Harald Hoyer
d5287f242e
The commit turns on the TPM2 security feature and its associated Access Broker and Resource Manager daemon (abrmd) in the hardware configuration for the x86_64-linux SGX system. The change consists of flipping the respective entries from false to true and enhances the security of this system configuration.
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ pkgs, config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options kvm_intel nested=1";
services.btrfs.autoScrub.enable = true;
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
fsType = "btrfs";
options = [ "subvol=@" ];
neededForBoot = true;
};
"/boot" = {
device = "/dev/disk/by-uuid/C902-1AF5";
fsType = "vfat";
};
"/mnt/raid" = {
fsType = "btrfs";
device = "/dev/disk/by-uuid/11727be7-bf9b-4888-8b02-d7eb1f898712";
options = [ "defaults" "compress=zstd" "subvol=root" "autodefrag" "noatime" "nofail" "x-systemd.device-timeout=60" ];
};
"/mnt/backup" = {
fsType = "btrfs";
device = "/dev/disk/by-uuid/c29e7eac-26ba-41b1-ac3e-11123476b7c5";
options = [ "defaults" "compress=zstd" "subvol=root" "autodefrag" "noatime" "nofail" "x-systemd.device-timeout=60" ];
};
};
swapDevices =
[{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }];
environment.etc."crypttab".text = ''
a16 /dev/disk/by-uuid/6f1c1b24-3c94-44be-8d1b-70db562079c1 /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
b16 /dev/disk/by-uuid/9540de6d-c907-43e4-b740-2d75dbf37135 /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
a4 /dev/disk/by-uuid/72924bd6-3d58-4437-aafd-ae6d2b995fbf /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
b4 /dev/disk/by-uuid/459c8d9a-6e92-4dec-a998-701ab9e76a2e /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
c4 /dev/disk/by-uuid/5c61cbf0-dbca-48e0-948e-71bea3806a6c /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
'';
systemd.services.hd-idle = {
description = "Set to idle";
wantedBy = [ "multi-user.target" ];
after = [
"dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K2TX.device"
"dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K3WR.device"
"dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0710903.device"
"dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732164.device"
"dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732505.device"
];
bindsTo = [
"dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K2TX.device"
"dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K3WR.device"
"dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0710903.device"
"dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732164.device"
"dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732505.device"
];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.hdparm}/sbin/hdparm -S 60 /dev/disk/by-id/ata-*'";
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
security.tpm2.enable = true;
security.tpm2.abrmd.enable = true;
powerManagement.cpuFreqGovernor = "ondemand";
}
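Review bot: The two new `security.tpm2.enable = true;` and `security.tpm2.abrmd.enable = true;` settings near the end of the file are hand-maintained options living in a file whose own header says it was generated by `nixos-generate-config` and may be overwritten by future invocations, so a later regeneration would silently drop TPM2 support again with no build error to notice it. The header already names `/etc/nixos/configuration.nix` as the place for local changes; moving these two lines there (the `crypttab`, `hd-idle` and btrfs-scrub entries in this file carry the same risk, but are not part of this commit) keeps the enablement from being lost. If they must stay here, at least mark them, e.g. `# hand-added: re-apply if this file is regenerated by nixos-generate-config`. Enabling abrmd by itself does not point client tools at the broker; if that is the intent, the NixOS `security.tpm2.tctiEnvironment` options are presumably the knob to set, but verify against the module version in use.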