diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index f212e98..4f0e752 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@@ -23,6 +23,14 @@ with lib.plusultra;
     flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx";
   };
+  sops.secrets.pccs = {
+    sopsFile = ../.secrets/sgx/pccs.yaml; # bring your own password file
+  };
+
+  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
+
+
+
   plusultra.gui.enable = false;
   plusultra.nix.enable = true;
   plusultra.nix.extra-substituters = {
@@ -151,6 +159,37 @@ with lib.plusultra;
     };
   };
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers = {
+
+    # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19
+    pccs = {
+      image = "registry.gitlab.com/haraldh/pccs:dcap_1_19";
+      autoStart = true;
+      ports = [ "8081:8081" ];
+      extraOptions = [
+        "--volume=/dev/log:/dev/log"
+        "--secret=PCCS_CONFIG,type=mount"
+      ];
+    };
+  };
+
+  systemd.services.pccs-secret =
+    {
+      description = "Inject pccs secret";
+      wantedBy = [ "multi-user.target" ];
+      before = [ "podman-pccs.service" ];
+
+      serviceConfig = {
+        EnvironmentFile = config.sops.secrets.pccs.path;
+        ExecStart = ''
+          -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
+        '';
+        RemainAfterExit = true;
+      };
+    };
+
+
+
   programs.nix-ld.enable = true; # Sets up all the libraries to load
diff --git a/systems/x86_64-linux/sgx/hardware-configuration.nix b/systems/x86_64-linux/sgx/hardware-configuration.nix
index 2775403..11bc10f 100644
--- a/systems/x86_64-linux/sgx/hardware-configuration.nix
+++ b/systems/x86_64-linux/sgx/hardware-configuration.nix
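Review bot: The comment on the added `networking.wireless.enable = false;` still reads `# Enables wireless support via wpa_supplicant.`, the generator's stock text, which contradicts the value it annotates; `# wireless stays off: iwlwifi is blacklisted in hardware-configuration.nix` would record the actual reason, which the second file in this diff shows. The `# bring your own password file` comment on `sops.secrets.pccs` does not say what the file has to contain; since the unit below reads `config.sops.secrets.pccs.path` as an `EnvironmentFile` and then calls `podman secret create --env PCCS_CONFIG`, a comment such as `# sops yaml with key "pccs" holding PCCS_CONFIG=<pccs config>; consumed as an EnvironmentFile by pccs-secret` would save the next reader a round trip. `owner` and `mode` are left at the sops-nix defaults (root, 0400), which is what the root-run `pccs-secret` unit needs, so that part is fine as is. The three empty lines added before `plusultra.gui.enable` can be collapsed to one.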
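Review bot: `pccs-secret` keeps the default `Type=simple`, so systemd treats it as started the moment `podman secret create` is forked, and the `before = [ "podman-pccs.service" ]` ordering does not wait for the secret to actually exist; add `Type = "oneshot";` to `serviceConfig` so `RemainAfterExit = true` marks the unit active only after the command has finished. The leading `-` on `ExecStart` also hides every failure, including a `PCCS_CONFIG` variable missing from the environment file, and because `podman secret create` refuses to overwrite an existing secret a rotated sops value is never picked up on rebuild; drop the `-` and, if the packaged podman supports it, use `ExecStart = "${pkgs.podman}/bin/podman secret create --replace --env PCCS_CONFIG PCCS_CONFIG";` (otherwise an `ExecStartPre` that removes the stale secret first). Nothing in the hunk makes `podman-pccs.service` `requires` the injector, so once the `-` is gone a failed injection still starts the container without its config; `systemd.services.podman-pccs.requires = [ "pccs-secret.service" ];` closes that gap. `ports = [ "8081:8081" ]` publishes the PCCS on every interface; if only this host consumes it, `"127.0.0.1:8081:8081"` keeps the service off the network.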
@@ -13,6 +13,7 @@
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
   boot.blacklistedKernelModules = [ "iwlwifi" "snd_hda_intel" "hdaudio" "btintel" "bluetooth" ];
+  boot.extraModprobeConfig = "options kvm_intel nested=1";
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
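Review bot: `options kvm_intel nested=1` turns on nested virtualization with no comment on why an SGX host needs guests that themselves run KVM; nested VMX enlarges the hypervisor surface exposed to guests, so a one-line `# nested KVM: needed for <workload> — TODO confirm` above the option would document the trade-off. The option names the module `kvm_intel` while `boot.kernelModules` on the line above spells it `kvm-intel`; kmod treats the two as the same module, so this is only a consistency nit, but picking one spelling avoids a reader wondering whether the option applies.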