add test image for complement

This image should satisfy the requirements described in [1]. openssl
commands were copied from [2].

[1]: https://github.com/matrix-org/complement?tab=readme-ov-file#image-requirements
[2]: https://github.com/matrix-org/complement?tab=readme-ov-file#complement-pki

flake.nix

@@ -16,6 +16,9 @@
       mkScope = pkgs: pkgs.lib.makeScope pkgs.newScope (self: {
         complement = self.callPackage ./nix/pkgs/complement {};
 
+        complement-grapevine-oci-image =
+          self.callPackage ./nix/pkgs/complement-grapevine-oci-image { };
+
         craneLib =
           (inputs.crane.mkLib pkgs).overrideToolchain self.toolchain;
 
@@ -51,6 +54,8 @@
         packages = {
           default = (mkScope pkgs).default;
           complement = (mkScope pkgs).complement;
+          complement-grapevine-oci-image =
+            (mkScope pkgs).complement-grapevine-oci-image;
         }
         //
         builtins.listToAttrs

nix/pkgs/complement-grapevine-oci-image/config.toml

@@ -0,0 +1,32 @@
+# this config file is processed with envsubst before being loaded
+
+server_name = "$SERVER_NAME"
+
+allow_registration = true
+
+[federation]
+trusted_servers = []
+
+[database]
+backend = "rocksdb"
+path = "/app/db"
+
+[observability.logs]
+filter = "debug,h2=warn,hyper=warn"
+# ansi escapes can make it hard to read the log files in an editor
+colors = false
+
+[tls]
+certs = "/app/grapevine.crt"
+key = "/app/grapevine.key"
+
+[[listen]]
+type = "tcp"
+address = "0.0.0.0"
+port = 8008
+
+[[listen]]
+type = "tcp"
+address = "0.0.0.0"
+port = 8448
+tls = true

nix/pkgs/complement-grapevine-oci-image/default.nix

@@ -0,0 +1,67 @@
+# Keep sorted
+{ buildEnv
+, coreutils
+, default
+, dockerTools
+, envsubst
+, moreutils
+, openssl
+, writeShellScript
+, writeTextDir
+}:
+
+dockerTools.buildImage {
+  name = "complement-grapevine";
+
+  copyToRoot = buildEnv {
+    name = "image-root";
+    paths = [
+     (writeTextDir "app/config.toml" (builtins.readFile ./config.toml))
+     coreutils
+     default
+     moreutils
+     envsubst
+     openssl
+   ];
+    pathsToLink = [ "/bin" "/app" ];
+  };
+
+  config = {
+    ExposedPorts = {
+      "8008/tcp" = {};
+      "8448/tcp" = {};
+    };
+    Cmd = [
+      (writeShellScript "docker-entrypoint.sh" ''
+        set -euo pipefail
+
+        mkdir -p /tmp
+
+        # trust certs signed by the complement test CA
+        mkdir -p /etc/ca-certificates
+        cp /complement/ca/ca.crt /etc/ca-certificates/
+        # sign our TLS cert with the complement test CA
+        openssl genrsa \
+          -out /app/grapevine.key \
+          2048
+        openssl req -new \
+          -sha256 \
+          -key /app/grapevine.key \
+          -subj "/CN=$SERVER_NAME" \
+          -out /app/grapevine.csr
+        openssl x509 -req \
+          -in /app/grapevine.csr \
+          -CA /complement/ca/ca.crt \
+          -CAkey /complement/ca/ca.key \
+          -CAcreateserial \
+          -out /app/grapevine.crt \
+          -days 365 \
+          -sha256
+
+        envsubst --no-unset < /app/config.toml | sponge /app/config.toml
+
+        grapevine --config /app/config.toml
+      '')
+    ];
+  };
+}