X-Git-Url: http://git.scottworley.com/trustix-integration-tests/blobdiff_plain/578e32b36eff2f3b2c381f9ca658c6e8b79aefe0..c5557e80db6b143ff7f6bff308398ff526b2a908:/checks/one-publisher.nix?ds=inline
diff --git a/checks/one-publisher.nix b/checks/one-publisher.nix
index 2099047..b661624 100644
--- a/checks/one-publisher.nix
+++ b/checks/one-publisher.nix
@@ -18,6 +18,19 @@ let
 }
 '';
+ binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
+ { pkgs, ... }: {
+ config = {
+ system.activationScripts.trustix-create-key = '''
+ if [[ ! -e /keys/cache-priv-key.pem ]];then
+ mkdir -p /keys
+ ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
+ fi
+ ''';
+ };
+ }
+ '';
+ publisherConfig = writeText "publisherConfig" '' + { services.trustix = {
@@ -31,29 +44,68 @@ let
 protocol = "nix";
 publicKey = {
 type = "ed25519";
- pub = "@pubkey@";
+ pub = "@trustixPubKey@";
 };
 }];
 };
 }
 '';
- mkConfig = writeShellScript "mkConfig" ''
- set -euxo pipefail
- mkdir -p /etc/nixos
- ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
- cat > /etc/nixos/configuration.nix <> /var/log/local-builds
+ '';
+
+ clientConfig = writeText "clientConfig" ''
+ { lib, ... }: {
+ services.trustix-nix-cache = {
+ enable = true;
+ private-key = "/keys/cache-priv-key.pem";
+ port = 9001;
+ };
+ nix = {
+ binaryCaches = lib.mkForce [ "http//localhost:9001" ];
+ binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
+ };
+ services.trustix = {
+ subscribers = [{
+ protocol = "nix";
+ publicKey = {
+ type = "ed25519";
+ pub = "@trustixPubKey@";
+ };
+ }];
+ remotes = [ "grpc+http://alisha/" ];
+ deciders.nix = {
+ engine = "percentage";
+ percentage.minimum = 66;
+ };
+ };
+ nix.extraOptions = '''
+ post-build-hook = ${log-local-builds}
+ ''';
 }
- EOF
 '';
+ mkConfig =
+ { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
+ writeShellScript "mkConfig" ''
+ set -euxo pipefail
+ mkdir -p /etc/nixos
+ ${gnused}/bin/sed "
+ s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
+ s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
+ " ${config} > /etc/nixos/local.nix
+ cat > /etc/nixos/configuration.nix <' -A hello")
+
+ clint.wait_for_file("/keys/cache-priv-key.pem")
+ clint.succeed(
+ "${
+ mkConfig {
+ config = clientConfig;
+ trustixPubKeyPath = "/keys/alisha-signing-pub";
+ binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
+ }
+ }",
+ "nixos-rebuild switch --show-trace",
+ )
+ clint.succeed("nix-build '' -A hello")
+ clint.fail("grep hello /var/log/local-builds")
 '';
 }
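Review bot: The clint `mkConfig` call near the end of the hunk passes `binaryCachePubKeyPath = "/keys/cache-priv-key.pem"`, the private half of the pair, while the activation script added in the first hunk writes the public half to `/keys/cache-pub-key.pem`; as written, sed substitutes the private key into `binaryCachePublicKeys` (so signature verification cannot succeed) and the private key material is copied into `/etc/nixos/local.nix` and echoed into the test log by the `set -euxo pipefail` trace of the sed command line. The fix is `binaryCachePubKeyPath = "/keys/cache-pub-key.pem";`. In the same `clientConfig`, `binaryCaches = lib.mkForce [ "http//localhost:9001" ]` is missing the colon after the scheme (`"http://localhost:9001"`), and the `clint://` prefix on `binaryCachePublicKeys` looks doubtful because the public-key file written by `nix-store --generate-binary-cache-key clint …` already carries the `clint:` name prefix — worth confirming against the generated file before relying on the `clint.fail("grep hello …")` assertion. Several stretches of this hunk (the `cat > /etc/nixos/configuration.nix` heredoc bodies and the quoted argument to `nix-build`) appear to have been stripped as HTML on this page, so those lines could not be reviewed.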