nixos/global/boot/default.nix

{ pkgs
, lib
, config
, ... }: with lib; let
  cfg = config.global.boot;
in {
  options.global.boot = {
    enable = mkEnableOption "bootloader installation and maintenance" // { default = true; };
    systemd-boot = mkEnableOption "generation selection via systemd-boot" // { default = !cfg.lanzaboote; };
    lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
    memtest = mkOption {
      type = with types; nullOr int;
      default = null;
      description = "memtest passes to perform on boot";
    };
  };

  config = let
    sbPath = "/nix/persist/lanzaboote";
  in mkIf cfg.enable {
    boot = {
      initrd.systemd.enable = true;
      lanzaboote.enable = cfg.lanzaboote;
      lanzaboote.pkiBundle = sbPath;
      loader.systemd-boot.enable = cfg.systemd-boot;
      loader.efi.canTouchEfiVariables = true;
      tmp.cleanOnBoot = true;
      kernelParams = optional (cfg.memtest != null) "memtest=${toString cfg.memtest}";
    };

    # symlink for sbctl
    environment.etc.secureboot.source = sbPath;
    environment.systemPackages = [ pkgs.sbctl ];
  };
}
feat(boot): systemd-boot and lanzaboote toggles Secure boot is not applicable in every use case. 2024-01-02 14:44:00 +08:00			`{ pkgs`
			`, lib`
			`, config`
			`, ... }: with lib; let`
refactor: rename global from faucet 2024-01-07 22:01:31 +08:00			`cfg = config.global.boot;`
feat(boot): systemd-boot and lanzaboote toggles Secure boot is not applicable in every use case. 2024-01-02 14:44:00 +08:00			`in {`
refactor: rename global from faucet 2024-01-07 22:01:31 +08:00			`options.global.boot = {`
feat(boot): systemd-boot and lanzaboote toggles Secure boot is not applicable in every use case. 2024-01-02 14:44:00 +08:00			`enable = mkEnableOption "bootloader installation and maintenance" // { default = true; };`
			`systemd-boot = mkEnableOption "generation selection via systemd-boot" // { default = !cfg.lanzaboote; };`
			`lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";`
feat(boot): add memtest option 2024-02-04 22:17:19 +08:00			`memtest = mkOption {`
			`type = with types; nullOr int;`
			`default = null;`
			`description = "memtest passes to perform on boot";`
			`};`
feat(boot): systemd-boot and lanzaboote toggles Secure boot is not applicable in every use case. 2024-01-02 14:44:00 +08:00			`};`

			`config = let`
			`sbPath = "/nix/persist/lanzaboote";`
			`in mkIf cfg.enable {`
			`boot = {`
			`initrd.systemd.enable = true;`
			`lanzaboote.enable = cfg.lanzaboote;`
			`lanzaboote.pkiBundle = sbPath;`
			`loader.systemd-boot.enable = cfg.systemd-boot;`
			`loader.efi.canTouchEfiVariables = true;`
feat(boot): set tmp.cleanOnBoot In some cases /tmp has to be mounted on persistent storage to avoid running out of memory. Enabling this option restores tmpfs behaviour. 2024-01-02 16:36:49 +08:00			`tmp.cleanOnBoot = true;`
feat(boot): add memtest option 2024-02-04 22:17:19 +08:00			`kernelParams = optional (cfg.memtest != null) "memtest=${toString cfg.memtest}";`
feat(boot): systemd-boot and lanzaboote toggles Secure boot is not applicable in every use case. 2024-01-02 14:44:00 +08:00			`};`

			`# symlink for sbctl`
fix(boot): set up sbctl unconditionally 2024-01-04 15:14:28 +08:00			`environment.etc.secureboot.source = sbPath;`
			`environment.systemPackages = [ pkgs.sbctl ];`
feat(boot): systemd-boot and lanzaboote toggles Secure boot is not applicable in every use case. 2024-01-02 14:44:00 +08:00			`};`
			`}`