From 666367bb4d058dd1cbef0a9c2969b2c352c3ffc1 Mon Sep 17 00:00:00 2001
From: Dennis Wuitz
Date: Mon, 25 Dec 2023 04:27:28 +0100
Subject: [PATCH] add fulldiskencryption
---
 modules/boot.nix | 29 ++++++++++++++++++++++++-
 systems/palatine-hill/configuration.nix | 1 +
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/modules/boot.nix b/modules/boot.nix
index 84e1046..f95a004 100644
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -13,19 +13,45 @@ in
 default = "";
 description = "The cpu-type installed on the server.";
 };
+ amdGPU = libS.mkOpinionatedOption "the system contains a AMD GPU";
 };
 };
 config.boot = lib.mkIf cfg.default {
+ initrd = {
+ # networking for netcard kernelModules = [ "e1000e" ];
+ kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
+
+ network.enable = true;
+ network.ssh = {
+ enable = true;
+ hostKeys = [
+ "/root/ssh_key"
+ ];
+ port = 2222;
+ };
+ luks = {
+ devices."cryptroot" = {
+ device = "/dev/sda1";
+ preLVM = true;
+ };
+ };
+ };
+
 supportedFilesystems = [ "zfs" ];
 tmp.useTmpfs = true;
 kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
- kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd";
+ kernelParams = [
+ "ip=:::"
+ "nordrand"
+ ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd";
+
 zfs = {
 enableUnstable = true;
 devNodes = "/dev/disk/by-id/";
 forceImportRoot = true;
 };
+
 loader = {
 efi = {
 canTouchEfiVariables = false;
@@ -39,6 +65,7 @@ in
 efiInstallAsRemovable = true;
 fsIdentifier = "uuid";
 device = "nodev";
+ enableCryptodisk = true;
 };
 };
 };
diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix
index 120bf31..0cee328 100644
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
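Review bot: `device = "/dev/sda1";` in the new `luks.devices."cryptroot"` block pins the encrypted root to a kernel enumeration name, while the `zfs` block a few lines below deliberately uses `devNodes = "/dev/disk/by-id/"`; if disk order changes the initrd will try to unlock the wrong device, so use a stable symlink instead, e.g. `device = "/dev/disk/by-uuid/<LUKS-UUID-PLACEHOLDER>";`. The remote-unlock path also needs a NIC driver in stage 1, and the only driver line, `# networking for netcard kernelModules = [ "e1000e" ];`, is commented out — unless another module already lists the driver in `boot.initrd.availableKernelModules`, `network.enable = true` and `ip=:::` have no interface to configure, so either restore the module or drop the dead comment. `hostKeys = [ "/root/ssh_key" ]` is embedded into the initrd on the boot partition, so unless that partition itself sits inside the LUKS volume the key is readable offline; a comment such as `# dedicated stage-1 host key: embedded in the initrd, do not reuse the main sshd host key` next to it would make that expectation explicit. The enclosing `config.boot` attribute set continues past the end of this hunk.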
@@ -3,6 +3,7 @@
 time.timeZone = "America/New_York";
 console.keyMap = "us";
 networking.hostId = "1139fa08";
+ boot.initrd.network.ssh.authorizedKeys = [ "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ];
 virtualisation = {
 docker = {
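Review bot: The value added for `boot.initrd.network.ssh.authorizedKeys` is a placeholder rather than a real key: an OpenSSH ed25519 public key is a 68-character base64 blob starting with `AAAAC3NzaC1lZDI1NTE5`, and a run of `A`s does not parse, so the stage-1 sshd will ignore the entry and the remote unlock of `cryptroot` this series introduces cannot succeed as committed. A public key is not secret and can live in the repository; alternatively reference the list the stage-2 sshd already uses, `boot.initrd.network.ssh.authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;`, so the two cannot drift apart. A one-line comment naming which machine's key is authorised here would also help the next reader. The enclosing module attribute set begins before this hunk.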