sgx: add aesmd and refactor

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
2024-03-06 15:12:04 +01:00 · 2024-03-06 15:12:04 +01:00 · d0ad237493
commit d0ad237493
parent 69f4e8bcf9
8 changed files with 227 additions and 163 deletions
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@ -29,10 +29,17 @@ with lib.plusultra;

  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.

-  plusultra.gui.enable = false;
-  plusultra.nix.enable = true;
-  plusultra.nix.extra-substituters = {
-    "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+  services.aesmd.enable = true;
+
+  plusultra = {
+    pccs.enable = true;
+    pccs.secret = config.sops.secrets.pccs.path;
+    gui.enable = false;
+    nix-ld.enable = true;
+    nix.enable = true;
+    nix.extra-substituters = {
+      "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+    };
  };

  boot = {
@ -157,154 +164,4 @@ with lib.plusultra;
    };
  };

-  virtualisation.oci-containers.backend = "podman";
-  virtualisation.oci-containers.containers = {
-
-    # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19
-    pccs = {
-      image = "registry.gitlab.com/haraldh/pccs:dcap_1_19";
-      autoStart = true;
-      ports = [ "8081:8081" ];
-      extraOptions = [
-        "--volume=/dev/log:/dev/log"
-        "--secret=PCCS_CONFIG,type=mount"
-      ];
-    };
-  };
-
-  systemd.services.pccs-secret =
-    {
-      description = "Inject pccs secret";
-      wantedBy = [ "multi-user.target" ];
-      before = [ "podman-pccs.service" ];
-
-      serviceConfig = {
-        EnvironmentFile = config.sops.secrets.pccs.path;
-        ExecStart = ''
-          -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
-        '';
-        RemainAfterExit = true;
-      };
-    };
-
-
-  programs.nix-ld.enable = true;
-
-  # Sets up all the libraries to load
-  programs.nix-ld.libraries = with pkgs; [
-    SDL
-    SDL2
-    SDL2_image
-    SDL2_mixer
-    SDL2_ttf
-    SDL_image
-    SDL_mixer
-    SDL_ttf
-    alsa-lib
-    at-spi2-atk
-    at-spi2-core
-    atk
-    bzip2
-    cairo
-    cups
-    curlWithGnuTls
-    dbus
-    dbus-glib
-    desktop-file-utils
-    e2fsprogs
-    expat
-    flac
-    fontconfig
-    freeglut
-    freetype
-    fribidi
-    fuse
-    fuse3
-    gdk-pixbuf
-    glew110
-    glib
-    gmp
-    gst_all_1.gst-plugins-base
-    gst_all_1.gst-plugins-ugly
-    gst_all_1.gstreamer
-    gtk2
-    harfbuzz
-    icu
-    keyutils.lib
-    libGL
-    libGLU
-    libappindicator-gtk2
-    libcaca
-    libcanberra
-    libcap
-    libclang.lib
-    libdbusmenu
-    libdrm
-    libgcrypt
-    libgpg-error
-    libidn
-    libjack2
-    libjpeg
-    libmikmod
-    libogg
-    libpng12
-    libpulseaudio
-    librsvg
-    libsamplerate
-    libthai
-    libtheora
-    libtiff
-    libudev0-shim
-    libusb1
-    libuuid
-    libvdpau
-    libvorbis
-    libvpx
-    libxcrypt-legacy
-    libxkbcommon
-    libxml2
-    mesa
-    nspr
-    nss
-    openssl
-    p11-kit
-    pango
-    pixman
-    python3
-    speex
-    stdenv.cc.cc
-    tbb
-    udev
-    vulkan-loader
-    wayland
-    xorg.libICE
-    xorg.libSM
-    xorg.libX11
-    xorg.libXScrnSaver
-    xorg.libXcomposite
-    xorg.libXcursor
-    xorg.libXdamage
-    xorg.libXext
-    xorg.libXfixes
-    xorg.libXft
-    xorg.libXi
-    xorg.libXinerama
-    xorg.libXmu
-    xorg.libXrandr
-    xorg.libXrender
-    xorg.libXt
-    xorg.libXtst
-    xorg.libXxf86vm
-    xorg.libpciaccess
-    xorg.libxcb
-    xorg.xcbutil
-    xorg.xcbutilimage
-    xorg.xcbutilkeysyms
-    xorg.xcbutilrenderutil
-    xorg.xcbutilwm
-    xorg.xkeyboardconfig
-    xz
-    zlib
-  ];
-
 }
--- a/systems/x86_64-linux/sgx/hardware-configuration.nix
+++ b/systems/x86_64-linux/sgx/hardware-configuration.nix
@ -5,7 +5,8 @@

 {
  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
@ -16,19 +17,20 @@
  boot.extraModprobeConfig = "options kvm_intel nested=1";

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
+    {
+      device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
      fsType = "btrfs";
      options = [ "subvol=@" ];
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/C902-1AF5";
+    {
+      device = "/dev/disk/by-uuid/C902-1AF5";
      fsType = "vfat";
    };

  swapDevices =
-    [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }
-    ];
+    [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's