add sgx machine

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>

systems/x86_64-linux/sgx/default.nix

@@ -0,0 +1,276 @@
+{ pkgs, lib, ... }:
+with lib;
+with lib.plusultra;
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  networking.hostName = "sgx"; # Define your hostname.
+
+  system.autoUpgrade = {
+    enable = true;
+    operation = "boot";
+    allowReboot = false;
+    flags = [
+      "--update-input"
+      "nixpkgs"
+      "--update-input"
+      "unstable"
+    ];
+    flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx";
+  };
+
+  plusultra.gui.enable = false;
+  plusultra.nix.enable = true;
+  plusultra.nix.extra-substituters = {
+    "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+  };
+
+  boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+    tmp.cleanOnBoot = true;
+    loader = {
+      systemd-boot.enable = false;
+      efi.canTouchEfiVariables = true;
+      timeout = 2;
+    };
+    initrd.systemd.enable = true;
+    kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+  };
+
+
+  # Configure console keymap
+  console.keyMap = "us";
+  i18n.extraLocaleSettings = {
+    LC_MESSAGES = "en_US.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+
+  environment = {
+    sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
+    systemPackages = with pkgs; [
+      age
+      bash
+      cachix
+      cifs-utils
+      clevis
+      delta
+      efibootmgr
+      git
+      git-delete-merged-branches
+      home-manager
+      htop
+      mosh
+      nixpkgs-fmt
+      openssl
+      restic
+      rrsync
+      sbctl
+      sops
+      strace
+      tmux
+      tpm2-pkcs11
+      tpm2-pkcs11.out
+      tpm2-tools
+      vim
+      virt-manager
+      wget
+    ];
+    shells = [ pkgs.fish pkgs.bash ];
+  };
+
+  hardware = {
+    cpu = {
+      amd.updateMicrocode = lib.mkDefault true;
+      intel.updateMicrocode = lib.mkDefault true;
+    };
+    enableRedistributableFirmware = lib.mkDefault true;
+    enableAllFirmware = true;
+  };
+
+  programs = {
+    dconf.enable = true;
+    bash = {
+      ## shellInit = ''
+      interactiveShellInit = ''
+        bind '"\e[A": history-search-backward'
+        bind '"\e[B": history-search-forward'
+      '';
+    };
+    starship.enable = true;
+    mosh.enable = true;
+    vim.defaultEditor = true;
+    fish.enable = true;
+  };
+
+  powerManagement.cpuFreqGovernor = "ondemand";
+
+  services = {
+    dbus.implementation = "broker";
+    dbus.packages = [ pkgs.gcr ];
+    fail2ban.enable = false;
+    fwupd.enable = true;
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "prohibit-password";
+      settings.X11Forwarding = true;
+    };
+  };
+
+  security = {
+    tpm2.enable = lib.mkDefault true;
+    tpm2.abrmd.enable = lib.mkDefault true;
+    sudo = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+  };
+
+  system.stateVersion = "23.11";
+
+  time.timeZone = "Europe/Berlin";
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
+    "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
+  ];
+
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # For Nixos version > 22.11
+      defaultNetwork.settings = { dns_enabled = true; };
+    };
+  };
+
+  programs.nix-ld.enable = true;
+
+  # Sets up all the libraries to load
+  programs.nix-ld.libraries = with pkgs; [
+    SDL
+    SDL2
+    SDL2_image
+    SDL2_mixer
+    SDL2_ttf
+    SDL_image
+    SDL_mixer
+    SDL_ttf
+    alsa-lib
+    at-spi2-atk
+    at-spi2-core
+    atk
+    bzip2
+    cairo
+    cups
+    curlWithGnuTls
+    dbus
+    dbus-glib
+    desktop-file-utils
+    e2fsprogs
+    expat
+    flac
+    fontconfig
+    freeglut
+    freetype
+    fribidi
+    fuse
+    fuse3
+    gdk-pixbuf
+    glew110
+    glib
+    gmp
+    gst_all_1.gst-plugins-base
+    gst_all_1.gst-plugins-ugly
+    gst_all_1.gstreamer
+    gtk2
+    harfbuzz
+    icu
+    keyutils.lib
+    libGL
+    libGLU
+    libappindicator-gtk2
+    libcaca
+    libcanberra
+    libcap
+    libclang.lib
+    libdbusmenu
+    libdrm
+    libgcrypt
+    libgpg-error
+    libidn
+    libjack2
+    libjpeg
+    libmikmod
+    libogg
+    libpng12
+    libpulseaudio
+    librsvg
+    libsamplerate
+    libthai
+    libtheora
+    libtiff
+    libudev0-shim
+    libusb1
+    libuuid
+    libvdpau
+    libvorbis
+    libvpx
+    libxcrypt-legacy
+    libxkbcommon
+    libxml2
+    mesa
+    nspr
+    nss
+    openssl
+    p11-kit
+    pango
+    pixman
+    python3
+    speex
+    stdenv.cc.cc
+    tbb
+    udev
+    vulkan-loader
+    wayland
+    xorg.libICE
+    xorg.libSM
+    xorg.libX11
+    xorg.libXScrnSaver
+    xorg.libXcomposite
+    xorg.libXcursor
+    xorg.libXdamage
+    xorg.libXext
+    xorg.libXfixes
+    xorg.libXft
+    xorg.libXi
+    xorg.libXinerama
+    xorg.libXmu
+    xorg.libXrandr
+    xorg.libXrender
+    xorg.libXt
+    xorg.libXtst
+    xorg.libXxf86vm
+    xorg.libpciaccess
+    xorg.libxcb
+    xorg.xcbutil
+    xorg.xcbutilimage
+    xorg.xcbutilkeysyms
+    xorg.xcbutilrenderutil
+    xorg.xcbutilwm
+    xorg.xkeyboardconfig
+    xz
+    zlib
+  ];
+
+}

systems/x86_64-linux/sgx/hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.blacklistedKernelModules = [ "iwlwifi" "snd_hda_intel" "hdaudio" "btintel" "bluetooth" ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/C902-1AF5";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}