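# Boot-loader configuration: systemd-boot by default, optionally replaced by
# lanzaboote (UEFI Secure Boot with sbctl-managed keys), plus an optional
# Plymouth boot splash.
#
# Module arguments:
#   npins  - pinned sources; `npins.lanzaboote` is the lanzaboote checkout
#   lib    - nixpkgs library
#   config - the evaluated NixOS configuration (read under `common.configure.boot`)
#   pkgs   - package set (provides sbctl and instantiates lanzaboote)
{
  npins,
  lib,
  config,
  pkgs,
  ...
}:
let
  inherit (lib) types;
  cfg = config.common.configure.boot;
  # Instantiate the pinned lanzaboote checkout against this system's pkgs.
  lanzaboote = import npins.lanzaboote { inherit pkgs; };
in
{
  options.common.configure.boot = {
    enable = lib.mkEnableOption "basic systemd-boot config";
    secureboot = lib.mkEnableOption "secureboot support via lanzaboote";
    configurationLimit = lib.mkOption {
      # Forwarded verbatim to systemd-boot / lanzaboote `configurationLimit`,
      # which count generations; an integer type catches a float here instead
      # of failing later in the downstream option's type check.
      type = types.int;
      default = 10;
      description = "Number of NixOS generations to keep in the boot menu.";
    };
    plymouth = {
      enable = lib.mkEnableOption "graphical bootscreen";
      theme = lib.mkOption {
        type = types.str;
        default = "bgrt";
        description = "Plymouth theme name.";
      };
    };
  };

  # The lanzaboote module is imported unconditionally: `imports` is resolved
  # before `config` exists, so it must not depend on `cfg.*`. The previous
  # `(lib.mkIf cfg.enable [ ... ]).content` only looked conditional — `.content`
  # returns the list without ever consulting the condition — so this is the
  # same behaviour stated plainly. Importing the module has no effect until
  # `boot.lanzaboote.enable` is set below.
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        boot.initrd.systemd.enable = true;
        boot.loader = {
          grub.enable = false;
          systemd-boot = {
            # mkDefault so the secureboot block below can force it off.
            enable = lib.mkDefault true;
            inherit (cfg) configurationLimit;
          };
          efi = {
            # Lets the bootloader installer (and sbctl key enrollment) write
            # EFI variables and boot entries.
            canTouchEfiVariables = true;
            efiSysMountPoint = "/boot";
          };
        };
      }

      (lib.mkIf cfg.plymouth.enable {
        boot = {
          # Silence kernel/initrd/udev output so the splash is not interrupted.
          consoleLogLevel = 0;
          initrd.verbose = false;
          kernelParams = [
            "quiet"
            "udev.log_level=3"
          ];
          plymouth = {
            enable = true;
            # The theme option lives under `cfg.plymouth`, not `cfg`;
            # `inherit (cfg) theme` failed with "attribute 'theme' missing"
            # as soon as the splash was enabled.
            inherit (cfg.plymouth) theme;
          };
        };
      })

      (lib.mkIf cfg.secureboot {
        # sbctl creates/enrolls the Secure Boot keys and signs boot artifacts.
        environment.systemPackages = with pkgs; [ sbctl ];
        # Keep the key material across reboots on an impermanent root.
        # NOTE(review): this directory presumably holds the private PK/KEK/db
        # signing keys; anyone who can read it can sign arbitrary boot images,
        # so it should stay root-only (ideally on an encrypted volume) — confirm.
        common.configure.persist.system.dirs = [ "/var/lib/sbctl" ];
        boot = {
          # lanzaboote replaces systemd-boot's installer; force it off.
          loader.systemd-boot.enable = lib.mkForce false;
          lanzaboote = {
            enable = true;
            pkiBundle = "/var/lib/sbctl";
            inherit (cfg) configurationLimit;
          };
        };
      })
    ]
  );
}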