diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..a5dbbcb
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake .
diff --git a/.github/workflows/build_and_publish_tee.yaml b/.github/workflows/build_and_publish_tee.yaml
index 41c94e1..9a47915 100644
--- a/.github/workflows/build_and_publish_tee.yaml
+++ b/.github/workflows/build_and_publish_tee.yaml
@@ -40,25 +40,37 @@ jobs: - name: Enable magic Nix cache uses: DeterminateSystems/magic-nix-cache-action@main + - name: nix build + run: nix run github:nixos/nixpkgs/nixos-23.11#nixci + - name: Log in to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build base images + - name: Build and push Docker images to matterlabsrobot + id: build run: | - nix build -L .#docker-era-fee-withdrawer-azure + nix build -L .#container-era-fee-withdrawer-dcap export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*') - echo "Pushing image ${IMAGE_TAG} to Docker Hub" + echo "Pushing image ${IMAGE_TAG} to matterlabsrobot Docker Hub" docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}" docker push matterlabsrobot/"${IMAGE_TAG}" docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest" docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest" - sed -i -e "s#FROM ${IMAGE_TAG%:*}:latest#FROM matterlabsrobot/${IMAGE_TAG%:*}:latest#g" Dockerfile + + nix build -L .#container-era-fee-withdrawer-azure + export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*') + echo "Pushing image ${IMAGE_TAG} to matterlabsrobot Docker Hub" + docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}" + docker push matterlabsrobot/"${IMAGE_TAG}" + docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest" + docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest" + echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT" - name: Generate build ID for Flux Image Automation - id: build + id: flux run: | sha=$(git rev-parse --short HEAD) ts=$(date +%s%N | cut -b1-13) 
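Review bot: The added `nix build` step runs `nix run github:nixos/nixpkgs/nixos-23.11#nixci`, which resolves a moving branch at job time rather than a revision recorded in flake.lock, so the tool driving the enclave image build can change between runs without any commit in this repository. The same commit moves the locked nixpkgs to nixos-24.05, so the step and the lock file also disagree on the release. Pin the reference to a commit, e.g. `run: nix run github:nixos/nixpkgs/<pinned-commit-sha>#nixci`, or take nixci from the flake's own locked input. In the new build-and-push step, `export IMAGE_TAG=$(docker load < result | grep -Po ...)` returns the exit status of `export`, so a non-matching grep goes unnoticed until the later `docker tag`; assigning first (`IMAGE_TAG=$(...)`, then `export IMAGE_TAG`) makes the step stop at the failing command.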
@@ -68,14 +80,10 @@ jobs: run: | gcloud auth configure-docker us-docker.pkg.dev -q - - name: Build and push Docker image - uses: docker/build-push-action@v5 + - name: Push Docker image to matterlabs-infra if: ${{ !startsWith(github.ref, 'refs/tags') }} - with: - context: . - push: true - tags: | - "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest" - "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.build.outputs.BUILD_ID }}" - file: Dockerfile-azure - no-cache: true + run: | + docker tag "${{ steps.build.outputs.IMAGE_TAG}}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest" + docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest" + docker tag "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.build.outputs.BUILD_ID }}" + docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.flux.outputs.BUILD_ID }}" diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index d715e4a..0000000 --- a/Dockerfile +++ /dev/null 
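Review bot: The third added command tags the image with `${{ steps.build.outputs.BUILD_ID }}`, but this commit renames the build-ID step to `id: flux`, and the step that now carries `id: build` only writes `IMAGE_TAG` to `$GITHUB_OUTPUT` (see the previous hunk). The expression therefore expands to an empty string, the `docker tag` target ends in a bare `:`, and the following push of `${{ steps.flux.outputs.BUILD_ID }}` refers to a tag that was never created. Use the same step id on both lines by replacing `steps.build.outputs.BUILD_ID` with `steps.flux.outputs.BUILD_ID` in the `docker tag` command.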
@@ -1,26 +0,0 @@ -FROM era-fee-withdrawer-azure:latest - -WORKDIR /app - -COPY enclave-key.pem /tmp/ - -RUN set -eux; \ - export HOME=/app; \ - gramine-manifest \ - -Darch_libdir=/lib/x86_64-linux-gnu \ - -Dentrypoint=$(readlink /bin/era-fee-withdrawer) \ - -Dexecdir=/bin \ - -Dlog_level=error \ - era-fee-withdrawer.manifest.toml era-fee-withdrawer.manifest; \ - gramine-sgx-sign --manifest era-fee-withdrawer.manifest --output era-fee-withdrawer.manifest.sgx --key /tmp/enclave-key.pem; \ - rm /tmp/enclave-key.pem - - -# Uncomment, if a signed sigstruct exists -# COPY era-fee-withdrawer-azure.sig . -# RUN mv era-fee-withdrawer-azure.sig era-fee-withdrawer -RUN touch -r /nix/store era-fee-withdrawer.sig - -ENTRYPOINT ["/bin/sh", "-c"] -#CMD [ "echo tee-era-fee-withdrawer in simulation mode starting ; exec gramine-direct era-fee-withdrawer" ] -CMD [ "echo tee-era-fee-withdrawer in SGX mode starting ; [[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd ; exec gramine-sgx era-fee-withdrawer" ] diff --git a/Dockerfile-dcap b/Dockerfile-dcap deleted file mode 100644 index 4046aa3..0000000 --- a/Dockerfile-dcap +++ /dev/null 
@@ -1,31 +0,0 @@ -FROM era-fee-withdrawer-dcap:latest - -WORKDIR /app - -COPY enclave-key.pem /tmp/ - -# The final touch for a reproducible docker file -RUN touch -r /nix/store * /etc/sgx_default_qcnl.conf - -RUN set -eux; \ - export HOME=/app; \ - gramine-manifest \ - -Darch_libdir=/lib/x86_64-linux-gnu \ - -Dentrypoint=$(readlink /bin/era-fee-withdrawer) \ - -Dexecdir=/bin \ - -Dlog_level=error \ - era-fee-withdrawer.manifest.toml era-fee-withdrawer.manifest; \ - gramine-sgx-sign --manifest era-fee-withdrawer.manifest --output era-fee-withdrawer.manifest.sgx --key /tmp/enclave-key.pem; \ - rm /tmp/enclave-key.pem - -# Uncomment, if a signed sigstruct exists -# COPY era-fee-withdrawer-dcap.sig . -# RUN mv era-fee-withdrawer-dcap.sig era-fee-withdrawer.sig -RUN touch -r /nix/store era-fee-withdrawer.sig - -ENTRYPOINT ["/bin/sh", "-c"] -ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -ENV UV_USE_IO_URING=0 - -#CMD [ "echo era-fee-withdrawer in simulation mode starting ; exec gramine-direct era-fee-withdrawer" ] -CMD [ "echo era-fee-withdrawer in SGX mode starting ; restart-aesmd ; exec gramine-sgx era-fee-withdrawer" ] diff --git a/README.md b/README.md index e4364a2..11c1988 100644 --- a/README.md +++ b/README.md 
@@ -12,22 +12,25 @@ Inside the container: $ echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf $ echo 'sandbox = true' >> /etc/nix/nix.conf $ cd /mnt -$ nix build -L .#docker-era-fee-withdrawer-azure +$ nix build -L .#container-era-fee-withdrawer-azure $ cp result era-fee-withdrawer-azure.tar.gz $ exit ``` -## Build the Docker image +## Load the Docker image ```bash $ docker load < era-fee-withdrawer-azure.tar.gz -$ docker build --no-cache --progress=plain -t efw -f Dockerfile . +$ docker run -v $(pwd):/mnt -i --init --rm era-fee-withdrawer-azure:latest "cp era-fee-withdrawer-azure.sig /mnt" +$ gramine-sgx-sigstruct-view era-fee-withdrawer-azure.sig ``` Should output something like: ```bash -[...] - -#9 6.572 Measurement: -#9 6.572 e3ea485757ad903e9a9a71c7363bf56d4cf47db1ccec549f5e98d917b0f34b27 -[...] +Attributes: + mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d + mr_enclave: f496995ebf3428638858c315d6194e5578df0ed0cefbcaf67b24d5d9322965bc + isv_prod_id: 0 + isv_svn: 0 + debug_enclave: False ``` -as the github actions build does. + +with the same `mr_enclave` as the github actions build does. diff --git a/container-era-fee-withdrawer.nix b/container-era-fee-withdrawer.nix new file mode 100644 index 0000000..6d6c44f --- /dev/null +++ b/container-era-fee-withdrawer.nix 
@@ -0,0 +1,53 @@ +{ pkgs +, nixsgx-flake +, efw +, tag ? "latest" +, isAzure ? true +}: +let + name = if isAzure then "era-fee-withdrawer-azure" else "era-fee-withdrawer-dcap"; +in +pkgs.callPackage nixsgx-flake.lib.mkSGXContainer { + inherit name; + inherit tag; + + packages = [ efw.era-fee-withdrawer ]; + entrypoint = "${efw.era-fee-withdrawer}/bin/era-fee-withdrawer"; + + isAzure = true; + + manifest = { + loader = { + log_level = "error"; + env = { + UV_USE_IO_URING = "0"; + MISC_FEE_ACCOUNT_PRIVATE_KEY.passthrough = true; + OPERATOR_ADDRESS.passthrough = true; + WITHDRAWAL_FINALIZER_ETH_ADDRESS.passthrough = true; + MISC_RESERVE_FEE_ACCUMULATOR_ADDRESS.passthrough = true; + L1_RPC_ADDRESS.passthrough = true; + ZKSYNC_WEB3_API_URL.passthrough = true; + MISC_MAX_LIQUIDATION_FEE_PERCENT.passthrough = true; + LOWER_BOUND_OPERATOR_THRESHOLD.passthrough = true; + UPPER_BOUND_OPERATOR_THRESHOLD.passthrough = true; + LOWER_BOUND_WITHDRAWER_THRESHOLD.passthrough = true; + UPPER_BOUND_WITHDRAWER_THRESHOLD.passthrough = true; + LOWER_BOUND_PAYMASTER_THRESHOLD.passthrough = true; + UPPER_BOUND_PAYMASTER_THRESHOLD.passthrough = true; + # optional env + WATCHDOG_ADDRESS.passthrough = true; + LOWER_BOUND_WATCHDOG_THRESHOLD.passthrough = true; + UPPER_BOUND_WATCHDOG_THRESHOLD.passthrough = true; + L1_ETH_TRANSFER_THRESHOLD.passthrough = true; + L2_ETH_TRANSFER_THRESHOLD.passthrough = true; + CONTRACTS_L2_TESTNET_PAYMASTER_ADDR.passthrough = true; + }; + }; + + sgx = { + edmm_enable = false; + enclave_size = "8G"; + max_threads = 64; + }; + }; +} diff --git a/docker-era-fee-withdrawer-azure.nix b/docker-era-fee-withdrawer-azure.nix deleted file mode 100644 index 49cbfeb..0000000 --- a/docker-era-fee-withdrawer-azure.nix +++ /dev/null 
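Review bot: The call to `mkSGXContainer` passes `isAzure = true;` literally, so this file's `isAzure` argument only selects the image name, and the `container-era-fee-withdrawer-dcap` package (built with `isAzure = false` in flake.nix) is still handed `isAzure = true`. What the flag changes inside nixsgx is not visible here, but presumably it selects the Azure quote provider, in which case the image named `-dcap` would be an Azure build under another name and its published measurement would not correspond to what the name says. Forward the argument instead: `inherit isAzure;`. A short comment above `env` stating that every entry marked `passthrough`, including `MISC_FEE_ACCOUNT_PRIVATE_KEY`, is taken from the untrusted host environment would also help readers of the manifest.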
@@ -1,52 +0,0 @@ -{ pkgs -, bash -, curl -, nixsgx -, cacert -, coreutils -, openssl -, era-fee-withdrawer -}: -let manifest = ./era-fee-withdrawer.manifest.toml; -in pkgs.dockerTools.buildLayeredImage { - name = "era-fee-withdrawer-azure"; - tag = "latest"; - - config.Env = [ - "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" - "UV_USE_IO_URING=0" - ]; - config.Entrypoint = [ "/bin/sh" "-c" ]; - - contents = pkgs.buildEnv { - name = "image-root"; - paths = with pkgs.dockerTools; with nixsgx; [ - bash - coreutils - openssl.out - curl.out - era-fee-withdrawer - gramine - restart-aesmd - sgx-dcap.quote_verify - azure-dcap-client - sgx-psw - usrBinEnv - binSh - caCertificates - fakeNss - ]; - pathsToLink = [ "/bin" "/lib" "/etc" ]; - postBuild = '' - mkdir -p $out/{app,etc} - mkdir -p $out/app/{.dcap-qcnl,.az-dcap-client} - mkdir -p $out/var/run - mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ - ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ - cp ${manifest} $out/app/era-fee-withdrawer.manifest.toml - printf "precedence ::ffff:0:0/96 100\n" > $out/etc/gai.conf - ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1 - touch $out/etc/sgx_default_qcnl.conf - ''; - }; -} diff --git a/docker-era-fee-withdrawer-dcap.nix b/docker-era-fee-withdrawer-dcap.nix deleted file mode 100644 index 71618fc..0000000 --- a/docker-era-fee-withdrawer-dcap.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ pkgs -, bash -, curl -, nixsgx -, cacert -, coreutils -, openssl -, era-fee-withdrawer -}: -let manifest = ./era-fee-withdrawer.manifest.toml; -in pkgs.dockerTools.buildLayeredImage { - name = "era-fee-withdrawer-dcap"; - tag = "latest"; - - config.Env = [ - "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" - "UV_USE_IO_URING=0" - ]; - config.Entrypoint = [ "/bin/sh" "-c" ]; - - contents = pkgs.buildEnv { - name = "image-root"; - paths = with pkgs.dockerTools; with nixsgx; [ - bash - coreutils - openssl.out - curl.out - era-fee-withdrawer - gramine - restart-aesmd - sgx-dcap.default_qpl - sgx-dcap.quote_verify - sgx-psw - usrBinEnv - binSh - caCertificates - fakeNss - ]; - pathsToLink = [ "/bin" "/lib" "/etc" ]; - postBuild = '' - mkdir -p $out/{app,etc} - mkdir -p $out/app/{.dcap-qcnl,.az-dcap-client} - mkdir -p $out/var/run - mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ - ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ - cp ${manifest} $out/app/era-fee-withdrawer.manifest.toml - printf "precedence ::ffff:0:0/96 100\n" > $out/etc/gai.conf - ''; - }; -} - diff --git a/enclave-key.pem b/enclave-key.pem deleted file mode 100644 index 53b317a..0000000 --- a/enclave-key.pem +++ /dev/null 
@@ -1,39 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIG5AIBAAKCAYEAwDrEJDyGnIGv/xWF4/MQtVEshpft/xGECSdjuHOU87nwCWon -hirmOyggPPU772tobmaqRhAMHn0NwvRyFCQcSwTIjd0e/cfwH/QtEd/fp4yaw/z7 -FZmesTm+wjaobnRfPwrNHAfM8U2EQPXp1yYyjUqPVEXb/7ivdR+u7qnb0o6oNfzA -ibRF6H+Fozj5FwepfbQ1DTauTEwdjywD+/21W+Ru5qF7SQVHYwf9OuyD4yZBm9os -0Aqnk1nO6ZUSJfrL1gd10LoblnPUjNxwQtWhxIPyeKRYwmVpoaYL45U+6iNOkBiL -PyGJDC+lq+AS8YtwzPOt3pUUpFh/XZyxSHla3Q8qPAikjcv1DvTiK+NVEVXoFrbs -/uG6Ii9BSRbZ3NQH1bOLtdkW7W6GPGCMr/KuXEvIQaOpDb27/DEtvCh3T/9vrKsO -etpTI0an6NZ1oshZ3X2TxZ9nNxh9zMvPswXBdy9O9/WybAN6a1PvIb3v66bxJW6T -Pu87/q0DKzeMM20pAgEDAoIBgQCAJy1tfa8TAR//Y66X92B44MhZup6qC61bb5fQ -TQ330Uqw8W+ux0QncBV9+NKfnPBJmcbZYAgUU16B+EwNbWgyAzBek2n+hUq/+B4L -6pUaXbyCqKdju78g0SnWzxr0TZTUsd4Sr932M62Ao/E6GXcI3F+Ng+f/0HT4v8n0 -cT03CcV5UysGeC6a/65s0KYPWnD+eCNeJHQy3WkKHVf9U849QvSZwPzbWNpCBVN8 -na1CGYESkXM1XG+3kTSbuLbD/Ia8KvGsaOeVORvhXr04kD9qW2ioaisSAcXELHY7 -qFcktM1cYnDJn1/LcCH6tUlnJdGIKWYlbBcmJvhT2FqpULg5IPldNiu9ybh5yQY9 -HB0pnzg6Ldcb/aunyjdwXgcaPgdkOOpnqRYGq6yrmWk6WsnNMK/QFmgxadbfOU0i -xjSrSYVItugHwOrH2eH842jBP2wbe1UJCOrKNytzZ3mBcb0RJbbFYjV0QzdPeVTN -Y9ermQTt29tJVrd+Emzo8CK4+gMCgcEA4sXchskGNcoChkDpAqie0W2YLm2XDyPY -CoiA+OVLc5lDd995Vqe2kCIC8VMMGIHhxG3NIqxrfxpH5LvqDczphyH6dlWl/O2M -CrS/67NjCTm6935ADeR0qndYdMm5XyfYEjl5qESoq4oNq4Pg/0/P1Q/mhN8GQiKb -qYAIHE/28dw1tsF6Kl7oqALpBXLQ/iRuFqJmrSPgQ32c5bEQUBD3F7HZq8T7V+O2 -7/jH8A1A2XddnddIe6fTqboFsghcPAHrAoHBANkBLsdTugDUKDSNa2tUo9ONPU2X -gRg+6PDa2ZEzcL961w2laLoKwsrlb8J9GL5Q1LxHx4PGhmwDwvscPzyzXQA7ubnh -vPQv1E2SmOSFxkmtWMfz6kcAw/wIlavAFdZPJK0ksnIWzTfi9Y92jdkar9Ny2gSj -BoF8XgPbMeuvMV008gjXOETaCk986+gOh4LEyZ2iLYruJsRIH7n/iSDKLsXE4yQd -ZuW68IQlJ/2a65DKDCLNgdVFVRfXWhvG++H0OwKBwQCXLpMEhgQj3AGu1fCscGng -87rJnmS0wpAHBatQmNz3u4JP6lDkb88KwVdLjLK7AUEtnojByEeqEYVDJ/FeiJuv -a/xO48P987KxzdVHzOyw0SdPqYAJQvhxpOWjMSY/b+Vhe6ZwLcXHsV5yV+tU39/j -X+8DP1mBbGfGVVq9iqShPXkkgPwcP0XFV0YDoeCpbZ65wZnIwpWCU73udgrgC09l -ITvH2KeP7SSf+y/1Xis7pOkT5Nr9Go0b0VkhWugoAUcCgcEAkKt0hOJ8AI1wIwjy 
-R43CjQjTiQ+rZX9F9ec7tiJLKlHks8ObJrHXMe5Kgai7KYs4fYUvrS8ESAKB/L1/ -fczoqtJ70UEoosqNiQxl7a6EMR47L/fxhKstUrBjx9Vj5DTDHhh29rneJUH5Ck8J -O2cf4kyRWGyvAP2UApIhR8og6M32sI962JFcNP3ymrRaVy3bvmweXJ7Egtq/0VUG -FdwfLoNCGBOZ7nygWBjFU7ydCzFdbIkBONjjZTo8EoSn6/gnAoHBAJ/XSbhoVzkI -CgW7gXSp+qKMhtbR2QawL3006KfQbK/sdcJ0Cyd4IfHXswrFQKV4BrL4tOxay1PT -HoQZW5+pLTbZjz3d0tDU9WpSd6FNovoxB6lUA3ymD4ay8Zysy3FflNqOSO6XkwKq -0GApQ6pIiDTst+LpnfgvQBDAnJXK3Hik2wDgXThXEofUoMDcGNsQ+NbdackR7/yL -8ep5ZLAhczGi4XE471ut48CHtxKq0eGde/lHx0Origk9PPbsNoH2XA== ------END RSA PRIVATE KEY----- diff --git a/era-fee-withdrawer.manifest.toml b/era-fee-withdrawer.manifest.toml deleted file mode 100644 index 4da6399..0000000 --- a/era-fee-withdrawer.manifest.toml +++ /dev/null 
@@ -1,65 +0,0 @@ -libos.entrypoint = "{{ entrypoint }}" - -[loader] -argv = ["{{ entrypoint }}"] -entrypoint = "file:{{ gramine.libos }}" -# set a log level for gramine -log_level = "{{ log_level }}" - -[loader.env] -LD_LIBRARY_PATH = "/lib" -SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" -UV_USE_IO_URING = "0" -MISC_FEE_ACCOUNT_PRIVATE_KEY.passthrough = true -OPERATOR_ADDRESS.passthrough = true -WITHDRAWAL_FINALIZER_ETH_ADDRESS.passthrough = true -MISC_RESERVE_FEE_ACCUMULATOR_ADDRESS.passthrough = true -L1_RPC_ADDRESS.passthrough = true -ZKSYNC_WEB3_API_URL.passthrough = true -MISC_MAX_LIQUIDATION_FEE_PERCENT.passthrough = true -LOWER_BOUND_OPERATOR_THRESHOLD.passthrough = true -UPPER_BOUND_OPERATOR_THRESHOLD.passthrough = true -LOWER_BOUND_WITHDRAWER_THRESHOLD.passthrough = true -UPPER_BOUND_WITHDRAWER_THRESHOLD.passthrough = true -LOWER_BOUND_PAYMASTER_THRESHOLD.passthrough = true -UPPER_BOUND_PAYMASTER_THRESHOLD.passthrough = true -# optional env -WATCHDOG_ADDRESS.passthrough = true -LOWER_BOUND_WATCHDOG_THRESHOLD.passthrough = true -UPPER_BOUND_WATCHDOG_THRESHOLD.passthrough = true -L1_ETH_TRANSFER_THRESHOLD.passthrough = true -L2_ETH_TRANSFER_THRESHOLD.passthrough = true -CONTRACTS_L2_TESTNET_PAYMASTER_ADDR.passthrough = true - -[fs] -root.uri = "file:/" -start_dir = "/app" -mounts = [ - { type = "tmpfs", path = "/var/tmp" }, - { type = "tmpfs", path = "/tmp" }, - { type = "tmpfs", path = "/app/.dcap-qcnl" }, - { type = "tmpfs", path = "/app/.az-dcap-client" }, -] - -[sgx] -debug = false -edmm_enable = false -enclave_size = "8G" -max_threads = 64 -remote_attestation = "dcap" - -trusted_files = [ - "file:/app/", - "file:/bin/", - "file:/etc/gai.conf", - "file:/etc/ssl/certs/ca-bundle.crt", - "file:/lib/", - "file:/nix/", - "file:{{ gramine.libos }}", - "file:{{ gramine.runtimedir() }}/", -] - -[sys] -stack.size = "1M" -enable_extra_runtime_domain_names_conf = true -enable_sigterm_injection = true 
diff --git a/flake.lock b/flake.lock index 5c6620f..e98c43d 100644 --- a/flake.lock +++ b/flake.lock @@ -39,16 +39,17 @@ "flake-utils": "flake-utils_2" }, "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", "owner": "gytis-ivaskevicius", "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", "type": "github" }, "original": { "owner": "gytis-ivaskevicius", "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", "type": "github" } }, @@ -72,16 +73,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1710283656, - "narHash": "sha256-nI+AOy4uK6jLGBi9nsbHjL1EdSIzoo8oa+9oeVhbyFc=", + "lastModified": 1717281328, + "narHash": "sha256-evZPzpf59oNcDUXxh2GHcxHkTEG4fjae2ytWP85jXRo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "51063ed4f2343a59fdeebb279bb81d87d453942b", + "rev": "b3b2b28c1daa04fe2ae47c21bb76fd226eac4ca1", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -92,11 +93,11 @@ "snowfall-lib": "snowfall-lib" }, "locked": { - "lastModified": 1716280284, - "narHash": "sha256-rofvtPgaYEW01OnKsD3DJv2B2j9QovRTWbw8h5lGjkE=", + "lastModified": 1717758565, + "narHash": "sha256-yscuZ3ixjwTkqS6ew5cB3Uvy9e807szRlMoPSyQuRJM=", "owner": "matter-labs", "repo": "nixsgx", - "rev": "7151f63b1549b65633503f505df1e2a0b5ee844f", + "rev": "49a1ae79d92ccb6ed7cabfe5c5042b1399e3cd3e", "type": "github" }, "original": { 
@@ -125,11 +126,11 @@ ] }, "locked": { - "lastModified": 1696432959, - "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", + "lastModified": 1716675292, + "narHash": "sha256-7TFvVE4HR/b65/0AAhewYHEJzUXxIEJn82ow5bCkrDo=", "owner": "snowfallorg", "repo": "lib", - "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", + "rev": "5d6e9f235735393c28e1145bec919610b172a20f", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 75ad40e..05bb3ce 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,48 +4,56 @@ inputs = { nixsgx-flake.url = "github:matter-labs/nixsgx"; nixpkgs.follows = "nixsgx-flake/nixpkgs"; - flake-utils.url = "github:numtide/flake-utils"; + flake-utils.url = "github:numtide/flake-utils?tag=v1.0.0"; }; outputs = { self, nixpkgs, flake-utils, nixsgx-flake }: - flake-utils.lib.eachSystem [ "x86_64-linux" ] (system: - let - pkgs = import nixpkgs { inherit system; overlays = [ nixsgx-flake.overlays.default ]; }; - era-fee-withdrawer = - pkgs.callPackage - ./era-fee-withdrawer.nix - { - pname = "era-fee-withdrawer"; - version = "2.2.33"; - src = pkgs.fetchFromGitHub { - owner = "matter-labs"; - repo = "era-fee-withdrawer"; - rev = "v2.2.33"; - hash = "sha256-vyNldcUErQ/aD/Oprbs0OocTv0ARQ0/WG05WrN13IO8="; + flake-utils.lib.eachSystem [ "x86_64-linux" ] + (system: + let + pkgs = import nixpkgs { + inherit system; + overlays = [ + nixsgx-flake.overlays.default + self.overlays.default + ]; + }; + era-fee-withdrawer = + pkgs.callPackage + ./era-fee-withdrawer.nix + { + pname = "era-fee-withdrawer"; + version = "2.2.33"; + src = pkgs.fetchFromGitHub { + owner = "matter-labs"; + repo = "era-fee-withdrawer"; + rev = "v2.2.33"; + hash = "sha256-vyNldcUErQ/aD/Oprbs0OocTv0ARQ0/WG05WrN13IO8="; + }; }; - }; - efw-pkgs = { inherit era-fee-withdrawer; }; - docker-era-fee-withdrawer-azure = pkgs.callPackage ./docker-era-fee-withdrawer-azure.nix efw-pkgs; - docker-era-fee-withdrawer-dcap = pkgs.callPackage ./docker-era-fee-withdrawer-dcap.nix efw-pkgs; - in - { - formatter = pkgs.nixpkgs-fmt; + container-era-fee-withdrawer-azure = pkgs.callPackage ./container-era-fee-withdrawer.nix { inherit nixsgx-flake; isAzure = true; }; + container-era-fee-withdrawer-dcap = pkgs.callPackage ./container-era-fee-withdrawer.nix { inherit nixsgx-flake; isAzure = false; }; + in + { + formatter = pkgs.nixpkgs-fmt; - packages = { - inherit era-fee-withdrawer; - inherit docker-era-fee-withdrawer-azure; - inherit docker-era-fee-withdrawer-dcap; - default = 
docker-era-fee-withdrawer-azure; - }; + packages = { + inherit era-fee-withdrawer; + inherit container-era-fee-withdrawer-azure; + inherit container-era-fee-withdrawer-dcap; + default = container-era-fee-withdrawer-azure; + }; - devShells = { - default = pkgs.mkShell { - inputsFrom = [ era-fee-withdrawer ]; - nativeBuildInputs = with pkgs; [ - nixsgx.gramine - ]; + devShells = { + default = pkgs.mkShell { + inputsFrom = [ era-fee-withdrawer ]; + nativeBuildInputs = with pkgs; [ + nixsgx.gramine + ]; + }; }; - }; - }); + }) // { + overlays.default = final: prev: { efw = { inherit (self.packages.${prev.system}) era-fee-withdrawer; }; }; + }; } diff --git a/sgx_default_qcnl.json b/sgx_default_qcnl.json deleted file mode 100644 index a2cd69e..0000000 --- a/sgx_default_qcnl.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/", - "use_secure_cert": false, - "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/", - "retry_times": 6, - "retry_delay": 10, - "pck_cache_expire_hours": 168, - "verify_collateral_cache_expire_hours": 168, - "local_cache_only": false -}
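Review bot: The new input URL `github:numtide/flake-utils?tag=v1.0.0` probably does not pin anything: as far as I know the `github:` flake reference type takes `ref` and `rev` as query parameters, not `tag`, and an unrecognised parameter may be ignored rather than rejected, which would leave the input on the default branch whenever flake.lock is next updated. Write the tag as the ref instead, `flake-utils.url = "github:numtide/flake-utils/v1.0.0";`, and check that flake.lock then records that ref under `original`. The flake.lock hunks shown for this commit do not touch the flake-utils entry, which is consistent with the parameter having no effect.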