feat: add ansible task testing infrastructure based on Docker and pytest

This complements the existing AMI tests in testinfra by providing
a faster feedback loops for Ansible development without requiring a full
VM.

We are also using testinfra to validate that the Ansible tasks have the
desired effect.

It is based on Docker, it can be run locally (e.g. macOS) or in CI.

Note that this approach is not intended to replace the AMI tests, but
rather to provide a more efficient way to test Ansible tasks during
development.

You can run the tests using `nix run -L .\#ansible-test`

Author: jfroche

.github/actionlint.yaml

@@ -0,0 +1,7 @@
+self-hosted-runner:
+  labels:
+    - aarch64-darwin
+    - aarch64-linux
+    - blacksmith-4vcpu-ubuntu-2404
+    - blacksmith-16vcpu-ubuntu-2404
+    - blacksmith-32vcpu-ubuntu-2404

.github/actions/nix-install-ephemeral/action.yml

@@ -0,0 +1,46 @@
+name: 'Install Nix on ephemeral runners'
+description: 'Installs Nix and sets up AWS credentials to push to the Nix binary cache'
+inputs:
+  push-to-cache:
+    description: 'Whether to push build outputs to the Nix binary cache'
+    required: false
+    default: 'false'
+runs:
+  using: 'composite'
+  steps:
+    - name: aws-creds
+      uses: aws-actions/configure-aws-credentials@v4
+      if: ${{ inputs.push-to-cache == 'true' }}
+      with:
+        role-to-assume: ${{ env.DEV_AWS_ROLE }}
+        aws-region: "us-east-1"
+        output-credentials: true
+        role-duration-seconds: 7200
+    - name: Setup AWS credentials for Nix
+      if: ${{ inputs.push-to-cache == 'true' }}
+      shell: bash
+      run: |
+        sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+        sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+        sudo -H aws configure set aws_session_token $AWS_SESSION_TOKEN
+        sudo mkdir -p /etc/nix
+        sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
+        cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
+        #!/usr/bin/env bash
+        set -euo pipefail
+        set -f
+
+        export IFS=' '
+        /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
+        EOF
+        sudo chmod +x /etc/nix/upload-to-cache.sh
+      env:
+        NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }}
+    - name: Install nix
+      uses: cachix/install-nix-action@v31
+      with:
+        install_url: https://releases.nixos.org/nix/nix-2.31.2/install
+        extra_nix_config: |
+          substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+          trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}

.github/workflows/ansible-tests.yml

@@ -0,0 +1,98 @@
+name: Ansible Test Image CI
+
+on:
+  push:
+    branches:
+      - develop
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build-and-push:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+    runs-on: ${{ matrix.arch == 'amd64' && 'blacksmith-16vcpu-ubuntu-2404' || 'blacksmith-16vcpu-ubuntu-2404-arm' }}
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install Nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: true
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build Docker image with Nix
+        run: |
+          echo "Building ansible-test Docker image for ${{ matrix.arch }}..."
+          IMAGE_PATH=$(nix build .#docker-ansible-test --print-out-paths)
+          echo "IMAGE_PATH=$IMAGE_PATH" >> "$GITHUB_ENV"
+
+      - name: Load and push Docker image
+        run: |
+          echo "Loading Docker image..."
+          docker load < "$IMAGE_PATH"
+          docker tag supabase/ansible-test:latest supabase/ansible-test:latest-${{ matrix.arch }}
+          docker push supabase/ansible-test:latest-${{ matrix.arch }}
+
+  create-manifest:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
+    needs: build-and-push
+    runs-on: 'blacksmith-4vcpu-ubuntu-2404'
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Create and push multi-arch manifest
+        run: |
+          docker manifest create supabase/ansible-test:latest \
+            supabase/ansible-test:latest-amd64 \
+            supabase/ansible-test:latest-arm64
+          docker manifest push supabase/ansible-test:latest
+
+  run-ansible-tests:
+    if: github.event_name == 'pull_request' || success()
+    needs: create-manifest
+    runs-on: 'blacksmith-16vcpu-ubuntu-2404'
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install Nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: true
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Ansible tests
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+        run: |
+          docker pull supabase/ansible-test:latest &
+          nix run .#ansible-test

ansible/tasks/files

@@ -0,0 +1 @@
+../files

ansible/tests/conftest.py

@@ -0,0 +1,82 @@
+import pytest
+import subprocess
+import testinfra
+from rich.console import Console
+
+console = Console()
+
+
+def pytest_addoption(parser):
+    parser.addoption(
+        "--flake-dir",
+        action="store",
+        help="Directory containing the current flake",
+    )
+
+    parser.addoption(
+        "--docker-image",
+        action="store",
+        help="Docker image and tag to use for testing",
+    )
+
+
+@pytest.fixture(scope="module")
+def host(request):
+    flake_dir = request.config.getoption("--flake-dir")
+    if not flake_dir:
+        pytest.fail("--flake-dir option is required")
+    docker_image = request.config.getoption("--docker-image")
+    docker_id = (
+        subprocess.check_output(
+            [
+                "docker",
+                "run",
+                "--privileged",
+                "--cap-add",
+                "SYS_ADMIN",
+                "--security-opt",
+                "seccomp=unconfined",
+                "--cgroup-parent=docker.slice",
+                "--cgroupns",
+                "private",
+                "-v",
+                f"{flake_dir}:/flake",
+                "-d",
+                docker_image,
+            ]
+        )
+        .decode()
+        .strip()
+    )
+    yield testinfra.get_host("docker://" + docker_id)
+    subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)
+
+
+@pytest.fixture(scope="module")
+def run_ansible_playbook(host):
+    def _run_playbook(playbook_name, verbose=False):
+        cmd = [
+            "ANSIBLE_HOST_KEY_CHECKING=False",
+            "ansible-playbook",
+            "--connection=local",
+        ]
+        if verbose:
+            cmd.append("-vvv")
+        cmd.extend(
+            [
+                "-i",
+                "localhost,",
+                "--extra-vars",
+                "@/flake/ansible/vars.yml",
+                f"/flake/ansible/tests/{playbook_name}",
+            ]
+        )
+        result = host.run(" ".join(cmd))
+        if result.failed:
+            console.log(result.stdout)
+            console.log(result.stderr)
+            pytest.fail(
+                f"Ansible playbook {playbook_name} failed with return code {result.rc}"
+            )
+
+    return _run_playbook

ansible/tests/nginx.yaml

@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+  tasks:
+  - name: Install dependencies
+    apt:
+      pkg:
+        - build-essential
+      update_cache: yes
+  - import_tasks: ../tasks/setup-nginx.yml
+  - name: Start Nginx service
+    service:
+      name: nginx
+      state: started
+      enabled: yes

ansible/tests/test_nginx.py

@@ -0,0 +1,11 @@
+import pytest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def run_ansible(run_ansible_playbook):
+    run_ansible_playbook("nginx.yaml")
+
+
+def test_nginx_service(host):
+    assert host.service("nginx.service").is_valid
+    assert host.service("nginx.service").is_running

nix/hooks.nix

@@ -1,4 +1,8 @@
 { inputs, ... }:
+let
+  ghWorkflows = builtins.attrNames (builtins.readDir ../.github/workflows);
+  lintedWorkflows = [ "ansible-test.yml" ];
+in
 {
   imports = [ inputs.git-hooks.flakeModule ];
   perSystem =
@@ -8,6 +12,12 @@
         check.enable = true;
         settings = {
           hooks = {
+            actionlint = {
+              enable = true;
+              excludes = builtins.filter (name: !builtins.elem name lintedWorkflows) ghWorkflows;
+              verbose = true;
+            };
+
             treefmt = {
               enable = true;
               package = config.treefmt.build.wrapper;

nix/packages/ansible-test.nix

@@ -0,0 +1,23 @@
+{ self, pkgs }:
+pkgs.writeShellApplication {
+  name = "ansible-test";
+  runtimeInputs = with pkgs; [
+    (python3.withPackages (
+      ps: with ps; [
+        requests
+        pytest
+        pytest-testinfra
+        pytest-xdist
+        rich
+      ]
+    ))
+  ];
+  text = ''
+    echo "Running Ansible tests..."
+    FLAKE_DIR=${self}
+    pytest -x -p no:cacheprovider -s -v "$@" $FLAKE_DIR/ansible/tests --flake-dir=$FLAKE_DIR --docker-image=supabase/ansible-test:latest "$@"
+  '';
+  meta = {
+    description = "Ansible test runner";
+  };
+}

nix/packages/default.nix

@@ -30,8 +30,13 @@
       packages = (
         {
           build-test-ami = pkgs.callPackage ./build-test-ami.nix { };
+          ansible-test = pkgs.callPackage ./ansible-test.nix { inherit self; };
           cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { };
           dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; };
+          docker-ansible-test = pkgs.callPackage ./docker-ansible-test.nix {
+            inherit (self'.packages) docker-image-ubuntu;
+          };
+          docker-image-ubuntu = pkgs.callPackage ./docker-ubuntu.nix { };
           docs = pkgs.callPackage ./docs.nix { };
           supabase-groonga = pkgs.callPackage ./groonga { };
           http-mock-server = pkgs.callPackage ./http-mock-server.nix { };