From 0d4b0780e7b716ef83d50df06bf22fa74a582b45 Mon Sep 17 00:00:00 2001 From: Scott Worley Date: Mon, 19 Jul 2021 14:18:10 -0700 Subject: [PATCH] Initial attempt at a subscriber with a local binary cache This doesn't work yet due to https://github.com/tweak/trustix/issue/24 --- checks/one-publisher.nix | 120 +++++++++++++++++++++++++++---- lib/nixosTest-rebuild-switch.nix | 3 +- 2 files changed, 107 insertions(+), 16 deletions(-) diff --git a/checks/one-publisher.nix b/checks/one-publisher.nix index 2099047..7ecec8f 100644 --- a/checks/one-publisher.nix +++ b/checks/one-publisher.nix @@ -18,6 +18,19 @@ let } ''; + binaryCacheKeyConfig = writeText "binaryCacheKeyConfig" '' + { pkgs, ... }: { + config = { + system.activationScripts.trustix-create-key = ''' + if [[ ! -e /keys/cache-priv-key.pem ]];then + mkdir -p /keys + ''${pkgs.nix}/bin/nix-store --generate-binary-cache-key clint /keys/cache-priv-key.pem /keys/cache-pub-key.pem + fi + '''; + }; + } + ''; + publisherConfig = writeText "publisherConfig" '' { services.trustix = { @@ -31,29 +44,62 @@ let protocol = "nix"; publicKey = { type = "ed25519"; - pub = "@pubkey@"; + pub = "@trustixPubKey@"; }; }]; }; } ''; - mkConfig = writeShellScript "mkConfig" '' - set -euxo pipefail - mkdir -p /etc/nixos - ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix - cat > /etc/nixos/configuration.nix < /etc/nixos/local.nix + cat > /etc/nixos/configuration.nix <' -A hello") + + clint.wait_for_file("/keys/cache-priv-key.pem") + clint.succeed( + "${ + mkConfig { + config = clientConfig; + trustixPubKeyPath = "/keys/alisha-signing-pub"; + binaryCachePubKeyPath = "/keys/cache-priv-key.pem"; + } + }", + "nixos-rebuild switch --show-trace", + ) + clint.succeed("nix-build '' -A hello") ''; } diff --git a/lib/nixosTest-rebuild-switch.nix b/lib/nixosTest-rebuild-switch.nix index b98875b..f862fc1 100644 --- a/lib/nixosTest-rebuild-switch.nix +++ b/lib/nixosTest-rebuild-switch.nix 
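Review bot: The activation script in `binaryCacheKeyConfig` creates `/keys` with a bare `mkdir -p` and relies on whatever mode `nix-store --generate-binary-cache-key` applies to `/keys/cache-priv-key.pem`, so the directory inherits the root umask and the signing key's exposure depends on tool defaults rather than on the script. Creating the directory with `install -d -m 0700 /keys` and following the generation with `chmod 0600 /keys/cache-priv-key.pem` would make the intent explicit. The guard also tests only the private key, so a missing `/keys/cache-pub-key.pem` next to an existing private key would never be regenerated; `[[ ! -e /keys/cache-priv-key.pem || ! -e /keys/cache-pub-key.pem ]]` covers both files. The `''${pkgs.nix}` form is the correct escape for `${` inside the nested indented string, which deserves a one-line comment since the doubled quotes are easy to misread as a typo.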
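Review bot: In the test script, `binaryCachePubKeyPath = "/keys/cache-priv-key.pem";` points at the private half of the pair generated in the earlier hunk; the public key is written to `/keys/cache-pub-key.pem`, so this should read `binaryCachePubKeyPath = "/keys/cache-pub-key.pem";`. As written, whatever `mkConfig` substitutes from that path — presumably into the client's `nix.binaryCachePublicKeys` via `/etc/nixos/local.nix`, though most of the new `mkConfig` body is lost in this rendering of the patch — would be the secret signing key, copied into a world-readable NixOS configuration and useless as a trust anchor. The preceding `clint.wait_for_file("/keys/cache-priv-key.pem")` likewise waits for the private key, so it should wait for the public key file that the client actually consumes.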
@@ -9,7 +9,8 @@ (modulesPath + "/virtualisation/qemu-vm.nix") ]; - nix.binaryCaches = lib.mkForce [ ]; + nix.binaryCaches = lib.mkOverride 90 [ ]; + nix.binaryCachePublicKeys = lib.mkOverride 90 [ ]; nix.extraOptions = '' hashed-mirrors = connect-timeout = 1 -- 2.44.1
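Review bot: The switch from `lib.mkForce` to `lib.mkOverride 90` on `nix.binaryCaches`, together with the new `nix.binaryCachePublicKeys` default, needs a comment explaining the priority choice, because 90 still beats a plain definition (priority 100) in a test's own configuration: a test that sets `nix.binaryCaches = [ ... ];` without `mkForce` silently gets the empty list and fails with no substituter instead of an obvious conflict. Suggested comment above the two lines: `# Priority 90: beats plain module definitions (100) so tests are offline and trust no cache keys by default; a test that needs a cache must opt in with lib.mkForce on both options.` Keeping the two options at the same priority is right, since a cache URL trusted without its key, or a key without its cache, is an inconsistent state. The hunk header counts seven old lines but only six are visible here, so a blank context line was probably dropped when the patch was flattened and the exact placement should be checked against the file.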