From c2be365df2d69f819adc0b109964296753226ff2 Mon Sep 17 00:00:00 2001
From: Jonas Thelemann
Date: Wed, 26 Feb 2025 01:51:42 +0100
Subject: [PATCH] feat(postgres): create roles in entrypoint

---
 src/development/stack.yml | 6 ++--
 .../additional-databases.sh | 32 +++++++++++++++----
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/development/stack.yml b/src/development/stack.yml
index 4f216852..b7814dfb 100644
--- a/src/development/stack.yml
+++ b/src/development/stack.yml
@@ -332,14 +332,16 @@ services:
 secrets:
 - postgres_db
 - postgres_password
+ - postgres_role_grafana_password
+ - postgres_role_grafana_username
 - postgres_user
 # sysctls:
- # # Prevent Docker Swarm from killing pg-amqp-bridge connections (https://github.com/moby/moby/issues/31208)
+ # # Prevent Docker Swarm from killing connections (https://github.com/moby/moby/issues/31208)
 # - net.ipv4.tcp_keepalive_time=600
 # - net.ipv4.tcp_keepalive_intvl=30
 # - net.ipv4.tcp_keepalive_probes=10
 volumes:
- - /run/:/run/ # Make PGSQL socket available. # #DARGSTACK-REMOVE
+ - /run/:/run/ # make PGSQL socket available # #DARGSTACK-REMOVE
 - postgres_data:/var/lib/postgresql/data/
 - ../production/configurations/postgres/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d/:ro
 prometheus:
diff --git a/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh b/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh
index b19bc50f..c4dbf646 100755
--- a/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh
+++ b/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh
@@ -4,20 +4,38 @@ set -eu
 username="$(cat /run/secrets/postgres_user)"
-create_database() {
- create_database_database=$1
- echo "Creating user and database '$create_database_database'"
+create_database_and_role() {
+ db_name="$1"
+ password_file="/run/secrets/postgres_role_${db_name}_password"
+ username_file="/run/secrets/postgres_role_${db_name}_username"
+
+ if [ ! -f "$password_file" ]; then
+ echo "[WARN] Password file for '$db_name' not found, skipping creation" >&2
+ return
+ fi
+
+ if [ ! -f "$username_file" ]; then
+ echo "[WARN] Username file for '$db_name' not found, skipping creation" >&2
+ return
+ fi
+
+ db_password="$(tr -d '\n' < "$password_file")"
+ db_username="$(tr -d '\n' < "$username_file")"
+
+ echo "[INFO] Creating user and database: '$db_name'"
+
 psql -v ON_ERROR_STOP=1 --username "$username" --dbname "postgres" <<-EOSQL
- CREATE DATABASE "$create_database_database";
+ CREATE ROLE "$db_username" WITH LOGIN PASSWORD '$db_password';
+ CREATE DATABASE "$db_name" OWNER "$db_username";
 EOSQL
 }
 if [ -n "${POSTGRES_ADDITIONAL_DBS:-}" ]; then
- echo "Additional database creation requested: $POSTGRES_ADDITIONAL_DBS"
+ echo "[INFO] Additional database creation requested: $POSTGRES_ADDITIONAL_DBS"
 for db in $POSTGRES_ADDITIONAL_DBS; do
- create_database "$db"
+ create_database_and_role "$db"
 done
- echo "Multiple databases created"
+ echo "[INFO] Multiple databases and roles created"
 fi
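Review bot: The added `CREATE ROLE` line splices the secret unescaped into a SQL string literal (`PASSWORD '$db_password'`) inside the variable-expanding `<<-EOSQL` heredoc, so a password containing a single quote terminates the literal early and, with `ON_ERROR_STOP=1` under `set -eu`, aborts database initialization; a double quote in the role name does the same to the `"$db_username"` identifier. SQL-escape both values in the shell before the heredoc (double every `'` in the literal, every `"` in the identifier) rather than switching to `psql -v pw=...` with `:'pw'`, which would put the secret on the psql command line. `db_name` is interpolated as an identifier the same way, but it was already used like that before this change and also names the secret files, so I would only add a comment that database names must be plain identifiers. The function body is fully contained in the hunk; the file header above it is not.
```shell
	db_password="$(tr -d '\n' < "$password_file")"
	db_username="$(tr -d '\n' < "$username_file")"
	# SQL-escape before interpolating into the heredoc: '' inside a string literal, "" inside an identifier
	db_password_sql="$(printf '%s' "$db_password" | sed "s/'/''/g")"
	db_username_sql="$(printf '%s' "$db_username" | sed 's/"/""/g')"

	# … unchanged: [INFO] log line …

	psql -v ON_ERROR_STOP=1 --username "$username" --dbname "postgres" <<-EOSQL
		CREATE ROLE "$db_username_sql" WITH LOGIN PASSWORD '$db_password_sql';
		CREATE DATABASE "$db_name" OWNER "$db_username_sql";
	EOSQL
```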