Created
February 8, 2026 17:10
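{
  description = "Aya eBPF Agentic Environment (Nightly + bpf-linker)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
    rust-overlay.url = "github:oxalica/rust-overlay";
  };

  # Builds one dev shell per default system. The shell provides a nightly Rust
  # toolchain with the BPF target, bpf-linker/bpftool, and three wrapper
  # scripts (agent-build, agent-run, agent-check) intended to be driven by a
  # coding agent.
  outputs = { self, nixpkgs, flake-utils, rust-overlay }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        overlays = [ (import rust-overlay) ];
        pkgs = import nixpkgs { inherit system overlays; };

        # ---------------------------------------------------------------------
        # TOOLCHAIN: Nightly is REQUIRED for Aya
        # ---------------------------------------------------------------------
        # Aya needs '-Z build-std=core' to compile the kernel portion.
        # 'nightly.latest' and the 'nixos-unstable' branch are both floating
        # references: which compiler you actually get is decided by the input
        # revisions recorded in flake.lock, so commit that file and review its
        # updates like any other dependency bump.
        rustToolchain = pkgs.rust-bin.nightly.latest.default.override {
          extensions = [ "rust-src" "rust-analyzer" "clippy" "rustfmt" ];
          targets = [ "x86_64-unknown-linux-gnu" "bpfel-unknown-none" ];
        };

        # ---------------------------------------------------------------------
        # 1. AGENT-BUILD (The Xtask Wrapper)
        # ---------------------------------------------------------------------
        # Most Aya templates use 'cargo xtask build-ebpf' to handle the
        # cross-compilation dance. We wrap this for the agent.
        agentBuild = pkgs.writeShellScriptBin "agent-build" ''
          # Stop at the first failing step so a broken eBPF build cannot be
          # hidden by a later userspace build that happens to succeed.
          set -e

          echo "[Aya] Building eBPF Bytecode & Userspace..."
          # Check if xtask exists (Standard Aya Pattern)
          if [ -d "xtask" ]; then
            ${rustToolchain}/bin/cargo xtask build-ebpf --release
            ${rustToolchain}/bin/cargo build --release --message-format short --color never
          else
            echo "No 'xtask' found. Falling back to manual build."
            ${rustToolchain}/bin/cargo build --release --target=bpfel-unknown-none -Z build-std=core
          fi
        '';

        # ---------------------------------------------------------------------
        # 2. AGENT-RUN (Sudo Wrapper)
        # ---------------------------------------------------------------------
        # Loading eBPF programs needs elevated privileges, so this wrapper goes
        # through sudo. It is a convenience, not a sandbox: whoever can invoke
        # agent-run can execute the workspace's code as root.
        agentRun = pkgs.writeShellScriptBin "agent-run" ''
          echo "[Run] Loading eBPF program (Requires Sudo)..."
          # -E preserves env vars (like RUST_LOG)
          # NOTE(review): sudo wraps the whole cargo invocation, so any
          # compilation cargo performs here (dependency build scripts and
          # proc-macros included) runs as root with the caller's environment,
          # and build output may end up root-owned. Prefer running agent-build
          # unprivileged first and elevating only the loader binary (or granting
          # it CAP_BPF/CAP_PERFMON where the kernel supports that), and keep the
          # sudoers rule for the agent's account as narrow as possible. Some
          # xtask 'run' implementations already elevate the binary themselves;
          # confirm against this project's xtask before changing the line below.
          sudo -E ${rustToolchain}/bin/cargo xtask run --release
        '';

        # ---------------------------------------------------------------------
        # 3. AGENT-CHECK (Dual-Target Verification)
        # ---------------------------------------------------------------------
        # Checking Aya is tricky: you can't check the whole workspace at once
        # because the targets differ (std vs no_std).
        agentCheck = pkgs.writeShellScriptBin "agent-check" ''
          # Both halves always run; the exit status is non-zero if either one
          # failed, so a userspace error is not masked by a clean eBPF check.
          status=0

          echo "[Check] Verifying Code Integrity..."
          echo "1. Checking Userspace..."
          # The package glob is quoted so cargo receives the pattern itself
          # instead of whatever the shell expands it to in the current directory.
          ${rustToolchain}/bin/cargo check --workspace --exclude '*-ebpf' \
            --message-format short --color never --quiet || status=1

          echo "2. Checking eBPF Kernel Space..."
          ${rustToolchain}/bin/cargo check --package '*-ebpf' \
            --target=bpfel-unknown-none \
            -Z build-std=core \
            --message-format short --color never --quiet || status=1

          exit "$status"
        '';

        # ---------------------------------------------------------------------
        # AGENT CONTEXT (Aya Specifics)
        # ---------------------------------------------------------------------
        # Plain Markdown. It is written to the Nix store and copied from there,
        # never passed through the shell, so backticks and quotes need no
        # escaping here.
        agentContext = ''
          # Aya eBPF Agent Protocol
          ## ARCHITECTURE: "The Triad"
          Aya projects have 3 parts. KNOW WHERE YOU ARE EDITING.
          1. **`*-ebpf` (Kernel):** - **Strict `no_std`.** No Heap. No `String`. No `std::fs`.
             - Use `aya_log_ebpf` for logging.
          2. **`myapp` (Userspace):** - Standard Async Rust (`tokio`).
             - Loads the BPF program into the kernel.
          3. **`*-common` (Shared):** - POD (Plain Old Data) structs shared between Kernel and User.
             - Must be `#[repr(C)]`.
          ## AYA GUARDRAILS
          1. **Logging:** - **Kernel:** `aya_log_ebpf::info!(ctx, "msg");`
             - **User:** `env_logger` or `tracing`.
             - DO NOT use `println!` in the kernel crate.
          2. **Memory Safety:**
             - The BPF Verifier is strict.
             - Avoid loops where possible.
             - If you need a buffer, use a stack array: `let buf = [0u8; 64];`.
          3. **Build Flow:**
             - Use `agent-build`. It handles the `xtask` cross-compilation automatically.
          ## COMMANDS
          | Command | Purpose |
          | :--- | :--- |
          | `agent-check` | specific check that handles the std/no_std split correctly. |
          | `agent-build` | Runs `cargo xtask build-ebpf` + `cargo build`. |
          | `agent-run` | Runs with `sudo` (Required for eBPF). |
        '';

        # Store copy of the context document, so the shell hook only has to
        # copy a file rather than echo interpolated text.
        agentContextFile = pkgs.writeText "AGENT_CONTEXT.md" agentContext;
      in
      {
        devShells.default = pkgs.mkShell {
          buildInputs = [
            rustToolchain
            pkgs.bpf-linker # CRITICAL: Links the BPF object files
            pkgs.bpftool # Debugging
            pkgs.cargo-generate # Helpful if you ask the agent to scaffold a new probe

            # Script aliases
            agentBuild
            agentRun
            agentCheck

            # System Libs
            pkgs.pkg-config
            pkgs.openssl
          ];

          shellHook = ''
            echo "Initializing Aya (eBPF) Environment..."
            # Overwrites AGENT_CONTEXT.md in the directory the shell was entered
            # from. 'cat >' keeps the copy writable (store files are read-only).
            cat ${agentContextFile} > AGENT_CONTEXT.md
            # RUST_LOG is essential for seeing Aya output
            export RUST_LOG=info
            echo "'bpf-linker' is active."
            echo "Use 'agent-check' to verify separate kernel/user targets."
          '';
        };
      }
    );
}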