feat: use nixsgx nix function to create containers

It refactors the way the SGX containers are built. This removes all `Dockerfile` and gramine manifest files. It also enables a single recipe for azure and non-azure variants. Additionally the `teepot-crate.nix` is now the inherited recipe to build the rust `teepot` crate. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 23:23:57 +02:00 · 2024-06-03 16:46:21 +02:00 · 2024-06-03 16:46:21 +02:00 · d0c5950c0e
commit d0c5950c0e
parent 93e3e73d56
30 changed files with 337 additions and 897 deletions
--- a/teepot-crate.nix
+++ b/teepot-crate.nix
@ -0,0 +1,64 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ lib
+, inputs
+, makeRustPlatform
+, nixsgx
+, pkg-config
+, rust-bin
+, pkgs
+, src
+, ...
+}:
+let
+  rustVersion = rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+  rustPlatform = makeRustPlatform {
+    cargo = rustVersion;
+    rustc = rustVersion;
+  };
+  craneLib = (inputs.crane.mkLib pkgs).overrideToolchain rustVersion;
+  commonArgs = {
+    nativeBuildInputs = [
+      pkg-config
+      rustPlatform.bindgenHook
+    ];
+
+    buildInputs = [
+      nixsgx.sgx-sdk
+      nixsgx.sgx-dcap
+      nixsgx.sgx-dcap.quote_verify
+    ];
+
+    strictDeps = true;
+
+
+    src = with lib.fileset; toSource {
+      root = src;
+      fileset = unions [
+        ./Cargo.lock
+        ./Cargo.toml
+        ./bin
+        ./crates
+        ./rust-toolchain.toml
+        ./deny.toml
+        ./taplo.toml
+      ];
+    };
+
+    RUSTFLAGS = "--cfg mio_unsupported_force_waker_pipe";
+    checkType = "debug";
+  };
+  cargoArtifacts = craneLib.buildDepsOnly (commonArgs // {
+    pname = "teepot-workspace";
+    inherit NIX_OUTPATH_USED_AS_RANDOM_SEED;
+  });
+  NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+in
+{
+  inherit rustPlatform
+    rustVersion
+    commonArgs
+    craneLib
+    cargoArtifacts;
+  NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+}