nixcfg/systems/x86_64-linux/sgx-nixos/default.nix

{
  pkgs,
  lib,
  config,
  ...
}:
with lib;
with lib.metacfg;
{
  imports = [ ./hardware-configuration.nix ];

  boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
  boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;

  networking.firewall.extraCommands = ''
    iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
    iptables -t nat -A POSTROUTING -j MASQUERADE
  '';

  metacfg = {
    base.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    aesmd_dcap.enable = true;
    podman.enable = true;
    user.extraGroups = [
      "docker"
      "sgx"
    ];
    tools = {
      direnv.enable = true;
    };
  };

  environment.etc."sgx_default_qcnl.conf".text = ''
    {
      "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
      "use_secure_cert": false,
      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
      "retry_times": 6,
      "retry_delay": 10,
      "pck_cache_expire_hours": 168,
      "verify_collateral_cache_expire_hours": 168,
      "local_cache_only": false
    }
  '';

  virtualisation = {
    docker.enable = true;
    podman.dockerCompat = false;
  };

  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    allowReboot = true;
  };

  security.tpm2.enable = false;
  security.tpm2.abrmd.enable = false;

  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.

  networking.firewall.allowPing = true;

  powerManagement.cpuFreqGovernor = "ondemand";

  systemd.user.extraConfig = "DefaultLimitNOFILE=32768";

  security.pam.loginLimits = [
    {
      domain = "*";
      item = "nofile";
      type = "-";
      value = "32768";
    }
    {
      domain = "*";
      item = "memlock";
      type = "-";
      value = "32768";
    }
  ];

  system.stateVersion = "23.11";
}