Allow arbitrary characters in passwords

This converts some shell scripted commands to small golang tools
("aio-container-tools") in order to ensure proper string handling.

In effect database passwords now can contain all characters, even emojis
and quotes.

AI-assistant: Copilot v1.0.7 (Claude Sonnet 4.6)

Signed-off-by: Pablo Zmdl <pablo@nextcloud.com>

Containers/postgresql/Dockerfile

@@ -1,8 +1,18 @@
 # syntax=docker/dockerfile:latest
+FROM docker.io/library/golang:alpine AS aio-container-tools-builder
+
+# hadolint ignore=DL3022
+COPY --from=aio-container-tools . /tmp/aio-container-tools/
+RUN cd /tmp/aio-container-tools \
+ && go build -o /usr/local/bin/aio-pg-init ./cmd/aio-pg-init \
+ && go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
+
 # From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
 FROM postgres:17.9-alpine
 
 COPY --chmod=775 start.sh /start.sh
+COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-init /usr/local/bin/aio-pg-init
+COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/aio-pg-healthcheck
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
 

Containers/postgresql/healthcheck.sh

@@ -2,6 +2,4 @@
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
-
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
+POSTGRES_PORT=11000 /usr/local/bin/aio-pg-healthcheck debug || exec /usr/local/bin/aio-pg-healthcheck

Containers/postgresql/init-user-db.sh

@@ -3,12 +3,7 @@ set -ex
 
 touch "$DUMP_DIR/initialization.failed"
 
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
-	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
-	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
-	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
-EOSQL
+POSTGRES_DB_OWNER="oc_$POSTGRES_USER" /usr/local/bin/aio-pg-init
 
 rm "$DUMP_DIR/initialization.failed"
 

Containers/postgresql/start.sh

@@ -4,6 +4,7 @@
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
+# TODO: Do we need this? It's not used anywhere visible
 export PGPASSWORD="$POSTGRES_PASSWORD"
 
 # Don't start database as long as backup is running
@@ -85,7 +86,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     exec docker-entrypoint.sh postgres &
 
     # Wait for creation
-    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
+    while ! env POSTGRES_PORT=11000 POSTGRES_USER="oc_$POSTGRES_USER" /usr/local/bin/aio-pg-healthcheck; do
         echo "Waiting for the database to start."
         sleep 5
     done
@@ -107,12 +108,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
         exit 1
     elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
         DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
-            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
-            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
-            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
-EOSQL
+        POSTGRES_DB_OWNER="$DB_OWNER" /usr/local/bin/aio-pg-init
     fi
 
     # Restore database