From c4b863644df1bad188af4c7f14c85dba080e95ba Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Mon, 27 Oct 2025 15:08:11 -0400
Subject: [PATCH 1/4] fix: update ext custom scripts to follow changes in Salt
---
 .../pgmq/after-create.sql | 16 ++++++++++---
 .../supabase_vault/after-create.sql | 23 +++++++++++++------
 2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
index f625c9fb3..701fce45b 100644
--- a/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
@@ -1,6 +1,7 @@
 do $$
 declare
 extoid oid := (select oid from pg_extension where extname = 'pgmq');
+ extversion text := (select extversion from pg_extension where extname = 'pgmq');
 r record;
 cls pg_class%rowtype;
 begin
@@ -18,8 +19,13 @@ begin
 physical backups everywhere */
 -- Detach and delete the official function
-alter extension pgmq drop function pgmq.drop_queue(TEXT);
-drop function pgmq.drop_queue(TEXT);
+if extversion = '1.4.4' then
+ alter extension pgmq drop function pgmq.drop_queue;
+ drop function pgmq.drop_queue;
+else -- 1.5.1+
+ alter extension pgmq drop function pgmq.drop_queue(TEXT);
+ drop function pgmq.drop_queue(TEXT);
+end if;
 -- Create and reattach the patched function
 CREATE FUNCTION pgmq.drop_queue(queue_name TEXT)
@@ -134,7 +140,11 @@ BEGIN
 END;
 $func$ LANGUAGE plpgsql;
-alter extension pgmq add function pgmq.drop_queue(TEXT);
+if extversion = '1.4.4' then
+ alter extension pgmq add function pgmq.drop_queue;
+else -- 1.5.1+
+ alter extension pgmq add function pgmq.drop_queue(TEXT);
+end if;
 update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';
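Review bot: The `else -- 1.5.1+` branches in the second and third hunks apply the `drop_queue(TEXT)` signature to every pgmq version other than `'1.4.4'`, including anything older, and the `extversion = '1.4.4'` test is written twice (detach, then reattach), so the two can drift when a further version needs handling. Deriving the signature once in `declare`, e.g. `drop_queue_sig text := case extversion when '1.4.4' then 'pgmq.drop_queue' else 'pgmq.drop_queue(TEXT)' end;`, and using `execute format('alter extension pgmq drop function %s', drop_queue_sig);` (and the matching `add function`) keeps the version knowledge in one place; the values are constants from the script itself, so the dynamic statement carries no injection surface. At minimum the comment should state the assumption, e.g. `else -- any other version (1.5.1+) is assumed to expose drop_queue(TEXT)`. The `do $$` block starts in the first hunk and ends after the third, and the patched `CREATE FUNCTION` body between hunks two and three is outside this diff.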
diff --git a/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
index f5c728428..234aeedc5 100644
--- a/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
@@ -1,8 +1,17 @@
-grant usage on schema vault to postgres with grant option;
-grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
-grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+do $$
+declare
+ extversion text := (select extversion from pg_extension where extname = 'supabase_vault');
+begin
+ set local search_path = '';
--- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
-grant usage on schema vault to service_role;
-grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
-grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
+ if extversion != '0.2.8' then
+ grant usage on schema vault to postgres with grant option;
+ grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+ grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+
+ -- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
+ grant usage on schema vault to service_role;
+ grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
+ grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
+ end if;
+end $$;
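Review bot: The `if extversion != '0.2.8'` guard also skips the three `postgres ... with grant option` grants, but the comment inside the branch only justifies why `service_role` needed nothing on `<=0.2.8`; if `postgres` should still receive `usage`/`select`/`delete`/`truncate`/`references`/`execute` on that version, those grants belong before the `if`. The comment says `<=0.2.8` while the test excludes exactly `'0.2.8'`, so a vault version older than 0.2.8, if one can be installed here, would still take the grant branch — either the comparison or the comment should say which is intended. `extversion` is read straight from `pg_extension`; should the extension be absent, `null != '0.2.8'` is unknown and the block silently grants nothing, so an explicit `if extversion is null then raise exception 'supabase_vault is not installed'; end if;` before the branch would turn that into a visible failure (presumably unreachable in an after-create script, but cheap).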
From 0aaa1cab4d50990054b8b8005f8f9c77dd03dd8f Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Tue, 28 Oct 2025 15:33:07 -0400
Subject: [PATCH 2/4] fix: include changes to search_path manipulation
---
 .../pgmq/after-create.sql | 7 +++++--
 .../supabase_vault/after-create.sql | 6 +++++-
 nix/tests/expected/pgmq.out | 7 +++++++
 nix/tests/expected/vault.out | 7 +++++++
 nix/tests/sql/pgmq.sql | 3 +++
 nix/tests/sql/vault.sql | 3 +++
 6 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
index 701fce45b..1581d93ca 100644
--- a/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/pgmq/after-create.sql
@@ -2,11 +2,11 @@ do $$
 declare
 extoid oid := (select oid from pg_extension where extname = 'pgmq');
 extversion text := (select extversion from pg_extension where extname = 'pgmq');
+ search_path text := (select current_setting('search_path'));
 r record;
 cls pg_class%rowtype;
 begin
-
- set local search_path = '';
+ perform set_config('search_path', '', true);
 /* Override the pgmq.drop_queue to check if relevant tables are owned
@@ -180,4 +180,7 @@ end if;
 end if;
 end loop;
+
+ -- restore configs
+ perform set_config('search_path', search_path, true);
 end $$;
diff --git a/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
index 234aeedc5..47a3b9ec8 100644
--- a/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/supabase_vault/after-create.sql
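Review bot: The new variable is named `search_path`, the same as the GUC it caches, so the restore in the second hunk, `perform set_config('search_path', search_path, true);`, reads like a self-assignment; a name such as `saved_search_path` makes the save/restore pair obvious, and the vault script's two hunks in this commit have the same naming. The `-- restore configs` comment could also say why the restore is needed, e.g. `-- restore the caller's search_path: the '' set above is transaction-local and later statements in this transaction would otherwise see it`, which is the assumption the new `show search_path` regression test pins. If the block raises before reaching the restore, the transaction aborts and the transaction-local setting is discarded with it, so no exception handler is needed for that path. Both hunks belong to one `do $$` block whose middle is outside this diff.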
@@ -1,8 +1,9 @@
 do $$
 declare
 extversion text := (select extversion from pg_extension where extname = 'supabase_vault');
+ search_path text := (select current_setting('search_path'));
 begin
- set local search_path = '';
+ perform set_config('search_path', '', true);
 if extversion != '0.2.8' then
 grant usage on schema vault to postgres with grant option;
@@ -14,4 +15,7 @@ begin
 grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
 grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
 end if;
+
+ -- restore configs
+ perform set_config('search_path', search_path, true);
 end $$;
diff --git a/nix/tests/expected/pgmq.out b/nix/tests/expected/pgmq.out
index c2d5d3eec..5314e226c 100644
--- a/nix/tests/expected/pgmq.out
+++ b/nix/tests/expected/pgmq.out
@@ -200,3 +200,10 @@ order by
 pgmq | validate_queue_name | postgres
 (40 rows)
+-- assert search_path is preserved after after-create script is run
+show search_path;
+ search_path
+-----------------------------------
+ "$user", public, auth, extensions
+(1 row)
+
diff --git a/nix/tests/expected/vault.out b/nix/tests/expected/vault.out
index 4ffb68664..0b1276736 100644
--- a/nix/tests/expected/vault.out
+++ b/nix/tests/expected/vault.out
@@ -97,3 +97,10 @@ ORDER BY
 vault | secrets | secrets_pkey | supabase_admin | Unique
 (2 rows)
+-- assert search_path is preserved after after-create script is run
+show search_path;
+ search_path
+-----------------------------------
+ "$user", public, auth, extensions
+(1 row)
+
diff --git a/nix/tests/sql/pgmq.sql b/nix/tests/sql/pgmq.sql
index dffb108bf..ef2d6d31d 100644
--- a/nix/tests/sql/pgmq.sql
+++ b/nix/tests/sql/pgmq.sql
@@ -101,3 +101,6 @@ where n.nspname = 'pgmq' order by p.proname;
+
+-- assert search_path is preserved after after-create script is run
+show search_path;
diff --git a/nix/tests/sql/vault.sql b/nix/tests/sql/vault.sql
index 81f4d22fb..c547c0c5e 100644
--- a/nix/tests/sql/vault.sql
+++ b/nix/tests/sql/vault.sql
@@ -51,3 +51,6 @@ WHERE ORDER BY t.relname, i.relname;
+
+-- assert search_path is preserved after after-create script is run
+show search_path;
From 025c676e305fe8e1cbb83963cdd88fe52b6459d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?=
Date: Tue, 11 Nov 2025 14:27:43 +0100
Subject: [PATCH 3/4] fix: nixos test running pg_regress for pgmq

Configure default `search_path` parameter for postgresql running in the nixos test environment.
---
 nix/ext/pgmq/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nix/ext/pgmq/default.nix b/nix/ext/pgmq/default.nix
index f1b288ce8..32a7354e2 100644
--- a/nix/ext/pgmq/default.nix
+++ b/nix/ext/pgmq/default.nix
@@ -100,6 +100,9 @@ buildEnv {
 passthru = {
 inherit versions numberOfVersions;
+ defaultSettings = {
+ search_path = "\"$user\", public, auth, extensions";
+ };
 pname = "${pname}-all";
 version = "multi-" + lib.concatStringsSep "-" (map (v: lib.replaceStrings [ "." ] [ "-" ] v) versions);
From 97e305e8950371ec706c453fbf854ed86fc23beb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?=
Date: Tue, 11 Nov 2025 14:27:43 +0100
Subject: [PATCH 4/4] fix: nixos test running pg_regress for vault

Configure default `search_path` parameter for postgresql running in the nixos test environment.
---
 nix/ext/tests/vault.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nix/ext/tests/vault.nix b/nix/ext/tests/vault.nix
index f5cbd8724..7b16247a5 100644
--- a/nix/ext/tests/vault.nix
+++ b/nix/ext/tests/vault.nix
@@ -84,6 +84,7 @@ self.inputs.nixpkgs.lib.nixos.runTest {
 settings = {
 "shared_preload_libraries" = "${pname},pgsodium";
 "pgsodium.getkey_script" = vaultGetKey;
+ "search_path" = "\"$user\", public, auth, extensions";
 "vault.getkey_script" = vaultGetKey;
 };
 };
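Review bot: The literal `"\"$user\", public, auth, extensions"` is now duplicated between `passthru.defaultSettings.search_path` in `nix/ext/pgmq/default.nix` and the hard-coded `"search_path"` entry in the vault test's `settings`, and the two tests reach the same value by different mechanisms; if the harness that consumes `defaultSettings` (not visible in this series) also serves the vault test, that test could take the value from there instead of restating it. Whichever way it is wired, a comment next to each setting would tie it to the assertion it exists for, e.g. `# must match the search_path asserted at the end of nix/tests/sql/vault.sql`. The enclosing `buildEnv {` and `runTest {` attribute sets begin and end outside these hunks.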