Make shodan more secure for reinstall, copied stuff from EDI

This commit is contained in:
Lillian Violet 2024-03-18 22:30:27 +01:00
parent 70f63daf80
commit ca4553749c
4 changed files with 83 additions and 20 deletions

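--- /dev/null
+++ b/disko/shodan/default.nix
@@ -0,0 +1,71 @@
+{
+disko.devices = {
+disk = {
+nvme0n1 = {
+type = "disk";
+device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [
+"defaults"
+];
+};
+};
+luks = {
+size = "100%";
+content = {
+type = "luks";
+name = "crypted";
+extraOpenArgs = [];
+settings = {
+# if you want to use the key for interactive login be sure there is no trailing newline
+# for example use `echo -n "password" > /tmp/secret.key`
+#keyFile = "/tmp/secret.key";
+allowDiscards = true;
+};
+#additionalKeyFiles = ["/tmp/additionalSecret.key"];
+content = {
+type = "lvm_pv";
+vg = "pool";
+};
+};
+};
+};
+};
+};
+};
+lvm_vg = {
+pool = {
+type = "lvm_vg";
+lvs = {
+swap = {
+size = "16G";
+content = {
+type = "swap";
+resumeDevice = true; # resume from hiberation from this device
+};
+};
+root = {
+size = "100%FREE";
+content = {
+type = "filesystem";
+format = "bcachefs";
+mountpoint = "/";
+mountOptions = [
+"defaults"
+];
+};
+};
+};
+};
+};
+};
+}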
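Review bot: `allowDiscards = true;` in the luks `settings` passes TRIM through the encrypted layer, so anyone holding the raw disk can see which blocks of the encrypted volume are unused (free-space layout, and how it changes over time); that is a deliberate performance trade-off, but the file does not say so and the commit message says the block was copied. I would annotate the line: `allowDiscards = true; # TRIM passthrough: better SSD wear/perf, but leaks free-space layout of the encrypted volume`. The swap LV with `resumeDevice = true` sits inside the LUKS/LVM pool, which is the right place for hibernation since the image stays encrypted; its comment reads "hiberation" and should read "hibernation".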


@ -176,6 +176,8 @@
# > Our main nixos configuration file <
./nixos/hosts/shodan/configuration.nix
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
home-manager.nixosModules.home-manager
{
home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
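Review bot: `lanzaboote.nixosModules.lanzaboote` (presumably one of the two lines this hunk adds) is imported, but nothing visible in this commit sets `boot.lanzaboote.enable` or `boot.lanzaboote.pkiBundle`, and the shodan configuration hunk still carries `boot.loader.systemd-boot.enable = true;`. Importing the module alone does not turn on Secure Boot signing; enabling it needs `boot.loader.systemd-boot.enable = lib.mkForce false;` next to `boot.lanzaboote.enable = true;` in the host configuration. If that is planned for a later commit, a one-line comment on the import saying so would stop the next reader from assuming Secure Boot is already active. The module list continues outside the hunk.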


@ -22,6 +22,8 @@
# ./nvim.nix
./hardware-configuration.nix
../../../disko/EDI
./auto-mount.nix
];
@ -184,7 +186,7 @@
enable = true;
};
users.users.lillian.extraGroups = ["decky"];
users.users.lillian.extraGroups = ["decky" "tss"];
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];
@ -199,6 +201,13 @@
networking.hostName = "shodan";
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
boot.supportedFilesystems = ["bcachefs"];
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.timeout = 0;
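Review bot: the `../../../disko/EDI` import in the first hunk (`@ -22,6 +22,8 @@`) points shodan's configuration at EDI's disko layout, while this same commit adds `disko/shodan/default.nix` and removes the static `fileSystems` and `swapDevices` entries from the hardware configuration; unless both hosts share an identical disk layout, shodan would be partitioned and mounted from EDI's declaration on reinstall. It should read `../../../disko/shodan`, the directory this commit adds, assuming the import line is new here as the commit message suggests. The rendered page does not show whether that line is added or context, so this is worth confirming against the raw diff. The imports list and the surrounding option blocks continue outside the hunks.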


@ -17,25 +17,6 @@
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/b29d5a9c-a4a6-4321-a767-27ed928cfa94";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/ABC6-B031";
fsType = "vfat";
};
fileSystems."/run/media/lillian/SD" = {
device = "/dev/mmcblk0p1";
fsType = "exfat";
};
swapDevices = [
{device = "/dev/disk/by-uuid/c0c87d80-b6be-444a-a76f-b32d35c38994";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction