feat: new host - idols-akane, hardens VFAT /boot mounts (#245)

* feat: new host - idols-akane * fix: missing efi files * fix: efi partition - permission issue
2026-04-28 19:57:06 +02:00 · 2026-03-07 23:54:13 +08:00
parent f9596089b3
commit 69f77fecca
10 changed files with 276 additions and 63 deletions
--- a/hosts/k8s/disko-config/kubevirt-disko-fs.nix
+++ b/hosts/k8s/disko-config/kubevirt-disko-fs.nix
@@ -37,7 +37,9 @@
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [
-                "defaults"
+                "fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
+                "dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
+                "noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
              ];
            };
          };