feat: initial release

.dockerignore

@@ -0,0 +1,5 @@
+# Don't include anything into context
+*
+
+# Except for wal-g wrapper
+!walg-wrapper.sh

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.{js,json,yml,ts}]
+charset = utf-8
+indent_style = space
+indent_size = 2

.github/workflows/release.yml

@@ -0,0 +1,60 @@
+name: Release
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Collect image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # @todo: elaborate on a better approach to versioning
+          tags: |
+            type=raw,value=16
+            type=raw,value=latest
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          sbom: true 
+          provenance: mode=max
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          annotations: ${{ steps.meta.outputs.annotations }}
+
+      - name: Attest
+        id: attest
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.gitignore

@@ -0,0 +1,14 @@
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+.history/
+*.app
+.snapshots/*
+
+.env
+.env.*
+
+docker-compose.yml

Dockerfile

@@ -0,0 +1,65 @@
+# syntax=docker/dockerfile:1
+# check=skip=SecretsUsedInArgOrEnv;error=true
+FROM postgres:16-bookworm
+
+# Install Peg dependencies
+RUN <<-EOF
+    set -x
+
+    # Install curl, ca-certifcates, and B4CKSP4CE Root CA
+    apt update
+    apt install -y curl ca-certificates
+    mkdir -p /usr/share/ca-certificates/bksp
+    curl -fSsl https://ca.bksp.in/root/bksp-root.crt -o /usr/share/ca-certificates/bksp/B4CKSP4CE_Root_CA.crt
+    echo "bksp/B4CKSP4CE_Root_CA.crt" | tee -a /etc/ca-certificates.conf
+    update-ca-certificates
+
+    # Determine WALG download URL and digest depending on architecture
+    ARCH=$(uname -m)
+    if [ "$ARCH" = "aarch64" ]; then
+        WALG_URL="https://github.com/wal-g/wal-g/releases/download/v3.0.3/wal-g-pg-ubuntu20.04-aarch64"
+        WALG_SHA256="3aec9024959319468ac637ea4b2e215fe20511672669969077733ee5c3fd1466"
+    elif [ "$ARCH" = "x86_64" ]; then
+        WALG_URL="https://github.com/wal-g/wal-g/releases/download/v3.0.3/wal-g-pg-ubuntu-20.04-amd64"
+        WALG_SHA256="0b46652f23fb4d09fa08f3d536b72806e597c4e20d0a09d960d6337bc2368e8b"
+    else
+        echo "Unsupported architecture"
+        exit 1
+    fi
+
+    # Download wal-g and verify its checksum
+    curl -fsSL -o "/usr/local/bin/wal-g" "$WALG_URL"
+    echo "${WALG_SHA256}  /usr/local/bin/wal-g" | sha256sum -c -
+    chmod +x /usr/local/bin/wal-g
+
+    # Tidy up
+    apt clean
+    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
+EOF
+
+# Define B4CKSP4CE-specific environment variables
+ENV \
+    # Prefer unix socket connection for wal-g 
+    PGHOST=/var/run/postgresql \
+    # Set Governance Object Lock for 10 years by default
+    S3_RETENTION_MODE="GOVERNANCE" \
+    S3_RETENTION_PERIOD=315569520 \
+    # Expect encryption key to be in Base64
+    WALG_LIBSODIUM_KEY_TRANSFORM="base64" \
+    # Set default compression method to zstd
+    WALG_COMPRESSION_METHOD="zstd" \
+    # Use Yandex Cloud as default storage
+    AWS_ENDPOINT="https://storage.yandexcloud.net"
+
+# Enable pg_isready healthcheck
+HEALTHCHECK --interval=10s --start-period=10s --timeout=5s --retries=5 CMD [ "pg_isready" ]
+
+# Copy wal-g wrapper, ensuring it is executable
+COPY ./walg-wrapper.sh /usr/local/bin/walg-wrapper.sh
+RUN chmod +x /usr/local/bin/walg-wrapper.sh
+
+# Drop privileges to postgres user
+USER postgres
+
+# Append WAL configuration to default postgresql.conf
+ENV POSTGRES_INITDB_ARGS="-c archive_mode=always -c archive_timeout=1h -c archive_command='walg-wrapper.sh wal-push /var/lib/postgresql/data/%p' -c restore_command='walg-wrapper.sh wal-fetch %f /var/lib/postgresql/data/%p'"