release: add cli for aarch64-darwin

.github/actions/release_artifacts/action.yml

@@ -30,12 +30,12 @@ runs:
         CONTAINER_REGISTRY: ${{ inputs.container_registry }}
         SET: base
       run: |
-        coordinatorImg=$(nix run ".#${SET}.containers.push-coordinator" -- "${CONTAINER_REGISTRY}/contrast/coordinator")
-        nodeInstallerKataImg=$(nix run ".#${SET}.containers.push-node-installer-kata" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata")
-        nodeInstallerKataGPUImg=$(nix run ".#${SET}.containers.push-node-installer-kata-gpu" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata-gpu")
-        initializerImg=$(nix run ".#${SET}.containers.push-initializer" -- "${CONTAINER_REGISTRY}/contrast/initializer")
-        serviceMeshImg=$(nix run ".#${SET}.containers.push-service-mesh-proxy" -- "${CONTAINER_REGISTRY}/contrast/service-mesh-proxy")
-        debugShellImg=$(nix run ".#${SET}.containers.push-debugshell" -- "${CONTAINER_REGISTRY}/contrast/debugshell")
+        coordinatorImg=$(nix run ".#${SET}.container-scripts.push-coordinator" -- "${CONTAINER_REGISTRY}/contrast/coordinator")
+        nodeInstallerKataImg=$(nix run ".#${SET}.container-scripts.push-node-installer-kata" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata")
+        nodeInstallerKataGPUImg=$(nix run ".#${SET}.container-scripts.push-node-installer-kata-gpu" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata-gpu")
+        initializerImg=$(nix run ".#${SET}.container-scripts.push-initializer" -- "${CONTAINER_REGISTRY}/contrast/initializer")
+        serviceMeshImg=$(nix run ".#${SET}.container-scripts.push-service-mesh-proxy" -- "${CONTAINER_REGISTRY}/contrast/service-mesh-proxy")
+        debugShellImg=$(nix run ".#${SET}.container-scripts.push-debugshell" -- "${CONTAINER_REGISTRY}/contrast/debugshell")
         echo "coordinatorImg=$coordinatorImg" | tee -a "$GITHUB_OUTPUT"
         echo "nodeInstallerMsftImg=$nodeInstallerMsftImg" | tee -a "$GITHUB_OUTPUT"
         echo "nodeInstallerKataImg=$nodeInstallerKataImg" | tee -a "$GITHUB_OUTPUT"
@@ -113,7 +113,7 @@ runs:
       run: |
         cat << 'EOF' | tee -a "${GITHUB_OUTPUT}"
         paths<<EOM
-        workspace/contrast-cli/bin/contrast
+        workspace/contrast-x86_64-linux
         workspace/coordinator*.yml
         workspace/runtime-*.yml
         workspace/emojivoto-demo.yml
@@ -182,6 +182,8 @@ runs:
         SET: base
       run: |
         nix build -L ".#${SET}.contrast.cli-release" --out-link workspace/contrast-cli
+        SYSTEM=$(nix eval --raw --impure --expr 'builtins.currentSystem')
+        cp workspace/contrast-cli/bin/contrast "workspace/contrast-${SYSTEM}"
     - name: AWS login (IAM role)
       uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
       with:

.github/actions/setup_nix/action.yml

@@ -13,13 +13,15 @@ runs:
   using: "composite"
   steps:
     - name: Allow unrestricted user namespaces
+      if: runner.os == 'Linux'
       # Ubuntu 24.04 ships strict apparmor defaults, so we have to disable them to be able to call
       # unshare in the Nix sansbox without beeing root.
       shell: bash
       run: |
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
     - name: use btrfs for nix builds
+      if: runner.os == 'Linux'
       shell: bash
       run: |
         echo "Setting up btrfs /nix volume..."
@@ -33,7 +35,7 @@ runs:
     - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
       with:
         github_access_token: ${{ inputs.githubToken }}
-        extra_nix_config: "build-dir = /nix/bld"
+        extra_nix_config: ${{ runner.os == 'Linux' && 'build-dir = /nix/bld' || '' }}
     - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
       with:
         name: edgelesssys

.github/workflows/release.yml

@@ -121,7 +121,7 @@ jobs:
   update-main:
     name: Update main branch
     runs-on: ubuntu-24.04
-    needs: [process-inputs, release]
+    needs: [process-inputs, release, release-aarch64-darwin]
     permissions:
       contents: write
     env:
@@ -182,6 +182,11 @@ jobs:
         with:
           name: contrast-release-artifacts
           path: ./contrast-main
+      - name: Download darwin CLI artifact
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: contrast-cli-aarch64-darwin
+          path: ./contrast-main/workspace
       - name: Update contrast-releases.json with new release
         working-directory: contrast-main
         run: nix run ".#${SET}.scripts.update-contrast-releases"
@@ -217,6 +222,58 @@ jobs:
           token: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }}
           path: ./contrast-main
 
+  release-aarch64-darwin:
+    name: Build aarch64-darwin CLI
+    runs-on: macos-latest
+    needs: process-inputs
+    permissions:
+      contents: read
+    env:
+      VERSION: ${{ inputs.version }}
+      SET: base
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
+          persist-credentials: false
+      - uses: ./.github/actions/setup_nix
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Bump flake version to release version
+        uses: ./.github/actions/bump_version
+        with:
+          version: ${{ needs.process-inputs.outputs.WITHOUT_V }}
+          commit: false
+      - name: Build CLI
+        run: |
+          nix build -L ".#${SET}.contrast.cli-release"
+          cp result/bin/contrast contrast-aarch64-darwin
+      - name: Upload artifact
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: contrast-cli-aarch64-darwin
+          path: contrast-aarch64-darwin
+
+  attach-darwin-cli:
+    name: Attach darwin CLI to release
+    runs-on: ubuntu-24.04
+    needs: [release, release-aarch64-darwin]
+    permissions:
+      contents: write
+    env:
+      VERSION: ${{ inputs.version }}
+    steps:
+      - name: Download darwin CLI artifact
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: contrast-cli-aarch64-darwin
+      - name: Attach to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload "${VERSION}" contrast-aarch64-darwin --repo "${{ github.repository }}"
+
   release:
     name: Build and push artifacts, create release
     runs-on: ubuntu-24.04
@@ -401,7 +458,7 @@ jobs:
 
   publish:
     name: Publish release
-    needs: [process-inputs, release, test]
+    needs: [process-inputs, release, test, attach-darwin-cli]
     runs-on: ubuntu-24.04
     environment: release-publish
     permissions:

.github/workflows/static.yml

@@ -158,3 +158,26 @@ jobs:
       - name: Build CLI
         run: |
           nix build ".#${SET}.contrast.cli"
+
+  darwin-cli-build:
+    needs: cli-build
+    runs-on: macos-latest
+    timeout-minutes: 60
+    permissions:
+      contents: read
+    env:
+      SET: base
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/setup_nix
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build darwin formatter
+        run: |
+          nix build .#formatter.aarch64-darwin
+      - name: Build darwin CLI
+        run: |
+          nix build ".#${SET}.contrast.cli"

.github/workflows/test-darwin-cli.yml

@@ -0,0 +1,36 @@
+name: Test darwin CLI build
+
+on:
+  push:
+    branches:
+      - sse/darwin-cli
+
+jobs:
+  build-darwin-cli:
+    name: Build aarch64-darwin CLI
+    runs-on: macos-latest
+    permissions:
+      contents: read
+    env:
+      SET: base
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/setup_nix
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build CLI
+        run: |
+          nix build -L ".#${SET}.contrast.cli-release"
+          cp result/bin/contrast contrast-aarch64-darwin
+      - name: Verify binary
+        run: |
+          file contrast-aarch64-darwin
+          ./contrast-aarch64-darwin --version
+      - name: Upload artifact
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: contrast-cli-aarch64-darwin
+          path: contrast-aarch64-darwin

CONTRIBUTING.md

@@ -49,6 +49,9 @@ If you are struggling with your git history during the review process, please as
 
 ### Development setup
 
+> [!NOTE]
+> If you are developing on macOS/Darwin, you have to first follow the **experimental** [developer documentation for macOS](./dev-docs/macos.md), and then proceed with the rest of the setup.
+
 1. [Install Nix](https://nixos.org/download/#multi-user-installation-recommended)
 
     Enable the experimental features `nix-command` and `flakes` in your Nix configuration.

dev-docs/macos.md

@@ -0,0 +1,70 @@
+# Development setup for macOS (experimental)
+
+Contrast uses `just` and Nix as its build system. Several packages Contrast needs to build, such as container images (`nix build .#base.containers.*`), need to be built for `x86_64-linux` so when building from a different architecture such as `aarch64-darwin`, those builds need to be delegated to a builder that can build for `x86_64-linux`.
+
+## Canonical setup
+
+1. Install Nix. You have several options such the [Lix installer](https://lix.systems/install/) (recommended), the [Determinate Nix installer](https://docs.determinate.systems/) or by following the [official instructions](https://nixos.org/download/). It's recommended to use one of the automated installers as they also make the uninstall on macOS easy.
+
+2. Setup a `x86_64-linux` builder. There are 2 options:
+
+   - setup a remote builder by following Nix's [distributed builds tutorial](https://nix.dev/tutorials/nixos/distributed-builds-setup.html). If you are working for Edgeless Systems, you can use one of our office machines by following the instructions in https://github.com/edgelesssys/nix-remote-builders.
+   - setup a local VM-based builder that emulates x86, by installing [nix-rosetta-builder](https://github.com/cpick/nix-rosetta-builder). Not that the performance of this option might not be great but it's helpful if you need to work offline.
+
+It's recommended to setup both. Nix will automatically offload packages that need to be built for `x86_64-linux` to any builder available for that architecture. So if one of the remote machines isn't available, builds will use the VM-based builder.
+
+## Alternative setup using a Linux VM
+
+Alternatively you can setup a VM with Nix which you can use to build contrast. Since this option will be also using emulation, the performance might not be great.
+
+1. Follow the instructions on [nixos-lima](https://github.com/nixos-lima/nixos-lima) and [nixos-lima-config-sample](https://github.com/nixos-lima/nixos-lima-config-sample) to create a `x86_64-linux` VM.
+
+2. To avoid having to authenticate twice either with your container registry or kubectl, you can forward the local credentials to the VM by adding the following in the VM configuration:
+
+   ```yaml
+   - location: "~/.docker"
+     mountPoint: "/home/lima.linux/.docker"
+     writable: true
+     9p:
+       cache: "mmap"
+   - location: "~/.kube"
+     mountPoint: "/home/lima.linux/.kube"
+     writable: true
+   ```
+
+3. Forward contrast project path as well:
+
+   ```yaml
+   - location: "~/contrast"
+     writable: true
+     9p:
+       cache: "mmap"
+   ```
+
+4. Add the lima user to trusted-users by adding the following in the VM's NixOS configuration (`configuration.nix`):
+
+   ```nix
+   nix.settings.trusted-users = [ "root" "@wheel" ];
+   ```
+
+5. (Optional) You might have to add the hosts you are deploying to in the VM's NixOS configuration:
+
+   ```nix
+   networking.hosts = {
+     "XXX.YYY.ZZZ.XXX" = [ "<SOME HOSTNAME>" ];
+   };
+   ```
+
+6. Start a `x86_64` VM with:
+
+   ```bash
+   limactl start --yes --set '.user.name = "lima"' nixos.yaml --arch=x86_64
+   ```
+
+7. Connect to the VM with:
+
+   ```
+   cd ~/contrast
+   limactl shell nixos
+   nix develop .#
+   ```

docs/docs/howto/install-cli.md

@@ -12,14 +12,33 @@ Required for deploying with Contrast.
 
 ## How-to
 
-Download the Contrast CLI from the latest release:
+Download the Contrast CLI from the latest release and install it in your PATH:
+
+<Tabs queryString="platform">
+<TabItem value="linux" label="Linux (x86_64)">
 
 ```bash
-curl --proto '=https' --tlsv1.2 -fLo contrast https://github.com/edgelesssys/contrast/releases/latest/download/contrast
+curl --proto '=https' --tlsv1.2 -fLo contrast https://github.com/edgelesssys/contrast/releases/latest/download/contrast-x86_64-linux
+sudo install contrast /usr/local/bin/contrast
 ```
 
-After that, install the Contrast CLI in your PATH, e.g.:
+</TabItem>
+<TabItem value="macos" label="macOS (Apple Silicon)">
 
 ```bash
+curl --proto '=https' --tlsv1.2 -fLo contrast https://github.com/edgelesssys/contrast/releases/latest/download/contrast-aarch64-darwin
 sudo install contrast /usr/local/bin/contrast
 ```
+
+:::note
+If you download the binary via a web browser instead of `curl`, macOS may show a warning
+that the software can't be verified. Remove the quarantine attribute to resolve this:
+
+```bash
+xattr -d com.apple.quarantine contrast
+```
+
+:::
+
+</TabItem>
+</Tabs>

flake.nix

@@ -45,9 +45,9 @@
         setsFromDirectory =
           dir:
           builtins.listToAttrs (
-            map (file: {
+            map (file: rec {
               name = builtins.substring 0 (builtins.stringLength file - 4) (baseNameOf file);
-              value = mkSet (defaultOverlays ++ [ (import (dir + "/${file}")) ]);
+              value = mkSet ((defaultOverlays name) ++ [ (import (dir + "/${file}")) ]);
             }) (builtins.attrNames (builtins.readDir dir))
           );
 
@@ -65,10 +65,12 @@
             ];
           };
 
-        defaultOverlays = [
+        defaultOverlays = set: [
           (final: _prev: { fenix = self.inputs.fenix.packages.${final.stdenv.hostPlatform.system}; })
+          (_final: _prev: { runtimePkgs = self.legacyPackages.x86_64-linux.${set}; })
           (import ./overlays/nixpkgs.nix)
           (import ./overlays/contrast.nix)
+          (import ./overlays/runtimepkgs.nix)
         ];
 
         sets = setsFromDirectory ./overlays/sets;

justfile

@@ -13,7 +13,7 @@ push target set=default_set:
     set -euo pipefail
     mkdir -p {{ workspace_dir }}
     echo "Pushing container $container_registry/contrast/{{ target }}"
-    nix run -L .#{{ set }}.containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}" "{{ workspace_dir }}/just.containerlookup" "{{ workspace_dir }}/layers-cache.json"
+    nix run -L .#{{ set }}.container-scripts.push-{{ target }} -- "$container_registry/contrast/{{ target }}" "{{ workspace_dir }}/just.containerlookup" "{{ workspace_dir }}/layers-cache.json"
 
 coordinator: (push "coordinator")