[trustix-integration-tests] / checks / one-publisher.nix

{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
, writeText, }:
let
  inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;

  trustixModule = trustixSrc + "/nixos";

  trustixKeyConfig = writeText "trustixKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/trustix-priv ]];then
            mkdir -p /keys
            ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
          fi
        ''';
      };
    }
  '';

  binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/cache-priv-key.pem ]];then
            mkdir -p /keys
            ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
          fi
        ''';
      };
    }
  '';

  publisherConfig = writeText "publisherConfig" ''
    {
      services.trustix = {
        enable = true;
        signers.aisha-snakeoil = {
          type = "ed25519";
          ed25519 = { private-key-path = "/keys/trustix-priv"; };
        };
        publishers = [{
          signer = "aisha-snakeoil";
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@trustixPubKey@";
          };
        }];
      };
    }
  '';

  log-local-builds = writeShellScript "log-local-builds" ''
    echo "$OUT_PATHS" >> /var/log/local-builds
  '';

  clientConfig = writeText "clientConfig" ''
    { lib, ... }: {
      services.trustix-nix-cache = {
        enable = true;
        private-key = "/keys/cache-priv-key.pem";
        port = 9001;
      };
      nix = {
        binaryCaches = lib.mkForce [ "http//localhost:9001" ];
        binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
      };
      services.trustix = {
        enable = true;  # Fails with and without: https://github.com/tweak/trustix/issue/24
        subscribers = [{
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@trustixPubKey@";
          };
        }];
        remotes = [ "grpc+http://alisha/" ];
        deciders.nix = {
          engine = "percentage";
          percentage.minimum = 66;
        };
      };
      nix.extraOptions = '''
        post-build-hook = ${log-local-builds}
      ''';
    }
  '';

  mkConfig =
    { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
    writeShellScript "mkConfig" ''
      set -euxo pipefail
      mkdir -p /etc/nixos
      ${gnused}/bin/sed "
        s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
        s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
        " ${config} > /etc/nixos/local.nix
      cat > /etc/nixos/configuration.nix <<EOF
      {
        imports = [
          ${../lib/nixosTest-rebuild-switch.nix}
          ${trustixModule}
          ./local.nix
        ];
      }
      EOF
    '';

in nixosTest {
  name = "one-publisher";
  nodes = {
    alisha = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${trustixKeyConfig}"
      ];
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${trustixKeyConfig}"
            "${publisherConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
    clint = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${binaryCacheKeyConfig}"
      ];
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${binaryCacheKeyConfig}"
            "${clientConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
  };
  testScript = ''
    from os import getenv
    from threading import Thread

    alisha.wait_for_file("/keys/trustix-pub")
    alisha.copy_from_vm("/keys/trustix-pub")
    clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")

    clint.wait_for_file("/keys/cache-priv-key.pem")
    clint_thread = Thread(
        target=lambda: clint.succeed(
            "${
              mkConfig {
                config = clientConfig;
                trustixPubKeyPath = "/keys/alisha-signing-pub";
                binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
              }
            }",
            "nixos-rebuild switch --show-trace",
        )
    )
    clint_thread.start()

    alisha.succeed(
        "${
          mkConfig {
            config = publisherConfig;
            trustixPubKeyPath = "/keys/trustix-pub";
          }
        }",
        "nixos-rebuild switch --show-trace",
    )
    alisha.succeed("nix-build '<nixpkgs>' -A hello")

    clint_thread.join()
    clint.succeed("nix-build '<nixpkgs>' -A hello")
    clint.fail("grep hello /var/log/local-builds")
  '';
}
Commit	Line	Data
578e32b3 SW	1	{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
	2	, writeText, }:
	3	let
	4	inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;
	5
	6	trustixModule = trustixSrc + "/nixos";
	7
	8	trustixKeyConfig = writeText "trustixKeyConfig" ''
	9	{ pkgs, ... }: {
	10	config = {
	11	system.activationScripts.trustix-create-key = '''
	12	if [[ ! -e /keys/trustix-priv ]];then
	13	mkdir -p /keys
	14	''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
	15	fi
	16	''';
	17	};
	18	}
	19	'';
	20
0d4b0780 SW	21	binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
	22	{ pkgs, ... }: {
	23	config = {
	24	system.activationScripts.trustix-create-key = '''
	25	if [[ ! -e /keys/cache-priv-key.pem ]];then
	26	mkdir -p /keys
	27	''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
	28	fi
	29	''';
	30	};
	31	}
	32	'';
	33
578e32b3 SW	34	publisherConfig = writeText "publisherConfig" ''
	35	{
	36	services.trustix = {
	37	enable = true;
	38	signers.aisha-snakeoil = {
	39	type = "ed25519";
	40	ed25519 = { private-key-path = "/keys/trustix-priv"; };
	41	};
	42	publishers = [{
	43	signer = "aisha-snakeoil";
	44	protocol = "nix";
	45	publicKey = {
	46	type = "ed25519";
0d4b0780	47	pub = "@trustixPubKey@";
578e32b3 SW	48	};
	49	}];
	50	};
	51	}
	52	'';
	53
c5557e80 SW	54	log-local-builds = writeShellScript "log-local-builds" ''
	55	echo "$OUT_PATHS" >> /var/log/local-builds
	56	'';
	57
0d4b0780 SW	58	clientConfig = writeText "clientConfig" ''
	59	{ lib, ... }: {
	60	services.trustix-nix-cache = {
	61	enable = true;
	62	private-key = "/keys/cache-priv-key.pem";
	63	port = 9001;
	64	};
	65	nix = {
	66	binaryCaches = lib.mkForce [ "http//localhost:9001" ];
	67	binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
	68	};
	69	services.trustix = {
10dab29e	70	enable = true; # Fails with and without: https://github.com/tweak/trustix/issue/24
0d4b0780 SW	71	subscribers = [{
	72	protocol = "nix";
	73	publicKey = {
	74	type = "ed25519";
	75	pub = "@trustixPubKey@";
	76	};
	77	}];
	78	remotes = [ "grpc+http://alisha/" ];
	79	deciders.nix = {
	80	engine = "percentage";
	81	percentage.minimum = 66;
	82	};
	83	};
c5557e80 SW	84	nix.extraOptions = '''
	85	post-build-hook = ${log-local-builds}
	86	''';
578e32b3	87	}
578e32b3 SW	88	'';
578e32b3 SW	89
0d4b0780 SW	90	mkConfig =
	91	{ config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
	92	writeShellScript "mkConfig" ''
	93	set -euxo pipefail
	94	mkdir -p /etc/nixos
	95	${gnused}/bin/sed "
	96	s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
	97	s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
	98	" ${config} > /etc/nixos/local.nix
	99	cat > /etc/nixos/configuration.nix <<EOF
	100	{
	101	imports = [
	102	${../lib/nixosTest-rebuild-switch.nix}
	103	${trustixModule}
	104	./local.nix
	105	];
	106	}
	107	EOF
	108	'';
	109
578e32b3 SW	110	in nixosTest {
	111	name = "one-publisher";
	112	nodes = {
	113	alisha = { pkgs, ... }: {
	114	imports = [
	115	../lib/nixosTest-rebuild-switch.nix
	116	trustixModule
	117	"${trustixKeyConfig}"
	118	];
	119	system.extraDependencies = [
	120	pkgs.hello.inputDerivation
	121	pkgs.remarshal # For building trustix-config.toml
	122	(nixos {
	123	imports = [
	124	../lib/nixosTest-rebuild-switch.nix
	125	trustixModule
	126	"${trustixKeyConfig}"
	127	"${publisherConfig}"
	128	];
	129	}).toplevel
	130	];
	131	virtualisation.diskSize = "1000";
	132	virtualisation.memorySize = "1G";
	133	};
0d4b0780 SW	134	clint = { pkgs, ... }: {
	135	imports = [
	136	../lib/nixosTest-rebuild-switch.nix
	137	trustixModule
	138	"${binaryCacheKeyConfig}"
	139	];
	140	system.extraDependencies = [
	141	pkgs.hello.inputDerivation
	142	pkgs.remarshal # For building trustix-config.toml
	143	(nixos {
	144	imports = [
	145	../lib/nixosTest-rebuild-switch.nix
	146	trustixModule
	147	"${binaryCacheKeyConfig}"
	148	"${clientConfig}"
	149	];
	150	}).toplevel
	151	];
	152	virtualisation.diskSize = "1000";
	153	virtualisation.memorySize = "1G";
	154	};
578e32b3 SW	155	};
578e32b3 SW	156	testScript = ''
0d4b0780	157	from os import getenv
6046efab	158	from threading import Thread
0d4b0780	159
578e32b3	160	alisha.wait_for_file("/keys/trustix-pub")
0d4b0780 SW	161	alisha.copy_from_vm("/keys/trustix-pub")
	162	clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")
	163
6046efab SW	164	clint.wait_for_file("/keys/cache-priv-key.pem")
	165	clint_thread = Thread(
	166	target=lambda: clint.succeed(
	167	"${
	168	mkConfig {
	169	config = clientConfig;
	170	trustixPubKeyPath = "/keys/alisha-signing-pub";
	171	binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
	172	}
	173	}",
	174	"nixos-rebuild switch --show-trace",
	175	)
	176	)
	177	clint_thread.start()
	178
578e32b3	179	alisha.succeed(
0d4b0780 SW	180	"${
	181	mkConfig {
	182	config = publisherConfig;
	183	trustixPubKeyPath = "/keys/trustix-pub";
	184	}
	185	}",
578e32b3 SW	186	"nixos-rebuild switch --show-trace",
	187	)
	188	alisha.succeed("nix-build '<nixpkgs>' -A hello")
0d4b0780	189
6046efab	190	clint_thread.join()
0d4b0780	191	clint.succeed("nix-build '<nixpkgs>' -A hello")
c5557e80	192	clint.fail("grep hello /var/log/local-builds")
578e32b3 SW	193	'';
578e32b3 SW	194	}