feat: new host - idols-akane, hardens VFAT /boot mounts (#245)

* feat: new host - idols-akane

* fix: missing efi files

* fix: efi partition - permission issue

hosts/12kingdoms-shoukei/hardware-configuration.nix

@@ -87,8 +87,9 @@ in
     device = "/dev/disk/by-uuid/01CE-1DFD";
     fsType = "vfat";
     options = [
-      "fmask=0022"
-      "dmask=0022"
+      "fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
+      "dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
+      "noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
     ];
   };
 

hosts/idols-ai/hardware-configuration.nix

@@ -174,6 +174,11 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/90FB-9F88";
     fsType = "vfat";
+    options = [
+      "fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
+      "dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
+      "noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
+    ];
   };
 
   swapDevices = [

hosts/idols-akane/README.md

@@ -0,0 +1,21 @@
+# Idols - Akane
+
+VM running on macOS's UTM App.
+
+Steps to install:
+
+```bash
+# 1. format & mount the filesystem
+nix-shell -p disko
+sudo disko --mode destroy,format,mount hosts/idols-akane/disko-fs.nix
+
+# 2. install nixos
+nixos-install --root /mnt --flake .#akane --no-root-password --show-trace --verbose --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store  https://cache.nixos.org/" # install-2
+
+# enter into the installed system, check password & users
+# `su ryan` => `sudo -i` => enter ryan's password => successfully login
+# if login failed, check the password you set in install-1, and try again
+nixos-enter
+
+reboot
+```

hosts/idols-akane/default.nix

@@ -0,0 +1,62 @@
+{
+  disko,
+  mylib,
+  lib,
+  ...
+}:
+#############################################################
+#
+#  Akane - a NixOS VM running on macOS's UTM App
+#
+#############################################################
+let
+  hostName = "akane"; # Define your hostname.
+in
+{
+  imports = (mylib.scanPaths ./.) ++ [
+    disko.nixosModules.default
+  ];
+
+  # supported file systems, so we can mount any removable disks with these filesystems
+  boot.supportedFilesystems = [
+    "ext4"
+    "btrfs"
+    "xfs"
+    #"zfs"
+    "ntfs"
+    "fat"
+    "vfat"
+    "exfat"
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "usbhid"
+    "usb_storage"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+  networking = {
+    inherit hostName;
+
+    networkmanager.enable = true;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "26.05"; # Did you read the comment?
+}

hosts/idols-akane/disko-fs.nix

@@ -0,0 +1,65 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda"; # the virtual disk
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "450M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
+                  "dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
+                  "noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
+                ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                subvolumes = {
+                  "@root" = {
+                    mountpoint = "/";
+                  };
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = [
+                      "compress-force=zstd:1"
+                      "noatime"
+                    ];
+                  };
+                  "@home" = {
+                    mountOptions = [ "compress=zstd:1" ];
+                    mountpoint = "/home";
+                  };
+                  "@tmp" = {
+                    mountpoint = "/tmp";
+                    mountOptions = [
+                      "noatime"
+                    ];
+                  };
+                  "@swap" = {
+                    mountpoint = "/swap";
+                    swap.swapfile.size = "4096M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/k8s/disko-config/kubevirt-disko-fs.nix

@@ -37,7 +37,9 @@
               format = "vfat";
               mountpoint = "/boot";
               mountOptions = [
-                "defaults"
+                "fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
+                "dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
+                "noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
               ];
             };
           };