nixpkgs/nixos/tests/postgrest.nix

{ lib, ... }:
{
  name = "postgrest";

  meta = {
    maintainers = with lib.maintainers; [ wolfgangwalther ];
  };

  nodes.machine =
    {
      config,
      lib,
      pkgs,
      ...
    }:
    {
      services.postgresql = {
        enable = true;
        initialScript = pkgs.writeText "init.sql" ''
          CREATE ROLE postgrest LOGIN NOINHERIT;
          CREATE ROLE anon ROLE postgrest;

          CREATE ROLE postgrest_with_password LOGIN NOINHERIT PASSWORD 'password';
          CREATE ROLE authenticated ROLE postgrest_with_password;
        '';
      };

      services.postgrest = {
        enable = true;
        settings = {
          admin-server-port = 3001;
          db-anon-role = "anon";
          db-uri.dbname = "postgres";
        };
      };

      specialisation.withSecrets.configuration = {
        services.postgresql.enableTCPIP = true;
        services.postgrest = {
          pgpassFile = "/run/secrets/.pgpass";
          jwtSecretFile = "/run/secrets/jwt.secret";
          settings.db-uri.host = "localhost";
          settings.db-uri.user = "postgrest_with_password";
          settings.server-port = 3000;
          settings.server-unix-socket = null;
        };
      };
    };

  extraPythonPackages = p: [ p.pyjwt ];

  testScript =
    { nodes, ... }:
    let
      withSecrets = "${nodes.machine.system.build.toplevel}/specialisation/withSecrets";
    in
    ''
      import jwt

      machine.wait_for_unit("postgresql.service")

      def wait_for_postgrest():
          machine.wait_for_unit("postgrest.service")
          machine.wait_until_succeeds("curl --fail -s http://localhost:3001/ready", timeout=30)

      with subtest("anonymous access"):
          wait_for_postgrest()
          machine.succeed(
            "curl --fail-with-body --no-progress-meter --unix-socket /run/postgrest/postgrest.sock http://localhost",
            timeout=2
          )

      machine.execute("""
        mkdir -p /run/secrets
        echo "*:*:*:*:password" > /run/secrets/.pgpass
        echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret
      """)

      with subtest("authenticated access"):
          machine.succeed("${withSecrets}/bin/switch-to-configuration test >&2")
          wait_for_postgrest()
          token = jwt.encode({ "role": "authenticated" }, "reallyreallyreallyreallyverysafe")
          machine.succeed(
            f"curl --fail-with-body --no-progress-meter -H 'Authorization: Bearer {token}' http://localhost:3000",
            timeout=2
          )
    '';
}
nixos/postgrest: init module 2025-03-28 17:09:32 +01:00			`{ lib, ... }:`
			`{`
			`name = "postgrest";`

			`meta = {`
			`maintainers = with lib.maintainers; [ wolfgangwalther ];`
			`};`

			`nodes.machine =`
			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
			`{`
			`services.postgresql = {`
			`enable = true;`
			`initialScript = pkgs.writeText "init.sql" ''`
			`CREATE ROLE postgrest LOGIN NOINHERIT;`
			`CREATE ROLE anon ROLE postgrest;`

			`CREATE ROLE postgrest_with_password LOGIN NOINHERIT PASSWORD 'password';`
			`CREATE ROLE authenticated ROLE postgrest_with_password;`
			`'';`
			`};`

			`services.postgrest = {`
			`enable = true;`
			`settings = {`
			`admin-server-port = 3001;`
			`db-anon-role = "anon";`
			`db-uri.dbname = "postgres";`
			`};`
			`};`

			`specialisation.withSecrets.configuration = {`
			`services.postgresql.enableTCPIP = true;`
			`services.postgrest = {`
			`pgpassFile = "/run/secrets/.pgpass";`
			`jwtSecretFile = "/run/secrets/jwt.secret";`
			`settings.db-uri.host = "localhost";`
			`settings.db-uri.user = "postgrest_with_password";`
			`settings.server-port = 3000;`
			`settings.server-unix-socket = null;`
			`};`
			`};`
			`};`

			`extraPythonPackages = p: [ p.pyjwt ];`

			`testScript =`
			`{ nodes, ... }:`
			`let`
			`withSecrets = "${nodes.machine.system.build.toplevel}/specialisation/withSecrets";`
			`in`
			`''`
			`import jwt`

			`machine.wait_for_unit("postgresql.service")`

			`def wait_for_postgrest():`
			`machine.wait_for_unit("postgrest.service")`
			`machine.wait_until_succeeds("curl --fail -s http://localhost:3001/ready", timeout=30)`

			`with subtest("anonymous access"):`
			`wait_for_postgrest()`
			`machine.succeed(`
			`"curl --fail-with-body --no-progress-meter --unix-socket /run/postgrest/postgrest.sock http://localhost",`
			`timeout=2`
			`)`

			`machine.execute("""`
			`mkdir -p /run/secrets`
			`echo "::::password" > /run/secrets/.pgpass`
			`echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret`
			`""")`

			`with subtest("authenticated access"):`
			`machine.succeed("${withSecrets}/bin/switch-to-configuration test >&2")`
			`wait_for_postgrest()`
			`token = jwt.encode({ "role": "authenticated" }, "reallyreallyreallyreallyverysafe")`
			`machine.succeed(`
			`f"curl --fail-with-body --no-progress-meter -H 'Authorization: Bearer {token}' http://localhost:3000",`
			`timeout=2`
			`)`
			`'';`
			`}`