
Merge infra changes to main#39

Open
buapebot wants to merge 7 commits into main from asleep/infra-changes

Conversation


@buapebot buapebot commented Feb 25, 2026

Merges the infrastructure changes (db + backup services in docker-compose) from the branch that's been running on Portainer.

Summary by CodeRabbit

  • Infrastructure Updates
    • PostgreSQL database service now available, providing persistent data storage with dedicated volume management and automatic restart capabilities
    • Automated backup service added, featuring secure cloud storage integration with hourly scheduled backups for reliable data protection
    • System dependencies enhanced for improved stability, compatibility, and security

@buapebot buapebot requested a review from Codeize as a code owner February 25, 2026 18:49

coderabbitai bot commented Feb 25, 2026

Warning

Rate limit exceeded

@buapebot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 37 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 8217717 and ec1dbe2.

📒 Files selected for processing (1)
  • docker-compose.yml
📝 Walkthrough

The pull request modifies Docker configuration files: the Dockerfile now installs OpenSSL and uses regular pnpm install instead of frozen-lockfile, while docker-compose.yml adds a PostgreSQL database service, a backup service with S3 integration, a persistent volume, and an external network for inter-service communication.

Changes

Cohort / File(s): Summary

Dockerfile changes (Dockerfile): Added OpenSSL installation via apk and replaced pnpm install --frozen-lockfile with standard pnpm install.

Docker Compose infrastructure (docker-compose.yml): Added PostgreSQL database service (db) with shared memory and DDL logging, postgres-backup service with S3 integration, persistent tags-db volume, and external tags network; extended tags service to connect to the new network.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • Codeize

Poem

🐰 A database emerges, steady and true,
With backups to S3 shiny and new,
OpenSSL stands guard at the door,
Infrastructure blooms like never before! 🌱

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive
  Explanation: The title 'Merge infra changes to main' is vague and generic, using non-descriptive language that doesn't specify which infrastructure changes are being added.
  Resolution: Consider a more specific title that highlights the main changes, such as 'Add database and backup services to docker-compose' or 'Set up Postgres database and S3 backup service infrastructure'.

✅ Passed checks (2 passed)

Description Check: ✅ Passed
  Explanation: Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (2)
docker-compose.yml (2)

40-41: Add healthcheck to db service and gate backup on readiness.

depends_on only enforces startup order; postgres-backup may attempt to connect before Postgres is ready. Add a healthcheck to the db service and use condition: service_healthy on the depends_on entry:

Example fix
db:
  image: postgres:17
  # ... existing config ...
  healthcheck:
    test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
    interval: 5s
    timeout: 3s
    retries: 10

postgres-backup:
  image: itbm/postgres-backup-s3
  depends_on:
    db:
      condition: service_healthy
  # ... rest of config ...

21-21: Pin Postgres to an immutable image reference.

At Line 21, postgres:17 is a floating major tag that pulls different patch versions on rebuilds. The current stable patch is 17.7. Pin to an immutable digest reference using:

image: postgres:17.7@sha256:<DIGEST>

Retrieve the digest using docker buildx imagetools inspect docker.io/library/postgres:17.7 and use the top-level Digest value for multi-architecture compatibility.


ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a430e0c and 8217717.

📒 Files selected for processing (2)
  • Dockerfile
  • docker-compose.yml
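The three findings above (a port published on every host interface, images with no tag or digest, and a depends_on that only orders startup) can be checked mechanically. The following is an added example, not part of this PR or of CodeRabbit's output: it audits a Compose file that has already been loaded into a Python dict (for instance with PyYAML); the services in the sample mirror the ones discussed here and are constructed, as is the placeholder digest on the tags image.

```python
import re
from typing import List, Optional
# Constructed sample (not the repository's docker-compose.yml); the digest on tags is a placeholder.
COMPOSE = {
    "services": {
        "db": {"image": "postgres:17", "ports": ["41006:5432"]},
        "postgres-backup": {"image": "itbm/postgres-backup-s3", "depends_on": ["db"]},
        "tags": {"image": "ghcr.io/example/tags:1.0.0@sha256:" + "0" * 64,  # placeholder digest
                 "ports": ["127.0.0.1:8080:8080"],
                 "depends_on": {"db": {"condition": "service_healthy"}}},
    }
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
WILDCARD_HOSTS = ("", "0.0.0.0", "::", "[::]")

def port_exposed_on_all_interfaces(spec) -> bool:
    """True when a published port binds every host interface (no host IP, or a wildcard)."""
    if isinstance(spec, dict):  # long syntax: {target: 5432, published: 41006, host_ip: ...}
        return "published" in spec and spec.get("host_ip", "0.0.0.0") in WILDCARD_HOSTS
    parts = str(spec).rsplit(":", 2)  # rsplit keeps a bracketed IPv6 host address whole
    if len(parts) == 1:  # "5432": container port only, nothing is published on the host
        return False
    if len(parts) == 2:  # "41006:5432": a host port without a host IP means 0.0.0.0
        return True
    return parts[0] in WILDCARD_HOSTS  # "127.0.0.1:41006:5432" is loopback only

def image_pin_problem(image: str) -> Optional[str]:
    """Describe how an image reference floats, or return None when it carries a digest."""
    if DIGEST_RE.search(image):
        return None
    last = image.split("/")[-1]  # drop registry/namespace so a registry port is not read as a tag
    if ":" not in last or last.endswith(":latest"):
        return "no version tag, resolves to :latest"
    return "tag without digest, contents can change on rebuild"

def audit(compose: dict) -> List[str]:
    """Apply the review's three checks: exposed ports, floating images, readiness gating."""
    findings, services = [], compose.get("services", {})
    for name, svc in services.items():
        for p in svc.get("ports", []):
            if port_exposed_on_all_interfaces(p):
                findings.append(f"{name}: port {p!r} is published on all host interfaces")
        problem = image_pin_problem(svc["image"]) if "image" in svc else None
        if problem:
            findings.append(f"{name}: image {svc['image']!r}: {problem}")
        deps = svc.get("depends_on", [])
        if isinstance(deps, list):  # short form orders startup only; it never waits for health
            findings.extend(f"{name}: depends_on {d} orders startup only" for d in deps)
        else:
            for dep, cfg in deps.items():
                if cfg.get("condition") == "service_healthy" and "healthcheck" not in services.get(dep, {}):
                    findings.append(f"{name}: waits for {dep} to be healthy but {dep} has no healthcheck")
    return findings
```

Running audit(COMPOSE) on the sample reports the db port mapping, both unpinned images, the list-form depends_on on postgres-backup, and the missing healthcheck that the tags service's service_healthy condition relies on.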

Comment on lines +32 to +33
ports:
- "41006:5432"

⚠️ Potential issue | 🟠 Major

Avoid exposing Postgres on all host interfaces by default.

At Line 33, "41006:5432" binds to 0.0.0.0, increasing attack surface. If host access is required, bind to loopback; otherwise keep DB internal to the Docker network.

Safer default
-    ports:
-      - "41006:5432"
+    ports:
+      - "127.0.0.1:41006:5432"
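Review bot: the loopback binding in `+      - "127.0.0.1:41006:5432"` still publishes Postgres on the host, so it should be the fallback rather than the default: the comment itself notes that the stronger option is to keep the database internal to the Docker network, and this PR already attaches the services to the shared tags network, where the backup service reaches the database by service name without any host port. Suggest removing the `ports:` block entirely unless someone needs host-side access, and recording who that is if the loopback mapping is kept.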

command: ["postgres", "-c", "log_statement=ddl", "-c", "log_destination=stderr"]

postgres-backup:
image: itbm/postgres-backup-s3

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's find and read the docker-compose.yml file
find . -name "docker-compose.yml" -type f

Repository: buape/Tags

Length of output: 74


🏁 Script executed:

# Also search for any docker-compose files
find . -name "docker-compose*" -type f

Repository: buape/Tags

Length of output: 74


🌐 Web query:

itbm/postgres-backup-s3 docker image available tags versions registry

💡 Result:

Registries & image names

  • GitHub Container Registry (GHCR): ghcr.io/itbm/postgresql-backup-s3 (this is where the current images/tags are published). [1]
  • Docker Hub: itbm/postgresql-backup-s3 (older tags exist; Docker Hub page is hard to enumerate from HTML, but specific tag layer pages confirm the repo and tags). [4], [5]
  • The upstream GitHub repo README historically references itbm/postgres-backup-s3 for docker run, but also shows itbm/postgresql-backup-s3 for Kubernetes examples—so you may see both names in the wild. [3]

Available tags / versions (confirmed)

GHCR (ghcr.io/itbm/postgresql-backup-s3)

Recent tags shown by GitHub Packages:

  • latest
  • 1.2.3, 1.2, 1
  • 1.2.2
  • 1.2.1
  • 1.2.0
  • 1.1.1, 1.1 [2]

Source-code release tags in the GitHub repo include (newest → older):

  • v1.2.3, v1.2.2, v1.2.1, v1.2.0, v1.1.1, v1.1.0, v1.0.11, v1.0.10, v1.0.9, v1.0.8, … [6]

Docker Hub (itbm/postgresql-backup-s3)

Tags confirmed to exist (via layer pages):

  • 1.0.8 [4]
  • 1.0.9 [5]

Sources:
[1] [2] GitHub Packages (GHCR) container page for itbm/postgresql-backup-s3 (github.com)
[3] GitHub repo README (itbm/postgresql-backup-s3) (github.com)
[4] Docker Hub layer page for itbm/postgresql-backup-s3:1.0.8 (hub.docker.com)
[5] Docker Hub layer page for itbm/postgresql-backup-s3:1.0.9 (hub.docker.com)
[6] GitHub repo tags list (github.com)


🏁 Script executed:

cat -n docker-compose.yml

Repository: buape/Tags

Length of output: 1908


🌐 Web query:

itbm postgresql-backup-s3 GitHub repo S3_REGION environment variable support changelog

💡 Result:

  • Yes — S3_REGION is supported in itbm/postgresql-backup-s3. It’s documented as an environment variable (default us-west-1) in the repo README. [1]
  • Implementation: the backup script maps it to AWS CLI’s region via AWS_DEFAULT_REGION=$S3_REGION. [2]
  • “Changelog” / when it appeared: the repo doesn’t maintain a dedicated CHANGELOG.md or detailed release notes (GitHub release pages don’t show meaningful notes in the HTML view), but S3_REGION support is present at least as far back as tag v1.0.8 (May 24, 2021) in both the README and backup.sh. [3]

Sources:
[1] itbm/postgresql-backup-s3 README (env var table includes S3_REGION default us-west-1) (github.com)
[2] backup.sh on master (export AWS_DEFAULT_REGION=$S3_REGION) (raw.githubusercontent.com)
[3] v1.0.8 tag shows S3_REGION in README and backup.sh (raw.githubusercontent.com)


Pin backup image to a specific version tag.

Line 37 uses itbm/postgres-backup-s3 without a tag, defaulting to latest, which is non-reproducible. Use an explicit version such as 1.2.3 or another stable release from the GHCR registry (all recent versions support S3_REGION and the environment variables used here).

Note: Consider updating the image reference to ghcr.io/itbm/postgresql-backup-s3:1.2.3 if using the officially maintained registry.


COPY package.json pnpm-lock.yaml ./

RUN pnpm install --frozen-lockfile
RUN pnpm install

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

pnpm install --frozen-lockfile behavior lockfile changes documentation

💡 Result:

pnpm install --frozen-lockfile is meant for reproducible installs (especially CI):

  • It will not create or update pnpm-lock.yaml. If pnpm would need to change the lockfile to complete the install, the command fails. [1]
  • It fails if the lockfile is missing (because it’s not allowed to generate one). [1]
  • In CI, this behavior is enabled by default (i.e., frozen-lockfile=true in CI when a lockfile is present), so CI installs will fail if the lockfile would need an update. [1]

What counts as “lockfile needs an update” / why it fails:

  • Most commonly: someone changed a package.json (dependencies/versions/overrides, workspace packages, etc.) but didn’t run pnpm install and commit the updated lockfile, leading to ERR_PNPM_OUTDATED_LOCKFILE. [2]

How to resolve (typical workflow):

  • Locally (or in a non-frozen step), run a normal install to refresh the lockfile, then commit it:
    • pnpm install (or explicitly pnpm install --no-frozen-lockfile) and commit the pnpm-lock.yaml changes. [2]

Sources:
[1] pnpm CLI docs: pnpm install --frozen-lockfile behavior and CI default. (pnpm.cn)
[2] pnpm error docs: ERR_PNPM_OUTDATED_LOCKFILE cause + fix. (pnpm.cn)


Use --frozen-lockfile for deterministic container image builds.

At Line 11, pnpm install without --frozen-lockfile can modify the lockfile during builds, breaking reproducibility. Even though pnpm defaults to frozen-lockfile behavior in CI environments with an existing lockfile, Dockerfile builds should explicitly enforce it to prevent dependency resolution drift across rebuilds of the same commit.

Proposed fix
-RUN pnpm install
+RUN pnpm install --frozen-lockfile
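Review bot: restoring `+RUN pnpm install --frozen-lockfile` on its own is likely to break the build, because this PR removed the flag in the first place; the preceding `COPY package.json pnpm-lock.yaml ./` step copies the committed lockfile, and if it is out of sync with package.json the frozen install fails with ERR_PNPM_OUTDATED_LOCKFILE, exactly as the analysis above describes. Suggest regenerating the lockfile locally with a normal `pnpm install`, committing the updated pnpm-lock.yaml in the same change, and only then re-adding the flag so the build enforces the lockfile instead of silently rewriting it.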
