From a6689a3137f29d6c5142af5a44b8e31b0508421b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?= <jfroche@pyxel.be>
Date: Mon, 27 Oct 2025 23:36:36 +0100
Subject: [PATCH 1/3] feat: migrate from the DetSys Nix installer to the
 official Nix installer

Pin nix to v2.32.2

chore: bump to release
---
 Dockerfile-15                                      | 14 +++++++-------
 Dockerfile-17                                      | 11 ++++++-----
 Dockerfile-orioledb-17                             | 11 ++++++-----
 .../pg_upgrade_scripts/initiate.sh                 |  9 +++++----
 ansible/vars.yml                                   |  6 +++---
 ebssurrogate/scripts/qemu-bootstrap-nix.sh         | 12 +++++++-----
 scripts/nix-provision.sh                           | 10 ++++++----
 7 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/Dockerfile-15 b/Dockerfile-15
index d6b25b0c5..357119c4c 100644
--- a/Dockerfile-15
+++ b/Dockerfile-15
@@ -52,19 +52,19 @@ RUN apt update -y && apt install -y \
 
 RUN adduser --system  --home /var/lib/postgresql --no-create-home --shell /bin/bash --group --gecos "PostgreSQL administrator" postgres
 RUN adduser --system  --no-create-home --shell /bin/bash --group  wal-g
-RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
---init none \
---no-confirm \
---extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \
---extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-
+RUN cat <<EOF > /tmp/extra-nix.conf
+extra-experimental-features = nix-command flakes
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EOF
+RUN curl -L https://releases.nixos.org/nix/nix-2.32.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
 
 COPY . /nixpg
 
 WORKDIR /nixpg
 
-RUN nix profile install .#psql_15/bin 
+RUN nix profile install .#psql_15/bin
 
 RUN nix store gc
 
diff --git a/Dockerfile-17 b/Dockerfile-17
index c4c3d00e2..9cf39713d 100644
--- a/Dockerfile-17
+++ b/Dockerfile-17
@@ -54,11 +54,12 @@ RUN apt update -y && apt install -y \
 
 RUN adduser --system  --home /var/lib/postgresql --no-create-home --shell /bin/bash --group --gecos "PostgreSQL administrator" postgres
 RUN adduser --system  --no-create-home --shell /bin/bash --group  wal-g
-RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
---init none \
---no-confirm \
---extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \
---extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+RUN cat <<EOF > /tmp/extra-nix.conf
+extra-experimental-features = nix-command flakes
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EOF
+RUN curl -L https://releases.nixos.org/nix/nix-2.32.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
 
diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17
index 28647298a..53d64cae8 100644
--- a/Dockerfile-orioledb-17
+++ b/Dockerfile-orioledb-17
@@ -54,11 +54,12 @@ RUN apt update -y && apt install -y \
 
 RUN adduser --system  --home /var/lib/postgresql --no-create-home --shell /bin/bash --group --gecos "PostgreSQL administrator" postgres
 RUN adduser --system  --no-create-home --shell /bin/bash --group  wal-g
-RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
---init none \
---no-confirm \
---extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \
---extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+RUN cat <<EOF > /tmp/extra-nix.conf
+extra-experimental-features = nix-command flakes
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EOF
+RUN curl -L https://releases.nixos.org/nix/nix-2.32.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
 
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
index 1a602efd7..446cd2797 100755
--- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
+++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -289,10 +289,11 @@ function initiate_upgrade {
                         --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
                     else
                         echo "1.1.1. Installing Nix using the official installer"
-
-                        curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
-                        --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \
-                        --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+                        sh <(curl -L https://releases.nixos.org/nix/nix-2.32.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+extra-experimental-features = nix-command flakes
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EXTRA_NIX_CONF
                     fi
                 else 
                     echo "1.1. Nix is installed; moving on."
diff --git a/ansible/vars.yml b/ansible/vars.yml
index b6d56a417..dc2af3b7a 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.064-orioledb"
-  postgres17: "17.6.1.043"
-  postgres15: "15.14.1.043"
+  postgresorioledb-17: "17.5.1.050-orioledb-inst-1"
+  postgres17: "17.6.1.029-inst-1"
+  postgres15: "15.14.1.029-inst-1"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
index b64cf9faf..332cd3354 100755
--- a/ebssurrogate/scripts/qemu-bootstrap-nix.sh
+++ b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
@@ -82,11 +82,13 @@ execute_playbook
 ####################
 
 function install_nix() {
-	sudo su -c "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
-    --extra-conf \"substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com\" \
-    --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root
-	. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
-
+    sudo su -c "sh <(curl -L https://releases.nixos.org/nix/nix-2.32.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+extra-experimental-features = nix-command flakes
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EXTRA_NIX_CONF" -s /bin/bash root
+    #shellcheck disable=SC1091
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
 }
 
 function execute_stage2_playbook {
diff --git a/scripts/nix-provision.sh b/scripts/nix-provision.sh
index f114bc6bb..9fbd37153 100644
--- a/scripts/nix-provision.sh
+++ b/scripts/nix-provision.sh
@@ -23,11 +23,13 @@ function install_packages {
 
 
 function install_nix() {
-    sudo su -c "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
-    --extra-conf \"substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com\" \
-    --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root
+    sudo su -c "sh <(curl -L https://releases.nixos.org/nix/nix-2.32.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+extra-experimental-features = nix-command flakes
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EXTRA_NIX_CONF" -s /bin/bash root
+    #shellcheck disable=SC1091
     . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
-
 }
 
 

From b90a5a19a148ad7d9550041a0af82d2c03c3ddc6 Mon Sep 17 00:00:00 2001
From: Sam Rose <samuel@supabase.io>
Date: Mon, 10 Nov 2025 16:35:55 -0500
Subject: [PATCH 2/3] chore: bump to release

---
 ansible/vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/vars.yml b/ansible/vars.yml
index dc2af3b7a..f394fcf1e 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.050-orioledb-inst-1"
-  postgres17: "17.6.1.029-inst-1"
-  postgres15: "15.14.1.029-inst-1"
+  postgresorioledb-17: "17.5.1.065-orioledb"
+  postgres17: "17.6.1.044"
+  postgres15: "15.14.1.044"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0

From fcc28b5b77c26ebbcee68670fa7bc59b1a5cdfeb Mon Sep 17 00:00:00 2001
From: Sam Rose <samuel@supabase.io>
Date: Mon, 10 Nov 2025 16:50:15 -0500
Subject: [PATCH 3/3] chore: no release, just a core change but not related to
 features in release

---
 ansible/vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/vars.yml b/ansible/vars.yml
index f394fcf1e..b6d56a417 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.065-orioledb"
-  postgres17: "17.6.1.044"
-  postgres15: "15.14.1.044"
+  postgresorioledb-17: "17.5.1.064-orioledb"
+  postgres17: "17.6.1.043"
+  postgres15: "15.14.1.043"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0