nixcfg/modules/nixos/sgx/pccs/default.nix

{ options, config, lib, pkgs, ... }:

with lib;
with lib.metacfg;
let
  cfg = config.metacfg.pccs;
  cfg_podman = config.metacfg.podman;
in
{
  options.metacfg.pccs = with types; {
    enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
    secret = mkOption {
      type = with types; nullOr path;
      default = null;
      example = literalExpression "config.sops.secrets.pccs.path";
      description = lib.mdDoc "path to the pccs secret file";
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.secret != null;
        message = "path to the pccs secret file is required when pccs is enabled";
      }
      {
        assertion = cfg_podman.enable;
        message = "podman must be enabled when pccs is enabled";
      }
    ];

    metacfg = {
      nix.extra-substituters = {
        "https://attic.teepot.org/tee-pot".key = "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=";
      };
    };

    virtualisation.oci-containers.backend = "podman";
    virtualisation.oci-containers.containers = {
      # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
      pccs = {
        image = "docker.io/backslashhh/pccs:dcap_1_19";
        autoStart = true;
        ports = [ "8081:8081" ];
        extraOptions = [
          "--volume=/dev/log:/dev/log"
          "--secret=PCCS_CONFIG,type=mount"
        ];
      };
    };

    systemd.services.pccs-secret =
      {
        description = "Inject pccs secret";
        wantedBy = [ "multi-user.target" ];
        before = [ "podman-pccs.service" ];

        serviceConfig = {
          EnvironmentFile = cfg.secret;
          ExecStart = ''
            -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
          '';
          RemainAfterExit = true;
        };
      };


  };
}
A new start 2024-03-21 15:00:36 +01:00			`{ options, config, lib, pkgs, ... }:`

			`with lib;`
			`with lib.metacfg;`
			`let`
			`cfg = config.metacfg.pccs;`
			`cfg_podman = config.metacfg.podman;`
			`in`
			`{`
			`options.metacfg.pccs = with types; {`
			`enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";`
			`secret = mkOption {`
			`type = with types; nullOr path;`
			`default = null;`
			`example = literalExpression "config.sops.secrets.pccs.path";`
			`description = lib.mdDoc "path to the pccs secret file";`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`assertions = [`
			`{`
			`assertion = cfg.secret != null;`
			`message = "path to the pccs secret file is required when pccs is enabled";`
			`}`
			`{`
			`assertion = cfg_podman.enable;`
			`message = "podman must be enabled when pccs is enabled";`
			`}`
			`];`

			`metacfg = {`
			`nix.extra-substituters = {`
feat: Add new substituter and trusted key in various modules This commit introduces a new substituter 'https://attic.teepot.org/tee-pot' and its associated trusted key 'tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg='. The changes affect the Nix, aesmd_dcap, home settings, and pccs modules. This update provides additional package sources for these modules. 2024-06-28 14:33:05 +02:00			`"https://attic.teepot.org/tee-pot".key = "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=";`
A new start 2024-03-21 15:00:36 +01:00			`};`
			`};`

			`virtualisation.oci-containers.backend = "podman";`
			`virtualisation.oci-containers.containers = {`
			`# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19`
			`pccs = {`
			`image = "docker.io/backslashhh/pccs:dcap_1_19";`
			`autoStart = true;`
			`ports = [ "8081:8081" ];`
			`extraOptions = [`
			`"--volume=/dev/log:/dev/log"`
			`"--secret=PCCS_CONFIG,type=mount"`
			`];`
			`};`
			`};`

			`systemd.services.pccs-secret =`
			`{`
			`description = "Inject pccs secret";`
			`wantedBy = [ "multi-user.target" ];`
			`before = [ "podman-pccs.service" ];`

			`serviceConfig = {`
			`EnvironmentFile = cfg.secret;`
			`ExecStart = ''`
			`-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG`
			`'';`
			`RemainAfterExit = true;`
			`};`
			`};`


			`};`
			`}`