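{ lib, pkgs, ... }:
# Filesystem layout and disk-encryption settings for an ephemeral-root host:
# "/" and /tmp are tmpfs, durable state lives on ZFS datasets, and the pool
# sits on a LUKS volume that is unlocked with a YubiKey in the initrd.
#
# Mount-option policy as written below: every filesystem gets
# noexec/nosuid/nodev unless it has a stated reason to allow execution
# (/nix, the nix-daemon build directory, /tmp-exec).
let
  # Scratch space for nix-daemon builds; needs exec because builds run code.
  nix_build = "/nix/build-sandbox";
  # Durable state that survives the tmpfs root (machine-id, host keys,
  # NetworkManager connections).
  persist = "/nix/persist";
  # World-writable tmpfs that allows execution (see the note at its mount).
  tmp-exec = "/tmp-exec";
in {
  # Create the build directory at boot only (`!`), 0755 root; entries older
  # than 7 days become eligible for cleanup.
  systemd.tmpfiles.rules = [ "D! ${nix_build} 0755 root root 7d" ];

  # NOTE(review): the NixOS module's own option list for /dev/shm is merged
  # with this one (list options concatenate), so this should only *add*
  # noexec. TODO: confirm on a running system (e.g. `findmnt /dev/shm`).
  boot.specialFileSystems."/dev/shm".options = [ "noexec" ];

  boot.zfs = {
    forceImportRoot = false;
    # None of the datasets mounted at boot are ZFS-encrypted; the whole pool
    # is behind LUKS (boot.initrd.luks below). Encrypted user homes are
    # unlocked later, at login, by security.pam.zfs.
    requestEncryptionCredentials = false;
    package = pkgs.zfs_2_3;
  };
  boot.supportedFilesystems.zfs = true;
  # Periodic TRIM of the pool; only reaches the SSD because the LUKS device
  # below is configured with allowDiscards.
  services.zfs.trim.enable = true;
  # services.homed.enable = true;

  fileSystems = {
    # Ephemeral root: nothing written here survives a reboot.
    "/" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=2G" "mode=755" "noexec" "nosuid" "nodev" ];
    };

    "/tmp" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "rw" "relatime" "mode=1777" "noexec" "nosuid" "nodev" ];
    };

    # Durable state. NOTE(review): /etc/machine-id and the sshd host keys are
    # symlinks into this dataset (environment.etc below) and it is not marked
    # neededForBoot; if activation runs before this mount those links dangle.
    # Consider `neededForBoot = true;` here -- confirm against the boot order.
    "${persist}" = {
      device = "zpool/persistent";
      fsType = "zfs";
      options = [ "noexec" "nosuid" "nodev" ];
    };

    # /nix/var lives on the exec+suid /nix dataset; bind it over itself with
    # tighter flags (mount(8) performs the bind and then a remount to apply
    # them -- verify with findmnt if in doubt).
    "/nix/var" = {
      device = "/nix/var";
      options = [ "bind" "noexec" "nosuid" "nodev" ];
    };

    # Persist NetworkManager connection profiles (they can contain Wi-Fi and
    # VPN secrets) without making the rest of /etc durable.
    "/etc/NetworkManager/system-connections" = {
      device = "${persist}/etc/NetworkManager/system-connections";
      options = [ "bind" "noexec" "nosuid" "nodev" ];
    };

    # The store must be executable. NOTE(review): suid is also allowed here;
    # NixOS setuid wrappers normally live in /run/wrappers, so check whether
    # anything actually needs suid on the store before tightening to nosuid.
    "/nix" = {
      device = "zpool/nix";
      fsType = "zfs";
      options = [ "exec" "suid" "nodev" ];
    };

    "/var" = {
      device = "zpool/var";
      fsType = "zfs";
      options = [ "noexec" "nosuid" "nodev" ];
    };

    # nix-daemon build scratch (TMPDIR is pointed here below): exec because
    # builds run code, nosuid/nodev because nothing there should ever be
    # privileged.
    "${nix_build}" = {
      device = "zpool/nix-build";
      fsType = "zfs";
      options = [ "exec" "nosuid" "nodev" ];
    };

    # World-writable (1777) *executable* scratch. Any local user can stage and
    # run a binary here, so the noexec on /tmp is a speed bump rather than a
    # boundary -- a deliberate carve-out; keep it in mind when reasoning about
    # what noexec buys on this host.
    "${tmp-exec}" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=2G" "exec" "nosuid" "nodev" "mode=1777" ];
    };

    "/etc/nixos" = {
      device = "zpool/nix_conf";
      fsType = "zfs";
      options = [ "noacl" "noexec" "nosuid" "nodev" ];
    };

    "/boot" = {
      device = "/dev/disk/by-uuid/12CE-A600";
      fsType = "vfat";
      # umask=077 keeps kernels/initrds readable by root only. vfat applies
      # mount options in order and umask sets both the file and directory
      # masks, so the fmask=0022/dmask=0022 that previously preceded it were
      # overridden; they are dropped so the list no longer reads as if /boot
      # were world-readable.
      options = [ "umask=077" "noexec" "nosuid" "nodev" ];
      # noCheck = true;
      # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
    };

    # "/crypt-storage" =
    #   { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
    #     fsType = "ext4";
    #     options = [ "umask=077" ]; # read only so a fat-finger can't accidentally bonk our salts, rendering the disk useless.
    #   };
  };

  # Expose persisted identity files in /etc as symlinks into the persist
  # dataset. Keep the private host keys 0600 root on ${persist}/etc/ssh; the
  # symlink inherits whatever permissions the target has.
  environment.etc = lib.genAttrs [
    "machine-id"
    "ssh/ssh_host_ed25519_key"
    "ssh/ssh_host_ed25519_key.pub"
    "ssh/ssh_host_rsa_key"
    "ssh/ssh_host_rsa_key.pub"
  ] (n: { source = "${persist}/etc/${n}"; });

  # Builds get their scratch space on the dedicated exec dataset above.
  systemd.services.nix-daemon.environment.TMPDIR = nix_build;

  # Unlock a user's encrypted home dataset under zpool/home with the login
  # password at PAM time (this is why boot.zfs does not request credentials).
  security.pam = {
    zfs = {
      enable = true;
      homes = "zpool/home";
    };
  };

  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
  boot.initrd.luks.reusePassphrases = false;
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
    preLVM = true;
    # Pass TRIM through dm-crypt so services.zfs.trim is effective. Accepted
    # tradeoff: discards reveal which sectors are unused to anyone who can
    # read the raw disk.
    allowDiscards = true;
    yubikey = {
      slot = 2;
      twoFactor = true; # passphrase AND key; set to false for 1FA
      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
      keyLength = 64; # Set to $KEY_LENGTH/8
      saltLength = 16; # Set to $SALT_LENGTH
      # Unencrypted partition holding the salt file read by the initrd; this
      # is how the yubikey module works, the secret is the passphrase plus
      # the key's HMAC slot, not the salt.
      storage = {
        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same UUID as the commented-out /crypt-storage mount above
        fsType = "ext4";
        path = "/default";
      };
    };
  };

  swapDevices = [
    #{
    #  device = "zpool/swap";
    #  device = "/dev/zvol/zpool/swap";
    #}
  ];
}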