fix: remove postinst migrations, let app handle schema via sqlx

Root cause: postinst ran sqlx migrate as postgres (superuser), creating ALL
database objects owned by postgres. When pm-web connects as patch_manager, it
cannot ALTER TABLE during migrations because it does not own them. The
reassign_ownership() function never worked because REASSIGN OWNED BY postgres
TO patch_manager fails for superuser-owned objects.

Fix: Create the database owned by patch_manager (already done) and run all
migrations as patch_manager via PGPASSWORD auth. When all objects are owned by
patch_manager from the start, pm-web can ALTER them during upgrades.

Changes:
- Add psql_run_as_pm() helper that authenticates as patch_manager via PGPASSWORD
- Replace all psql_run_db calls in apply_migrations() with psql_run_as_pm
- Remove reassign_ownership() function entirely (it never worked)
- Remove reassign_ownership call from main()
- Add ALTER DEFAULT PRIVILEGES FOR ROLE postgres in setup_database() as safety
  net for any future migration that might run as postgres
- Upgrade GRANT USAGE/CREATE to GRANT ALL PRIVILEGES on schema public
- Keep pgcrypto extension creation as postgres (requires superuser)
- Renumber sections after removing reassign_ownership

Proven on live LPM system: service active, port 443 listening, all tables
owned by patch_manager.

Cargo.toml

@@ -12,7 +12,7 @@ members = [
 ]
 
 [workspace.package]
-version = "1.1.9"
+version = "1.1.12"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 license = "MIT"

debian/changelog

@@ -1,3 +1,21 @@
+linux-patch-manager (1.1.12-1) unstable; urgency=low
+
+  * Release v1.1.12
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 22:14:03 -0500
+
+linux-patch-manager (1.1.11-1) unstable; urgency=low
+
+  * Release v1.1.11
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 15:57:10 -0500
+
+linux-patch-manager (1.1.10-1) unstable; urgency=low
+
+  * Release v1.1.10
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 14:11:31 -0500
+
 linux-patch-manager (1.1.9-1) unstable; urgency=low
 
   * Release v1.1.9

debian/control

@@ -1,5 +1,5 @@
 Package: linux-patch-manager
-Version: 1.1.9-1
+Version: 1.1.12-1
 Architecture: amd64
 Maintainer: Moon Dragon <echo@moon-dragon.us>
 Installed-Size: 45000

debian/postinst

@@ -7,6 +7,9 @@ set -e
 # Fully automated: apt install ./linux-patch-manager_X.X.X-1_amd64.deb
 # results in a running service with a printed admin password.
 # All steps are idempotent (safe to re-run on upgrade).
+#
+# Migrations are handled by the application via sqlx on startup.
+# This script only creates the database, user, and grants.
 # =============================================================================
 
 RED='\033[0;31m'
@@ -22,7 +25,6 @@ error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
 DB_NAME="patch_manager"
 DB_USER="patch_manager"
 CONFIG_DIR="/etc/patch-manager"
-MIGRATION_DIR="/usr/share/patch-manager/migrations"
 ADMIN_PASSWORD_FILE="/etc/patch-manager/admin-password.txt"
 
 # ---------------------------------------------------------------------------
@@ -34,7 +36,7 @@ psql_run() {
 }
 
 psql_run_db() {
-    # Run SQL against the patch_manager database
+    # Run SQL against the patch_manager database as postgres superuser
     sudo -u postgres psql -v ON_ERROR_STOP=1 -d "${DB_NAME}" "$@" 2>/dev/null
 }
 
@@ -89,7 +91,7 @@ wait_for_postgresql() {
 }
 
 # ---------------------------------------------------------------------------
-# 4. Create PostgreSQL user and database (idempotent)
+# 4. Create PostgreSQL user, database, and grants (idempotent)
 # ---------------------------------------------------------------------------
 setup_database() {
     info "Setting up PostgreSQL database and user..."
@@ -140,84 +142,145 @@ setup_database() {
         info "Database '${DB_NAME}' already exists, skipping creation."
     fi
 
-    # Grant permissions (idempotent)
-    psql_run_db -c "GRANT USAGE ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
-    psql_run_db -c "GRANT CREATE ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
-    psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true
-}
-
-# ---------------------------------------------------------------------------
-# 5. Apply database migrations (idempotent)
-# ---------------------------------------------------------------------------
-apply_migrations() {
-    info "Applying database migrations..."
-
-    # Ensure pgcrypto extension is available
+    # Ensure pgcrypto extension is available (required by application migrations)
     psql_run_db -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" 2>/dev/null || true
 
-    # Create migration tracking table if not exists
-    psql_run_db <<'MIGSQL'
-CREATE TABLE IF NOT EXISTS _migrations (
-    id          SERIAL PRIMARY KEY,
-    filename    TEXT    NOT NULL UNIQUE,
-    applied_at  TIMESTAMPTZ NOT NULL DEFAULT now()
-);
-MIGSQL
+    # Grant full permissions so patch_manager owns and manages all objects
+    psql_run_db -c "GRANT ALL PRIVILEGES ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
+    psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true
+    # If any future migration runs as postgres, ensure objects are still accessible by patch_manager
+    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON TABLES TO ${DB_USER};" 2>/dev/null || true
+    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON SEQUENCES TO ${DB_USER};" 2>/dev/null || true
+    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON FUNCTIONS TO ${DB_USER};" 2>/dev/null || true
+}
 
-    # Handle upgrade from pre-migration-tracking versions:
-    # If tables exist but _migrations is empty, mark all existing migrations as applied.
-    local migration_count
-    migration_count=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM _migrations;" 2>/dev/null || echo "0")
-    migration_count="${migration_count// /}"
+# ---------------------------------------------------------------------------
+# 5. Write config.toml with DB URL
+# ---------------------------------------------------------------------------
+# Handles three scenarios:
+#   1. No config file → create from example with real DB password
+#   2. Config exists with CHANGEME → replace CHANGEME with real DB password
+#   3. Config exists with real password → leave it alone (upgrade)
+# ---------------------------------------------------------------------------
+write_config() {
+    local config_file="${CONFIG_DIR}/config.toml"
 
-    local tables_exist
-    tables_exist=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='users';" 2>/dev/null || echo "0")
-    tables_exist="${tables_exist// /}"
-
-    if [[ "${migration_count}" == "0" && "${tables_exist}" -gt 0 ]]; then
-        info "Existing database detected — marking all shipped migrations as already applied."
-        for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
-            local fname
-            fname=$(basename "${sql_file}")
-            psql_run_db -c "INSERT INTO _migrations (filename) VALUES ('${fname}') ON CONFLICT (filename) DO NOTHING;" 2>/dev/null || true
-        done
+    # Resolve the DB password to use: from setup_database() or generate fresh.
+    local db_password=""
+    if [[ -f /tmp/.pm-db-password-new ]]; then
+        db_password=$(cat /tmp/.pm-db-password-new)
     fi
 
-    # Apply each migration in sorted order, skipping already-applied ones
-    local applied=0
-    local skipped=0
-    for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
-        local fname
-        fname=$(basename "${sql_file}")
-
-        local already_applied
-        already_applied=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM _migrations WHERE filename='${fname}';" 2>/dev/null || echo "0")
-        already_applied="${already_applied// /}"
-
-        if [[ "${already_applied}" -gt 0 ]]; then
-            skipped=$((skipped + 1))
-            continue
-        fi
-
-        info "  Applying migration: ${fname}"
-        if psql_run_db -f "${sql_file}"; then
-            psql_run_db -c "INSERT INTO _migrations (filename) VALUES ('${fname}');" 2>/dev/null || true
-            applied=$((applied + 1))
+    if [[ -f "${config_file}" ]]; then
+        # Check if the config still has the CHANGEME placeholder
+        if grep -q 'CHANGEME' "${config_file}"; then
+            if [[ -z "${db_password}" ]]; then
+                # No password from setup_database() — generate a fresh one
+                db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
+                psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
+            fi
+            info "Replacing CHANGEME placeholder in existing config with real DB password."
+            sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
         else
-            error "  Failed to apply migration: ${fname}"
-            return 1
+            info "Config file ${config_file} already exists with a real password, leaving it unchanged."
+            return 0
         fi
-    done
-
-    if [[ "${applied}" -gt 0 ]]; then
-        info "Applied ${applied} new migration(s), skipped ${skipped} already applied."
     else
-        info "All migrations up to date (${skipped} already applied)."
+        # No config file — create from example
+        if [[ -z "${db_password}" ]]; then
+            db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
+            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
+        fi
+
+        info "Writing configuration file..."
+        cp /usr/share/patch-manager/config.example.toml "${config_file}"
+        sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
+    fi
+
+    chown patch-manager:patch-manager "${config_file}"
+    chmod 640 "${config_file}"
+    info "Configuration written to ${config_file}"
+}
+
+# ---------------------------------------------------------------------------
+# 6. Generate JWT keys (idempotent)
+# Only generates if missing; regenerates verify.pem from signing.pem if lost.
+# ---------------------------------------------------------------------------
+generate_jwt_keys() {
+    if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
+        info "Generating Ed25519 JWT signing key..."
+        openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
+        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
+        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
+        chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
+        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
+        info "JWT keys generated."
+    elif [[ ! -f "${CONFIG_DIR}/jwt/verify.pem" ]]; then
+        info "Regenerating missing JWT verification key from existing signing key..."
+        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
+        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/verify.pem"
+        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
+        info "JWT verification key regenerated."
+    else
+        info "JWT keys already exist, skipping."
     fi
 }
 
 # ---------------------------------------------------------------------------
-# 6. Generate admin password and update database
+# 7. Enable and start services
+# ---------------------------------------------------------------------------
+enable_and_start_services() {
+    systemctl daemon-reload
+
+    # Enable the target (which pulls in web + worker)
+    systemctl enable patch-manager.target 2>/dev/null || true
+
+    # Enable individual services so they survive a reboot
+    systemctl enable patch-manager-web.service patch-manager-worker.service 2>/dev/null || true
+
+    # Start or restart services
+    if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
+        info "Restarting patch-manager services (upgrade)..."
+        systemctl restart patch-manager.target 2>/dev/null || true
+    else
+        info "Starting patch-manager services..."
+        systemctl start patch-manager.target 2>/dev/null || true
+    fi
+}
+
+# ---------------------------------------------------------------------------
+# 8. Wait for pm-web service to be healthy
+# The application runs database migrations via sqlx on startup.
+# We must wait for it to be ready before generating the admin password,
+# since the users table won't exist until migrations complete.
+# ---------------------------------------------------------------------------
+wait_for_service_healthy() {
+    info "Waiting for pm-web service to become healthy (migrations run on startup)..."
+    local retries=30
+    local delay=1
+    local i
+    for ((i = 1; i <= retries; i++)); do
+        # Check if the service is active
+        if systemctl is-active --quiet patch-manager-web.service 2>/dev/null; then
+            # Service is active — try a health check on the HTTPS port
+            if curl -skf https://localhost:443/ >/dev/null 2>&1 || \
+               curl -skf https://localhost:8443/ >/dev/null 2>&1; then
+                info "pm-web is healthy."
+                return 0
+            fi
+        fi
+        warn "pm-web not ready yet (attempt ${i}/${retries}), waiting ${delay}s..."
+        sleep "${delay}"
+    done
+    error "pm-web did not become healthy after $((retries * delay)) seconds."
+    error "Admin password generation may fail because the users table may not exist yet."
+    return 1
+}
+
+# ---------------------------------------------------------------------------
+# 9. Generate admin password and update database
+# Must run AFTER the service has started and run migrations,
+# because the users table is created by sqlx migrations.
 # ---------------------------------------------------------------------------
 generate_admin_password() {
     info "Generating admin password..."
@@ -268,100 +331,6 @@ generate_admin_password() {
     fi
 }
 
-# ---------------------------------------------------------------------------
-# 7. Write config.toml with DB URL
-# ---------------------------------------------------------------------------
-# Handles three scenarios:
-#   1. No config file → create from example with real DB password
-#   2. Config exists with CHANGEME → replace CHANGEME with real DB password
-#   3. Config exists with real password → leave it alone (upgrade)
-# ---------------------------------------------------------------------------
-write_config() {
-    local config_file="${CONFIG_DIR}/config.toml"
-
-    # Resolve the DB password to use: from setup_database() or generate fresh.
-    local db_password=""
-    if [[ -f /tmp/.pm-db-password-new ]]; then
-        db_password=$(cat /tmp/.pm-db-password-new)
-    fi
-
-    if [[ -f "${config_file}" ]]; then
-        # Check if the config still has the CHANGEME placeholder
-        if grep -q 'CHANGEME' "${config_file}"; then
-            if [[ -z "${db_password}" ]]; then
-                # No password from setup_database() — generate a fresh one
-                db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
-                psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
-            fi
-            info "Replacing CHANGEME placeholder in existing config with real DB password."
-            sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
-        else
-            info "Config file ${config_file} already exists with a real password, leaving it unchanged."
-            return 0
-        fi
-    else
-        # No config file — create from example
-        if [[ -z "${db_password}" ]]; then
-            db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
-            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
-        fi
-
-        info "Writing configuration file..."
-        cp /usr/share/patch-manager/config.example.toml "${config_file}"
-        sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
-    fi
-
-    chown patch-manager:patch-manager "${config_file}"
-    chmod 640 "${config_file}"
-    info "Configuration written to ${config_file}"
-}
-
-# ---------------------------------------------------------------------------
-# 8. Generate JWT keys (idempotent)
-# Only generates if missing; regenerates verify.pem from signing.pem if lost.
-# ---------------------------------------------------------------------------
-generate_jwt_keys() {
-    if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
-        info "Generating Ed25519 JWT signing key..."
-        openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
-        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
-        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
-        chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
-        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
-        info "JWT keys generated."
-    elif [[ ! -f "${CONFIG_DIR}/jwt/verify.pem" ]]; then
-        info "Regenerating missing JWT verification key from existing signing key..."
-        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
-        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/verify.pem"
-        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
-        info "JWT verification key regenerated."
-    else
-        info "JWT keys already exist, skipping."
-    fi
-}
-
-# ---------------------------------------------------------------------------
-# 9. Enable and start services
-# ---------------------------------------------------------------------------
-enable_and_start_services() {
-    systemctl daemon-reload
-
-    # Enable the target (which pulls in web + worker)
-    systemctl enable patch-manager.target 2>/dev/null || true
-
-    # Enable individual services so they survive a reboot
-    systemctl enable patch-manager-web.service patch-manager-worker.service 2>/dev/null || true
-
-    # Start or restart services
-    if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
-        info "Restarting patch-manager services (upgrade)..."
-        systemctl restart patch-manager.target 2>/dev/null || true
-    else
-        info "Starting patch-manager services..."
-        systemctl start patch-manager.target 2>/dev/null || true
-    fi
-}
-
 # ---------------------------------------------------------------------------
 # 10. Install backup cron (idempotent)
 # ---------------------------------------------------------------------------
@@ -381,11 +350,11 @@ case "$1" in
         create_directories
         wait_for_postgresql
         setup_database
-        apply_migrations
-        generate_admin_password
         write_config
         generate_jwt_keys
         enable_and_start_services
+        wait_for_service_healthy
+        generate_admin_password
         install_backup_cron
 
         # Clean up temp file

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "patch-manager-ui",
   "private": true,
-  "version": "1.1.9",
+  "version": "1.1.12",
   "type": "module",
   "scripts": {
     "dev": "vite",

scripts/build-package.sh

@@ -22,7 +22,7 @@ warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
 error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
 
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-VERSION="1.1.9"
+VERSION="1.1.12"
 RELEASE="1"
 PKG_NAME="linux-patch-manager"
 DEB_NAME="${PKG_NAME}_${VERSION}-${RELEASE}_amd64.deb"