harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

chore(nix): refactor SGX configuration for nixtee1

Browse source 
- Removed SGX-specific settings including `aesmd_dcap`, `sgx_default_qcnl.conf`, and `security.tpm2` configurations.
- Updated `system.stateVersion` and switched kernel modules to `kvm-amd`.
- Adjusted disk UUIDs and removed unused `/boot` filesystem definition.
This commit is contained in:
Harald Hoyer 2025-11-13 16:01:58 +01:00
parent 1511e72e83
commit 811457161a
2 changed files with 6 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

25
systems/x86_64-linux/sgx-nixos/default.nix → systems/x86_64-linux/nixtee1/default.nix
View file

@ -9,19 +9,12 @@ with lib.metacfg;
{ {
imports = [ ./hardware-configuration.nix ]; imports = [ ./hardware-configuration.nix ];
boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
networking.firewall.extraCommands = ''
iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
iptables -t nat -A POSTROUTING -j MASQUERADE
'';
metacfg = { metacfg = {
base.enable = true; base.enable = true;
nix-ld.enable = true; nix-ld.enable = true;
nix.enable = true; nix.enable = true;
aesmd_dcap.enable = true;
podman.enable = true; podman.enable = true;
user.extraGroups = [ user.extraGroups = [
"docker" "docker"
@ -32,19 +25,6 @@ with lib.metacfg;
}; };
}; };
environment.etc."sgx_default_qcnl.conf".text = ''
{
"pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
"use_secure_cert": false,
"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
"retry_times": 6,
"retry_delay": 10,
"pck_cache_expire_hours": 168,
"verify_collateral_cache_expire_hours": 168,
"local_cache_only": false
}
'';
virtualisation = { virtualisation = {
docker.enable = true; docker.enable = true;
podman.dockerCompat = false; podman.dockerCompat = false;
@ -56,9 +36,6 @@ with lib.metacfg;
allowReboot = true; allowReboot = true;
}; };
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
@ -82,5 +59,5 @@ with lib.metacfg;
} }
]; ];
system.stateVersion = "23.11"; system.stateVersion = "25.05";
} }

13
systems/x86_64-linux/sgx-nixos/hardware-configuration.nix → systems/x86_64-linux/nixtee1/hardware-configuration.nix
View file

@ -10,7 +10,9 @@
}: }:
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"ahci" "ahci"
@ -20,19 +22,14 @@
"virtio_blk" "virtio_blk"
]; ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/ebb90474-ddcb-484b-9663-d71863827af4"; device = "/dev/disk/by-uuid/a5ea57a8-1254-4bc1-9a31-edde894670bc";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/941C-7B02";
fsType = "vfat";
};
swapDevices = [ ]; swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking