Merge master into staging-next

2025-07-13 13:40:28 +03:00 · 2025-04-11 09:43:11 +00:00 · 2025-04-11 09:43:11 +00:00 · 5858ce00b1
commit 5858ce00b1
parent c25a303938 66290f9eb9
25 changed files with 525 additions and 144 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -1081,6 +1081,7 @@ in
    handleTest ./postfix-raise-smtpd-tls-security-level.nix
      { };
  postfixadmin = handleTest ./postfixadmin.nix { };
+  postgres-websockets = runTest ./postgres-websockets.nix;
  postgresql = handleTest ./postgresql { };
  postgrest = runTest ./postgrest.nix;
  powerdns = handleTest ./powerdns.nix { };
--- a/nixos/tests/postgres-websockets.nix
+++ b/nixos/tests/postgres-websockets.nix
@ -0,0 +1,84 @@
+{ lib, ... }:
+{
+  name = "postgres-websockets";
+
+  meta = {
+    maintainers = with lib.maintainers; [ wolfgangwalther ];
+  };
+
+  nodes.machine =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      environment.systemPackages = [ pkgs.websocat ];
+
+      services.postgresql = {
+        enable = true;
+        initialScript = pkgs.writeText "init.sql" ''
+          CREATE ROLE "postgres-websockets" LOGIN NOINHERIT;
+          CREATE ROLE "postgres-websockets_with_password" LOGIN NOINHERIT PASSWORD 'password';
+        '';
+      };
+
+      services.postgres-websockets = {
+        enable = true;
+        jwtSecretFile = "/run/secrets/jwt.secret";
+        environment.PGWS_DB_URI.dbname = "postgres";
+        environment.PGWS_LISTEN_CHANNEL = "websockets-listener";
+      };
+
+      specialisation.withPassword.configuration = {
+        services.postgresql.enableTCPIP = true;
+        services.postgres-websockets = {
+          pgpassFile = "/run/secrets/.pgpass";
+          environment.PGWS_DB_URI.host = "localhost";
+          environment.PGWS_DB_URI.user = "postgres-websockets_with_password";
+        };
+      };
+    };
+
+  extraPythonPackages = p: [ p.pyjwt ];
+
+  testScript =
+    { nodes, ... }:
+    let
+      withPassword = "${nodes.machine.system.build.toplevel}/specialisation/withPassword";
+    in
+    ''
+      machine.execute("""
+        mkdir -p /run/secrets
+        echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret
+      """)
+
+      import jwt
+      token = jwt.encode({ "mode": "rw" }, "reallyreallyreallyreallyverysafe")
+
+      def test():
+          machine.wait_for_unit("postgresql.service")
+          machine.wait_for_unit("postgres-websockets.service")
+
+          machine.succeed(f"echo 'hi there' | websocat --no-close 'ws://localhost:3000/test/{token}' > output &")
+          machine.sleep(1)
+          machine.succeed("grep 'hi there' output")
+
+          machine.succeed("""
+            sudo -u postgres psql -c "SELECT pg_notify('websockets-listener', json_build_object('channel', 'test', 'event', 'message', 'payload', 'Hello World')::text);" >/dev/null
+          """)
+          machine.sleep(1)
+          machine.succeed("grep 'Hello World' output")
+
+      with subtest("without password"):
+          test()
+
+      with subtest("with password"):
+          machine.execute("""
+            echo "*:*:*:*:password" > /run/secrets/.pgpass
+          """)
+          machine.succeed("${withPassword}/bin/switch-to-configuration test >&2")
+          test()
+    '';
+}