update db init script to set proper permissions for RO user

Author: Roman Plevka

scripts/db_init/init-user-db.sh

@@ -1,10 +1,20 @@
 #!/bin/bash
 set -e
 
+# Create the telemetry database and the telemetry role
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
     CREATE DATABASE telemetry;
-    CREATE ROLE telemetry WITH LOGIN PASSWORD 'changeme';
-    GRANT CONNECT ON DATABASE telemetry TO telemetry;
-    GRANT USAGE ON SCHEMA public TO telemetry;
-    GRANT SELECT ON ALL TABLES IN SCHEMA public TO telemetry;
+    CREATE ROLE ${POSTGRES_RO_USER:-telemetry} WITH LOGIN PASSWORD '${POSTGRES_RO_PASSWORD:-changeme}';
+    GRANT CONNECT ON DATABASE telemetry TO ${POSTGRES_RO_USER:-telemetry};
 EOSQL
+
+# Connect to the telemetry database to set up permissions and triggers
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "telemetry" <<-EOSQL
+    GRANT USAGE ON SCHEMA public TO ${POSTGRES_RO_USER:-telemetry};
+
+    -- Grant SELECT privileges on existing tables
+    GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${POSTGRES_RO_USER:-telemetry};
+
+    -- Set default privileges for future tables created by the postgres user
+    ALTER DEFAULT PRIVILEGES FOR USER ${POSTGRES_USER} IN SCHEMA public GRANT SELECT ON TABLES TO ${POSTGRES_RO_USER:-telemetry};
+EOSQL

scripts/db_init/setup_db.sh

@@ -1,2 +1,12 @@
 podman network create rekuper
-podman run --name rekuper_db --network rekuper --rm -e POSTGRES_PASSWORD=changeme -v ./init-user-db.sh:/docker-entrypoint-initdb.d/init-user-db.sh:z -p 25432:5432 postgres:17
+podman run \
+    --rm \
+    --name rekuper_db \
+    --network rekuper \
+    -e POSTGRES_USER=postgres \
+    -e POSTGRES_PASSWORD=changeme \
+    -e POSTGRES_RO_USER=telemetry \
+    -e POSTGRES_RO_PASSWORD=fero \
+    -v ./init-user-db.sh:/docker-entrypoint-initdb.d/init-user-db.sh:z \
+    -p 25432:5432 \
+    postgres:17 postgres -c log_statement=all