harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
teepot/packages/container-vault-sgx-azure/default.nix
Harald Hoyer 8d3f378392
fix(container-vault-sgx-azure): remove insecure eventfd setting 
Removed the sys.insecure__allow_eventfd setting, because gramine
has a secure eventfd implementation since
[v1.7](https://github.com/gramineproject/gramine/releases/tag/v1.7).
2024-08-29 10:58:46 +02:00

90 lines
2.2 KiB
Nix
Raw Blame History

# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ teepot
, nixsgxLib
, vat
, vault
, container-name ? "teepot-vault-sgx-azure"
, tag ? null
, isAzure ? true
}:
let
entrypoint = "${teepot.teepot.tee_ratls_preexec}/bin/tee-ratls-preexec";
appDir = "/opt/vault";
in
nixsgxLib.mkSGXContainer {
name = container-name;
inherit tag;
inherit appDir;
extraCmd = "echo \"Starting ${container-name}\"; gramine-sgx-sigstruct-view app.sig; ulimit -n 65535; ulimit -n";
packages = [
teepot.teepot.tee_ratls_preexec
vault
vat.vault-auth-tee
teepot.container-vault-start-config
];
inherit entrypoint;
isAzure = true;
extraPostBuild = ''
mkdir -p $out/${appDir}/{data,.cache,tls,plugins}
ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/opt/vault/plugins
'';
manifest = {
loader = {
argv = [
entrypoint
"--"
"${vault}/bin/vault"
"server"
"-config=/opt/vault/config.hcl"
"-log-level=trace"
];
log_level = "error";
env = {
VAULT_CLUSTER_ADDR.passthrough = true;
VAULT_API_ADDR.passthrough = true;
VAULT_RAFT_NODE_ID.passthrough = true;
DNS_NAMES = "teepot-vault.teepot-vault,teepot-vault-0.teepot-vault,teepot-vault-1.teepot-vault,teepot-vault-2.teepot-vault";
# otherwise vault will lock a lot of unused EPC memory
VAULT_RAFT_INITIAL_MMAP_SIZE = "0";
# possible tweak option, if problems with raft
# VAULT_RAFT_DISABLE_MAP_POPULATE = "true";
};
};
fs.mounts = [
{ type = "tmpfs"; path = "/opt/vault/tls"; }
{ type = "encrypted"; path = "/opt/vault/.cache"; uri = "file:/opt/vault/.cache"; key_name = "_sgx_mrsigner"; }
{ type = "encrypted"; path = "/opt/vault/data"; uri = "file:/opt/vault/data"; key_name = "_sgx_mrsigner"; }
];
sgx = {
debug = false;
edmm_enable = false;
enclave_size = "8G";
max_threads = 128;
trusted_files = [
"file:/opt/vault/plugins/"
"file:/opt/vault/config.hcl"
"file:/opt/vault/cacert.pem"
"file:/opt/vault/cakey.pem"
];
};
sys.stack.size = "16M";
# vault needs flock
sys.experimental__enable_flock = true;
};
}
Reference in a new issue View git blame Copy permalink