Generate and test RPM package for Fedora

applicative-systems · Dec 14, 2024 · d65a72d · d65a72d
1 parent d80123d
commit d65a72d
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 46 deletions.
diff --git a/flake.nix b/flake.nix
@@ -91,6 +91,9 @@
           packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
             rosenpass = pkgs.pkgsStatic.rosenpass;
           };
+          packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
+            rosenpass = pkgs.pkgsStatic.rosenpass;
+          };
 
           #
           ### Reading materials ###
@@ -160,9 +163,9 @@
               { nativeBuildInputs = [ pkgs.nodePackages.prettier ]; } ''
               cd ${./.} && prettier --check . && touch $out
             '';
-          } // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/packaging/deb.nix {
+          } // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/legacy-distro-packaging.nix {
             inherit pkgs;
-            rosenpass-deb = self.packages.${system}.package-deb;
+            inherit (self.packages.${system}) rosenpass-deb rosenpass-rpm;
           });
 
           formatter = pkgs.nixpkgs-fmt;

diff --git a/pkgs/package-rpm.nix b/pkgs/package-rpm.nix
@@ -0,0 +1,57 @@
+{ lib, system, runCommand, rosenpass, rpm }:
+
+let
+  splitVersion = lib.strings.splitString "-" rosenpass.version;
+  version = builtins.head splitVersion;
+  release =
+    if builtins.length splitVersion != 2
+    then "release"
+    else builtins.elemAt splitVersion 1;
+  arch = builtins.head (builtins.split "-" system);
+in
+
+runCommand "rosenpass-${version}.deb" { } ''
+  mkdir -p rpmbuild/SPECS
+
+  cat << EOF > rpmbuild/SPECS/rosenpass.spec
+  Name:           rosenpass
+  Release:        ${release}
+  Version:        ${version}
+  Summary:        Post-quantum-secure VPN key exchange
+  License:        Apache-2.0
+
+  %description
+  Post-quantum-secure VPN tool Rosenpass
+  Rosenpass is a post-quantum-secure VPN
+  that uses WireGuard to transport the actual data.
+
+  %files
+  /usr/bin/rosenpass
+  /usr/bin/rp
+  /etc/systemd/system/rosenpass.target
+  /etc/systemd/system/[email protected]
+  /etc/systemd/system/[email protected]
+  /etc/rosenpass/example.toml
+  EOF
+
+  buildroot=rpmbuild/BUILDROOT/rosenpass-${version}-${release}.${arch}
+  mkdir -p $buildroot/usr/bin
+  install -m755 -t $buildroot/usr/bin ${rosenpass}/bin/*
+
+  mkdir -p $buildroot/etc/rosenpass
+  cp -r ${rosenpass}/lib/systemd $buildroot/etc/
+  chmod -R 744 $buildroot/etc/systemd
+  cp ${./example.toml} $buildroot/etc/rosenpass/example.toml
+
+  export HOME=/build
+  mkdir -p /build/tmp
+  ls -R rpmbuild
+
+  ${rpm}/bin/rpmbuild \
+    -bb \
+    --dbpath=$HOME \
+    --define "_tmppath /build/tmp" \
+    rpmbuild/SPECS/rosenpass.spec
+
+  cp rpmbuild/RPMS/${arch}/rosenpass*.rpm $out
+''
diff --git a/tests/legacy-distro-packaging.nix b/tests/legacy-distro-packaging.nix
@@ -0,0 +1,71 @@
+{ pkgs, rosenpass-deb, rosenpass-rpm }:
+
+let
+  wg-deb = pkgs.fetchurl {
+    url = "http://ftp.de.debian.org/debian/pool/main/w/wireguard/wireguard-tools_1.0.20210914-1.1_amd64.deb";
+    hash = "sha256-s/hCUisQLR19kEbV6d8JXzzTAWUPM+NV0APgHizRGA4=";
+  };
+  wg-rpm = pkgs.fetchurl {
+    url = "https://mirrors.n-ix.net/fedora/linux/releases/40/Everything/x86_64/os/Packages/w/wireguard-tools-1.0.20210914-6.fc40.x86_64.rpm";
+    hash = "sha256-lh6kCW5gh9bfuOwzjPv96ol1d6u1JTIr/oKH5QbAlK0=";
+  };
+
+  pkgsDirDeb = pkgs.runCommand "packages" { } ''
+    mkdir $out
+    cp ${rosenpass-rpm} $out/rosenpass.rpm
+    cp ${wg-rpm} $out/wireguard.rpm
+    cp ${./prepare-test.sh} $out/prepare-test.sh
+  '';
+  pkgsDirRpm = pkgs.runCommand "packages" { } ''
+    mkdir $out
+    cp ${rosenpass-rpm} $out/rosenpass.rpm
+    cp ${wg-rpm} $out/wireguard.rpm
+    cp ${./prepare-test.sh} $out/prepare-test.sh
+  '';
+
+  test = { tester, installPrefix, suffix, source }: (tester {
+    sharedDirs.share = {
+      inherit source;
+      target = "/mnt/share";
+    };
+    testScript = ''
+      vm.wait_for_unit("multi-user.target")
+      vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}")
+      vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}")
+      vm.succeed("bash /mnt/share/prepare-test.sh")
+
+      vm.succeed(f"systemctl start rp@server")
+      vm.succeed(f"systemctl start rp@client")
+
+      vm.wait_for_unit("[email protected]")
+      vm.wait_for_unit("[email protected]")
+
+      vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
+
+      psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1]
+      psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1]
+
+      assert psk_server == psk_client, "preshared-key exchange must be successful"
+    '';
+  }).sandboxed;
+in
+{
+  package-deb-debian-13 = test {
+    tester = pkgs.testers.legacyDistros.debian."13";
+    installPrefix = "dpkg --install";
+    suffix = "deb";
+    source = pkgsDirDeb;
+  };
+  package-deb-ubuntu-23_10 = test {
+    tester = pkgs.testers.legacyDistros.ubuntu."23_10";
+    installPrefix = "dpkg --install";
+    suffix = "deb";
+    source = pkgsDirDeb;
+  };
+  package-rpm-fedora_40 = test {
+    tester = pkgs.testers.legacyDistros.fedora."40";
+    installPrefix = "rpm -i";
+    suffix = "rpm";
+    source = pkgsDirRpm;
+  };
+}
diff --git a/tests/packaging/deb.nix b/tests/packaging/deb.nix
diff --git a/tests/packaging/prepare-test.sh → tests/prepare-test.sh b/tests/packaging/prepare-test.sh → tests/prepare-test.sh