nixcfg/modules/nixos/sgx/pccs/default.nix

{ options, config, lib, pkgs, ... }:

with lib;
with lib.plusultra;
let cfg = config.plusultra.pccs;
in
{
  options.plusultra.pccs = with types; {
    enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
    secret = mkOption {
      type = with types; nullOr path;
      default = null;
      example = literalExpression "config.sops.secrets.pccs.path";
      description = lib.mdDoc "path to the pccs secret file";
    };
  };

  config = mkIf cfg.enable {
    assertions = [{
      assertion = cfg.secret != null;
      message = "path to the pccs secret file is required when pccs is enabled";
    }];

    virtualisation = {
      podman = {
        enable = true;

        # Create a `docker` alias for podman, to use it as a drop-in replacement
        dockerCompat = true;

        # For Nixos version > 22.11
        defaultNetwork.settings = { dns_enabled = true; };
      };
    };

    virtualisation.oci-containers.backend = "podman";
    virtualisation.oci-containers.containers = {
      # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
      pccs = {
        image = "docker.io/backslashhh/pccs:dcap_1_19";
        autoStart = true;
        ports = [ "8081:8081" ];
        extraOptions = [
          "--volume=/dev/log:/dev/log"
          "--secret=PCCS_CONFIG,type=mount"
        ];
      };
    };

    systemd.services.pccs-secret =
      {
        description = "Inject pccs secret";
        wantedBy = [ "multi-user.target" ];
        before = [ "podman-pccs.service" ];

        serviceConfig = {
          EnvironmentFile = cfg.secret;
          ExecStart = ''
            -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
          '';
          RemainAfterExit = true;
        };
      };


  };
}
sgx: add aesmd and refactor Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-03-06 15:12:04 +01:00			`{ options, config, lib, pkgs, ... }:`

			`with lib;`
			`with lib.plusultra;`
			`let cfg = config.plusultra.pccs;`
			`in`
			`{`
			`options.plusultra.pccs = with types; {`
			`enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";`
			`secret = mkOption {`
			`type = with types; nullOr path;`
			`default = null;`
			`example = literalExpression "config.sops.secrets.pccs.path";`
			`description = lib.mdDoc "path to the pccs secret file";`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`assertions = [{`
			`assertion = cfg.secret != null;`
			`message = "path to the pccs secret file is required when pccs is enabled";`
			`}];`

			`virtualisation = {`
			`podman = {`
			`enable = true;`

			# Create a `docker` alias for podman, to use it as a drop-in replacement
			`dockerCompat = true;`

			`# For Nixos version > 22.11`
			`defaultNetwork.settings = { dns_enabled = true; };`
			`};`
			`};`

			`virtualisation.oci-containers.backend = "podman";`
			`virtualisation.oci-containers.containers = {`
			`# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19`
			`pccs = {`
			`image = "docker.io/backslashhh/pccs:dcap_1_19";`
			`autoStart = true;`
			`ports = [ "8081:8081" ];`
			`extraOptions = [`
			`"--volume=/dev/log:/dev/log"`
			`"--secret=PCCS_CONFIG,type=mount"`
			`];`
			`};`
			`};`

			`systemd.services.pccs-secret =`
			`{`
			`description = "Inject pccs secret";`
			`wantedBy = [ "multi-user.target" ];`
			`before = [ "podman-pccs.service" ];`

			`serviceConfig = {`
			`EnvironmentFile = cfg.secret;`
			`ExecStart = ''`
			`-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG`
			`'';`
			`RemainAfterExit = true;`
			`};`
			`};`


			`};`
			`}`