Update for secure boot

Lillian Violet 2024-02-03 17:50:32 +01:00
parent a17a04d551
commit 17eca8a394
3 changed files with 17 additions and 22 deletions


@ -19,6 +19,20 @@
]; ];
}; };
}; };
encryptedSwap = {
size = "20M";
content = {
type = "swap";
randomEncryption = true;
};
};
plainSwap = {
size = "4G";
content = {
type = "swap";
resumeDevice = true; # resume from hiberation from this device
};
};
luks = { luks = {
size = "100%"; size = "100%";
content = { content = {
@ -28,35 +42,15 @@
#passwordFile = "/tmp/secret.key"; # Interactive #passwordFile = "/tmp/secret.key"; # Interactive
settings = { settings = {
allowDiscards = true; allowDiscards = true;
keyFile = "/tmp/secret.key"; #keyFile = "/tmp/secret.key";
}; };
#additionalKeyFiles = ["/tmp/additionalSecret.key"]; #additionalKeyFiles = ["/tmp/additionalSecret.key"];
content = {
root = {
name = "root";
end = "-2G";
content = { content = {
type = "filesystem"; type = "filesystem";
format = "bcachefs"; format = "bcachefs";
mountpoint = "/"; mountpoint = "/";
}; };
}; };
encryptedSwap = {
size = "20M";
content = {
type = "swap";
randomEncryption = true;
};
};
plainSwap = {
size = "100%";
content = {
type = "swap";
resumeDevice = true; # resume from hiberation from this device
};
};
};
};
}; };
}; };
}; };
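Review bot: The added `plainSwap` partition (`size = "4G"`, `resumeDevice = true`) sits beside the `luks` partition rather than inside it, so the hibernation image and any pages swapped to it are written to disk unencrypted; that can include disk-encryption key material and other secrets held in RAM, which defeats the at-rest protection of the LUKS root. Before this commit the swap entries were nested under the LUKS `content`. If hibernation is needed, wrap the resume swap in its own LUKS container as sketched below (the name `cryptswap` is a placeholder); otherwise drop `plainSwap` and keep only the `randomEncryption` swap. The enclosing partitions set starts outside this hunk, so the exact nesting should be checked against the full file.

```nix
# … unchanged: encryptedSwap (randomEncryption) …
cryptswap = {
  size = "4G";
  content = {
    type = "luks";
    name = "cryptswap"; # placeholder name
    content = {
      type = "swap";
      resumeDevice = true; # resume from hibernation from this device
    };
  };
};
# … unchanged: luks partition holding the bcachefs root …
```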


@ -165,7 +165,6 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 3; boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.bootspec.enable = true;
boot.supportedFilesystems = ["bcachefs"]; boot.supportedFilesystems = ["bcachefs"];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;


@ -38,6 +38,8 @@
networking.hostName = "EDI"; networking.hostName = "EDI";
boot.bootspec.enable = true;
# Enable bluetooth hardware # Enable bluetooth hardware
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;