Separate QuantEngine database deployment
WBS-9.3 - NULL Policy CI Gate / NULL Policy Validation (push) Failing after 6s
Quant Engine CI/CD Pipeline / validate-core (push) Failing after 11s
Quant Engine CI/CD Pipeline / validate-ui-and-storage (push) Has been skipped

This commit is contained in:
2026-07-01 13:55:03 +09:00
parent 3e7120c041
commit 6ed3de2749
8 changed files with 120 additions and 8 deletions
+15
View File
@@ -15,6 +15,8 @@ env:
DEPLOY_USER: kjh2064
SERVICE_NAME: quantengine
DOTNET_VERSION: '10.0.x'
QUANTENGINE_DB_NAME: quantenginedb
QUANTENGINE_DB_USER: quantengine_app
TELEGRAM_BOT_TOKEN_DEFAULT: "8734507814:AAFyacLMai8GB4K-hQ_Nd3t3D01A-H1ZdV0"
TELEGRAM_CHAT_ID_DEFAULT: "-5460205872"
@@ -97,6 +99,14 @@ jobs:
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan -H ${{ env.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
- name: Prepare QuantEngine DB Env
run: |
mkdir -p ./deploy
cat > ./deploy/quantengine.env <<EOF
ConnectionStrings__DefaultConnection=Host=127.0.0.1;Database=${QUANTENGINE_DB_NAME};Username=${QUANTENGINE_DB_USER};Password=${{ secrets.QUANTENGINE_DB_PASSWORD }};Search Path=quantengine;
EOF
chmod 600 ./deploy/quantengine.env
- name: Package Artifact
run: |
tar -czf quantengine.tar.gz -C ./publish .
@@ -143,10 +153,15 @@ jobs:
quantengine.tar.gz "$DEPLOY_USER@$DEPLOY_HOST:/home/kjh2064/tmp/quantengine.tar.gz"
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
tools/deploy_quantengine.sh "$DEPLOY_USER@$DEPLOY_HOST:/home/kjh2064/tmp/deploy.sh"
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
deploy/quantengine.env "$DEPLOY_USER@$DEPLOY_HOST:/home/kjh2064/tmp/quantengine.env"
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
"$DEPLOY_USER@$DEPLOY_HOST" "chmod +x /home/kjh2064/tmp/deploy.sh && CI_DEPLOY=1 /home/kjh2064/tmp/deploy.sh"
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
"$DEPLOY_USER@$DEPLOY_HOST" "mkdir -p /home/kjh2064/.config && install -m 600 /home/kjh2064/tmp/quantengine.env /home/kjh2064/.config/quantengine.env && rm -f /home/kjh2064/tmp/quantengine.env"
echo "=== Verifying Loopback Health ==="
loopback_headers=$(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 "$DEPLOY_USER@$DEPLOY_HOST" "curl -s -D - -o /dev/null http://127.0.0.1:5000/")
echo "$loopback_headers"
+5 -5
View File
@@ -9,7 +9,7 @@ This document outlines the security configuration, role definitions, and access
The Quant Investment Engine operates strictly within the `quantengine` schema to prevent namespace pollution and protect system catalog tables.
* **Schema**: `quantengine`
* **Default Database**: `giteadb`
* **Default Database**: `quantenginedb`
---
@@ -22,7 +22,7 @@ To ensure the principle of least privilege, we define three main database roles:
* **Permissions**:
```sql
CREATE ROLE quantengine_owner WITH LOGIN PASSWORD 'OwnerPasswordSecure';
GRANT ALL PRIVILEGES ON DATABASE giteadb TO quantengine_owner;
GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_owner;
GRANT ALL PRIVILEGES ON SCHEMA quantengine TO quantengine_owner;
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT ALL ON TABLES TO quantengine_owner;
```
@@ -32,7 +32,7 @@ To ensure the principle of least privilege, we define three main database roles:
* **Permissions**:
```sql
CREATE ROLE quantengine_app WITH LOGIN PASSWORD 'AppPasswordSecure';
GRANT CONNECT ON DATABASE giteadb TO quantengine_app;
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;
GRANT USAGE ON SCHEMA quantengine TO quantengine_app;
-- Grant CRUD permissions on tables & sequences
@@ -48,7 +48,7 @@ To ensure the principle of least privilege, we define three main database roles:
* **Permissions**:
```sql
CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';
GRANT CONNECT ON DATABASE giteadb TO quantengine_readonly;
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_readonly;
GRANT USAGE ON SCHEMA quantengine TO quantengine_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA quantengine TO quantengine_readonly;
@@ -63,7 +63,7 @@ To ensure the principle of least privilege, we define three main database roles:
* Never store connection strings with plaintext passwords in version control.
* `appsettings.json` must only contain placeholder configurations.
* Inject the connection string at runtime using environment variables:
`ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=giteadb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`
`ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`
2. **Network Security**:
* Bind PostgreSQL only to local interfaces (`127.0.0.1`) or secure private network interfaces.
+10 -2
View File
@@ -46,8 +46,16 @@ builder.Services.AddAuthorizationCore();
builder.Services.AddMudServices();
// PostgreSQL Dapper Setup
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
?? "Host=127.0.0.1;Database=giteadb;Username=gitea;Password=C8RFlZ9fdQrBA1vyLhLDS4v70I8dJfRS2ERJW4+zsS4=;Search Path=quantengine;";
var configuredConnectionString = builder.Configuration.GetConnectionString("DefaultConnection");
var fallbackConnectionString = "Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=CHANGE_ME;Search Path=quantengine;";
var connectionString = string.IsNullOrWhiteSpace(configuredConnectionString) || configuredConnectionString.Contains("Password=;", StringComparison.OrdinalIgnoreCase)
? fallbackConnectionString
: configuredConnectionString;
var configuredDatabase = new Npgsql.NpgsqlConnectionStringBuilder(connectionString).Database;
if (!string.Equals(configuredDatabase, "quantenginedb", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("QuantEngine must use the quantenginedb PostgreSQL database.");
}
builder.Services.AddSingleton<IDbConnectionFactory>(new DbConnectionFactory(connectionString));
builder.Services.AddSingleton<DbMigrator>();
builder.Services.AddScoped<IWorkspaceRepository, WorkspaceRepository>();
+1 -1
View File
@@ -7,7 +7,7 @@
},
"AllowedHosts": "*",
"ConnectionStrings": {
"DefaultConnection": "Host=127.0.0.1;Database=giteadb;Username=gitea;Password=;Search Path=quantengine;"
"DefaultConnection": "Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=;Search Path=quantengine;"
},
"AdminSettings": {
"Username": "admin",
+2
View File
@@ -6,6 +6,7 @@ set -e
NGINX_CONF="/etc/nginx/sites-available/gitea-ip.conf"
SERVICE_FILE="/etc/systemd/system/quantengine.service"
APP_ENV_FILE="/home/kjh2064/.config/quantengine.env"
echo "========================================="
echo "Configuring Host Infrastructure Services"
@@ -61,6 +62,7 @@ User=kjh2064
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=ASPNETCORE_URLS=http://127.0.0.1:5000
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
EnvironmentFile=-/home/kjh2064/.config/quantengine.env
[Install]
WantedBy=multi-user.target
+52
View File
@@ -0,0 +1,52 @@
#!/usr/bin/env bash
# Create the QuantEngine database and application role on the local PostgreSQL instance.
set -euo pipefail
DB_NAME="${DB_NAME:-quantenginedb}"
DB_USER="${DB_USER:-quantengine_app}"
DB_PASSWORD="${DB_PASSWORD:-CHANGE_ME}"
DB_HOST="${DB_HOST:-127.0.0.1}"
DB_PORT="${DB_PORT:-5432}"
ADMIN_DB="${ADMIN_DB:-postgres}"
SCHEMA_NAME="${SCHEMA_NAME:-quantengine}"
echo "Creating database and role for ${DB_NAME}..."
sudo -u postgres psql -h "${DB_HOST}" -p "${DB_PORT}" -d "${ADMIN_DB}" -v ON_ERROR_STOP=1 <<SQL
DO \$\$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${DB_USER}') THEN
CREATE ROLE ${DB_USER} LOGIN PASSWORD '${DB_PASSWORD}';
ELSE
ALTER ROLE ${DB_USER} WITH LOGIN PASSWORD '${DB_PASSWORD}';
END IF;
END
\$\$;
DO \$\$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = '${DB_NAME}') THEN
CREATE DATABASE ${DB_NAME} OWNER ${DB_USER};
END IF;
END
\$\$;
SQL
sudo -u postgres psql -h "${DB_HOST}" -p "${DB_PORT}" -d "${DB_NAME}" -v ON_ERROR_STOP=1 <<SQL
CREATE SCHEMA IF NOT EXISTS ${SCHEMA_NAME} AUTHORIZATION ${DB_USER};
GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};
GRANT USAGE, CREATE ON SCHEMA ${SCHEMA_NAME} TO ${DB_USER};
ALTER SCHEMA ${SCHEMA_NAME} OWNER TO ${DB_USER};
SQL
APP_ENV_FILE="${APP_ENV_FILE:-/home/kjh2064/.config/quantengine.env}"
mkdir -p "$(dirname "${APP_ENV_FILE}")"
cat > "${APP_ENV_FILE}" <<EOF
ConnectionStrings__DefaultConnection=Host=127.0.0.1;Database=${DB_NAME};Username=${DB_USER};Password=${DB_PASSWORD};Search Path=${SCHEMA_NAME};
EOF
chmod 600 "${APP_ENV_FILE}"
echo "Database setup completed: ${DB_NAME} / ${DB_USER}"
echo "Wrote app env file: ${APP_ENV_FILE}"
+22
View File
@@ -0,0 +1,22 @@
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'quantengine_app') THEN
CREATE ROLE quantengine_app LOGIN PASSWORD 'CHANGE_ME';
END IF;
END
$$;
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = 'quantenginedb') THEN
CREATE DATABASE quantenginedb OWNER quantengine_app;
END IF;
END
$$;
\connect quantenginedb
CREATE SCHEMA IF NOT EXISTS quantengine AUTHORIZATION quantengine_app;
ALTER SCHEMA quantengine OWNER TO quantengine_app;
GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_app;
GRANT USAGE, CREATE ON SCHEMA quantengine TO quantengine_app;
+13
View File
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
set -euo pipefail
DB_HOST="${DB_HOST:-127.0.0.1}"
DB_PORT="${DB_PORT:-5432}"
DB_USER="${DB_USER:-quantengine_app}"
DB_NAME="${DB_NAME:-quantenginedb}"
echo "Checking database availability..."
psql "host=${DB_HOST} port=${DB_PORT} dbname=${DB_NAME} user=${DB_USER}" -Atc "select current_database(), current_schema();"
echo "Checking core tables..."
psql "host=${DB_HOST} port=${DB_PORT} dbname=${DB_NAME} user=${DB_USER}" -Atc "\dt quantengine.*"