{"id":31787168,"url":"https://github.com/usepa/pg-provision","last_synced_at":"2026-05-18T19:02:42.379Z","repository":{"id":317468122,"uuid":"1062841827","full_name":"USEPA/pg-provision","owner":"USEPA","description":"This is a read only mirror of canonical source: https://github.com/Scr1ptcat/pg-provision. Please submit issues/PRs upstream.","archived":false,"fork":false,"pushed_at":"2025-10-01T02:48:41.000Z","size":115,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-01T04:25:05.467Z","etag":null,"topics":["administration","database","idempotency"],"latest_commit_sha":null,"homepage":"https://github.com/Scr1ptcat/pg-provision","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/USEPA.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-23T20:03:55.000Z","updated_at":"2025-10-01T01:31:00.000Z","dependencies_parsed_at":"2025-10-01T04:25:07.203Z","dependency_job_id":"d1befb31-ee75-4504-a304-cc83d1664f82","html_url":"https://github.com/USEPA/pg-provision","commit_stats":null,"previous_names":["usepa/pg-provision"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/USEPA/pg-provision","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/USEPA%2Fpg-provision","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/USEPA%2Fpg-provision/tags","releases_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/USEPA%2Fpg-provision/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/USEPA%2Fpg-provision/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/USEPA","download_url":"https://codeload.github.com/USEPA/pg-provision/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/USEPA%2Fpg-provision/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279004065,"owners_count":26083667,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["administration","database","idempotency"],"created_at":"2025-10-10T13:54:08.734Z","updated_at":"2025-10-10T13:54:11.624Z","avatar_url":"https://github.com/USEPA.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pg-provision\n\n[![PyPI - Version](https://img.shields.io/pypi/v/pg-provision.svg)](https://pypi.org/project/pg-provision/) [![Python Versions](https://img.shields.io/pypi/pyversions/pg-provision.svg)](https://pypi.org/project/pg-provision/)\n\nIdempotent PostgreSQL provisioning as a Python package wrapping portable shell scripts.\n\n## Install\n\n```\npip install pg-provision\n```\n\n## Quick start\n\nShow usage (pass‑through to shell 
script):\n\n```bash\npgprovision --help\n```\n\nDry run (no privileged operations):\n\n```bash\npgprovision --dry-run\n```\n\n\u003e Root or passwordless sudo is required for changes. The CLI auto‑invokes `sudo -n` when needed.\n\n## Common scenarios (copy/paste)\n\n### 1) **Hardened (RHEL/Rocky/Alma): socket‑only, local peer auth**\n\nNo TCP listener; UNIX socket is gated by a dedicated group; OS users are mapped to DB roles via `pg_ident`. Good default for single‑host services.\n\n```bash\npgprovision \\\n  --repo pgdg \\\n  --listen-addresses '' \\\n  --socket-only \\\n  --unix-socket-group pgclients \\\n  --unix-socket-permissions 0770 \\\n  --local-peer-map localmap \\\n  --local-map-entry alice:app_rw \\\n  --local-map-entry bob:analytics \\\n  --admin-group-role dba_group \\\n  --admin-dbrole dba\n```\n\n**Notes**\n\n- `--listen-addresses ''` disables TCP; only UNIX sockets are used.\n- `--unix-socket-group` controls who can connect locally; members are added automatically.\n- `--local-map-entry OSUSER:DBROLE` writes `pg_ident.conf` and ensures DB roles exist.\n- Optional safety switch once your admin path works:\n\n```bash\npgprovision --disable-postgres-login\n```\n\n______________________________________________________________________\n\n### 2) **Hardened (RHEL/Rocky/Alma): loopback‑only TCP (localhost)**\n\nKeep TCP on `127.0.0.1`/`::1` only; pair with peer mappings (for local tooling) or layer your own auth later.\n\n```bash\npgprovision \\\n  --repo pgdg \\\n  --listen-addresses localhost \\\n  --port 5432 \\\n  --local-peer-map localmap \\\n  --local-map-entry serviceuser:service_role\n```\n\n______________________________________________________________________\n\n### 3) **Permissive (Ubuntu): listen on all interfaces for a trusted LAN**\n\nOpens the server to a private IPv4 range (add IPv6 if needed). 
This example **does not** create credentials; bring your own auth model.\n\n```bash\npgprovision \\\n  --repo pgdg \\\n  --listen-addresses '*' \\\n  --allowed-cidr 192.168.0.0/16 \\\n  --allow-network\n```\n\nAdd IPv6:\n\n```bash\npgprovision \\\n  --repo pgdg \\\n  --listen-addresses '*' \\\n  --allowed-cidr 192.168.0.0/16 \\\n  --allowed-cidr-v6 'fd00::/8' \\\n  --allow-network\n```\n\n\u003e Network exposure without an explicit auth strategy is risky. Use this only on trusted networks and add your own authentication/authorization controls.\n\n______________________________________________________________________\n\n### 4) **TLS‑required server (certs pre‑positioned)**\n\nEnables TLS. The script fails early if `server.crt`/`server.key` are absent in the active `data_directory`.\n\n```bash\npgprovision \\\n  --repo pgdg \\\n  --listen-addresses '*' \\\n  --allowed-cidr 10.0.0.0/8 \\\n  --allow-network \\\n  --enable-tls\n```\n\n______________________________________________________________________\n\n### 5) **Reproducible runs via env‑file (no secrets)**\n\nKeep knobs in a file. 
Any flag‑backed var can live here.\n\n`/etc/pgprovision.env`:\n\n```bash\nPG_VERSION=16\nREPO_KIND=pgdg\nLISTEN_ADDRESSES=localhost\nPORT=5432\nALLOW_NETWORK=false\n```\n\nRun:\n\n```bash\npgprovision --env-file /etc/pgprovision.env\n```\n\n(You can still pass additional flags on the command line for things like peer mappings.)\n\n______________________________________________________________________\n\n### 6) **Custom data directory + pg_stat_statements**\n\n```bash\npgprovision \\\n  --repo pgdg \\\n  --data-dir /data/postgres/16/main \\\n  --init-pg-stat-statements\n```\n\nAfter restart, the script attempts `CREATE EXTENSION IF NOT EXISTS pg_stat_statements;`.\n\n______________________________________________________________________\n\n## OS Guides\n\n- Ubuntu: [docs/test-plan-ubuntu.md](docs/test-plan-ubuntu.md)\n- RHEL/Rocky/Alma: [docs/test-plan-rhel.md](docs/test-plan-rhel.md)\n\n### Self‑Heal on Ubuntu (PGDG)\n\nOn Ubuntu/Debian with PGDG, packaging normally creates a default `main` cluster. If that metadata is broken (e.g., `pg_lsclusters` errors, `/etc/postgresql/\u003cver\u003e/main` owned by root, or `data_directory` missing), pg‑provision can self‑heal before applying HBA/profile/role changes.\n\n- Non‑destructive: it never deletes a directory that looks like a real PGDATA (has `PG_VERSION` and `global/pg_control`).\n- If a valid PGDATA exists, it rebuilds Debian metadata to point at it (adoption), then starts the service.\n- Default behavior is on; disable with `--no-self-heal` or `SELF_HEAL=false`.\n- See `docs/test-plan-ubuntu.md` for self‑heal scenarios.\n\n### Self‑Heal on RHEL (PGDG)\n\nOn RHEL family (RHEL/Rocky/Alma/Fedora/Amazon Linux), the provisioner preflights the cluster and will adopt an existing valid `PGDATA` by setting a systemd override (`Environment=PGDATA=…`) and ensuring permissions/SELinux context. 
If no valid data exists, it initializes a fresh cluster using packaging helpers (`postgresql-setup`) or `initdb`.\n\n- Non‑destructive: never deletes a directory that looks like a real PGDATA.\n- See `docs/test-plan-rhel.md` for self‑heal scenarios.\n\n## Notes\n\n- Linux-only. Commands that modify the system require root or passwordless sudo.\n- See the test guides for end-to-end provisioning scenarios.\n\n### Secrets\n\nFor non-interactive provisioning without leaking passwords, prefer a file-based secret and avoid passing passwords on the command line:\n\n```bash\nCREATE_PASSWORD_FILE=/run/secrets/pgpass \\\npgprovision --create-user app --create-db app\n```\n\nThis keeps the password out of argv (readable by every local user via `ps`), out of shell history, and out of logs that record the command line. Restrict the secret file to the invoking user (for example mode `0600`), since anyone able to read it can read the password.\n\n## Project Links\n\n- PyPI: https://pypi.org/project/pg-provision/\n- Release 0.2.5: https://pypi.org/project/pg-provision/0.2.5/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fusepa%2Fpg-provision","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fusepa%2Fpg-provision","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fusepa%2Fpg-provision/lists"}
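The hardened scenario above turns `--local-map-entry OSUSER:DBROLE` pairs into `pg_ident.conf` lines and a `peer` rule in `pg_hba.conf`. Two things a practitioner wants around that step are input validation (a user or role name containing whitespace, `#`, quotes or a newline could smuggle an extra map line or comment into the file) and a post-provisioning audit of the resulting map (regex system names match more than one OS user; mappings onto a superuser are rarely intended). The following is an added example written for this page; it is not pg-provision's own code and does not reproduce its exact file layout. It assumes PostgreSQL's unquoted-identifier rule for role and map names (quoted identifiers are deliberately refused), a conservative POSIX login-name rule for OS users, and a constructed sample `pg_ident.conf` embedded inline.

```python
"""Generate and audit pg_ident.conf peer mappings.

Added example for the pg-provision README; not part of the project. The
regexes, the file layout and SAMPLE_PG_IDENT below are assumptions made
for illustration.
"""
import re

# PostgreSQL unquoted identifier: letter or '_' first, then letters, digits,
# '_' or '$'; at most 63 characters (NAMEDATALEN - 1).
PG_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_$]{0,62}")
# Conservative POSIX login name: lowercase start, then lowercase, digits,
# '_' or '-'; at most 32 characters.
OS_USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class MapEntryError(ValueError):
    """Raised when an OSUSER:DBROLE entry could corrupt the generated config."""


def parse_map_entry(entry: str) -> tuple[str, str]:
    """Split one OSUSER:DBROLE entry into its two fields, refusing unsafe names.

    re.fullmatch is used (not '$'), so a trailing newline is rejected too; with
    '$' a value such as 'app_rw\\n' would pass and start a new line in the file.
    """
    if entry.count(":") != 1:
        raise MapEntryError(f"expected OSUSER:DBROLE, got {entry!r}")
    osuser, dbrole = entry.split(":")
    if not OS_USER_RE.fullmatch(osuser):
        raise MapEntryError(f"unsafe OS user name {osuser!r}")
    if not PG_IDENT_RE.fullmatch(dbrole):
        raise MapEntryError(f"unsafe database role name {dbrole!r}")
    return osuser, dbrole


def render_pg_ident(mapname: str, entries: list[str]) -> str:
    """Render pg_ident.conf lines (MAPNAME  SYSTEM-USERNAME  PG-USERNAME) for a map."""
    if not PG_IDENT_RE.fullmatch(mapname):
        raise MapEntryError(f"unsafe map name {mapname!r}")
    rows = ["# MAPNAME  SYSTEM-USERNAME  PG-USERNAME"]
    for entry in entries:
        osuser, dbrole = parse_map_entry(entry)
        rows.append(f"{mapname}  {osuser}  {dbrole}")
    return "\n".join(rows) + "\n"


def render_pg_hba_local(mapname: str) -> str:
    """Render the pg_hba.conf rule that gates UNIX-socket logins through the map."""
    if not PG_IDENT_RE.fullmatch(mapname):
        raise MapEntryError(f"unsafe map name {mapname!r}")
    return f"local  all  all  peer  map={mapname}\n"


def audit_pg_ident(text: str, mapname: str, superusers=("postgres",)) -> list[str]:
    """Return findings for one map in an existing pg_ident.conf.

    Flags regex system names (a '/'-prefixed SYSTEM-USERNAME matches many OS
    users) and any OS user mapped onto a superuser role; other maps are ignored.
    """
    findings: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            findings.append(f"line {lineno}: malformed entry {raw!r}")
            continue
        name, sysuser, pguser = fields
        if name != mapname:
            continue
        if sysuser.startswith("/"):
            findings.append(f"line {lineno}: regex system name {sysuser!r} matches more than one OS user")
        if pguser in superusers:
            findings.append(f"line {lineno}: OS user {sysuser!r} maps to superuser {pguser!r}")
    return findings


# Constructed sample of a pg_ident.conf as it might look after an over-broad edit.
SAMPLE_PG_IDENT = """\
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
localmap   alice            app_rw
localmap   bob              analytics
localmap   /^(.*)$          \\1
localmap   deploy           postgres
othermap   root             postgres
"""

if __name__ == "__main__":
    print(render_pg_ident("localmap", ["alice:app_rw", "bob:analytics"]), end="")
    print(render_pg_hba_local("localmap"), end="")
    for finding in audit_pg_ident(SAMPLE_PG_IDENT, "localmap"):
        print("finding:", finding)
```

Run it as a script to see the generated lines for the scenario 1 entries and the two findings the audit raises on the sample (the catch-all regex and the `deploy` user mapped to `postgres`). Note that the audit only strips `#` comments outside quotes as a simplification; a production check should use a full `pg_ident.conf` tokenizer.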