{ pkgs, lib, config, ... }: with lib; with lib.plusultra; { imports = [ ./hardware-configuration.nix ]; sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml; sops.secrets.backup-pw.sopsFile = ../.secrets/sgx/backup-s3.yaml; plusultra = { base.enable = true; gui.enable = false; nix-ld.enable = true; nix.enable = true; nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; pccs.enable = true; pccs.secret = config.sops.secrets.pccs.path; podman.enable = true; secureboot.enable = true; user.extraGroups = [ "docker" "sgx" ]; }; virtualisation.docker.enable = true; virtualisation.podman.dockerCompat = false; system.autoUpgrade = { enable = true; operation = "boot"; allowReboot = true; }; security.tpm2.enable = false; security.tpm2.abrmd.enable = false; networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. # services.aesmd.enable = true; powerManagement.cpuFreqGovernor = "ondemand"; system.stateVersion = "23.11"; environment.etc."sgx_default_qcnl.conf".text = '' { "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/", "use_secure_cert": false, "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/", "retry_times": 6, "retry_delay": 10, "pck_cache_expire_hours": 168, "verify_collateral_cache_expire_hours": 168, "local_cache_only": false } ''; }