migrate host-agent from SQLite to PostgreSQL; fix startup race condition

- Replace SQLite with pgx driver for PostgreSQL connection
- Update schema.sql with PostgreSQL syntax (SERIAL, BOOLEAN, $1 params)
- Add DATABASE_URL config, derived from postgres module settings
- Use sqlmock for unit tests instead of real database dependency
- Add bloud-db-init user service to create host-agent database
- Fix Authentik startup: depend on bloud-db-init for prestart hooks
- Skip DB connection in configure.go for apps without configurators
- Remove unused hosts and config tables from schema

Author: d-buckner

README.md

@@ -47,15 +47,27 @@ Self-hosting is overwhelming. Setting up Immich, Nextcloud, and Jellyfin takes h
 
 Bloud combines declarative configuration with a dependency graph and idempotent reconciliation to eliminate manual setup.
 
-**Integration Graph** - Each app declares what it needs: "I need PostgreSQL", "I support OAuth". Bloud builds a dependency graph from these declarations. Enable Miniflux, and the graph knows it needs a PostgreSQL database and Authentik OAuth. Enable any app with OAuth support, and it gets wired to Authentik automatically.
+### Integration Graph
 
-**Idempotent Reconciliation** - Instead of fragile setup scripts that run once, Bloud uses Go configurators that reconcile desired state. They run on every startup: "Miniflux should have this OAuth provider configured. Does it? No? Add it. Yes? Move on." This means partial failures self-heal, and you can add new apps without re-running setup for existing ones.
+Each app declares what it needs: "I need PostgreSQL", "I support OAuth". Bloud builds a dependency graph from these declarations. Enable Miniflux, and the graph knows it needs a PostgreSQL database and Authentik OAuth. Enable any app with OAuth support, and it gets wired to Authentik automatically.
 
-**Declarative Everything** - Apps are defined in `metadata.yaml` (what it needs) and `module.nix` (how to run it). Enable an app in your Nix config, rebuild, and NixOS generates the systemd units, creates the container, provisions the database, generates OAuth credentials, and starts everything in the right order.
+### Idempotent Reconciliation
 
-**Shared Infrastructure** - Instead of each app running its own PostgreSQL, all apps share one instance. Bloud creates databases and users automatically. Same for Redis. Fewer containers, less RAM, simpler backups.
+Instead of fragile setup scripts that run once, Bloud uses Go configurators that reconcile desired state. They run on every startup: "Miniflux should have this OAuth provider configured. Does it? No? Add it. Yes? Move on." This means partial failures self-heal, and you can add new apps without re-running setup for existing ones.
 
-**Health-Aware Startup** - The graph also determines startup order. Services declare dependencies with health checks. PostgreSQL starts first and becomes healthy. Then Authentik. Then apps that need both. Systemd handles the orchestration.
+### Declarative Everything
+
+Apps are defined in `metadata.yaml` (what it needs) and `module.nix` (how to run it). Enable an app in your Nix config, rebuild, and NixOS generates the systemd units, creates the container, provisions the database, generates OAuth credentials, and starts everything in the right order.
+
+### Shared Infrastructure
+
+Instead of each app running its own PostgreSQL, all apps share one instance. Bloud creates databases and users automatically. Same for Redis. Fewer containers, less RAM, simpler backups.
+
+### Health-Aware Startup
+
+The graph also determines startup order. Services declare dependencies with health checks. PostgreSQL starts first and becomes healthy. Then Authentik. Then apps that need both. Systemd handles the orchestration.
+
+---
 
 The result: enable apps in a config file, rebuild, and the system figures out what to provision, how to connect everything, and what order to start it.
 

apps/authentik/module.nix

@@ -146,8 +146,10 @@ in
         network = "apps-net";
         dependsOn = [ "apps-network" "apps-postgres" "apps-redis" ];
         userns = "keep-id";
-        extraAfter = [ "authentik-db-init.service" ];
-        extraRequires = [ "authentik-db-init.service" ];
+        # bloud-db-init creates the host-agent database (needed by prestart hook)
+        # authentik-db-init creates the authentik database (needed by server)
+        extraAfter = [ "bloud-db-init.service" "authentik-db-init.service" ];
+        extraRequires = [ "bloud-db-init.service" "authentik-db-init.service" ];
         waitFor = [
           { container = "apps-postgres"; command = "pg_isready -U ${postgresUser}"; }
           { container = "apps-redis"; command = "redis-cli ping"; }
@@ -182,8 +184,10 @@ in
         network = "apps-net";
         dependsOn = [ "apps-network" "apps-postgres" "apps-redis" ];
         userns = "keep-id";
-        extraAfter = [ "authentik-db-init.service" ];
-        extraRequires = [ "authentik-db-init.service" ];
+        # bloud-db-init creates the host-agent database (needed by prestart hook)
+        # authentik-db-init creates the authentik database (needed by worker)
+        extraAfter = [ "bloud-db-init.service" "authentik-db-init.service" ];
+        extraRequires = [ "bloud-db-init.service" "authentik-db-init.service" ];
         waitFor = [
           { container = "apps-postgres"; command = "pg_isready -U ${postgresUser}"; }
           { container = "apps-redis"; command = "redis-cli ping"; }

nixos/bloud.nix

@@ -98,6 +98,47 @@ in
       };
     };
 
+    # Initialize the bloud database (required for app configurator hooks)
+    # Apps with configurators should add this to their After= dependencies
+    systemd.user.services.bloud-db-init = {
+      description = "Initialize bloud database for host-agent";
+      after = [ "podman-apps-postgres.service" ];
+      requires = [ "podman-apps-postgres.service" ];
+      wantedBy = [ "bloud-apps.target" ];
+      before = [ "bloud-apps.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = pkgs.writeShellScript "bloud-db-init" ''
+          set -e
+
+          # Wait for postgres to be ready (with timeout)
+          echo "Waiting for PostgreSQL to be ready..."
+          for i in $(seq 1 30); do
+            if ${pkgs.podman}/bin/podman exec apps-postgres pg_isready -U ${config.bloud.apps.postgres.user} > /dev/null 2>&1; then
+              echo "PostgreSQL is ready"
+              break
+            fi
+            if [ $i -eq 30 ]; then
+              echo "Timeout waiting for PostgreSQL"
+              exit 1
+            fi
+            sleep 2
+          done
+
+          # Create database if not exists
+          if ! ${pkgs.podman}/bin/podman exec apps-postgres psql -U ${config.bloud.apps.postgres.user} -tc "SELECT 1 FROM pg_database WHERE datname = 'bloud'" | grep -q 1; then
+            echo "Creating bloud database..."
+            ${pkgs.podman}/bin/podman exec apps-postgres psql -U ${config.bloud.apps.postgres.user} -c "CREATE DATABASE bloud"
+            ${pkgs.podman}/bin/podman exec apps-postgres psql -U ${config.bloud.apps.postgres.user} -c "GRANT ALL PRIVILEGES ON DATABASE bloud TO ${config.bloud.apps.postgres.user}"
+            echo "Database created successfully"
+          else
+            echo "Database bloud already exists"
+          fi
+        '';
+      };
+    };
+
     # Helper commands
     environment.systemPackages = [
       (pkgs.writeShellScriptBin "bloud-test" ''

nixos/modules/host-agent.nix

@@ -2,10 +2,14 @@
 
 let
   cfg = config.bloud.host-agent;
+  postgresCfg = config.bloud.apps.postgres;
 
   userHome = "/home/${cfg.user}";
   defaultDataDir = "${userHome}/.local/share/bloud";
 
+  # Build database URL from postgres config
+  databaseURL = "postgres://${postgresCfg.user}:${postgresCfg.password}@localhost:5432/bloud?sslmode=disable";
+
   # For initial development, we'll use a manually built binary
   # The binary should be built and placed at /tmp/host-agent
   # Later: Use buildGoModule for proper Nix packaging
@@ -40,28 +44,73 @@ in
     dataDir = lib.mkOption {
       type = lib.types.str;
       default = defaultDataDir;
-      description = "Directory for host agent data (SQLite, configs, catalog)";
+      description = "Directory for host agent data (configs, catalog)";
     };
   };
 
   config = lib.mkIf cfg.enable {
     # Create data directories
     system.activationScripts.bloud-host-agent-dirs = lib.stringAfter [ "users" ] ''
-      mkdir -p ${cfg.dataDir}/{state,nixos/apps,catalog}
+      mkdir -p ${cfg.dataDir}/{nixos/apps,catalog}
       chown -R ${cfg.user}:users ${cfg.dataDir}
     '';
 
+    # Database initialization service
+    systemd.services.bloud-host-agent-db-init = {
+      description = "Initialize bloud host-agent database";
+      after = [ "podman-apps-postgres.service" ];
+      requires = [ "podman-apps-postgres.service" ];
+      before = [ "bloud-host-agent.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        User = cfg.user;
+        Group = "users";
+        ExecStart = pkgs.writeShellScript "bloud-db-init" ''
+          set -e
+
+          # Wait for postgres to be ready
+          echo "Waiting for PostgreSQL to be ready..."
+          for i in $(seq 1 30); do
+            if ${pkgs.podman}/bin/podman exec apps-postgres pg_isready -U ${postgresCfg.user} > /dev/null 2>&1; then
+              echo "PostgreSQL is ready"
+              break
+            fi
+            if [ $i -eq 30 ]; then
+              echo "Timeout waiting for PostgreSQL"
+              exit 1
+            fi
+            sleep 2
+          done
+
+          # Create database if not exists
+          if ! ${pkgs.podman}/bin/podman exec apps-postgres psql -U ${postgresCfg.user} -tc "SELECT 1 FROM pg_database WHERE datname = 'bloud'" | grep -q 1; then
+            echo "Creating bloud database..."
+            ${pkgs.podman}/bin/podman exec apps-postgres psql -U ${postgresCfg.user} -c "CREATE DATABASE bloud"
+            ${pkgs.podman}/bin/podman exec apps-postgres psql -U ${postgresCfg.user} -c "GRANT ALL PRIVILEGES ON DATABASE bloud TO ${postgresCfg.user}"
+            echo "Database created successfully"
+          else
+            echo "Database bloud already exists"
+          fi
+        '';
+      };
+    };
+
     # systemd service (system-wide, NOT user service)
     # Runs as user but system-wide so it can manage system state
     systemd.services.bloud-host-agent = {
       description = "Bloud Host Agent - App Management & Web UI";
-      after = [ "network-online.target" ];
+      after = [ "network-online.target" "bloud-host-agent-db-init.service" ];
       wants = [ "network-online.target" ];
+      requires = [ "bloud-host-agent-db-init.service" ];
       wantedBy = [ "multi-user.target" ];
 
       environment = {
         BLOUD_PORT = toString cfg.port;
         BLOUD_DATA_DIR = cfg.dataDir;
+        DATABASE_URL = databaseURL;
       };
 
       serviceConfig = {

package.json

@@ -7,7 +7,7 @@
     "services/host-agent/web"
   ],
   "scripts": {
-    "setup": "npm install && npm run cli:build && echo '\n✓ Setup complete! Run ./bloud start to begin development.'",
+    "setup": "npm install && npm run cli:build",
     "cli:build": "cd cli && go build -o ../bloud .",
     "dev": "turbo run dev",
     "build": "turbo run build",

services/host-agent/cmd/host-agent/configure.go

@@ -35,8 +35,26 @@ func runConfigure(args []string) int {
 
 	cfg := config.Load()
 
-	// Initialize database (read-only for configure commands)
-	database, err := db.InitDB(cfg.DataDir)
+	// Create and populate registry first to check if app has a configurator
+	registry := configurator.NewRegistry(logger)
+	appconfig.RegisterAll(registry, cfg)
+
+	// For prestart/poststart, check if app has a configurator before initializing DB
+	// This avoids chicken-and-egg problems for infrastructure apps (postgres, redis)
+	if action == "prestart" || action == "poststart" {
+		if len(args) < 2 {
+			fmt.Fprintf(os.Stderr, "Usage: bloud-agent configure %s <app-name>\n", action)
+			return 1
+		}
+		appName := args[1]
+		if registry.Get(appName) == nil {
+			logger.Debug("no configurator registered, skipping", "app", appName)
+			return 0
+		}
+	}
+
+	// Initialize database (required for apps with configurators)
+	database, err := db.InitDB(cfg.DatabaseURL)
 	if err != nil {
 		logger.Error("failed to initialize database", "error", err)
 		return 1
@@ -46,26 +64,14 @@ func runConfigure(args []string) int {
 	// Create app store
 	appStore := store.NewAppStore(database)
 
-	// Create and populate registry
-	registry := configurator.NewRegistry(logger)
-	appconfig.RegisterAll(registry, cfg)
-
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
 
 	switch action {
 	case "prestart":
-		if len(args) < 2 {
-			fmt.Fprintln(os.Stderr, "Usage: bloud-agent configure prestart <app-name>")
-			return 1
-		}
 		return runPreStart(ctx, args[1], registry, appStore, cfg.DataDir, cfg, logger)
 
 	case "poststart":
-		if len(args) < 2 {
-			fmt.Fprintln(os.Stderr, "Usage: bloud-agent configure poststart <app-name>")
-			return 1
-		}
 		return runPostStart(ctx, args[1], registry, appStore, cfg.DataDir, logger)
 
 	case "reconcile":

services/host-agent/cmd/host-agent/main.go

@@ -51,7 +51,7 @@ func runServer() {
 	)
 
 	// Initialize database
-	database, err := db.InitDB(cfg.DataDir)
+	database, err := db.InitDB(cfg.DatabaseURL)
 	if err != nil {
 		logger.Error("failed to initialize database", "error", err)
 		os.Exit(1)
@@ -117,3 +117,4 @@ func runServer() {
 
 	logger.Info("server stopped gracefully")
 }
+

services/host-agent/go.mod

@@ -4,35 +4,35 @@ go 1.24.0
 
 require (
 	codeberg.org/d-buckner/bloud-v3/apps v0.0.0
+	github.com/DATA-DOG/go-sqlmock v1.5.2
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/cors v1.2.2
+	github.com/jackc/pgx/v5 v5.7.2
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/stretchr/testify v1.11.1
 	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/sqlite v1.42.2
 )
 
 replace codeberg.org/d-buckner/bloud-v3/apps => ../../apps
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/google/uuid v1.6.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
-	modernc.org/libc v1.66.10 // indirect
-	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.11.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 )