feat: add zksync_tee_prover and container to nix

```
$ nix build -L .#tee_prover
$ nix build -L .#container-tee_prover-dcap
$ nix build -L .#container-tee_prover-azure
$ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')

$ docker run -i --env GRAMINE_DIRECT=1 --env TEE_API_URL="http://127.0.0.1:3320" --privileged --init $IMAGE_TAG
```

Signed-off-by: Harald Hoyer <[email protected]>

core/bin/zksync_tee_prover/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "zksync_tee_prover"
-version.workspace = true
+version = "0.1.0"
 edition.workspace = true
 authors.workspace = true
 homepage.workspace = true

etc/nix/README.md

@@ -0,0 +1,86 @@
+# Declarative and Reproducible builds with Nix
+
+This directory contains the nix build recipes for various components of this project. Most importantly it is used to
+reproducible build `zksync_tee_prover` reproducibly and create a container containing all what is needed to run it on an
+SGX machine.
+
+## Prerequisites
+
+Install [nix](https://zero-to-nix.com/start/install).
+
+In `~/.config/nix/nix.conf`
+
+```ini
+experimental-features = nix-command flakes
+sandbox = true
+```
+
+or on nixos in `/etc/nixos/configuration.nix` add the following lines:
+
+```nix
+{
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      sandbox = true
+    '';
+  };
+}
+```
+
+## Build
+
+Build various components of this project with `nix`.
+
+### Build as the CI would
+
+```shell
+$ nix run github:nixos/nixpkgs/nixos-23.11#nixci
+```
+
+### Build individual parts
+
+```shell
+$ nix build .#zksync_server
+```
+
+or
+
+```shell
+$ nix build .#zksync_server.contract_verifier
+$ nix build .#zksync_server.external_node
+$ nix build .#zksync_server.server
+$ nix build .#zksync_server.snapshots_creator
+$ nix build .#zksync_server.block_reverter
+```
+
+or
+
+```shell
+$ nix build .#tee_prover
+$ nix build .#container-tee_prover-dcap
+$ nix build .#container-tee_prover-azure
+```
+
+## Develop
+
+`nix` can provide the build environment for this project.
+
+```shell
+$ nix develop
+```
+
+optionally create `.envrc` for `direnv` to automatically load the environment when entering the main directory:
+
+```shell
+$ cat <<EOF > .envrc
+use flake .#
+EOF
+$ direnv allow
+```
+
+### Format for commit
+
+```shell
+$ nix run .#fmt
+```

etc/nix/container-tee-prover.nix

@@ -0,0 +1,48 @@
+{ pkgs
+, nixsgxLib
+, teepot
+, tee_prover
+, container-name
+, isAzure ? true
+, tag ? null
+}:
+let
+  name = container-name;
+  entrypoint = "${teepot.teepot.tee_key_preexec}/bin/tee-key-preexec";
+in
+nixsgxLib.mkSGXContainer {
+  inherit name;
+  inherit tag;
+
+  packages = [ teepot.teepot.tee_key_preexec tee_prover ];
+  inherit entrypoint;
+  inherit isAzure;
+
+  manifest = {
+    loader = {
+      argv = [
+        entrypoint
+        "${tee_prover}/bin/zksync_tee_prover"
+      ];
+
+      log_level = "error";
+
+      env = {
+        TEE_API_URL.passthrough = true;
+        API_PROMETHEUS_LISTENER_PORT.passthrough = true;
+        API_PROMETHEUS_PUSHGATEWAY_URL.passthrough = true;
+        API_PROMETHEUS_PUSH_INTERVAL_MS.passthrough = true;
+
+        ### DEBUG ###
+        RUST_BACKTRACE = "1";
+        RUST_LOG = "warning,zksync_tee_prover=debug";
+      };
+    };
+
+    sgx = {
+      edmm_enable = false;
+      enclave_size = "32G";
+      max_threads = 128;
+    };
+  };
+}

etc/nix/devshell.nix

@@ -0,0 +1,41 @@
+{ pkgs
+, stdenv
+, zksync_server
+, hardeningEnable
+}:
+with pkgs; mkShell.override { inherit stdenv; } {
+  inputsFrom = [ zksync_server ];
+
+  packages = [
+    docker-compose
+    nodejs
+    yarn
+    axel
+    postgresql
+    python3
+    solc
+    sqlx-cli
+    mold
+  ];
+
+  inherit hardeningEnable;
+
+  shellHook = ''
+    export ZKSYNC_HOME=$PWD
+    export PATH=$ZKSYNC_HOME/bin:$PATH
+    export RUSTFLAGS='-C link-arg=-fuse-ld=${pkgs.mold}/bin/mold'
+    export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="clang"
+
+    if [ "x$NIX_LD" = "x" ]; then
+      export NIX_LD=$(<${clangStdenv.cc}/nix-support/dynamic-linker)
+    fi
+    if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then
+      export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH"
+    else
+      export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH"
+    fi
+  '';
+
+  ZK_NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ ];
+}
+

etc/nix/tee-prover.nix

@@ -0,0 +1,11 @@
+{ cargoArtifacts
+, craneLib
+, versionSuffix
+, commonArgs
+}:
+craneLib.buildPackage (commonArgs // {
+  pname = "zksync_tee_prover";
+  version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+  cargoExtraArgs = "-p zksync_tee_prover --bin zksync_tee_prover";
+  inherit cargoArtifacts;
+})

etc/nix/zksync-server.nix

@@ -0,0 +1,41 @@
+{ cargoArtifacts
+, craneLib
+, versionSuffix
+, commonArgs
+}:
+craneLib.buildPackage (commonArgs // {
+  pname = "zksync";
+  version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+  cargoExtraArgs = "--all";
+  inherit cargoArtifacts;
+
+  outputs = [
+    "out"
+    "contract_verifier"
+    "external_node"
+    "server"
+    "snapshots_creator"
+    "block_reverter"
+  ];
+
+  postInstall = ''
+    mkdir -p $out/nix-support
+    for i in $outputs; do
+      [[ $i == "out" ]] && continue
+      mkdir -p "''${!i}/bin"
+      echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
+      if [[ -e "$out/bin/zksync_$i" ]]; then
+        mv "$out/bin/zksync_$i" "''${!i}/bin"
+      else
+        mv "$out/bin/$i" "''${!i}/bin"
+      fi
+    done
+
+    mkdir -p $external_node/nix-support
+    echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages
+
+    mv $out/bin/merkle_tree_consistency_checker $server/bin
+    mkdir -p $server/nix-support
+    echo "block_reverter" >> $server/nix-support/propagated-user-env-packages
+  '';
+})