# NixOS VM test for trustix. The visible part builds two per-node NixOS
# configuration fragments as text (writeText) and a helper script (mkConfig)
# that renders one of them into /etc/nixos with key material spliced in.
# A publisher node ("alisha", signer "aisha-snakeoil") signs Nix build results
# with an ed25519 key; a subscriber node ("clint") verifies them through a
# local trustix-nix-cache and a percentage decider.
#
# NOTE(review): the page was flattened onto two lines and a span of the file
# is missing: everything between mkConfig's `cat > /etc/nixos/configuration.nix <`
# and `' -A hello")` is gone (looks like `<...>` text was stripped during
# extraction, which would also explain `nix-build '' -A hello` — presumably a
# stripped `<nixpkgs>` reference; confirm against the upstream file). The
# node definitions and the publisher side of the test script are therefore
# not documented here; the garbled tail is kept verbatim below.
{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript, writeText, }:
let
  # Only used by the part of the file that is not visible on this page.
  inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;

  # Path of the trustix NixOS module shipped inside the trustix source tree.
  trustixModule = trustixSrc + "/nixos";

  # Config fragment for the publisher: an activation script generates a
  # trustix ed25519 key pair under /keys on the VM, skipped when the private
  # key already exists. Keys are created at activation time on the VM's
  # filesystem, not at build time, so they never land in the Nix store.
  # `''${` is the indented-string escape that leaves a literal `${` in the
  # generated file, and `'''` leaves a literal `''`.
  trustixKeyConfig = writeText "trustixKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/trustix-priv ]];then
            mkdir -p /keys
            ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
          fi
        ''';
      };
    }
  '';

  # Config fragment for the subscriber: an activation script generates the
  # binary-cache signing key pair named "clint" with nix-store, writing both
  # /keys/cache-priv-key.pem and /keys/cache-pub-key.pem, unless the private
  # key is already present.
  binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
    { pkgs, ... }: {
      config = {
        system.activationScripts.trustix-create-key = '''
          if [[ ! -e /keys/cache-priv-key.pem ]];then
            mkdir -p /keys
            ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
          fi
        ''';
      };
    }
  '';

  # Publisher-side trustix service config. The signer reads the private key
  # generated by trustixKeyConfig; @trustixPubKey@ is a placeholder that
  # mkConfig replaces with the contents of a public-key file.
  publisherConfig = writeText "publisherConfig" ''
    {
      services.trustix = {
        enable = true;
        signers.aisha-snakeoil = {
          type = "ed25519";
          ed25519 = {
            private-key-path = "/keys/trustix-priv";
          };
        };
        publishers = [{
          signer = "aisha-snakeoil";
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@trustixPubKey@";
          };
        }];
      };
    }
  '';

  # Subscriber-side config. The local trustix-nix-cache on port 9001 becomes
  # the only substituter (mkForce discards the defaults), trustix pulls logs
  # from the "alisha" remote over plain gRPC/http (fine inside the isolated
  # test network, not a production setting), and the percentage decider
  # requires 66 % agreement. Both @…@ placeholders are filled by mkConfig.
  # NOTE(review): "http//localhost:9001" is missing the ':' after the scheme,
  # so the substituter URL looks malformed — likely meant "http://localhost:9001";
  # confirm whether the test currently exercises the cache at all.
  # NOTE(review): nix-store's generated public-key file appears to already
  # carry a "clint:" name prefix, so "clint://@binaryCachePubKey@" may yield a
  # double-prefixed entry; confirm the format binaryCachePublicKeys expects.
  clientConfig = writeText "clientConfig" ''
    { lib, ... }: {
      services.trustix-nix-cache = {
        enable = true;
        private-key = "/keys/cache-priv-key.pem";
        port = 9001;
      };
      nix = {
        binaryCaches = lib.mkForce [ "http//localhost:9001" ];
        binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
      };
      services.trustix = {
        subscribers = [{
          protocol = "nix";
          publicKey = {
            type = "ed25519";
            pub = "@trustixPubKey@";
          };
        }];
        remotes = [ "grpc+http://alisha/" ];
        deciders.nix = {
          engine = "percentage";
          percentage.minimum = 66;
        };
      };
    }
  '';

  # Produce a shell script that renders `config` into /etc/nixos/local.nix,
  # replacing @trustixPubKey@ and @binaryCachePubKey@ with the contents of the
  # named files (`$(< file)` is bash's file-slurp), then writes
  # /etc/nixos/configuration.nix from a heredoc whose body is not visible on
  # this page. binaryCachePubKeyPath defaults to /dev/null, which turns the
  # second substitution into a deletion of the placeholder.
  # The sed program uses ',' as the s/// delimiter; that is only safe because
  # the spliced values are expected to be base64 key material, which contains
  # neither ',' nor '&' — confirm if other files are ever passed in.
  # `set -x` prints the fully expanded sed command, i.e. the key contents, to
  # the test log; harmless for public keys, not for private ones.
  # NOTE(review): the visible clint call below passes
  # binaryCachePubKeyPath = "/keys/cache-priv-key.pem" — the *private* key —
  # so its contents are written into /etc/nixos/local.nix and echoed by the
  # `-x` trace. binaryCacheKeyConfig also produces /keys/cache-pub-key.pem,
  # which is presumably the intended argument; confirm. /keys/alisha-signing-pub
  # is not created by anything visible here; presumably copied from the
  # publisher node in the missing part of the test script.
  mkConfig = { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }: writeShellScript "mkConfig" ''
    set -euxo pipefail
    mkdir -p /etc/nixos
    ${gnused}/bin/sed "
      s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
      s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
    " ${config} > /etc/nixos/local.nix
    cat > /etc/nixos/configuration.nix <' -A hello")
    clint.wait_for_file("/keys/cache-priv-key.pem")
    clint.succeed(
      "${ mkConfig { config = clientConfig; trustixPubKeyPath = "/keys/alisha-signing-pub"; binaryCachePubKeyPath = "/keys/cache-priv-key.pem"; } }",
      "nixos-rebuild switch --show-trace",
    )
    clint.succeed("nix-build '' -A hello")
  '';
}