sgx: add aesmd and refactor

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
2024-03-06 15:12:04 +01:00 · 2024-03-06 15:12:04 +01:00 · d0ad237493
commit d0ad237493
parent 69f4e8bcf9
8 changed files with 227 additions and 163 deletions
--- a/modules/nixos/nix-ld/default.nix
+++ b/modules/nixos/nix-ld/default.nix
@ -2,7 +2,7 @@

 with lib;
 with lib.plusultra;
-let cfg = config.plusultra.gui;
+let cfg = config.plusultra.nix-ld;
 in
 {
  options.plusultra.nix-ld = with types; {
--- a/modules/nixos/sgx/pccs/default.nix
+++ b/modules/nixos/sgx/pccs/default.nix
@ -0,0 +1,67 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.pccs;
+in
+{
+  options.plusultra.pccs = with types; {
+    enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
+    secret = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      example = literalExpression "config.sops.secrets.pccs.path";
+      description = lib.mdDoc "path to the pccs secret file";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg.secret != null;
+      message = "path to the pccs secret file is required when pccs is enabled";
+    }];
+
+    virtualisation = {
+      podman = {
+        enable = true;
+
+        # Create a `docker` alias for podman, to use it as a drop-in replacement
+        dockerCompat = true;
+
+        # For Nixos version > 22.11
+        defaultNetwork.settings = { dns_enabled = true; };
+      };
+    };
+
+    virtualisation.oci-containers.backend = "podman";
+    virtualisation.oci-containers.containers = {
+      # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
+      pccs = {
+        image = "docker.io/backslashhh/pccs:dcap_1_19";
+        autoStart = true;
+        ports = [ "8081:8081" ];
+        extraOptions = [
+          "--volume=/dev/log:/dev/log"
+          "--secret=PCCS_CONFIG,type=mount"
+        ];
+      };
+    };
+
+    systemd.services.pccs-secret =
+      {
+        description = "Inject pccs secret";
+        wantedBy = [ "multi-user.target" ];
+        before = [ "podman-pccs.service" ];
+
+        serviceConfig = {
+          EnvironmentFile = cfg.secret;
+          ExecStart = ''
+            -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
+          '';
+          RemainAfterExit = true;
+        };
+      };
+
+
+  };
+}