Add basic nixos test

jfroche · yvan-sraka · commit 739087f66afa · 2025-09-22T14:03:57.000+02:00
Only test that the service starts for now.
diff --git a/.gitignore b/.gitignore
@@ -17,4 +17,6 @@ www/.DS_Store
 www/node_modules
 npm-debug.log
 .data
+
 result
+.nixos-test-history
diff --git a/nix/checks/nixos.nix b/nix/checks/nixos.nix
@@ -0,0 +1,60 @@
+{
+  pkgs,
+  flake,
+  perSystem,
+  ...
+}:
+flake.inputs.nixpkgs.lib.nixos.runTest {
+  name = "auth";
+  hostPkgs = pkgs;
+  node.specialArgs = { inherit flake perSystem; };
+  nodes.server =
+    { config, ... }:
+    {
+      imports = [
+        (import flake.nixosModules.auth)
+      ];
+
+      virtualisation = {
+        forwardPorts = [
+          {
+            from = "host";
+            host.port = 13022;
+            guest.port = 22;
+          }
+        ];
+      };
+      services.openssh = {
+        enable = true;
+      };
+
+      services.auth.enable = true;
+
+      services.postgresql = {
+        enable = true;
+        enableTCPIP = true;
+        initialScript = pkgs.writeText "init-postgres-with-password" ''
+          CREATE USER supabase_admin LOGIN CREATEROLE CREATEDB REPLICATION BYPASSRLS;
+
+          -- Supabase super admin
+          CREATE USER supabase_auth_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION PASSWORD 'secret';
+          CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION supabase_auth_admin;
+          GRANT CREATE ON DATABASE postgres TO supabase_auth_admin;
+          ALTER USER supabase_auth_admin SET search_path = 'auth';
+        '';
+        authentication = ''
+          host supabase_auth_admin postgres samenet scram-sha-256
+        '';
+      };
+    };
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
+
+      server.wait_for_unit("multi-user.target")
+      server.wait_for_unit("postgresql.service")
+
+      server.wait_for_unit("gotrue.service")
+    '';
+}
diff --git a/nix/modules/nixos/auth.nix b/nix/modules/nixos/auth.nix
@@ -0,0 +1,126 @@
+{
+  pkgs,
+  lib,
+  config,
+  perSystem,
+  ...
+}:
+let
+  cfg = config.services.auth;
+  gotrue = perSystem.self.default;
+  default_settings = rec {
+    API_EXTERNAL_URL = "http://localhost:9999";
+    DB_HOST = "localhost";
+    DB_NAME = "postgres";
+    DB_PASSWORD = "secret";
+    DB_PORT = "5432";
+    DB_USER = "supabase_auth_admin";
+    DISABLE_SIGNUP = "false";
+    DATABASE_URL = "postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}";
+    GOTRUE_API_EXTERNAL_URL = "http://localhost:9999";
+    GOTRUE_DB_DRIVER = "postgres";
+    GOTRUE_DB_HOST = DB_HOST;
+    GOTRUE_DB_NAME = DB_NAME;
+    GOTRUE_DB_PASSWORD = DB_PASSWORD;
+    GOTRUE_DB_PORT = DB_PORT;
+    GOTRUE_DB_USER = DB_USER;
+    GOTRUE_DISABLE_SIGNUP = "false";
+    GOTRUE_JWT_DEFAULT_GROUP_NAME = "authenticated";
+    GOTRUE_JWT_EXP = "3600";
+    GOTRUE_JWT_SECRET = "your-super-secret-jwt-token-with-at-least-32-characters-long";
+    GOTRUE_MAILER_AUTOCONFIRM = "true";
+    GOTRUE_SITE_URL = "http://localhost:3000";
+    GOTRUE_SMTP_ADMIN_EMAIL = "admin@example.com";
+    GOTRUE_SMTP_HOST = "localhost";
+    GOTRUE_SMTP_PASS = "";
+    GOTRUE_SMTP_PORT = "2500";
+    GOTRUE_SMTP_SENDER_NAME = "Supabase";
+    GOTRUE_SMTP_USER = "";
+    JWT_DEFAULT_GROUP_NAME = "authenticated";
+    JWT_EXP = "3600";
+    JWT_SECRET = "your-super-secret-jwt-token-with-at-least-32-characters-long";
+    MAILER_AUTOCONFIRM = "true";
+    SITE_URL = "http://localhost:3000";
+    SMTP_ADMIN_EMAIL = "admin@example.com";
+    SMTP_HOST = "localhost";
+    SMTP_PASS = "";
+    SMTP_PORT = "2500";
+    SMTP_SENDER_NAME = "Supabase";
+    SMTP_USER = "";
+  };
+  auth_env = pkgs.writeText "auth.env" (
+    lib.concatStringsSep "\n" (
+      (lib.mapAttrsToList (name: value: "${name}=${value}") (default_settings // cfg.settings))
+    )
+  );
+in
+{
+  options.services.auth = {
+    enable = lib.mkEnableOption "Supabase Auth Service";
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.callPackage ../../package.nix { };
+      description = "The Supabase Auth package to use.";
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 9999;
+      description = "Port to run the auth service on.";
+    };
+
+    settings = lib.mkOption {
+      type = lib.types.attrs;
+      default = { };
+      description = "Configuration settings for the auth service.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 9122 ];
+
+    users.users.gotrue = {
+      isSystemUser = true;
+      description = "gotrue service user";
+      group = "gotrue";
+    };
+    users.groups.gotrue = { };
+
+    systemd.services.gotrue = {
+      description = "gotrue (auth)";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        WorkingDirectory = "/opt/gotrue";
+        ExecStart = "${gotrue}/bin/gotrue --config-dir /etc/auth.d";
+        User = "gotrue";
+        Restart = "always";
+        RestartSec = 3;
+        MemoryAccounting = true;
+        MemoryMax = "50%";
+        Slice = "services.slice";
+        EnvironmentFile = [
+          "/etc/gotrue/auth.env"
+          "-/etc/gotrue.generated.env"
+          "-/etc/gotrue.overrides.env"
+        ];
+        # preStart = ''
+        #   pg_isready -h ${config.auth.settings.DB_HOST} -p ${config.auth.settings.DB_PORT} -U ${config.auth.settings.DB_USER}; do sleep 1; done
+        # '';
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d /etc/auth.d 0755 gotrue gotrue -"
+      "d /opt/gotrue 0755 gotrue gotrue -"
+      "C /etc/gotrue/auth.env 0440 gotrue gotrue - ${auth_env}"
+    ];
+  };
+}
+
+# TODO: initialization steps as activation script?
+# - Wait for database to be ready:
+#   until pg_isready -h ${config.auth.settings.DB_HOST} -p ${config.auth.settings.DB_PORT} -U ${config.auth.settings.DB_USER}; do sleep 1; done
+# - Run migrations if they exist:
+#   if [ -d migrations ]; then go run main.go migrate up; fi
diff --git a/nix/modules/nixosModules/auth.nix b/nix/modules/nixosModules/auth.nix
diff --git a/nix/package.nix b/nix/package.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 pkgs.buildGoModule {
   pname = "supabase-auth";
-  version = "0.1.0";
+  version = "2.180.0";
   src = ./..;
 
   vendorHash = "sha256-knYvNkEVffWisvb4Dhm5qqtqQ4co9MGoNt6yH6dUll8=";
@@ -10,6 +10,8 @@ pkgs.buildGoModule {
     "-tags"
     "netgo"
   ];
+
+  # we cannot run test in the sandbox as tests rely on postgresql tcp connection
   doCheck = false;
 
   subPackages = [ "." ];
