1 { lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
2 , writeText, }:
3 let
  # NOTE(review): none of filterAttrs / hasPrefix / mapAttrsToList / optional
  # is referenced anywhere in this file; kept in place as a file-level import.
  inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;
5
  # NixOS module directory shipped inside the trustix source tree; imported by
  # every node below and by the generated /etc/nixos/configuration.nix.
  trustixModule = trustixSrc + "/nixos";
7
  # Config fragment for the publisher VM: a one-shot activation script that
  # generates the trustix ed25519 signing key pair under /keys on first boot.
  # The `-e` guard makes it idempotent across repeated `nixos-rebuild switch`.
  # /keys/trustix-priv is the key `signers.aisha-snakeoil` in publisherConfig
  # signs with; it must never leave the publisher VM. The test script copies
  # out only /keys/trustix-pub.
  # NOTE(review): no umask/chmod is applied, so the private key's mode is
  # whatever `trustix generate-key` produces under root's default umask --
  # confirm it is not world-readable before reusing this outside a throwaway
  # test VM.
  trustixKeyConfig = writeText "trustixKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/trustix-priv ]];then
            mkdir -p /keys
            ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
          fi
        ''';
      };
    }
  '';
20
21 binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
22 { pkgs, ... }: {
23 config = {
24 system.activationScripts.trustix-create-key = '''
25 if [[ ! -e /keys/cache-priv-key.pem ]];then
26 mkdir -p /keys
27 ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
28 fi
29 ''';
30 };
31 }
32 '';
33
  # Trustix publisher config for alisha: signs entries for the `nix` protocol
  # with the ed25519 key generated by trustixKeyConfig and publishes them.
  # `@trustixPubKey@` is a placeholder that mkConfig replaces (via sed) with
  # the contents of the public key file; the private key is referenced by
  # path only and never copied into the config.
  publisherConfig = writeText "publisherConfig" ''
    {
      services.trustix = {
        enable = true;
        signers.aisha-snakeoil = {
          type = "ed25519";
          ed25519 = { private-key-path = "/keys/trustix-priv"; };
        };
        publishers = [{
          signer = "aisha-snakeoil";
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@trustixPubKey@";
          };
        }];
      };
    }
  '';
53
54 clientConfig = writeText "clientConfig" ''
55 { lib, ... }: {
56 services.trustix-nix-cache = {
57 enable = true;
58 private-key = "/keys/cache-priv-key.pem";
59 port = 9001;
60 };
61 nix = {
62 binaryCaches = lib.mkForce [ "http//localhost:9001" ];
63 binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
64 };
65 services.trustix = {
66 subscribers = [{
67 protocol = "nix";
68 publicKey = {
69 type = "ed25519";
70 pub = "@trustixPubKey@";
71 };
72 }];
73 remotes = [ "grpc+http://alisha/" ];
74 deciders.nix = {
75 engine = "percentage";
76 percentage.minimum = 66;
77 };
78 };
79
80 }
81 '';
82
  # Build a shell script that (re)writes /etc/nixos on a test VM:
  #   - `config` is copied to /etc/nixos/local.nix with its @trustixPubKey@
  #     and @binaryCachePubKey@ placeholders replaced by the contents of the
  #     given key files;
  #   - a minimal configuration.nix importing local.nix, the trustix module
  #     and the rebuild-switch helper is written next to it.
  # binaryCachePubKeyPath defaults to /dev/null (an empty substitution) for
  # configs such as publisherConfig that do not use that placeholder.
  # Pass PUBLIC key files only: whatever is substituted lands verbatim in
  # /etc/nixos/local.nix and, because of `set -x`, in the test log as well.
  # The sed script uses `,` as its delimiter and an unescaped replacement, so
  # key material containing `,`, `&` or `\` would be mis-substituted; the
  # base64 / ed25519 key files used here contain none of those.
  mkConfig =
    { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
    writeShellScript "mkConfig" ''
      set -euxo pipefail
      mkdir -p /etc/nixos
      ${gnused}/bin/sed "
        s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
        s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
      " ${config} > /etc/nixos/local.nix
      cat > /etc/nixos/configuration.nix <<EOF
      {
        imports = [
          ${../lib/nixosTest-rebuild-switch.nix}
          ${trustixModule}
          ./local.nix
        ];
      }
      EOF
    '';
102
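in nixosTest {
  name = "one-publisher";
  nodes = {
    # Publisher: generates its trustix signing key at activation, then is
    # switched to publisherConfig by the test script.
    alisha = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${trustixKeyConfig}"
      ];
      # Pre-seed the VM store with everything the in-VM `nixos-rebuild switch`
      # and `nix-build hello` need; the test VMs have no network access.
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${trustixKeyConfig}"
            "${publisherConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
    # Subscriber/client: generates the binary-cache signing key at activation,
    # then is switched to clientConfig once alisha's public key is in place.
    clint = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${binaryCacheKeyConfig}"
      ];
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${binaryCacheKeyConfig}"
            "${clientConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
  };
  testScript = ''
    from os import getenv

    # Hand alisha's trustix PUBLIC key to clint via the host ($out). The
    # private key never leaves alisha.
    alisha.wait_for_file("/keys/trustix-pub")
    alisha.copy_from_vm("/keys/trustix-pub")
    clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")

    alisha.succeed(
        "${
          mkConfig {
            config = publisherConfig;
            trustixPubKeyPath = "/keys/trustix-pub";
          }
        }",
        "nixos-rebuild switch --show-trace",
    )
    alisha.succeed("nix-build '<nixpkgs>' -A hello")

    # Wait for the PUBLIC half of the cache key (the generator writes it after
    # the private half, so its presence means both exist), and splice only
    # that file into clientConfig. Never pass cache-priv-key.pem here: mkConfig
    # copies the file contents verbatim into /etc/nixos/local.nix (and thus
    # the generated nix.conf), both world-readable, and echoes them into the
    # test log via `set -x` -- that would leak the cache signing key.
    clint.wait_for_file("/keys/cache-pub-key.pem")
    clint.succeed(
        "${
          mkConfig {
            config = clientConfig;
            trustixPubKeyPath = "/keys/alisha-signing-pub";
            binaryCachePubKeyPath = "/keys/cache-pub-key.pem";
          }
        }",
        "nixos-rebuild switch --show-trace",
    )
    # NOTE(review): hello's inputDerivation is pre-seeded on clint, so this
    # build succeeds even if nothing is ever fetched through the trustix
    # cache; on its own it does not prove the substituter/decider path works.
    clint.succeed("nix-build '<nixpkgs>' -A hello")
  '';
}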
180 }