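# Integration test: a single NixOS VM ("alisha") generates a trustix signing
# key on activation, rebuilds itself into a trustix publisher whose signer
# uses that key, and then builds a package with the publisher enabled.
#
# NOTE(review): the `trustix` function argument is never referenced here; the
# trustix binary used inside the VM comes from the module's `pkgs.trustix`.
{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
, writeText, }:
let
  # NOTE(review): none of these lib functions is referenced in this file.
  # Unused let bindings are harmless in Nix (lazy), but the line can be dropped.
  inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;

  # The NixOS module shipped in the trustix source tree; imported by the test
  # node, by the pre-built toplevel below, and by the configuration.nix that
  # mkConfig writes inside the VM.
  trustixModule = trustixSrc + "/nixos";

  # Key-generation module, written to the store as a file so the same path can
  # be imported both here and from the VM-generated configuration.nix.  On
  # activation it creates the key pair under /keys unless the private key
  # already exists, so the in-test `nixos-rebuild switch` (which re-runs
  # activation) keeps the original key.
  # NOTE(review): /keys is created with the default umask and no explicit
  # mode, and nothing here restricts who can read trustix-priv.  That is
  # acceptable for this throwaway test key (signer "aisha-snakeoil"); do not
  # reuse the pattern for a real publisher without locking the directory down.
  trustixKeyConfig = writeText "trustixKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/trustix-priv ]];then
            mkdir -p /keys
            ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
          fi
        ''';
      };
    }
  '';

  # Template for the publisher's NixOS module: one ed25519 signer backed by
  # the generated private key, and one nix-protocol publisher signing with it.
  # "@pubkey@" is a placeholder that mkConfig replaces with the contents of
  # /keys/trustix-pub; the template is also evaluated verbatim (placeholder
  # included) for the pre-built toplevel in extraDependencies below.
  publisherConfig = writeText "publisherConfig" ''
    {
      services.trustix = {
        enable = true;
        signers.aisha-snakeoil = {
          type = "ed25519";
          ed25519 = { private-key-path = "/keys/trustix-priv"; };
        };
        publishers = [{
          signer = "aisha-snakeoil";
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@pubkey@";
          };
        }];
      };
    }
  '';

  # Runs inside the VM once the key pair exists: renders publisher.nix from the
  # template and writes a configuration.nix that imports it together with the
  # trustix module and the key-generation module, all referenced by store path
  # (presumably why those two modules are files rather than inline attrsets).
  mkConfig = writeShellScript "mkConfig" ''
    set -euxo pipefail
    mkdir -p /etc/nixos

    # Refuse to render a malformed publisher.nix: an empty key, or one holding
    # the sed delimiter, an ampersand, a backslash or a newline, would be
    # substituted silently and only surface later as an opaque failure from
    # nixos-rebuild or trustix.  NOTE(review): assumes `trustix generate-key`
    # writes the public key as a single base64-like line -- confirm against
    # the trustix key format.
    pubkey=$(< /keys/trustix-pub)
    case $pubkey in
      "" | *[,\&\\]* | *$'\n'*)
        echo "mkConfig: /keys/trustix-pub is empty or contains sed-unsafe characters" >&2
        exit 1 ;;
    esac

    ${gnused}/bin/sed "s,@pubkey@,$pubkey," ${publisherConfig} > /etc/nixos/publisher.nix
    cat > /etc/nixos/configuration.nix <<EOF
    {
      imports = [
        ${../lib/nixosTest-rebuild-switch.nix}
        ${trustixModule}
        ${trustixKeyConfig}
        ./publisher.nix
      ];
    }
    EOF
  '';

in nixosTest {
  name = "one-publisher";
  nodes = {
    # Single node: it generates its own signing key on activation, then
    # re-configures itself in-test as a trustix publisher (see testScript).
    alisha = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${trustixKeyConfig}"
      ];
      # Pre-populate the VM's store with what the in-test steps need; the test
      # VM is expected to have no outside network access, so nothing can be
      # fetched at test time.
      system.extraDependencies = [
        # Inputs of `hello`, so the nix-build at the end of testScript can run.
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        # The toplevel `nixos-rebuild switch` will produce, built from the same
        # modules the VM-generated configuration.nix imports.  The publisher
        # module still holds its "@pubkey@" placeholder here; the in-VM
        # rebuild's publisher.nix should differ only in that string, so its
        # closure is expected to be covered by this one.
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${trustixKeyConfig}"
            "${publisherConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
  };
  # 1. wait for the activation script to have written the key pair,
  # 2. render /etc/nixos (mkConfig) and switch to the publisher configuration,
  # 3. build a package, presumably what the publisher is meant to log.
  # NOTE(review): step 3 only checks that the build succeeds; nothing here
  # asserts that a signed log entry was actually produced for it.  Consider
  # querying the publisher's log for the build output after the nix-build.
  testScript = ''
    alisha.wait_for_file("/keys/trustix-pub")
    alisha.succeed(
      "${mkConfig}",
      "nixos-rebuild switch --show-trace",
    )
    alisha.succeed("nix-build '<nixpkgs>' -A hello")
  '';
}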