# yaml-language-server: $schema=https://schema.zeabur.app/template.json
apiVersion: zeabur.com/v1
kind: Template
metadata:
    name: zawa-pg-tls
spec:
    description: PostgreSQL 18 + pgvector + self-signed TLS — fork of Zeabur 773OAW with TLS baked into the image.
    tags:
        - Database
    readme: |
        zawa custom Postgres image ([ghcr.io/jigsawye/zawa-pg](https://github.com/jigsawye/zawa-pg)).

        Template is a direct fork of Zeabur marketplace template 773OAW (PostgreSQL with pgvector). Service definition (id, ports, volume, instructions, env order, configs file) is copied verbatim so the Zeabur dashboard treats this as a first-class Postgres service — Database tab, auto backup, exposed `POSTGRES_*` variables all work.

        Differences from 773OAW:
        - Image: `ghcr.io/jigsawye/zawa-pg:latest` — PG 18 + pgvector + self-signed TLS auto-generated on first boot, regenerated 30 days before expiry.
        - Two extra env vars: `SSL_SAN` (SAN list baked into the cert) and `LOG_TO_STDOUT` (unify stderr into Zeabur log stream).

        ## Connection

        - **Inter-service**: reference `${POSTGRES_CONNECTION_STRING}`. Self-signed TLS is enabled but not required by the server, so internal traffic over the Zeabur private network works without `sslmode`.
        - **External (Vercel, local psql)**: use the instruction-provided URL and append `?sslmode=require` for encrypted transport. On its own, `require` encrypts the connection without verifying the server's identity; `verify-full` requires distributing the root CA — see the [zawa-pg LE upgrade path](https://github.com/jigsawye/zawa-pg#lets-encrypt-upgrade-path) for the Let's Encrypt swap when needed.

        ## Restoring a backup

        Same flow as 773OAW: download + extract the backup `data.sql`, then run `<PostgreSQL Connect Command> < data.sql`. Restoring will replace the existing user password — strip `CREATE ROLE` / `ALTER ROLE` from the dump beforehand if you want to keep the current password.
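
        The filter below is an added example, not part of the zawa-pg project or the 773OAW template: it drops `CREATE ROLE` / `ALTER ROLE` statements from `data.sql` while leaving `COPY` data rows that merely start with those words untouched. It assumes a plain-SQL dump with each role statement on one line; `strip_role_statements` and `sample_dump` are hypothetical names, and the sample dump is constructed.

        ```shell
        # Usage: strip_role_statements < data.sql | psql "<connection URL>"
        strip_role_statements() {
            awk '
                # Inside a COPY ... FROM stdin block every line is table data: keep it.
                in_copy { print; if ($0 == "\\.") in_copy = 0; next }
                /^COPY .* FROM stdin;$/ { in_copy = 1; print; next }
                # Top-level role statements (assumed to be one line each).
                /^(CREATE|ALTER) ROLE / { next }
                { print }
            '
        }

        # Constructed sample dump: two role statements, then a table whose
        # only data row happens to begin with the words "ALTER ROLE".
        sample_dump() {
            printf '%s\n' \
                'CREATE ROLE zawa;' \
                "ALTER ROLE zawa WITH SUPERUSER LOGIN PASSWORD 'constructed-not-a-real-hash';" \
                'CREATE TABLE notes (body text);' \
                'COPY public.notes (body) FROM stdin;' \
                'ALTER ROLE is how you rotate a password' \
                '\.'
        }
        ```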
    services:
        - name: postgresql
          icon: https://cdn.zeabur.com/marketplace/postgresql.svg
          template: PREBUILT
          spec:
            id: postgresql
            source:
                image: ghcr.io/jigsawye/zawa-pg:latest
            ports:
                - id: database
                  port: 5432
                  type: TCP
            volumes:
                - id: data
                  dir: /var/lib/postgresql/18/docker
            instructions:
                - title: Connection String
                  content: postgresql://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@${PORT_FORWARDED_HOSTNAME}:${DATABASE_PORT_FORWARDED_PORT}/${POSTGRES_DATABASE}
                - title: PostgreSQL Connect Command
                  content: psql "postgresql://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@${PORT_FORWARDED_HOSTNAME}:${DATABASE_PORT_FORWARDED_PORT}/${POSTGRES_DATABASE}"
                - title: PostgreSQL username
                  content: ${POSTGRES_USERNAME}
                - title: PostgresSQL password
                  content: ${POSTGRES_PASSWORD}
                - title: PostgresSQL database
                  content: ${POSTGRES_DATABASE}
                - title: PostgreSQL host
                  content: ${PORT_FORWARDED_HOSTNAME}
                - title: PostgreSQL port
                  content: ${DATABASE_PORT_FORWARDED_PORT}
            env:
                LOG_TO_STDOUT:
                    default: "true"
                PGDATA:
                    default: /var/lib/postgresql/18/docker/pgdata
                POSTGRES_CONNECTION_STRING:
                    default: postgresql://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DATABASE}
                    expose: true
                POSTGRES_DATABASE:
                    default: ${POSTGRES_DB}
                    expose: true
                POSTGRES_DB:
                    default: zawa
                POSTGRES_HOST:
                    default: ${CONTAINER_HOSTNAME}
                    expose: true
                POSTGRES_PASSWORD:
                    default: ${PASSWORD}
                    expose: true
                POSTGRES_PORT:
                    default: ${DATABASE_PORT}
                    expose: true
                POSTGRES_URI:
                    default: ${POSTGRES_CONNECTION_STRING}
                    expose: true
                POSTGRES_USER:
                    default: zawa
                POSTGRES_USERNAME:
                    default: ${POSTGRES_USER}
                    expose: true
                SSL_SAN:
                    default: DNS:localhost
            configs:
                - path: /etc/postgresql/postgresql.conf
                  template: |
                    # https://github.com/postgres/postgres/blob/master/src/backend/utils/misc/postgresql.conf.sample
                    listen_addresses = '*'
                    max_connections = 256
                    shared_buffers = 256MB
                    dynamic_shared_memory_type = posix
                    max_wal_size = 1GB
                    min_wal_size = 80MB
                    log_timezone = 'UTC'
                    datestyle = 'iso, mdy'
                    timezone = 'UTC'
                    lc_messages = 'en_US.UTF-8'
                    lc_monetary = 'en_US.UTF-8'
                    lc_numeric = 'en_US.UTF-8'
                    lc_time = 'en_US.UTF-8'
                    default_text_search_config = 'pg_catalog.english'
                  permission: null
                  envsubst: null
localization:
    es-ES:
        description: PostgreSQL 18 + pgvector + TLS autofirmado — fork de Zeabur 773OAW, TLS integrado en la imagen.
        readme: |
            Imagen PG autohospedada ([ghcr.io/jigsawye/zawa-pg](https://github.com/jigsawye/zawa-pg)).

            Plantilla fork directa de 773OAW (PostgreSQL with pgvector). La definición del servicio se copia tal cual. Diferencias: imagen reemplazada por `ghcr.io/jigsawye/zawa-pg:latest` y dos env vars añadidos (`SSL_SAN`, `LOG_TO_STDOUT`).
    ja-JP:
        description: PostgreSQL 18 + pgvector + 自己署名 TLS — Zeabur 773OAW のフォーク、TLS 内蔵 image。
        readme: |
            自前ホスト PG イメージ（[ghcr.io/jigsawye/zawa-pg](https://github.com/jigsawye/zawa-pg)）。

            テンプレートは 773OAW（PostgreSQL with pgvector）の直接フォーク。サービス定義はそのまま。差分は image を `ghcr.io/jigsawye/zawa-pg:latest` に置き換え、`SSL_SAN` と `LOG_TO_STDOUT` の 2 つの env を追加のみ。
    zh-CN:
        description: PostgreSQL 18 + pgvector + 自签 TLS — Zeabur 773OAW 的 fork，TLS 内建在 image。
        readme: |
            zawa 自架 PG image（[ghcr.io/jigsawye/zawa-pg](https://github.com/jigsawye/zawa-pg)）。

            Template 是 Zeabur marketplace 773OAW（PostgreSQL with pgvector）的直接 fork，service 定义一字不动。仅差异：image 换成 `ghcr.io/jigsawye/zawa-pg:latest`、多两个环境变数（`SSL_SAN`、`LOG_TO_STDOUT`）。
    zh-TW:
        description: PostgreSQL 18 + pgvector + 自簽 TLS — Zeabur 773OAW 的 fork，TLS 內建在 image。
        readme: |
            zawa 自架 PG image（[ghcr.io/jigsawye/zawa-pg](https://github.com/jigsawye/zawa-pg)）。

            Template 是 Zeabur marketplace 773OAW（PostgreSQL with pgvector）的直接 fork，service 定義（id / ports / volume / instructions / env 順序 / configs 檔）一字不動，讓 Zeabur dashboard 把這當「正規 Postgres service」處理 — Database tab、auto backup、exposed `POSTGRES_*` 變數全部 work。

            跟 773OAW 的差異：
            - Image：`ghcr.io/jigsawye/zawa-pg:latest` — PG 18 + pgvector + 首次啟動自動產自簽 TLS cert，cert 過期 30 天前自動重簽
            - 多兩個 env 變數：`SSL_SAN`（cert SAN 列表）、`LOG_TO_STDOUT`（stderr 統一進 Zeabur log）

            ## 連線

            - **服務間互連**：reference `${POSTGRES_CONNECTION_STRING}`。自簽 TLS 雖開但 server 不強制，內網流量直接連無需 `sslmode`。
            - **外部（Vercel、local psql）**：用 instruction 給的 URL，後面加 `?sslmode=require` 取加密。要 `verify-full` 得分發 root CA — 換 Let's Encrypt 流程見 [zawa-pg LE upgrade path](https://github.com/jigsawye/zawa-pg#lets-encrypt-upgrade-path)。

            ## 還原備份

            跟 773OAW 一樣：從備份區下載解壓 `data.sql`，跑 `<PostgreSQL Connect Command> < data.sql`。**還原會覆蓋現有使用者密碼** — 想保留就先把 `CREATE ROLE` / `ALTER ROLE` 從 dump 拿掉。
