feat: postgres hooks
This commit is contained in:
@@ -102,7 +102,8 @@ in {
|
||||
|
||||
# Consolidated SQL bundles for the `hectic` schema. Single source of truth
|
||||
# for everything that creates objects in the `hectic` namespace, used by
|
||||
# migrator (init-time), db-tool (postgres-init), and pkgs.hectic.postgres-secrets.
|
||||
# migrator (init-time) and db-tool (postgres-init + hydrate). Consumers apply
|
||||
# the full bundle via lib/hook/apply-hectic-bundle.sh.
|
||||
#
|
||||
# The whole hectic system shares one `versionString`; `hectic-version.sql`
|
||||
# registers (`'hectic'`, versionString) into `hectic.version` and raises an
|
||||
@@ -126,6 +127,7 @@ in {
|
||||
secret = static ./hook/sql/hectic-secret.sql;
|
||||
migration = static ./hook/sql/hectic-migration.sql;
|
||||
inheritance = static ./hook/sql/hectic-inheritance.sql;
|
||||
applyBundleScript = ./hook/apply-hectic-bundle.sh;
|
||||
};
|
||||
|
||||
# Back-compat alias. Prefer `self.lib.hectic.inheritance`.
|
||||
|
||||
58
lib/hook/apply-hectic-bundle.sh
Normal file
58
lib/hook/apply-hectic-bundle.sh
Normal file
@@ -0,0 +1,58 @@
|
||||
#!/bin/dash
|
||||
# Applies the full hectic SQL bundle to a PostgreSQL database, in order:
|
||||
# 1. version (hard-fails on version mismatch)
|
||||
# 2. secret (hectic.secret table + load_secrets_from_env + get_secret)
|
||||
# 3. migration (hectic.migration table + domains + sha256_lower trigger)
|
||||
# 4. inheritance (created_at/updated_at/immutable enforcement triggers)
|
||||
#
|
||||
# Idempotent: each SQL file uses IF NOT EXISTS / CREATE OR REPLACE.
|
||||
#
|
||||
# Required env (caller injects from Nix):
|
||||
# HECTIC_VERSION_SQL - path to hectic-version.sql (substituted)
|
||||
# HECTIC_SECRET_SQL - path to hectic-secret.sql
|
||||
# HECTIC_MIGRATION_SQL - path to hectic-migration.sql
|
||||
# HECTIC_INHERITANCE_SQL - path to hectic-inheritance.sql
|
||||
#
|
||||
# Usage:
|
||||
# apply_hectic_bundle <PGURL> [<DOTENV_CONTENT>]
|
||||
#
|
||||
# If DOTENV_CONTENT is non-empty, it is loaded into hectic.secret via
|
||||
# hectic.load_secrets_from_env() after the bundle is applied.
|
||||
|
||||
apply_hectic_bundle() {
|
||||
pgurl="${1:-}"
|
||||
env_content="${2:-}"
|
||||
|
||||
if [ -z "$pgurl" ]; then
|
||||
printf '%s\n' 'apply-hectic-bundle: PGURL is required (arg 1)' >&2
|
||||
return 3
|
||||
fi
|
||||
|
||||
for var in HECTIC_VERSION_SQL HECTIC_SECRET_SQL HECTIC_MIGRATION_SQL HECTIC_INHERITANCE_SQL; do
|
||||
eval "val=\${$var:-}"
|
||||
if [ -z "$val" ]; then
|
||||
printf '%s\n' "apply-hectic-bundle: $var not set" >&2
|
||||
return 3
|
||||
fi
|
||||
if [ ! -r "$val" ]; then
|
||||
printf '%s\n' "apply-hectic-bundle: $var not readable: $val" >&2
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
|
||||
psql "$pgurl" -v ON_ERROR_STOP=1 -f "$HECTIC_VERSION_SQL" || return 1
|
||||
psql "$pgurl" -v ON_ERROR_STOP=1 -f "$HECTIC_SECRET_SQL" || return 1
|
||||
psql "$pgurl" -v ON_ERROR_STOP=1 -f "$HECTIC_MIGRATION_SQL" || return 1
|
||||
psql "$pgurl" -v ON_ERROR_STOP=1 -f "$HECTIC_INHERITANCE_SQL" || return 1
|
||||
|
||||
if [ -n "$env_content" ]; then
|
||||
# Dollar-quote with $ps_env$ tag to preserve all content verbatim.
|
||||
psql "$pgurl" -v ON_ERROR_STOP=1 <<SQL || return 1
|
||||
SELECT hectic.load_secrets_from_env(\$ps_env\$
|
||||
$env_content
|
||||
\$ps_env\$);
|
||||
SQL
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
Reference in New Issue
Block a user