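# NixOS integration test "one-publisher": a single trustix publisher (alisha)
# publishes signed build results, and one subscriber (clint) fetches that
# build through a local trustix-backed binary cache instead of building it.
{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
, writeText, }:
# `lib` and `trustix` are accepted because the attribute-set pattern is closed
# (callers must pass exactly these names), but nothing below uses them; the
# former `inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;` was
# dead code and has been dropped.
let
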
# The trustix NixOS module is the nixos/ directory of the trustix source tree.
trustixModule = trustixSrc + "/nixos";

# NixOS module, written out as a file so it can be imported by store path,
# that creates the trustix signing key pair on activation when it is missing.
# Activation scripts run at boot and on every `nixos-rebuild switch`; the
# existence check keeps this idempotent, so a running publisher's key is never
# silently regenerated. The keys live in /keys, outside the Nix store; their
# permissions are whatever `trustix generate-key` and the activation umask
# produce - nothing here tightens them.
trustixKeyConfig = writeText "trustixKeyConfig" ''
  { pkgs, ... }: {
    config = {
      system.activationScripts.trustix-create-key = '''
        if [[ ! -e /keys/trustix-priv ]];then
          mkdir -p /keys
          ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
        fi
      ''';
    };
  }
'';

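# NixOS module, written out as a file so it can be imported by store path,
# that creates the Nix binary-cache signing key pair on activation when it is
# missing. clientConfig points services.trustix-nix-cache.private-key at the
# private half; the public half is what a client must list in
# nix.binaryCachePublicKeys. The existence check keeps the script idempotent.
#
# The activation script is deliberately NOT named trustix-create-key like the
# one in trustixKeyConfig: system.activationScripts is an attribute set, and
# two modules defining the same key with different bodies would fail with a
# conflicting-definition error if a machine ever imported both.
binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
  { pkgs, ... }: {
    config = {
      system.activationScripts.binary-cache-create-key = '''
        if [[ ! -e /keys/cache-priv-key.pem ]];then
          mkdir -p /keys
          ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
        fi
      ''';
    };
  }
'';
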
# Template for alisha's trustix publisher module. @trustixPubKey@ is a
# placeholder that mkConfig replaces at run time with the contents of the
# public key file, because the key pair only comes into existence inside the
# VM (see trustixKeyConfig). The signer reads the private half from /keys.
publisherConfig = writeText "publisherConfig" ''
  {
    services.trustix = {
      enable = true;
      signers.aisha-snakeoil = {
        type = "ed25519";
        ed25519 = { private-key-path = "/keys/trustix-priv"; };
      };
      publishers = [{
        signer = "aisha-snakeoil";
        protocol = "nix";
        publicKey = {
          type = "ed25519";
          pub = "@trustixPubKey@";
        };
      }];
    };
  }
'';

# Nix post-build-hook: record the output paths of every build performed on
# the machine in /var/log/local-builds. The test script greps that file to
# show that clint obtained hello from the cache rather than building it.
log-local-builds = writeShellScript "log-local-builds" ''
  printf '%s\n' "$OUT_PATHS" >> /var/log/local-builds
'';

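# Template for clint's module: run a local trustix-backed binary cache and
# make it the only cache Nix consults (mkForce replaces the default
# cache.nixos.org entry), so every substitution has to pass trustix.
#
# Two placeholders are filled in by mkConfig at run time:
#   @trustixPubKey@     - alisha's trustix signing public key, the trust anchor
#                         for what the subscriber accepts from the remote. The
#                         remote is plain grpc+http, so that key, not the
#                         transport, is what protects the log contents.
#   @binaryCachePubKey@ - the public half of the local cache signing key, in
#                         Nix's "name:base64" form exactly as written to
#                         cache-pub-key.pem by nix-store
#                         --generate-binary-cache-key; it must not be
#                         prefixed with anything.
#
# Fixes relative to the previous version: the cache URL lacked the ':' after
# "http", and binaryCachePublicKeys prefixed the key with "clint://", which
# would have produced "clint://clint:..." - not a key Nix can parse.
clientConfig = writeText "clientConfig" ''
  { lib, ... }: {
    services.trustix-nix-cache = {
      enable = true;
      private-key = "/keys/cache-priv-key.pem";
      port = 9001;
    };
    nix = {
      binaryCaches = lib.mkForce [ "http://localhost:9001" ];
      binaryCachePublicKeys = lib.mkForce [ "@binaryCachePubKey@" ];
    };
    services.trustix = {
      subscribers = [{
        protocol = "nix";
        publicKey = {
          type = "ed25519";
          pub = "@trustixPubKey@";
        };
      }];
      remotes = [ "grpc+http://alisha/" ];
      deciders.nix = {
        engine = "percentage";
        percentage.minimum = 66;
      };
    };
    nix.extraOptions = '''
      post-build-hook = ${log-local-builds}
    ''';
  }
'';
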
# Build a shell script that instantiates a config template inside a VM: the
# @trustixPubKey@ / @binaryCachePubKey@ placeholders in `config` are replaced
# with the contents of the given key files (read on the VM at run time, since
# the keys are generated there), the result is written to
# /etc/nixos/local.nix, and a configuration.nix that imports it together with
# the trustix module and the rebuild-switch helper is written next to it.
#
# binaryCachePubKeyPath defaults to /dev/null, i.e. an empty substitution for
# templates that do not use @binaryCachePubKey@. Only *public* key files
# belong here: their contents are copied verbatim into /etc/nixos/local.nix
# and, because of `set -x`, echoed into the test log as well.
#
# The key contents are spliced into the sed expression unescaped, so a key
# containing ',' (the delimiter), '&' or '\' would corrupt the substitution;
# base64 key material is safe.
mkConfig =
  { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
  writeShellScript "mkConfig" ''
    set -euxo pipefail
    mkdir -p /etc/nixos
    ${gnused}/bin/sed "
      s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
      s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
    " ${config} > /etc/nixos/local.nix
    cat > /etc/nixos/configuration.nix <<EOF
    {
      imports = [
        ${../lib/nixosTest-rebuild-switch.nix}
        ${trustixModule}
        ./local.nix
      ];
    }
    EOF
  '';

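in nixosTest {
  name = "one-publisher";
  nodes = {
    # alisha: the single trustix publisher. Its signing key is generated on
    # activation; the publisher config is applied later from the test script,
    # once the public key exists to be templated in.
    alisha = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${trustixKeyConfig}"
      ];
      # Pre-seed the VM store with what the in-VM `nixos-rebuild switch` and
      # `nix-build hello` need (presumably because the VM cannot reach any
      # cache - confirm against nixosTest-rebuild-switch.nix). The rebuilt
      # toplevel is evaluated here with the same imports the switch will use.
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${trustixKeyConfig}"
            "${publisherConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
    # clint: the subscriber. Runs a local trustix-backed binary cache and is
    # expected to fetch hello through it rather than build hello locally.
    clint = { pkgs, ... }: {
      imports = [
        ../lib/nixosTest-rebuild-switch.nix
        trustixModule
        "${binaryCacheKeyConfig}"
      ];
      system.extraDependencies = [
        pkgs.hello.inputDerivation
        pkgs.remarshal # For building trustix-config.toml
        (nixos {
          imports = [
            ../lib/nixosTest-rebuild-switch.nix
            trustixModule
            "${binaryCacheKeyConfig}"
            "${clientConfig}"
          ];
        }).toplevel
      ];
      virtualisation.diskSize = "1000";
      virtualisation.memorySize = "1G";
    };
  };
  testScript = ''
    from os import getenv

    # Out-of-band key distribution: alisha's trustix public key travels via
    # the test driver ($out on the host) into clint. This copy, not the
    # grpc+http remote, is what establishes clint's trust in alisha.
    alisha.wait_for_file("/keys/trustix-pub")
    alisha.copy_from_vm("/keys/trustix-pub")
    clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")

    alisha.succeed(
        "${
          mkConfig {
            config = publisherConfig;
            trustixPubKeyPath = "/keys/trustix-pub";
          }
        }",
        "nixos-rebuild switch --show-trace",
    )
    # Produce a build for the publisher to log, so clint has something to
    # verify and fetch.
    alisha.succeed("nix-build '<nixpkgs>' -A hello")

    # NOTE(review): mkConfig below reads cache-pub-key.pem; this waits on the
    # private file instead. Waiting on the public file would be the direct
    # condition - confirm the order in which nix-store writes the two files.
    clint.wait_for_file("/keys/cache-priv-key.pem")
    clint.succeed(
        "${
          mkConfig {
            config = clientConfig;
            trustixPubKeyPath = "/keys/alisha-signing-pub";
            # The PUBLIC half goes into nix.binaryCachePublicKeys. The previous
            # version passed cache-priv-key.pem here, which copied the private
            # key into /etc/nixos/local.nix and handed Nix a value it cannot
            # verify signatures against.
            binaryCachePubKeyPath = "/keys/cache-pub-key.pem";
          }
        }",
        "nixos-rebuild switch --show-trace",
    )
    clint.succeed("nix-build '<nixpkgs>' -A hello")
    # clint's post-build-hook logs every local build; hello must be absent,
    # i.e. it was substituted from the trustix-backed cache.
    clint.fail("grep hello /var/log/local-builds")
  '';
}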