Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Fix Dawarich Grafana readonly user init

Browse Source
This commit is contained in:
Micha
2026-06-22 19:01:39 +02:00
parent 658750bc19
commit 0f1e78e0ca
1 changed files with 14 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/dawarich/postgres/initdb/20-grafana-readonly.sh
+14 -25
View File
@@ -3,33 +3,22 @@ set -eu
GRAFANA_USER="${GRAFANA_DB_USER:-dawarich_grafana_ro}" GRAFANA_USER="${GRAFANA_DB_USER:-dawarich_grafana_ro}"
GRAFANA_PASSWORD="$(cat /run/secrets/dawarich_grafana_ro_password)" GRAFANA_PASSWORD="$(cat /run/secrets/dawarich_grafana_ro_password)"
export GRAFANA_USER GRAFANA_PASSWORD
sql_ident() { psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<'EOSQL'
printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')" \set grafana_user `printf %s "$GRAFANA_USER"`
} \set grafana_password `printf %s "$GRAFANA_PASSWORD"`
sql_literal() { SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', :'grafana_user', :'grafana_password')
printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")" WHERE NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = :'grafana_user')
} \gexec
DB_IDENT="$(sql_ident "$POSTGRES_DB")" SELECT format('ALTER ROLE %I WITH LOGIN PASSWORD %L', :'grafana_user', :'grafana_password')
USER_IDENT="$(sql_ident "$GRAFANA_USER")" WHERE EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = :'grafana_user')
USER_LITERAL="$(sql_literal "$GRAFANA_USER")" \gexec
PASSWORD_LITERAL="$(sql_literal "$GRAFANA_PASSWORD")"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOSQL SELECT format('GRANT CONNECT ON DATABASE %I TO %I', current_database(), :'grafana_user')\gexec
DO \$\$ SELECT format('GRANT USAGE ON SCHEMA public TO %I', :'grafana_user')\gexec
BEGIN SELECT format('GRANT SELECT ON ALL TABLES IN SCHEMA public TO %I', :'grafana_user')\gexec
IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = ${USER_LITERAL}) THEN SELECT format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO %I', :'grafana_user')\gexec
EXECUTE 'CREATE ROLE ${USER_IDENT} LOGIN PASSWORD ${PASSWORD_LITERAL}';
ELSE
EXECUTE 'ALTER ROLE ${USER_IDENT} WITH LOGIN PASSWORD ${PASSWORD_LITERAL}';
END IF;
END
\$\$;
GRANT CONNECT ON DATABASE ${DB_IDENT} TO ${USER_IDENT};
GRANT USAGE ON SCHEMA public TO ${USER_IDENT};
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${USER_IDENT};
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${USER_IDENT};
EOSQL EOSQL