Harald Hoyer
a7484b3891
This commit moves the kernel package version override from the base nixos service to specific system configurations. Now, the latest linux packages will be used only in the system configurations where the override has been explicitly added. This approach gives us more flexibility to handle different kernel package versions for different systems.
58 lines
1.5 KiB
Nix
# NixOS host module: latest kernel, Docker + Podman, SGX DCAP quoting against a
# PCCS at 192.168.122.1:8081, and unattended flake-based upgrades.
{ pkgs, lib, config, ... }:
with lib;
with lib.metacfg;
{
  imports = [ ./hardware-configuration.nix ];

  boot = {
    # Priority 0 outranks lib.mkForce (priority 50), so no other module can
    # replace this kernel choice without also using priority 0.
    kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;

    # Needed by the OUTPUT DNAT rule below: without route_localnet the kernel
    # treats 127.0.0.0/8 as martian and refuses to route it.
    # NOTE(review): this is set for *all* interfaces. With loopback addresses
    # routable, a service bound only to 127.0.0.1 may become reachable from an
    # adjacent network unless the firewall drops such packets. Confirm that the
    # nixos-fw rules cover this, or scope the sysctl to the one interface that
    # needs it.
    kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
  };

  networking = {
    # wpa_supplicant-based wireless support is switched off on this host.
    wireless.enable = false;

    # Rule 1: locally generated TCP traffic leaving via lo to port 8081 is
    #         rewritten to 192.168.122.1:8081 (the host that pccs_url names).
    # Rule 2: MASQUERADE carries no -o / -s match, so it source-NATs every
    #         packet that traverses nat POSTROUTING, not only the redirected
    #         PCCS traffic. NOTE(review): consider narrowing it to the
    #         192.168.122.1 destination or to the outgoing interface.
    # NOTE(review): both rules use -A and no extraStopCommands is defined here;
    # verify whether they pile up as duplicates on each firewall reload.
    firewall.extraCommands = ''
      iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
      iptables -t nat -A POSTROUTING -j MASQUERADE
    '';
  };

  # Project-local option set (semantics are defined in the metacfg modules,
  # which are not visible here).
  metacfg = {
    base.enable = true;
    nix.enable = true;
    nix-ld.enable = true;
    podman.enable = true;
    aesmd_dcap.enable = true;

    # Membership in "docker" gives access to the Docker daemon socket, which is
    # equivalent to root on this machine; keep the account that receives these
    # groups as tightly controlled as a root login.
    # "sgx" presumably grants access to the SGX device nodes (confirm against
    # the aesmd_dcap module).
    user.extraGroups = [ "docker" "sgx" ];
  };

  # Intel QCNL (DCAP quote provider) settings, written to
  # /etc/sgx_default_qcnl.conf.
  # NOTE(review): "use_secure_cert": false makes the client accept a PCCS TLS
  # certificate it cannot validate (e.g. self-signed), so the channel to
  # 192.168.122.1 does not authenticate the server. Treat that as acceptable
  # only on a trusted local link; the preferred fix is a PCCS certificate from
  # a trusted CA together with "use_secure_cert": true.
  environment.etc."sgx_default_qcnl.conf".text = ''
    {
    "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
    "use_secure_cert": false,
    "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
    "retry_times": 6,
    "retry_delay": 10,
    "pck_cache_expire_hours": 168,
    "verify_collateral_cache_expire_hours": 168,
    "local_cache_only": false
    }
  '';

  # The Docker daemon runs next to Podman; Podman's docker-compatibility shim
  # stays off, presumably so the two do not collide.
  virtualisation = {
    podman.dockerCompat = false;
    docker.enable = true;
  };

  security.tpm2 = {
    enable = false;
    abrmd.enable = false;
  };

  powerManagement.cpuFreqGovernor = "ondemand";

  system = {
    # Unattended upgrades: the host periodically fetches the b24.05 branch of
    # the flake, activates it with "switch" and may reboot on its own.
    # NOTE(review): whatever is pushed to that branch gets built and activated
    # as root. Integrity rests on HTTPS plus write access to the repository, so
    # protect the branch, and consider requiring signed commits or pinning a
    # reviewed revision.
    autoUpgrade = {
      flake = "git+https://git.hoyer.xyz/harald/nixcfg.git?ref=refs/heads/b24.05";
      operation = "switch";
      allowReboot = true;
      enable = true;
    };

    stateVersion = "23.11";
  };
}