From fe5e194d14971444174ac542a7e241c455dcbd62 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux <benoit@leastauthority.com> Date: Thu, 22 Feb 2024 10:44:56 +0100 Subject: [PATCH] Enable swap encryption for hro-cloud Signed-off-by: Benoit Donneaux <benoit@leastauthority.com> --- morph/grid/hro-cloud/storage001-hardware.nix | 7 ++++--- morph/grid/hro-cloud/storage002-hardware.nix | 7 ++++--- morph/grid/hro-cloud/storage003-hardware.nix | 10 +++++++--- morph/lib/issuer-payments-ovh.nix | 1 + 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/morph/grid/hro-cloud/storage001-hardware.nix b/morph/grid/hro-cloud/storage001-hardware.nix index b2ebd742..6c76a336 100644 --- a/morph/grid/hro-cloud/storage001-hardware.nix +++ b/morph/grid/hro-cloud/storage001-hardware.nix @@ -29,9 +29,10 @@ fsType = "zfs"; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/45eb994e-0d1b-4903-9412-920f0ba017c9"; } - ]; + swapDevices = [ { + device = "/dev/disk/by-uuid/45eb994e-0d1b-4903-9412-920f0ba017c9"; + randomEncryption = true; + } ]; nix.maxJobs = lib.mkDefault 24; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; diff --git a/morph/grid/hro-cloud/storage002-hardware.nix b/morph/grid/hro-cloud/storage002-hardware.nix index 15cdbba3..84a20dde 100644 --- a/morph/grid/hro-cloud/storage002-hardware.nix +++ b/morph/grid/hro-cloud/storage002-hardware.nix @@ -31,9 +31,10 @@ fsType = "vfat"; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/51e0652f-46c9-4150-95a1-223f37154d4f"; } - ]; + swapDevices = [ { + device = "/dev/disk/by-uuid/51e0652f-46c9-4150-95a1-223f37154d4f"; } + randomEncryption = true; + } ]; nix.maxJobs = lib.mkDefault 24; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; diff --git a/morph/grid/hro-cloud/storage003-hardware.nix b/morph/grid/hro-cloud/storage003-hardware.nix index 1a4bc3f7..8d54609e 100644 --- a/morph/grid/hro-cloud/storage003-hardware.nix +++ b/morph/grid/hro-cloud/storage003-hardware.nix 
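Review bot: `randomEncryption = true` is paired here with a `/dev/disk/by-uuid/...` device, but that UUID lives in the swap header, which is overwritten when the partition is re-keyed and re-initialised at boot. The NixOS documentation for this option warns against by-uuid and by-label paths for this reason. After the first encrypted boot the path may stop resolving, and the host would then come up without swap. Point the entry at a partition-table identifier instead, e.g. `device = "/dev/disk/by-partuuid/<PARTUUID>";` (placeholder; read the real value from the host). The same applies to the swapDevices entries in storage002-hardware.nix and storage003-hardware.nix.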
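Review bot: The new `device = ...;` line in storage002-hardware.nix still ends with the `}` left over from the old one-line form. The attribute set therefore closes before `randomEncryption = true;`, and the following `} ];` has nothing to close. As written this should fail to parse, so the host configuration will not evaluate and encryption is not enabled. Drop the trailing brace so the line reads `device = "/dev/disk/by-uuid/51e0652f-46c9-4150-95a1-223f37154d4f";`, matching the storage001 hunk. The storage003-hardware.nix hunk carries the same stray `}`; evaluating all three host configurations before merge would catch both.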
@@ -23,12 +23,16 @@ { device = "/dev/disk/by-uuid/23DC-4051"; fsType = "vfat"; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/b02af75a-ea3a-47cf-ad40-c6611ee4dc09"; } - ]; + fileSystems."/storage" = { device = "root"; fsType = "zfs"; }; + + swapDevices = [ { + device = "/dev/disk/by-uuid/b02af75a-ea3a-47cf-ad40-c6611ee4dc09"; } + randomEncryption = true; + } ]; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/morph/lib/issuer-payments-ovh.nix b/morph/lib/issuer-payments-ovh.nix index 53defef0..a614e743 100644 --- a/morph/lib/issuer-payments-ovh.nix +++ b/morph/lib/issuer-payments-ovh.nix @@ -8,6 +8,7 @@ swapDevices = [ { device = "/dev/sda2"; + randomEncryption = true; } ]; # Break the tie between AWS and morph for the hostname by forcing the -- GitLab
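Review bot: The added `fileSystems."/storage"` entry (device `root`, fsType `zfs`) is not covered by the subject "Enable swap encryption". It has no counterpart among the removed lines, so it appears to be a new mount riding along with the swap change. Move it to its own commit, or state in the message why storage003 needs it, so that reverting the swap change does not also drop the storage mount.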
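Review bot: With `randomEncryption = true` added in issuer-payments-ovh.nix, the device on the line above is re-initialised at every boot, and `/dev/sda2` is a kernel enumeration name rather than a stable identifier. If disk ordering changes on a host that imports this file, whichever partition then appears as sda2 is the one that gets overwritten. Prefer a persistent path, e.g. `device = "/dev/disk/by-partuuid/<PARTUUID>";` (placeholder), or a by-id or by-partlabel path if the file is shared across hosts. The enclosing module starts and ends outside the hunk.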