Add Dawarich stack

apps/dawarich/postgres/initdb/20-grafana-readonly.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+set -eu
+
+GRAFANA_USER="${GRAFANA_DB_USER:-dawarich_grafana_ro}"
+GRAFANA_PASSWORD="$(cat /run/secrets/dawarich_grafana_ro_password)"
+
+sql_ident() {
+  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
+}
+
+sql_literal() {
+  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
+}
+
+DB_IDENT="$(sql_ident "$POSTGRES_DB")"
+USER_IDENT="$(sql_ident "$GRAFANA_USER")"
+USER_LITERAL="$(sql_literal "$GRAFANA_USER")"
+PASSWORD_LITERAL="$(sql_literal "$GRAFANA_PASSWORD")"
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOSQL
+DO \$\$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = ${USER_LITERAL}) THEN
+    EXECUTE 'CREATE ROLE ${USER_IDENT} LOGIN PASSWORD ${PASSWORD_LITERAL}';
+  ELSE
+    EXECUTE 'ALTER ROLE ${USER_IDENT} WITH LOGIN PASSWORD ${PASSWORD_LITERAL}';
+  END IF;
+END
+\$\$;
+
+GRANT CONNECT ON DATABASE ${DB_IDENT} TO ${USER_IDENT};
+GRANT USAGE ON SCHEMA public TO ${USER_IDENT};
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${USER_IDENT};
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${USER_IDENT};
+EOSQL