56 lines
1.3 KiB
Nix
56 lines
1.3 KiB
Nix
# NixOS livesystem to generate yubikeys in an air-gapped manner
|
|
# $ nix build .#images.erebus
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}: {
|
|
# Secure defaults
|
|
nixpkgs.config = {allowBroken = false;}; # false breaks zfs kernel - but we don't care about zfs
|
|
|
|
# Always copytoram so that, if the image is booted from, e.g., a
|
|
# USB stick, nothing is mistakenly written to persistent storage.
|
|
boot = {
|
|
kernelParams = ["copytoram"];
|
|
tmp.cleanOnBoot = true;
|
|
kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
|
|
};
|
|
|
|
# make sure we are air-gapped
|
|
networking = {
|
|
wireless.enable = false;
|
|
dhcpcd.enable = false;
|
|
};
|
|
|
|
services.getty.helpLine = "The 'root' account has an empty password.";
|
|
|
|
isoImage.isoBaseName = lib.mkForce config.networking.hostName;
|
|
|
|
# words cannot express how much I hate zfs
|
|
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
|
|
|
environment = {
|
|
# needed for i3blocks
|
|
pathsToLink = ["/libexec"];
|
|
# fix an annoying warning
|
|
etc."mdadm.conf".text = ''
|
|
MAILADDR root
|
|
'';
|
|
};
|
|
|
|
fonts = {
|
|
fontDir = {
|
|
enable = true;
|
|
decompressFonts = true;
|
|
};
|
|
|
|
fontconfig.enable = true;
|
|
|
|
packages = with pkgs; [
|
|
noto-fonts
|
|
noto-fonts-cjk
|
|
noto-fonts-color-emoji
|
|
];
|
|
};
|
|
}
|