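# NixOS host module: headless SGX box running a local PCCS (Provisioning
# Certificate Caching Service), with Docker/Podman and unattended upgrades.
# Values are unchanged from the original; attribute paths are grouped and the
# security-relevant choices are commented.
{ pkgs, lib, config, ... }:
with lib;
with lib.plusultra;
{
  imports = [ ./hardware-configuration.nix ];

  # PCCS API key / credentials, decrypted by sops at activation time and
  # consumed below via config.sops.secrets.pccs.path (never inlined here).
  sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;

  plusultra = {
    base.enable = true;
    gui.enable = false;
    nix-ld.enable = true;

    nix = {
      enable = true;
      # Binary cache for the SGX packages; the key pins the cache's signing key
      # so substituted paths are only accepted when signed by it.
      nix.extra-substituters."https://nixsgx.cachix.org".key =
        "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
    };

    pccs = {
      enable = true;
      # Path to the decrypted secret (see sops.secrets.pccs above).
      secret = config.sops.secrets.pccs.path;
    };

    podman.enable = true;
    secureboot.enable = true;

    # "docker" group membership gives the user access to the Docker socket,
    # which is effectively root on this host; "sgx" grants access to the
    # SGX device nodes.
    user.extraGroups = [ "docker" "sgx" ];
  };

  virtualisation = {
    docker.enable = true;
    # Docker itself is enabled, so Podman must not also claim the `docker`
    # CLI/socket compatibility layer.
    podman.dockerCompat = false;
  };

  # Unattended upgrades: applied at next boot, and the host may reboot itself.
  system.autoUpgrade = {
    enable = true;
    operation = "boot";
    allowReboot = true;
  };

  # TPM2 userspace stack is explicitly disabled even though Secure Boot is on
  # (plusultra.secureboot.enable above); nothing in this file uses the TPM.
  security.tpm2 = {
    enable = false;
    abrmd.enable = false;
  };

  networking.wireless.enable = false; # Wireless support via wpa_supplicant is disabled on this host.

  # services.aesmd.enable = true;

  powerManagement.cpuFreqGovernor = "ondemand";

  system.stateVersion = "23.11";

  # Quote-collateral network library (QCNL) config for SGX DCAP clients.
  # "pccs_url" points at the local PCCS on loopback; "use_secure_cert": false
  # disables TLS certificate verification for that endpoint, which is only
  # acceptable because the peer is 127.0.0.1 — do not reuse this file with a
  # remote pccs_url without setting it to true. "collateral_service" is the
  # upstream Intel PCS the local PCCS falls back to.
  environment.etc."sgx_default_qcnl.conf".text = ''
    {
      "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
      "use_secure_cert": false,
      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
      "retry_times": 6,
      "retry_delay": 10,
      "pck_cache_expire_hours": 168,
      "verify_collateral_cache_expire_hours": 168,
      "local_cache_only": false
    }
  '';
}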