feat: build the container image with nix

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 15:53:55 +02:00 · 2024-02-13 13:00:57 +01:00 · 2024-02-13 13:00:57 +01:00 · 4fabbf8f3f
commit 4fabbf8f3f
parent b0653b4246
7 changed files with 117 additions and 185 deletions
--- a/flake.nix
+++ b/flake.nix
@ -2,47 +2,62 @@
  description = "vault auth plugin for remote attestation of TEEs";

  inputs = {
-    # for libsgx-dcap-quote-verify
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";

+    nix-filter.url = "github:numtide/nix-filter";
+
    nixsgx-flake = {
      url = "github:matter-labs/nixsgx";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-
-    gitignore = {
-      url = "github:hercules-ci/gitignore.nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };

-  outputs = { self, nixpkgs, gitignore, nixsgx-flake, ... }:
+  outputs = { self, nixpkgs, nixsgx-flake, nix-filter, ... }:
    let
      system = "x86_64-linux";
+      filter = nix-filter.lib;
      pkgs = import nixpkgs { inherit system; overlays = [ nixsgx-flake.overlays.default ]; };
      bin = pkgs.buildGoModule {
-          buildInputs = with pkgs; [
-            nixsgx.sgx-sdk
-            nixsgx.sgx-dcap
-            nixsgx.sgx-dcap.quote_verify
-          ];
-
-        CGO_CFLAGS =
-          "-I${pkgs.nixsgx.sgx-dcap}/include -I${pkgs.nixsgx.sgx-sdk}/include";
-        LDFLAGS = "-L${pkgs.nixsgx.sgx-dcap}/lib";
-
-        name = "vault-auth-tee";
-        src = gitignore.lib.gitignoreSource ./.;
-        vendorHash = "sha256-lhc4Fs+jGVYnd3vUWWXpebuBsPz6vbr1bCGwdyIPeKU=";
-      };
-      dockerImage = pkgs.dockerTools.buildImage {
-        name = "vault-auth-tee";
-        tag = "latest";
-        copyToRoot = [
-          bin
-          # pkgs.vault
+        buildInputs = with pkgs; [
+          nixsgx.sgx-sdk
+          nixsgx.sgx-dcap
+          nixsgx.sgx-dcap.quote_verify
        ];
-        #config = { Cmd = [ "${bin}/bin/vault" ]; };
+
+        name = "vault-auth-tee";
+        src = filter {
+          root = ./.;
+          include = [
+            ./go.mod
+            ./go.sum
+            "cmd"
+            "test-fixtures"
+            (filter.matchExt "go")
+          ];
+        };
+
+        vendorHash = "sha256-t59C0yzJzFAXNXYOFbta2g5CYlkfvlukq42cxCwLaGY=";
+      };
+
+      dockerImage = pkgs.dockerTools.buildLayeredImage {
+        name = "vault-auth-tee";
+        tag = "test";
+
+        config.Entrypoint = [ "/bin/sh" ];
+
+        contents = pkgs.buildEnv {
+          name = "image-root";
+
+          paths = with pkgs.dockerTools; [
+            bin
+            pkgs.vault
+            usrBinEnv
+            binSh
+            caCertificates
+            fakeNss
+          ];
+          pathsToLink = [ "/bin" "/etc" ];
+        };
      };
    in
    with pkgs; {
@ -53,7 +68,7 @@
      };
      devShells.x86_64-linux.default = mkShell {
        inputsFrom = [ bin ];
-        buildInputs = with pkgs; [ dive go_1_19 gotools mypkgs.sgx-sdk mypkgs.libsgx-dcap-quote-verify ];
+        nativeBuildInputs = with pkgs; [ dive go_1_21 ];
      };
    };
 }