From cd439af2c4d45f568de0d5d1fbd2934b31162325 Mon Sep 17 00:00:00 2001 From: Benjamin Lee Date: Thu, 13 Jun 2024 01:09:43 -0700 Subject: [PATCH] add test image for complement This image should satisfy the requirements described in [1]. openssl commands were copied from [2]. [1]: https://github.com/matrix-org/complement?tab=readme-ov-file#image-requirements [2]: https://github.com/matrix-org/complement?tab=readme-ov-file#complement-pki --- flake.nix | 5 ++ .../config.toml | 38 +++++++++ .../default.nix | 78 +++++++++++++++++++ 3 files changed, 121 insertions(+) create mode 100644 nix/pkgs/complement-grapevine-oci-image/config.toml create mode 100644 nix/pkgs/complement-grapevine-oci-image/default.nix diff --git a/flake.nix b/flake.nix index 9cdd3ceb..8b47fa30 100644 --- a/flake.nix +++ b/flake.nix @@ -22,6 +22,9 @@ mkScope = pkgs: pkgs.lib.makeScope pkgs.newScope (self: { complement = self.callPackage ./nix/pkgs/complement {}; + complement-grapevine-oci-image = + self.callPackage ./nix/pkgs/complement-grapevine-oci-image { }; + craneLib = (inputs.crane.mkLib pkgs).overrideToolchain self.toolchain; @@ -75,6 +78,8 @@ packages = { default = (mkScope pkgs).default; complement = (mkScope pkgs).complement; + complement-grapevine-oci-image = + (mkScope pkgs).complement-grapevine-oci-image; } // builtins.listToAttrs diff --git a/nix/pkgs/complement-grapevine-oci-image/config.toml b/nix/pkgs/complement-grapevine-oci-image/config.toml new file mode 100644 index 00000000..5c110173 --- /dev/null +++ b/nix/pkgs/complement-grapevine-oci-image/config.toml 
@@ -0,0 +1,38 @@
+# this config file is processed with envsubst before being loaded
+
+server_name = "$SERVER_NAME"
+
+allow_registration = true
+
+# complement tests the unauthenticated media endpoints
+serve_media_unauthenticated = true
+
+[server_discovery.client]
+base_url = "https://$SERVER_NAME"
+
+[federation]
+trusted_servers = []
+
+[database]
+backend = "rocksdb"
+path = "/app/db"
+
+[observability.logs]
+filter = "debug,h2=warn,hyper=warn"
+# ansi escapes can make it hard to read the log files in an editor
+colors = false
+
+[tls]
+certs = "/app/grapevine.crt"
+key = "/app/grapevine.key"
+
+[[listen]]
+type = "tcp"
+address = "0.0.0.0"
+port = 8008
+
+[[listen]]
+type = "tcp"
+address = "0.0.0.0"
+port = 8448
+tls = true
diff --git a/nix/pkgs/complement-grapevine-oci-image/default.nix b/nix/pkgs/complement-grapevine-oci-image/default.nix
new file mode 100644
index 00000000..7cf379e7
--- /dev/null
+++ b/nix/pkgs/complement-grapevine-oci-image/default.nix
@@ -0,0 +1,78 @@
+# Keep sorted
+{ buildEnv
+, coreutils
+, default
+, dockerTools
+, envsubst
+, moreutils
+, openssl
+, writeShellScript
+, writeTextDir
+}:
+
+dockerTools.buildImage {
+ name = "complement-grapevine";
+
+ copyToRoot = buildEnv {
+ name = "image-root";
+ paths = [
+ (writeTextDir "app/config.toml" (builtins.readFile ./config.toml))
+ coreutils
+ default
+ moreutils
+ envsubst
+ openssl
+ ];
+ pathsToLink = [ "/bin" "/app" ];
+ };
+
+ config = {
+ ExposedPorts = {
+ "8008/tcp" = {};
+ "8448/tcp" = {};
+ };
+ Cmd = [
+ (writeShellScript "docker-entrypoint.sh" ''
+ set -euo pipefail
+
+ mkdir -p /tmp
+
+ # trust certs signed by the complement test CA
+ mkdir -p /etc/ssl/certs
+ # we don't have any other trusted certs, so just replace this file
+ # entirely
+ cp /complement/ca/ca.crt /etc/ssl/certs/ca-certificates.crt
+
+ # sign our TLS cert with the complement test CA
+ cat > /app/v3.ext <
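Review bot: `allow_registration = true`, `serve_media_unauthenticated = true` and the two `address = "0.0.0.0"` listeners together make this config unsafe anywhere except a Complement run, yet only the media flag carries a comment saying why; the header comment should state the scope so the file is never lifted into a real deployment, e.g. `# TEST-ONLY config for the Complement harness: open registration, unauthenticated media and 0.0.0.0 binds are deliberate here and must not be reused outside the test image`. Separately, `server_name = "$SERVER_NAME"` and `base_url = "https://$SERVER_NAME"` are substituted textually by envsubst inside TOML string literals, so a value containing `"` or `\` would corrupt the file or silently change the parsed server name. The entrypoint that consumes the variable lives in default.nix, whose hunk is cut off here, so I cannot see whether it validates the value; a one-line guard before envsubst that rejects anything outside a hostname character set (letters, digits, `.`, `-`, `:`) would close that gap without touching this file.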