From 811457161a4a8048276f14962da7c617dad00d1c Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 13 Nov 2025 16:01:58 +0100
Subject: [PATCH] chore(nix): refactor SGX configuration for nixtee1

- Removed SGX-specific settings including `aesmd_dcap`, `sgx_default_qcnl.conf`, and `security.tpm2` configurations.
- Updated `system.stateVersion` and switched kernel modules to `kvm-amd`.
- Adjusted disk UUIDs and removed unused `/boot` filesystem definition.
---
 .../{sgx-nixos => nixtee1}/default.nix | 25 +------------------
 .../hardware-configuration.nix | 13 ++++------
 2 files changed, 6 insertions(+), 32 deletions(-)
 rename systems/x86_64-linux/{sgx-nixos => nixtee1}/default.nix (56%)
 rename systems/x86_64-linux/{sgx-nixos => nixtee1}/hardware-configuration.nix (79%)

diff --git a/systems/x86_64-linux/sgx-nixos/default.nix b/systems/x86_64-linux/nixtee1/default.nix
similarity index 56%
rename from systems/x86_64-linux/sgx-nixos/default.nix
rename to systems/x86_64-linux/nixtee1/default.nix
index c8eb488..25d8cb4 100644
--- a/systems/x86_64-linux/sgx-nixos/default.nix
+++ b/systems/x86_64-linux/nixtee1/default.nix
@@ -9,19 +9,12 @@ with lib.metacfg;
 {
   imports = [ ./hardware-configuration.nix ];
-  boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
   boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
-  networking.firewall.extraCommands = ''
-    iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
-    iptables -t nat -A POSTROUTING -j MASQUERADE
-  '';
-
   metacfg = {
     base.enable = true;
     nix-ld.enable = true;
     nix.enable = true;
-    aesmd_dcap.enable = true;
     podman.enable = true;
     user.extraGroups = [
       "docker"
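Review bot: Dropping `networking.firewall.extraCommands` and the `route_localnet` sysctl does not undo either on a host that is already running the old generation: the two `-t nat` rules were appended to the kernel's OUTPUT and POSTROUTING chains rather than to a nixos-fw chain, so the firewall reload on switch leaves them in place, and no `networking.firewall.extraStopCommands` ever existed to delete them. Likewise `net.ipv4.conf.all.route_localnet` stays at 1 in the running kernel once its declaration is gone, since a switch only applies values that are still declared. If nixtee1 is a fresh install this is moot; if it is the renamed sgx-nixos host, reboot after the switch or flush the nat table by hand, and confirm with `sysctl net.ipv4.conf.all.route_localnet`. The unconditional `POSTROUTING -j MASQUERADE` is the one to verify is gone, as it applied source NAT to everything leaving the host rather than just the 8081 redirect.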
@@ -32,19 +25,6 @@ with lib.metacfg;
     };
   };
-  environment.etc."sgx_default_qcnl.conf".text = ''
-    {
-      "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
-      "use_secure_cert": false,
-      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
-      "retry_times": 6,
-      "retry_delay": 10,
-      "pck_cache_expire_hours": 168,
-      "verify_collateral_cache_expire_hours": 168,
-      "local_cache_only": false
-    }
-  '';
-
   virtualisation = {
     docker.enable = true;
     podman.dockerCompat = false;
@@ -56,9 +36,6 @@ with lib.metacfg;
     allowReboot = true;
   };
-  security.tpm2.enable = false;
-  security.tpm2.abrmd.enable = false;
-
   networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
   networking.firewall.allowPing = true;
@@ -82,5 +59,5 @@ with lib.metacfg;
     }
   ];
-  system.stateVersion = "23.11";
+  system.stateVersion = "25.05";
 }
diff --git a/systems/x86_64-linux/sgx-nixos/hardware-configuration.nix b/systems/x86_64-linux/nixtee1/hardware-configuration.nix
similarity index 79%
rename from systems/x86_64-linux/sgx-nixos/hardware-configuration.nix
rename to systems/x86_64-linux/nixtee1/hardware-configuration.nix
index 0d918a2..bd10d64 100644
--- a/systems/x86_64-linux/sgx-nixos/hardware-configuration.nix
+++ b/systems/x86_64-linux/nixtee1/hardware-configuration.nix
@@ -10,7 +10,9 @@
 }:
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
   boot.initrd.availableKernelModules = [
     "ahci"
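Review bot: `system.stateVersion` moves from "23.11" to "25.05" in the last default.nix hunk, which is only correct if nixtee1 is a fresh installation; the option pins on-disk data formats and should never be bumped on a system that keeps the original state. The rename from sgx-nixos and the new root UUID in hardware-configuration.nix suggest a reinstall, but the commit message lists the bump among routine cleanups without saying so. A short comment next to the line, such as `# fresh install on new disk; do not change on an existing system`, would settle the question for the next reader.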
@@ -20,19 +22,14 @@
     "virtio_blk"
   ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
   fileSystems."/" = {
-    device = "/dev/disk/by-uuid/ebb90474-ddcb-484b-9663-d71863827af4";
+    device = "/dev/disk/by-uuid/a5ea57a8-1254-4bc1-9a31-edde894670bc";
     fsType = "ext4";
   };
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/941C-7B02";
-    fsType = "vfat";
-  };
-
   swapDevices = [ ];
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
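Review bot: Removing `fileSystems."/boot"` leaves this hardware configuration with a single ext4 root and no ESP mount, so it only boots if the loader settings for nixtee1 (outside this diff) use BIOS GRUB installed to the root disk; if `boot.loader.systemd-boot.enable` or an EFI `efiSysMountPoint` of `/boot` is still set, the bootloader install step will fail because `/boot` is no longer a FAT partition. Please confirm which loader is configured and record it next to `fileSystems."/"`, e.g. `# BIOS/GRUB guest: no separate ESP`. The `kvm-intel` to `kvm-amd` switch matches the new root UUID pointing at a different machine, but nothing in the file checks the CPU vendor; if this guest could be rebuilt on an Intel host, `boot.kernelModules = [ "kvm-amd" "kvm-intel" ];` avoids a silent no-op, as the module that does not match the CPU simply fails to load.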