
feat: a nix package, config and devShell for supabase-auth #2020


Draft
wants to merge 3 commits into
base: master
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -16,3 +16,4 @@ www/.DS_Store
www/node_modules
npm-debug.log
.data
result
61 changes: 61 additions & 0 deletions flake.lock


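--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,272 @@
+{
+description = "Supabase Auth Service with Nix modules and steps";
+
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+flake-utils.url = "github:numtide/flake-utils";
+};
+
+outputs = { self, nixpkgs, flake-utils }:
+let
+systems = [
+"x86_64-linux"
+"aarch64-linux"
+"x86_64-darwin"
+"aarch64-darwin"
+];
+
+forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
+
+mkAuthConfig = system:
+let
+pkgs = nixpkgs.legacyPackages.${system};
+lib = pkgs.lib;
+
+# Go package
+auth-service = pkgs.buildGoModule {
+pname = "supabase-auth";
+version = "0.1.0";
+src = ./.;
+
+vendorHash = "sha256-QBQUUFWT3H3L7ajFV8cgi0QREXnm0ReIisD+4ACfLZQ=";
+
+buildFlags = [ "-tags" "netgo" ];
+doCheck = false;
+
+# Specify the main package
+subPackages = [ "." ];
+
+# Specify the output binary name
+postInstall = ''
+mv $out/bin/auth $out/bin/supabase-auth
+'';
+};
+
+# Evaluate both the auth and steps modules
+config = lib.evalModules {
+modules = [
+./nix/auth-module.nix
+./nix/steps-module.nix
+{
+_module.args.pkgs = pkgs;
+auth = {
+enable = true;
+package = auth-service;
+port = 9999;
+settings = {
+GOTRUE_DB_DRIVER = "postgres";
+GOTRUE_SITE_URL = "http://localhost:3000";
+SITE_URL = "http://localhost:3000";
+GOTRUE_API_EXTERNAL_URL = "http://localhost:9999";
+API_EXTERNAL_URL = "http://localhost:9999";
+GOTRUE_DB_HOST = "localhost";
+GOTRUE_DB_PORT = "5432";
+GOTRUE_DB_NAME = "postgres";
+GOTRUE_DB_USER = "postgres";
+GOTRUE_DB_PASSWORD = "postgres";
+DATABASE_URL = "postgres://postgres:postgres@localhost:5432/postgres";
+GOTRUE_JWT_SECRET = "your-super-secret-jwt-token-with-at-least-32-characters-long";
+GOTRUE_JWT_EXP = "3600";
+GOTRUE_JWT_DEFAULT_GROUP_NAME = "authenticated";
+GOTRUE_DISABLE_SIGNUP = "false";
+GOTRUE_MAILER_AUTOCONFIRM = "true";
+GOTRUE_SMTP_ADMIN_EMAIL = "[email protected]";
+GOTRUE_SMTP_HOST = "localhost";
+GOTRUE_SMTP_PORT = "2500";
+GOTRUE_SMTP_USER = "";
+GOTRUE_SMTP_PASS = "";
+GOTRUE_SMTP_SENDER_NAME = "Supabase";
+};
+};
+steps = {
+enable = true;
+};
+}
+];
+};
+
+authConfigOutput = pkgs.stdenv.mkDerivation {
+name = "auth-config";
+src = ./.;
+buildInputs = [ pkgs.bash auth-service ];
+
+buildPhase = ''
+mkdir -p $out/etc $out/bin $out/lib/systemd/system
+
+# Write the auth configuration
+cat > $out/etc/auth.env <<EOF
+# Auth configuration generated by Nix
+${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name}=${value}") config.config.auth.settings)}
+EOF
+
+# Write the systemd unit file
+cat > $out/lib/systemd/system/gotrue.service <<EOF
+[Unit]
+Description=Gotrue
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/gotrue
+ExecStart=/opt/gotrue/gotrue --config-dir /etc/auth.d
+User=gotrue
+Restart=always
+RestartSec=3
+
+MemoryAccounting=true
+MemoryMax=50%
+
+EnvironmentFile=-/etc/gotrue.generated.env
+EnvironmentFile=/etc/gotrue.env
+EnvironmentFile=-/etc/gotrue.overrides.env
+
+Slice=services.slice
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Write a script to manage the auth service
+cat > $out/bin/manage-auth <<EOF
+#!/bin/sh
+
+case "\$1" in
+start)
+echo "Starting auth service..."
+${auth-service}/bin/supabase-auth -c $out/etc/auth.env
+# Execute steps if enabled
+${lib.optionalString config.config.steps.enable (lib.concatStringsSep "\n" config.config.steps.commands)}
+;;
+stop)
+echo "Stopping auth service..."
+pkill -f "supabase-auth"
+;;
+restart)
+echo "Restarting auth service..."
+pkill -f "supabase-auth"
+${auth-service}/bin/supabase-auth -c $out/etc/auth.env
+;;
+status)
+if pgrep -f "supabase-auth" > /dev/null; then
+echo "Auth service is running"
+else
+echo "Auth service is not running"
+fi
+;;
+*)
+echo "Usage: \$0 {start|stop|restart|status}"
+exit 1
+;;
+esac
+EOF
+chmod +x $out/bin/manage-auth
+
+# Write the activation script
+cat > $out/bin/activate <<EOF
+#!/bin/sh
+set -e
+
+# Create necessary directories
+mkdir -p /opt/gotrue
+mkdir -p /etc/auth.d
+mkdir -p /etc/gotrue
+
+# Set proper ownership
+chown -R gotrue:gotrue /opt/gotrue
+chown -R gotrue:gotrue /etc/auth.d
+chown -R gotrue:gotrue /etc/gotrue
+
+# Set proper permissions
+chmod 775 /opt/gotrue
+chmod 775 /etc/auth.d
+chmod 775 /etc/gotrue
+
+# Copy the binary to the correct location
+cp ${auth-service}/bin/supabase-auth /opt/gotrue/gotrue
+chown gotrue:gotrue /opt/gotrue/gotrue
+chmod 755 /opt/gotrue/gotrue
+
+# Copy the systemd unit file
+cp $out/lib/systemd/system/gotrue.service /etc/systemd/system/
+chmod 644 /etc/systemd/system/gotrue.service
+
+# Copy the environment file to the correct location
+cp $out/etc/auth.env /etc/auth.d/20_generated.env
+chown gotrue:gotrue /etc/auth.d/20_generated.env
+chmod 600 /etc/auth.d/20_generated.env
+
+# Create symlinks for easy access from nix profile
+mkdir -p /usr/local/bin
+mkdir -p /usr/local/share/gotrue
+
+# Create symlinks to the nix profile locations
+ln -sf "\$NIX_PROFILE/bin/manage-auth" /usr/local/bin/gotrue-manage
+ln -sf "\$NIX_PROFILE/share/gotrue/gotrue.service" /usr/local/share/gotrue/gotrue.service
+ln -sf "\$NIX_PROFILE/bin/activate" /usr/local/bin/auth-activate
+ln -sf "\$NIX_PROFILE/bin/gotrue" /usr/local/bin/gotrue
+
+# Allow UFW connections to GoTrue metrics exporter if UFW is installed
+if command -v ufw >/dev/null 2>&1; then
+ufw allow 9122/tcp comment "GoTrue metrics exporter"
+echo "Added UFW rule for GoTrue metrics exporter"
+fi
+
+# Reload systemd
+systemctl daemon-reload
+
+# Enable and start the service
+systemctl enable gotrue.service
+systemctl restart gotrue.service
+
+echo "Gotrue service has been activated and started"
+echo "You can manage the service using: gotrue-manage {start|stop|restart|status}"
+echo "The following commands are available:"
+echo " gotrue-manage - Manage the Gotrue service"
+echo " auth-activate - Run this activation script again"
+echo " gotrue - The auth service binary"
+EOF
+chmod +x $out/bin/activate
+
+# Create symlinks to the systemd unit files for easy access
+mkdir -p $out/share/gotrue
+ln -s $out/lib/systemd/system/gotrue.service $out/share/gotrue/gotrue.service
+
+# Copy the auth binary to the package's bin directory
+cp ${auth-service}/bin/supabase-auth $out/bin/gotrue
+chmod +x $out/bin/gotrue
+'';
+
+installPhase = "true";
+};
+
+in
+{
+packages = {
+default = authConfigOutput;
+};
+devShells.default = pkgs.mkShell {
+buildInputs = [
+pkgs.bash
+auth-service
+pkgs.go
+pkgs.gopls
+pkgs.gotools
+pkgs.go-outline
+pkgs.gocode
+pkgs.gopkgs
+pkgs.godef
+pkgs.golint
+pkgs.delve
+];
+shellHook = ''
+echo "Build with: nix build ."
+echo "Result will be in ./result"
+echo "Auth service version: ${auth-service.version}"
+'';
+};
+};
+in
+{
+packages = forAllSystems (system: (mkAuthConfig system).packages);
+devShells = forAllSystems (system: (mkAuthConfig system).devShells);
+};
+}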
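Review bot: The `settings` block renders `GOTRUE_JWT_SECRET`, `GOTRUE_DB_PASSWORD` and `DATABASE_URL` into `$out/etc/auth.env`, and store paths are world-readable on a default Nix install, so the `chmod 600` on `/etc/auth.d/20_generated.env` in `activate` protects only the copy; a host activated unchanged would also sign tokens with a placeholder secret that is public in this repository. Keep only non-secret keys in `settings` and let `activate` refuse to start without an operator-supplied secret file, e.g. `[ -s /etc/gotrue.env ] || { echo "missing /etc/gotrue.env" >&2; exit 1; }`, since the unit already declares `EnvironmentFile=/etc/gotrue.env` and nothing here creates it. Separately, `chown -R gotrue:gotrue /opt/gotrue` with `chmod 775` lets the service account replace the executable it runs; `chown root:root /opt/gotrue/gotrue` in a root-owned directory avoids that. `ufw allow 9122/tcp` opens the metrics port to every source address and would be safer limited to the scraper's address.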