" >> $PGDATA/pg_hba.conf
-echo "shared_preload_libraries = 'pg_stat_statements'" >> $PGDATA/postgresql.conf
+echo "shared_preload_libraries = 'pg_stat_statements, pgaudit'" >> $PGDATA/postgresql.conf
 echo "pg_stat_statements.max = 10000" >> $PGDATA/postgresql.conf
 echo "pg_stat_statements.track = all" >> $PGDATA/postgresql.conf
 echo "wal_level=logical" >> $PGDATA/postgresql.conf
 echo "max_replication_slots=5" >> $PGDATA/postgresql.conf
 echo "max_wal_senders=10" >> $PGDATA/postgresql.conf
+echo "log_destination='csvlog'" >> $PGDATA/postgresql.conf
+echo "logging_collector=on" >> $PGDATA/postgresql.conf
+echo "log_filename='postgresql.log'" >> $PGDATA/postgresql.conf
+echo "log_rotation_age=0" >> $PGDATA/postgresql.conf
+echo "log_rotation_size=0" >> $PGDATA/postgresql.conf
@@ -0,0 +1 @@
+sudo rm /home/ubuntu/.ssh/authorized_keys
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	"region": "{{user `region`}}",
`11`	`11`	`"size": "s-1vcpu-1gb",`
`12`	`12`	`"ssh_username": "root",`
`13`		`- "snapshot_name": "supabase-postgresql-0.0.11"`
	`13`	`+ "snapshot_name": "supabase-postgresql-0.12.0"`
`14`	`14`	`}],`
`15`	`15`	`"provisioners": [`
`16`	`16`	`{`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+sudo rm /home/ubuntu/.ssh/authorized_keys`