Try enabling the trustix service in the subscriber?
index 2099047c4db75cd38e0ab054d049fb29fd4a586c..c24d3a991e720b47284d81fec09de0bb8e70b08e 100644 (file)
@@ -18,6 +18,19 @@ let
     }
   '';
 
     }
   '';
 
+  binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
+    { pkgs, ... }: {
+      config = {
+        system.activationScripts.trustix-create-key = '''
+          if [[ ! -e /keys/cache-priv-key.pem ]];then
+            mkdir -p /keys
+            ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
+          fi
+        ''';
+      };
+    }
+  '';
+
   publisherConfig = writeText "publisherConfig" ''
     {
       services.trustix = {
   publisherConfig = writeText "publisherConfig" ''
     {
       services.trustix = {
@@ -31,29 +44,69 @@ let
           protocol = "nix";
           publicKey = {
             type = "ed25519";
           protocol = "nix";
           publicKey = {
             type = "ed25519";
-            pub = "@pubkey@";
+            pub = "@trustixPubKey@";
           };
         }];
       };
     }
   '';
 
           };
         }];
       };
     }
   '';
 
-  mkConfig = writeShellScript "mkConfig" ''
-    set -euxo pipefail
-    mkdir -p /etc/nixos
-    ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
-    cat > /etc/nixos/configuration.nix <<EOF
-    {
-      imports = [
-        ${../lib/nixosTest-rebuild-switch.nix}
-        ${trustixModule}
-        ${trustixKeyConfig}
-        ./publisher.nix
-      ];
+  log-local-builds = writeShellScript "log-local-builds" ''
+    echo "$OUT_PATHS" >> /var/log/local-builds
+  '';
+
+  clientConfig = writeText "clientConfig" ''
+    { lib, ... }: {
+      services.trustix-nix-cache = {
+        enable = true;
+        private-key = "/keys/cache-priv-key.pem";
+        port = 9001;
+      };
+      nix = {
+        binaryCaches = lib.mkForce [ "http//localhost:9001" ];
+        binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
+      };
+      services.trustix = {
+        enable = true;  # Fails with and without: https://github.com/tweak/trustix/issue/24
+        subscribers = [{
+          protocol = "nix";
+          publicKey = {
+            type = "ed25519";
+            pub = "@trustixPubKey@";
+          };
+        }];
+        remotes = [ "grpc+http://alisha/" ];
+        deciders.nix = {
+          engine = "percentage";
+          percentage.minimum = 66;
+        };
+      };
+      nix.extraOptions = '''
+        post-build-hook = ${log-local-builds}
+      ''';
     }
     }
-    EOF
   '';
 
   '';
 
+  mkConfig =
+    { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
+    writeShellScript "mkConfig" ''
+      set -euxo pipefail
+      mkdir -p /etc/nixos
+      ${gnused}/bin/sed "
+        s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
+        s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
+        " ${config} > /etc/nixos/local.nix
+      cat > /etc/nixos/configuration.nix <<EOF
+      {
+        imports = [
+          ${../lib/nixosTest-rebuild-switch.nix}
+          ${trustixModule}
+          ./local.nix
+        ];
+      }
+      EOF
+    '';
+
 in nixosTest {
   name = "one-publisher";
   nodes = {
 in nixosTest {
   name = "one-publisher";
   nodes = {
@@ -78,13 +131,64 @@ in nixosTest {
       virtualisation.diskSize = "1000";
       virtualisation.memorySize = "1G";
     };
       virtualisation.diskSize = "1000";
       virtualisation.memorySize = "1G";
     };
+    clint = { pkgs, ... }: {
+      imports = [
+        ../lib/nixosTest-rebuild-switch.nix
+        trustixModule
+        "${binaryCacheKeyConfig}"
+      ];
+      system.extraDependencies = [
+        pkgs.hello.inputDerivation
+        pkgs.remarshal # For building trustix-config.toml
+        (nixos {
+          imports = [
+            ../lib/nixosTest-rebuild-switch.nix
+            trustixModule
+            "${binaryCacheKeyConfig}"
+            "${clientConfig}"
+          ];
+        }).toplevel
+      ];
+      virtualisation.diskSize = "1000";
+      virtualisation.memorySize = "1G";
+    };
   };
   testScript = ''
   };
   testScript = ''
+    from os import getenv
+    from threading import Thread
+
     alisha.wait_for_file("/keys/trustix-pub")
     alisha.wait_for_file("/keys/trustix-pub")
+    alisha.copy_from_vm("/keys/trustix-pub")
+    clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")
+
+    clint.wait_for_file("/keys/cache-priv-key.pem")
+    clint_thread = Thread(
+        target=lambda: clint.succeed(
+            "${
+              mkConfig {
+                config = clientConfig;
+                trustixPubKeyPath = "/keys/alisha-signing-pub";
+                binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
+              }
+            }",
+            "nixos-rebuild switch --show-trace",
+        )
+    )
+    clint_thread.start()
+
     alisha.succeed(
     alisha.succeed(
-        "${mkConfig}",
+        "${
+          mkConfig {
+            config = publisherConfig;
+            trustixPubKeyPath = "/keys/trustix-pub";
+          }
+        }",
         "nixos-rebuild switch --show-trace",
     )
     alisha.succeed("nix-build '<nixpkgs>' -A hello")
         "nixos-rebuild switch --show-trace",
     )
     alisha.succeed("nix-build '<nixpkgs>' -A hello")
+
+    clint_thread.join()
+    clint.succeed("nix-build '<nixpkgs>' -A hello")
+    clint.fail("grep hello /var/log/local-builds")
   '';
 }
   '';
 }
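Review bot: The client's `mkConfig` call in the testScript hunk hands the private key file to the public-key slot, `binaryCachePubKeyPath = "/keys/cache-priv-key.pem";`, so the `sed` substitution of `@binaryCachePubKey@` copies the cache signing private key into `/etc/nixos/local.nix` as a `binaryCachePublicKeys` entry instead of the public key; it should read `binaryCachePubKeyPath = "/keys/cache-pub-key.pem";`, the file the activation script in `binaryCacheKeyConfig` generates next to the private one. If I recall the `nix-store --generate-binary-cache-key` output format correctly, both key files already carry the `clint:` name prefix, so the `clint://` prefix in `clientConfig` would double it; worth checking the generated `/etc/nixos/local.nix` once the path is fixed. Separately, `binaryCaches = lib.mkForce [ "http//localhost:9001" ];` in the `clientConfig` hunk is missing the colon after `http`. The closing `clint.fail("grep hello /var/log/local-builds")` only shows the build was not done locally, so a bad cache URL would surface as a build failure, but a private key written into the NixOS config would not surface at all.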