chore: cleanup and nixify

* create containers with nix
* updated README.md
* added SPDX license headers

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

packages/container-vault-start-config/cacert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSDCCAzCgAwIBAgIUDjUfoOY4o+E38mka8ViQOPpHBhgwDQYJKoZIhvcNAQEL
+BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD
+QTAeFw0yMzA2MDYwNzU4MTNaFw0yNDA2MDUwNzU4MTNaMC0xGTAXBgNVBAoMEFRl
+c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw
+XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy
+SpXbKDqrmM+U2lUyrcmHRapHvwBaKU5LKumsshurP62DlpcZ6Imasmtlm9t+NJfP
+esTEKAhzuRGwcEaOXkvksK7QXEwl3q4da4ST/+qjfnYq/gA6PFgHHWRo8qXPa62H
+pPcYkCiCfd4oYSSqH6kEeym2upDVVjtAo6y7ytQU0DNs51vR+ePL9qd3WVWnzm9z
+66V9ZUCqfU1LY4dAMEN8UH2QiXPVyFG/Y2lb7gtltI7D2D4C63vgCS657cRcOMg/
+xbiYXaVh0BQvJkznyv+IOkU8a42Uth/CX7Tv9N2n4X5accV82oUHtW3BbeYxW4Wb
+dTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/Tdc+yg7NxOHPpJ6ZULK6d9n1glV5
+PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb
+b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz
+ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn
+kwIDAQABo2AwXjAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
+BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIGigs3CZO1DdnaxZwUghMm95NAX
+D7vKYFAmoNtbVBv1NAfpv23XOhAzccEFGg20XEa1t2z0Nfct9NDXxZ2VCgU+9vws
+d96EBkufgnKrc/hLxRnVsExQxy5FKYz/d5LePeYd1OFS0bw+DRpzEnFZm34vpToj
+mku845LtHbeZEzaVdzaSu9m7YcoENGgGuOlsgvp/qB6MlxI0fHG5M2M5aLnIEyIv
+QAMmX42eJ09jhaLr8dl2zLImyIYO0dMO0NNl5gU01cpJ5REHJ3e3oUDUJ5ZZCL51
+/VYSd/btHYRCdH/w6FSUOGGwU38LhhbeD94103gkKS5bfIui77sY0F3jRIluVQci
+PnKzRNsfl5uL8KICDJtT6uNwkhSG4ucYNAb21eo6idzyMe4qdJz1poPjmph19rnU
+oAE/0+jqOyVErBZuRAL9wbQg1Prqx1WBsOIUyi5Y7qAUt+AuDt0uf4mdRnE1yDvw
+o0CIz3XLD1YoHXqJ/Nu1By1fI2zA0Y7osSX4SzfbD0EUXqjUyy80KrvKmJaV8lMd
+1/jGHuApNQjZFwbY+RN0OTtDk7zPAETaGz/15BEmVDpq0OAVqe0XrXpQfaYwHzzq
+TsOvVYZSj2gsDbKzM8tmCkLoS+Yh5ubxaoIE2qCjvFNXZwFzqQtDgBKQhjuE54+K
+lweZ5hgUkLPf5EW0
+-----END CERTIFICATE-----

packages/container-vault-start-config/cakey.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQD4hjplzpqaXoWL
+/8bex/zBStuYmBuOGvIELS5aiHfwXfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsAR
+e/0cHn438rVbeFK6cJl/kXlwGMOySpXbKDqrmM+U2lUyrcmHRapHvwBaKU5LKums
+shurP62DlpcZ6Imasmtlm9t+NJfPesTEKAhzuRGwcEaOXkvksK7QXEwl3q4da4ST
+/+qjfnYq/gA6PFgHHWRo8qXPa62HpPcYkCiCfd4oYSSqH6kEeym2upDVVjtAo6y7
+ytQU0DNs51vR+ePL9qd3WVWnzm9z66V9ZUCqfU1LY4dAMEN8UH2QiXPVyFG/Y2lb
+7gtltI7D2D4C63vgCS657cRcOMg/xbiYXaVh0BQvJkznyv+IOkU8a42Uth/CX7Tv
+9N2n4X5accV82oUHtW3BbeYxW4WbdTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/
+Tdc+yg7NxOHPpJ6ZULK6d9n1glV5PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8t
+pZqBmjhMWQddwAd5MZGWS0VBKBZbb5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAd
+Mpw+wQcZQ+6twIpAQU3k6imJ4yGzZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x4
+9uAi5KpTBeeY/lLMnFLRa5sDUtLnkwIDAQABAoICABokGFFsHXP+XELBGTyGwa3d
+P2L6IO/eIrXQwM7yCtekMg56lPoJ3W0IJbvPD4Kyl8PRbGEYOqbiueQ86/9Ar9sX
+sv7XlbAZtvOlrCXf3PnMgZ3HSgCRtsf7/Tky8X9Ckyovy4wwSxV6ApFRPLrTHF+6
+f9NQU+ULPmO2NKy+QHeo/Lh7U4REo7kw3iMMhSQdd43gH3xeQ2dBz3S31wjyfOCB
+zilR/ppk+5JUb591PpAFiJ4zT6eGMM+DhFVGtkML53PahPCDvQDMFpe8Onmj+rzK
+Syy3gcALBkt2AJ4Bh1SkpUge1eH5Ax/abLgSO48Acmy5II+MnhipDsSGMfm1N8zp
+yjzitqay1B/8VHu8FJ7up4XbLvvhjG3uKLchARJ9pGjJ8JYdFNcxv+ZBD2H111J5
+b5XHHII1W/6wgpcB6SesasjoTe/jJhPPosvUT+QuT3IG46TDE4ct8+20kSP3vmm4
+FtgfyMFNqh7/GR42UMDjMcx+zCUPpQj9KTH1KUHnW/tQqqb0+lCwTw9vuMBxxysD
+KjG5qxaLqY9uIQ3h+hSuTGtPOIFt3uMrZMp6R1pMmWr+imPED7NAildbOqsCxI00
+1icPp43vOVdFYIlVX3FZLGUg5c9SkTv5O628HUoHQM+TPqG6bysA+w/pL2d9ByPX
+5N3LfbqPTr9PYYd6owNBAoIBAQD89s1MDFY1E6cuP8ut2avrwJzqm0u7FzCxbXC9
+PUgzUKdcVZ7ilQxEM8GRijq0HegefycPwR5oYF8OtpXsuXJ81q69jW1hYHWTSER2
+VrjWhF5TiKoaiLW1YfSX3IQRZ2zpLKRKC1IvsOzd115Yl0gjHBXlK875z3t2d61q
+grCG/QjfXer+5pJsOjxROS+lob6pDohHJLIaRYheLRVstiG+o0pk6LCVo1UPqdQN
+rZ6pUoBZjaX56alP1xexMguN1/2GRTgkk1BUdOJ/wfpQv6VW7EpdwwkVJxZ+c77P
+6zy6FkELtSCuEYt8ETmCnYzUBJs58ZSKqar4+BFD4b4w1nRTAoIBAQD7gckhaW7G
+gHZsiaGfgsnf7kVJmeBJ5WnCTAXRDUQRK+/KEz+4uyVFoeX0czIoviYOWOn6Sg4I
+qHIUkYkIG/aOCo0z5HnxoXwAA5HY/3ZLzMGlM2sqoQpPCFUQE//a5eYfSyyOVFQO
+LoJpJyPIWppYPPo6AMy/OTXl9R6I/kN98cya8scWfwakNfgA8jhnii0ezEr1WwR8
+nrK2SBhO9Rl2FcUSNXbOtk8BmcimW5IoDiATssLyReEqoQhrCgt8It90OtozT1GQ
+qjL7ZG786s02YuBddU5t27qbqFGn4XXQk3ArCFsOUqUf8Lj5U6mZ75sNRrU1O8NB
+J4Q7E+geT1fBAoIBAEmuVXPuL/n7xHlLKbd0rIfZrZsEKtXO1mcHuovUWsBfoK/b
+XJEg2tbOwHX07k5iW6buYGFNXd8HGwj9E8RE690C5xjdJdv0Lar9pLtXXTVWjucD
+6pAZ+9teMdE98NXk6ysrzpqmm4S6ovOm9JsXTXK0jogW742B6rNB/qgEcwiOkVQG
+Vhly7XlKqSD7aC51Y0R4sCcQwDO4xxSvSwtELaYKh/PGdxDO50rNq69kP8+P8USk
+ZpDZh3By9TqumgDxxa2jYcv9gKto9EREKvX0LGOaJbsTwQSBQyMH8a88FI8bRkzz
+sBYjlB5KIhcybr+eq9v/ysVs0Bj+oIDGMxCklnMCggEAcT+hl1/oN43ExV673h2A
+VUru/BNDwUKB+rFMtTNqAOlt0eoU+VOblt0ttILihSIJ9M/om4EZDKD8rXJS58nf
+nVn29vTcTAdQ1JjG5ZUyaTNLxt1+VfWptKil1NWMkb6PfmvVJkmmh7Q9mKe9Hwxd
+D3p1mgSeLUTPljpng3wqW92zKdpD90c/cFW01Ig9CbJYWtPWtOBFBvBWvGl+OJ94
+1Yk78dUNKEtDDA95IB9/knW5z+Tgj0MT/qQALGKbhUwWnjmZ4xzGN4PL7RLuPwhj
+Wyfuq2aU6DbWshx6mEOXT1H0YgwjJDHmlJlKUUpwxhX0FWhPVCcS5pWqnwd5r5w+
+gQKCAQAG6FIn1Gh0kqlMZBp0g/NXXaC+ZqKu/GzDk5o0inGaZXjlE0XlgjAHZBCn
+DlxQsZiA1rXTOZu9oIvaVD5Kqr9PmCiRc0a17CNVK6dfBHBI4+vscVaZev10BjAD
+tIvZ+E9SqP7MRWYmNeOhSVPtty9VWCwAcKFP4zhAqfykyl9EzFvLFuoYNWy36Ggm
+EpSWHzD3ju/t/31FcAWyQ3ZzN9Z6zAd909S3YvTfBRY2HLiXzKSRKT+4BzKr5UkG
+y1aXeDQQlykdxehMU7EFu9pzFR+P3iTTh93qbcSgrWIDVUjBGhnLI03wxlLN2XPA
+ddNNT9BMXrut8KdPM9+L+8v5a57L
+-----END PRIVATE KEY-----

packages/container-vault-start-config/config.hcl

@@ -0,0 +1,55 @@
+# Parameter needed because of slow plugin loading
+# may be relaxed for faster machines
+#http_read_header_timeout = 0
+#http_read_timeout = 300
+
+disable_mlock = true
+ui            = false
+
+listener "tcp" {
+  address            = "0.0.0.0:8210"
+  cluster_address    = "0.0.0.0:8211"
+  tls_disable        = false
+  tls_cert_file      = "/opt/vault/tls/tls.crt"
+  tls_key_file       = "/opt/vault/tls/tls.key"
+  tls_client_ca_file = "/opt/vault/cacert.pem"
+}
+
+storage "raft" {
+  path    = "/opt/vault/data/"
+  # override vial env var VAULT_RAFT_NODE_ID
+  node_id = "vault-1"
+
+  # Parameter needed because of slow plugin loading
+  # may be relaxed for faster machines
+  # performance_multiplier = 200
+  #autopilot_reconcile_interval = "120s"
+  #autopilot_update_interval = "60s"
+
+  retry_join {
+    leader_api_addr         = "https://vault-1:8210"
+    leader_ca_cert_file     = "/opt/vault/cacert.pem"
+    leader_client_cert_file = "/opt/vault/tls/tls.crt"
+    leader_client_key_file  = "/opt/vault/tls/tls.key"
+  }
+  retry_join {
+    leader_api_addr         = "https://vault-2:8210"
+    leader_ca_cert_file     = "/opt/vault/cacert.pem"
+    leader_client_cert_file = "/opt/vault/tls/tls.crt"
+    leader_client_key_file  = "/opt/vault/tls/tls.key"
+  }
+  retry_join {
+    leader_api_addr         = "https://vault-3:8210"
+    leader_ca_cert_file     = "/opt/vault/cacert.pem"
+    leader_client_cert_file = "/opt/vault/tls/tls.crt"
+    leader_client_key_file  = "/opt/vault/tls/tls.key"
+  }
+}
+
+# path of plugin binaries
+plugin_directory = "/opt/vault/plugins"
+
+# override via env var VAULT_API_ADDR
+api_addr     = "https://vault:8210"
+# override via env var VAULT_CLUSTER_ADDR
+cluster_addr = "https://vault:8211"

packages/container-vault-start-config/default.nix

@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+
+# TODO: This derivation is a temporary workaround for
+# creating a self-signed certificate for Vault and the unseal TEE.
+# It will be replaced with real RA-TLS.
+{ lib
+, stdenv
+}:
+stdenv.mkDerivation rec {
+  name = "container-vault-start-config";
+  src = with lib.fileset; toSource {
+    root = ./.;
+    fileset = unions [
+      ./cacert.pem
+      ./cakey.pem
+      ./config.hcl
+    ];
+  };
+
+  phases = "installPhase";
+  postInstall = ''
+    mkdir -p $out/opt/vault
+    cp -r $src/* $out/opt/vault
+
+    mkdir -p $out/etc
+    printf "precedence ::ffff:0:0/96  100\n" > $out/etc/gai.conf
+  '';
+}