From ca4553749ca72169177876a35580353706e064ff Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Mon, 18 Mar 2024 22:30:27 +0100
Subject: [PATCH] Make shodan more secure for reinstall, copied stuff from EDI
---
disko/shodan/default.nix | 71 +++++++++++++++++++
flake.nix | 2 +
nixos/hosts/shodan/configuration.nix | 11 ++-
nixos/hosts/shodan/hardware-configuration.nix | 19 -----
4 files changed, 83 insertions(+), 20 deletions(-)
create mode 100644 disko/shodan/default.nix
diff --git a/disko/shodan/default.nix b/disko/shodan/default.nix
new file mode 100644
index 0000000..1375e5a
--- /dev/null
+++ b/disko/shodan/default.nix
@@ -0,0 +1,71 @@
+{
+ disko.devices = {
+ disk = {
+ nvme0n1 = {
+ type = "disk";
+ device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [];
+ settings = {
+ # if you want to use the key for interactive login be sure there is no trailing newline
+ # for example use `echo -n "password" > /tmp/secret.key`
+ #keyFile = "/tmp/secret.key";
+ allowDiscards = true;
+ };
+ #additionalKeyFiles = ["/tmp/additionalSecret.key"];
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ swap = {
+ size = "16G";
+ content = {
+ type = "swap";
+ resumeDevice = true; # resume from hiberation from this device
+ };
+ };
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "bcachefs";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index f352745..1016c5d 100644
--- a/flake.nix
+++ b/flake.nix
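Review bot: `allowDiscards = true;` in the luks `settings` block passes TRIM through the encrypted volume, which is good for the NVMe but lets anyone holding the raw disk see which blocks are unused (filesystem size and usage pattern); since this commit is about making the reinstall more secure, the trade-off should be recorded on the line, e.g. `allowDiscards = true; # TRIM leaks the free-space layout through LUKS; accepted for SSD health`. The ESP carrying `/boot` is necessarily outside the LUKS container, so the kernel and initrd are unencrypted and unsigned unless the lanzaboote module imported in the flake.nix hunk is actually enabled, which no hunk of this commit does. The comment `# resume from hiberation from this device` also has a typo (`hibernation`).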
@@ -176,6 +176,8 @@ # > Our main nixos configuration file < ./nixos/hosts/shodan/configuration.nix sops-nix.nixosModules.sops + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko home-manager.nixosModules.home-manager { home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager]; diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix index 462e094..b01c75a 100644 --- a/nixos/hosts/shodan/configuration.nix +++ b/nixos/hosts/shodan/configuration.nix @@ -22,6 +22,8 @@ # ./nvim.nix ./hardware-configuration.nix + ../../../disko/EDI + ./auto-mount.nix ]; @@ -184,7 +186,7 @@ enable = true; }; - users.users.lillian.extraGroups = ["decky"]; + users.users.lillian.extraGroups = ["decky" "tss"]; # Enable completion of system packages by zsh environment.pathsToLink = ["/share/zsh"]; @@ -199,6 +201,13 @@ networking.hostName = "shodan"; + security.tpm2.enable = true; + security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + # tss group has access to TPM devices + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + boot.supportedFilesystems = ["bcachefs"]; boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.configurationLimit = 3; boot.loader.timeout = 0; diff --git a/nixos/hosts/shodan/hardware-configuration.nix b/nixos/hosts/shodan/hardware-configuration.nix index ac88e90..fdfefac 100644 --- a/nixos/hosts/shodan/hardware-configuration.nix +++ b/nixos/hosts/shodan/hardware-configuration.nix 
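Review bot: `lanzaboote.nixosModules.lanzaboote` is added to the module list, but no hunk in this commit sets any `boot.lanzaboote.*` option, and the configuration.nix hunk at `@@ -199,6 +201,13 @@` still carries `boot.loader.systemd-boot.enable = true;` unchanged, so Secure Boot is not in effect after this change and the unencrypted ESP from the new disko layout stays unprotected. If enabling it is the intent, the host configuration needs `boot.lanzaboote.enable = true;` together with `boot.loader.systemd-boot.enable = lib.mkForce false;` (lanzaboote replaces the systemd-boot installer and refuses to coexist with it), and the signing keys referenced by `boot.lanzaboote.pkiBundle` must exist before the rebuild. Whether `lanzaboote` is declared as a flake input is outside this hunk.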
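Review bot: The new import in the `@@ -22,6 +22,8 @@` hunk of configuration.nix is `../../../disko/EDI`, but the file this commit creates is `disko/shodan/default.nix`, so shodan would evaluate EDI's disk layout and device path instead of the `nvme0n1` by-path definition written for this host; with the hardware-configuration.nix hunk deleting every `fileSystems` and `swapDevices` entry, that module becomes the only source of mounts, and whatever device it names is what disko will partition and format on reinstall. The line should read `../../../disko/shodan`. The `imports = [` list starts before the hunk; whether `./auto-mount.nix` replaces the removed `/run/media/lillian/SD` mount cannot be seen from this commit.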
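Review bot: In the `@@ -199,6 +201,13 @@` hunk the comment `# tss group has access to TPM devices` explains the `"tss"` added to `users.users.lillian.extraGroups` in the `@@ -184,7 +186,7 @@` hunk, not the `security.tpm2` lines it sits under; move it beside that `extraGroups` line so a reader sees why an interactive account is in a group that can talk to the TPM device directly. `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;` also deserves a one-line reason, presumably the bcachefs root from the new disko layout, since `mkForce` silently overrides any other module that pins the kernel, e.g. `# bcachefs root needs a current kernel; mkForce wins over hardware modules`.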
@@ -17,25 +17,6 @@ boot.kernelModules = ["kvm-amd"]; boot.extraModulePackages = []; - fileSystems."/" = { - device = "/dev/disk/by-uuid/b29d5a9c-a4a6-4321-a767-27ed928cfa94"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/ABC6-B031"; - fsType = "vfat"; - }; - - fileSystems."/run/media/lillian/SD" = { - device = "/dev/mmcblk0p1"; - fsType = "exfat"; - }; - - swapDevices = [ - {device = "/dev/disk/by-uuid/c0c87d80-b6be-444a-a76f-b32d35c38994";} - ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction