supabase · yvan-sraka · Aug 12, 2025 · Sep 19, 2025
@@ -13,7 +13,7 @@
           dest: "00-schema.sql",
         }
       - { source: "stat_extension.sql", dest: "01-extension.sql" }
-    
+
   environment:
     PATH: /usr/lib/postgresql/bin:{{ ansible_env.PATH }}
 
@@ -29,13 +29,6 @@
     - name: Install Postgres from source
       import_tasks: tasks/setup-postgres.yml
 
-    - name: Install PgBouncer
-      import_tasks: tasks/setup-pgbouncer.yml
-      tags:
-        - install-pgbouncer
-        - install-supabase-internal
-      when: debpkg_mode or nixpkg_mode
-
     - name: Install WAL-G
       import_tasks: tasks/setup-wal-g.yml
       when: debpkg_mode or nixpkg_mode or stage2_nix
@@ -46,7 +39,7 @@
         - install-gotrue
         - install-supabase-internal
       when: debpkg_mode or nixpkg_mode
-  
+
     - name: Install PostgREST
       import_tasks: tasks/setup-postgrest.yml
       tags:
@@ -96,7 +89,7 @@
         src: files/apt_periodic
         dest: /etc/apt/apt.conf.d/10periodic
       when: debpkg_mode or nixpkg_mode
-      
+
     - name: Transfer init SQL files
       copy:
         src: files/{{ item.source }}
@@ -131,13 +124,13 @@
       tags:
         - install-supabase-internal
       when: debpkg_mode or stage2_nix
-      
+
     - name: Finalize AMI
       import_tasks: tasks/finalize-ami.yml
       tags:
         - install-supabase-internal
       when: debpkg_mode or nixpkg_mode
-      
+
     - name: Enhance fail2ban
       import_tasks: tasks/setup-fail2ban.yml
       when: debpkg_mode or nixpkg_mode
@@ -218,7 +211,7 @@
         systemctl stop postgresql.service
       when: stage2_nix
 
-    - name: Remove osquery    
+    - name: Remove osquery
       become: yes
       shell: |
         sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove osquery"

@@ -13,10 +13,6 @@ postgres_release:
   postgres17: "17.6.1.003-nixpkgs-4"
   postgres15: "15.14.1.003-nixpkgs-4"
 
-# Non Postgres Extensions
-pgbouncer_release: "1.19.0"
-pgbouncer_release_checksum: sha256:af0b05e97d0e1fd9ad45fe00ea6d2a934c63075f67f7e2ccef2ca59e3d8ce682
-
 # The checksum can be found under "Assets", in the GitHub release page for each version.
 # The binaries used are: ubuntu-aarch64 and linux-static.
 # https://github.com/PostgREST/postgrest/releases

@@ -315,6 +315,9 @@
             inherit self;
             inherit pkgs;
           })
-        );
+        )
+        // pkgs.lib.optionalAttrs (pkgs.stdenv.hostPlatform.isLinux) {
+          inherit (self'.packages) ansible-test run-testinfra docker-image-ubuntu;
+        };
     };
 }
@@ -1,12 +1,14 @@
 { self, inputs, ... }:
 let
   mkModules = system: [
+    self.systemModules.pgbouncer
     self.systemModules.postgres
     (
       { pkgs, ... }:
       {
         services.nginx.enable = true;
         nixpkgs.hostPlatform = system;
+        supabase.services.pgbouncer.enable = true;
         supabase.services.postgres = {
           enable = true;
           package = self.packages.${system}."psql_17/bin";

@@ -6,6 +6,7 @@
   flake = {
     systemModules = {
       postgres = ./postgres;
+      pgbouncer = ./pgbouncer.nix;
     };
   };
 }
@@ -0,0 +1,6 @@
+{ lib, ... }:
+{
+  options.networking.firewall = lib.mkOption {
+    type = lib.types.attrs;
+  };
+}
@@ -0,0 +1,96 @@
+{
+  lib,
+  pkgs,
+  nixosModulesPath,
+  system,
+  config,
+  ...
+}:
+let
+  cfg = config.supabase.services.pgbouncer;
+
+  # From https://github.com/mightyiam/catppuccin-nix/blob/main/modules/lib/default.nix#L78-L89
+  fromINI =
+    file:
+    let
+      json = pkgs.runCommand "converted.json" { } ''
+        ${lib.getExe pkgs.jc} --ini < ${file} > $out
+      '';
+    in
+    builtins.fromJSON (builtins.readFile json);
+in
+{
+  imports = [
+    # TODO: actually open the ports it needs with ufw
+    ./dummy-firewall.nix
+  ]
+  ++ map (path: nixosModulesPath + path) [
+    "/services/databases/pgbouncer.nix"
+  ];
+
+  options = {
+    supabase.services.pgbouncer = {
+      enable = lib.mkEnableOption "Whether to enable PostgreSQL connection pooler.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.etc = {
+      # By default allow ssl connections.
+      "/etc/pgbouncer-custom/ssl-config.ini".text = ''
+        client_tls_sslmode = allow
+      '';
+    };
+
+    # Nixpkgs pgbouncer systemd service is quite what we had set up by ansible before:
+    #
+    # [Service]
+    # Type=notify
+    # User=pgbouncer
+    # ExecStart=/usr/local/bin/pgbouncer /etc/pgbouncer/pgbouncer.ini
+    # ExecReload=/bin/kill -HUP $MAINPID
+    # KillSignal=SIGINT
+    # LimitNOFILE=65536
+    # Restart=always
+    # RestartSec=5
+    services.pgbouncer = {
+      enable = true;
+      package =
+        (import (fetchTarball {
+          # pgbouncer v1.19.0
+          url = "https://github.com/NixOS/nixpkgs/archive/db7534df5fb9b7dfd3404ec26d977997ff2cc1a0.tar.gz";
+          sha256 = "sha256:0lrsnz80a3jfjdyjs4njipvmq34w6wjr5ql645z1l1s9f9cyvk0g";
+        }) { system = system; }).pgbouncer;
+      settings =
+        let
+          iniJson = fromINI ./pgbouncer/pgbouncer.ini;
+        in
+        iniJson
+        // {
+          pgbouncer = iniJson.pgbouncer // {
+            # jc --ini treat all values as strings, so we must manually convert
+            # every numeric option to its expected type for NixOS module validation ...
+            default_pool_size = lib.toInt iniJson.pgbouncer.default_pool_size;
+            listen_port = lib.toInt iniJson.pgbouncer.listen_port;
+          };
+        };
+      user = "pgbouncer"; # n.b. this is the nixpkgs default, but since everything depends on it ...
+      group = "pgbouncer"; # ... we might as well be explicit here!
+    };
+    systemd.services.pgbouncer = {
+      wantedBy = lib.mkForce [
+        "system-manager.target"
+      ];
+    };
+
+    # TODO: double check if all these are really needed
+    systemd.tmpfiles.rules = [
+      "d /run/pgbouncer                                    2775 pgbouncer postgres  - -"
+      "d /etc/pgbouncer-custom                             0775 pgbouncer pgbouncer - -"
+      "C /etc/pgbouncer/userlist.txt                       0700 pgbouncer pgbouncer - -"
+      "C /etc/pgbouncer-custom/custom-overrides.ini        0664 pgbouncer pgbouncer - -"
+      "C /etc/pgbouncer-custom/generated-optimizations.ini 0664 pgbouncer pgbouncer - -"
+      "C /etc/pgbouncer-custom/ssl-config.ini              0664 pgbouncer pgbouncer - -"
+    ];
+  };
+}
@@ -359,6 +359,8 @@ default_pool_size = 15
 ;; Read additional config from other file
 ;%include /etc/pgbouncer/pgbouncer-other.ini
 
-%include /etc/pgbouncer-custom/generated-optimizations.ini
-%include /etc/pgbouncer-custom/custom-overrides.ini
-%include /etc/pgbouncer-custom/ssl-config.ini
+;; TODO: I have no idea how to include these files, since there're not defined in this repo,
+;; jc --ini isn't able to parse %include, and settings.pgbouncer doesn't have a way to add those either.
+; %include /etc/pgbouncer-custom/generated-optimizations.ini
+; %include /etc/pgbouncer-custom/custom-overrides.ini
+; %include /etc/pgbouncer-custom/ssl-config.ini