kyra(hardening): ESP 1G->128M, LUKS2 volume and options hadrening

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 15:29:57 +03:00 · 2026-05-03 15:29:57 +03:00 · 72def65f54
commit 72def65f54
parent 14eea58fbb
1 changed files with 16 additions and 4 deletions
--- a/kyra/disko/disk.nix
+++ b/kyra/disko/disk.nix
@ -21,7 +21,7 @@

              ESP = {
                name = "ESP";
-                size = "1024M";
+                size = "128M";
                type = "EF00";
                content = {
                  type = "filesystem";
@ -29,15 +29,27 @@
                  mountpoint = "/boot";
                  mountOptions = [
                    "umask=0077"
+                    "noexec"
+                    "nosuid"
+                    "nodev"
+                    "ro"
                  ];
                };
              };

-              root = {
+              luks = {
                size = "100%";
                content = {
-                  type = "lvm_pv";
-                  vg = "pool";
+                  type = "luks";
+                  name = "crypted";
+                  settings = {
+                    allowDiscards = true;
+                  };
+
+                  content = {
+                    type = "lvm_pv";
+                    vg = "pool";
+                  };
                };
              };
            };