58 lines
1.3 KiB
Nix
58 lines
1.3 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
# Bootloader: systemd-boot with EFI support
|
|
boot = {
|
|
loader = {
|
|
systemd-boot.enable = true;
|
|
efi.canTouchEfiVariables = true;
|
|
};
|
|
|
|
# Enable support for LUKS
|
|
initrd = {
|
|
luks.devices = {
|
|
"root" = {
|
|
device = "/dev/sda1"; # Change to your actual encrypted partition
|
|
preLVM = true;
|
|
allowDiscards = true; # Enable if using an SSD with TRIM support
|
|
};
|
|
};
|
|
systemd.enable = true; # Required for LUKS support
|
|
};
|
|
};
|
|
|
|
# File systems
|
|
fileSystems."/" = {
|
|
device = "/dev/mapper/root"; # LUKS unlocked device
|
|
fsType = "ext4";
|
|
};
|
|
|
|
# EFI partition mount (usually /boot or /boot/efi)
|
|
fileSystems."/boot" = {
|
|
device = "/dev/sda2"; # Change to your actual EFI partition
|
|
fsType = "vfat";
|
|
options = [ "nofail" "defaults" ];
|
|
};
|
|
|
|
swapDevices = [{ device = "/swapfile"; size = 4096; }];
|
|
|
|
# Locales and timezone
|
|
time.timeZone = "Europe/London";
|
|
i18n.defaultLocale = "en_GB.UTF-8";
|
|
|
|
# UFW Firewall
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 22 ]; # Allow SSH
|
|
};
|
|
|
|
# Enable SSH
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
}
|