diff --git a/modules/flake-parts/packages.postbuildstepper/default.nix b/modules/flake-parts/packages.postbuildstepper/default.nix index 3675f88..3ac5ceb 100644 --- a/modules/flake-parts/packages.postbuildstepper/default.nix +++ b/modules/flake-parts/packages.postbuildstepper/default.nix @@ -2,7 +2,6 @@ # System independent arguments. self, inputs, - lib, ... }: { @@ -11,14 +10,16 @@ # Arguments specific to the `perSystem` context. pkgs, self', + system ? pkgs.system, + lib, ... }: + { # system specific outputs like, apps, checks, packages packages = let - system = pkgs.system; cranePkgs = inputs.craneNixpkgs.legacyPackages.${system}; craneLib = inputs.crane.mkLib cranePkgs; 
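Review bot: The new `system ? pkgs.system` default in the `perSystem` argument set looks dead: flake-parts already passes `system` to every `perSystem` function, so the fallback is never evaluated and the `? pkgs.system` part only hides the dependency on the argument. If the intent is simply to stop defining `system` locally (the removed `system = pkgs.system;` binding), `system,` alone says that; if a fallback is really wanted, `pkgs.stdenv.hostPlatform.system` is the spelling nixpkgs recommends over `pkgs.system`. Both hunks on this line are in the module's argument lists, so the function bodies they affect continue below the hunk.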
@@ -60,17 +61,181 @@ postbuildstepperArgs // { cargoArtifacts = postbuildstepperDeps; } ); + }; + + checks = + let + s3 = { + bucket = "cache.holo.host"; + endpoint = "s3.wasabisys.com"; + adminKey = "s3key"; + adminSecret = "s3secret"; + profile = "cache-holo-host-s3-wasabi"; + + userKey = "s3user"; + userSecret = "s3usersecret"; + + endpointCert = self.lib.makeCert { + inherit pkgs; + caName = "Example good CA"; + domain = "${s3.endpoint}"; + }; + + bucketCert = self.lib.makeCert { + inherit pkgs; + caName = "Example good CA"; + domain = "${s3.bucket}"; + }; + }; + + awsSharedCredentialsFile = pkgs.writeText "aws-shared-credentials" '' + [${s3.profile}] + aws_access_key_id = ${s3.userKey} + aws_secret_access_key = ${s3.userSecret}''; + + cacheSecretKey = "testing-2:CoS7sAPcH1M+LD+D/fg9sc1V3uKk88VMHZ/MvAJHsuMSasehxxlUKNa0LUedGgFfA1wlRYF74BNcAldRxX2g8A=="; + cachePublicKey = "testing-2:EmrHoccZVCjWtC1HnRoBXwNcJUWBe+ATXAJXUcV9oPA="; + in + lib.attrsets.optionalAttrs pkgs.stdenv.isx86_64 { postbuildstepper-test = pkgs.writeShellScriptBin "test" '' - env \ - PROP_owners="['steveej']" \ - PROP_repository="https://github.com/Holo-Host/holo-nixpkgs" \ - PROP_project="Holo-Host/holo-nixpkgs" \ - PROP_attr="aarch64-linux.hello" \ - SECRET_cacheHoloHost2secret="testing-2:CoS7sAPcH1M+LD+D/fg9sc1V3uKk88VMHZ/MvAJHsuMSasehxxlUKNa0LUedGgFfA1wlRYF74BNcAldRxX2g8A==" \ - SECRET_awsSharedCredentialsFile="~/.aws/credentials" \ - PROP_out_path="${pkgs.hello}" \ - nix run .\#postbuildstepper + set -x + + export PROP_owners="['steveej']" + export PROP_repository="https://github.com/Holo-Host/holo-nixpkgs" + export PROP_project="Holo-Host/holo-nixpkgs" \ + export PROP_attr="aarch64-linux.hello" + export SECRET_cacheHoloHost2secret="${cacheSecretKey}" + export PROP_out_path="${pkgs.hello}" + # this needs to be `cat`ed because the program expects this to contain the content of the file. 
+ export SECRET_awsSharedCredentialsFile="$(cat ${awsSharedCredentialsFile})" + + exec ${pkgs.lib.getExe' self.packages.${system}.postbuildstepper "postbuildstepper"} ''; + + tests-postbuildstepper-integration = inputs.nixpkgs.lib.nixos.runTest { + name = "postbuildstepper"; + + imports = [ ]; + hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs + # defaults.services.foo.package = self'.packages.postbuildstepper; + + # One or more machines: + nodes = { + machine = + { config, pkgs, ... }: + + { + networking.hosts = { + "127.0.0.1" = [ + s3.bucket + s3.endpoint + ]; + }; + + security.pki.certificateFiles = [ + "${s3.endpointCert}/ca.crt" + "${s3.bucketCert}/ca.crt" + ]; + + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + + # add hello here as we need it in the VM closure at runtime, and otherwise `nix sign/copy` will try to build or fetch it + environment.systemPackages = [ pkgs.hello ]; + + services.minio = { + enable = true; + browser = false; + listenAddress = "127.0.0.1:9000"; + rootCredentialsFile = pkgs.writeText "creds" '' + MINIO_ROOT_USER=${s3.adminKey} + MINIO_ROOT_PASSWORD=${s3.adminSecret} + ''; + }; + + services.caddy = { + enable = true; + logFormat = '' + # if need be set to DEBUG + level INFO + ''; + globalConfig = '' + auto_https off + ''; + + virtualHosts.${s3.endpoint} = { + extraConfig = '' + tls ${s3.endpointCert}/server.crt ${s3.endpointCert}/server.key + reverse_proxy http://${config.services.minio.listenAddress} + ''; + }; + virtualHosts.${s3.bucket} = { + extraConfig = '' + tls ${s3.bucketCert}/server.crt ${s3.bucketCert}/server.key + rewrite * /${s3.bucket}{uri} + reverse_proxy http://${config.services.minio.listenAddress} + ''; + }; + }; + }; + }; + + testScript = '' + machine.start() + + machine.wait_for_unit("minio.service") + # uncomment this command get a minio trace log + # machine.execute( + # ${pkgs.writeShellScript "trace-minio" '' + # export PATH=${pkgs.minio-client}/bin:$PATH + # set -xe + # 
# background trace logging for minio + # mc admin trace --all localhost >&2 & + # ''}, + # timeout = None + # ) + + + machine.wait_for_unit("caddy.service") + + machine.succeed("${pkgs.writeShellScript "prepare-minio" '' + export PATH=${pkgs.minio-client}/bin:$PATH + + set -xe + + mc alias set localhost "https://${s3.endpoint}" "${s3.adminKey}" "${s3.adminSecret}" + mc mb localhost/${s3.bucket} + + # create a non-admin user with write permissions + mc admin user add localhost ${s3.userKey} ${s3.userSecret} + mc admin policy attach localhost readwrite --user ${s3.userKey} + mc alias set user "https://${s3.endpoint}" "${s3.userKey}" "${s3.userSecret}" + + # allow anonymous access to the "cache" + mc anonymous set --recursive download localhost/${s3.bucket} + + # this file is GET'ed by `nix copy` + echo "StoreDir: /nix/store" > nix-cache-info + mc cp nix-cache-info user/${s3.bucket}/nix-cache-info + # mc cp nix-cache-info localhost/${s3.bucket}/nix-cache-info + + for remote in \ + https://${s3.endpoint}/${s3.bucket}/nix-cache-info \ + https://${s3.bucket}/nix-cache-info \ + ; do + diff --report-identical-files <(curl ''${remote}) nix-cache-info + done + + + ''}", timeout = 10) + + machine.succeed("${lib.getExe self'.checks.postbuildstepper-test}", timeout = 30) + + machine.succeed("nix copy --trusted-public-keys ${cachePublicKey} --from https://cache.holo.host --to ./store ${pkgs.hello}", timeout = 30) + ''; + }; }; };
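Review bot: The new `postbuildstepper-test` script carries a stray line continuation on `export PROP_project="Holo-Host/holo-nixpkgs" \`, which splices the following `export PROP_attr=...` onto the same command; both variables still get set only because bash's `export` accepts several NAME=VALUE arguments, so drop the trailing backslash. The same script enables `set -x` before exporting `SECRET_cacheHoloHost2secret` and the `cat`-ed credentials file, so the secret values are echoed to stderr on every run; move `set -x` below the exports (or leave tracing off) so the pattern stays safe when a real key replaces the `testing-2` one. The integration test covers only the TLS happy path, since the test CA is trusted via `security.pki.certificateFiles`; a regression that made the program stop verifying certificates would still pass, so a second run against a certificate from a CA that is not installed, asserted with `machine.fail(...)`, would close that gap. Finally, `pkgs.lib.getExe'` and `lib.getExe` are mixed in the same block and `self.packages.${system}` is used next to `self'.checks`; with `lib` now a `perSystem` argument, `lib.getExe' self'.packages.postbuildstepper "postbuildstepper"` would be consistent.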