From 72def65f54c9a954702c036ff225bd6bb604bef4 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 15:29:57 +0300
Subject: [PATCH] kyra(hardening): ESP 1G->128M, LUKS2 volume and options hadrening
Signed-off-by: s0me1newithhand7s
---
 kyra/disko/disk.nix | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/kyra/disko/disk.nix b/kyra/disko/disk.nix
index 231e00e..a22cce7 100644
--- a/kyra/disko/disk.nix
+++ b/kyra/disko/disk.nix
@@ -21,7 +21,7 @@
 ESP = {
 name = "ESP";
- size = "1024M";
+ size = "128M";
 type = "EF00";
 content = {
 type = "filesystem";
@@ -29,15 +29,27 @@
 mountpoint = "/boot";
 mountOptions = [
 "umask=0077"
+ "noexec"
+ "nosuid"
+ "nodev"
+ "ro"
 ];
 };
 };
- root = {
+ luks = {
 size = "100%";
 content = {
- type = "lvm_pv";
- vg = "pool";
+ type = "luks";
+ name = "crypted";
+ settings = {
+ allowDiscards = true;
+ };
+
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
 };
 };
 };
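Review bot: The ESP shrinks to `size = "128M";` while it is still the filesystem mounted at `/boot` (see the second hunk), so if the bootloader copies each generation's kernel and initrd onto it, as systemd-boot on NixOS does, a handful of generations will fill it. Once it is full, later rebuilds fail to install, and that includes kernel security updates. The bootloader configuration is not part of this patch, so this needs confirming; if kernels do live on the ESP, keep more headroom (for example `size = "512M";`) or cap retained generations with `boot.loader.systemd-boot.configurationLimit`. A one-line comment next to the size stating the assumed generation limit would document the constraint.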
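Review bot: `allowDiscards = true;` in the new `luks.settings` lets TRIM requests pass through dm-crypt, which reveals which blocks of the encrypted volume are unused to anyone who can read the raw device. In a commit labelled hardening, that trade-off should either be dropped (`allowDiscards = false;`) or justified in place, e.g. `# TRIM passthrough accepted for SSD wear; exposes free-block layout`. Separately, the added `"ro"` on `/boot` will presumably make bootloader installation fail on every rebuild unless something remounts the ESP read-write first, and nothing in this patch does so. The ESP also stays unencrypted, so the new mount options only constrain the running system; protecting the kernel and initrd against offline modification needs Secure Boot or an equivalent measure outside this file.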