{
  nixpkgs,
  systemConfig,
  nitro-util,
  supervisord,
  dnsproxy,
  keygen,
  raw-proxy,
  attestation-server,
  vet,
  kernels,
  compose ? ./. + "/docker-compose.yml",
  dockerImages ? [],
}: let
  # Builds the AWS Nitro Enclave image (EIF) for this enclave.
  #
  # Security note: everything staged below -- the /app binaries, the
  # supervisord config, the compose file, the docker image tarballs, the
  # nixpkgs tools and CA bundle in copyToRoot, the kernel, init and kernel
  # cmdline -- ends up inside the EIF and is therefore part of the enclave's
  # attested identity (Nitro measures the EIF into its PCR values). Any
  # change to an input, pin or package changes the measurement that
  # attestation consumers must expect, so keep inputs pinned.
  inherit (systemConfig) system;
  eifArch = systemConfig.eif_arch;
  pkgs = nixpkgs.legacyPackages.${system};
  lib = pkgs.lib;
  nitro = nitro-util.lib.${system};

  supervisorConf = ./. + "/supervisord.conf";

  # Files installed under /app, as (destination name, source) pairs. Order is
  # preserved because the build script copies them sequentially.
  appFiles = [
    { name = "supervisord"; src = "${supervisord}/bin/supervisord"; }
    { name = "keygen-ed25519"; src = "${keygen}/bin/keygen-ed25519"; }
    { name = "ip-to-vsock-raw-outgoing"; src = "${raw-proxy}/bin/ip-to-vsock-raw-outgoing"; }
    { name = "vsock-to-ip-raw-incoming"; src = "${raw-proxy}/bin/vsock-to-ip-raw-incoming"; }
    { name = "attestation-server"; src = "${attestation-server}/bin/oyster-attestation-server"; }
    { name = "dnsproxy"; src = "${dnsproxy}/bin/dnsproxy"; }
    { name = "vet"; src = "${vet}/bin/vet"; }
    { name = "keygen-secp256k1"; src = "${keygen}/bin/keygen-secp256k1"; }
    { name = "setup.sh"; src = ./. + "/setup.sh"; }
  ];

  installAppFiles = lib.concatMapStringsSep "\n"
    ({ name, src }: "cp ${src} $out/app/${name}") appFiles;

  # Docker image tarballs are baked into the EIF rather than fetched at run
  # time, so they are covered by the measurement (presumably loaded by
  # setup.sh -- verify there). The compose file is not inspected here; pin
  # the images it references by digest so the loaded content is what was
  # measured.
  installDockerImages =
    if dockerImages == []
    then "# No docker images provided"
    else lib.concatMapStringsSep "\n" (img: "cp ${img} $out/app/docker-images/") dockerImages;

  # The /app and /etc subtrees of the enclave root filesystem.
  app = pkgs.runCommand "app" {} ''
    echo Preparing the app folder
    pwd
    mkdir -p $out/app/docker-images $out/etc
    ${installAppFiles}
    # Make the staged binaries and setup.sh executable. This runs before the
    # compose file is copied, so docker-compose.yml keeps its source mode.
    chmod +x $out/app/*
    cp ${supervisorConf} $out/etc/supervisord.conf
    cp ${compose} $out/app/docker-compose.yml
    ${installDockerImages}
  '';

  # buildEif needs an executable init binary; re-copy kernels.init with +x
  # rather than relying on the mode it was produced with.
  executableInit = pkgs.runCommand "initPerms" {} ''
    cp ${kernels.init} $out
    chmod +x $out
  '';
in {
  default = nitro.buildEif {
    name = "enclave";
    arch = eifArch;
    init = executableInit;
    inherit (kernels) kernel kernelConfig nsmKo;
    # Kernel command line shipped with nitro-util for this arch; it is
    # measured together with the kernel and init.
    cmdline = builtins.readFile nitro.blobs.${eifArch}.cmdLine;
    entrypoint = "/app/setup.sh";
    # No environment variables are baked into the image.
    env = "";
    copyToRoot = pkgs.buildEnv {
      name = "image-root";
      # busybox/nettools/iproute2/iptables/ipset are presumably what
      # setup.sh uses to route traffic through the vsock proxies (verify
      # against setup.sh); cacert is the TLS trust store the enclave uses
      # for outbound connections; docker is available inside the enclave.
      paths = [app pkgs.busybox pkgs.nettools pkgs.iproute2 pkgs.iptables-legacy pkgs.ipset pkgs.cacert pkgs.docker];
      pathsToLink = ["/bin" "/app" "/etc"];
    };
  };
}