git.scottworley.com Git - trustix-integration-tests/blob - checks/one-publisher.nix

   1 { lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
   2 , writeText, }:
   3 let
   4   inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;
   5
   6   trustixModule = trustixSrc + "/nixos";
   7
   8   trustixKeyConfig = writeText "trustixKeyConfig" ''
   9     { pkgs, ... }: {
  10       config = {
  11         system.activationScripts.trustix-create-key = '''
  12           if [[ ! -e /keys/trustix-priv ]];then
  13             mkdir -p /keys
  14             ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
  15           fi
  16         ''';
  17       };
  18     }
  19   '';
  20
  21   binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
  22     { pkgs, ... }: {
  23       config = {
  24         system.activationScripts.trustix-create-key = '''
  25           if [[ ! -e /keys/cache-priv-key.pem ]];then
  26             mkdir -p /keys
  27             ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
  28           fi
  29         ''';
  30       };
  31     }
  32   '';
  33
  34   publisherConfig = writeText "publisherConfig" ''
  35     {
  36       services.trustix = {
  37         enable = true;
  38         signers.aisha-snakeoil = {
  39           type = "ed25519";
  40           ed25519 = { private-key-path = "/keys/trustix-priv"; };
  41         };
  42         publishers = [{
  43           signer = "aisha-snakeoil";
  44           protocol = "nix";
  45           publicKey = {
  46             type = "ed25519";
  47             pub = "@trustixPubKey@";
  48           };
  49         }];
  50       };
  51     }
  52   '';
  53
  54   clientConfig = writeText "clientConfig" ''
  55     { lib, ... }: {
  56       services.trustix-nix-cache = {
  57         enable = true;
  58         private-key = "/keys/cache-priv-key.pem";
  59         port = 9001;
  60       };
  61       nix = {
  62         binaryCaches = lib.mkForce [ "http//localhost:9001" ];
  63         binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
  64       };
  65       services.trustix = {
  66         subscribers = [{
  67           protocol = "nix";
  68           publicKey = {
  69             type = "ed25519";
  70             pub = "@trustixPubKey@";
  71           };
  72         }];
  73         remotes = [ "grpc+http://alisha/" ];
  74         deciders.nix = {
  75           engine = "percentage";
  76           percentage.minimum = 66;
  77         };
  78       };
  79
  80     }
  81   '';
  82
  83   mkConfig =
  84     { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
  85     writeShellScript "mkConfig" ''
  86       set -euxo pipefail
  87       mkdir -p /etc/nixos
  88       ${gnused}/bin/sed "
  89         s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
  90         s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
  91         " ${config} > /etc/nixos/local.nix
  92       cat > /etc/nixos/configuration.nix <<EOF
  93       {
  94         imports = [
  95           ${../lib/nixosTest-rebuild-switch.nix}
  96           ${trustixModule}
  97           ./local.nix
  98         ];
  99       }
 100       EOF
 101     '';
 102
 103 in nixosTest {
 104   name = "one-publisher";
 105   nodes = {
 106     alisha = { pkgs, ... }: {
 107       imports = [
 108         ../lib/nixosTest-rebuild-switch.nix
 109         trustixModule
 110         "${trustixKeyConfig}"
 111       ];
 112       system.extraDependencies = [
 113         pkgs.hello.inputDerivation
 114         pkgs.remarshal # For building trustix-config.toml
 115         (nixos {
 116           imports = [
 117             ../lib/nixosTest-rebuild-switch.nix
 118             trustixModule
 119             "${trustixKeyConfig}"
 120             "${publisherConfig}"
 121           ];
 122         }).toplevel
 123       ];
 124       virtualisation.diskSize = "1000";
 125       virtualisation.memorySize = "1G";
 126     };
 127     clint = { pkgs, ... }: {
 128       imports = [
 129         ../lib/nixosTest-rebuild-switch.nix
 130         trustixModule
 131         "${binaryCacheKeyConfig}"
 132       ];
 133       system.extraDependencies = [
 134         pkgs.hello.inputDerivation
 135         pkgs.remarshal # For building trustix-config.toml
 136         (nixos {
 137           imports = [
 138             ../lib/nixosTest-rebuild-switch.nix
 139             trustixModule
 140             "${binaryCacheKeyConfig}"
 141             "${clientConfig}"
 142           ];
 143         }).toplevel
 144       ];
 145       virtualisation.diskSize = "1000";
 146       virtualisation.memorySize = "1G";
 147     };
 148   };
 149   testScript = ''
 150     from os import getenv
 151
 152     alisha.wait_for_file("/keys/trustix-pub")
 153     alisha.copy_from_vm("/keys/trustix-pub")
 154     clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")
 155
 156     alisha.succeed(
 157         "${
 158           mkConfig {
 159             config = publisherConfig;
 160             trustixPubKeyPath = "/keys/trustix-pub";
 161           }
 162         }",
 163         "nixos-rebuild switch --show-trace",
 164     )
 165     alisha.succeed("nix-build '<nixpkgs>' -A hello")
 166
 167     clint.wait_for_file("/keys/cache-priv-key.pem")
 168     clint.succeed(
 169         "${
 170           mkConfig {
 171             config = clientConfig;
 172             trustixPubKeyPath = "/keys/alisha-signing-pub";
 173             binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
 174           }
 175         }",
 176         "nixos-rebuild switch --show-trace",
 177     )
 178     clint.succeed("nix-build '<nixpkgs>' -A hello")
 179   '';
 180 }