movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
Code Activity
nixpkgs/nixos/tests/postgrest.nix
Wolfgang Walther 41c5662cbe
nixos/postgresql: move postStart into separate unit 
This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.

To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.

Resolves #400018

Co-authored-by: Marcel <me@m4rc3l.de>
2025-06-24 15:26:47 +02:00

88 lines
2.5 KiB
Nix
Raw Blame History

{ lib, ... }:
{
name = "postgrest";
meta = {
maintainers = with lib.maintainers; [ wolfgangwalther ];
};
nodes.machine =
{
config,
lib,
pkgs,
...
}:
{
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "init.sql" ''
CREATE ROLE postgrest LOGIN NOINHERIT;
CREATE ROLE anon ROLE postgrest;
CREATE ROLE postgrest_with_password LOGIN NOINHERIT PASSWORD 'password';
CREATE ROLE authenticated ROLE postgrest_with_password;
'';
};
services.postgrest = {
enable = true;
settings = {
admin-server-port = 3001;
db-anon-role = "anon";
db-uri.dbname = "postgres";
};
};
specialisation.withSecrets.configuration = {
services.postgresql.enableTCPIP = true;
services.postgrest = {
pgpassFile = "/run/secrets/.pgpass";
jwtSecretFile = "/run/secrets/jwt.secret";
settings.db-uri.host = "localhost";
settings.db-uri.user = "postgrest_with_password";
settings.server-port = 3000;
settings.server-unix-socket = null;
};
};
};
extraPythonPackages = p: [ p.pyjwt ];
testScript =
{ nodes, ... }:
let
withSecrets = "${nodes.machine.system.build.toplevel}/specialisation/withSecrets";
in
''
import jwt
machine.wait_for_unit("postgresql.target")
def wait_for_postgrest():
machine.wait_for_unit("postgrest.service")
machine.wait_until_succeeds("curl --fail -s http://localhost:3001/ready", timeout=30)
with subtest("anonymous access"):
wait_for_postgrest()
machine.succeed(
"curl --fail-with-body --no-progress-meter --unix-socket /run/postgrest/postgrest.sock http://localhost",
timeout=2
)
machine.execute("""
mkdir -p /run/secrets
echo "*:*:*:*:password" > /run/secrets/.pgpass
echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret
""")
with subtest("authenticated access"):
machine.succeed("${withSecrets}/bin/switch-to-configuration test >&2")
wait_for_postgrest()
token = jwt.encode({ "role": "authenticated" }, "reallyreallyreallyreallyverysafe")
machine.succeed(
f"curl --fail-with-body --no-progress-meter -H 'Authorization: Bearer {token}' http://localhost:3000",
timeout=2
)
'';
}
View git blame Copy permalink