Enhance postgres init scripts and interior cf tunnel

envs/ci/postgres-init.sh

@@ -1,9 +1,10 @@
 #!/bin/bash
+set -eo pipefail
 
 psql -U ${POSTGRES_USER} <<-END
 
+-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!
 CREATE USER ${SERVICE_DATABASE_USER} WITH
-    CREATEROLE
     SUPERUSER
     PASSWORD '${SERVICE_DATABASE_PASSWORD}';
 
@@ -16,11 +17,13 @@ CREATE DATABASE ${SERVICE_DATABASE_NAME}_TEST WITH
 CREATE USER ${SERVICE_DATABASE_READONLY_USER} WITH
     PASSWORD '${SERVICE_DATABASE_READONLY_PASSWORD}';
 
+\c ${SERVICE_DATABASE_NAME}
+
 GRANT CONNECT ON DATABASE ${SERVICE_DATABASE_NAME} TO ${SERVICE_DATABASE_READONLY_USER};
 
 GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
 
 ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER} IN SCHEMA public
 GRANT SELECT ON TABLES TO ${SERVICE_DATABASE_READONLY_USER};
 
-END
+END

envs/dev/postgres-init.sh

@@ -1,9 +1,10 @@
 #!/bin/bash
+set -eo pipefail
 
 psql -U ${POSTGRES_USER} <<-END
 
+-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!
 CREATE USER ${SERVICE_DATABASE_USER} WITH
-    CREATEROLE
     SUPERUSER
     PASSWORD '${SERVICE_DATABASE_PASSWORD}';
 
@@ -16,11 +17,13 @@ CREATE DATABASE ${SERVICE_DATABASE_NAME}_TEST WITH
 CREATE USER ${SERVICE_DATABASE_READONLY_USER} WITH
     PASSWORD '${SERVICE_DATABASE_READONLY_PASSWORD}';
 
+\c ${SERVICE_DATABASE_NAME}
+
 GRANT CONNECT ON DATABASE ${SERVICE_DATABASE_NAME} TO ${SERVICE_DATABASE_READONLY_USER};
 
 GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
 
 ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER} IN SCHEMA public
 GRANT SELECT ON TABLES TO ${SERVICE_DATABASE_READONLY_USER};
 
-END
+END

envs/prod/cloudflared-int.yaml

@@ -1,5 +1,12 @@
 tunnel:
 credentials-file: /etc/cloudflared/certs/.json
+originRequest:
+  access:
+    required: true
+    teamName:
+    audTag:
+      - ... # Metabase
+      - ... # Asynqmon
 
 ingress:
   - hostname: api.

envs/prod/postgres-init.sh

@@ -1,9 +1,10 @@
 #!/bin/bash
+set -eo pipefail
 
 psql -U ${POSTGRES_USER} <<-END
 
+-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!
 CREATE USER ${SERVICE_DATABASE_USER} WITH
-    CREATEROLE
     SUPERUSER
     PASSWORD '${SERVICE_DATABASE_PASSWORD}';
 
@@ -16,11 +17,13 @@ CREATE DATABASE ${SERVICE_DATABASE_NAME}_TEST WITH
 CREATE USER ${SERVICE_DATABASE_READONLY_USER} WITH
     PASSWORD '${SERVICE_DATABASE_READONLY_PASSWORD}';
 
+\c ${SERVICE_DATABASE_NAME}
+
 GRANT CONNECT ON DATABASE ${SERVICE_DATABASE_NAME} TO ${SERVICE_DATABASE_READONLY_USER};
 
 GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
 
 ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER} IN SCHEMA public
 GRANT SELECT ON TABLES TO ${SERVICE_DATABASE_READONLY_USER};
 
-END
+END