Initial attempt at a subscriber with a local binary cache
authorScott Worley <scottworley@scottworley.com>
Mon, 19 Jul 2021 21:18:10 +0000 (14:18 -0700)
committerScott Worley <scottworley@scottworley.com>
Tue, 20 Jul 2021 00:01:24 +0000 (17:01 -0700)
This doesn't work yet due to https://github.com/tweak/trustix/issue/24

checks/one-publisher.nix
lib/nixosTest-rebuild-switch.nix

index 2099047c4db75cd38e0ab054d049fb29fd4a586c..7ecec8fb125135fd7e512bd6b82202f15460bf3a 100644 (file)
@@ -18,6 +18,19 @@ let
     }
   '';
 
+  binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" ''
+    { pkgs, ... }: {
+      config = {
+        system.activationScripts.trustix-create-key = '''
+          if [[ ! -e /keys/cache-priv-key.pem ]];then
+            mkdir -p /keys
+            ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem
+          fi
+        ''';
+      };
+    }
+  '';
+
   publisherConfig = writeText "publisherConfig" ''
     {
       services.trustix = {
@@ -31,29 +44,62 @@ let
           protocol = "nix";
           publicKey = {
             type = "ed25519";
-            pub = "@pubkey@";
+            pub = "@trustixPubKey@";
           };
         }];
       };
     }
   '';
 
-  mkConfig = writeShellScript "mkConfig" ''
-    set -euxo pipefail
-    mkdir -p /etc/nixos
-    ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
-    cat > /etc/nixos/configuration.nix <<EOF
-    {
-      imports = [
-        ${../lib/nixosTest-rebuild-switch.nix}
-        ${trustixModule}
-        ${trustixKeyConfig}
-        ./publisher.nix
-      ];
+  clientConfig = writeText "clientConfig" ''
+    { lib, ... }: {
+      services.trustix-nix-cache = {
+        enable = true;
+        private-key = "/keys/cache-priv-key.pem";
+        port = 9001;
+      };
+      nix = {
+        binaryCaches = lib.mkForce [ "http//localhost:9001" ];
+        binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
+      };
+      services.trustix = {
+        subscribers = [{
+          protocol = "nix";
+          publicKey = {
+            type = "ed25519";
+            pub = "@trustixPubKey@";
+          };
+        }];
+        remotes = [ "grpc+http://alisha/" ];
+        deciders.nix = {
+          engine = "percentage";
+          percentage.minimum = 66;
+        };
+      };
+
     }
-    EOF
   '';
 
+  mkConfig =
+    { config, trustixPubKeyPath, binaryCachePubKeyPath ? "/dev/null", }:
+    writeShellScript "mkConfig" ''
+      set -euxo pipefail
+      mkdir -p /etc/nixos
+      ${gnused}/bin/sed "
+        s,@trustixPubKey@,$(< ${trustixPubKeyPath}),
+        s,@binaryCachePubKey@,$(< ${binaryCachePubKeyPath}),
+        " ${config} > /etc/nixos/local.nix
+      cat > /etc/nixos/configuration.nix <<EOF
+      {
+        imports = [
+          ${../lib/nixosTest-rebuild-switch.nix}
+          ${trustixModule}
+          ./local.nix
+        ];
+      }
+      EOF
+    '';
+
 in nixosTest {
   name = "one-publisher";
   nodes = {
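Review bot: `binaryCaches = lib.mkForce [ "http//localhost:9001" ]` in clientConfig is missing the colon after `http`, so nix will not treat it as a valid cache URL and the subscriber path cannot be exercised even once the upstream issue is fixed; it should read `binaryCaches = lib.mkForce [ "http://localhost:9001" ];`. To my recollection the public key file written by `nix-store --generate-binary-cache-key clint …` already has the form `clint:<base64>`, in which case `"clint://@binaryCachePubKey@"` duplicates the name prefix and `"@binaryCachePubKey@"` alone is what `binaryCachePublicKeys` expects; please verify against the generated file. Separately, the new mkConfig runs `set -euxo pipefail` and then expands `$(< …PubKeyPath)` on the command line, so the full contents of whichever file is passed are echoed into the test log; fine for public keys, but it means a wrong path leaks whatever it points at. The enclosing `let` starts before this hunk.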
@@ -78,13 +124,57 @@ in nixosTest {
       virtualisation.diskSize = "1000";
       virtualisation.memorySize = "1G";
     };
+    clint = { pkgs, ... }: {
+      imports = [
+        ../lib/nixosTest-rebuild-switch.nix
+        trustixModule
+        "${binaryCacheKeyConfig}"
+      ];
+      system.extraDependencies = [
+        pkgs.hello.inputDerivation
+        pkgs.remarshal # For building trustix-config.toml
+        (nixos {
+          imports = [
+            ../lib/nixosTest-rebuild-switch.nix
+            trustixModule
+            "${binaryCacheKeyConfig}"
+            "${clientConfig}"
+          ];
+        }).toplevel
+      ];
+      virtualisation.diskSize = "1000";
+      virtualisation.memorySize = "1G";
+    };
   };
   testScript = ''
+    from os import getenv
+
     alisha.wait_for_file("/keys/trustix-pub")
+    alisha.copy_from_vm("/keys/trustix-pub")
+    clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")
+
     alisha.succeed(
-        "${mkConfig}",
+        "${
+          mkConfig {
+            config = publisherConfig;
+            trustixPubKeyPath = "/keys/trustix-pub";
+          }
+        }",
         "nixos-rebuild switch --show-trace",
     )
     alisha.succeed("nix-build '<nixpkgs>' -A hello")
+
+    clint.wait_for_file("/keys/cache-priv-key.pem")
+    clint.succeed(
+        "${
+          mkConfig {
+            config = clientConfig;
+            trustixPubKeyPath = "/keys/alisha-signing-pub";
+            binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
+          }
+        }",
+        "nixos-rebuild switch --show-trace",
+    )
+    clint.succeed("nix-build '<nixpkgs>' -A hello")
   '';
 }
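Review bot: `binaryCachePubKeyPath = "/keys/cache-priv-key.pem"` in the clint call passes the private key, not the public key: mkConfig substitutes that file's contents into `/etc/nixos/local.nix` and into `nix.binaryCachePublicKeys`, and with `set -x` in mkConfig also echoes it into the test log, while verification of the local cache fails because no public key is configured. The public half generated by binaryCacheKeyConfig in this same commit is `/keys/cache-pub-key.pem`, so the line should be `binaryCachePubKeyPath = "/keys/cache-pub-key.pem";`. Also, clint's `wait_for_file("/keys/cache-priv-key.pem")` only proves the private key exists; waiting on the public key file instead would also guarantee the value mkConfig reads is present.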
index b98875bc3f98100634cf409703742b22e9d05df4..f862fc1f82b687c6d917874be89f51aa6beee464 100644 (file)
@@ -9,7 +9,8 @@
     (modulesPath + "/virtualisation/qemu-vm.nix")
   ];
 
-  nix.binaryCaches = lib.mkForce [ ];
+  nix.binaryCaches = lib.mkOverride 90 [ ];
+  nix.binaryCachePublicKeys = lib.mkOverride 90 [ ];
   nix.extraOptions = ''
     hashed-mirrors =
     connect-timeout = 1
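Review bot: The switch from `lib.mkForce` to `lib.mkOverride 90` on both `nix.binaryCaches` and `nix.binaryCachePublicKeys` is a priority choice that is not obvious to a reader, since it silently decides which test modules may re-enable a cache. A one-line comment above the pair would do, e.g. `# Priority 90: wins over plain definitions (100) but yields to mkForce (50), so a test node can re-enable a local cache.` Without it the next reader may restore mkForce and break any node that sets its own caches.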