sgx: add aesmd and refactor

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>

flake.lock

@@ -503,6 +503,22 @@
         "type": "github"
       }
     },
+    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -578,6 +594,24 @@
         "type": "github"
       }
     },
+    "flake-utils-plus_2": {
+      "inputs": {
+        "flake-utils": "flake-utils_5"
+      },
+      "locked": {
+        "lastModified": 1696331477,
+        "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "type": "github"
+      }
+    },
     "flake-utils_2": {
       "inputs": {
         "systems": "systems_2"
@@ -629,6 +663,24 @@
         "type": "github"
       }
     },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "flutter-tools": {
       "flake": false,
       "locked": {
@@ -1287,6 +1339,41 @@
         "type": "github"
       }
     },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1707091808,
+        "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixsgx-flake": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_5",
+        "snowfall-lib": "snowfall-lib"
+      },
+      "locked": {
+        "lastModified": 1709040449,
+        "narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=",
+        "owner": "matter-labs",
+        "repo": "nixsgx",
+        "rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07",
+        "type": "github"
+      },
+      "original": {
+        "owner": "matter-labs",
+        "repo": "nixsgx",
+        "type": "github"
+      }
+    },
     "nmd": {
       "flake": false,
       "locked": {
@@ -1890,7 +1977,8 @@
         "lanzaboote": "lanzaboote",
         "neovim-flake": "neovim-flake",
         "nixpkgs": "nixpkgs_4",
-        "snowfall-lib": "snowfall-lib",
+        "nixsgx-flake": "nixsgx-flake",
+        "snowfall-lib": "snowfall-lib_2",
         "sops-nix": "sops-nix",
         "unstable": "unstable"
       }
@@ -1999,6 +2087,29 @@
       "inputs": {
         "flake-compat": "flake-compat_3",
         "flake-utils-plus": "flake-utils-plus",
+        "nixpkgs": [
+          "nixsgx-flake",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696432959,
+        "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
+        "owner": "snowfallorg",
+        "repo": "lib",
+        "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "snowfallorg",
+        "repo": "lib",
+        "type": "github"
+      }
+    },
+    "snowfall-lib_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_4",
+        "flake-utils-plus": "flake-utils-plus_2",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -2131,6 +2242,21 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tabular": {
       "flake": false,
       "locked": {

flake.nix

@@ -28,6 +28,11 @@
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixsgx-flake = {
+      url = "github:matter-labs/nixsgx";
+      # inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs:
@@ -82,6 +87,10 @@
         disko.nixosModules.disko
       ];
 
+      overlays = with inputs; [
+        nixsgx-flake.overlays.default
+      ];
+
       outputs-builder = channels: {
         formatter = channels.nixpkgs.nixpkgs-fmt;
         defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; };

modules/nixos/nix-ld/default.nix

@@ -2,7 +2,7 @@
 
 with lib;
 with lib.plusultra;
-let cfg = config.plusultra.gui;
+let cfg = config.plusultra.nix-ld;
 in
 {
   options.plusultra.nix-ld = with types; {

modules/nixos/sgx/pccs/default.nix

@@ -0,0 +1,67 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.pccs;
+in
+{
+  options.plusultra.pccs = with types; {
+    enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
+    secret = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      example = literalExpression "config.sops.secrets.pccs.path";
+      description = lib.mdDoc "path to the pccs secret file";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg.secret != null;
+      message = "path to the pccs secret file is required when pccs is enabled";
+    }];
+
+    virtualisation = {
+      podman = {
+        enable = true;
+
+        # Create a `docker` alias for podman, to use it as a drop-in replacement
+        dockerCompat = true;
+
+        # For Nixos version > 22.11
+        defaultNetwork.settings = { dns_enabled = true; };
+      };
+    };
+
+    virtualisation.oci-containers.backend = "podman";
+    virtualisation.oci-containers.containers = {
+      # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
+      pccs = {
+        image = "docker.io/backslashhh/pccs:dcap_1_19";
+        autoStart = true;
+        ports = [ "8081:8081" ];
+        extraOptions = [
+          "--volume=/dev/log:/dev/log"
+          "--secret=PCCS_CONFIG,type=mount"
+        ];
+      };
+    };
+
+    systemd.services.pccs-secret =
+      {
+        description = "Inject pccs secret";
+        wantedBy = [ "multi-user.target" ];
+        before = [ "podman-pccs.service" ];
+
+        serviceConfig = {
+          EnvironmentFile = cfg.secret;
+          ExecStart = ''
+            -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
+          '';
+          RemainAfterExit = true;
+        };
+      };
+
+
+  };
+}

overlays/jetbrains-toolbox/default.nix

@@ -1,7 +1,5 @@
 { channels, ... }:
-
 final: prev:
-
 {
   inherit (channels.unstable) jetbrains-toolbox;
 }

overlays/nixsgx/default.nix

@@ -0,0 +1,5 @@
+{ channels, ... }:
+final: prev:
+{
+  inherit (channels.nixpkgs.nixsgx) sgx-psw;
+}

systems/x86_64-linux/sgx/default.nix

@@ -29,10 +29,17 @@ with lib.plusultra;
 
   networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
 
-  plusultra.gui.enable = false;
-  plusultra.nix.enable = true;
-  plusultra.nix.extra-substituters = {
-    "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+  services.aesmd.enable = true;
+
+  plusultra = {
+    pccs.enable = true;
+    pccs.secret = config.sops.secrets.pccs.path;
+    gui.enable = false;
+    nix-ld.enable = true;
+    nix.enable = true;
+    nix.extra-substituters = {
+      "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+    };
   };
 
   boot = {
@@ -157,154 +164,4 @@ with lib.plusultra;
     };
   };
 
-  virtualisation.oci-containers.backend = "podman";
-  virtualisation.oci-containers.containers = {
-
-    # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19
-    pccs = {
-      image = "registry.gitlab.com/haraldh/pccs:dcap_1_19";
-      autoStart = true;
-      ports = [ "8081:8081" ];
-      extraOptions = [
-        "--volume=/dev/log:/dev/log"
-        "--secret=PCCS_CONFIG,type=mount"
-      ];
-    };
-  };
-
-  systemd.services.pccs-secret =
-    {
-      description = "Inject pccs secret";
-      wantedBy = [ "multi-user.target" ];
-      before = [ "podman-pccs.service" ];
-
-      serviceConfig = {
-        EnvironmentFile = config.sops.secrets.pccs.path;
-        ExecStart = ''
-          -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
-        '';
-        RemainAfterExit = true;
-      };
-    };
-
-
-  programs.nix-ld.enable = true;
-
-  # Sets up all the libraries to load
-  programs.nix-ld.libraries = with pkgs; [
-    SDL
-    SDL2
-    SDL2_image
-    SDL2_mixer
-    SDL2_ttf
-    SDL_image
-    SDL_mixer
-    SDL_ttf
-    alsa-lib
-    at-spi2-atk
-    at-spi2-core
-    atk
-    bzip2
-    cairo
-    cups
-    curlWithGnuTls
-    dbus
-    dbus-glib
-    desktop-file-utils
-    e2fsprogs
-    expat
-    flac
-    fontconfig
-    freeglut
-    freetype
-    fribidi
-    fuse
-    fuse3
-    gdk-pixbuf
-    glew110
-    glib
-    gmp
-    gst_all_1.gst-plugins-base
-    gst_all_1.gst-plugins-ugly
-    gst_all_1.gstreamer
-    gtk2
-    harfbuzz
-    icu
-    keyutils.lib
-    libGL
-    libGLU
-    libappindicator-gtk2
-    libcaca
-    libcanberra
-    libcap
-    libclang.lib
-    libdbusmenu
-    libdrm
-    libgcrypt
-    libgpg-error
-    libidn
-    libjack2
-    libjpeg
-    libmikmod
-    libogg
-    libpng12
-    libpulseaudio
-    librsvg
-    libsamplerate
-    libthai
-    libtheora
-    libtiff
-    libudev0-shim
-    libusb1
-    libuuid
-    libvdpau
-    libvorbis
-    libvpx
-    libxcrypt-legacy
-    libxkbcommon
-    libxml2
-    mesa
-    nspr
-    nss
-    openssl
-    p11-kit
-    pango
-    pixman
-    python3
-    speex
-    stdenv.cc.cc
-    tbb
-    udev
-    vulkan-loader
-    wayland
-    xorg.libICE
-    xorg.libSM
-    xorg.libX11
-    xorg.libXScrnSaver
-    xorg.libXcomposite
-    xorg.libXcursor
-    xorg.libXdamage
-    xorg.libXext
-    xorg.libXfixes
-    xorg.libXft
-    xorg.libXi
-    xorg.libXinerama
-    xorg.libXmu
-    xorg.libXrandr
-    xorg.libXrender
-    xorg.libXt
-    xorg.libXtst
-    xorg.libXxf86vm
-    xorg.libpciaccess
-    xorg.libxcb
-    xorg.xcbutil
-    xorg.xcbutilimage
-    xorg.xcbutilkeysyms
-    xorg.xcbutilrenderutil
-    xorg.xcbutilwm
-    xorg.xkeyboardconfig
-    xz
-    zlib
-  ];
-
 }

systems/x86_64-linux/sgx/hardware-configuration.nix

@@ -5,7 +5,8 @@
 
 {
   imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
@@ -16,19 +17,20 @@
   boot.extraModprobeConfig = "options kvm_intel nested=1";
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
+    {
+      device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
       fsType = "btrfs";
       options = [ "subvol=@" ];
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/C902-1AF5";
+    {
+      device = "/dev/disk/by-uuid/C902-1AF5";
       fsType = "vfat";
     };
 
   swapDevices =
-    [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }
-    ];
+    [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's