(WIP) feat: deploy gotrue using system manager

Author: yvan-sraka

ansible/files/gotrue-optimizations.service.j2

@@ -24,9 +24,6 @@ postgrest_release: "13.0.5"
 postgrest_arm_release_checksum: sha256:7b4eafdaf76bc43b57f603109d460a838f89f949adccd02f452ca339f9a0a0d4
 postgrest_x86_release_checksum: sha256:05be2bd48abee6c1691fc7c5d005023466c6989e41a4fc7d1302b8212adb88b5
 
-gotrue_release: 2.179.0
-gotrue_release_checksum: sha1:e985fce00b2720b747e6a04420910015c4967121
-
 aws_cli_release: "2.23.11"
 
 salt_minion_version: 3007

ansible/files/gotrue.service.j2

@@ -33,7 +33,15 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     system-manager = {
-      url = "github:numtide/system-manager";
+      # FIXME: remove custom branch when this PR is merged:
+      # https://github.com/numtide/system-manager/pull/266
+      url = "github:numtide/system-manager/users";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    gotrue = {
+      # FIXME: remove custom fork when this PR is merged:
+      # https://github.com/supabase/auth/pull/2166
+      url = "github:yvan-sraka/auth";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };

ansible/vars.yml

@@ -1,9 +1,11 @@
 { self, inputs, ... }:
 let
   mkModules = system: [
+    self.systemModules.gotrue
     ({
       services.nginx.enable = true;
       nixpkgs.hostPlatform = system;
+      supabase.services.gotrue.enable = true;
     })
   ];
 

flake.lock

@@ -4,6 +4,8 @@
 {
   imports = [ ./tests ];
   flake = {
-    systemModules = { };
+    systemModules = {
+      gotrue = ./gotrue.nix;
+    };
   };
 }

flake.nix

@@ -0,0 +1,38 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.supabase.services.gotrue;
+in
+{
+  options = {
+    supabase.services.gotrue = {
+      enable = lib.mkEnableOption "Supabase (gotrue) authentication service";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    self.inputs.gotrue.module.enable = true;
+
+    # TODO: supabase-admin-api haven't been turned into a system-manager module yet:
+    #
+    # systemd.services.gotrue-optimizations = {
+    #   description = "gotrue (auth) optimizations";
+    #   wantedBy = [ "gotrue.service" ];
+    #   serviceConfig = {
+    #     Type = "oneshot";
+    #     # we don't want failures from this command to cause PG startup to fail
+    #     ExecStart = "/bin/bash -c '/opt/supabase-admin-api optimize auth --destination-config-file-path /etc/gotrue/gotrue.generated.env ; exit 0'";
+    #     ExecStartPost = "/bin/bash -c 'cp -a /etc/gotrue/gotrue.generated.env /etc/auth.d/20_generated.env ; exit 0'";
+    #     User = "postgrest";
+    #   };
+    # };
+
+    # TODO: that's what the activation script was doing:
+    # cp $out/etc/auth.env /etc/auth.d/20_generated.env
+    # chown gotrue:gotrue /etc/auth.d/20_generated.env
+    # chmod 600 /etc/auth.d/20_generated.env
+  };
+}

nix/systemConfigs.nix

@@ -0,0 +1,11 @@
+# from time import sleep
+
+
+def test_gotrue_service(host):
+    # sleep(5000) # Handy for interactive debugging (with docker exec -it $CONTAINER_ID /bin/bash)
+    assert host.service("gotrue.service").is_valid
+    assert host.service("gotrue.service").is_running, (
+        "Auth service should be running but failed: {}".format(
+            host.run("systemctl status gotrue.service").stdout
+        )
+    )