Make shodan more secure for reinstall, copied stuff from EDI
This commit is contained in:
parent
70f63daf80
commit
ca4553749c
71
disko/shodan/default.nix
Normal file
71
disko/shodan/default.nix
Normal file
|
|
@ -0,0 +1,71 @@
|
||||||
|
{
|
||||||
|
disko.devices = {
|
||||||
|
disk = {
|
||||||
|
nvme0n1 = {
|
||||||
|
type = "disk";
|
||||||
|
device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
ESP = {
|
||||||
|
size = "512M";
|
||||||
|
type = "EF00";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
mountOptions = [
|
||||||
|
"defaults"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
luks = {
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "luks";
|
||||||
|
name = "crypted";
|
||||||
|
extraOpenArgs = [];
|
||||||
|
settings = {
|
||||||
|
# if you want to use the key for interactive login be sure there is no trailing newline
|
||||||
|
# for example use `echo -n "password" > /tmp/secret.key`
|
||||||
|
#keyFile = "/tmp/secret.key";
|
||||||
|
allowDiscards = true;
|
||||||
|
};
|
||||||
|
#additionalKeyFiles = ["/tmp/additionalSecret.key"];
|
||||||
|
content = {
|
||||||
|
type = "lvm_pv";
|
||||||
|
vg = "pool";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
lvm_vg = {
|
||||||
|
pool = {
|
||||||
|
type = "lvm_vg";
|
||||||
|
lvs = {
|
||||||
|
swap = {
|
||||||
|
size = "16G";
|
||||||
|
content = {
|
||||||
|
type = "swap";
|
||||||
|
resumeDevice = true; # resume from hiberation from this device
|
||||||
|
};
|
||||||
|
};
|
||||||
|
root = {
|
||||||
|
size = "100%FREE";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "bcachefs";
|
||||||
|
mountpoint = "/";
|
||||||
|
mountOptions = [
|
||||||
|
"defaults"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -176,6 +176,8 @@
|
||||||
# > Our main nixos configuration file <
|
# > Our main nixos configuration file <
|
||||||
./nixos/hosts/shodan/configuration.nix
|
./nixos/hosts/shodan/configuration.nix
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
|
lanzaboote.nixosModules.lanzaboote
|
||||||
|
disko.nixosModules.disko
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
{
|
{
|
||||||
home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
|
home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
|
||||||
|
|
|
||||||
|
|
@ -22,6 +22,8 @@
|
||||||
# ./nvim.nix
|
# ./nvim.nix
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
||||||
|
../../../disko/EDI
|
||||||
|
|
||||||
./auto-mount.nix
|
./auto-mount.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
@ -184,7 +186,7 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.lillian.extraGroups = ["decky"];
|
users.users.lillian.extraGroups = ["decky" "tss"];
|
||||||
|
|
||||||
# Enable completion of system packages by zsh
|
# Enable completion of system packages by zsh
|
||||||
environment.pathsToLink = ["/share/zsh"];
|
environment.pathsToLink = ["/share/zsh"];
|
||||||
|
|
@ -199,6 +201,13 @@
|
||||||
|
|
||||||
networking.hostName = "shodan";
|
networking.hostName = "shodan";
|
||||||
|
|
||||||
|
security.tpm2.enable = true;
|
||||||
|
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
|
||||||
|
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
|
||||||
|
# tss group has access to TPM devices
|
||||||
|
|
||||||
|
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
|
||||||
|
boot.supportedFilesystems = ["bcachefs"];
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.systemd-boot.configurationLimit = 3;
|
boot.loader.systemd-boot.configurationLimit = 3;
|
||||||
boot.loader.timeout = 0;
|
boot.loader.timeout = 0;
|
||||||
|
|
|
||||||
|
|
@ -17,25 +17,6 @@
|
||||||
boot.kernelModules = ["kvm-amd"];
|
boot.kernelModules = ["kvm-amd"];
|
||||||
boot.extraModulePackages = [];
|
boot.extraModulePackages = [];
|
||||||
|
|
||||||
fileSystems."/" = {
|
|
||||||
device = "/dev/disk/by-uuid/b29d5a9c-a4a6-4321-a767-27ed928cfa94";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" = {
|
|
||||||
device = "/dev/disk/by-uuid/ABC6-B031";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/run/media/lillian/SD" = {
|
|
||||||
device = "/dev/mmcblk0p1";
|
|
||||||
fsType = "exfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [
|
|
||||||
{device = "/dev/disk/by-uuid/c0c87d80-b6be-444a-a76f-b32d35c38994";}
|
|
||||||
];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue