feat: add docker deployment for signing enclave

.gitignore

@@ -0,0 +1,2 @@
+.env
+/.idea

README.md

@@ -1 +1,19 @@
-# trusted-contract-signing-enclave-deployment
+# trusted-contract-signing-enclave-deployment
+This is a Docker Compose based deployment of [nautilus-wallet](https://github.com/ntls-io/nautilus-wallet).
+
+## Services
+
+### HTTP ingress: `nginx-proxy`
+
+This runs [nginx-proxy] and exposes ports 80 and 443, forwarding HTTP requests through to the other services (which listen on internal ports).
+
+[nginx-proxy]: https://github.com/nginx-proxy/nginx-proxy
+
+#### Configuration
+
+TLS certificates are mounted from `/etc/nginx/certs` on the host, and the proxied services use `VIRTUAL_HOST` and `CERT_NAME` to configure which host name and certificate should proxy to them.
+
+### APIs: `trusted-contract-main-api`
+
+These run the individual Wallet TEEs using the host's SGX devices, each with a Docker volume to persist wallet state (`/app/wallet_store`).
+

docker-compose.yaml

@@ -0,0 +1,39 @@
+# Ripple CBDC demo deployment
+
+networks:
+  trusted-contract-main:
+
+services:
+  # Docs: https://github.com/nginx-proxy/nginx-proxy
+  nginx-proxy:
+    image: nginxproxy/nginx-proxy:alpine
+    networks:
+      - trusted-contract-main
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - /etc/tls:/etc/nginx/certs:ro
+
+  trusted-contract-main-api:
+    image: ghcr.io/ntls-io/sgx-wallet-hw:ripple-cbdc-challenge
+    environment:
+      VIRTUAL_HOST: trusted-contract-main-api.ntls.io
+      BIND_ADDR: "0.0.0.0:8080"
+      CERT_NAME: ntls-api
+    networks:
+      - trusted-contract-main
+    volumes:
+      - trusted-contract-store-main:/app/vault_store
+    read_only: true
+    init: true
+    devices:
+      - /dev/sgx/enclave
+      - /dev/sgx/provision
+    expose:
+      - "8080"
+
+
+volumes:
+  trusted-contract-store-main: