Merge upstream/master and add PostgreSQL 18/PostGIS 3.6

Author: jeremi

.github/workflows/ci.yaml

@@ -10,7 +10,7 @@ on:
     branches:
       - master
   schedule:
-    # See https://crontab.guru/monthly
+    # Monthly
     - cron: 0 0 1 * *
 
 jobs:
@@ -19,35 +19,31 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        pg_version:
-          - "16"
-          - "15"
-          # - "13"
-        platform:
-          - "amd64"
-          - "arm64"
+        pg_version: ["18", "17", "16", "15"]
+        platform: ["amd64", "arm64"]
 
     env:
-      PG_LATEST: "16"
+      PG_LATEST: "18"
+
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
         if: matrix.platform != 'amd64'
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: ${{ matrix.platform }}
 
       - name: Get build date
         id: date
-        run: echo "date=$(date --rfc-3339 ns)" >> $GITHUB_OUTPUT
+        run: echo "date=$(date --rfc-3339=ns)" >> "$GITHUB_OUTPUT"
 
       - name: Get latest tag
         id: tag-latest
         if: matrix.pg_version == env.PG_LATEST
-        run: echo "tag=${{ matrix.platform == 'amd64' && ' latest' || format(' latest-{0}', matrix.platform) }}" >> $GITHUB_OUTPUT
+        run: echo "tag=${{ matrix.platform == 'amd64' && ' latest' || format(' latest-{0}', matrix.platform) }}" >> "$GITHUB_OUTPUT"
 
-      - name: Build image Postgres
+      - name: Build Postgres image
         id: buildpg
         uses: redhat-actions/buildah-build@v2
         with:
@@ -62,7 +58,7 @@ jobs:
             VCS_REF=${{ github.sha }}
             BASE_TAG=${{ matrix.pg_version }}-alpine
 
-      - name: Push image Postgres to GHCR
+      - name: Push Postgres image to GHCR
         uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ steps.buildpg.outputs.image }}
@@ -71,27 +67,26 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build image PostGIS
+      - name: Build PostGIS image
         id: buildpgis
         uses: redhat-actions/buildah-build@v2
         with:
           image: postgis-autoconf
-          tags: ${{ matrix.platform == 'amd64' && format('{0}-alpine', matrix.pg_version) || format('{0}-alpine-{1}', matrix.pg_version, matrix.platform) }}${{ steps.tag-latest.output.tag || '' }}
+          tags: ${{ matrix.platform == 'amd64' && format('{0}-alpine', matrix.pg_version) || format('{0}-alpine-{1}', matrix.pg_version, matrix.platform) }}${{ steps.tag-latest.outputs.tag || '' }}
           context: .
           platforms: linux/${{ matrix.platform }}
           containerfiles: |
             Dockerfile-GIS
           build-args: |
-            BUILD_DATE=${{ steps.date.output.date }}
+            BUILD_DATE=${{ steps.date.outputs.date }}
             VCS_REF=${{ github.sha }}
             BASE_TAG=${{ matrix.pg_version }}-alpine
 
-      - name: Push image PostGIS to GHCR
+      - name: Push PostGIS image to GHCR
         uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ steps.buildpgis.outputs.image }}
           tags: ${{ steps.buildpgis.outputs.tags }}
           registry: ghcr.io/openspp
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      

Dockerfile

@@ -1,7 +1,9 @@
 ARG BASE_TAG
 FROM docker.io/postgres:${BASE_TAG}
+
 ENTRYPOINT [ "/autoconf-entrypoint" ]
 CMD []
+
 ENV CERTS="{}" \
     CONF_EXTRA="" \
     LAN_AUTH_METHOD=md5 \
@@ -15,25 +17,46 @@ ENV CERTS="{}" \
     WAN_DATABASES='["all"]' \
     WAN_HBA_TPL="{connection} {db} {user} {cidr} {meth}" \
     WAN_TLS=1 \
-    WAN_USERS='["all"]'
-RUN apk add --no-cache python3 \
-    && mkdir -p /etc/postgres \
-    && chmod a=rwx /etc/postgres
-RUN apk add --no-cache py3-netifaces
+    WAN_USERS='["all"]' \
+    HBA_EXTRA_RULES=""
+
+# Base runtime deps + pgvector (if available) + writable config dir
+RUN set -eux; \
+    apk add --no-cache python3 py3-netifaces; \
+    if [ "${PG_MAJOR:-0}" -ge 12 ]; then \
+        apk add --no-cache "postgresql${PG_MAJOR}-pgvector" || apk add --no-cache postgresql-pgvector || true; \
+        if [ -d "/usr/share/postgresql${PG_MAJOR}/extension" ]; then \
+            cp /usr/share/postgresql${PG_MAJOR}/extension/vector* /usr/local/share/postgresql/extension/; \
+        elif [ -d "/usr/share/postgresql/extension" ]; then \
+            cp /usr/share/postgresql/extension/vector* /usr/local/share/postgresql/extension/; \
+        fi; \
+        so_path=$(find /usr/lib -name vector.so | head -n 1); \
+        if [ -n "${so_path}" ]; then \
+            cp "${so_path}" /usr/local/lib/postgresql/; \
+        fi; \
+    fi; \
+    mkdir -p /etc/postgres; \
+    chmod a=rwx /etc/postgres
+
 COPY autoconf-entrypoint /
 
-RUN apk add --no-cache -t .build \
-    postgresql-dev postgresql-contrib \
-    curl-dev libcurl \
-    wget jq cmake build-base ca-certificates py3-pip pipx && \
-    pipx ensurepath && \
-	pipx install pgxnclient && \
-    export PATH=$PATH:/root/.local/bin && \
-    pgxn install pg_qualstats && \
-    pgxn install pg_stat_kcache && \
-    pgxn install pg_track_settings && \
-    pgxn install powa && \
-    pgxn install postgresql_anonymizer && \
+# Optional pgxn extensions (best-effort to keep build working on new PG majors)
+RUN set -eux; \
+    apk add --no-cache -t .build \
+        "postgresql${PG_MAJOR}-dev" "postgresql${PG_MAJOR}-contrib" \
+        curl-dev libcurl \
+        wget jq cmake build-base ca-certificates py3-pip pipx \
+      || apk add --no-cache -t .build \
+        postgresql-dev postgresql-contrib \
+        curl-dev libcurl \
+        wget jq cmake build-base ca-certificates py3-pip pipx; \
+    pipx ensurepath; \
+    export PATH="$PATH:/root/.local/bin"; \
+    for ext in pg_qualstats pg_stat_kcache pg_track_settings powa postgresql_anonymizer; do \
+        if ! pgxn install "$ext"; then \
+            echo "WARN: skipping $ext (pgxn install failed)" >&2; \
+        fi; \
+    done; \
     apk del .build
 
 # Metadata

Dockerfile-GIS

@@ -14,12 +14,8 @@ FROM ghcr.io/openspp/postgres-autoconf:${BASE_TAG}
 #    pgxn install postgresql_anonymizer && \
 #    apk del .build
 
-ENV POSTGIS_VERSION 3.4.1
-ENV POSTGIS_SHA256 473c09cbeb68c6e39c882c35e716994d2f8c1e614611162ef3d2a54716cbb74c
-
-ENV DOCKER_PG_LLVM_DEPS \
-		llvm15-dev \
-		clang15
+ENV POSTGIS_VERSION 3.6.1
+ENV POSTGIS_SHA256 849391e75488a749663fbc8d63b846d063d387d286c04dea062820476f84c8f6
 
 RUN set -eux \
     && apk add --no-cache --virtual .fetch-deps \
@@ -86,7 +82,7 @@ RUN set -eux \
     && mkdir /tempdb \
     && chown -R postgres:postgres /tempdb \
     && su postgres -c 'pg_ctl -D /tempdb init' \
-    && su postgres -c 'pg_ctl -D /tempdb -c -l /tmp/logfile -o '-F' start ' \
+    && su postgres -c "pg_ctl -D /tempdb -c -l /tmp/logfile -o '-F' start" \
     && cd regress \
     && make -j$(nproc) check RUNTESTFLAGS=--extension   PGUSER=postgres \
     \
@@ -132,4 +128,3 @@ RUN set -eux \
 
 COPY ./initdb-postgis.sh /docker-entrypoint-initdb.d/10_postgis.sh
 COPY ./update-postgis.sh /usr/local/bin
-

README.md

@@ -1,12 +1,19 @@
 # PostgreSQL Auto-Conf
 
+OpenSPP-flavoured fork of [Tecnativa/docker-postgres-autoconf](https://github.com/Tecnativa/docker-postgres-autoconf) with:
+
+- Support for PostgreSQL 18 (latest) plus 15/16/17 builds.
+- Optional PostGIS image built from source (3.6.x as of Nov 2025).
+- Extra pgxn extensions (powa, pg_qualstats, pg_stat_kcache, pg_track_settings, postgresql_anonymizer) preinstalled on the base image when available for the target PostgreSQL version.
+- New upstream features: pgvector packaged for PG ≥ 12 and `HBA_EXTRA_RULES` support.
+
 ## What
 
 Image that configures Postgres before starting it.
 
 ## Why
 
-To automate dealing with specific users accessing from specific networks to a postgres server.
+To automate dealing with specific users accessing from specific networks to a Postgres server.
 
 ## How
 
@@ -35,7 +42,7 @@ JSON object with some or all of these keys:
 - `server.cert.pem`: PEM contents for Postgres' `ssl_cert_file` parameter. The Postgres server will identify himself and encrypt the connection with this certificate.
 - `server.key.pem`: PEM contents for Postgres' `ssl_key_file` parameter. The Postgres server will identify himself and encrypt the connection with this private key.
 
-If you pass `server.cert.pem`, you should pass `server.key.pem` too, and viceversa, or TLS encryption will not be properly configured. You also need both of them if you use `client.ca.cert.pem`.
+If you pass `server.cert.pem`, you should pass `server.key.pem` too, and vice versa, or TLS encryption will not be properly configured. You also need both of them if you use `client.ca.cert.pem`.
 
 It is safer to mount files with secrets instead of passing a JSON string in an env variable. You can mount the equivalents:
 
@@ -67,7 +74,7 @@ Some placeholders can be expanded. See the [`Dockerfile`][] to know them.
 
 #### `LAN_TLS`
 
-Wether to enable or not TLS in LAN connections.
+Whether to enable or not TLS in LAN connections.
 
 #### `LAN_USERS`
 
@@ -93,8 +100,27 @@ Some placeholders can be expanded. See the [`Dockerfile`][] to know them.
 
 #### `WAN_TLS`
 
-Wether to enable or not TLS in WAN connections.
+Whether to enable or not TLS in WAN connections.
 
 #### `WAN_USERS`
 
 Users allowed to connect from WAN.
+
+#### `HBA_EXTRA_RULES`
+
+JSON array of additional `pg_hba.conf` rules to append. Each array element should be a string representing a valid `pg_hba.conf` line.
+
+Example `HBA_EXTRA_RULES` format in an `.env` file:
+
+```
+HBA_EXTRA_RULES=["host all all 192.168.1.0/24 md5", "hostssl mydb myuser 10.0.0.0/8 scram-sha-256"]
+```
+
+This adds the following lines to `pg_hba.conf`:
+
+```
+host all all 192.168.1.0/24 md5
+hostssl mydb myuser 10.0.0.0/8 scram-sha-256
+```
+
+[`Dockerfile`]: https://github.com/openspp/docker-postgres-autoconf/blob/master/Dockerfile

autoconf-entrypoint

@@ -9,6 +9,7 @@ from itertools import product
 
 import netifaces
 
+
 SUPPORTED_CERTS = {
     "ssl_ca_file": "client.ca.cert.pem",
     "ssl_cert_file": "server.cert.pem",
@@ -33,6 +34,7 @@ WAN_USERS = json.loads(os.environ["WAN_USERS"])
 PGSSLCERT = os.environ.get("PGSSLCERT")
 PGSSLKEY = os.environ.get("PGSSLKEY")
 PGSSLROOTCERT = os.environ.get("PGSSLROOTCERT")
+HBA_EXTRA_RULES = os.environ.get("HBA_EXTRA_RULES", "")
 
 # Configuration file templates
 CONF_FOLDER = "/etc/postgres"
@@ -50,17 +52,20 @@ local all all trust
 local replication all trust
 
 # LAN/WAN autogenerated configurations
+{extra_hba}
 {extra_conf}
 """
 WAN_CIDRS = ("0.0.0.0/0", "::0/0")
 
 # Configuration helpers
 hba_conf = []
 ssl_conf = []
+extra_hba = []
 
 
 def permissions_fix(filename, client=False):
     """Make :param:`filename` be owned by root user and postgres group."""
+
     shutil.chown(filename, "root", "postgres")
     if client:
         os.chmod(filename, stat.S_IRUSR | stat.S_IWUSR)
@@ -86,6 +91,17 @@ for filen in (PGSSLCERT, PGSSLKEY, PGSSLROOTCERT):
 if ssl_conf:
     ssl_conf.append("ssl = on")
 
+# Parse extra rules for pg_hba.conf
+extra_hba_rules = []
+if HBA_EXTRA_RULES:
+    try:
+        extra_hba_rules = json.loads(HBA_EXTRA_RULES)
+        if not isinstance(extra_hba_rules, list):
+            raise ValueError("HBA_EXTRA_RULES must be a JSON array")
+    except json.JSONDecodeError:
+        print("Invalid JSON in HBA_EXTRA_RULES", file=sys.stderr)
+        sys.exit(1)
+
 # Generate LAN auth configuration
 for interface in netifaces.interfaces():
     for type_, addresses in netifaces.ifaddresses(interface).items():
@@ -123,6 +139,13 @@ if WAN_CONNECTION != "hostssl" or ssl_conf:
             )
         )
 
+# Append extra rules to extra_hba
+for rule in extra_hba_rules:
+    if not isinstance(rule, str):
+        print("Each rule in HBA_EXTRA_RULES must be a string", file=sys.stderr)
+        sys.exit(1)
+    extra_hba.append(rule)
+
 # Write postgres configuration files
 with open(CONF_FILE, "w") as conf_file:
     conf_file.write(
@@ -132,7 +155,9 @@ with open(CONF_FILE, "w") as conf_file:
     )
 permissions_fix(CONF_FILE)
 with open(HBA_FILE, "w") as conf_file:
-    conf_file.write(HBA_TPL.format(extra_conf="\n".join(hba_conf)))
+    conf_file.write(
+        HBA_TPL.format(extra_hba="\n".join(extra_hba), extra_conf="\n".join(hba_conf))
+    )
 permissions_fix(HBA_FILE)
 
 # Continue normal execution

tests/certgen

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# See https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-CERTIFICATE-CREATION
+
+domain="${1:-example.com}"
+client_name="${2:-test_user}"
+
+### Server certificates (to encrypt connection)
+
+# Generate server Certificate Signing Request (CSR) and Private Key (PK) for
+# the Certificate Authority (CA)
+openssl req -new -text -out server.ca.csr.pem -newkey rsa:4096 -nodes \
+    -keyout server.ca.key.pem -subj "/CN=server.ca.$domain"
+# Generate server CA certificate
+openssl x509 -req -in server.ca.csr.pem -text -days 3650 -extensions v3_ca \
+    -signkey server.ca.key.pem -out server.ca.cert.pem
+# Generate server CSR and private key
+openssl req -new -nodes -text -out server.csr.pem -newkey rsa:4096 \
+    -keyout server.key.pem -subj "/CN=$domain"
+# Generate server certificate signed by the server CA
+openssl x509 -req -in server.csr.pem -text -days 3650 \
+    -CA server.ca.cert.pem -CAkey server.ca.key.pem -CAcreateserial \
+    -out server.cert.pem
+
+### Client certificatess (for cert auth instead of password)
+
+# Generate CSR and PK for client CA
+openssl req -new -text -out client.ca.csr.pem -newkey rsa:4096 -nodes \
+    -keyout client.ca.key.pem -subj "/CN=client.ca.$domain"
+# Generate client CA certificate
+openssl x509 -req -in client.ca.csr.pem -text -days 3650 -extensions v3_ca \
+    -signkey client.ca.key.pem -out client.ca.cert.pem
+# Generate client CSR and private key
+openssl req -new -nodes -text -out client.csr.pem -newkey rsa:4096 -nodes \
+    -keyout client.key.pem -subj "/CN=$client_name"
+# Generate client certificate signed by the client CA
+openssl x509 -req -in client.csr.pem -text -days 3650 \
+    -CA client.ca.cert.pem -CAkey client.ca.key.pem -CAcreateserial \
+    -out client.cert.pem
+
+### Final touches
+
+# Fix permissions
+chmod u=rw,go= *.pem
+# Delete CSR, no longer needed
+rm *.csr.pem

tests/ci-requirements.txt

@@ -0,0 +1,2 @@
+plumbum
+pre-commit