47 lines
1.1 KiB
Nix
47 lines
1.1 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
with lib;
|
|
let
|
|
cfg = config.global.boot;
|
|
in
|
|
{
|
|
options.global.boot = {
|
|
enable = mkEnableOption "bootloader installation and maintenance" // {
|
|
default = true;
|
|
};
|
|
systemd-boot = mkEnableOption "generation selection via systemd-boot" // {
|
|
default = !cfg.lanzaboote;
|
|
};
|
|
lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
|
|
memtest = mkOption {
|
|
type = with types; nullOr int;
|
|
default = null;
|
|
description = "memtest passes to perform on boot";
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
sbPath = "/nix/persist/lanzaboote";
|
|
in
|
|
mkIf cfg.enable {
|
|
boot = {
|
|
initrd.systemd.enable = true;
|
|
lanzaboote.enable = cfg.lanzaboote;
|
|
lanzaboote.pkiBundle = sbPath;
|
|
loader.systemd-boot.enable = cfg.systemd-boot;
|
|
loader.efi.canTouchEfiVariables = true;
|
|
tmp.cleanOnBoot = true;
|
|
kernelParams = optional (cfg.memtest != null) "memtest=${toString cfg.memtest}";
|
|
};
|
|
|
|
# symlink for sbctl
|
|
environment.etc.secureboot.source = sbPath;
|
|
environment.systemPackages = [ pkgs.sbctl ];
|
|
};
|
|
}
|