# Database Setup

## Manual Migrations

This directory contains SQL migrations that require superuser access and are applied manually.

## Applying Migrations

### Apply with psql:

```bash
# Connect as superuser
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/01-app-role.sql
```

### Environment Variables

- `DATABASE_URL` - Application connection (as `tia_app` role)
- `DATABASE_URL_SUPERUSER` - Superuser connection (for migrations only)

## Migration 01: App Role

File: `01-app-role.sql`

Creates `tia_app` role for application connections.

**Before applying:**

1. Change the password in the SQL file to a strong random value:

   ```sql
   CREATE ROLE tia_app WITH LOGIN PASSWORD 'your-secure-random-password';
   ```

2. Update `DATABASE_URL` in Dokploy to use `tia_app`:

   ```
   postgresql://tia_app:your-password@host:5432/tia
   ```

**Apply:**

```bash
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/01-app-role.sql
```

**After applying:**

- Test application works with new role
- Verify `tia_app` can SELECT/INSERT/UPDATE/DELETE
- Verify `tia_app` CANNOT DROP tables, CREATE TABLE, or ALTER ROLE
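
One way to run the "After applying" checks from a superuser `psql` session, as an added example that is not part of the project's migrations. It assumes the application tables live in the `public` schema; `__priv_probe` is a hypothetical throwaway table name.

```sql
-- Added example. Run as superuser after applying 01-app-role.sql.
-- Assumption: application tables are in schema "public".

-- 1. Role attributes: every flag should be false for an application role.
--    rolcreaterole = true would allow ALTER ROLE on other roles;
--    rolbypassrls = true would defeat the RLS enabled by migration 02.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM pg_roles
WHERE rolname = 'tia_app';

-- 2. Schema privileges: USAGE should be true, CREATE should be false.
--    On PostgreSQL 14 and earlier, PUBLIC has CREATE on "public" by default,
--    so can_create may be true unless it was explicitly revoked.
SELECT has_schema_privilege('tia_app', 'public', 'USAGE')  AS can_use,
       has_schema_privilege('tia_app', 'public', 'CREATE') AS can_create;

-- 3. Per-table view: the four DML columns should be true, the rest false.
--    DROP TABLE requires ownership, so is_owner must be false.
SELECT c.relname AS table_name,
       has_table_privilege('tia_app', c.oid, 'SELECT')   AS can_select,
       has_table_privilege('tia_app', c.oid, 'INSERT')   AS can_insert,
       has_table_privilege('tia_app', c.oid, 'UPDATE')   AS can_update,
       has_table_privilege('tia_app', c.oid, 'DELETE')   AS can_delete,
       has_table_privilege('tia_app', c.oid, 'TRUNCATE') AS can_truncate,
       pg_has_role('tia_app', c.relowner, 'USAGE')       AS is_owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
ORDER BY c.relname;

-- 4. Behavioural probe: attempt CREATE TABLE as tia_app and expect a denial.
--    Everything is rolled back, so nothing persists either way.
BEGIN;
SET LOCAL ROLE tia_app;
DO $$
BEGIN
  EXECUTE 'CREATE TABLE public.__priv_probe (id int)';
  RAISE EXCEPTION 'tia_app was able to CREATE TABLE in public';
EXCEPTION WHEN insufficient_privilege THEN
  RAISE NOTICE 'ok: CREATE TABLE denied for tia_app';
END
$$;
ROLLBACK;
```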

## Migration 02: Enable RLS

File: `02-enable-rls.sql`

Enables Row-Level Security on all family-scoped tables.

**Apply after H2.1 and H2.2 are complete:**

```bash
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/02-enable-rls.sql
```