added a read only user to database setup script

docker-compose.jsonnet

@@ -94,6 +94,8 @@
   db_super_password:: "postgres", // Must not contain ' or \ as these are not escaped.
   db_replication_user:: "replicate", // if empty, don't allow replication
   db_replication_password:: "standby", // don't use default in production. Must not contain ' or \ as these are not escaped.
+  db_readonly_user:: "vst-ro", // if empty, don't have a readonly account
+  db_readonly_password:: "volunteer", // don't use default in production. Must not contain ' or \ as these are not escaped.  
   db_standby:: false, // set to true to have this database replicate another server
 
   // Path to a JSON file containing google credentials for cutter as keys
@@ -354,6 +356,8 @@
         WUBLOADER_PASSWORD: $.db_args.password,
         REPLICATION_USER: $.db_replication_user,
         REPLICATION_PASSWORD: $.db_replication_password,
+        READONLY_USER: $.db_readonly_user,
+        READONLY_PASSWORD: $.db_readonly_password,
         MASTER_NODE: $.db_args.host,
       },
       volumes: ["%s:/mnt/database" % $.database_path, "%s:/mnt/wubloader" % $.segments_path],

postgres/setup.sh

@@ -108,3 +108,16 @@ if [ -a /mnt/wubloader/editors.csv ]; then
 	EOF
 fi
 
+if [ -n "READONLY_USER" ]; then
+	echo "Creating $READONLY_USER"
+	# allow $READONLY_USER to connect remotely
+	echo "host all $READONLY_USER all md5" >> "$PGDATA/pg_hba.conf"
+	psql -v ON_ERROR_STOP=1 -U $POSTGRES_USER -d $POSTGRES_DB <<-EOSQL
+
+	CREATE USER $READONLY_USER WITH CONNECTION LIMIT 50 LOGIN PASSWORD '$READONLY_PASSWORD';
+	GRANT CONNECT ON DATABASE $POSTGRES_DB TO $READONLY_USER;
+	GRANT USAGE ON SCHEMA public TO $READONLY_USER;
+	GRANT SELECT ON ALL TABLES IN SCHEMA public TO $READONLY_USER;
+
+	EOSQL
+fi