Separate QuantEngine database deployment
This commit is contained in:
@@ -15,6 +15,8 @@ env:
|
||||
DEPLOY_USER: kjh2064
|
||||
SERVICE_NAME: quantengine
|
||||
DOTNET_VERSION: '10.0.x'
|
||||
QUANTENGINE_DB_NAME: quantenginedb
|
||||
QUANTENGINE_DB_USER: quantengine_app
|
||||
TELEGRAM_BOT_TOKEN_DEFAULT: "8734507814:AAFyacLMai8GB4K-hQ_Nd3t3D01A-H1ZdV0"
|
||||
TELEGRAM_CHAT_ID_DEFAULT: "-5460205872"
|
||||
|
||||
@@ -97,6 +99,14 @@ jobs:
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
ssh-keyscan -H ${{ env.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
|
||||
|
||||
- name: Prepare QuantEngine DB Env
|
||||
run: |
|
||||
mkdir -p ./deploy
|
||||
cat > ./deploy/quantengine.env <<EOF
|
||||
ConnectionStrings__DefaultConnection=Host=127.0.0.1;Database=${QUANTENGINE_DB_NAME};Username=${QUANTENGINE_DB_USER};Password=${{ secrets.QUANTENGINE_DB_PASSWORD }};Search Path=quantengine;
|
||||
EOF
|
||||
chmod 600 ./deploy/quantengine.env
|
||||
|
||||
- name: Package Artifact
|
||||
run: |
|
||||
tar -czf quantengine.tar.gz -C ./publish .
|
||||
@@ -143,10 +153,15 @@ jobs:
|
||||
quantengine.tar.gz "$DEPLOY_USER@$DEPLOY_HOST:/home/kjh2064/tmp/quantengine.tar.gz"
|
||||
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
|
||||
tools/deploy_quantengine.sh "$DEPLOY_USER@$DEPLOY_HOST:/home/kjh2064/tmp/deploy.sh"
|
||||
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
|
||||
deploy/quantengine.env "$DEPLOY_USER@$DEPLOY_HOST:/home/kjh2064/tmp/quantengine.env"
|
||||
|
||||
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
|
||||
"$DEPLOY_USER@$DEPLOY_HOST" "chmod +x /home/kjh2064/tmp/deploy.sh && CI_DEPLOY=1 /home/kjh2064/tmp/deploy.sh"
|
||||
|
||||
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 \
|
||||
"$DEPLOY_USER@$DEPLOY_HOST" "mkdir -p /home/kjh2064/.config && install -m 600 /home/kjh2064/tmp/quantengine.env /home/kjh2064/.config/quantengine.env && rm -f /home/kjh2064/tmp/quantengine.env"
|
||||
|
||||
echo "=== Verifying Loopback Health ==="
|
||||
loopback_headers=$(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_ed25519 "$DEPLOY_USER@$DEPLOY_HOST" "curl -s -D - -o /dev/null http://127.0.0.1:5000/")
|
||||
echo "$loopback_headers"
|
||||
|
||||
@@ -9,7 +9,7 @@ This document outlines the security configuration, role definitions, and access
|
||||
The Quant Investment Engine operates strictly within the `quantengine` schema to prevent namespace pollution and protect system catalog tables.
|
||||
|
||||
* **Schema**: `quantengine`
|
||||
* **Default Database**: `giteadb`
|
||||
* **Default Database**: `quantenginedb`
|
||||
|
||||
---
|
||||
|
||||
@@ -22,7 +22,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* **Permissions**:
|
||||
```sql
|
||||
CREATE ROLE quantengine_owner WITH LOGIN PASSWORD 'OwnerPasswordSecure';
|
||||
GRANT ALL PRIVILEGES ON DATABASE giteadb TO quantengine_owner;
|
||||
GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_owner;
|
||||
GRANT ALL PRIVILEGES ON SCHEMA quantengine TO quantengine_owner;
|
||||
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT ALL ON TABLES TO quantengine_owner;
|
||||
```
|
||||
@@ -32,7 +32,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* **Permissions**:
|
||||
```sql
|
||||
CREATE ROLE quantengine_app WITH LOGIN PASSWORD 'AppPasswordSecure';
|
||||
GRANT CONNECT ON DATABASE giteadb TO quantengine_app;
|
||||
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;
|
||||
GRANT USAGE ON SCHEMA quantengine TO quantengine_app;
|
||||
|
||||
-- Grant CRUD permissions on tables & sequences
|
||||
@@ -48,7 +48,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* **Permissions**:
|
||||
```sql
|
||||
CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';
|
||||
GRANT CONNECT ON DATABASE giteadb TO quantengine_readonly;
|
||||
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_readonly;
|
||||
GRANT USAGE ON SCHEMA quantengine TO quantengine_readonly;
|
||||
|
||||
GRANT SELECT ON ALL TABLES IN SCHEMA quantengine TO quantengine_readonly;
|
||||
@@ -63,7 +63,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* Never store connection strings with plaintext passwords in version control.
|
||||
* `appsettings.json` must only contain placeholder configurations.
|
||||
* Inject the connection string at runtime using environment variables:
|
||||
`ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=giteadb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`
|
||||
`ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`
|
||||
|
||||
2. **Network Security**:
|
||||
* Bind PostgreSQL only to local interfaces (`127.0.0.1`) or secure private network interfaces.
|
||||
|
||||
@@ -46,8 +46,16 @@ builder.Services.AddAuthorizationCore();
|
||||
builder.Services.AddMudServices();
|
||||
|
||||
// PostgreSQL Dapper Setup
|
||||
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
|
||||
?? "Host=127.0.0.1;Database=giteadb;Username=gitea;Password=C8RFlZ9fdQrBA1vyLhLDS4v70I8dJfRS2ERJW4+zsS4=;Search Path=quantengine;";
|
||||
var configuredConnectionString = builder.Configuration.GetConnectionString("DefaultConnection");
|
||||
var fallbackConnectionString = "Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=CHANGE_ME;Search Path=quantengine;";
|
||||
var connectionString = string.IsNullOrWhiteSpace(configuredConnectionString) || configuredConnectionString.Contains("Password=;", StringComparison.OrdinalIgnoreCase)
|
||||
? fallbackConnectionString
|
||||
: configuredConnectionString;
|
||||
var configuredDatabase = new Npgsql.NpgsqlConnectionStringBuilder(connectionString).Database;
|
||||
if (!string.Equals(configuredDatabase, "quantenginedb", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
throw new InvalidOperationException("QuantEngine must use the quantenginedb PostgreSQL database.");
|
||||
}
|
||||
builder.Services.AddSingleton<IDbConnectionFactory>(new DbConnectionFactory(connectionString));
|
||||
builder.Services.AddSingleton<DbMigrator>();
|
||||
builder.Services.AddScoped<IWorkspaceRepository, WorkspaceRepository>();
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
},
|
||||
"AllowedHosts": "*",
|
||||
"ConnectionStrings": {
|
||||
"DefaultConnection": "Host=127.0.0.1;Database=giteadb;Username=gitea;Password=;Search Path=quantengine;"
|
||||
"DefaultConnection": "Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=;Search Path=quantengine;"
|
||||
},
|
||||
"AdminSettings": {
|
||||
"Username": "admin",
|
||||
|
||||
@@ -6,6 +6,7 @@ set -e
|
||||
|
||||
NGINX_CONF="/etc/nginx/sites-available/gitea-ip.conf"
|
||||
SERVICE_FILE="/etc/systemd/system/quantengine.service"
|
||||
APP_ENV_FILE="/home/kjh2064/.config/quantengine.env"
|
||||
|
||||
echo "========================================="
|
||||
echo "Configuring Host Infrastructure Services"
|
||||
@@ -61,6 +62,7 @@ User=kjh2064
|
||||
Environment=ASPNETCORE_ENVIRONMENT=Production
|
||||
Environment=ASPNETCORE_URLS=http://127.0.0.1:5000
|
||||
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
|
||||
EnvironmentFile=-/home/kjh2064/.config/quantengine.env
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
#!/usr/bin/env bash
|
||||
# Create the QuantEngine database and application role on the local PostgreSQL instance.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
DB_NAME="${DB_NAME:-quantenginedb}"
|
||||
DB_USER="${DB_USER:-quantengine_app}"
|
||||
DB_PASSWORD="${DB_PASSWORD:-CHANGE_ME}"
|
||||
DB_HOST="${DB_HOST:-127.0.0.1}"
|
||||
DB_PORT="${DB_PORT:-5432}"
|
||||
ADMIN_DB="${ADMIN_DB:-postgres}"
|
||||
SCHEMA_NAME="${SCHEMA_NAME:-quantengine}"
|
||||
|
||||
echo "Creating database and role for ${DB_NAME}..."
|
||||
sudo -u postgres psql -h "${DB_HOST}" -p "${DB_PORT}" -d "${ADMIN_DB}" -v ON_ERROR_STOP=1 <<SQL
|
||||
DO \$\$
|
||||
BEGIN
|
||||
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${DB_USER}') THEN
|
||||
CREATE ROLE ${DB_USER} LOGIN PASSWORD '${DB_PASSWORD}';
|
||||
ELSE
|
||||
ALTER ROLE ${DB_USER} WITH LOGIN PASSWORD '${DB_PASSWORD}';
|
||||
END IF;
|
||||
END
|
||||
\$\$;
|
||||
|
||||
DO \$\$
|
||||
BEGIN
|
||||
IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = '${DB_NAME}') THEN
|
||||
CREATE DATABASE ${DB_NAME} OWNER ${DB_USER};
|
||||
END IF;
|
||||
END
|
||||
\$\$;
|
||||
SQL
|
||||
|
||||
sudo -u postgres psql -h "${DB_HOST}" -p "${DB_PORT}" -d "${DB_NAME}" -v ON_ERROR_STOP=1 <<SQL
|
||||
CREATE SCHEMA IF NOT EXISTS ${SCHEMA_NAME} AUTHORIZATION ${DB_USER};
|
||||
GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};
|
||||
GRANT USAGE, CREATE ON SCHEMA ${SCHEMA_NAME} TO ${DB_USER};
|
||||
ALTER SCHEMA ${SCHEMA_NAME} OWNER TO ${DB_USER};
|
||||
SQL
|
||||
|
||||
APP_ENV_FILE="${APP_ENV_FILE:-/home/kjh2064/.config/quantengine.env}"
|
||||
|
||||
mkdir -p "$(dirname "${APP_ENV_FILE}")"
|
||||
cat > "${APP_ENV_FILE}" <<EOF
|
||||
ConnectionStrings__DefaultConnection=Host=127.0.0.1;Database=${DB_NAME};Username=${DB_USER};Password=${DB_PASSWORD};Search Path=${SCHEMA_NAME};
|
||||
EOF
|
||||
|
||||
chmod 600 "${APP_ENV_FILE}"
|
||||
|
||||
echo "Database setup completed: ${DB_NAME} / ${DB_USER}"
|
||||
echo "Wrote app env file: ${APP_ENV_FILE}"
|
||||
@@ -0,0 +1,22 @@
|
||||
DO $$
|
||||
BEGIN
|
||||
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'quantengine_app') THEN
|
||||
CREATE ROLE quantengine_app LOGIN PASSWORD 'CHANGE_ME';
|
||||
END IF;
|
||||
END
|
||||
$$;
|
||||
|
||||
DO $$
|
||||
BEGIN
|
||||
IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = 'quantenginedb') THEN
|
||||
CREATE DATABASE quantenginedb OWNER quantengine_app;
|
||||
END IF;
|
||||
END
|
||||
$$;
|
||||
|
||||
\connect quantenginedb
|
||||
|
||||
CREATE SCHEMA IF NOT EXISTS quantengine AUTHORIZATION quantengine_app;
|
||||
ALTER SCHEMA quantengine OWNER TO quantengine_app;
|
||||
GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_app;
|
||||
GRANT USAGE, CREATE ON SCHEMA quantengine TO quantengine_app;
|
||||
@@ -0,0 +1,13 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
DB_HOST="${DB_HOST:-127.0.0.1}"
|
||||
DB_PORT="${DB_PORT:-5432}"
|
||||
DB_USER="${DB_USER:-quantengine_app}"
|
||||
DB_NAME="${DB_NAME:-quantenginedb}"
|
||||
|
||||
echo "Checking database availability..."
|
||||
psql "host=${DB_HOST} port=${DB_PORT} dbname=${DB_NAME} user=${DB_USER}" -Atc "select current_database(), current_schema();"
|
||||
echo "Checking core tables..."
|
||||
psql "host=${DB_HOST} port=${DB_PORT} dbname=${DB_NAME} user=${DB_USER}" -Atc "\dt quantengine.*"
|
||||
Reference in New Issue
Block a user