From bba65935ec49a2441f3c4d6e8ce0526f065ff722 Mon Sep 17 00:00:00 2001
From: Jakob Meier <comcloudway@ccw.icu>
Date: Mon, 4 Dec 2023 08:27:01 +0100
Subject: [PATCH] Fetch database schema from project repo instead of using
 local copy

When installing the latest version of a given package (instead of
upgrading), sourcehut assumes that you also use the newest schema.sql
file.
This means that when you are using an older schema version, database
migrations won't create the missing tables.
Instead we now fetch the latest database schema before running the
playbook to match the latest version.
---
 roles/builds.sr.ht/tasks/db.yml          |   6 +-
 roles/builds.sr.ht/templates/schema.psql | 168 --------------
 roles/git.sr.ht/tasks/db.yml             |   6 +-
 roles/git.sr.ht/templates/schema.psql    | 227 -------------------
 roles/hub.sr.ht/tasks/db.yml             |   6 +-
 roles/hub.sr.ht/templates/schema.psql    | 103 ---------
 roles/meta.sr.ht/tasks/db.yml            |   6 +-
 roles/meta.sr.ht/templates/schema.psql   | 265 -----------------------
 8 files changed, 12 insertions(+), 775 deletions(-)
 delete mode 100644 roles/builds.sr.ht/templates/schema.psql
 delete mode 100644 roles/git.sr.ht/templates/schema.psql
 delete mode 100644 roles/hub.sr.ht/templates/schema.psql
 delete mode 100644 roles/meta.sr.ht/templates/schema.psql

diff --git a/roles/builds.sr.ht/tasks/db.yml b/roles/builds.sr.ht/tasks/db.yml
index 4c049b5..0cd54da 100644
--- a/roles/builds.sr.ht/tasks/db.yml
+++ b/roles/builds.sr.ht/tasks/db.yml
@@ -1,7 +1,7 @@
 ---
-- name: Copy database schema to host
-  ansible.builtin.template:
-    src: schema.psql
+- name: Download database schema from git.sr.ht
+  ansible.builtin.get_url:
+    url: https://git.sr.ht/~sircmpwn/builds.sr.ht/blob/master/schema.sql
     dest: /tmp/buildssrht.psql
 
 - name: Create database
diff --git a/roles/builds.sr.ht/templates/schema.psql b/roles/builds.sr.ht/templates/schema.psql
deleted file mode 100644
index cb53ea7..0000000
--- a/roles/builds.sr.ht/templates/schema.psql
+++ /dev/null
@@ -1,168 +0,0 @@
-CREATE TYPE auth_method AS ENUM (
-	'OAUTH_LEGACY',
-	'OAUTH2',
-	'COOKIE',
-	'INTERNAL',
-	'WEBHOOK'
-);
-
-CREATE TYPE webhook_event AS ENUM (
-	'JOB_CREATED'
-);
-
-CREATE TYPE visibility AS ENUM (
-	'PUBLIC',
-	'UNLISTED',
-	'PRIVATE'
-);
-
-CREATE TABLE "user" (
-	id serial PRIMARY KEY,
-	username character varying(256) UNIQUE,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	oauth_token character varying(256),
-	oauth_token_expires timestamp without time zone,
-	email character varying(256) NOT NULL,
-	user_type character varying DEFAULT 'active_non_paying'::character varying NOT NULL,
-	url character varying(256),
-	location character varying(256),
-	bio character varying(4096),
-	oauth_token_scopes character varying DEFAULT 'profile'::character varying,
-	oauth_revocation_token character varying(256),
-	suspension_notice character varying(4096)
-);
-
-CREATE TABLE secret (
-	id serial PRIMARY KEY,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	uuid uuid NOT NULL,
-	name character varying(512),
-	from_user_id integer REFERENCES "user"(id) ON DELETE SET NULL,
-	-- Key secrets:
-	secret_type character varying NOT NULL,
-	secret bytea NOT NULL,
-	-- File secrets:
-	path character varying(512),
-	mode integer,
-	CONSTRAINT secret_user_id_uuid_unique UNIQUE (user_id, uuid)
-);
-
-CREATE INDEX ix_user_username ON "user" USING btree (username);
-
-CREATE TABLE job_group (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	note character varying(4096)
-);
-
-CREATE TABLE job (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	manifest character varying(16384) NOT NULL,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	job_group_id integer REFERENCES job_group(id) ON DELETE SET NULL,
-	note character varying(4096),
-	tags character varying,
-	runner character varying,
-	status character varying NOT NULL,
-	secrets boolean DEFAULT true NOT NULL,
-	image character varying(128),
-	visibility visibility NOT NULL
-);
-
-CREATE INDEX ix_job_owner_id ON job USING btree (owner_id);
-
-CREATE INDEX ix_job_job_group_id ON job USING btree (job_group_id);
-
-CREATE TABLE artifact (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	job_id integer NOT NULL REFERENCES job(id) ON DELETE CASCADE,
-	name character varying NOT NULL,
-	path character varying NOT NULL,
-	url character varying NOT NULL,
-	size integer NOT NULL
-);
-
-CREATE TABLE task (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	name character varying(256) NOT NULL,
-	status character varying NOT NULL,
-	job_id integer NOT NULL REFERENCES job(id) ON DELETE CASCADE
-);
-
-CREATE INDEX ix_task_job_id ON task USING btree (job_id);
-
-CREATE TABLE trigger (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	details character varying(4096) NOT NULL,
-	condition character varying NOT NULL,
-	trigger_type character varying NOT NULL,
-	job_id integer REFERENCES job(id) ON DELETE CASCADE,
-	job_group_id integer REFERENCES job_group(id) ON DELETE CASCADE
-);
-
--- GraphQL webhooks
-CREATE TABLE gql_user_wh_sub (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	events webhook_event[] NOT NULL,
-	url character varying NOT NULL,
-	query character varying NOT NULL,
-	auth_method auth_method NOT NULL,
-	token_hash character varying(128),
-	grants character varying,
-	client_id uuid,
-	expires timestamp without time zone,
-	node_id character varying,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	CONSTRAINT gql_user_wh_sub_auth_method_check
-		CHECK ((auth_method = ANY (ARRAY['OAUTH2'::auth_method, 'INTERNAL'::public.auth_method]))),
-	CONSTRAINT gql_user_wh_sub_check
-		CHECK (((auth_method = 'OAUTH2'::auth_method) = (token_hash IS NOT NULL))),
-	CONSTRAINT gql_user_wh_sub_check1
-		CHECK (((auth_method = 'OAUTH2'::auth_method) = (expires IS NOT NULL))),
-	CONSTRAINT gql_user_wh_sub_check2
-		CHECK (((auth_method = 'INTERNAL'::auth_method) = (node_id IS NOT NULL))),
-	CONSTRAINT gql_user_wh_sub_events_check
-		CHECK ((array_length(events, 1) > 0))
-);
-
-CREATE INDEX gql_user_wh_sub_token_hash_idx
-	ON gql_user_wh_sub
-	USING btree (token_hash);
-
-CREATE TABLE gql_user_wh_delivery (
-	id serial PRIMARY KEY,
-	uuid uuid NOT NULL,
-	date timestamp without time zone NOT NULL,
-	event webhook_event NOT NULL,
-	subscription_id integer NOT NULL
-		REFERENCES gql_user_wh_sub(id) ON DELETE CASCADE,
-	request_body character varying NOT NULL,
-	response_body character varying,
-	response_headers character varying,
-	response_status integer
-);
-
--- Legacy OAuth
-CREATE TABLE oauthtoken (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	expires timestamp without time zone NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	token_hash character varying(128) NOT NULL,
-	token_partial character varying(8) NOT NULL,
-	scopes character varying(512) NOT NULL
-);
diff --git a/roles/git.sr.ht/tasks/db.yml b/roles/git.sr.ht/tasks/db.yml
index 9a0c585..10543d4 100644
--- a/roles/git.sr.ht/tasks/db.yml
+++ b/roles/git.sr.ht/tasks/db.yml
@@ -1,7 +1,7 @@
 ---
-- name: Copy database schema to host
-  ansible.builtin.template:
-    src: schema.psql
+- name: Download database schema from git.sr.ht
+  ansible.builtin.get_url:
+    url: https://git.sr.ht/~sircmpwn/git.sr.ht/blob/master/schema.sql
     dest: /tmp/gitsrht.psql
 
 - name: Create database
diff --git a/roles/git.sr.ht/templates/schema.psql b/roles/git.sr.ht/templates/schema.psql
deleted file mode 100644
index 45a60b0..0000000
--- a/roles/git.sr.ht/templates/schema.psql
+++ /dev/null
@@ -1,227 +0,0 @@
-CREATE TYPE auth_method AS ENUM (
-	'OAUTH_LEGACY',
-	'OAUTH2',
-	'COOKIE',
-	'INTERNAL',
-	'WEBHOOK'
-);
-
-CREATE TYPE clone_status AS ENUM (
-	'NONE',
-	'IN_PROGRESS',
-	'COMPLETE',
-	'ERROR'
-);
-
-CREATE TYPE visibility AS ENUM (
-	'PUBLIC',
-	'PRIVATE',
-	'UNLISTED'
-);
-
-CREATE TYPE webhook_event AS ENUM (
-	'REPO_CREATED',
-	'REPO_UPDATE',
-	'REPO_DELETED'
-);
-
-CREATE TYPE owner_repo_name AS (
-	owner text,
-	repo_name text
-);
-
-CREATE TYPE owner_id_repo_name AS (
-	owner_id integer,
-	repo_name text
-);
-
-CREATE TABLE "user" (
-	id serial PRIMARY KEY,
-	username character varying(256) UNIQUE,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	email character varying(256) NOT NULL,
-	user_type character varying NOT NULL DEFAULT 'active_non_paying'::character varying,
-	url character varying(256),
-	location character varying(256),
-	bio character varying(4096),
-	suspension_notice character varying(4096),
-	-- TODO: Delete these
-	oauth_token character varying(256),
-	oauth_token_expires timestamp without time zone,
-	oauth_token_scopes character varying DEFAULT ''::character varying,
-	oauth_revocation_token character varying(256)
-);
-
-CREATE INDEX ix_user_username ON "user" USING btree (username);
-
-CREATE TABLE repository (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	name character varying(256) NOT NULL,
-	description character varying(1024),
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	path character varying(1024),
-	visibility visibility NOT NULL,
-	readme character varying,
-	clone_status clone_status NOT NULL,
-	clone_error character varying,
-	CONSTRAINT repository_check
-		CHECK (((clone_status = 'ERROR'::clone_status) <> (clone_error IS NULL))),
-	CONSTRAINT uq_repo_owner_id_name UNIQUE (owner_id, name)
-);
-
-CREATE TABLE access (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	repo_id integer NOT NULL REFERENCES repository(id) ON DELETE CASCADE,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	mode character varying NOT NULL,
-	CONSTRAINT uq_access_user_id_repo_id UNIQUE (user_id, repo_id)
-);
-
-CREATE TABLE artifacts (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	repo_id integer NOT NULL REFERENCES repository(id) ON DELETE CASCADE,
-	commit character varying NOT NULL,
-	filename character varying NOT NULL,
-	checksum character varying NOT NULL,
-	size integer NOT NULL,
-	CONSTRAINT repo_artifact_filename_unique UNIQUE (repo_id, filename)
-);
-
-CREATE TABLE redirect (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	name character varying(256) NOT NULL,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	path character varying(1024),
-	new_repo_id integer NOT NULL REFERENCES repository(id) ON DELETE CASCADE
-);
-
--- GraphQL webhooks
-CREATE TABLE gql_user_wh_sub (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	events webhook_event[] NOT NULL,
-	url character varying NOT NULL,
-	query character varying NOT NULL,
-	auth_method auth_method NOT NULL,
-	token_hash character varying(128),
-	grants character varying,
-	client_id uuid,
-	expires timestamp without time zone,
-	node_id character varying,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	CONSTRAINT gql_user_wh_sub_auth_method_check
-		CHECK ((auth_method = ANY (ARRAY['OAUTH2'::auth_method, 'INTERNAL'::auth_method]))),
-	CONSTRAINT gql_user_wh_sub_check
-		CHECK (((auth_method = 'OAUTH2'::auth_method) = (token_hash IS NOT NULL))),
-	CONSTRAINT gql_user_wh_sub_check1
-		CHECK (((auth_method = 'OAUTH2'::auth_method) = (expires IS NOT NULL))),
-	CONSTRAINT gql_user_wh_sub_check2
-		CHECK (((auth_method = 'INTERNAL'::auth_method) = (node_id IS NOT NULL))),
-	CONSTRAINT gql_user_wh_sub_events_check
-		CHECK ((array_length(events, 1) > 0))
-);
-
-CREATE INDEX gql_user_wh_sub_token_hash_idx
-	ON gql_user_wh_sub
-	USING btree (token_hash);
-
-CREATE TABLE gql_user_wh_delivery (
-	id serial PRIMARY KEY,
-	uuid uuid NOT NULL,
-	date timestamp without time zone NOT NULL,
-	event webhook_event NOT NULL,
-	subscription_id integer NOT NULL
-		REFERENCES gql_user_wh_sub(id) ON DELETE CASCADE,
-	request_body character varying NOT NULL,
-	response_body character varying,
-	response_headers character varying,
-	response_status integer
-);
-
--- Legacy SSH key table, to be fetched from meta.sr.ht instead (TODO: Remove)
-CREATE TABLE sshkey (
-	id serial PRIMARY KEY,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	meta_id integer NOT NULL,
-	key character varying(4096) NOT NULL,
-	fingerprint character varying(512) NOT NULL
-);
-
-CREATE INDEX ix_sshkey_key
-	ON sshkey
-	USING btree (md5((key)::text));
-
-CREATE UNIQUE INDEX ix_sshkey_meta_id
-	ON sshkey
-	USING btree (meta_id);
-
--- Legacy OAuth (TODO: Remove)
-CREATE TABLE oauthtoken (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	expires timestamp without time zone NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	token_hash character varying(128) NOT NULL,
-	token_partial character varying(8) NOT NULL,
-	scopes character varying(512) NOT NULL
-);
-
--- Legacy webhooks (TODO: Remove)
-CREATE TABLE user_webhook_subscription (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	url character varying(2048) NOT NULL,
-	events character varying NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	token_id integer REFERENCES oauthtoken(id) ON DELETE CASCADE
-);
-
-CREATE TABLE user_webhook_delivery (
-	id serial PRIMARY KEY,
-	uuid uuid NOT NULL,
-	created timestamp without time zone NOT NULL,
-	event character varying(256) NOT NULL,
-	url character varying(2048) NOT NULL,
-	payload character varying(65536) NOT NULL,
-	payload_headers character varying(16384) NOT NULL,
-	response character varying(65536),
-	response_status integer NOT NULL,
-	response_headers character varying(16384),
-	subscription_id integer NOT NULL
-		REFERENCES user_webhook_subscription(id) ON DELETE CASCADE
-);
-
-CREATE TABLE repo_webhook_subscription (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	url character varying(2048) NOT NULL,
-	events character varying NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	token_id integer REFERENCES oauthtoken(id) ON DELETE CASCADE,
-	repo_id integer REFERENCES repository(id) ON DELETE CASCADE,
-	sync boolean DEFAULT false NOT NULL
-);
-
-CREATE TABLE repo_webhook_delivery (
-	id serial PRIMARY KEY,
-	uuid uuid NOT NULL,
-	created timestamp without time zone NOT NULL,
-	event character varying(256) NOT NULL,
-	url character varying(2048) NOT NULL,
-	payload character varying(65536) NOT NULL,
-	payload_headers character varying(16384) NOT NULL,
-	response character varying(65536),
-	response_status integer NOT NULL,
-	response_headers character varying(16384),
-	subscription_id integer NOT NULL
-		REFERENCES repo_webhook_subscription(id) ON DELETE CASCADE
-);
diff --git a/roles/hub.sr.ht/tasks/db.yml b/roles/hub.sr.ht/tasks/db.yml
index edafb5d..4dbad0e 100644
--- a/roles/hub.sr.ht/tasks/db.yml
+++ b/roles/hub.sr.ht/tasks/db.yml
@@ -1,7 +1,7 @@
 ---
-- name: Copy database schema to host
-  ansible.builtin.template:
-    src: schema.psql
+- name: Download database schema from git.sr.ht
+  ansible.builtin.get_url:
+    url: https://git.sr.ht/~sircmpwn/hub.sr.ht/blob/master/schema.sql
     dest: /tmp/hubsrht.psql
 
 - name: Create database
diff --git a/roles/hub.sr.ht/templates/schema.psql b/roles/hub.sr.ht/templates/schema.psql
deleted file mode 100644
index 90a7437..0000000
--- a/roles/hub.sr.ht/templates/schema.psql
+++ /dev/null
@@ -1,103 +0,0 @@
-CREATE TYPE visibility AS ENUM (
-	'PUBLIC',
-	'PRIVATE',
-	'UNLISTED'
-);
-
-CREATE TABLE "user" (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	username character varying(256),
-	email character varying(256) NOT NULL,
-	user_type character varying NOT NULL,
-	url character varying(256),
-	location character varying(256),
-	bio character varying(4096),
-	suspension_notice character varying(4096),
-	oauth_token character varying(256),
-	oauth_token_expires timestamp without time zone,
-	oauth_token_scopes character varying,
-	oauth_revocation_token character varying(256)
-);
-
-CREATE UNIQUE INDEX ix_user_username ON "user" USING btree (username);
-
-CREATE TABLE project (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	name character varying(128) NOT NULL,
-	description character varying(512) NOT NULL,
-	website character varying,
-	visibility visibility DEFAULT 'UNLISTED'::visibility NOT NULL,
-	checklist_complete boolean DEFAULT false NOT NULL,
-	summary_repo_id integer,
-	tags character varying(16)[] DEFAULT '{}'::character varying[] NOT NULL
-);
-
-CREATE TABLE features (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	project_id integer NOT NULL REFERENCES project(id) ON DELETE CASCADE,
-	summary character varying NOT NULL
-);
-
-CREATE TABLE mailing_list (
-	id serial PRIMARY KEY,
-	remote_id integer NOT NULL,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	project_id integer NOT NULL REFERENCES project(id) ON DELETE CASCADE,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	name character varying(128) NOT NULL,
-	description character varying,
-	visibility visibility DEFAULT 'UNLISTED'::visibility NOT NULL
-);
-
-CREATE TABLE source_repo (
-	id serial PRIMARY KEY,
-	remote_id integer NOT NULL,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	project_id integer NOT NULL REFERENCES project(id) ON DELETE CASCADE,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	name character varying(128) NOT NULL,
-	description character varying,
-	repo_type character varying NOT NULL,
-	visibility visibility DEFAULT 'UNLISTED'::visibility NOT NULL,
-	CONSTRAINT project_source_repo_unique UNIQUE (project_id, remote_id, repo_type)
-);
-
-ALTER TABLE project
-	ADD CONSTRAINT project_summary_repo_id_fkey FOREIGN KEY (summary_repo_id) REFERENCES source_repo(id) ON DELETE CASCADE;
-
-CREATE TABLE tracker (
-	id serial PRIMARY KEY,
-	remote_id integer NOT NULL,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	project_id integer NOT NULL REFERENCES project(id) ON DELETE CASCADE,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	name character varying(128) NOT NULL,
-	description character varying,
-	visibility visibility DEFAULT 'UNLISTED'::visibility NOT NULL
-);
-
-CREATE TABLE event (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	project_id integer NOT NULL REFERENCES project(id) ON DELETE CASCADE,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	event_type character varying NOT NULL,
-	source_repo_id integer REFERENCES source_repo(id) ON DELETE CASCADE,
-	mailing_list_id integer REFERENCES mailing_list(id) ON DELETE CASCADE,
-	tracker_id integer REFERENCES tracker(id) ON DELETE CASCADE,
-	external_source character varying,
-	external_summary character varying,
-	external_details character varying,
-	external_summary_plain character varying,
-	external_details_plain character varying,
-	external_url character varying
-);
diff --git a/roles/meta.sr.ht/tasks/db.yml b/roles/meta.sr.ht/tasks/db.yml
index 42ffc42..33774e3 100644
--- a/roles/meta.sr.ht/tasks/db.yml
+++ b/roles/meta.sr.ht/tasks/db.yml
@@ -1,7 +1,7 @@
 ---
-- name: Copy database schema to host
-  ansible.builtin.template:
-    src: schema.psql
+- name: Download database schema from git.sr.ht
+  ansible.builtin.get_url:
+    url: https://git.sr.ht/~sircmpwn/meta.sr.ht/blob/master/schema.sql
     dest: /tmp/metasrht.psql
 
 - name: Create database
diff --git a/roles/meta.sr.ht/templates/schema.psql b/roles/meta.sr.ht/templates/schema.psql
deleted file mode 100644
index 269bfed..0000000
--- a/roles/meta.sr.ht/templates/schema.psql
+++ /dev/null
@@ -1,265 +0,0 @@
-CREATE TYPE auth_method AS ENUM (
-	'OAUTH_LEGACY',
-	'OAUTH2',
-	'COOKIE',
-	'INTERNAL',
-	'WEBHOOK'
-);
-
-CREATE TYPE webhook_event AS ENUM (
-	'PROFILE_UPDATE',
-	'PGP_KEY_ADDED',
-	'PGP_KEY_REMOVED',
-	'SSH_KEY_ADDED',
-	'SSH_KEY_REMOVED'
-);
-
-CREATE TABLE "user" (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	username character varying(256) NOT NULL UNIQUE,
-	password character varying(256) NOT NULL,
-	email character varying(256) NOT NULL UNIQUE,
-	new_email character varying(256),
-	user_type character varying NOT NULL,
-	confirmation_hash character varying(128),
-	url character varying(256),
-	location character varying(256),
-	bio character varying(4096),
-	pgp_key_id integer,
-	reset_hash character varying(128),
-	reset_expiry timestamp without time zone,
-	stripe_customer character varying(256),
-	payment_cents integer DEFAULT 0 NOT NULL,
-	payment_interval character varying DEFAULT 'monthly'::character varying,
-	payment_due timestamp without time zone,
-	welcome_emails integer DEFAULT 0 NOT NULL,
-	oauth_revocation_token character varying(256),
-	suspension_notice character varying(4096)
-);
-
-CREATE TABLE audit_log_entry (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	ip_address character varying(50) NOT NULL,
-	event_type character varying(256) NOT NULL,
-	details character varying(512)
-);
-
-CREATE TABLE invoice (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	cents integer NOT NULL,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	valid_thru timestamp without time zone NOT NULL,
-	source character varying(256) NOT NULL
-);
-
-CREATE TABLE pgpkey (
-	id serial PRIMARY KEY,
-	created timestamp without time zone,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	key character varying(32768) NOT NULL,
-	fingerprint bytea NOT NULL UNIQUE,
-	expiration timestamp without time zone
-);
-
-ALTER TABLE "user"
-	ADD CONSTRAINT user_pgp_key_id_fkey
-	FOREIGN KEY (pgp_key_id) REFERENCES pgpkey(id) ON DELETE SET NULL;
-
-CREATE TABLE sshkey (
-	id serial PRIMARY KEY,
-	created timestamp without time zone,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	key character varying(4096) NOT NULL,
-	fingerprint character varying(512) NOT NULL UNIQUE,
-	comment character varying(256),
-	last_used timestamp without time zone,
-	b64_key character varying(4096),
-	key_type character varying(256)
-);
-
-CREATE INDEX sshkey_md5_idx ON sshkey USING btree (md5((key)::text));
-
-CREATE TABLE user_auth_factor (
-	id serial PRIMARY KEY,
-	user_id integer NOT NULL UNIQUE REFERENCES "user"(id) ON DELETE CASCADE,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	factor_type character varying NOT NULL,
-	secret bytea,
-	extra json
-);
-
-CREATE TABLE user_notes (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	note character varying
-);
-
-CREATE TABLE reserved_usernames (
-    username varchar NOT NULL
-);
-
-CREATE INDEX reserved_usernames_ix ON reserved_usernames(username);
-
--- OAuth 2.0
-CREATE TABLE oauth2_client (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	owner_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	client_uuid uuid NOT NULL,
-	client_secret_hash character varying(128) NOT NULL,
-	client_secret_partial character varying(8) NOT NULL,
-	redirect_url character varying,
-	client_name character varying(256) NOT NULL,
-	client_description character varying,
-	client_url character varying,
-	revoked boolean DEFAULT false NOT NULL
-);
-
-CREATE TABLE oauth2_grant (
-	id serial PRIMARY KEY,
-	issued timestamp without time zone NOT NULL,
-	expires timestamp without time zone NOT NULL,
-	comment character varying,
-	token_hash character varying(128) NOT NULL,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	client_id integer REFERENCES oauth2_client(id) ON DELETE CASCADE
-);
-
--- GraphQL webhooks
-CREATE TABLE gql_profile_wh_sub (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	events webhook_event[] NOT NULL,
-	url character varying NOT NULL,
-	query character varying NOT NULL,
-	auth_method auth_method NOT NULL,
-	token_hash character varying(128),
-	grants character varying,
-	client_id uuid,
-	expires timestamp without time zone,
-	node_id character varying,
-	user_id integer NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
-	CONSTRAINT gql_profile_wh_sub_auth_method_check
-		CHECK ((auth_method = ANY(ARRAY['OAUTH2'::auth_method, 'INTERNAL'::auth_method]))),
-	CONSTRAINT gql_profile_wh_sub_check
-		CHECK (((auth_method = 'OAUTH2'::auth_method) = (token_hash IS NOT NULL))),
-	CONSTRAINT gql_profile_wh_sub_check1
-		CHECK (((auth_method = 'OAUTH2'::auth_method) = (expires IS NOT NULL))),
-	CONSTRAINT gql_profile_wh_sub_check2
-		CHECK (((auth_method = 'INTERNAL'::auth_method) = (node_id IS NOT NULL))),
-	CONSTRAINT gql_profile_wh_sub_events_check
-		CHECK ((array_length(events, 1) > 0))
-);
-
-CREATE INDEX gql_profile_wh_sub_token_hash_idx ON gql_profile_wh_sub USING btree (token_hash);
-
-CREATE TABLE gql_profile_wh_delivery (
-	id serial PRIMARY KEY,
-	uuid uuid NOT NULL,
-	date timestamp without time zone NOT NULL,
-	event webhook_event NOT NULL,
-	subscription_id integer NOT NULL
-		REFERENCES gql_profile_wh_sub(id) ON DELETE CASCADE,
-	request_body character varying NOT NULL,
-	response_body character varying,
-	response_headers character varying,
-	response_status integer
-);
-
--- Legacy OAuth (TODO: Remove these)
-CREATE TABLE oauthclient (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	client_name character varying(256) NOT NULL,
-	client_id character varying(16) NOT NULL,
-	client_secret_hash character varying(128) NOT NULL,
-	client_secret_partial character varying(8) NOT NULL,
-	redirect_uri character varying(256),
-	preauthorized boolean DEFAULT false NOT NULL
-);
-
-CREATE TABLE oauthscope (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	client_id integer NOT NULL REFERENCES oauthclient(id) ON DELETE CASCADE,
-	name character varying(256) NOT NULL,
-	description character varying(512) NOT NULL,
-	write boolean NOT NULL
-);
-
-CREATE TABLE oauthtoken (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	expires timestamp without time zone NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	client_id integer REFERENCES oauthclient(id) ON DELETE CASCADE,
-	token_hash character varying(128) NOT NULL,
-	token_partial character varying(8) NOT NULL,
-	scopes character varying(512) NOT NULL,
-	comment character varying(128)
-);
-
-CREATE TABLE revocationurl (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	token_id integer NOT NULL REFERENCES oauthtoken(id),
-	client_id integer NOT NULL REFERENCES oauthclient(id),
-	url character varying(2048) NOT NULL
-);
-
-CREATE TABLE delegatedscope (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	updated timestamp without time zone NOT NULL,
-	client_id integer NOT NULL REFERENCES oauthclient(id) ON DELETE CASCADE,
-	name character varying(256) NOT NULL,
-	description character varying(512) NOT NULL,
-	write boolean NOT NULL
-);
-
--- Legacy webhooks (TODO: Remove these)
-CREATE TABLE user_webhook_subscription (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	url character varying(2048) NOT NULL,
-	events character varying NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	token_id integer REFERENCES oauthtoken(id) ON DELETE CASCADE
-);
-
-CREATE TABLE user_webhook_delivery (
-	id serial PRIMARY KEY,
-	uuid uuid NOT NULL,
-	created timestamp without time zone NOT NULL,
-	event character varying(256) NOT NULL,
-	url character varying(2048) NOT NULL,
-	payload character varying(16384) NOT NULL,
-	payload_headers character varying(16384) NOT NULL,
-	response character varying(16384),
-	response_status integer NOT NULL,
-	response_headers character varying(16384),
-	subscription_id integer REFERENCES user_webhook_subscription(id) ON DELETE CASCADE
-);
-
-CREATE TABLE webhook_subscription (
-	id serial PRIMARY KEY,
-	created timestamp without time zone NOT NULL,
-	url character varying(2048) NOT NULL,
-	events character varying NOT NULL,
-	user_id integer REFERENCES "user"(id) ON DELETE CASCADE,
-	client_id integer REFERENCES oauthclient(id) ON DELETE CASCADE
-);
-- 
2.38.5