sgx: dcap firewall rules

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>

flake.lock

@@ -787,22 +787,6 @@
         "type": "github"
       }
     },
-    "gpg-base-conf": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1710730803,
-        "narHash": "sha256-mZwEZxZJ3vLdgvKyFqGSkwg0JRgH1sshe5EvWXoU6JA=",
-        "owner": "drduh",
-        "repo": "config",
-        "rev": "6fc554136c5e179cacc9ba88a18ad61a9ea37979",
-        "type": "github"
-      },
-      "original": {
-        "owner": "drduh",
-        "repo": "config",
-        "type": "github"
-      }
-    },
     "highlight-undo": {
       "flake": false,
       "locked": {
@@ -1361,11 +1345,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1710695816,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "lastModified": 1710838473,
+        "narHash": "sha256-RLvwdQSENKOaLdKhNie8XqHmTXzNm00/M/THj6zplQo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "rev": "fa9f817df522ac294016af3d40ccff82f5fd3a63",
         "type": "github"
       },
       "original": {
@@ -2010,7 +1994,6 @@
       "inputs": {
         "darwin": "darwin",
         "disko": "disko",
-        "gpg-base-conf": "gpg-base-conf",
         "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
         "neovim-flake": "neovim-flake",

systems/x86_64-linux/sgx-nixos/default.nix

@@ -4,6 +4,12 @@ with lib.metacfg;
 {
   imports = [ ./hardware-configuration.nix ];
 
+  boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
+  networking.firewall.extraCommands = ''
+    iptables -t nat -A OUTPUT -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
+    iptables -t nat -A POSTROUTING -j MASQUERADE
+  '';
+
   metacfg = {
     base.enable = true;
     nix-ld.enable = true;