# NixOS module `metacfg.aesmd_dcap`.
#
# When enabled it turns on `services.aesmd` with the DCAP default quote
# provider library (QPL) from `pkgs.nixsgx`, registers an extra binary cache
# and its verification key, and adjusts the aesmd systemd unit so the QPL can
# be loaded and can read its configuration file.
{
  options,
  config,
  lib,
  pkgs,
  ...
}:

with lib;
with lib.metacfg;
let
  cfg = config.metacfg.aesmd_dcap;

  # The same QPL derivation is used for the service option and for the
  # unit's library search path below.
  qpl = pkgs.nixsgx.sgx-dcap.default_qpl;
in
{
  options.metacfg.aesmd_dcap = with types; {
    enable = mkBoolOpt false "Whether or not to enable aesmd in dcap mode.";
  };

  config = mkIf cfg.enable {
    # Side effect of enabling aesmd here: an additional binary cache is
    # registered together with the public key used to verify what it serves.
    # NOTE(review): presumably `metacfg.nix.extra-substituters` feeds
    # `nix.settings.substituters` / `trusted-public-keys`; confirm in that
    # module. If so, the holder of this signing key can provide the contents
    # of store paths this host fetches from the cache, so the key is part of
    # the host's trusted base and any change to it deserves the same review
    # as a code change.
    metacfg.nix.extra-substituters."https://attic.teepot.org/tee-pot".key =
      "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=";

    services.aesmd.enable = true;
    services.aesmd.quoteProviderLibrary = qpl;

    # `mkForce` makes this the unit's only LD_LIBRARY_PATH value: it overrides
    # definitions made at default priority by other modules instead of being
    # merged with them. Both entries are Nix store paths.
    # NOTE(review): `pkgs.curl.out` is presumably listed because the QPL loads
    # libcurl at runtime; confirm.
    systemd.services.aesmd.environment.LD_LIBRARY_PATH = lib.mkForce (
      lib.makeLibraryPath [
        qpl
        pkgs.curl.out
      ]
    );

    # The QCNL configuration is exposed to the unit read-only. There is no
    # `-` prefix, so systemd fails the unit when the file is missing rather
    # than starting aesmd without it (fails closed). Nothing in this module
    # creates /etc/sgx_default_qcnl.conf.
    # NOTE(review): that file selects where attestation collateral is fetched
    # from and how the connection is verified; confirm it is managed
    # declaratively elsewhere and is writable by root only.
    systemd.services.aesmd.serviceConfig.BindReadOnlyPaths = [ "/etc/sgx_default_qcnl.conf" ];

    # Writable bind of the syslog socket into the unit's mount namespace.
    # NOTE(review): presumably required because the upstream unit restricts
    # the filesystem view and aesmd logs through syslog; confirm.
    systemd.services.aesmd.serviceConfig.BindPaths = [ "/dev/log" ];
  };
}