nixos/postgrest: init module

2025-03-28 17:09:32 +01:00
parent 71740ceb69
commit 064432a519
6 changed files with 404 additions and 0 deletions
--- a/nixos/tests/postgrest.nix
+++ b/nixos/tests/postgrest.nix
@@ -0,0 +1,88 @@
+{ lib, ... }:
+{
+  name = "postgrest";
+
+  meta = {
+    maintainers = with lib.maintainers; [ wolfgangwalther ];
+  };
+
+  nodes.machine =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      services.postgresql = {
+        enable = true;
+        initialScript = pkgs.writeText "init.sql" ''
+          CREATE ROLE postgrest LOGIN NOINHERIT;
+          CREATE ROLE anon ROLE postgrest;
+
+          CREATE ROLE postgrest_with_password LOGIN NOINHERIT PASSWORD 'password';
+          CREATE ROLE authenticated ROLE postgrest_with_password;
+        '';
+      };
+
+      services.postgrest = {
+        enable = true;
+        settings = {
+          admin-server-port = 3001;
+          db-anon-role = "anon";
+          db-uri.dbname = "postgres";
+        };
+      };
+
+      specialisation.withSecrets.configuration = {
+        services.postgresql.enableTCPIP = true;
+        services.postgrest = {
+          pgpassFile = "/run/secrets/.pgpass";
+          jwtSecretFile = "/run/secrets/jwt.secret";
+          settings.db-uri.host = "localhost";
+          settings.db-uri.user = "postgrest_with_password";
+          settings.server-port = 3000;
+          settings.server-unix-socket = null;
+        };
+      };
+    };
+
+  extraPythonPackages = p: [ p.pyjwt ];
+
+  testScript =
+    { nodes, ... }:
+    let
+      withSecrets = "${nodes.machine.system.build.toplevel}/specialisation/withSecrets";
+    in
+    ''
+      import jwt
+
+      machine.wait_for_unit("postgresql.service")
+
+      def wait_for_postgrest():
+          machine.wait_for_unit("postgrest.service")
+          machine.wait_until_succeeds("curl --fail -s http://localhost:3001/ready", timeout=30)
+
+      with subtest("anonymous access"):
+          wait_for_postgrest()
+          machine.succeed(
+            "curl --fail-with-body --no-progress-meter --unix-socket /run/postgrest/postgrest.sock http://localhost",
+            timeout=2
+          )
+
+      machine.execute("""
+        mkdir -p /run/secrets
+        echo "*:*:*:*:password" > /run/secrets/.pgpass
+        echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret
+      """)
+
+      with subtest("authenticated access"):
+          machine.succeed("${withSecrets}/bin/switch-to-configuration test >&2")
+          wait_for_postgrest()
+          token = jwt.encode({ "role": "authenticated" }, "reallyreallyreallyreallyverysafe")
+          machine.succeed(
+            f"curl --fail-with-body --no-progress-meter -H 'Authorization: Bearer {token}' http://localhost:3000",
+            timeout=2
+          )
+    '';
+}