# NixOS module: run the Intel SGX AESM daemon (aesmd) with the DCAP quote
# provider library from the nixsgx package set, behind a single enable flag.
{ options, config, lib, pkgs, ... }:

with lib;
with lib.metacfg;
let
  cfg = config.metacfg.aesmd_dcap;

  # Quote provider library (QPL) handed to aesmd for DCAP attestation.
  dcapQpl = pkgs.nixsgx.sgx-dcap.default_qpl;

  # Shared libraries aesmd must be able to resolve at runtime: the QPL and
  # libcurl (presumably needed by the QPL for collateral fetching — confirm).
  aesmdLibraryPath = lib.makeLibraryPath [ dcapQpl pkgs.curl.out ];
in
{
  options.metacfg.aesmd_dcap = with types; {
    enable = mkBoolOpt false "Whether or not to enable aesmd in dcap mode.";
  };

  config = mkIf cfg.enable {
    # Binary caches for the SGX packages. NOTE(review): this custom option
    # presumably feeds nix's substituters / trusted public keys, in which case
    # store paths signed by these keys are accepted without rebuilding —
    # treat any change to the keys below as a trust decision.
    metacfg.nix.extra-substituters = {
      "https://nixsgx.cachix.org" = {
        key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
      };
      "https://attic.teepot.org/tee-pot" = {
        key = "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=";
      };
    };

    services.aesmd = {
      enable = true;
      quoteProviderLibrary = dcapQpl;
    };

    systemd.services.aesmd = {
      # mkForce discards every other definition of LD_LIBRARY_PATH for this
      # unit (including any the upstream aesmd module may set), so only the
      # path assembled above is used.
      environment.LD_LIBRARY_PATH = lib.mkForce aesmdLibraryPath;

      serviceConfig = {
        # QPL configuration file, exposed read-only inside the service's
        # mount namespace.
        BindReadOnlyPaths = [ "/etc/sgx_default_qcnl.conf" ];
        # Writable bind mount; presumably the syslog socket so the daemon can
        # log — verify against the aesmd logging configuration.
        BindPaths = [ "/dev/log" ];
      };
    };
  };
}