Idempotent PostgreSQL provisioning as a Python package (wrapping portable shell scripts)

Project description

pg-provision

Idempotent PostgreSQL provisioning as a Python package wrapping portable shell scripts.

Install

pip install pg-provision

Quick start

Show usage (pass‑through to shell script):

pgprovision --help

Dry run (no privileged operations):

pgprovision --dry-run

Root or passwordless sudo is required for changes. The CLI auto‑invokes sudo -n when needed.

Common scenarios (copy/paste)

1) Hardened (RHEL/Rocky/Alma): socket‑only, local peer auth

No TCP listener; UNIX socket is gated by a dedicated group; OS users are mapped to DB roles via pg_ident. Good default for single‑host services.

pgprovision \
  --repo pgdg \
  --listen-addresses '' \
  --socket-only \
  --unix-socket-group pgclients \
  --unix-socket-permissions 0770 \
  --local-peer-map localmap \
  --local-map-entry alice:app_rw \
  --local-map-entry bob:analytics \
  --admin-group-role dba_group \
  --admin-dbrole dba

Notes

  • --listen-addresses '' disables TCP; only UNIX sockets are used.
  • --unix-socket-group controls who can connect locally; members are added automatically.
  • --local-map-entry OSUSER:DBROLE writes pg_ident.conf and ensures DB roles exist.
  • Optional safety switch once your admin path works: pgprovision --disable-postgres-login

2) Hardened (RHEL/Rocky/Alma): loopback‑only TCP (localhost)

Keep TCP on 127.0.0.1/::1 only; pair with peer mappings (for local tooling) or layer your own auth later.

pgprovision \
  --repo pgdg \
  --listen-addresses localhost \
  --port 5432 \
  --local-peer-map localmap \
  --local-map-entry serviceuser:service_role

3) Permissive (Ubuntu): listen on all interfaces for a trusted LAN

Opens the server to a private IPv4 range (add IPv6 if needed). This example does not create credentials; bring your own auth model.

pgprovision \
  --repo pgdg \
  --listen-addresses '*' \
  --allowed-cidr 192.168.0.0/16 \
  --allow-network

Add IPv6:

pgprovision \
  --repo pgdg \
  --listen-addresses '*' \
  --allowed-cidr 192.168.0.0/16 \
  --allowed-cidr-v6 'fd00::/8' \
  --allow-network

Network exposure without an explicit auth strategy is risky. Use this only on trusted networks and add your own authentication/authorization controls.
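A post-provisioning audit for the three postures above, written here as an added example (it is not part of pg-provision). It assumes the tool emits standard pg_hba.conf and pg_ident.conf syntax, and flags TCP rules in the socket-only posture, non-loopback rules in the loopback posture, trust authentication over TCP anywhere, and missing or unexpected entries in the localmap peer map; the function names and the sample file contents are constructed for the example.

```python
import ipaddress

# Scenario 2 keeps TCP on 127.0.0.1/::1 only; anything else is a finding.
LOOPBACK = {ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")}

def parse_conf(text):
    """Non-comment, non-blank lines of a PostgreSQL conf file, split into fields."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line.split() for line in stripped if line]

def is_loopback(addr):
    """True for 127.0.0.1/::1 (with or without a mask) or the 'samehost' keyword."""
    try:
        return ipaddress.ip_network(addr, strict=False) in LOOPBACK
    except ValueError:  # pg_hba keywords such as all/samenet are not loopback
        return addr == "samehost"

def audit_hba(hba_text, posture):
    """Findings for pg_hba.conf under posture 'socket-only' (scenario 1),
    'loopback' (scenario 2) or 'network' (scenario 3). Assumes the one-column
    ADDRESS form (CIDR or keyword), not the separate IP + netmask columns."""
    findings = []
    for f in parse_conf(hba_text):
        rule = " ".join(f)
        if f[0] == "local":  # local DATABASE USER METHOD [OPTIONS]
            if f[3] != "peer" or not any(o.startswith("map=") for o in f[4:]):
                findings.append(f"local rule without peer map: {rule}")
        elif f[0].startswith("host"):  # host DATABASE USER ADDRESS METHOD [OPTIONS]
            addr, method = f[3], f[4]
            if posture == "socket-only":
                findings.append(f"TCP rule in socket-only posture: {rule}")
            elif posture == "loopback" and not is_loopback(addr):
                findings.append(f"non-loopback address in loopback posture: {addr}")
            if method == "trust":
                findings.append(f"'trust' authentication over TCP: {rule}")
    return findings

def audit_ident(ident_text, mapname, expected):
    """Missing or unexpected OSUSER:DBROLE pairs in one pg_ident.conf map."""
    present = {(f[1], f[2]) for f in parse_conf(ident_text) if f[0] == mapname}
    return ([f"missing mapping {u}:{r}" for u, r in sorted(expected - present)]
            + [f"unexpected mapping {u}:{r}" for u, r in sorted(present - expected)])

# Constructed samples of what scenario 1 should leave behind (not real tool output).
HBA_OK = "local  all  all  peer map=localmap\n"
HBA_DRIFT = HBA_OK + "host  all  all  0.0.0.0/0  trust\n"
IDENT_OK = "localmap alice app_rw\nlocalmap bob analytics\n"
EXPECTED = {("alice", "app_rw"), ("bob", "analytics")}

if __name__ == "__main__":
    print(audit_hba(HBA_DRIFT, "socket-only"), audit_ident(IDENT_OK, "localmap", EXPECTED))
```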


4) TLS‑required server (certs pre‑positioned)

Enables TLS. The script fails early if server.crt or server.key is absent from the active data_directory.

pgprovision \
  --repo pgdg \
  --listen-addresses '*' \
  --allowed-cidr 10.0.0.0/8 \
  --allow-network \
  --enable-tls

5) Reproducible runs via env‑file (no secrets)

Keep settings in a file. Any variable that backs a command-line flag can live here.

/etc/pgprovision.env:

PG_VERSION=16
REPO_KIND=pgdg
LISTEN_ADDRESSES=localhost
PORT=5432
ALLOW_NETWORK=false

Run:

pgprovision --env-file /etc/pgprovision.env

(You can still pass additional flags on the command line for things like peer mappings.)


6) Custom data directory + pg_stat_statements

pgprovision \
  --repo pgdg \
  --data-dir /data/postgres/16/main \
  --init-pg-stat-statements

After the restart, the script attempts to run CREATE EXTENSION IF NOT EXISTS pg_stat_statements;


OS Guides

Notes

  • Linux-only. Commands that modify the system require root or passwordless sudo.
  • See the test guides for end-to-end provisioning scenarios.

Secrets

For non-interactive provisioning without leaking passwords, prefer a file-based secret and avoid passing passwords on the command line:

CREATE_PASSWORD_FILE=/run/secrets/pgpass \
pgprovision --create-user app --create-db app

This prevents secrets from appearing in argv or logs.

Download files

Source Distribution

pg_provision-0.2.4.post1.tar.gz (34.6 kB)

Built Distribution

pg_provision-0.2.4.post1-py3-none-any.whl (20.4 kB)

File details

Details for the file pg_provision-0.2.4.post1.tar.gz.

File metadata

  • Download URL: pg_provision-0.2.4.post1.tar.gz
  • Size: 34.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pg_provision-0.2.4.post1.tar.gz
Algorithm Hash digest
SHA256 4df8b2896c41c412b66666b53da0937c2b72c480620ddd9c5aac550574b18c8b
MD5 2e5800cbffba404e5a5053bb2d6a056b
BLAKE2b-256 670c1a005b44ab83aba06da3acad452e7973dd939c0d900b0db3525132a5b649

Provenance

The following attestation bundles were made for pg_provision-0.2.4.post1.tar.gz:

Publisher: ci.yml on Scr1ptcat/pg-provision

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pg_provision-0.2.4.post1-py3-none-any.whl.

File hashes

Hashes for pg_provision-0.2.4.post1-py3-none-any.whl
Algorithm Hash digest
SHA256 04df5242e33215aa541806d38ed3c038cdcfb2f71b0fbdf1f905cb1c4a1f7636
MD5 4944932d564bbdc9cba2c45628d906ab
BLAKE2b-256 b624baaf6eeebf3c54c69f0e1708e379cd7339ff87c77a61a833d4a115ac6744

Provenance

The following attestation bundles were made for pg_provision-0.2.4.post1-py3-none-any.whl:

Publisher: ci.yml on Scr1ptcat/pg-provision

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
