diff --git a/core/bin/zksync_tee_prover/Cargo.toml b/core/bin/zksync_tee_prover/Cargo.toml
index d0565eee35a8..e6fa61fab705 100644
--- a/core/bin/zksync_tee_prover/Cargo.toml
+++ b/core/bin/zksync_tee_prover/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "zksync_tee_prover"
-version.workspace = true
+version = "0.1.0"
 edition.workspace = true
 authors.workspace = true
 homepage.workspace = true
diff --git a/etc/nix/README.md b/etc/nix/README.md
new file mode 100644
index 000000000000..99a6c90429a1
--- /dev/null
+++ b/etc/nix/README.md
@@ -0,0 +1,86 @@ +# Declarative and Reproducible builds with Nix + +This directory contains the nix build recipes for various components of this project. Most importantly it is used to +reproducible build `zksync_tee_prover` reproducibly and create a container containing all what is needed to run it on an +SGX machine. + +## Prerequisites + +Install [nix](https://zero-to-nix.com/start/install). + +In `~/.config/nix/nix.conf` + +```ini +experimental-features = nix-command flakes +sandbox = true +``` + +or on nixos in `/etc/nixos/configuration.nix` add the following lines: + +```nix +{ + nix = { + extraOptions = '' + experimental-features = nix-command flakes + sandbox = true + ''; + }; +} +``` + +## Build + +Build various components of this project with `nix`. + +### Build as the CI would + +```shell +$ nix run github:nixos/nixpkgs/nixos-23.11#nixci +``` + +### Build individual parts + +```shell +$ nix build .#zksync_server +``` + +or + +```shell +$ nix build .#zksync_server.contract_verifier +$ nix build .#zksync_server.external_node +$ nix build .#zksync_server.server +$ nix build .#zksync_server.snapshots_creator +$ nix build .#zksync_server.block_reverter +``` + +or + +```shell +$ nix build .#tee_prover +$ nix build .#container-tee_prover-dcap +$ nix build .#container-tee_prover-azure +``` + +## Develop + +`nix` can provide the build environment for this project. + +```shell +$ nix develop +``` + +optionally create `.envrc` for `direnv` to automatically load the environment when entering the main directory: + +```shell +$ cat < .envrc +use flake .# +EOF +$ direnv allow +``` + +### Format for commit + +```shell +$ nix run .#fmt +``` diff --git a/etc/nix/container-tee-prover.nix b/etc/nix/container-tee-prover.nix new file mode 100644 index 000000000000..ab2b12c48db0 --- /dev/null +++ b/etc/nix/container-tee-prover.nix 
@@ -0,0 +1,48 @@
+{ pkgs
+, nixsgxLib
+, teepot
+, tee_prover
+, container-name
+, isAzure ? true
+, tag ? null
+}:
+let
+ name = container-name;
+ entrypoint = "${teepot.teepot.tee_key_preexec}/bin/tee-key-preexec";
+in
+nixsgxLib.mkSGXContainer {
+ inherit name;
+ inherit tag;
+
+ packages = [ teepot.teepot.tee_key_preexec tee_prover ];
+ inherit entrypoint;
+ inherit isAzure;
+
+ manifest = {
+ loader = {
+ argv = [
+ entrypoint
+ "${tee_prover}/bin/zksync_tee_prover"
+ ];
+
+ log_level = "error";
+
+ env = {
+ TEE_API_URL.passthrough = true;
+ API_PROMETHEUS_LISTENER_PORT.passthrough = true;
+ API_PROMETHEUS_PUSHGATEWAY_URL.passthrough = true;
+ API_PROMETHEUS_PUSH_INTERVAL_MS.passthrough = true;
+
+ ### DEBUG ###
+ RUST_BACKTRACE = "1";
+ RUST_LOG = "warning,zksync_tee_prover=debug";
+ };
+ };
+
+ sgx = {
+ edmm_enable = false;
+ enclave_size = "32G";
+ max_threads = 128;
+ };
+ };
+}
diff --git a/etc/nix/devshell.nix b/etc/nix/devshell.nix
new file mode 100644
index 000000000000..bccf58e50e75
--- /dev/null
+++ b/etc/nix/devshell.nix
@@ -0,0 +1,41 @@
+{ pkgs
+, stdenv
+, zksync_server
+, hardeningEnable
+}:
+with pkgs; mkShell.override { inherit stdenv; } {
+ inputsFrom = [ zksync_server ];
+
+ packages = [
+ docker-compose
+ nodejs
+ yarn
+ axel
+ postgresql
+ python3
+ solc
+ sqlx-cli
+ mold
+ ];
+
+ inherit hardeningEnable;
+
+ shellHook = ''
+ export ZKSYNC_HOME=$PWD
+ export PATH=$ZKSYNC_HOME/bin:$PATH
+ export RUSTFLAGS='-C link-arg=-fuse-ld=${pkgs.mold}/bin/mold'
+ export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="clang"
+
+ if [ "x$NIX_LD" = "x" ]; then
+ export NIX_LD=$(<${clangStdenv.cc}/nix-support/dynamic-linker)
+ fi
+ if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then
+ export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH"
+ else
+ export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH"
+ fi
+ '';
+
+ ZK_NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ ];
+}
+
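Review bot: In etc/nix/container-tee-prover.nix the `### DEBUG ###` entries under `loader.env` are hard-coded into the enclave manifest, so every container built from this recipe runs with `RUST_BACKTRACE = "1"` and debug-level logging for the prover; I would drop them for release images or gate them on a function argument, and say which in a comment. The filter string also uses `warning`, which Rust log filters normally do not accept as a level name (the level is `warn`), so it is likely parsed as a target and the intended global filter would not apply: `RUST_LOG = "warn,zksync_tee_prover=debug";`. The four `passthrough` variables, `TEE_API_URL` in particular, appear to be taken from the host environment outside the enclave, which deserves a one-line comment such as `# host-supplied, not part of the measured manifest: treat as untrusted input`.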
diff --git a/etc/nix/tee-prover.nix b/etc/nix/tee-prover.nix
new file mode 100644
index 000000000000..5d362db9629e
--- /dev/null
+++ b/etc/nix/tee-prover.nix
@@ -0,0 +1,11 @@
+{ cargoArtifacts
+, craneLib
+, versionSuffix
+, commonArgs
+}:
+craneLib.buildPackage (commonArgs // {
+ pname = "zksync_tee_prover";
+ version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+ cargoExtraArgs = "-p zksync_tee_prover --bin zksync_tee_prover";
+ inherit cargoArtifacts;
+})
diff --git a/etc/nix/zksync-server.nix b/etc/nix/zksync-server.nix
new file mode 100644
index 000000000000..33c7527ddfb0
--- /dev/null
+++ b/etc/nix/zksync-server.nix
@@ -0,0 +1,41 @@
+{ cargoArtifacts
+, craneLib
+, versionSuffix
+, commonArgs
+}:
+craneLib.buildPackage (commonArgs // {
+ pname = "zksync";
+ version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+ cargoExtraArgs = "--all";
+ inherit cargoArtifacts;
+
+ outputs = [
+ "out"
+ "contract_verifier"
+ "external_node"
+ "server"
+ "snapshots_creator"
+ "block_reverter"
+ ];
+
+ postInstall = ''
+ mkdir -p $out/nix-support
+ for i in $outputs; do
+ [[ $i == "out" ]] && continue
+ mkdir -p "''${!i}/bin"
+ echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
+ if [[ -e "$out/bin/zksync_$i" ]]; then
+ mv "$out/bin/zksync_$i" "''${!i}/bin"
+ else
+ mv "$out/bin/$i" "''${!i}/bin"
+ fi
+ done
+
+ mkdir -p $external_node/nix-support
+ echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages
+
+ mv $out/bin/merkle_tree_consistency_checker $server/bin
+ mkdir -p $server/nix-support
+ echo "block_reverter" >> $server/nix-support/propagated-user-env-packages
+ '';
+})
diff --git a/flake.lock b/flake.lock
index 8b345701bbc6..fe16e2254b51 100644
--- a/flake.lock
+++ b/flake.lock
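Review bot: In etc/nix/zksync-server.nix the `version` of the `zksync` package is read from `core/bin/zksync_tee_prover/Cargo.toml`, the same path tee-prover.nix uses, whereas the removed flake code read `./core/bin/zksync_server/Cargo.toml`. With this commit setting the prover's version to "0.1.0", the server outputs would carry the prover's version, which makes it harder to tell which server release a binary came from. If this is deliberate (presumably because a manifest with `version.workspace = true` does not give `builtins.fromTOML` a string), a comment such as `# version comes from the tee prover manifest; the server manifest only inherits the workspace version` would make that explicit; otherwise derive it from the manifest that actually carries the server's version.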
@@ -1,5 +1,95 @@ { "nodes": { + "crane": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1720226507, + "narHash": "sha256-yHVvNsgrpyNTXZBEokL8uyB2J6gB1wEx0KOJzoeZi1A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0aed560c5c0a61c9385bddff471a13036203e11c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716156051, + "narHash": "sha256-TjUX7WWRcrhuUxDHsR8pDR2N7jitqZehgCVSy3kBeS8=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7443df1c478947bf96a2e699209f53b2db26209d", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -18,10 +108,103 @@ "type": "github" } }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_3" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils-plus_3": { + "inputs": { + "flake-utils": "flake-utils_6" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, "flake-utils_2": { "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 
1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_4" + }, "locked": { "lastModified": 1705309234, "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", @@ -36,13 +219,49 @@ "type": "github" } }, + "flake-utils_5": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1717952948, - "narHash": "sha256-mJi4/gjiwQlSaxjA6AusXBN/6rQRaPCycR7bd8fydnQ=", + "lastModified": 1719956923, + "narHash": "sha256-nNJHJ9kfPdzYsCOlHOnbiiyKjZUW5sWbwx3cakg3/C4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2819fffa7fa42156680f0d282c60d81e8fb185b7", + "rev": "706eef542dec88cc0ed25b9075d3037564b2d164", "type": "github" }, "original": { 
@@ -54,11 +273,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1706487304, - "narHash": "sha256-LE8lVX28MV2jWJsidW13D2qrHU/RUUONendL2Q/WlJg=", + "lastModified": 1719707984, + "narHash": "sha256-RoxIr/fbndtuKqulGvNCcuzC6KdAib85Q8gXnjzA1dw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7dca15289a1c2990efbe4680f0923ce14139b042", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1718428119, + "narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "90f456026d284c22b3e3497be980b2e47d0b28ac", + "rev": "e6cea36f83499eb4e9cd184c8a8e823296b50ad5", "type": "github" }, "original": { 
@@ -68,24 +303,115 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1719707984, + "narHash": "sha256-RoxIr/fbndtuKqulGvNCcuzC6KdAib85Q8gXnjzA1dw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7dca15289a1c2990efbe4680f0923ce14139b042", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1717281328, + "narHash": "sha256-evZPzpf59oNcDUXxh2GHcxHkTEG4fjae2ytWP85jXRo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b3b2b28c1daa04fe2ae47c21bb76fd226eac4ca1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixsgx-flake": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "snowfall-lib": "snowfall-lib" + }, + "locked": { + "lastModified": 1719923509, + "narHash": "sha256-3buuJSKCVT0o42jpreoflYA+Rlp/4eQKATEAY+pPeh8=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "520ad6227523c5720468726f9e945cecdb7a37aa", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "nixsgx", + "type": "github" + } + }, + "nixsgx-flake_2": { + "inputs": { + "nixpkgs": "nixpkgs_4", + "snowfall-lib": "snowfall-lib_2" + }, + "locked": { + "lastModified": 1719916365, + "narHash": "sha256-RzCFbGAHq6rTY4ctrmazGIx59qXtfrVfEnIe+L0leTo=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "0309a20ee5bf12b7390aa6795409b448420e80f2", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "nixsgx", + "type": "github" + } + }, + "nixsgx-flake_3": { + "inputs": { + "nixpkgs": "nixpkgs_5", + "snowfall-lib": "snowfall-lib_3" + }, + "locked": { + "lastModified": 1717758565, + "narHash": "sha256-yscuZ3ixjwTkqS6ew5cB3Uvy9e807szRlMoPSyQuRJM=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "49a1ae79d92ccb6ed7cabfe5c5042b1399e3cd3e", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": 
"nixsgx", + "type": "github" + } + }, "root": { "inputs": { + "crane": "crane", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", - "rust-overlay": "rust-overlay" + "nixsgx-flake": "nixsgx-flake", + "rust-overlay": "rust-overlay", + "teepot-flake": "teepot-flake" } }, "rust-overlay": { "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1718072316, - "narHash": "sha256-p33h73iQ1HkLalCplV5MH0oP3HXRaH3zufnFqb5//ps=", + "lastModified": 1720059535, + "narHash": "sha256-h/O3PoV3KvQG4tC5UpANBZOsptAZCzEGiwyi+3oSpYc=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "bedc47af18fc41bb7d2edc2b212d59ca36253f59", + "rev": "8deeed2dfa21837c7792b46b6a9b2e73f97b472b", "type": "github" }, "original": { 
@@ -94,6 +420,101 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717985971, + "narHash": "sha256-24h/qKp0aeI+Ew13WdRF521kY24PYa5HOvw0mlrABjk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "abfe5b3126b1b7e9e4daafc1c6478d17f0b584e7", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "snowfall-lib_2": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils-plus": "flake-utils-plus_2", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "snowfall-lib_3": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils-plus": "flake-utils-plus_3", + "nixpkgs": [ + "teepot-flake", + "vault-auth-tee-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716675292, + "narHash": "sha256-7TFvVE4HR/b65/0AAhewYHEJzUXxIEJn82ow5bCkrDo=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "5d6e9f235735393c28e1145bec919610b172a20f", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + 
"repo": "lib", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -123,6 +544,121 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "teepot-flake": { + "inputs": { + "crane": "crane_2", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ], + "nixsgx-flake": "nixsgx-flake_2", + "rust-overlay": "rust-overlay_2", + "snowfall-lib": [ + "teepot-flake", + "nixsgx-flake", + "snowfall-lib" + ], + "vault-auth-tee-flake": "vault-auth-tee-flake" + }, + "locked": { + "lastModified": 1720011517, + "narHash": "sha256-1oo9Z47CNdqDgtGNE1LC+6CQ+VXcy7TtFFnvifBnVLE=", + "owner": "matter-labs", + "repo": "teepot", + "rev": "8dadc1f76b7dd8a98be7781e8206fed5268dd0e6", + "type": "github" 
+ }, + "original": { + "owner": "matter-labs", + "repo": "teepot", + "type": "github" + } + }, + "vault-auth-tee-flake": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ], + "nixsgx-flake": "nixsgx-flake_3" + }, + "locked": { + "lastModified": 1718012107, + "narHash": "sha256-uKiUBaEOj9f3NCn6oTw5VqoZJxsTXSoAn2IWVB/LSS0=", + "owner": "matter-labs", + "repo": "vault-auth-tee", + "rev": "b10204436bc2fbad74c5716bd265fad74acc197c", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "vault-auth-tee", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 0287d4cf09d1..d4bb65be7395 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,229 +1,151 @@ ################################################################################################### # -# To build the rust components with this flake, run: -# $ nix build .#cargoDeps -# set `cargoHash` below to the result of the build -# then -# $ nix build .#zksync_server -# or -# $ nix build .#zksync_server.contract_verifier -# $ nix build .#zksync_server.external_node -# $ nix build .#zksync_server.server -# $ nix build .#zksync_server.snapshots_creator -# $ nix build .#zksync_server.block_reverter -# -# To enter the development shell, run: -# $ nix develop -# -# To vendor the dependencies manually, run: -# $ nix shell .#cargo-vendor -c cargo vendor --no-merge-sources +# see `README.md` in `etc/nix` # ################################################################################################### { description = "ZKsync-era"; + + nixConfig = { + extra-substituters = [ "https://attic.teepot.org/tee-pot" ]; + extra-trusted-public-keys = [ "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=" ]; + }; + inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + teepot-flake.url = "github:matter-labs/teepot"; + nixsgx-flake.url = "github:matter-labs/nixsgx"; flake-utils.url = "github:numtide/flake-utils"; rust-overlay.url = "github:oxalica/rust-overlay"; + crane = { + url = "github:ipetkov/crane?tag=v0.17.3"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, flake-utils, rust-overlay }: - flake-utils.lib.eachDefaultSystem (system: - let - ########################################################################################### - # This changes every time `Cargo.lock` changes. 
Set to `null` to force re-vendoring - cargoHash = null; - # cargoHash = "sha256-LloF3jrvFkOlZ2lQXB+/sFthfJQLLu8BvHBE88gRvFc="; - ########################################################################################### - officialRelease = false; - - versionSuffix = - if officialRelease - then "" - else "pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}"; - - pkgs = import nixpkgs { inherit system; overlays = [ rust-overlay.overlays.default ]; }; - - # patched version of cargo to support `cargo vendor` for vendoring dependencies - # see https://github.com/matter-labs/zksync-era/issues/1086 - # used as `cargo vendor --no-merge-sources` - cargo-vendor = pkgs.rustPlatform.buildRustPackage { - pname = "cargo-vendor"; - version = "0.78.0"; - src = pkgs.fetchFromGitHub { - owner = "haraldh"; - repo = "cargo"; - rev = "3ee1557d2bd95ca9d0224c5dbf1d1e2d67186455"; - hash = "sha256-A8xrOG+NmF8dQ7tA9I2vJSNHlYxsH44ZRXdptLblCXk="; + + outputs = { self, nixpkgs, teepot-flake, nixsgx-flake, flake-utils, rust-overlay, crane }: + let + officialRelease = false; + hardeningEnable = [ "fortify3" "pie" "relro" ]; + + out = system: + let + pkgs = import nixpkgs { + inherit system; + overlays = [ + rust-overlay.overlays.default + nixsgx-flake.overlays.default + teepot-flake.overlays.default + ]; }; - doCheck = false; - cargoHash = "sha256-LtuNtdoX+FF/bG5LQc+L2HkFmgCtw5xM/m0/0ShlX2s="; - nativeBuildInputs = [ - pkgs.pkg-config - pkgs.rustPlatform.bindgenHook - ]; - buildInputs = [ - pkgs.openssl - ]; - }; - # custom import-cargo-lock to import Cargo.lock file and vendor dependencies - # see https://github.com/matter-labs/zksync-era/issues/1086 - import-cargo-lock = { lib, cacert, runCommand }: { src, cargoHash ? 
null }: - runCommand "import-cargo-lock" - { - inherit src; - nativeBuildInputs = [ cargo-vendor cacert ]; - preferLocalBuild = true; - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = if cargoHash != null then cargoHash else lib.fakeSha256; - } - '' - mkdir -p $out/.cargo - mkdir -p $out/cargo-vendor-dir - - HOME=$(pwd) - pushd ${src} - HOME=$HOME cargo vendor --no-merge-sources $out/cargo-vendor-dir > $out/.cargo/config - sed -i -e "s#$out#import-cargo-lock#g" $out/.cargo/config - cp $(pwd)/Cargo.lock $out/Cargo.lock - popd - '' - ; - cargoDeps = pkgs.buildPackages.callPackage import-cargo-lock { } { inherit src; inherit cargoHash; }; - - rustVersion = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain; - - stdenv = pkgs.stdenvAdapters.useMoldLinker pkgs.clangStdenv; - - rustPlatform = pkgs.makeRustPlatform { - cargo = rustVersion; - rustc = rustVersion; - inherit stdenv; - }; - zksync_server_cargoToml = builtins.fromTOML (builtins.readFile ./core/bin/zksync_server/Cargo.toml); - - hardeningEnable = [ "fortify3" "pie" "relro" ]; - - src = with pkgs.lib.fileset; toSource { - root = ./.; - fileset = unions [ - ./Cargo.lock - ./Cargo.toml - ./core - ./prover - ./.github/release-please/manifest.json - ]; - }; + appliedOverlay = self.overlays.default pkgs pkgs; + in + { + formatter = pkgs.nixpkgs-fmt; - zksync_server = with pkgs; stdenv.mkDerivation { - pname = "zksync"; - version = zksync_server_cargoToml.package.version + versionSuffix; - - updateAutotoolsGnuConfigScriptsPhase = ":"; - - nativeBuildInputs = [ - pkg-config - rustPlatform.bindgenHook - rustPlatform.cargoSetupHook - rustPlatform.cargoBuildHook - rustPlatform.cargoInstallHook - ]; - - buildInputs = [ - libclang - openssl - snappy.dev - lz4.dev - bzip2.dev - ]; - - inherit src; - cargoBuildFlags = "--all"; - cargoBuildType = "release"; - - inherit cargoDeps; - - inherit hardeningEnable; - - outputs = [ - "out" - "contract_verifier" - "external_node" - "server" - 
"snapshots_creator" - "block_reverter" - ]; - - postInstall = '' - mkdir -p $out/nix-support - for i in $outputs; do - [[ $i == "out" ]] && continue - mkdir -p "''${!i}/bin" - echo "''${!i}" >> $out/nix-support/propagated-user-env-packages - if [[ -e "$out/bin/zksync_$i" ]]; then - mv "$out/bin/zksync_$i" "''${!i}/bin" - else - mv "$out/bin/$i" "''${!i}/bin" - fi - done - - mkdir -p $external_node/nix-support - echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages - - mv $out/bin/merkle_tree_consistency_checker $server/bin - mkdir -p $server/nix-support - echo "block_reverter" >> $server/nix-support/propagated-user-env-packages - ''; - }; - in - { - formatter = pkgs.nixpkgs-fmt; - - packages = { - inherit zksync_server; - default = zksync_server; - inherit cargo-vendor; - inherit cargoDeps; + packages = { + # to ease potential cross-compilation, the overlay is used + inherit (appliedOverlay.zksync-era) zksync_server tee_prover container-tee_prover-azure container-tee_prover-dcap; + default = appliedOverlay.zksync-era.zksync_server; + }; + + devShells.default = appliedOverlay.zksync-era.devShell; }; + in + flake-utils.lib.eachDefaultSystem out // { + overlays.default = final: prev: + # to ease potential cross-compilation, the overlay is used + let + pkgs = final; + + versionSuffix = + if officialRelease + then "" + else "-pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}"; + + rustVersion = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain; + + stdenv = pkgs.stdenvAdapters.useMoldLinker pkgs.clangStdenv; + + rustPlatform = pkgs.makeRustPlatform { + cargo = rustVersion; + rustc = rustVersion; + inherit stdenv; + }; - devShells = with pkgs; { - default = pkgs.mkShell.override { inherit stdenv; } { - inputsFrom = [ zksync_server ]; - - packages = [ - docker-compose - nodejs - yarn - axel - postgresql - python3 - solc - sqlx-cli - mold + craneLib = (crane.mkLib 
pkgs).overrideToolchain rustVersion; + NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"; + + commonArgs = { + nativeBuildInputs = with pkgs;[ + pkg-config + rustPlatform.bindgenHook + ]; + + buildInputs = with pkgs;[ + libclang + openssl + snappy.dev + lz4.dev + bzip2.dev ]; + src = with pkgs.lib.fileset; toSource { + root = ./.; + fileset = unions [ + ./Cargo.lock + ./Cargo.toml + ./core + ./prover + ./zk_toolbox + ./.github/release-please/manifest.json + ]; + }; + + doCheck = false; + strictDeps = true; inherit hardeningEnable; + inherit NIX_OUTPATH_USED_AS_RANDOM_SEED; + }; - shellHook = '' - export ZKSYNC_HOME=$PWD - export PATH=$ZKSYNC_HOME/bin:$PATH - export RUSTFLAGS='-C link-arg=-fuse-ld=${pkgs.mold}/bin/mold' - export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="clang" - - if [ "x$NIX_LD" = "x" ]; then - export NIX_LD="$(<${clangStdenv.cc}/nix-support/dynamic-linker)" - fi - if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then - export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH" - else - export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH" - fi - ''; - - ZK_NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ ]; + cargoArtifacts = craneLib.buildDepsOnly (commonArgs // { + pname = "zksync-era-workspace"; + }); + in + { + zksync-era = rec { + devShell = pkgs.callPackage ./etc/nix/devshell.nix { + inherit stdenv; + inherit zksync_server; + inherit hardeningEnable; + }; + + zksync_server = pkgs.callPackage ./etc/nix/zksync-server.nix { + inherit cargoArtifacts; + inherit versionSuffix; + inherit craneLib; + inherit commonArgs; + }; + tee_prover = pkgs.callPackage ./etc/nix/tee-prover.nix { + inherit cargoArtifacts; + inherit versionSuffix; + inherit craneLib; + inherit commonArgs; + }; + + container-tee_prover-azure = pkgs.callPackage ./etc/nix/container-tee-prover.nix { + inherit tee_prover; + isAzure = true; + container-name = "zksync-tee_prover-azure"; + }; + container-tee_prover-dcap = pkgs.callPackage ./etc/nix/container-tee-prover.nix { + inherit 
tee_prover; + isAzure = false; + container-name = "zksync-tee_prover-dcap"; + }; }; }; - }); + }; }
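Review bot: The `crane` input URL `github:ipetkov/crane?tag=v0.17.3` does not appear to pin anything: `tag` is not a parameter the `github:` flake reference takes (it accepts `ref` or `rev`), and the `crane` node in flake.lock records no `ref` under `original`. The input is therefore held only by the lock file and the next `nix flake update` would move it to the default branch; use `url = "github:ipetkov/crane/v0.17.3";` if the tag is intended. Separately, `nixConfig` adds `https://attic.teepot.org/tee-pot` as a substituter with its own trusted key, so anyone who accepts the flake config receives pre-built outputs from that cache instead of building them. For a recipe whose stated purpose is a reproducible enclave image, a comment next to `nixConfig` should say who operates the cache and that an independent check of the image should build with `--option substitute false`.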