flake.nix
{
  description = "TEE attestation server";

  # Both inputs name a full commit hash rather than a branch or tag, so each
  # URL identifies exactly one tree.
  inputs = {
    # nixpkgs-unstable at 2026-03-23T13:48:00Z
    nixpkgs.url = "github:NixOS/nixpkgs/fdc7b8f7b30fdbedec91b71ed82f36e1637483ed";
    # flake-utils main at 2024-11-13T21:27:16Z
    flake-utils.url = "github:numtide/flake-utils/11707dc2f618dd54ca8739b309ec4fc024de578b";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        inherit (pkgs) lib;

        # Build input is restricted to go.mod, go.sum, *.go and *.json files.
        # Directories always pass so the walk can descend into them. Nothing
        # else in the repository (this flake included) reaches the build, so
        # edits to other files do not change the source hash.
        goSources = lib.sources.cleanSourceWith {
          src = ./.;
          filter = path: type:
            let
              fileName = baseNameOf path;
            in
            type == "directory"
            || builtins.elem fileName [ "go.mod" "go.sum" ]
            || builtins.any (suffix: lib.hasSuffix suffix fileName) [ ".go" ".json" ];
        };

        # The server binary, exported below as `attestation-server` and `default`.
        server = pkgs.buildGoModule {
          pname = "attestation-server";
          version = self.shortRev or self.dirtyShortRev or "dev";
          src = goSources;

          # Fixed-output hash of the Go module dependencies. It has to be
          # refreshed whenever go.mod / go.sum change; a mismatch fails the build.
          vendorHash = "sha256-1BXfSgutuFxtBAByq+PO5K0gKpVNy4etCmcxe7t5Goo=";
          subPackages = [ "." ];

          # Pure-Go build (no cgo); -s / -w drop the symbol table and DWARF data.
          env = { CGO_ENABLED = 0; };
          ldflags = [ "-s" "-w" ];

          # Live DNSSEC tests are gated behind DNSSEC_LIVE_TEST env var
          # and skip themselves in the sandbox; all other tests use fixtures
          doCheck = true;

          # The Go stdlib in nixpkgs is patched to reference nix store paths
          # for mailcap (mime types), iana-etc (/etc/services), and tzdata.
          # This server does not use mime.TypeByExtension, net.LookupPort,
          # or time.LoadLocation, so strip these references to keep the
          # runtime closure (and Docker image) minimal.
          nativeBuildInputs = [ pkgs.removeReferencesTo ];
          postInstall = ''
            remove-references-to -t ${pkgs.mailcap} $out/bin/attestation-server
            remove-references-to -t ${pkgs.iana-etc} $out/bin/attestation-server
            remove-references-to -t ${pkgs.tzdata} $out/bin/attestation-server
          '';
          # Guard for the stripping above: the build fails if the output still
          # refers to any of these store paths, so a regression cannot pass
          # unnoticed.
          disallowedReferences = with pkgs; [ mailcap iana-etc tzdata ];
        };

        # Convenience symlink so the binary is also reachable at
        # /usr/local/bin/attestation-server inside the image.
        serverLink = pkgs.runCommand "attestation-server-link" { } ''
          mkdir -p $out/usr/local/bin
          ln -s ${server}/bin/attestation-server $out/usr/local/bin/attestation-server
        '';

        # Layered OCI image holding only the server and the symlink above.
        # NOTE(review): "latest" is a mutable tag; anything that must bind to one
        # exact build should reference the image by digest. Confirm how
        # deployments and verifiers name the image.
        # NOTE(review): config sets no User, so the runtime default (root, unless
        # the deployment overrides it) applies. Confirm whether the server
        # needs that.
        # NOTE(review): nothing here adds a CA bundle to the image. If the server
        # makes outbound TLS calls that rely on system roots, confirm where it
        # gets them.
        image = pkgs.dockerTools.streamLayeredImage {
          name = "ghcr.io/eternisai/attestation-server";
          tag = "latest";
          contents = [ server serverLink ];
          config = {
            Entrypoint = [ "${server}/bin/attestation-server" ];
          };
        };
      in
      {
        packages = {
          attestation-server = server;
          default = server;
          docker-image = image;
        };
      }
    );
}