add test image for complement

This image should satisfy the requirements described in [1]. openssl
commands were copied from [2].

[1]: https://github.com/matrix-org/complement?tab=readme-ov-file#image-requirements
[2]: https://github.com/matrix-org/complement?tab=readme-ov-file#complement-pki

flake.nix

@@ -22,6 +22,9 @@
       mkScope = pkgs: pkgs.lib.makeScope pkgs.newScope (self: {
         complement = self.callPackage ./nix/pkgs/complement {};
 
+        complement-grapevine-oci-image =
+          self.callPackage ./nix/pkgs/complement-grapevine-oci-image { };
+
         craneLib =
           (inputs.crane.mkLib pkgs).overrideToolchain self.toolchain;
 
@@ -75,6 +78,8 @@
         packages = {
           default = (mkScope pkgs).default;
           complement = (mkScope pkgs).complement;
+          complement-grapevine-oci-image =
+            (mkScope pkgs).complement-grapevine-oci-image;
         }
         //
         builtins.listToAttrs

nix/pkgs/complement-grapevine-oci-image/config.toml

@@ -0,0 +1,38 @@
+# this config file is processed with envsubst before being loaded
+
+server_name = "$SERVER_NAME"
+
+allow_registration = true
+
+# complement tests the unauthenticated media endpoints
+serve_media_unauthenticated = true
+
+[server_discovery.client]
+base_url = "https://$SERVER_NAME"
+
+[federation]
+trusted_servers = []
+
+[database]
+backend = "rocksdb"
+path = "/app/db"
+
+[observability.logs]
+filter = "debug,h2=warn,hyper=warn"
+# ansi escapes can make it hard to read the log files in an editor
+colors = false
+
+[tls]
+certs = "/app/grapevine.crt"
+key = "/app/grapevine.key"
+
+[[listen]]
+type = "tcp"
+address = "0.0.0.0"
+port = 8008
+
+[[listen]]
+type = "tcp"
+address = "0.0.0.0"
+port = 8448
+tls = true

nix/pkgs/complement-grapevine-oci-image/default.nix

@@ -0,0 +1,78 @@
+# Keep sorted
+{ buildEnv
+, coreutils
+, default
+, dockerTools
+, envsubst
+, moreutils
+, openssl
+, writeShellScript
+, writeTextDir
+}:
+
+dockerTools.buildImage {
+  name = "complement-grapevine";
+
+  copyToRoot = buildEnv {
+    name = "image-root";
+    paths = [
+     (writeTextDir "app/config.toml" (builtins.readFile ./config.toml))
+     coreutils
+     default
+     moreutils
+     envsubst
+     openssl
+   ];
+    pathsToLink = [ "/bin" "/app" ];
+  };
+
+  config = {
+    ExposedPorts = {
+      "8008/tcp" = {};
+      "8448/tcp" = {};
+    };
+    Cmd = [
+      (writeShellScript "docker-entrypoint.sh" ''
+        set -euo pipefail
+
+        mkdir -p /tmp
+
+        # trust certs signed by the complement test CA
+        mkdir -p /etc/ssl/certs
+        # we don't have any other trusted certs, so just replace this file
+        # entirely
+        cp /complement/ca/ca.crt /etc/ssl/certs/ca-certificates.crt
+
+        # sign our TLS cert with the complement test CA
+        cat > /app/v3.ext <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName=DNS:$SERVER_NAME
+EOF
+        openssl genrsa \
+          -out /app/grapevine.key \
+          2048
+        openssl req -new \
+          -sha256 \
+          -key /app/grapevine.key \
+          -subj "/CN=$SERVER_NAME" \
+          -out /app/grapevine.csr
+        openssl x509 -req \
+          -in /app/grapevine.csr \
+          -CA /complement/ca/ca.crt \
+          -CAkey /complement/ca/ca.key \
+          -CAcreateserial \
+          -out /app/grapevine.crt \
+          -extfile /app/v3.ext \
+          -days 365 \
+          -sha256
+
+        envsubst --no-unset < /app/config.toml | sponge /app/config.toml
+
+        export RUST_BACKTRACE=full
+        grapevine serve --config /app/config.toml
+      '')
+    ];
+  };
+}