Remove /home and unused top-level dirs. Make /var encrypted with tpm2.
This commit is contained in:
parent
9b6a5d9199
commit
902c3eddf3
7 changed files with 46 additions and 37 deletions
|
@ -43,6 +43,7 @@
|
|||
system.image.updates.url = "${updateUrl}";
|
||||
system.image.id = "patos";
|
||||
system.image.version = releaseVersion;
|
||||
image.compress = false;
|
||||
}
|
||||
self.nixosModules.image
|
||||
self.nixosModules.devel
|
||||
|
|
|
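Review bot: `self.nixosModules.devel` is now included unconditionally in the same module list that carries the release settings above it (`system.image.version = releaseVersion;`), so whatever that module enables ships in the released image. If it adds developer access (consoles, no-password logins, debug services) it should be wrapped in `lib.optional` on a build-time flag, or carry a comment explaining why it belongs in a release build. The surrounding flake attribute set begins and ends outside the hunk.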
@ -51,11 +51,16 @@
|
|||
Label = "_empty";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
"40-home" = {
|
||||
Type = "home";
|
||||
"40-var" = {
|
||||
Type = "var";
|
||||
UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
|
||||
Format = "btrfs";
|
||||
SizeMinBytes = "512M";
|
||||
Label = "patos-state";
|
||||
Minimize = "off";
|
||||
FactoryReset = "yes";
|
||||
Encrypt = "tpm2";
|
||||
SizeMinBytes = "2G";
|
||||
SplitName = "-";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -99,10 +104,21 @@
|
|||
"roothash=${config.system.build.verityRootHash}"
|
||||
];
|
||||
|
||||
fileSystems."/var" = {
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" ];
|
||||
};
|
||||
fileSystems =
|
||||
let
|
||||
parts = config.systemd.repart.partitions;
|
||||
in
|
||||
{
|
||||
"/var" = {
|
||||
fsType = parts."40-var".Format;
|
||||
device = "/dev/mapper/var";
|
||||
encrypted = {
|
||||
enable = true;
|
||||
blkDev = "/dev/disk/by-partuuid/${parts."40-var".UUID}";
|
||||
label = "var";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Required to mount the efi partition
|
||||
boot.kernelModules = [
|
||||
|
@ -111,10 +127,10 @@
|
|||
"nls_iso8859-1"
|
||||
];
|
||||
|
||||
# Store SSH host keys on /home since /etc is read-only
|
||||
# Store SSH host keys on /var/lib/ssh since /etc is read-only
|
||||
services.openssh.hostKeys = [
|
||||
{
|
||||
path = "/home/.ssh/ssh_host_ed25519_key";
|
||||
path = "/var/lib/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
];
|
||||
|
@ -126,8 +142,4 @@
|
|||
|
||||
# Refuse to boot on mount failure
|
||||
systemd.targets."sysinit".requires = [ "local-fs.target" ];
|
||||
|
||||
# Make sure home gets mounted
|
||||
systemd.targets."local-fs".requires = [ "home.mount" ];
|
||||
|
||||
}
|
||||
|
|
|
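Review bot: Nothing in the last hunk (@ -126,8 +142,4) replaces the dropped `home.mount` requirement, so a missing or failed /var mount no longer blocks boot even though the SSH host keys now live under /var/lib/ssh; keep `systemd.targets."local-fs".requires = [ "var.mount" ];` and, if the sysinit → local-fs requirement was removed as well (the rendered page does not show which of the four lines went), restore that too. Two things the `40-var` hunk relies on are not visible here and deserve a comment beside `Encrypt = "tpm2";`: systemd-repart binds the key to PCR 7 only unless it is passed an explicit `--tpm2-pcrs`/signed PCR policy, and the initrd crypttab entry produced by `encrypted.enable = true` must carry `tpm2-device=auto` to unlock via the TPM instead of prompting — confirm both wherever repart and stage-1 are configured. The fixed partition UUID referenced by `blkDev` is identical on every image, so `/dev/disk/by-partuuid/...` is ambiguous if two such disks are attached; fine for a single-disk appliance, but the `# Well known` comment should say that.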
@ -19,8 +19,8 @@
|
|||
|
||||
systemd.services."default-ssh-keys" = {
|
||||
script = ''
|
||||
mkdir -p /home/admin/.ssh/
|
||||
cat /efi/default-ssh-authorized-keys.txt >> /home/admin/.ssh/authorized_keys
|
||||
mkdir -p /var/home/admin/.ssh/
|
||||
cat /efi/default-ssh-authorized-keys.txt >> /var/home/admin/.ssh/authorized_keys
|
||||
'';
|
||||
wantedBy = [
|
||||
"sshd.service"
|
||||
|
@ -28,8 +28,8 @@
|
|||
];
|
||||
unitConfig = {
|
||||
ConditionPathExists = [
|
||||
"/home/admin"
|
||||
"!/home/admin/.ssh/authorized_keys"
|
||||
"/var/home/admin"
|
||||
"!/var/home/admin/.ssh/authorized_keys"
|
||||
"/efi/default-ssh-authorized-keys.txt"
|
||||
];
|
||||
};
|
||||
|
|
|
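Review bot: In the script hunk (@ -19,8 +19,8) the `.ssh` directory and `authorized_keys` under `/var/home/admin` are created by root and never handed to the admin user, so sshd accepts them (StrictModes allows root ownership) but admin cannot rotate or add keys in a root-owned 0755 directory; `install -d -m 0700 -o admin /var/home/admin/.ssh` before the append and `chown admin /var/home/admin/.ssh/authorized_keys` after it would fix that. A comment on the `cat` line is also warranted: the key list is read from the unencrypted, unauthenticated ESP, which sits outside the verity/TPM boundary the rest of this commit builds, so whoever can write that file provisions SSH access on first boot. The service definition continues outside the hunk.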
@ -49,6 +49,8 @@
|
|||
services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
|
||||
|
||||
users.allowNoPasswordLogin = true;
|
||||
users.users.root.home = lib.mkForce "/";
|
||||
|
||||
security.sudo.enable = lib.mkDefault false;
|
||||
|
||||
security.polkit = {
|
||||
|
@ -65,23 +67,16 @@
|
|||
i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
|
||||
|
||||
# Console
|
||||
# FIXME: Add option for toggle
|
||||
# console.enable = false;
|
||||
# systemd.services."getty@tty1".enable = lib.mkDefault false;
|
||||
# systemd.services."autovt@".enable = lib.mkDefault false;
|
||||
|
||||
systemd.enableEmergencyMode = false;
|
||||
boot.consoleLogLevel = lib.mkDefault 1;
|
||||
boot.kernelParams = [
|
||||
# "quiet"
|
||||
"panic=1"
|
||||
"boot.panic_on_fail"
|
||||
"nomodeset"
|
||||
"console=tty1"
|
||||
"console=ttyS0,38400"
|
||||
# "systemd.log_level=info"
|
||||
# "systemd.log_target=console"
|
||||
# "systemd.journald.forward_to_console"
|
||||
# "nomodeset"
|
||||
"console=ttyS0,115200n8"
|
||||
"earlyprintk=ttyS0,115200n8"
|
||||
"systemd.mask=systemd-vconsole-setup.service" # FIXME: Figure out why vconsole-setup fails when loading keymap
|
||||
];
|
||||
|
||||
# This is vi country
|
||||
|
|
|
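Review bot: `users.users.root.home = lib.mkForce "/";` lands without a why-comment, and because / is a read-only verity root this leaves root with no writable home at all — if that is intended hardening rather than a side effect of removing /home, say so: `# /home is gone and / is read-only: root deliberately has no writable home`. In the kernel-params hunk (@ -65,23 +67,16) the serial console moves to 115200n8 with `earlyprintk=` added and, as far as the page shows, `console=tty1` dropped; since `earlyprintk` is x86-specific and `systemd.mask=systemd-vconsole-setup.service` is a runtime workaround tagged FIXME, a one-line comment on what a reader should expect on the local display would help. The enclosing module continues outside both hunks.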
@ -20,6 +20,7 @@
|
|||
isNormalUser = true;
|
||||
linger = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
home = "/var/home/admin";
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
|
|
|
@ -11,13 +11,13 @@
|
|||
"systemd-sysext.service"
|
||||
];
|
||||
|
||||
systemd.services."systemd-confext" = {
|
||||
enable = true;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
# systemd.services."systemd-confext" = {
|
||||
# enable = true;
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# };
|
||||
|
||||
systemd.services."systemd-sysext.service" = {
|
||||
enable = true;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
# systemd.services."systemd-sysext.service" = {
|
||||
# enable = true;
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# };
|
||||
}
|
||||
|
|
|
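Review bot: The rendered page does not show which side of this hunk is the live `systemd.services."systemd-confext"` / `"systemd-sysext.service"` definition and which is the commented copy, but either way a commented-out duplicate of a unit block is dead text — drop it or replace it with one line saying why it is kept. If the enabled side is the new one, a comment next to `wantedBy` should state the trust model: extensions picked up from a writable location such as `/var/lib/extensions` (now on the encrypted /var) are overlaid on the verity-protected /usr and /etc at boot, so unless the image policy requires signed verity extension images, write access to that directory amounts to modifying the root image. The list the hunk starts with (`"systemd-sysext.service"`) belongs to a definition that begins outside the hunk.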
@ -20,7 +20,7 @@ test-common.makeImageTest {
|
|||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
machine.succeed("[ -e /efi/default-ssh-authorized-keys.txt ]")
|
||||
machine.succeed("[ -e /home/admin/.ssh/authorized_keys ]")
|
||||
machine.succeed("[ -e /var/home/admin/.ssh/authorized_keys ]")
|
||||
|
||||
machine.wait_for_open_port(22)
|
||||
|
||||
|
|
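Review bot: The test only follows the path rename in the `authorized_keys` assertion; the commit's main change — /var as a TPM2-unlocked LUKS volume — is not exercised. After `machine.wait_for_unit("multi-user.target")` add `machine.succeed("findmnt -n -o SOURCE /var | grep -qx /dev/mapper/var")` so a silent fallback to an unencrypted or absent /var fails the test; this presumes the image-test VM is given a software TPM (NixOS `virtualisation.tpm.enable`), which I cannot confirm from this page. The `test-common.makeImageTest` body starts and ends outside the hunk.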