From 578e32b36eff2f3b2c381f9ca658c6e8b79aefe0 Mon Sep 17 00:00:00 2001
From: Scott Worley
Date: Wed, 14 Jul 2021 23:48:09 -0700
Subject: [PATCH] Get publisher running inside a nixosTest

---
 checks/one-publisher.nix | 90 ++++++++++++++++++++++++++++++++
 flake.lock | 44 ++++++++++++++++
 flake.nix | 36 +++++++++++++
 lib/nixosTest-rebuild-switch.nix | 41 +++++++++++++++
 lib/prefetchNiv.nix | 38 ++++++++++++++
 5 files changed, 249 insertions(+)
 create mode 100644 checks/one-publisher.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 lib/nixosTest-rebuild-switch.nix
 create mode 100644 lib/prefetchNiv.nix

diff --git a/checks/one-publisher.nix b/checks/one-publisher.nix
new file mode 100644
index 0000000..2099047
--- /dev/null
+++ b/checks/one-publisher.nix
@@ -0,0 +1,90 @@
+{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
+, writeText, }:
+let
+ inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;
+
+ trustixModule = trustixSrc + "/nixos";
+
+ trustixKeyConfig = writeText "trustixKeyConfig" ''
+ { pkgs, ... }: {
+ config = {
+ system.activationScripts.trustix-create-key = '''
+ if [[ ! -e /keys/trustix-priv ]];then
+ mkdir -p /keys
+ ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
+ fi
+ ''';
+ };
+ }
+ '';
+
+ publisherConfig = writeText "publisherConfig" ''
+ {
+ services.trustix = {
+ enable = true;
+ signers.aisha-snakeoil = {
+ type = "ed25519";
+ ed25519 = { private-key-path = "/keys/trustix-priv"; };
+ };
+ publishers = [{
+ signer = "aisha-snakeoil";
+ protocol = "nix";
+ publicKey = {
+ type = "ed25519";
+ pub = "@pubkey@";
+ };
+ }];
+ };
+ }
+ '';
+
+ mkConfig = writeShellScript "mkConfig" ''
+ set -euxo pipefail
+ mkdir -p /etc/nixos
+ ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
+ cat > /etc/nixos/configuration.nix <' -A hello")
+ '';
+}
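Review bot: The activation script in trustixKeyConfig creates /keys with a bare `mkdir -p` and then generates the Ed25519 signing key into it without setting a umask or directory mode, so whether /keys/trustix-priv ends up readable by other local users depends entirely on what `trustix generate-key` does with file modes, which this hunk does not show. Making that explicit costs one line: `install -d -m 0700 /keys` in place of the mkdir, or wrapping the generation in `(umask 077; ''${pkgs.trustix}/bin/trustix generate-key ...)`. The guard also tests only for the private key, so a VM that has /keys/trustix-priv but no /keys/trustix-pub would reach the sed substitution in mkConfig with an empty `$(< /keys/trustix-pub)` and write a publisher config with an empty `pub`; checking both files (`if [[ ! -e /keys/trustix-priv || ! -e /keys/trustix-pub ]]`) keeps the pair consistent. Note that the heredoc body after `cat > /etc/nixos/configuration.nix <` and the nixosTest definition up to `-A hello` are missing from this rendering of the hunk, so those lines could not be reviewed.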
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..41c4e6d
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,44 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1616174264,
+ "narHash": "sha256-88Pu2xh1p2tixNxdijfqoCqq9ymkEx0d6jc7ycWavLo=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "f5e8bdd07d1afaabf6b37afc5497b1e498b8046f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "f5e8bdd07d1afaabf6b37afc5497b1e498b8046f",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "trustix": "trustix"
+ }
+ },
+ "trustix": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1625664295,
+ "narHash": "sha256-oF9A6dcQbD0o3hPqidJYIDnKgZ5qcfUVaIvIu1eJ594=",
+ "owner": "tweag",
+ "repo": "trustix",
+ "rev": "299705170a49737624c3536283709c1af7322e34",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tweag",
+ "repo": "trustix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..52c92da
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,36 @@
+{
+ description = "Integration tests for trustix";
+
+ inputs = {
+ # nixpkgs.follows = "trustix/nixpkgs"; # When trustix becomes a flake
+ # Until then:
+ nixpkgs.url =
+ "github:nixos/nixpkgs/f5e8bdd07d1afaabf6b37afc5497b1e498b8046f";
+
+ trustix = {
+ url = "github:tweag/trustix";
+ flake = false;
+ };
+ };
+
+ outputs = { self, nixpkgs, trustix, }:
+ let
+ inherit (nixpkgs.lib) genAttrs;
+ supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+ forAllSystems = genAttrs supportedSystems;
+
+ in {
+
+ lib = { prefetchNiv = import ./lib/prefetchNiv.nix; };
+
+ checks = forAllSystems (system: {
+ one-publisher = nixpkgs.legacyPackages."${system}".callPackage
+ ./checks/one-publisher.nix {
+ trustixSrc = (nixpkgs.legacyPackages."${system}".callPackage
+ self.lib.prefetchNiv { }) trustix;
+ trustix = (import trustix).packages.trustix;
+ };
+ });
+
+ };
+}
diff --git a/lib/nixosTest-rebuild-switch.nix b/lib/nixosTest-rebuild-switch.nix
new file mode 100644
index 0000000..b98875b
--- /dev/null
+++ b/lib/nixosTest-rebuild-switch.nix
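Review bot: `lib.prefetchNiv` is exported as a flake output, but lib/prefetchNiv.nix is a callPackage-style function (its first argument set is `{ lib, stdenvNoCC, niv, runCommand, system, }`), and the only hint to a consumer is the `callPackage self.lib.prefetchNiv { }` call inside the checks block; a comment on the `lib =` line such as `# callPackage-style: pkgs.callPackage self.lib.prefetchNiv { } yields src -> derivation` would make the output usable outside this flake. The `nixpkgs.url` pin repeats the rev already recorded in flake.lock; that is deliberate per the comment above it, but it also means `nix flake update` will not move nixpkgs until the `follows` line is restored, which the comment could say so nobody expects the lock file alone to drive that input.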
@@ -0,0 +1,41 @@
+# NixOS configuration that allows a nixosTest virtual machine to "nixos-rebuild switch".
+# You'll also need to include the config's system.build.toplevel in system.extraDependencies.
+
+{ lib, pkgs, modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/installer/cd-dvd/channel.nix")
+ (modulesPath + "/profiles/base.nix")
+ (modulesPath + "/testing/test-instrumentation.nix")
+ (modulesPath + "/virtualisation/qemu-vm.nix")
+ ];
+
+ nix.binaryCaches = lib.mkForce [ ];
+ nix.extraOptions = ''
+ hashed-mirrors =
+ connect-timeout = 1
+ '';
+
+ system.extraDependencies = with pkgs; [
+ # List of packages from installer test
+ curl # To diagnose fetch requests
+ desktop-file-utils
+ docbook5
+ docbook_xsl_ns
+ grub
+ libxml2.bin
+ libxslt.bin
+ nixos-artwork.wallpapers.simple-dark-gray-bottom
+ ntp
+ perlPackages.ListCompare
+ perlPackages.XMLLibXML
+ shared-mime-info
+ stdenvNoCC
+ sudo
+ texinfo
+ unionfs-fuse
+ xorg.lndir
+ ];
+
+ # Don't try to install bootloaders in a VM
+ boot.loader.grub.devices = lib.mkForce [ "nodev" ];
+}
diff --git a/lib/prefetchNiv.nix b/lib/prefetchNiv.nix
new file mode 100644
index 0000000..f732e30
--- /dev/null
+++ b/lib/prefetchNiv.nix
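Review bot: `nix.binaryCaches = lib.mkForce [ ]` together with the empty `hashed-mirrors` and `connect-timeout = 1` is what makes a rebuild inside the test VM fail fast instead of hanging on a network the sandbox does not provide, but nothing in the file says so; a comment above the `nix.binaryCaches` line such as `# The test VM has no network: drop cache.nixos.org and hashed mirrors so a path missing from system.extraDependencies fails immediately instead of hanging the test.` would save the next reader a trip to the nixpkgs installer test. The `# List of packages from installer test` comment would be more useful with the path it was copied from (presumably nixos/tests/installer.nix — confirm), since these closure requirements drift between nixpkgs versions and someone will need to re-sync them. The header comment should also state that this module imports test-instrumentation.nix, which as far as I recall wires up the nixosTest driver's root backdoor, so the file is never reused for anything but a throwaway test VM.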
@@ -0,0 +1,38 @@
+# Pre-fetch niv-controlled sources so that we can use a niv-using package
+# inside a nixosTest.
+
+{ lib, stdenvNoCC, niv, runCommand, system, }:
+src:
+let
+ inherit (lib) attrNames concatStringsSep filterAttrs hasPrefix mapAttrsToList;
+ nivSources = filterAttrs (name: _: !(hasPrefix "__" name))
+ (import (src + "/nix/sources.nix"));
+in stdenvNoCC.mkDerivation {
+ name = "niv-prefetched-source";
+ inherit src;
+ nativeBuildInputs = [ niv ];
+ buildPhase = ''
+ ${concatStringsSep "\n" (mapAttrsToList (name: info:
+ "niv modify ${name} --attribute url=file://${
+ if info.type == "tarball" then
+ # Because niv
+ # * fetches nixpkgs with builtin.fetchTarball, even with
+ # --attribute builtin=false (it has to, to get fetchzip), and
+ # * only keeps the hash of the unpacked archive,
+ # we have to let niv unpack it and verify the hash, then pack it back
+ # up. :( Unpacking nixpkgs ends up being most of the test's disk space
+ # and I/O. If/when trustix switches from niv to flakes, this can all go
+ # away--the test can just use the host's store paths directly.
+ runCommand "niv-src-tarball-${name}.tar.gz" { } ''
+ cd $(dirname ${info.outPath})
+ tar czf $out --hard-dereference --sort=name $(basename ${info.outPath})
+ ''
+ else
+ info.outPath
+ }") nivSources)}
+ '';
+ installPhase = ''
+ mkdir $out
+ cp -r * $out
+ '';
+}
-- 
2.44.1
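Review bot: `attrNames` is pulled in on the `inherit (lib)` line but never used anywhere in this file; the line should read `inherit (lib) concatStringsSep filterAttrs hasPrefix mapAttrsToList;`. The `niv modify` loop rewrites only the `url` attribute of each source, so niv's recorded sha256 presumably still verifies the `file://` copy when the VM fetches it — that is what keeps the pre-fetched sources from being a way to feed unverified content into the test, and it deserves a comment on the `"niv modify ${name}` line, e.g. `# Only url is rewritten; the recorded sha256 still checks the local copy.`. The repacked archive from `tar czf` may embed a gzip timestamp and the builder's uid/gid, so the .tar.gz bytes can differ between runs; that is harmless here because fetchTarball hashes the unpacked tree, but `--owner=0 --group=0 --numeric-owner --mtime=@1` and piping through `gzip -n` would make it deterministic, and either way the reason it does not matter belongs in the existing comment block. `info.type` is read unconditionally, so a sources.json entry without a `type` field fails evaluation with a bare attribute-missing error; `(info.type or "") == "tarball"` with a one-line comment would give a clearer failure mode.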