Diffstat (limited to 'default.nix')
-rw-r--r--default.nix56
1 files changed, 29 insertions, 27 deletions
diff --git a/default.nix b/default.nix
index de996ac1..296c7592 100644
--- a/default.nix
+++ b/default.nix
@@ -56,45 +56,47 @@ in let
*/
overrides = pkgs.rustBuilder.overrides.all ++ [
/*
- [1] We need to alter Nix hardening to be able to statically compile: PIE,
+ [1] We need to alter Nix hardening to make static binaries: PIE,
Position Independent Executables seems to be supported only on amd64. Having
- this flags set either make our executables crash or compile as dynamic on many platforms.
- In the following section codegenOpts, we reactive it for the supported targets
- (only amd64 curently) through the `-static-pie` flag. PIE is a feature used
- by ASLR, which helps mitigate security issues.
- Learn more about Nix Hardening: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/cc-wrapper/add-hardening.sh
-
- [2] We want to inject the git version while keeping the build deterministic.
- As we do not want to consider the .git folder as part of the input source,
- we ask the user (the CI often) to pass the value to Nix.
+ this flag set either 1. make our executables crash or 2. compile as dynamic on some platforms.
+ Here, we deactivate it. Later (find `codegenOpts`), we reactivate it for supported targets
+ (only amd64 curently) through the `-static-pie` flag.
+ PIE is a feature used by ASLR, which helps mitigate security issues.
+ Learn more about Nix Hardening at: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/cc-wrapper/add-hardening.sh
*/
(pkgs.rustBuilder.rustLib.makeOverride {
+ name = "garage";
+ overrideAttrs = drv: { hardeningDisable = [ "pie" ]; };
+ })
+
+ (pkgs.rustBuilder.rustLib.makeOverride {
name = "garage_rpc";
+
+ /*
+ [2] We want to inject the git version while keeping the build deterministic.
+ As we do not want to consider the .git folder as part of the input source,
+ we ask the user (the CI often) to pass the value to Nix.
+ */
overrideAttrs = drv:
- /* [1] */ { hardeningDisable = [ "pie" ]; }
- //
- /* [2] */ (if git_version != null then {
+ (if git_version != null then {
preConfigure = ''
${drv.preConfigure or ""}
export GIT_VERSION="${git_version}"
'';
} else {});
- })
- /*
- We ship some parts of the code disabled by default by putting them behind a flag.
- It speeds up the compilation (when the feature is not required) and released crates have less dependency by default (less attack surface, disk space, etc.).
- But we want to ship these additional features when we release Garage.
- In the end, we chose to exclude all features from debug builds while putting (all of) them in the release builds.
- Currently, the only feature of Garage is kubernetes-discovery from the garage_rpc crate.
- */
- (pkgs.rustBuilder.rustLib.makeOverride {
- name = "garage_rpc";
- overrideArgs = old:
- {
- features = if release then [ "kubernetes-discovery" ] else [];
- };
+ /*
+ [3] We ship some parts of the code disabled by default by putting them behind a flag.
+ It speeds up the compilation (when the feature is not required) and released crates have less dependency by default (less attack surface, disk space, etc.).
+ But we want to ship these additional features when we release Garage.
+ In the end, we chose to exclude all features from debug builds while putting (all of) them in the release builds.
+ Currently, the only feature of Garage is kubernetes-discovery from the garage_rpc crate.
+ */
+ overrideArgs = old: {
+ features = if release then [ "kubernetes-discovery" ] else [];
+ };
})
+
];
packageFun = import ./Cargo.nix;
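Review bot: The new `garage` override sets `hardeningDisable = [ "pie" ]` for every target, while comment [1] says PIE comes back only on amd64 through `-static-pie` in `codegenOpts`, which is outside this hunk; nothing visible here ties the two together, so any other target presumably ships a non-PIE executable whose image base ASLR cannot randomize. I would say so in comment [1], for example `Targets other than amd64 are built without PIE, so their executable image is not randomized by ASLR.`, and confirm that `garage_rpc`, which no longer carries the override, still builds statically on the platforms that needed it. Separately, `export GIT_VERSION="${git_version}"` splices a caller-supplied value into the build shell without escaping; `export GIT_VERSION=${pkgs.lib.escapeShellArg git_version}` keeps a quote or `$(...)` in the value from being interpreted. The `overrides` list and the enclosing `let` begin before the hunk.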