From 7aaeffdddeaf2ce08102092fcffaca636008d183 Mon Sep 17 00:00:00 2001
From: ulfrxdev
Date: Wed, 1 Apr 2026 18:53:41 +0200
Subject: [PATCH] Add central postgres database
---
stacks/postgres/docker-compose.yaml | 42 ++++++++++++++++++++++
stacks/postgres/init/create-service-dbs.sh | 31 ++++++++++++++++
stacks/postgres/init/entrypoint.sh | 6 ++++
3 files changed, 79 insertions(+)
create mode 100644 stacks/postgres/docker-compose.yaml
create mode 100755 stacks/postgres/init/create-service-dbs.sh
create mode 100755 stacks/postgres/init/entrypoint.sh
diff --git a/stacks/postgres/docker-compose.yaml b/stacks/postgres/docker-compose.yaml
new file mode 100644
index 0000000..9ae1aef
--- /dev/null
+++ b/stacks/postgres/docker-compose.yaml
@@ -0,0 +1,42 @@
+services:
+ db:
+ image: postgres@sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950
+ container_name: postgres
+ restart: unless-stopped
+ entrypoint: ["/bin/bash", "/init/entrypoint.sh"]
+ environment:
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+ volumes:
+ - postgres_data:/var/lib/postgresql
+ - ./init:/init:ro
+ networks:
+ - homelab_db
+ secrets:
+ - postgres_password
+ - authentik_postgres_password
+ - gitea_postgres_password
+ healthcheck:
+ interval: 30s
+ retries: 5
+ start_period: 20s
+ test:
+ - CMD-SHELL
+ - pg_isready -U postgres
+ timeout: 5s
+
+volumes:
+ postgres_data:
+ driver: local
+
+networks:
+ homelab_db:
+ name: homelab_db
+
+secrets:
+ postgres_password:
+ environment: POSTGRES_PASSWORD
+ authentik_postgres_password:
+ environment: AUTHENTIK_POSTGRES_PASSWORD
+ gitea_postgres_password:
+ environment: GITEA_POSTGRES_PASSWORD
diff --git a/stacks/postgres/init/create-service-dbs.sh b/stacks/postgres/init/create-service-dbs.sh
new file mode 100755
index 0000000..539574e
--- /dev/null
+++ b/stacks/postgres/init/create-service-dbs.sh
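Review bot: `image: postgres@sha256:…` pins by digest alone, so the image major version is not visible anywhere in this file, yet the mount `postgres_data:/var/lib/postgresql` has to agree with that major's data-directory layout (the official image has moved its default PGDATA between majors), and a reader cannot check the two against each other. Keeping the tag next to the digest, `image: postgres:<major>@sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950`, preserves the reproducible pin while documenting what was pinned. A one-line comment above the service-level `secrets:` list, e.g. `# every *_postgres_password secret is read by init/create-service-dbs.sh to provision a same-named role and database`, would explain why the db container is handed the per-service secrets and what adding a new entry implies.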
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+until pg_isready -U "$POSTGRES_USER" -q; do sleep 1; done
+
+for secret_file in /run/secrets/*_postgres_password; do
+ [ -f "$secret_file" ] || continue
+ [ "$secret_file" = "/run/secrets/postgres_password" ] && continue
+
+ service="$(basename "$secret_file" _postgres_password)"
+ password="$(cat "$secret_file")"
+
+ echo "Ensuring database and user for '$service'..."
+
+ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-SQL
+ DO \$\$
+ BEGIN
+ IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '$service') THEN
+ CREATE ROLE "$service" WITH LOGIN PASSWORD '$password';
+ ELSE
+ ALTER ROLE "$service" WITH PASSWORD '$password';
+ END IF;
+ END
+ \$\$;
+
+ SELECT 'CREATE DATABASE "$service" OWNER "$service"'
+ WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$service')\gexec
+SQL
+done
+
+touch /tmp/init_complete
diff --git a/stacks/postgres/init/entrypoint.sh b/stacks/postgres/init/entrypoint.sh
new file mode 100755
index 0000000..7dd7c43
--- /dev/null
+++ b/stacks/postgres/init/entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+
+/init/create-service-dbs.sh &
+
+exec docker-entrypoint.sh postgres
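Review bot: `$password` and `$service` are spliced as raw text into the SQL heredoc (`PASSWORD '$password'`, `rolname = '$service'`, `CREATE ROLE "$service"`), so a secret that contains a single quote or the sequence `$$` breaks the statement, and because `ON_ERROR_STOP=1` makes psql report the failing statement, the clear-text password can end up in the container output and, via the server's error-statement logging, in the Postgres log. Escaping the values in bash before interpolation and letting the server build the identifiers with `format('%I … %L')` keeps the heredoc (so the password never appears on a command line) while making every value inert, and replacing the `DO` block with three `\gexec` statements removes the dollar-quoting altogether. `$service` is derived only from the secret file name, so the compose `secrets:` list is what decides which roles get created; a comment above the `for` line stating that contract, `# role and database name = secret name minus the _postgres_password suffix`, would help the next maintainer. The `touch /tmp/init_complete` marker written at the end is not read by anything else in this patch.
```shell
	# SQL-escape once; identifiers are quoted server-side via format('%I')
	svc_lit="'${service//\'/\'\'}'"
	pw_lit="'${password//\'/\'\'}'"

	psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-SQL
	SELECT format('CREATE ROLE %I WITH LOGIN PASSWORD %L', $svc_lit, $pw_lit)
	WHERE NOT EXISTS (SELECT FROM pg_roles WHERE rolname = $svc_lit)\gexec
	SELECT format('ALTER ROLE %I WITH PASSWORD %L', $svc_lit, $pw_lit)
	WHERE EXISTS (SELECT FROM pg_roles WHERE rolname = $svc_lit)\gexec
	SELECT format('CREATE DATABASE %I OWNER %I', $svc_lit, $svc_lit)
	WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = $svc_lit)\gexec
SQL
	# … unchanged: loop end and completion marker …
```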
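Review bot: `/init/create-service-dbs.sh &` is detached before `exec docker-entrypoint.sh postgres`, so when the provisioning script fails (its `set -euo pipefail` exits on the first psql error) nothing reports it and the container keeps passing its healthcheck with roles or databases missing; the `/tmp/init_complete` marker the script writes on success is not consulted by the `pg_isready -U postgres` healthcheck in `docker-compose.yaml`. Making the healthcheck require the marker, e.g. `test: ["CMD-SHELL", "test -f /tmp/init_complete && pg_isready -U postgres"]`, ties container readiness to the provisioning having finished. Whether `pg_isready` without `-h` can also succeed against the temporary bootstrap server that `docker-entrypoint.sh` runs during a first initialisation, and so run the role creation before the final server is up, is not visible from this patch; a comment above the `&` line stating the intended ordering, `# provisioning waits on pg_isready, then runs against the server exec'd below`, would make that assumption explicit.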