From 856761d407372567c75a23136bde5d1505630a66 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Thu, 2 Apr 2026 15:19:57 +0200
Subject: [PATCH] fix: supabase connection

---
 hosts/web-arm/modules/supabase/default.nix     | 12 +++++-------
 hosts/web-arm/modules/supabase/env-generate.sh | 15 +++++++++------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/hosts/web-arm/modules/supabase/default.nix b/hosts/web-arm/modules/supabase/default.nix
index ce515a7..19df8bb 100644
--- a/hosts/web-arm/modules/supabase/default.nix
+++ b/hosts/web-arm/modules/supabase/default.nix
@@ -26,6 +26,7 @@ in
     "d /var/lib/supabase/snippets 0755 root root -"
   ];
 
+
   # --- Systemd services: network, env generation, and container ordering ---
   systemd.services =
     let
@@ -45,7 +46,7 @@ in
         "supabase-functions"
       ];
       mkContainerDeps = name: {
-        "docker-${name}" = {
+        "podman-${name}" = {
           after = [ "init-supabase-network.service" "supabase-env-generate.service" ];
           requires = [ "init-supabase-network.service" "supabase-env-generate.service" ];
         };
@@ -54,22 +55,19 @@ in
     lib.mkMerge (map mkContainerDeps containerNames ++ [
       {
         init-supabase-network = {
-          description = "Create supabase-net Docker network";
-          after = [ "docker.service" ];
-          requires = [ "docker.service" ];
+          description = "Create supabase-net Podman network";
           wantedBy = [ "multi-user.target" ];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
             # '-' prefix tells systemd to ignore non-zero exit (network may already exist)
-            ExecStart = "-${pkgs.docker}/bin/docker network create supabase-net";
+            ExecStart = "-${pkgs.podman}/bin/podman network create supabase-net";
           };
         };
         supabase-env-generate = {
           description = "Generate Supabase per-container env files from SOPS secrets";
-          after = [ "docker.service" ];
-          requires = [ "docker.service" ];
           wantedBy = [ "multi-user.target" ];
+          path = [ pkgs.jq ];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
diff --git a/hosts/web-arm/modules/supabase/env-generate.sh b/hosts/web-arm/modules/supabase/env-generate.sh
index 331bfdc..ecf4f1b 100644
--- a/hosts/web-arm/modules/supabase/env-generate.sh
+++ b/hosts/web-arm/modules/supabase/env-generate.sh
@@ -6,6 +6,9 @@ set -a
 source "$1"
 set +a
 
+# URL-encode password for use in connection strings
+PG_PASS_ENCODED=$(printf '%s' "$POSTGRES_PASSWORD" | jq -sRr @uri)
+
 cat > /run/supabase/db.env <<EOF
 POSTGRES_PASSWORD=$POSTGRES_PASSWORD
 PGPASSWORD=$POSTGRES_PASSWORD
@@ -16,18 +19,18 @@ cat > /run/supabase/analytics.env <<EOF
 DB_PASSWORD=$POSTGRES_PASSWORD
 LOGFLARE_PUBLIC_ACCESS_TOKEN=$LOGFLARE_PUBLIC_ACCESS_TOKEN
 LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
-POSTGRES_BACKEND_URL=postgresql://supabase_admin:$POSTGRES_PASSWORD@db:5432/_supabase
+POSTGRES_BACKEND_URL=postgresql://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
 EOF
 
 cat > /run/supabase/auth.env <<EOF
 GOTRUE_JWT_SECRET=$JWT_SECRET
-GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$POSTGRES_PASSWORD@db:5432/postgres
+GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$PG_PASS_ENCODED@db:5432/postgres
 EOF
 
 cat > /run/supabase/rest.env <<EOF
 PGRST_JWT_SECRET=$JWT_SECRET
 PGRST_APP_SETTINGS_JWT_SECRET=$JWT_SECRET
-PGRST_DB_URI=postgres://authenticator:$POSTGRES_PASSWORD@db:5432/postgres
+PGRST_DB_URI=postgres://authenticator:$PG_PASS_ENCODED@db:5432/postgres
 EOF
 
 cat > /run/supabase/realtime.env <<EOF
@@ -41,7 +44,7 @@ cat > /run/supabase/storage.env <<EOF
 ANON_KEY=$ANON_KEY
 SERVICE_KEY=$SERVICE_ROLE_KEY
 AUTH_JWT_SECRET=$JWT_SECRET
-DATABASE_URL=postgres://supabase_storage_admin:$POSTGRES_PASSWORD@db:5432/postgres
+DATABASE_URL=postgres://supabase_storage_admin:$PG_PASS_ENCODED@db:5432/postgres
 S3_PROTOCOL_ACCESS_KEY_ID=$S3_PROTOCOL_ACCESS_KEY_ID
 S3_PROTOCOL_ACCESS_KEY_SECRET=$S3_PROTOCOL_ACCESS_KEY_SECRET
 EOF
@@ -52,7 +55,7 @@ CRYPTO_KEY=$PG_META_CRYPTO_KEY
 EOF
 
 cat > /run/supabase/studio.env <<EOF
-POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+POSTGRES_PASSWORD=$PG_PASS_ENCODED
 PG_META_CRYPTO_KEY=$PG_META_CRYPTO_KEY
 SUPABASE_ANON_KEY=$ANON_KEY
 SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY
@@ -75,7 +78,7 @@ EOF
 
 cat > /run/supabase/pooler.env <<EOF
 POSTGRES_PASSWORD=$POSTGRES_PASSWORD
-DATABASE_URL=ecto://supabase_admin:$POSTGRES_PASSWORD@db:5432/_supabase
+DATABASE_URL=ecto://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
 SECRET_KEY_BASE=$SECRET_KEY_BASE
 VAULT_ENC_KEY=$VAULT_ENC_KEY
 API_JWT_SECRET=$JWT_SECRET