harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 07:03:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
teepot/packages/container-vault-sgx-azure/vault.manifest.toml
Harald Hoyer 91f1612e0f
chore: cleanup and nixify 
* create containers with nix
* updated README.md
* added SPDX license headers

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-02-28 11:09:34 +01:00

77 lines
2 KiB
TOML
Raw Blame History

libos.entrypoint = "{{ tee_ratls_preexec }}"
[loader]
entrypoint = "file:{{ gramine.libos }}"
argv = [
"{{ tee_ratls_preexec }}",
"--",
"{{ vault_exec }}",
"server",
"-config=/opt/vault/config.hcl",
"-log-level=trace",
]
# set a log level for gramine
log_level = "{{ log_level }}"
[loader.env]
LD_LIBRARY_PATH = "/lib"
SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"
PATH = "{{ execdir }}"
HOME = "/opt/vault"
VAULT_CLUSTER_ADDR.passthrough = true
VAULT_API_ADDR.passthrough = true
VAULT_RAFT_NODE_ID.passthrough = true
DNS_NAMES = "vault-1,vault-2,vault-3"
# otherwise vault will lock a lot of unused EPC memory
VAULT_RAFT_INITIAL_MMAP_SIZE = "0"
# possible tweak option, if problems with raft
# VAULT_RAFT_DISABLE_MAP_POPULATE = "true"
[fs]
root.uri = "file:/"
start_dir = "/opt/vault"
mounts = [
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/opt/vault/tls" },
{ type = "tmpfs", path = "/opt/vault/.dcap-qcnl" },
{ type = "tmpfs", path = "/opt/vault/.az-dcap-client" },
{ type = "encrypted", path = "/opt/vault/.cache", uri = "file:/opt/vault/.cache", key_name = "_sgx_mrsigner" },
{ type = "encrypted", path = "/opt/vault/data", uri = "file:/opt/vault/data", key_name = "_sgx_mrsigner" },
]
[sgx]
debug = false
edmm_enable = false
enclave_size = "8G"
max_threads = 64
nonpie_binary = true
remote_attestation = "dcap"
trusted_files = [
"file:/bin/",
"file:/etc/gai.conf",
"file:/etc/ssl/certs/ca-bundle.crt",
"file:/lib/",
"file:/nix/",
"file:/opt/vault/plugins/",
"file:/opt/vault/config.hcl",
"file:/opt/vault/cacert.pem",
"file:/opt/vault/cakey.pem",
"file:{{ gramine.libos }}",
"file:{{ gramine.runtimedir() }}/",
]
[sys]
stack.size = "1M"
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true
# vault needs flock
experimental__enable_flock = true
Reference in a new issue View git blame Copy permalink