Skip to main content

Add the PGDG repository

Install PostgreSQL 17

Verify the version:

Set password and create database

Create the three role tiers

Always use IN SCHEMA public (or the relevant schema) for grants, and set default privileges so future tables inherit the correct access automatically.

1. Superuser — full ownership

2. appuser — full CRUD on all tables (read, insert, update, delete)

3. appviewer — scoped access (mixed SELECT-only and read/write tables)

The exact list of which tables appviewer can access, and at which permission level (SELECT-only vs. SELECT/INSERT/UPDATE), is maintained in the J-Spider-Store-Backend repo docs. Check there before granting or revoking access for this role — do not assume the same table list applies across environments.
Never grant appviewer DELETE or DDL (CREATE/ALTER/DROP) privileges. If a new use case needs broader access, update the role definition in J-Spider-Store-Backend docs first, then apply the grant here.

Remote access

For remote database work (DBeaver, pgAdmin, TablePlus, etc.), do not expose PostgreSQL directly to the internet. Use an SSH tunnel through the VPS instead — Postgres stays bound to localhost and only the SSH port is reachable.

1. Confirm Postgres is listening on localhost only

2. Set up the SSH tunnel

DBeaver:
  1. New connection → PostgreSQL
  2. Main tab: Host localhost, Port 5432, Database prod_db, User/Password of the role you’re connecting as
  3. SSH tab: enable “Use SSH Tunnel” → Host/IP: your VPS IP, Port 22, User: your VPS SSH user, Auth: private key or password
  4. Test Connection — DBeaver tunnels the connection through SSH automatically
pgAdmin:
  1. New Server → Connection tab: Host localhost, Port 5432, Maintenance DB prod_db, Username/Password
  2. SSH Tunnel tab: enable tunneling → Tunnel host: VPS IP, Tunnel port 22, Username, Identity file (or password)
  3. Save

Useful checks