89 lines
		
	
	
		
			2.5 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
			
		
		
	
	
			89 lines
		
	
	
		
			2.5 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
| { lib, ... }:
 | |
| {
 | |
|   name = "postgrest";
 | |
| 
 | |
|   meta = {
 | |
|     maintainers = with lib.maintainers; [ wolfgangwalther ];
 | |
|   };
 | |
| 
 | |
|   nodes.machine =
 | |
|     {
 | |
|       config,
 | |
|       lib,
 | |
|       pkgs,
 | |
|       ...
 | |
|     }:
 | |
|     {
 | |
|       services.postgresql = {
 | |
|         enable = true;
 | |
|         initialScript = pkgs.writeText "init.sql" ''
 | |
|           CREATE ROLE postgrest LOGIN NOINHERIT;
 | |
|           CREATE ROLE anon ROLE postgrest;
 | |
| 
 | |
|           CREATE ROLE postgrest_with_password LOGIN NOINHERIT PASSWORD 'password';
 | |
|           CREATE ROLE authenticated ROLE postgrest_with_password;
 | |
|         '';
 | |
|       };
 | |
| 
 | |
|       services.postgrest = {
 | |
|         enable = true;
 | |
|         settings = {
 | |
|           admin-server-port = 3001;
 | |
|           db-anon-role = "anon";
 | |
|           db-uri.dbname = "postgres";
 | |
|         };
 | |
|       };
 | |
| 
 | |
|       specialisation.withSecrets.configuration = {
 | |
|         services.postgresql.enableTCPIP = true;
 | |
|         services.postgrest = {
 | |
|           pgpassFile = "/run/secrets/.pgpass";
 | |
|           jwtSecretFile = "/run/secrets/jwt.secret";
 | |
|           settings.db-uri.host = "localhost";
 | |
|           settings.db-uri.user = "postgrest_with_password";
 | |
|           settings.server-port = 3000;
 | |
|           settings.server-unix-socket = null;
 | |
|         };
 | |
|       };
 | |
|     };
 | |
| 
 | |
|   extraPythonPackages = p: [ p.pyjwt ];
 | |
| 
 | |
|   testScript =
 | |
|     { nodes, ... }:
 | |
|     let
 | |
|       withSecrets = "${nodes.machine.system.build.toplevel}/specialisation/withSecrets";
 | |
|     in
 | |
|     ''
 | |
|       import jwt
 | |
| 
 | |
|       machine.wait_for_unit("postgresql.service")
 | |
| 
 | |
|       def wait_for_postgrest():
 | |
|           machine.wait_for_unit("postgrest.service")
 | |
|           machine.wait_until_succeeds("curl --fail -s http://localhost:3001/ready", timeout=30)
 | |
| 
 | |
|       with subtest("anonymous access"):
 | |
|           wait_for_postgrest()
 | |
|           machine.succeed(
 | |
|             "curl --fail-with-body --no-progress-meter --unix-socket /run/postgrest/postgrest.sock http://localhost",
 | |
|             timeout=2
 | |
|           )
 | |
| 
 | |
|       machine.execute("""
 | |
|         mkdir -p /run/secrets
 | |
|         echo "*:*:*:*:password" > /run/secrets/.pgpass
 | |
|         echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret
 | |
|       """)
 | |
| 
 | |
|       with subtest("authenticated access"):
 | |
|           machine.succeed("${withSecrets}/bin/switch-to-configuration test >&2")
 | |
|           wait_for_postgrest()
 | |
|           token = jwt.encode({ "role": "authenticated" }, "reallyreallyreallyreallyverysafe")
 | |
|           machine.succeed(
 | |
|             f"curl --fail-with-body --no-progress-meter -H 'Authorization: Bearer {token}' http://localhost:3000",
 | |
|             timeout=2
 | |
|           )
 | |
|     '';
 | |
| }
 | 
