Generate and test .deb package for Debian and Ubuntu

.gitignore

@@ -25,3 +25,4 @@ _markdown_*
 .vscode
 
 /output
+.nixos-test-history

flake.nix

@@ -6,9 +6,15 @@
     # for rust nightly with llvm-tools-preview
     fenix.url = "github:nix-community/fenix";
     fenix.inputs.nixpkgs.follows = "nixpkgs";
+
+    # TODO: Switch to github:numtide/nix-vm-tests when pull request
+    # https://github.com/numtide/nix-vm-test/pull/71 is through
+    nix-vm-test.url = "github:tfc/nix-vm-test";
+    nix-vm-test.inputs.nixpkgs.follows = "nixpkgs";
+    nix-vm-test.inputs.flake-utils.follows = "flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils, ... }@inputs:
+  outputs = { self, nixpkgs, flake-utils, nix-vm-test, ... }@inputs:
     nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
 
 
@@ -77,10 +83,16 @@
             inherit system;
 
             # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
-            overlays = [ self.overlays.default ];
+            overlays = [
+              self.overlays.default
+              nix-vm-test.overlays.default
+            ];
           };
         in
         {
+          packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
+            rosenpass = pkgs.pkgsStatic.rosenpass;
+          };
 
           #
           ### Reading materials ###
@@ -150,7 +162,10 @@
               { nativeBuildInputs = [ pkgs.nodePackages.prettier ]; } ''
               cd ${./.} && prettier --check . && touch $out
             '';
-          };
+          } // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/packaging/deb.nix {
+            inherit pkgs;
+            rosenpass-deb = self.packages.${system}.package-deb;
+          });
 
           formatter = pkgs.nixpkgs-fmt;
         }))

pkgs/example.toml

@@ -0,0 +1,9 @@
+dev = "rp-example"
+ip = "fc00::1/64"
+listen = "[::]:51821"
+private_keys_dir = "/run/credentials/[email protected]"
+verbose = true
+
+[[peers]]
+public_keys_dir = "/etc/rosenpass/example/peers/client"
+allowed_ips = "fc00::2"

pkgs/package-deb.nix

@@ -0,0 +1,30 @@
+{ runCommand, dpkg, rosenpass }:
+
+let
+  inherit (rosenpass) version;
+in
+
+runCommand "rosenpass-${version}.deb" { } ''
+  mkdir -p packageroot/DEBIAN
+
+  cat << EOF > packageroot/DEBIAN/control
+  Package: rosenpass
+  Version: ${version}
+  Architecture: all
+  Maintainer: Jacek Galowicz <[email protected]>
+  Depends:
+  Description: Post-quantum-secure VPN tool Rosenpass
+    Rosenpass is a post-quantum-secure VPN
+    that uses WireGuard to transport the actual data.
+  EOF
+
+
+  mkdir -p packageroot/usr/bin
+  install -m755 -t packageroot/usr/bin ${rosenpass}/bin/*
+
+  mkdir -p packageroot/etc/rosenpass
+  cp -r ${rosenpass}/lib/systemd packageroot/etc/
+  cp ${./example.toml} packageroot/etc/rosenpass/example.toml
+
+  ${dpkg}/bin/dpkg --build packageroot $out
+''

tests/packaging/deb.nix

@@ -0,0 +1,44 @@
+{ pkgs, rosenpass-deb }:
+
+let
+  wg-deb = pkgs.fetchurl {
+    url = "http://ftp.de.debian.org/debian/pool/main/w/wireguard/wireguard-tools_1.0.20210914-1.1_amd64.deb";
+    hash = "sha256-s/hCUisQLR19kEbV6d8JXzzTAWUPM+NV0APgHizRGA4=";
+  };
+  pkgsDir = pkgs.runCommand "packages" {} ''
+    mkdir $out
+    cp ${rosenpass-deb} $out/rosenpass.deb
+    cp ${wg-deb} $out/wireguard.deb
+    cp ${./prepare-test.sh} $out/prepare-test.sh
+  '';
+
+  testAttrs = {
+    sharedDirs.share = {
+      source = pkgsDir;
+      target = "/mnt/share";
+    };
+    testScript = ''
+      vm.wait_for_unit("multi-user.target")
+      vm.succeed("dpkg --install /mnt/share/wireguard.deb")
+      vm.succeed("dpkg --install /mnt/share/rosenpass.deb")
+      vm.succeed("bash /mnt/share/prepare-test.sh")
+
+      vm.succeed(f"systemctl start rp@server")
+      vm.succeed(f"systemctl start rp@client")
+
+      vm.wait_for_unit("[email protected]")
+      vm.wait_for_unit("[email protected]")
+
+      vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
+
+      psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1]
+      psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1]
+
+      assert psk_server == psk_client, "preshared-key exchange must be successful"
+    '';
+  };
+in
+{
+  debian-13 = (pkgs.testers.legacyDistros.debian."13" testAttrs).sandboxed;
+  ubuntu-23_10 = (pkgs.testers.legacyDistros.ubuntu."23_10" testAttrs).sandboxed;
+}

tests/packaging/prepare-test.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+< /etc/rosenpass/example.toml  \
+  sed 's@example@server@' > /etc/rosenpass/server.toml
+
+< /etc/rosenpass/example.toml \
+  sed 's@listen.*@@' |
+  sed 's@client@server@' |
+  sed 's@example@client@' |
+  sed 's@fc00::2@fc00::1@' |
+  sed 's@fc00::1/64@fc00::2/64@' > /etc/rosenpass/client.toml
+
+echo 'endpoint = "[::1]:51821"' >> /etc/rosenpass/client.toml
+
+rp genkey server-sk
+rp pubkey server-sk server-pk
+
+rp genkey client-sk
+rp pubkey client-sk client-pk
+
+mkdir -p /etc/rosenpass/server/peers/client
+mkdir -p /etc/rosenpass/client/peers/server
+
+cp server-sk/{pqpk,pqsk,wgsk} /etc/rosenpass/server/
+cp client-sk/{pqpk,pqsk,wgsk} /etc/rosenpass/client/
+
+cp client-pk/{pqpk,wgpk} /etc/rosenpass/server/peers/client
+cp server-pk/{pqpk,wgpk} /etc/rosenpass/client/peers/server