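{ options, config, lib, pkgs, ... }:

with lib;
with lib.plusultra;
let
  cfg = config.plusultra.pccs;
in
{
  # Runs an Intel SGX DCAP PCCS (Provisioning Certificate Caching Service)
  # container under podman. The PCCS configuration is treated as a secret:
  # it is never placed in the Nix store, but created as a podman secret from
  # the file named in `secret` by a oneshot unit that must succeed before the
  # container unit is allowed to start.
  options.plusultra.pccs = with types; {
    enable = mkBoolOpt false
      "Whether to run an Intel SGX DCAP PCCS (Provisioning Certificate Caching Service) in a podman container.";

    secret = mkOption {
      type = nullOr path;
      default = null;
      example = literalExpression "config.sops.secrets.pccs.path";
      description = lib.mdDoc ''
        Path to the PCCS secret file. It is read as a systemd
        `EnvironmentFile` and must define `PCCS_CONFIG=<value>`; that value
        becomes the podman secret `PCCS_CONFIG`, which is mounted as a file
        into the container.

        Pass a runtime path (for example one produced by sops-nix or agenix),
        never a path literal such as `./pccs.env`: a literal is copied into
        the world-readable Nix store.
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [{
      assertion = cfg.secret != null;
      message = "path to the pccs secret file is required when pccs is enabled";
    }];

    virtualisation = {
      podman = {
        enable = true;

        # Create a `docker` alias for podman, to use it as a drop-in replacement
        dockerCompat = true;

        # For Nixos version > 22.11
        defaultNetwork.settings = { dns_enabled = true; };
      };

      oci-containers = {
        backend = "podman";

        containers.pccs = {
          # Manual equivalent of the generated podman-pccs.service:
          #   podman run --name pccs -it --rm -v /dev/log:/dev/log \
          #     --secret PCCS_CONFIG,type=mount -p 8081:8081 \
          #     docker.io/backslashhh/pccs:dcap_1_19
          #
          # NOTE(review): the image is pinned by a mutable tag. A PCCS sits in
          # the attestation path, so pin it by digest (`image@sha256:...`) to
          # make a silently re-tagged image fail to pull rather than run.
          image = "docker.io/backslashhh/pccs:dcap_1_19";
          autoStart = true;

          # NOTE(review): "8081:8081" publishes the service on every host
          # interface. If only callers on this host need it, prefer
          # "127.0.0.1:8081:8081" or restrict the port in the firewall.
          ports = [ "8081:8081" ];

          extraOptions = [
            # Host syslog socket, presumably so container logs reach the host
            # journal — confirm that is the intent before removing it.
            "--volume=/dev/log:/dev/log"
            # Mount the podman secret PCCS_CONFIG (created by
            # pccs-secret.service) as a file instead of exposing it through
            # the container's environment.
            "--secret=PCCS_CONFIG,type=mount"
          ];
        };
      };
    };

    systemd.services.pccs-secret = {
      description = "Inject pccs secret into podman's secret store";
      wantedBy = [ "multi-user.target" ];
      # `before` only orders the two units; `requiredBy` additionally makes
      # the container unit pull this one in and fail closed when the secret
      # cannot be created. A restart of this unit (e.g. after rotating the
      # secret file: `systemctl restart pccs-secret.service`) propagates to
      # the container, which then picks up the new secret.
      requiredBy = [ "podman-pccs.service" ];
      before = [ "podman-pccs.service" ];

      serviceConfig = {
        # oneshot: systemd considers the unit started only after the command
        # has exited, so `before=` actually waits for the secret to exist.
        # With the default Type=simple the container could race ahead of it.
        Type = "oneshot";
        RemainAfterExit = true;

        # Must contain `PCCS_CONFIG=<value>` in EnvironmentFile syntax; podman
        # reads the secret's value from that variable (see `--env` below).
        EnvironmentFile = cfg.secret;

        ExecStart = pkgs.writeShellScript "pccs-secret-inject" ''
          set -euo pipefail
          podman=${pkgs.podman}/bin/podman

          # `podman secret create` refuses to overwrite an existing secret. The
          # previous version of this unit ignored that error, which meant a
          # rotated secret file was silently never applied. Drop the stale
          # secret first, then let any real failure abort the unit.
          if "$podman" secret inspect PCCS_CONFIG >/dev/null 2>&1; then
            "$podman" secret rm PCCS_CONFIG
          fi

          # `--env`: take the secret's value from the environment variable
          # named by the last argument (PCCS_CONFIG, from EnvironmentFile).
          exec "$podman" secret create --env PCCS_CONFIG PCCS_CONFIG
        '';
      };
    };
  };
}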