feat: use nixsgx nix function to create containers

It refactors the way the SGX containers are built.
This removes all `Dockerfile` and gramine manifest files.
It also enables a single recipe for azure and non-azure variants.

Additionally the `teepot-crate.nix` is now the inherited recipe to
build the rust `teepot` crate.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

packages/container-vault-sgx-azure/default.nix

@@ -1,54 +1,92 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
-{ pkgs
-, vat
-, nixsgx
-, curl
+{ lib
+, pkgs
+, inputs
 , teepot
-, bash
-, coreutils
-, openssl
+, nixsgx
+, vat
 , vault
+, container-name ? "teepot-vault-sgx-azure"
+, tag ? "latest"
+, isAzure ? true
 }:
-let manifest = ./vault.manifest.toml;
-in pkgs.dockerTools.buildLayeredImage {
-  name = "teepot-vault-sgx-azure";
-  tag = "base";
+let
+  entrypoint = "${teepot.teepot.tee_ratls_preexec}/bin/tee-ratls-preexec";
+  appDir = "/opt/vault";
+in
+pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {
+  name = container-name;
+  inherit tag;
+  inherit appDir;
 
-  config.Entrypoint = [ "/bin/sh" "-c" ];
+  packages = [
+    teepot.teepot.tee_ratls_preexec
+    vault
+    vat.vault-auth-tee
+    teepot.container-vault-start-config
+  ];
+  inherit entrypoint;
 
-  contents = pkgs.buildEnv {
-    name = "image-root";
+  isAzure = true;
 
-    paths = with pkgs.dockerTools; with nixsgx;[
-      bash
-      coreutils
-      teepot.teepot.tee_ratls_preexec
-      vault
-      azure-dcap-client
-      openssl.out
-      curl.out
-      vat.vault-auth-tee
-      gramine
-      restart-aesmd
-      sgx-dcap.quote_verify
-      sgx-psw
-      usrBinEnv
-      binSh
-      caCertificates
-      fakeNss
-      teepot.container-vault-start-config
+  extraPostBuild = ''
+    mkdir -p $out/${appDir}/{data,.cache,tls,plugins}
+    ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/opt/vault/plugins
+  '';
+
+  manifest = {
+    loader = {
+      argv = [
+        entrypoint
+        "--"
+        "${vault}/bin/vault"
+        "server"
+        "-config=/opt/vault/config.hcl"
+        "-log-level=trace"
+      ];
+      log_level = "error";
+      env = {
+        VAULT_CLUSTER_ADDR.passthrough = true;
+        VAULT_API_ADDR.passthrough = true;
+        VAULT_RAFT_NODE_ID.passthrough = true;
+
+        DNS_NAMES = "vault-1,vault-2,vault-3";
+
+        # otherwise vault will lock a lot of unused EPC memory
+        VAULT_RAFT_INITIAL_MMAP_SIZE = "0";
+
+        # possible tweak option, if problems with raft
+        # VAULT_RAFT_DISABLE_MAP_POPULATE = "true"
+      };
+    };
+
+    fs.mounts = [
+      { type = "tmpfs"; path = "/opt/vault/tls"; }
+      { type = "encrypted"; path = "/opt/vault/.cache"; uri = "file:/opt/vault/.cache"; key_name = "_sgx_mrsigner"; }
+      { type = "encrypted"; path = "/opt/vault/data"; uri = "file:/opt/vault/data"; key_name = "_sgx_mrsigner"; }
     ];
-    pathsToLink = [ "/bin" "/lib" "/etc" "/opt/vault" ];
-    postBuild = ''
-      mkdir -p $out/var/run
-      mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/
-      mkdir -p $out/opt/vault/data $out/opt/vault/.cache $out/opt/vault/tls
-      ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/
-      ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1
-      mkdir -p $out/opt/vault/plugins
-      ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/opt/vault/plugins
-      cp ${manifest} $out/opt/vault/vault.manifest.toml
-    '';
+
+    sgx = {
+      debug = false;
+      edmm_enable = false;
+      enclave_size = "8G";
+      max_threads = 64;
+      nonpie_binary = true;
+
+      trusted_files = [
+        "file:/opt/vault/plugins/"
+        "file:/opt/vault/config.hcl"
+        "file:/opt/vault/cacert.pem"
+        "file:/opt/vault/cakey.pem"
+      ];
+
+    };
+
+    sys.stack.size = "1M";
+    # vault needs flock
+    sys.experimental__enable_flock = true;
   };
 }
+
+