nichts/nyx/hosts/erebus/system/default.nix

# NixOS livesystem to generate yubikeys in an air-gapped manner
# $ nix build .#images.erebus
{
  config,
  lib,
  pkgs,
  ...
}: {
  # Secure defaults
  nixpkgs.config = {allowBroken = false;}; # false breaks zfs kernel - but we don't care about zfs

  # Always copytoram so that, if the image is booted from, e.g., a
  # USB stick, nothing is mistakenly written to persistent storage.
  boot = {
    kernelParams = ["copytoram"];
    tmp.cleanOnBoot = true;
    kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
  };

  # make sure we are air-gapped
  networking = {
    wireless.enable = false;
    dhcpcd.enable = false;
  };

  services.getty.helpLine = "The 'root' account has an empty password.";

  isoImage.isoBaseName = lib.mkForce config.networking.hostName;

  # words cannot express how much I hate zfs
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

  environment = {
    # needed for i3blocks
    pathsToLink = ["/libexec"];
    # fix an annoying warning
    etc."mdadm.conf".text = ''
      MAILADDR root
    '';
  };

  fonts = {
    fontDir = {
      enable = true;
      decompressFonts = true;
    };

    fontconfig.enable = true;

    packages = with pkgs; [
      noto-fonts
      noto-fonts-cjk
      noto-fonts-color-emoji
    ];
  };
}
added stuff 2024-04-09 23:11:33 +02:00			`# NixOS livesystem to generate yubikeys in an air-gapped manner`
			`# $ nix build .#images.erebus`
			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}: {`
			`# Secure defaults`
			`nixpkgs.config = {allowBroken = false;}; # false breaks zfs kernel - but we don't care about zfs`

			`# Always copytoram so that, if the image is booted from, e.g., a`
			`# USB stick, nothing is mistakenly written to persistent storage.`
			`boot = {`
			`kernelParams = ["copytoram"];`
			`tmp.cleanOnBoot = true;`
			`kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};`
			`};`

			`# make sure we are air-gapped`
			`networking = {`
			`wireless.enable = false;`
			`dhcpcd.enable = false;`
			`};`

			`services.getty.helpLine = "The 'root' account has an empty password.";`

			`isoImage.isoBaseName = lib.mkForce config.networking.hostName;`

			`# words cannot express how much I hate zfs`
			`boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;`

			`environment = {`
			`# needed for i3blocks`
			`pathsToLink = ["/libexec"];`
			`# fix an annoying warning`
			`etc."mdadm.conf".text = ''`
			`MAILADDR root`
			`'';`
			`};`

			`fonts = {`
			`fontDir = {`
			`enable = true;`
			`decompressFonts = true;`
			`};`

			`fontconfig.enable = true;`

			`packages = with pkgs; [`
			`noto-fonts`
			`noto-fonts-cjk`
			`noto-fonts-color-emoji`
			`];`
			`};`
			`}`