nix-configuration/modules/base/bootloader.nix

{ config, lib, pkgs, ... }:

# Bootloader
let
	cfg = config.host.boot;
in
with lib;
{

	options = {
		host.boot = {
			enable = mkOption {
				description = "Automatically configures the bootloader. Set to false to configure manually.";
				type = types.bool;
				default = true;
			};
		
			secureboot.enable = mkOption {
				description = "Enables Secureboot";
				type = types.bool;
				default = true;
			};
		};
	};

	config = mkIf cfg.enable (mkMerge[
		(mkIf cfg.secureboot.enable {
			boot = {
				# Enable Secure Boot
				bootspec.enable = true;
				
				# Disable systemd-boot. We lanzaboote now.
				loader.systemd-boot.enable = false;
				loader.efi.canTouchEfiVariables = true;
				lanzaboote = {
					enable = true;
					pkiBundle = "/etc/secureboot";
				};
			};

			# Set up TPM. See https://nixos.wiki/wiki/TPM
			# After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
			environment.systemPackages = with pkgs; [ tpm2-tss ];
			security.tpm2 = {
				enable = true;
				pkcs11.enable = true;
				tctiEnvironment.enable = true;
			};
		})

		# Plain boot
		(mkIf (!cfg.secureboot.enable) {
			boot = {
				loader.systemd-boot.enable = true;
				loader.efi.canTouchEfiVariables = true;
			};
		})
	]);
}
Real install on Khanda 2024-04-27 20:19:59 -04:00			`{ config, lib, pkgs, ... }:`
Initial public commit! 2024-02-29 09:53:34 -05:00
			`# Bootloader`
			`let`
			`cfg = config.host.boot;`
			`in`
			`with lib;`
			`{`

			`options = {`
			`host.boot = {`
			`enable = mkOption {`
			`description = "Automatically configures the bootloader. Set to false to configure manually.";`
			`type = types.bool;`
			`default = true;`
			`};`

			`secureboot.enable = mkOption {`
			`description = "Enables Secureboot";`
			`type = types.bool;`
			`default = true;`
			`};`
			`};`
			`};`

			`config = mkIf cfg.enable (mkMerge[`
Run statix linter 2024-03-02 12:58:30 -05:00			`(mkIf cfg.secureboot.enable {`
Initial public commit! 2024-02-29 09:53:34 -05:00			`boot = {`
			`# Enable Secure Boot`
			`bootspec.enable = true;`

			`# Disable systemd-boot. We lanzaboote now.`
			`loader.systemd-boot.enable = false;`
			`loader.efi.canTouchEfiVariables = true;`
			`lanzaboote = {`
			`enable = true;`
			`pkiBundle = "/etc/secureboot";`
			`};`
			`};`

			`# Set up TPM. See https://nixos.wiki/wiki/TPM`
			`# After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module`
Real install on Khanda 2024-04-27 20:19:59 -04:00			`environment.systemPackages = with pkgs; [ tpm2-tss ];`
Initial public commit! 2024-02-29 09:53:34 -05:00			`security.tpm2 = {`
			`enable = true;`
			`pkcs11.enable = true;`
			`tctiEnvironment.enable = true;`
			`};`
			`})`

			`# Plain boot`
Run statix linter 2024-03-02 12:58:30 -05:00			`(mkIf (!cfg.secureboot.enable) {`
Initial public commit! 2024-02-29 09:53:34 -05:00			`boot = {`
			`loader.systemd-boot.enable = true;`
			`loader.efi.canTouchEfiVariables = true;`
			`};`
			`})`
			`]);`
			`}`