Make shodan more secure for reinstall, copied stuff from EDI

nixos/hosts/shodan/configuration.nix

@@ -22,6 +22,8 @@
     # ./nvim.nix
     ./hardware-configuration.nix
 
+    ../../../disko/EDI
+
     ./auto-mount.nix
   ];
 
@@ -184,7 +186,7 @@
     enable = true;
   };
 
-  users.users.lillian.extraGroups = ["decky"];
+  users.users.lillian.extraGroups = ["decky" "tss"];
 
   # Enable completion of system packages by zsh
   environment.pathsToLink = ["/share/zsh"];
@@ -199,6 +201,13 @@
 
   networking.hostName = "shodan";
 
+  security.tpm2.enable = true;
+  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  # tss group has access to TPM devices
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+  boot.supportedFilesystems = ["bcachefs"];
   boot.loader.systemd-boot.enable = true;
   boot.loader.systemd-boot.configurationLimit = 3;
   boot.loader.timeout = 0;

nixos/hosts/shodan/hardware-configuration.nix

@@ -17,25 +17,6 @@
   boot.kernelModules = ["kvm-amd"];
   boot.extraModulePackages = [];
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/b29d5a9c-a4a6-4321-a767-27ed928cfa94";
-    fsType = "ext4";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/ABC6-B031";
-    fsType = "vfat";
-  };
-
-  fileSystems."/run/media/lillian/SD" = {
-    device = "/dev/mmcblk0p1";
-    fsType = "exfat";
-  };
-
-  swapDevices = [
-    {device = "/dev/disk/by-uuid/c0c87d80-b6be-444a-a76f-b32d35c38994";}
-  ];
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction