# NixOS host module: an SGX/DCAP attestation client that fetches PCK
# certificates from a PCCS at 192.168.122.1:8081, plus docker/podman and
# unattended upgrades. Presumably a VM guest (192.168.122.1 is the usual
# libvirt default-bridge host address) — confirm against the deployment.
{ pkgs, lib, config, ... }:
with lib;
with lib.metacfg;
{
  imports = [ ./hardware-configuration.nix ./atticd.nix ];

  # Let the kernel route packets whose source/destination is in 127.0.0.0/8,
  # which the loopback DNAT in extraCommands below needs. Caveat: this also
  # removes the usual "martian" treatment of loopback addresses on every
  # interface, so review it together with the nat rules rather than alone.
  boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;

  # Priority 0 outranks mkForce (50) and mkDefault (1000): no other module
  # in the set can select a different kernel.
  boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;

  # Any connection this host opens to port 8081 via loopback is redirected to
  # the PCCS at 192.168.122.1:8081; the MASQUERADE rule rewrites the 127.x
  # source so replies come back. NOTE(review): the MASQUERADE rule has no
  # -o/-d/--dport match, so it applies to every new outbound or forwarded
  # connection, not only the DNATed ones; narrowing it to
  # `-d 192.168.122.1 -p tcp --dport 8081` keeps the intent with less surface —
  # confirm nothing else (containers, VMs) relies on the blanket rule first.
  networking.firewall.extraCommands = ''
    iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
    iptables -t nat -A POSTROUTING -j MASQUERADE
  '';

  metacfg = {
    base.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    aesmd_dcap.enable = true;
    podman.enable = true;
    # "docker" group membership is effectively root on the host (the daemon
    # socket lets a member start privileged containers). "sgx" is presumably
    # the enclave-device group created by the aesmd module — confirm.
    user.extraGroups = [ "docker" "sgx" ];
  };

  # Quote-provider (QCNL) config used by aesmd: PCK certs from the local PCCS,
  # collateral from Intel's service. NOTE(review): "use_secure_cert": false
  # disables verification of the PCCS's TLS certificate, so the certificate
  # path to 192.168.122.1 is only as trustworthy as that network segment;
  # trusting the PCCS CA and setting it to true is the stronger configuration.
  # The body is JSON and must stay comment-free.
  environment.etc."sgx_default_qcnl.conf".text = ''
    {
      "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
      "use_secure_cert": false,
      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
      "retry_times": 6,
      "retry_delay": 10,
      "pck_cache_expire_hours": 168,
      "verify_collateral_cache_expire_hours": 168,
      "local_cache_only": false
    }
  '';

  virtualisation = {
    docker.enable = true;
    # docker is the real daemon here; podman keeps its own CLI (no docker shim).
    podman.dockerCompat = false;
  };

  # Unattended: fetches and activates whatever the configured channel/flake
  # resolves to, and may reboot the host when the booted kernel changes.
  # NOTE(review): the upgrade source is not pinned in this file — confirm
  # where it is set and that it is fetched over an authenticated channel.
  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    allowReboot = true;
  };

  # TPM2 userland (tpm2-tss / abrmd) is not enabled on this host.
  security.tpm2.enable = false;
  security.tpm2.abrmd.enable = false;

  networking.wireless.enable = false; # wpa_supplicant-based wireless support stays off.
  # 8080 is opened on every interface; the listener behind it is not defined
  # in this file.
  networking.firewall.allowedTCPPorts = [ 8080 ];
  networking.firewall.allowPing = true;
  powerManagement.cpuFreqGovernor = "ondemand";
  # Do not bump: pins stateful defaults to the release this host was first
  # installed with.
  system.stateVersion = "23.11";
}