adminapi.sudoers.conf
# Command aliases, one per systemd unit. Each lists the exact
# "/bin/systemctl <verb> <unit>" command lines that may be run through sudo.
# Because every entry spells out its arguments, sudo matches only these command
# lines; other verbs and other units are not covered by the alias.
# An alias grants nothing by itself. It takes effect only where a user
# specification references it (the %adminapi lines at the end of this file).
Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service, /bin/systemctl try-restart envoy.service
Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service, /bin/systemctl try-restart kong.service
# NOTE(review): POSTGREST has no "reload" entry, unlike the other four aliases.
# Presumably intentional; confirm.
Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service, /bin/systemctl try-restart postgrest.service
Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl reload gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service, /bin/systemctl try-restart gotrue.service
Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl stop pgbouncer.service, /bin/systemctl restart pgbouncer.service, /bin/systemctl disable pgbouncer.service, /bin/systemctl enable pgbouncer.service, /bin/systemctl reload pgbouncer.service, /bin/systemctl try-restart pgbouncer.service
# Members of the adminapi group may run the commands below on any host (ALL)
# without a password (NOPASSWD). No Runas list is given, so they run as sudo's
# default target user, which is root unless runas_default is set elsewhere.
#
# None of the script entries lists arguments, so sudo accepts whatever arguments
# the caller passes; each script has to validate its own input.
#
# NOTE(review): these grants are only as tight as the file permissions behind
# them. Each script, and every directory on its path, should be root-owned and
# not writable by adminapi. Ownership is not visible from this file; verify it,
# in particular for /etc/adminapi/pg_upgrade_scripts.
%adminapi ALL= NOPASSWD: /root/grow_fs.sh
%adminapi ALL= NOPASSWD: /root/mount-volume.sh
%adminapi ALL= NOPASSWD: /root/unmount-volume.sh
%adminapi ALL= NOPASSWD: /root/manage_readonly_mode.sh
%adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/prepare.sh
%adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/initiate.sh
%adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/complete.sh
%adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/check.sh
# NOTE(review): the name suggests common.sh is a helper shared by the other
# upgrade scripts. If nothing invokes it directly through sudo, this entry is
# unneeded privilege; confirm against the caller.
%adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/common.sh
# NOTE(review): presumably returns key material to the caller; confirm the
# caller treats its output as a secret.
%adminapi ALL= NOPASSWD: /etc/adminapi/pg_upgrade_scripts/pgsodium_getkey.sh
# Arguments are listed here, so only "daemon-reload" matches for this path.
%adminapi ALL= NOPASSWD: /usr/bin/systemctl daemon-reload
# pgBackRest wrapper scripts: constrained helpers called by supabase-admin-agent.
# pgdata-chown runs as root (default); pgdata-signal runs as postgres so it can
# create/remove signal files owned by that user.
# Neither entry lists arguments, so sudo passes any arguments through; the
# "constrained" property has to be enforced inside the helpers themselves.
# NOTE(review): confirm pgdata-chown validates the paths it is asked to change,
# since it runs as root.
%adminapi ALL= NOPASSWD: /usr/local/lib/supabase-admin-agent/pgdata-chown
# The (postgres) Runas list limits this entry to "sudo -u postgres".
%adminapi ALL=(postgres) NOPASSWD: /usr/local/lib/supabase-admin-agent/pgdata-signal
# pgBackRest binary entries support two sudo chains used by supabase-admin-agent:
# NewRunner() — adminapi → /usr/bin/pgbackrest wrapper → sudo -u pgbackrest real_binary
# NewRunnerAs() — adminapi → sudo -u pgbackrest /usr/bin/pgbackrest → sudo -u pgbackrest real_binary
# Both paths require the wrapper entry; NewRunner() additionally needs the real binary entry
# because the wrapper itself calls sudo to drop privileges to the pgbackrest user.
# NOTE(review): as drawn, NewRunner() starts the wrapper without sudo, so only
# NewRunnerAs() appears to need the wrapper entry. In NewRunnerAs() the inner
# sudo is issued by user pgbackrest, which these %adminapi rules cover only if
# pgbackrest is in the adminapi group (not visible here). Confirm and adjust the
# explanation above if needed.
# Both entries are limited to Runas pgbackrest and list no arguments, so any
# pgbackrest command and options may be run as that user.
%adminapi ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest
%adminapi ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest
# pgBackRest restore stops PostgreSQL, restores PGDATA, then starts PostgreSQL.
# Every entry in this group lists its arguments (except admin-mgr, noted below),
# so sudo matches only these command lines. All of them run as the default
# target user (root) without a password.
%adminapi ALL= NOPASSWD: /usr/bin/systemctl start postgresql.service
%adminapi ALL= NOPASSWD: /usr/bin/systemctl stop postgresql.service
%adminapi ALL= NOPASSWD: /usr/bin/systemctl reload postgresql.service
%adminapi ALL= NOPASSWD: /usr/bin/systemctl restart postgresql.service
# Read-only query of the unit's NRestarts property.
%adminapi ALL= NOPASSWD: /usr/bin/systemctl show -p NRestarts postgresql.service
# Lets the group restart adminapi.service itself.
%adminapi ALL= NOPASSWD: /usr/bin/systemctl restart adminapi.service
%adminapi ALL= NOPASSWD: /usr/bin/systemctl is-active commence-backup.service
%adminapi ALL= NOPASSWD: /usr/bin/systemctl start commence-backup.service
# Same command as the /usr/bin/systemctl daemon-reload entry earlier in the
# file, granted here under the /bin path.
%adminapi ALL= NOPASSWD: /bin/systemctl daemon-reload
%adminapi ALL= NOPASSWD: /bin/systemctl restart services.slice
# Loads exactly this ruleset file as root. The file's contents decide the
# resulting firewall rules.
# NOTE(review): verify that the file, and anything it includes, is not writable
# by adminapi unless the group is meant to control the firewall.
%adminapi ALL= NOPASSWD: /usr/sbin/nft -f /etc/nftables/supabase_managed.conf
# NOTE(review): no arguments listed, so every admin-mgr subcommand and option
# runs as root. Confirm the binary's full command surface is intended here, or
# list the specific invocations.
%adminapi ALL= NOPASSWD: /usr/bin/admin-mgr
%adminapi ALL= NOPASSWD: /usr/sbin/netplan apply
# Grant the adminapi group the per-service systemctl command sets defined by the
# Cmnd_Alias lines at the top of this file. No Runas list is given, so they run
# as the default target user (root), without a password.
%adminapi ALL= NOPASSWD: ENVOY
%adminapi ALL= NOPASSWD: KONG
%adminapi ALL= NOPASSWD: POSTGREST
%adminapi ALL= NOPASSWD: GOTRUE
%adminapi ALL= NOPASSWD: PGBOUNCER