Enable system manager

.github/actions/nix-install-ephemeral/action.yml

@@ -48,6 +48,8 @@ runs:
           substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
           trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
           ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}
+          extra-experimental-features = auto-allocate-uids cgroups
+          auto-allocate-uids = true
           max-jobs = 4
           extra-system-features = kvm
     - name: Setup KVM permissions

ansible/playbook.yml

@@ -146,7 +146,11 @@
       tags:
         - install-supabase-internal
       when: debpkg_mode or nixpkg_mode
-
+
+    - name: deploy system-manager
+      import_tasks: tasks/setup-system-manager.yml
+      when: debpkg_mode or stage2_nix
+
     - name: Enhance fail2ban
       import_tasks: tasks/setup-fail2ban.yml
       when: debpkg_mode or nixpkg_mode

ansible/tasks/setup-nix.yml

@@ -0,0 +1,11 @@
+---
+- name: Check if nix is installed
+  ansible.builtin.command: which nix
+  register: nix_installed
+  failed_when: nix_installed.rc != 0
+  ignore_errors: true
+
+- name: Install nix
+  ansible.builtin.shell: curl --proto '=https' --tlsv1.2 -sSf -L https://artifacts.nixos.org/experimental-installer | sh -s -- install --no-confirm --extra-conf 'substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com' --extra-conf 'trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY='
+  when: nix_installed.rc != 0
+  become: true

ansible/tasks/setup-system-manager.yml

@@ -0,0 +1,14 @@
+---
+- name: Install system-manager from binary cache
+  ansible.builtin.shell: |
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+    nix profile add --accept-flake-config "github:supabase/postgres/{{ git_commit_sha }}#system-manager"
+  become: true
+
+- name: Build and activate system-manager config
+  ansible.builtin.shell: |
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+    STORE_PATH=$(nix build --accept-flake-config --no-link --print-out-paths "github:supabase/postgres/{{ git_commit_sha }}#systemConfigs.$(nix eval --raw nixpkgs#system).default")
+    system-manager register --store-path "$STORE_PATH" --sudo
+    system-manager activate --store-path "$STORE_PATH" --sudo
+  become: true

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.6.0.061-orioledb"
-  postgres17: "17.6.1.104"
-  postgres15: "15.14.1.104"
+  postgresorioledb-17: "17.6.0.053-orioledb-sysmg-2"
+  postgres17: "17.6.1.096-sysmg-2"
+  postgres15: "15.14.1.096-sysmg-2"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.25.1

audit-specs/baselines/ami-build/user.yml

@@ -6,14 +6,14 @@ user:
   root:
     exists: true
     home: /root
-    shell: /bin/bash
+    shell: /run/system-manager/sw/bin/bash
   ubuntu:
     exists: true
     home: /home/ubuntu
     shell: /bin/bash
   nobody:
     exists: true
-    shell: /usr/sbin/nologin
+    shell: /run/system-manager/sw/bin/nologin
 
   # PostgreSQL ecosystem
   postgres:

flake.nix

@@ -33,6 +33,8 @@
     rust-overlay.url = "github:oxalica/rust-overlay";
     treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
     treefmt-nix.url = "github:numtide/treefmt-nix";
+    system-manager.inputs.nixpkgs.follows = "nixpkgs";
+    system-manager.url = "github:numtide/system-manager";
   };
 
   outputs =
@@ -55,6 +57,8 @@
         nix/nixpkgs.nix
         nix/packages
         nix/overlays
+        nix/systemModules
+        nix/systemConfigs.nix
       ];
     });
 }

nix/docs/README.md

@@ -19,6 +19,7 @@ learn how to play with `postgres` in the [build guide](./build-postgres.md).
 - **[Start Client/Server](./start-client-server.md)** - Running PostgreSQL client and server
 - **[Docker](./docker.md)** - Docker integration and usage
 - **[Docker Image Size Analyzer](./image-size-analyzer-usage.md)** - Tool to analyze the Docker image sizes
+- **[System Manager](./system-manager.md)** - Declarative system configuration with system-manager
 - **[Use direnv](./use-direnv.md)** - Development environment with direnv
 - **[Pre-commit Hooks](./pre-commit-hooks.md)** - Automatic formatting and code checks before commits
 - **[Nix Formatter](./nix-formatter.md)** - Code formatting with treefmt

nix/docs/nix-directory-structure.md

@@ -22,7 +22,9 @@ nix/
  ├── ext/                     # PostgreSQL extensions
  ├── overlays/                # Nixpkgs overlays
  ├── packages/                # Custom packages
- └── postgresql/              # PostgreSQL packages
+ ├── postgresql/              # PostgreSQL packages
+ ├── systemConfigs.nix        # system-manager configuration definitions
+ └── systemModules/           # system-manager service modules
 ```
 
 ## Module Descriptions
@@ -150,6 +152,20 @@ Nixpkgs overlays for package customization:
 - `cargo-pgrx-0-11-3.nix` - PGRX toolchain overlay
 - `psql_16-oriole.nix` - OrioleDB PostgreSQL variant
 
+#### `nix/systemConfigs.nix`
+
+System configuration definitions for [system-manager](https://github.com/numtide/system-manager).
+Calls `system-manager.lib.makeSystemConfig` to produce a configuration for each supported architecture (`aarch64-linux`, `x86_64-linux`) from the enabled modules.
+See [System manager](./system-manager.md) for details.
+
+#### `nix/systemModules/`
+
+Service module definitions managed by system-manager:
+
+- `default.nix` - Module registry that exports modules under `flake.systemModules`
+- Individual `.nix` files - Service modules (e.g. nginx) loaded via `flake-parts-lib.importApply`
+- `tests/default.nix` - Container-based tests using `makeContainerTest`
+
 #### `nix/cargo-pgrx/`
 
 Rust-based PostgreSQL extension building: