nixpkgs/nixos/tests/systemd-nspawn.nix

import ./make-test.nix ({pkgs, lib, ...}:
let
  gpgKeyring = (pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
    mkdir -p $out
    export GNUPGHOME=$out
    cat > foo <<EOF
      %echo Generating a basic OpenPGP key
      %no-protection
      Key-Type: DSA
      Key-Length: 1024
      Subkey-Type: ELG-E
      Subkey-Length: 1024
      Name-Real: Joe Tester
      Name-Email: joe@foo.bar
      Expire-Date: 0
      # Do a commit here, so that we can later print "done"
      %commit
      %echo done
    EOF
    gpg --batch --generate-key foo
    rm $out/S.gpg-agent $out/S.gpg-agent.*
    gpg --export joe@foo.bar -a > $out/pubkey.gpg
  '');

  nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } ''
    mkdir -p $out
    cd $out
    dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5
    sha256sum testimage.raw > SHA256SUMS
    export GNUPGHOME="$(mktemp -d)"
    cp -R ${gpgKeyring}/* $GNUPGHOME
    gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
  '');
in {
  name = "opensmtpd";

  nodes = {
    server = { pkgs, ... }: {
      networking.firewall.allowedTCPPorts = [ 80 ];
      services.nginx = {
        enable = true;
        virtualHosts."server".root = nspawnImages;
      };
    };
    client = { pkgs, ... }: {
      environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg";
    };
  };

  testScript = ''
    startAll;

    $server->waitForUnit("nginx.service");
    $client->waitForUnit("network-online.target");
    $client->succeed("machinectl pull-raw --verify=signature http://server/testimage.raw");
    $client->succeed("cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw");
  '';
})
nixosTests.systemd-nspawn: add test This adds a test downloading an nspawn container via http, and ensures sha256sum verification and gpg signature verification work. 2019-11-02 19:55:41 +01:00			`import ./make-test.nix ({pkgs, lib, ...}:`
			`let`
			`gpgKeyring = (pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''`
			`mkdir -p $out`
			`export GNUPGHOME=$out`
			`cat > foo <<EOF`
			`%echo Generating a basic OpenPGP key`
			`%no-protection`
			`Key-Type: DSA`
			`Key-Length: 1024`
			`Subkey-Type: ELG-E`
			`Subkey-Length: 1024`
			`Name-Real: Joe Tester`
			`Name-Email: joe@foo.bar`
			`Expire-Date: 0`
			`# Do a commit here, so that we can later print "done"`
			`%commit`
			`%echo done`
			`EOF`
			`gpg --batch --generate-key foo`
			`rm $out/S.gpg-agent $out/S.gpg-agent.*`
			`gpg --export joe@foo.bar -a > $out/pubkey.gpg`
			`'');`

			`nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } ''`
			`mkdir -p $out`
			`cd $out`
			`dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5`
			`sha256sum testimage.raw > SHA256SUMS`
			`export GNUPGHOME="$(mktemp -d)"`
			`cp -R ${gpgKeyring}/* $GNUPGHOME`
			`gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS`
			`'');`
			`in {`
			`name = "opensmtpd";`

			`nodes = {`
			`server = { pkgs, ... }: {`
			`networking.firewall.allowedTCPPorts = [ 80 ];`
			`services.nginx = {`
			`enable = true;`
			`virtualHosts."server".root = nspawnImages;`
			`};`
			`};`
			`client = { pkgs, ... }: {`
			`environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg";`
			`};`
			`};`

			`testScript = ''`
			`startAll;`

			`$server->waitForUnit("nginx.service");`
			`$client->waitForUnit("network-online.target");`
			`$client->succeed("machinectl pull-raw --verify=signature http://server/testimage.raw");`
			`$client->succeed("cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw");`
			`'';`
			`})`