feat: new host - idols-akane, hardens VFAT /boot mounts (#245)

* feat: new host - idols-akane * fix: missing efi files * fix: efi partition - permission issue
2026-04-24 09:48:30 +02:00 · 2026-03-07 23:54:13 +08:00
parent f9596089b3
commit 69f77fecca
10 changed files with 276 additions and 63 deletions
--- a/vars/networking.nix
+++ b/vars/networking.nix
@@ -1,4 +1,5 @@
-{lib}: rec {
+{ lib }:
+rec {
  mainGateway = "192.168.5.1"; # main router
  mainGateway6 = "fe80::5"; # main router's link-local address
  # use suzi as the default gateway
@@ -41,6 +42,11 @@
      ipv4 = "192.168.5.100";
      ipv6 = "fe80::10"; # Link-local Address
    };
+    # akane = {
+    #   # VM (running in macOS's UTM App), using DHCP instead of static ip.
+    #   iface = "enp0s1";
+    #   ipv4 = "192.168.64.2";
+    # };
    aquamarine = {
      # VM
      iface = "enp2s0";
@@ -151,19 +157,17 @@
    };
  };

-  hostsInterface =
-    lib.attrsets.mapAttrs (key: val: {
-      interfaces."${val.iface}" = {
-        useDHCP = false;
-        ipv4.addresses = [
-          {
-            inherit prefixLength;
-            address = val.ipv4;
-          }
-        ];
-      };
-    })
-    hostsAddr;
+  hostsInterface = lib.attrsets.mapAttrs (key: val: {
+    interfaces."${val.iface}" = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          inherit prefixLength;
+          address = val.ipv4;
+        }
+      ];
+    };
+  }) hostsAddr;

  ssh = {
    # define the host alias for remote builders
@@ -178,14 +182,13 @@
    extraConfig = (
      lib.attrsets.foldlAttrs (
        acc: host: val:
-          acc
-          + ''
-            Host ${host}
-              HostName ${val.ipv4}
-              Port 22
-          ''
-      ) ""
-      hostsAddr
+        acc
+        + ''
+          Host ${host}
+            HostName ${val.ipv4}
+            Port 22
+        ''
+      ) "" hostsAddr
    );

    # this config will be written to /etc/ssh/ssh_known_hosts
@@ -197,21 +200,22 @@
      #   { x = "a"; y = "b"; }
      #     => { x = "bar-a"; y = "bar-b"; }
      lib.attrsets.mapAttrs
-      (host: value: {
-        hostNames = [host] ++ (lib.optional (hostsAddr ? host) hostsAddr.${host}.ipv4);
-        publicKey = value.publicKey;
-      })
-      {
-        # Define the root user's host key for remote builders, so that nix can verify all the remote builders
+        (host: value: {
+          hostNames = [ host ] ++ (lib.optional (hostsAddr ? host) hostsAddr.${host}.ipv4);
+          publicKey = value.publicKey;
+        })
+        {
+          # Define the root user's host key for remote builders, so that nix can verify all the remote builders

-        aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOXFhFu9Duzp6ZBE288gDZ6VLrNaeWL4kDrFUh9Neic root@aquamarine";
-        # ruby.publicKey = "";
-        # kana.publicKey = "";
+          aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOXFhFu9Duzp6ZBE288gDZ6VLrNaeWL4kDrFUh9Neic root@aquamarine";
+          # ruby.publicKey = "";
+          # kana.publicKey = "";

-        # ==================================== Other SSH Service's Public Key =======================================
+          # ==================================== Other SSH Service's Public Key =======================================

-        # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
-        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-      };
+          # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+          "github.com".publicKey =
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+        };
  };
 }