feat(dashboard-api): supabase auth users sync background runner

.env.gcp.template

@@ -77,6 +77,9 @@ CLICKHOUSE_CLUSTER_SIZE=1
 
 # Dashboard API instance count (default: 0)
 DASHBOARD_API_COUNT=
+# Additional dashboard-api env vars passed directly to the Nomad job (default: {})
+# Example: '{"SUPABASE_AUTH_USER_SYNC_ENABLED":"true"}'
+DASHBOARD_API_ENV_VARS=
 
 # Filestore cache for builds shared across cluster (default:false)
 FILESTORE_CACHE_ENABLED=

iac/modules/job-dashboard-api/jobs/dashboard-api.hcl

@@ -82,6 +82,10 @@ job "dashboard-api" {
         SUPABASE_JWT_SECRETS                   = "${supabase_jwt_secrets}"
         OTEL_COLLECTOR_GRPC_ENDPOINT           = "${otel_collector_grpc_endpoint}"
         LOGS_COLLECTOR_ADDRESS                 = "${logs_collector_address}"
+
+        %{ for key, val in env }
+        ${ key }   = "${ val }"
+        %{ endfor }
       }
 
       config {

iac/modules/job-dashboard-api/main.tf

@@ -1,3 +1,7 @@
+locals {
+  env = { for key, value in var.env : key => value if value != null && value != "" }
+}
+
 resource "nomad_job" "dashboard_api" {
   jobspec = templatefile("${path.module}/jobs/dashboard-api.hcl", {
     update_stanza = var.update_stanza
@@ -15,6 +19,7 @@ resource "nomad_job" "dashboard_api" {
     auth_db_read_replica_connection_string = var.auth_db_read_replica_connection_string
     clickhouse_connection_string           = var.clickhouse_connection_string
     supabase_jwt_secrets                   = var.supabase_jwt_secrets
+    env                                    = local.env
 
     subdomain = "dashboard-api"
 

iac/modules/job-dashboard-api/variables.tf

@@ -44,6 +44,11 @@ variable "supabase_jwt_secrets" {
   sensitive = true
 }
 
+variable "env" {
+  type    = map(string)
+  default = {}
+}
+
 variable "otel_collector_grpc_port" {
   type    = number
   default = 4317

iac/provider-gcp/Makefile

@@ -75,6 +75,7 @@ tf_vars := \
 	$(call tfvar, LOKI_BOOT_DISK_TYPE) \
 	$(call tfvar, LOKI_USE_V13_SCHEMA_FROM) \
 	$(call tfvar, DASHBOARD_API_COUNT) \
+	$(call tfvar, DASHBOARD_API_ENV_VARS) \
 	$(call tfvar, DEFAULT_PERSISTENT_VOLUME_TYPE) \
 	$(call tfvar, PERSISTENT_VOLUME_TYPES) \
 	$(call tfvar, DB_MAX_OPEN_CONNECTIONS) \

iac/provider-gcp/api.tf

@@ -27,6 +27,23 @@ resource "google_secret_manager_secret_version" "postgres_read_replica_connectio
   }
 }
 
+resource "google_secret_manager_secret" "auth_db_connection_string" {
+  secret_id = "${var.prefix}auth-db-connection-string"
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "auth_db_connection_string" {
+  secret      = google_secret_manager_secret.auth_db_connection_string.name
+  secret_data = " "
+
+  lifecycle {
+    ignore_changes = [secret_data]
+  }
+}
+
 resource "random_password" "api_secret" {
   length  = 32
   special = false

iac/provider-gcp/main.tf

@@ -224,6 +224,7 @@ module "nomad" {
   api_secret                                             = random_password.api_secret.result
   custom_envs_repository_name                            = google_artifact_registry_repository.custom_environments_repository.name
   postgres_connection_string_secret_name                 = module.init.postgres_connection_string_secret_name
+  auth_db_connection_string_secret_version               = google_secret_manager_secret_version.auth_db_connection_string
   postgres_read_replica_connection_string_secret_version = google_secret_manager_secret_version.postgres_read_replica_connection_string
   supabase_jwt_secrets_secret_name                       = module.init.supabase_jwt_secret_name
   posthog_api_key_secret_name                            = module.init.posthog_api_key_secret_name
@@ -264,7 +265,8 @@ module "nomad" {
   otel_collector_resources_cpu_count = var.otel_collector_resources_cpu_count
 
   # Dashboard API
-  dashboard_api_count = var.dashboard_api_count
+  dashboard_api_count    = var.dashboard_api_count
+  dashboard_api_env_vars = var.dashboard_api_env_vars
 
   # Docker reverse proxy
   docker_reverse_proxy_port                = var.docker_reverse_proxy_port

iac/provider-gcp/nomad/main.tf

@@ -10,6 +10,10 @@ data "google_secret_manager_secret_version" "postgres_connection_string" {
   secret = var.postgres_connection_string_secret_name
 }
 
+data "google_secret_manager_secret_version" "auth_db_connection_string" {
+  secret = var.auth_db_connection_string_secret_version.secret
+}
+
 data "google_secret_manager_secret_version" "postgres_read_replica_connection_string" {
   secret = var.postgres_read_replica_connection_string_secret_version.secret
 }
@@ -131,10 +135,11 @@ module "dashboard_api" {
   image = data.google_artifact_registry_docker_image.dashboard_api_image[0].self_link
 
   postgres_connection_string             = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
-  auth_db_connection_string              = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
+  auth_db_connection_string              = trimspace(data.google_secret_manager_secret_version.auth_db_connection_string.secret_data)
   auth_db_read_replica_connection_string = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
   clickhouse_connection_string           = local.clickhouse_connection_string
   supabase_jwt_secrets                   = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
+  env                                    = var.dashboard_api_env_vars
 
   otel_collector_grpc_port = var.otel_collector_grpc_port
   logs_proxy_port          = var.logs_proxy_port

iac/provider-gcp/nomad/variables.tf

@@ -175,6 +175,10 @@ variable "postgres_connection_string_secret_name" {
   type = string
 }
 
+variable "auth_db_connection_string_secret_version" {
+  type = any
+}
+
 variable "postgres_read_replica_connection_string_secret_version" {
   type = any
 }
@@ -453,6 +457,11 @@ variable "dashboard_api_count" {
   default = 0
 }
 
+variable "dashboard_api_env_vars" {
+  type    = map(string)
+  default = {}
+}
+
 variable "volume_token_issuer" {
   type = string
 }

iac/provider-gcp/variables.tf

@@ -228,6 +228,11 @@ variable "dashboard_api_count" {
   default = 0
 }
 
+variable "dashboard_api_env_vars" {
+  type    = map(string)
+  default = {}
+}
+
 variable "docker_reverse_proxy_port" {
   type = object({
     name        = string

packages/dashboard-api/go.mod

@@ -23,6 +23,7 @@ require (
 	github.com/jackc/pgx/v5 v5.7.5
 	github.com/oapi-codegen/gin-middleware v1.0.2
 	github.com/oapi-codegen/runtime v1.1.1
+	github.com/stretchr/testify v1.11.1
 	go.uber.org/zap v1.27.1
 )
 
@@ -117,7 +118,6 @@ require (
 	github.com/shirou/gopsutil/v4 v4.25.9 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/testcontainers/testcontainers-go v0.40.0 // indirect
 	github.com/testcontainers/testcontainers-go/modules/postgres v0.39.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect

packages/dashboard-api/internal/cfg/model.go

@@ -1,8 +1,6 @@
 package cfg
 
-import (
-	"github.com/caarlos0/env/v11"
-)
+import "github.com/caarlos0/env/v11"
 
 type Config struct {
 	Port                       int      `env:"PORT"                                         envDefault:"3010"`
@@ -12,6 +10,8 @@ type Config struct {
 
 	AuthDBConnectionString            string `env:"AUTH_DB_CONNECTION_STRING"`
 	AuthDBReadReplicaConnectionString string `env:"AUTH_DB_READ_REPLICA_CONNECTION_STRING"`
+
+	SupabaseAuthUserSyncEnabled bool `env:"SUPABASE_AUTH_USER_SYNC_ENABLED" envDefault:"false"`
 }
 
 func Parse() (Config, error) {

packages/dashboard-api/internal/supabaseauthusersync/config.go

@@ -0,0 +1,28 @@
+package supabaseauthusersync
+
+import "time"
+
+const (
+	defaultBatchSize    int32         = 50
+	defaultPollInterval time.Duration = 2 * time.Second
+	defaultLockTimeout  time.Duration = 2 * time.Minute
+	defaultMaxAttempts  int32         = 20
+)
+
+type Config struct {
+	Enabled      bool
+	BatchSize    int32
+	PollInterval time.Duration
+	LockTimeout  time.Duration
+	MaxAttempts  int32
+}
+
+func DefaultConfig() Config {
+	return Config{
+		Enabled:      false,
+		BatchSize:    defaultBatchSize,
+		PollInterval: defaultPollInterval,
+		LockTimeout:  defaultLockTimeout,
+		MaxAttempts:  defaultMaxAttempts,
+	}
+}