constellation/nix/container/vpn/vpn.nix

{ pkgs
, pkgsLinux
, stdenv
}:
let
  passwd = pkgs.writeTextDir "etc/passwd" ''
    root:x:0:0:root:/root:/bin/sh
    nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
  '';
  group = pkgs.writeTextDir "etc/group" ''
    root:x:0:
    nobody:x:65534:
  '';

  strongswanScript = pkgsLinux.writeShellApplication {
    name = "strongswan.sh";
    runtimeInputs = with pkgsLinux; [
      coreutils
      strongswan
    ];
    text = ./strongswan.sh;
  };

  sidecarScript = pkgsLinux.writeShellApplication {
    name = "sidecar.sh";
    runtimeInputs = with pkgsLinux; [
      coreutils
      iproute2
      jq
      util-linux
      procps
    ];
    text = ./sidecar.sh;
  };

  operatorScript = pkgsLinux.writeShellApplication {
    name = "operator.sh";
    runtimeInputs = with pkgsLinux; [
      coreutils
      kubernetes
      jq
    ];
    text = ./operator.sh;
  };

  image = pkgs.dockerTools.buildImage {
    name = "ghcr.io/edgelesssys/constellation/vpn";
    copyToRoot = with pkgsLinux.dockerTools; [
      passwd
      group
      strongswanScript
      sidecarScript
      operatorScript
      binSh
    ];
    config = {
      Cmd = [ "/bin/entrypoint.sh" ];
    };
  };

in

stdenv.mkDerivation {
  name = "image";

  src = image;

  buildInputs = with pkgs; [ gnutar jq ];


  installPhase = ''
    mkdir -p "$out/tmp"
    pushd "$out/tmp"
    tar -xf ${image}
    layer="$(jq -r '.[0].Layers[0]' <manifest.json)"
    chmod -R u+w "."
    mv "$layer" "$out/layer.tar"
    popd
    rm -rf -- "$out/tmp"
  '';

}
vpn: ship our own container image (#2909) * vpn: ship our own container image The container image used in the VPN chart should be reproducible and stable. We're sticking close to the original nixery.dev version by building the image with nix ourselves, and then publishing the single layer from the result with Bazel OCI rules. The resulting image should be handled similar to s3proxy: it's built as a part of the Constellation release process and then consumed from a Helm chart in our registry. Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com> 2024-02-15 07:08:27 -05:00			`{ pkgs`
			`, pkgsLinux`
			`, stdenv`
			`}:`
			`let`
			`passwd = pkgs.writeTextDir "etc/passwd" ''`
			`root:x:0:0:root:/root:/bin/sh`
			`nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin`
			`'';`
			`group = pkgs.writeTextDir "etc/group" ''`
			`root:x:0:`
			`nobody:x:65534:`
			`'';`

			`strongswanScript = pkgsLinux.writeShellApplication {`
			`name = "strongswan.sh";`
			`runtimeInputs = with pkgsLinux; [`
			`coreutils`
			`strongswan`
			`];`
			`text = ./strongswan.sh;`
			`};`

			`sidecarScript = pkgsLinux.writeShellApplication {`
			`name = "sidecar.sh";`
			`runtimeInputs = with pkgsLinux; [`
			`coreutils`
			`iproute2`
			`jq`
			`util-linux`
			`procps`
			`];`
			`text = ./sidecar.sh;`
			`};`

			`operatorScript = pkgsLinux.writeShellApplication {`
			`name = "operator.sh";`
			`runtimeInputs = with pkgsLinux; [`
			`coreutils`
			`kubernetes`
			`jq`
			`];`
			`text = ./operator.sh;`
			`};`

			`image = pkgs.dockerTools.buildImage {`
			`name = "ghcr.io/edgelesssys/constellation/vpn";`
			`copyToRoot = with pkgsLinux.dockerTools; [`
			`passwd`
			`group`
			`strongswanScript`
			`sidecarScript`
			`operatorScript`
			`binSh`
			`];`
			`config = {`
			`Cmd = [ "/bin/entrypoint.sh" ];`
			`};`
			`};`

			`in`

			`stdenv.mkDerivation {`
			`name = "image";`

			`src = image;`

			`buildInputs = with pkgs; [ gnutar jq ];`


			`installPhase = ''`
			`mkdir -p "$out/tmp"`
			`pushd "$out/tmp"`
			`tar -xf ${image}`
			`layer="$(jq -r '.[0].Layers[0]' <manifest.json)"`
			`chmod -R u+w "."`
			`mv "$layer" "$out/layer.tar"`
			`popd`
			`rm -rf -- "$out/tmp"`
			`'';`

			`}`