|
1 | 1 | {
|
2 |
| - description = "Supabase Auth Service with Nix modules and steps"; |
3 |
| - |
4 | 2 | inputs = {
|
5 | 3 | nixpkgs.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
|
6 |
| - flake-utils.url = "github:numtide/flake-utils"; |
| 4 | + blueprint.url = "github:numtide/blueprint"; |
| 5 | + blueprint.inputs.nixpkgs.follows = "nixpkgs"; |
7 | 6 | };
|
8 | 7 |
|
9 | 8 | outputs =
|
10 |
| - { |
11 |
| - self, |
12 |
| - nixpkgs, |
13 |
| - flake-utils, |
14 |
| - }: |
15 |
| - let |
16 |
| - systems = [ |
17 |
| - "x86_64-linux" |
18 |
| - "aarch64-linux" |
19 |
| - "x86_64-darwin" |
20 |
| - "aarch64-darwin" |
21 |
| - ]; |
22 |
| - |
23 |
| - forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system); |
24 |
| - |
25 |
| - mkAuthConfig = |
26 |
| - system: |
27 |
| - let |
28 |
| - pkgs = nixpkgs.legacyPackages.${system}; |
29 |
| - lib = pkgs.lib; |
30 |
| - |
31 |
| - # Go package |
32 |
| - auth-service = pkgs.buildGoModule { |
33 |
| - pname = "supabase-auth"; |
34 |
| - version = "0.1.0"; |
35 |
| - src = ./.; |
36 |
| - |
37 |
| - vendorHash = "sha256-knYvNkEVffWisvb4Dhm5qqtqQ4co9MGoNt6yH6dUll8="; |
38 |
| - |
39 |
| - buildFlags = [ |
40 |
| - "-tags" |
41 |
| - "netgo" |
42 |
| - ]; |
43 |
| - doCheck = false; |
44 |
| - |
45 |
| - # Specify the main package |
46 |
| - subPackages = [ "." ]; |
47 |
| - |
48 |
| - # Specify the output binary name |
49 |
| - postInstall = '' |
50 |
| - mv $out/bin/auth $out/bin/supabase-auth |
51 |
| - ''; |
52 |
| - }; |
53 |
| - |
54 |
| - # Evaluate both the auth and steps modules |
55 |
| - config = lib.evalModules { |
56 |
| - modules = [ |
57 |
| - ./nix/auth-module.nix |
58 |
| - ./nix/steps-module.nix |
59 |
| - { |
60 |
| - _module.args.pkgs = pkgs; |
61 |
| - auth = { |
62 |
| - enable = true; |
63 |
| - package = auth-service; |
64 |
| - port = 9999; |
65 |
| - settings = { |
66 |
| - GOTRUE_DB_DRIVER = "postgres"; |
67 |
| - GOTRUE_SITE_URL = "http://localhost:3000"; |
68 |
| - SITE_URL = "http://localhost:3000"; |
69 |
| - GOTRUE_API_EXTERNAL_URL = "http://localhost:9999"; |
70 |
| - API_EXTERNAL_URL = "http://localhost:9999"; |
71 |
| - GOTRUE_DB_HOST = "localhost"; |
72 |
| - GOTRUE_DB_PORT = "5432"; |
73 |
| - GOTRUE_DB_NAME = "postgres"; |
74 |
| - GOTRUE_DB_USER = "postgres"; |
75 |
| - GOTRUE_DB_PASSWORD = "postgres"; |
76 |
| - DATABASE_URL = "postgres://postgres:postgres@localhost:5432/postgres"; |
77 |
| - GOTRUE_JWT_SECRET = "your-super-secret-jwt-token-with-at-least-32-characters-long"; |
78 |
| - GOTRUE_JWT_EXP = "3600"; |
79 |
| - GOTRUE_JWT_DEFAULT_GROUP_NAME = "authenticated"; |
80 |
| - GOTRUE_DISABLE_SIGNUP = "false"; |
81 |
| - GOTRUE_MAILER_AUTOCONFIRM = "true"; |
82 |
| - GOTRUE_SMTP_ADMIN_EMAIL = "[email protected]"; |
83 |
| - GOTRUE_SMTP_HOST = "localhost"; |
84 |
| - GOTRUE_SMTP_PORT = "2500"; |
85 |
| - GOTRUE_SMTP_USER = ""; |
86 |
| - GOTRUE_SMTP_PASS = ""; |
87 |
| - GOTRUE_SMTP_SENDER_NAME = "Supabase"; |
88 |
| - }; |
89 |
| - }; |
90 |
| - steps = { |
91 |
| - enable = true; |
92 |
| - }; |
93 |
| - } |
94 |
| - ]; |
95 |
| - }; |
96 |
| - |
97 |
| - authConfigOutput = pkgs.stdenv.mkDerivation { |
98 |
| - name = "auth-config"; |
99 |
| - src = ./.; |
100 |
| - buildInputs = [ |
101 |
| - pkgs.bash |
102 |
| - auth-service |
103 |
| - ]; |
104 |
| - |
105 |
| - buildPhase = '' |
106 |
| - mkdir -p $out/etc $out/bin $out/lib/systemd/system |
107 |
| -
|
108 |
| - # Write the auth configuration |
109 |
| - cat > $out/etc/auth.env <<EOF |
110 |
| - # Auth configuration generated by Nix |
111 |
| - ${lib.concatStringsSep "\n" ( |
112 |
| - lib.mapAttrsToList (name: value: "${name}=${value}") config.config.auth.settings |
113 |
| - )} |
114 |
| - EOF |
115 |
| -
|
116 |
| - # Write the systemd unit file |
117 |
| - cat > $out/lib/systemd/system/gotrue.service <<EOF |
118 |
| - [Unit] |
119 |
| - Description=Gotrue |
120 |
| -
|
121 |
| - [Service] |
122 |
| - Type=simple |
123 |
| - WorkingDirectory=/opt/gotrue |
124 |
| - ExecStart=/opt/gotrue/gotrue --config-dir /etc/auth.d |
125 |
| - User=gotrue |
126 |
| - Restart=always |
127 |
| - RestartSec=3 |
128 |
| -
|
129 |
| - MemoryAccounting=true |
130 |
| - MemoryMax=50% |
131 |
| -
|
132 |
| - EnvironmentFile=-/etc/gotrue.generated.env |
133 |
| - EnvironmentFile=/etc/gotrue.env |
134 |
| - EnvironmentFile=-/etc/gotrue.overrides.env |
135 |
| -
|
136 |
| - Slice=services.slice |
137 |
| -
|
138 |
| - [Install] |
139 |
| - WantedBy=multi-user.target |
140 |
| - EOF |
141 |
| -
|
142 |
| - # Write a script to manage the auth service |
143 |
| - cat > $out/bin/manage-auth <<EOF |
144 |
| - #!/bin/sh |
145 |
| -
|
146 |
| - case "\$1" in |
147 |
| - start) |
148 |
| - echo "Starting auth service..." |
149 |
| - ${auth-service}/bin/supabase-auth -c $out/etc/auth.env |
150 |
| - # Execute steps if enabled |
151 |
| - ${lib.optionalString config.config.steps.enable ( |
152 |
| - lib.concatStringsSep "\n" config.config.steps.commands |
153 |
| - )} |
154 |
| - ;; |
155 |
| - stop) |
156 |
| - echo "Stopping auth service..." |
157 |
| - pkill -f "supabase-auth" |
158 |
| - ;; |
159 |
| - restart) |
160 |
| - echo "Restarting auth service..." |
161 |
| - pkill -f "supabase-auth" |
162 |
| - ${auth-service}/bin/supabase-auth -c $out/etc/auth.env |
163 |
| - ;; |
164 |
| - status) |
165 |
| - if pgrep -f "supabase-auth" > /dev/null; then |
166 |
| - echo "Auth service is running" |
167 |
| - else |
168 |
| - echo "Auth service is not running" |
169 |
| - fi |
170 |
| - ;; |
171 |
| - *) |
172 |
| - echo "Usage: \$0 {start|stop|restart|status}" |
173 |
| - exit 1 |
174 |
| - ;; |
175 |
| - esac |
176 |
| - EOF |
177 |
| - chmod +x $out/bin/manage-auth |
178 |
| -
|
179 |
| - # Write the activation script |
180 |
| - cat > $out/bin/activate <<EOF |
181 |
| - #!/bin/sh |
182 |
| - set -e |
183 |
| -
|
184 |
| - # Create necessary directories |
185 |
| - mkdir -p /opt/gotrue |
186 |
| - mkdir -p /etc/auth.d |
187 |
| - mkdir -p /etc/gotrue |
188 |
| -
|
189 |
| - # Set proper ownership |
190 |
| - chown -R gotrue:gotrue /opt/gotrue |
191 |
| - chown -R gotrue:gotrue /etc/auth.d |
192 |
| - chown -R gotrue:gotrue /etc/gotrue |
193 |
| -
|
194 |
| - # Set proper permissions |
195 |
| - chmod 775 /opt/gotrue |
196 |
| - chmod 775 /etc/auth.d |
197 |
| - chmod 775 /etc/gotrue |
198 |
| -
|
199 |
| - # Copy the binary to the correct location |
200 |
| - cp ${auth-service}/bin/supabase-auth /opt/gotrue/gotrue |
201 |
| - chown gotrue:gotrue /opt/gotrue/gotrue |
202 |
| - chmod 755 /opt/gotrue/gotrue |
203 |
| -
|
204 |
| - # Copy the systemd unit file |
205 |
| - cp $out/lib/systemd/system/gotrue.service /etc/systemd/system/ |
206 |
| - chmod 644 /etc/systemd/system/gotrue.service |
207 |
| -
|
208 |
| - # Copy the environment file to the correct location |
209 |
| - cp $out/etc/auth.env /etc/auth.d/20_generated.env |
210 |
| - chown gotrue:gotrue /etc/auth.d/20_generated.env |
211 |
| - chmod 600 /etc/auth.d/20_generated.env |
212 |
| -
|
213 |
| - # Create symlinks for easy access from nix profile |
214 |
| - mkdir -p /usr/local/bin |
215 |
| - mkdir -p /usr/local/share/gotrue |
216 |
| -
|
217 |
| - # Create symlinks to the nix profile locations |
218 |
| - ln -sf "\$NIX_PROFILE/bin/manage-auth" /usr/local/bin/gotrue-manage |
219 |
| - ln -sf "\$NIX_PROFILE/share/gotrue/gotrue.service" /usr/local/share/gotrue/gotrue.service |
220 |
| - ln -sf "\$NIX_PROFILE/bin/activate" /usr/local/bin/auth-activate |
221 |
| - ln -sf "\$NIX_PROFILE/bin/gotrue" /usr/local/bin/gotrue |
222 |
| -
|
223 |
| - # Allow UFW connections to GoTrue metrics exporter if UFW is installed |
224 |
| - if command -v ufw >/dev/null 2>&1; then |
225 |
| - ufw allow 9122/tcp comment "GoTrue metrics exporter" |
226 |
| - echo "Added UFW rule for GoTrue metrics exporter" |
227 |
| - fi |
228 |
| -
|
229 |
| - # Reload systemd |
230 |
| - systemctl daemon-reload |
231 |
| -
|
232 |
| - # Enable and start the service |
233 |
| - systemctl enable gotrue.service |
234 |
| - systemctl restart gotrue.service |
235 |
| -
|
236 |
| - echo "Gotrue service has been activated and started" |
237 |
| - echo "You can manage the service using: gotrue-manage {start|stop|restart|status}" |
238 |
| - echo "The following commands are available:" |
239 |
| - echo " gotrue-manage - Manage the Gotrue service" |
240 |
| - echo " auth-activate - Run this activation script again" |
241 |
| - echo " gotrue - The auth service binary" |
242 |
| - EOF |
243 |
| - chmod +x $out/bin/activate |
244 |
| -
|
245 |
| - # Create symlinks to the systemd unit files for easy access |
246 |
| - mkdir -p $out/share/gotrue |
247 |
| - ln -s $out/lib/systemd/system/gotrue.service $out/share/gotrue/gotrue.service |
248 |
| -
|
249 |
| - # Copy the auth binary to the package's bin directory |
250 |
| - cp ${auth-service}/bin/supabase-auth $out/bin/gotrue |
251 |
| - chmod +x $out/bin/gotrue |
252 |
| - ''; |
253 |
| - |
254 |
| - installPhase = "true"; |
255 |
| - }; |
256 |
| - |
257 |
| - in |
258 |
| - { |
259 |
| - packages = { |
260 |
| - default = authConfigOutput; |
261 |
| - }; |
262 |
| - devShells.default = pkgs.mkShell { |
263 |
| - buildInputs = [ |
264 |
| - pkgs.bash |
265 |
| - auth-service |
266 |
| - pkgs.go |
267 |
| - pkgs.gopls |
268 |
| - pkgs.gotools |
269 |
| - pkgs.go-outline |
270 |
| - pkgs.gocode-gomod |
271 |
| - pkgs.gopkgs |
272 |
| - pkgs.godef |
273 |
| - pkgs.golint |
274 |
| - pkgs.delve |
275 |
| - ]; |
276 |
| - shellHook = '' |
277 |
| - echo "Build with: nix build ." |
278 |
| - echo "Result will be in ./result" |
279 |
| - echo "Auth service version: ${auth-service.version}" |
280 |
| - ''; |
281 |
| - }; |
282 |
| - }; |
283 |
| - in |
284 |
| - { |
285 |
| - packages = forAllSystems (system: (mkAuthConfig system).packages); |
286 |
| - devShells = forAllSystems (system: (mkAuthConfig system).devShells); |
287 |
| - formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt-tree); |
| 9 | + inputs: |
| 10 | + inputs.blueprint { |
| 11 | + inherit inputs; |
| 12 | + prefix = "nix/"; |
288 | 13 | };
|
289 | 14 | }
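Review bot: The new `outputs = inputs: inputs.blueprint { inherit inputs; prefix = "nix/"; }` delegates every package, devShell and the generated auth config to files under `nix/`, but none of those files are in this diff, so it cannot be confirmed here that the literal defaults the old inline config carried (`GOTRUE_JWT_SECRET = "your-super-secret-jwt-token-with-at-least-32-characters-long"`, `GOTRUE_DB_PASSWORD = "postgres"`, and the same credentials embedded in `DATABASE_URL`) did not simply move with it; anything rendered into `$out/etc/auth.env` lands in the world-readable Nix store no matter the later `chmod 600` on the `/etc/auth.d/20_generated.env` copy, so the relocated module should take these values from an environment file or secret supplied at activation time rather than from Nix attribute defaults. The `blueprint` input is referenced by branch only, so its pin lives in flake.lock, which is not part of this diff — confirm the lock was updated in the same commit. The top-level `description` was dropped with no replacement; if that was not intended, restoring `description = "Supabase Auth Service with Nix modules and steps";` keeps `nix flake metadata` informative. The file header for this section is outside the visible page, so the path is inferred from content rather than read from the diff.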
|