[trustix-integration-tests] / checks / one-publisher.nix

{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
, writeText, }:
let
  inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;

  trustixModule = trustixSrc + "/nixos";

  trustixKeyConfig = writeText "trustixKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/trustix-priv ]];then
            mkdir -p /keys
            ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
          fi
        ''';
      };
    }
  '';

  publisherConfig = writeText "publisherConfig" ''
    {
      services.trustix = {
        enable = true;
        signers.aisha-snakeoil = {
          type = "ed25519";
          ed25519 = { private-key-path = "/keys/trustix-priv"; };
        };
        publishers = [{
          signer = "aisha-snakeoil";
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@pubkey@";
          };
        }];
      };
    }
  '';

  mkConfig = writeShellScript "mkConfig" ''
    set -euxo pipefail
    mkdir -p /etc/nixos
    ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
    cat > /etc/nixos/configuration.nix <<EOF
    {
      imports = [
        ${../lib/nixosTest-rebuild-switch.nix}
        ${trustixModule}
        ${trustixKeyConfig}
        ./publisher.nix
      ];
    }
    EOF
  '';

in nixosTest {
  name = "one-publisher";
  nodes = {
    alisha = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${trustixKeyConfig}"
      ];
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${trustixKeyConfig}"
            "${publisherConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
  };
  testScript = ''
    alisha.wait_for_file("/keys/trustix-pub")
    alisha.succeed(
        "${mkConfig}",
        "nixos-rebuild switch --show-trace",
    )
    alisha.succeed("nix-build '<nixpkgs>' -A hello")
  '';
}
Commit	Line	Data
578e32b3 SW	1	{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
	2	, writeText, }:
	3	let
	4	inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;
	5
	6	trustixModule = trustixSrc + "/nixos";
	7
	8	trustixKeyConfig = writeText "trustixKeyConfig" ''
	9	{ pkgs, ... }: {
	10	config = {
	11	system.activationScripts.trustix-create-key = '''
	12	if [[ ! -e /keys/trustix-priv ]];then
	13	mkdir -p /keys
	14	''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
	15	fi
	16	''';
	17	};
	18	}
	19	'';
	20
	21	publisherConfig = writeText "publisherConfig" ''
	22	{
	23	services.trustix = {
	24	enable = true;
	25	signers.aisha-snakeoil = {
	26	type = "ed25519";
	27	ed25519 = { private-key-path = "/keys/trustix-priv"; };
	28	};
	29	publishers = [{
	30	signer = "aisha-snakeoil";
	31	protocol = "nix";
	32	publicKey = {
	33	type = "ed25519";
	34	pub = "@pubkey@";
	35	};
	36	}];
	37	};
	38	}
	39	'';
	40
	41	mkConfig = writeShellScript "mkConfig" ''
	42	set -euxo pipefail
	43	mkdir -p /etc/nixos
	44	${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
	45	cat > /etc/nixos/configuration.nix <<EOF
	46	{
	47	imports = [
	48	${../lib/nixosTest-rebuild-switch.nix}
	49	${trustixModule}
	50	${trustixKeyConfig}
	51	./publisher.nix
	52	];
	53	}
	54	EOF
	55	'';
	56
	57	in nixosTest {
	58	name = "one-publisher";
	59	nodes = {
	60	alisha = { pkgs, ... }: {
	61	imports = [
	62	../lib/nixosTest-rebuild-switch.nix
	63	trustixModule
	64	"${trustixKeyConfig}"
65	];
66	system.extraDependencies = [
67	pkgs.hello.inputDerivation
68	pkgs.remarshal # For building trustix-config.toml
69	(nixos {
70	imports = [
71	../lib/nixosTest-rebuild-switch.nix
72	trustixModule
73	"${trustixKeyConfig}"
74	"${publisherConfig}"
75	];
76	}).toplevel
77	];
78	virtualisation.diskSize = "1000";
79	virtualisation.memorySize = "1G";
80	};
81	};
82	testScript = ''
83	alisha.wait_for_file("/keys/trustix-pub")
84	alisha.succeed(
85	"${mkConfig}",
86	"nixos-rebuild switch --show-trace",
87	)
88	alisha.succeed("nix-build '<nixpkgs>' -A hello")
89	'';
90	}