grapevine/nix/pkgs/complement-grapevine-oci-image/default.nix
Benjamin Lee cd439af2c4
add test image for complement
This image is intended to satisfy the image requirements described in [1]. The
openssl commands that generate and sign the server certificate were copied from [2].

[1]: https://github.com/matrix-org/complement?tab=readme-ov-file#image-requirements
[2]: https://github.com/matrix-org/complement?tab=readme-ov-file#complement-pki
2024-09-24 11:25:52 -07:00


# Keep sorted
{ buildEnv
, coreutils
, default
, dockerTools
, envsubst
, moreutils
, openssl
, writeShellScript
, writeTextDir
}:
let
  # Config *template* baked into the image at /app/config.toml.  It is not
  # a final config: the entrypoint runs it through envsubst at container
  # start (see below), so it may reference environment variables.
  configTemplate = writeTextDir "app/config.toml" (builtins.readFile ./config.toml);

  # Everything the entrypoint needs on PATH, plus the config template under
  # /app.  `default` is presumably the grapevine package itself (it has to
  # provide the `grapevine` binary the entrypoint executes) -- confirm
  # against the caller that passes this attribute set.
  imageRoot = buildEnv {
    name = "image-root";
    paths = [
      configTemplate
      coreutils
      default
      moreutils
      envsubst
      openssl
    ];
    pathsToLink = [ "/bin" "/app" ];
  };

  # Container entrypoint.  Runs once per container start and, in order:
  #   1. installs the complement test CA as the *only* trusted CA,
  #   2. generates a fresh TLS key pair and has the complement CA sign it,
  #   3. fills in the config template from the environment,
  #   4. starts grapevine.
  #
  # SECURITY NOTE: this is a test-only image.  It expects the complement
  # CA's *private key* to be mounted at /complement/ca/ca.key and it throws
  # away the system trust store in favour of that CA, so it must never be
  # used for anything other than running the complement test suite.
  entrypoint = writeShellScript "docker-entrypoint.sh" ''
    # -u makes an unset SERVER_NAME abort the script before a certificate
    # with an empty SAN is minted; pipefail surfaces a failing envsubst in
    # the pipeline further down instead of letting sponge write garbage.
    set -euo pipefail
    mkdir -p /tmp
    # Trust *only* certs signed by the complement test CA.  The image ships
    # no other trusted certs, so the bundle is replaced outright rather than
    # appended to.
    mkdir -p /etc/ssl/certs
    cp /complement/ca/ca.crt /etc/ssl/certs/ca-certificates.crt
    # x509 v3 extensions for the server certificate.  SERVER_NAME is
    # interpolated here unquoted; it comes from the complement harness and
    # is trusted input in this context -- do not reuse this pattern with
    # untrusted values.
    cat > /app/v3.ext <<EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName=DNS:$SERVER_NAME
    EOF
    # A fresh 2048-bit RSA key on every container start.  It is written to
    # /app inside the container and never leaves it.
    openssl genrsa \
      -out /app/grapevine.key \
      2048
    openssl req -new \
      -sha256 \
      -key /app/grapevine.key \
      -subj "/CN=$SERVER_NAME" \
      -out /app/grapevine.csr
    # Sign the CSR with the CA the harness mounts at /complement/ca.
    # -CAcreateserial writes ca.srl next to the CA cert, so that mount has
    # to be writable.
    openssl x509 -req \
      -in /app/grapevine.csr \
      -CA /complement/ca/ca.crt \
      -CAkey /complement/ca/ca.key \
      -CAcreateserial \
      -out /app/grapevine.crt \
      -extfile /app/v3.ext \
      -days 365 \
      -sha256
    # Expand environment variables in the config template, in place.
    # --no-unset is meant to turn a variable missing from the environment
    # into an error rather than an empty value; sponge (moreutils) buffers
    # all of stdin before writing, which is what makes rewriting the file
    # we are reading from safe.
    envsubst --no-unset < /app/config.toml | sponge /app/config.toml
    export RUST_BACKTRACE=full
    grapevine serve --config /app/config.toml
  '';
in
dockerTools.buildImage {
  name = "complement-grapevine";
  copyToRoot = imageRoot;
  config = {
    # The two listener ports complement expects a homeserver image to expose
    # (see the image requirements linked from the commit message); which of
    # grapevine's listeners binds which port is decided by config.toml.
    ExposedPorts = {
      "8008/tcp" = {};
      "8448/tcp" = {};
    };
    Cmd = [ entrypoint ];
  };
}